Data processing agreement

Conclusion of data processing agreement with Onlime under the General Data Protection Regulation (GDPR)

We offer a data processing agreement (open here) to companies or organisations that process personal data and use an Onlime business account for this purpose. According to Article 4 of the GDPR, you are the controller and we are the processor, processing data only on your instructions, by virtue of the fact that you, or the users of the business account, use the service to store files.

We offer one general data processing agreement, as our processing is the same for all users of our service. The Data Processing Agreement is an annex to our Terms of Use and forms an integral part thereof.

The data processing agreement is concluded by a person (DPO if appointed - read more here) on behalf of an organisation or company.

  1. Sign the data processor agreement
  2. Send it to
  3. We review the agreement and approve it definitively

If you have any questions, please do not hesitate to contact us.

Questions & answers about the data processing agreement

What is the GDPR?
According to the EU's Personal Data Regulation, as of 25 January 2010, companies must May 2018, companies must comply with various requirements when processing personal data. Among other things, you must:

  • What data is processed.
  • Where data is processed - physically and by which parties.
  • Who has access to this data.
  • How this data is protected

In addition, the Regulation ensures that ordinary internet users have better rights, including to:

  • Get insight into the data a company/organisation has about a
  • How these are used.
  • Have data deleted or handed over.
  • Get control over what data you disclose.

Read more here:

When to use a data processing agreement?
data processing agreement must be concluded between organisations or companies and the third parties or sub-processors they may use for processing personal data.

For example, if you own a website with a contact form, data processing takes place when the data subject (e.g. a customer) provides his contact details. Thus, a data processing agreement must be concluded with the hosting provider of the website as personal data is processed and stored on their servers.

What is personal data
Personal data is any information about an identified or identifiable individual. This can be general contact information such as name, email, address, job title, CV, account number, etc.

Particularly sensitive personal data is information about, for example, a person's health and sexual, political and religious orientation.

About digital security at Onlime

Read more below about how we continuously protect personal data in accordance with the requirements and obligations set out in our privacy policy and data processing agreement.

Onlime follows the principles for processing personal data in the GDPR and the Personal Data Act and has implemented a data protection strategy to ensure compliance with the GDPR.

All processing of personal data is continuously assessed and audited against these security principles to minimize the risk to the rights of data subjects.

Security breaches affecting data subjects' personal data are reported via email or Onlime's direct messaging system.

Do you have questions for our DPO? Write to

Incident Response Plan

  • We have implemented a formal procedure for security incidents and have trained all our employees on our policies.
  • When security incidents are detected, they are escalated to our emergency alias, teams are searched, notified and assembled to quickly handle the incident.
  • After a security incident is corrected, we write a post mortem analysis.
  • The analysis is reviewed in person, distributed across the company and includes action points that will facilitate the detection and prevention of a similar event in the future.

Best practice

  • We develop Onlime with a focus on minimising personal data collection
  • We develop features that use machine learning on physical devices rather than on our servers whenever possible.
  • We do not use personally identifiable user data to develop features of the service or for purposes other than those to which the user explicitly consents.

Build Process Automation

  • We have working, frequently used automation in place so we can safely and reliably deploy changes to both our application and operating platform within minutes.
  • We typically deploy code several times a day, so we have a lot of confidence that we can get a security fix out quickly when it's needed.


  • All our services run in our own data centre. We use our own routers, load balancers and physical servers.
  • We use both our own internal DNS servers and external DNS servers.
  • Our data centres are located in Norway at Green Mountain SVG1 - Rennesøy which is certified with i.a. ISO/IEC 27001:2013 - Information Security Management System. Onlime services are built with disaster recovery in mind.
  • All our servers are within our own private network with network access control lists (ACLs) that prevent unauthorised requests from accessing our internal network.

Service levels

  • Our uptime is 99.9% or higher.
  • All files transferred to the service are stored in Norway.
  • We do not have individual data warehouses for each customer. However, strict confidentiality controls are in place in our application code to ensure data protection and prevent a customer from accessing another customer's data.
  • All data is encrypted at rest on the server

Data transfer

  • All data sent to or from Onlime is encrypted in transit using 256 bit encryption.
  • Our API and application endpoints are TLS/SSL only and receive an "A+" rating on SSL Labs' test. This means we only use strong encryption packages and have features like HSTS and Perfect Forward Secrecy fully enabled.


  • The Onlime service is delivered 100% over https.
  • We have two-factor authentication (2FA) and strong password policies to ensure access to cloud services is protected.

Permissions and access management

  • Onlime makes it possible to set permission levels for all customer end users with access to Onlime management tools.
  • We restrict access to personal data to only those employees who have a business need to know and who have signed confidentiality agreements.

Application monitoring

  • At application level, we produce audit logs for all activity
  • All access to Onlime applications is logged and audited


  • We enter into written sub-processor agreements with all our sub-processors.
  • We ensure that any transfers of personal data to third countries are done in accordance with applicable data protection rules, either by using standard contractual clauses or by choosing recipients certified under the Privacy Shield.
  • We continuously train our employees on applicable data protection regulations and our internal policies and procedures.
  • We conduct regular audits of our systems and processes to ensure their effectiveness and compliance.

PCI Commitments

Onlime is not subject to PCI obligations. All processing of payment instruments is handled by our external payment processor.