Data processing agreement

Conclusion of data processing agreement with Onlime under the General Data Protection Regulation (GDPR)

We offer a data processing agreement (open here) to companies or organisations that process personal data and use an Onlime business account for this purpose. According to Article 4 of the GDPR, you are the controller and we are the processor, processing data only on your instructions, by virtue of the fact that you, or the users of the business account, use the service to store files.

We offer one general data processing agreement, as our processing is the same for all users of our service. The Data Processing Agreement is an annex to our Terms of Use and forms an integral part thereof.

The data processing agreement is concluded by a person (DPO if appointed - read more here) on behalf of an organisation or company.

Sign the data processor agreement
Send it to privacy@onlime.dk
We review the agreement and approve it definitively

If you have any questions, please do not hesitate to contact us.

Questions & answers about the data processing agreement

What is the GDPR?
According to the EU's Personal Data Regulation, as of 25 January 2010, companies must May 2018, companies must comply with various requirements when processing personal data. Among other things, you must:

What data is processed.
Where data is processed - physically and by which parties.
Who has access to this data.
How this data is protected

In addition, the Regulation ensures that ordinary internet users have better rights, including to:

Get insight into the data a company/organisation has about a
How these are used.
Have data deleted or handed over.
Get control over what data you disclose.

When to use a data processing agreement?
Adata processing agreement must be concluded between organisations or companies and the third parties or sub-processors they may use for processing personal data.

For example, if you own a website with a contact form, data processing takes place when the data subject (e.g. a customer) provides his contact details. Thus, a data processing agreement must be concluded with the hosting provider of the website as personal data is processed and stored on their servers.

What is personal data
Personal data is any information about an identified or identifiable individual. This can be general contact information such as name, email, address, job title, CV, account number, etc.

Particularly sensitive personal data is information about, for example, a person's health and sexual, political and religious orientation.

Information about digital security at Onlime

Keeping our customers' data secure is a core mission at Onlime. We respect your privacy and we protect your data - read more about how we work to protect your and your organisation's security below.

Do you have any questions? Write to privacy@onlime.dk

Incident Response Plan

We have implemented a formal procedure for security incidents and have trained all our employees on our policies.
When security incidents are detected, they are escalated to our emergency alias, teams are searched, notified and assembled to quickly deal with the incident.
After a security incident is corrected, we write a post mortem analysis.
The analysis is reviewed in person, distributed across the company and includes action points that will facilitate the detection and prevention of a similar event in the future.

Best practice

We develop Onlime with a focus on minimising personal data collection
We develop features that use machine learning on physical devices rather than on our servers whenever possible.
We do not use personally identifiable user data to develop features of the service or for purposes other than those to which the user explicitly consents.

Build Process Automation

We have working, frequently used automation in place so we can safely and reliably deploy changes to both our application and operating platform within minutes.
We typically deploy code several times a day, so we have a lot of confidence that we can get a security fix out quickly when it's needed.

Infrastructure

All our services run in our own data centre. We use our own routers, load balancers and physical servers.
We use both our own internal DNS servers and external DNS servers.
Our data centres are located in Norway at Green Mountain SVG1 - Rennesøy which is certified with i.a. ISO/IEC 27001:2013 - Information Security Management System. Onlime services are built with disaster recovery in mind.
All our servers are within our own private network with network access control lists (ACLs) that prevent unauthorised requests from accessing our internal network.

Service levels

Our uptime is 99.9% or higher.
All files uploaded to the service are stored in Norway.
We do not have individual data warehouses for each customer. However, strict confidentiality controls are in place in our application code to ensure data protection and prevent a customer from accessing another customer's data.
All data is encrypted at rest on the server

Data transfer

All data sent to or from Onlime is encrypted in transit using 256 bit encryption.
Our API and application endpoints are TLS/SSL only and receive an "A+" rating on SSL Labs' test. This means we only use strong encryption packages and have features like HSTS and Perfect Forward Secrecy fully enabled.

Approval

The Onlime service is delivered 100% over https.
We have two-factor authentication (2FA) and strong password policies to ensure access to cloud services is protected.

Permits and administrator controls

Onlime allows you to set permission levels for all employees with access to Onlime management tools.

Application monitoring

At application level, we produce audit logs for all activity
All access to Onlime applications is logged and audited

Compliance

Onlime complies with European and Norwegian privacy legislation and GDPR.

PCI Commitments

Onlime is not subject to PCI obligations. All processing of payment instruments is handled by our external payment processor.