Data Processing Agreement for Stenoly
Last updated: 10.11.2024
1. Parties and Purpose
This data processing agreement ("Agreement") is entered into between:
- Data Controller: The legal entity using Stenoly for processing personal data.
- Data Processor: Stenoly AS ("Stenoly"), which provides the Stenoly service.
The purpose of the Agreement is to regulate the processing of personal data in accordance with GDPR, where Stenoly acts as a data processor and the Data Controller is responsible for the basis for processing.
2. Definitions
- Personal Data: Information that can identify a natural person, directly or indirectly.
- Processing: Any operation performed on personal data.
- Data Processor: Stenoly, which processes personal data on behalf of the Data Controller.
3. Scope and Instructions for Processing
3.1 Instructions
Stenoly shall only process personal data according to instructions from the Data Controller. The responsibility for establishing a legal basis for processing rests with the Data Controller.
3.2 Scope and Categories
- Purpose: Documentation of medical records during consultations.
- Categories of data subjects: Patients, clients, customers, or others consulted by the Data Controller.
- Types of personal data: Will depend on what the Data Controller shares with Stenoly. Stenoly encourages the Data Controller to minimize the amount of data Stenoly receives. The service can be used entirely without sharing personal data with Stenoly.
4. Confidentiality
Stenoly commits to confidentiality, and all employees and subprocessors who process data are bound by confidentiality. The information shall not be shared with third parties without express permission from the Data Controller.
5. Security Measures
5.1 Technical Measures
Stenoly shall implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of data during storage and transfer.
- Secure servers in the EU/EEA (European cloud platforms).
- Access controls to limit access to authorized persons.
5.2 Processing and Storage
Stenoly processes personal data only in accordance with the Data Controller's instructions, and data is stored on secure servers in compliance with GDPR.
6. Use of Subprocessors
Stenoly may use subprocessors for data processing. In such cases, they must comply with the conditions set out in this data processing agreement. Stenoly is obligated to provide a complete list of its subprocessors upon request from the Data Controller.
7. Access, Rectification and Erasure
Stenoly shall assist the Data Controller in fulfilling the rights of data subjects. The responsibility for responding to such requests rests with the Data Controller.
8. Handling Security Breaches
8.1 Notification
Stenoly shall notify the Data Controller without undue delay in case of security breaches.
8.2 Notification Content
The notification shall contain:
- Description of the breach
- Potential consequences
- Stenoly's measures to handle the breach
- Recommendations for notifying affected parties and relevant data protection authorities
9. Data Transfer Outside EU/EEA
Stenoly shall not transfer personal data outside the EU/EEA without written consent from the Data Controller. Any transfers shall occur in accordance with GDPR.
10. Availability and Uptime
Stenoly shall strive for high availability but does not guarantee uninterrupted uptime. Stenoly is not responsible for losses resulting from unavailability, and maintenance may be performed without prior notice.
11. Return and Deletion of Data
Upon termination of the Agreement, Stenoly shall delete or return personal data according to the Data Controller's wishes. Confirmation of deletion can be provided upon request.
12. Data Controller Obligations
The Data Controller shall:
- Ensure that there is a legal basis for processing.
- Inform data subjects about how their data is processed.
- Provide Stenoly with instructions regarding processing.
- Execute any instructions regarding access, rectification, and deletion.
13. Liability and Compensation
Stenoly is not responsible for the Data Controller's obligations under GDPR. In all cases, Stenoly is only liable for damages resulting from breach of the agreement or GDPR, and its liability is limited to the amount the Data Controller has paid for the Service in the last 12 months. The parties commit to cooperate in case of claims for compensation.
14. Termination
The Agreement applies as long as Stenoly processes personal data for the Data Controller. Upon termination, all data shall be returned or deleted.
15. Governing Law and Dispute Resolution
This agreement is governed by Norwegian law, and disputes shall be resolved by Oslo District Court.