Databehandleraftale

Version 1.0 | Ikrafttrædelsesdato: 14. april 2026

Databehandleraftale

Version 1.0 | Ikrafttrædelsesdato: 14. april 2026

Databehandlingsaftale

1 Parties to the Agreement

1.1 Data Controller:

The Customer who has entered into the Service Agreement. The person who has entered into the Service Agreement on behalf of the Customer is considered as the contact person.

1.2 Data Processor:

CARL HQ AS, Address: Bogstadveien 54 0366 OSLO Norge, Organization number: 934440323

Contact person: Petter Samuelsen, Title: CTO, Phone: 4745266868, Email: petter@carlhq.com

The Data Controller and Data Processor are individually referred to as a “Party” and collectively as the “Parties”.

2 Background and Purpose of the Agreement

The Data Processor has committed to deliver the services described in CARL HQ AS standard terms (the “Service Agreement”). The performance of this work means that the Data Processor will Process Personal Data on behalf of the Data Controller.

As a customer, the Data Controller determines the purpose of the Processing of Personal Data and which means shall be used.

This data processing agreement (the “Data Processing Agreement”) establishes the framework for the Data Processor’s Processing of Personal Data on behalf of the Data Controller.

The purpose of this Data Processing Agreement is to:

regulate the Parties’ rights and obligations when Processing Personal Data,

ensure that the requirements in the Data Protection Legislation and GDPR are complied with in the performance of the Service Agreement, and

ensure that Personal Data is not Processed unlawfully, comes into the hands of unauthorized persons, or is Processed for purposes other than those set out in this Data Processing Agreement.

In the event of conflict between the provisions of this Data Processing Agreement and other agreements between the Parties, including the Service Agreement, the provisions of the Data Processing Agreement shall prevail.

3 Definitions

The following definitions apply to this Data Processing Agreement:

“Data Processing Agreement” means the provisions set out in this data processing agreement with annexes.

“Personal Data” means all types of information or data that is considered personal data under the Data Protection Legislation and GDPR. This includes, but is not limited to, the information set out in Annex 1.

“Processing” (of Personal Data) means any use of Personal Data, for example collection, storage, organization, alteration or adaptation, disclosure and/or transfer.

“GDPR” means EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as implemented in Norwegian law).

“Data Protection Legislation” means the Act on the processing of personal data of 15 June 2018 No. 38 with accompanying regulations implementing the GDPR and all other relevant legislation regulating the parties’ processing of Personal Data.

“Law” means any other applicable legislation to which the Parties are subject.

“Sub-processor” means other data processors that the Data Processor uses to process the Personal Data.

“Data Subjects” means any identified or identifiable person to whom the Personal Data relates.

4 General

The Parties shall Process Personal Data in accordance with the Data Protection Legislation, GDPR and this Data Processing Agreement.

The Data Processor shall only collect, record, compile, store and otherwise Process Personal Data to the extent necessary to fulfill the Service Agreement and the Data Processing Agreement.

The Data Controller must ensure that there is a lawful basis for the Processing of the Personal Data.

5 Data Controller’s Right to Issue Instructions

The Data Processor shall only Process Personal Data according to documented instructions from the Data Controller.

The Data Processor may also Process Personal Data if this is required pursuant to Law to which the Data Processor is subject. In such case, the Data Processor shall notify the Data Controller of the legal obligation prior to Processing, unless the relevant Law prohibits such information from being provided on grounds of public interest.

The Data Controller’s instructions to the Data Processor are set out in this Data Processing Agreement with annexes.

Annex 1 to the Data Processing Agreement describes which categories of Personal Data the Data Processor may Process and the purpose of the Processing. The Data Processor shall not Process Personal Data for purposes other than those set out here.

The Data Controller may give the Data Processor subsequent instructions as long as the Data Processor Processes Personal Data on behalf of the Data Controller. Such subsequent instructions shall be given to the Data Processor in writing and must be documented.

The Parties shall immediately notify each other if one Party believes that instructions or requirements from the other Party are in breach of the Data Protection Legislation or GDPR.

6 Data Processor’s Duty to Assist the Data Controller

Taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to GDPR Articles 32 – 36.

This means that the Data Processor will need to be able to assist in connection with data protection impact assessments and prior consultations.

7 Personal Data Security

The Data Processor shall comply with the information security requirements that follow from the Data Protection Legislation and GDPR, and implement appropriate technical and organizational security measures to achieve a level of security appropriate to the risk, in accordance with GDPR Article 32.

The technical and organizational measures to be implemented are described in Annex 2.

The Data Processor shall also assist the Data Controller in ensuring compliance with the Data Controller’s obligations regarding adequate information security pursuant to GDPR Article 32.

8 Data Processor’s Use of Sub-processors

If the Data Processor engages a Sub-processor to carry out specific processing activities on behalf of the Data Controller, the relevant Sub-processor shall be subject to the same obligations as set out in this Data Processing Agreement through an agreement or other legal document.

The Data Processor shall ensure that the Sub-processor is aware of the Data Processor’s contractual and legal obligations and complies with these requirements.

The Data Processor shall be fully liable to the Data Controller for the Sub-processor’s compliance with its obligations.

The Sub-processors that the Data Processor uses in connection with the Service Agreement are set out in Annex 3. The Data Controller accepts that the Data Processor uses these Sub processors.

The Data Controller accepts that the Data Processor uses other Sub-processors than those described in Annex 3. If the Data Processor wishes to use new Sub-processors, the Data Processor shall notify the Data Controller of the name and contact information of Sub processors in advance. The Data Controller has the right to object to the Data Processor’s use of Sub-processors. If the Data Controller objects to the use of a new Sub-processor, the Data Controller shall inform the Data Processor without undue delay.

9 Data Processor’s Transfer of Personal Data Abroad

The Data Processor may transfer the Personal Data that the Data Processor processes on behalf of the Data Controller to the countries where the Data Processor and Sub-processors operate their business and store them there. These countries are specified in Annex 3. The Data Controller is aware of this and approves this transfer as long as it is necessary to carry out the agreed deliveries.

The Data Controller accepts that the Personal Data is processed outside Norway. However, the Data Processor shall not transfer Personal Data to countries outside the EU/EEA area or to an international organization without prior written consent from the Data Controller, unless the EU Commission has determined that the country or international organization ensures an adequate level of protection.

If the Data Controller approves such transfer of Personal Data to a country outside the EU/EEA area or to an international organization, the Data Processor shall ensure that the transfer takes place in accordance with the rules in GDPR Chapter V.

The Data Processor also undertakes to assess the level of protection in the third country or third countries to which personal data is to be transferred, and ensure that supplementary measures of a technical, organizational or contractual nature are implemented to ensure an essentially equivalent level of protection as in the EU/EEA.

10 Handling Data Subjects’ Rights

The Data Controller shall be the contact point for Data Subjects and provide necessary information about the Processing.

The Data Controller is responsible for handling Data Subjects’ requests for access, rectification, erasure, restriction, data portability, etc., and ensuring that such requests are accommodated.

The Data Processor shall, taking into account the nature of the Processing and to the extent possible through appropriate technical and organizational measures, assist the Data Controller in fulfilling the Data Controller’s duty to respond to requests submitted by Data Subjects with a view to exercising their rights set out in GDPR Chapter III.

If the Data Processor receives a request from a Data Subject, the Data Processor shall notify the Data Controller as soon as possible.

11 Incident Management and Notification

Any use of information systems in breach of the Data Processor’s established procedures, the Data Controller’s instructions, the Data Protection Legislation or GDPR, as well as any other security breach, shall be handled as an incident.

The Parties shall establish and maintain procedures and systematic measures for follow-up of incidents, including measures for restoration to normal conditions, removal of the cause of the incident and prevention of recurrence.

The Parties shall, as soon as they become aware of an incident, without undue delay and no later than within 36 hours, inform each other of any security breaches and immediately implement all necessary and appropriate measures to restore normal conditions.

The Data Controller is responsible for sending incident notifications to the Data Protection Authority and Data Subjects pursuant to GDPR Articles 33 and 34. The Data Processor shall, if necessary, assist the Data Controller in ensuring that GDPR Articles 33 and 34 are complied with.

12 Audit and Inspection

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations pursuant to the Data Protection Legislation, GDPR and this Data Processing Agreement.

The Data Processor shall enable and contribute to audits, including inspections, carried out by the Data Controller or another auditor authorized by the Data Controller, of the Data Processor’s compliance with GDPR, the Data Protection Legislation and this Data Processing Agreement. The Data Controller has the right to conduct such audits at its own expense, maximum once per year with four weeks’ advance notice.

13 Confidentiality and Duty of Secrecy

The Data Processor has a duty of confidentiality regarding the Personal Data and documentation that the Data Processor gains access to through the Data Processing Agreement. The duty of confidentiality also applies after the Data Processing Agreement has expired.

The Data Processor shall not disclose or provide access to the Personal Data to anyone other than its own employees, Sub-processors or employees of the Data Controller, unless this has been agreed in writing with the Data Controller or follows from law, regulation or decision by public authority.

The Data Processor shall ensure that persons authorized to Process the Personal Data have committed to Process the data confidentially in the form of a confidentiality agreement or are subject to an appropriate statutory duty of confidentiality.

14 Duration of the Agreement

The Agreement applies as long as the Data Processor processes Personal Data on behalf of the Data Controller.

15 Termination

When the Data Processing Agreement terminates, the Data Processor shall return all Personal Data covered by the Data Processing Agreement in a format suitable for further Processing by the Data Controller or a third party designated by the Data Controller.

Alternatively, the Data Controller may require that the Personal Data is erased and/or destroyed in accordance with the Data Controller’s written instructions.

The Parties agree in more detail on how transfer, or erasure and/or destruction shall specifically take place.

The Data Processor shall document in writing that erasure and/or destruction has been carried out in accordance with the agreement within a reasonable time after the Data Processing Agreement terminates.

An exception applies if the Data Protection Legislation, GDPR or Law requires that the Personal Data shall be retained further.

16 Governing Law and Venue

The Agreement is governed by Norwegian law. The Parties agree to Oslo District Court as venue.

Annexes to the Agreement

Annex 1 Description of the personal data and the purpose of the processing

Annex 2 Technical and organizational measures for information security

Annex 3 Overview of the Data Processor’s Sub-processors

Annex 1: Description of the personal data and the purpose of the processing

Contact details (e.g. phone number), communciation content (e.g. SMS messages, voice recordings, transcriptions), conversational metadata (e.g. timestamps, message status, conversation history). Behavioral data (e.g. sentiment analysis, lead qualification tags).

Annex 2: Description of technical and organizational security measures Availability

Production workloads run on managed cloud infrastructure with built-in redundancy across Vercel, Render, and Supabase platforms. Database operations utilizeSupabase’s automatic failover and point-in-time recovery capabilities. Application servers employ auto-scaling and health monitoring to handle traffic spikes and maintain service availability.Temporal Cloud orchestrates critical workflows with built-in retry mechanisms and durable execution guarantees. Real-time monitoring via SigNoz and application-level health checks track uptime, latency, and error rates. Automatedalerts notify the operations team of degraded performance or outages.Sub-processors are selected based on their uptime SLAs and infrastructure reliability, with periodic reviews of their status pages and incident reports.

Integrity

Role-based access control restricts data modifications to authorized personnel only.All database operations are logged with timestamps, user identity, and action details through Supabase audit logs. Application-level validation and database constraintsprevent malicious or accidental data corruption at entry points.Version control and peer-reviewed deployments ensure code changes are traceable and reversible. Temporal workflow histories provide immutable audit trails of all automated processing activities. Logs are retained for 90 days and reviewed during incident investigations. Sub-processors must maintain equivalent logging capabilities and notify Carl of any integrity incidents without undue delay.

Confidentiality

All data transmission uses TLS 1.3 encryption. Data at rest in Supabase isencrypted using AES-256 encryption with managed encryption keys. API keys,credentials, and sensitive configuration are stored in secure environment variablemanagement systems with access restricted to authorized service accounts.Employees and contractors sign confidentiality agreements and complete securityawareness training upon onboarding. Access to production systems requiresmulti-factor authentication and is granted on a least-privilege basis. Accesspermissions are reviewed quarterly and revoked immediately upon role changes ortermination. Sub-processors undergo security assessments before onboarding andmust demonstrate robust encryption and access control measures.

Transparency

Carl maintains an up-to-date sub-processor register detailing each entity’s role,location, and processing activities. Controllers receive at least 30 days’ notice of material sub-processor changes, allowing them to raise objections or requestclarifications. Documentation of processing activities and security policies are available upon request.In the event of a personal data breach, Carl will notify the Controller without undue delay, providing incident details, affected data categories, potential impact, and remediation measures. Security incident logs are maintained for audit purposes and accountability.

Intervenability

Controllers can access, retrieve, correct, export, or delete personal data throughCarl’s web platform and APIs. Data subject requests are processed within fivebusiness days, with actions propagated to all relevant sub-processors. Confirmation of completed actions is provided to the Controller.AI-generated content undergoes human review and approval workflows managed through Temporal. Controllers can intervene at any point to modify, reject, or suspend automated processing. Data can be marked as restricted to prevent further automated decisions pending resolution of objections.

Security audits

Carl performs annual security self-assessments and vulnerability scans following major releases. Findings are prioritized, assigned to responsible parties, and tracked to closure. Security assessment summaries can be shared with Controllers underappropriate confidentiality agreements.Controllers may conduct one audit per contract year with 30

days’ advance notice,subject to reasonable business-hours constraints. Carl will provide evidence of security controls and, where legally permissible, sub-processor compliance or audit reports.

Portability

Upon request, Carl exports all personal data in structured formats including JSONand CSV. Exports include conversation histories, transcriptions, customer profiles,messages, and associated metadata. Data can be transferred directly to another processor via secure channels if technically feasible.Export functionality is tested quarterly to ensure completeness and accuracy. APIdocumentation is maintained to enable Controllers to perform incremental data exports at any time during the contract period. No proprietary formats are used that would create vendor lock-in.

Accountability

A designated Data Protection Officer oversees GDPR compliance, security incident management, and policy maintenance. Carl maintains documented information security policies aligned with GDPR Article 32 requirements and keeps Records ofProcessing Activities current.Comprehensive audit logs capture administrative actions across all systems and are preserved for one year minimum. Data Processing Agreements with sub-processors include GDPR-level obligations, and Carl remains accountable to the Controller forsub-processor performance. Quarterly management reviews assess controleffectiveness and approve remediation plans.

Data retention and deletion

Personal data is retained only for the duration necessary to fulfill contracted services and legal obligations. Automated retention policies ensure draft messages expire after configured timeout periods. Conversation data and related records are retained according to documented schedules.Upon Controller instruction or contract termination, Carl securely deletes all personal data within 30 days, including from backup systems once retention periods expire.Deletion instructions are propagated to all sub-processors with written confirmation obtained for audit records.

Physical securityCarl utilizes cloud infrastructure providers with SOC 2 Type II and ISO 27001certifications. Physical data center security is managed by Vercel, Render,Supabase, and other sub-processors, who maintain 24/7 surveillance, biometric access controls, and environmental monitoring at their facilities.Carl personnel work from secured locations. Lost or stolen devices must be reported immediately and are remotely wiped. Physical document handling follows clean-desk policies with secure disposal of any materials containing personal data.

Annex 3: Overview of the Data Processor’s sub-processors

All processing locations are inside the EU / EU economic zone.

Microsoft Corporation

Address: One Microsoft Way, Redmond, WA 98052-6399, USA
Function: AI transcription models, LLM models, AI agent orchestration, speech-to text transcription
Entity country of establishment: US
Processing locations: US, Sweden

LiveKit Incorporated