DATA PROCESSING AGREEMENT
Last updated: 07.09.2025
1. About the agreement
This data processing agreement with attachments (hereinafter referred to as the “Agreement”) is entered into between Companies (hereinafter referred to as the “Data Controller”) that offer Services from assistertselvhjelp.no and trigga.no to service recipients (hereinafter referred to as the “End Users”), and Assistert Selvhjelp AS (hereinafter referred to as the “Data Processor”). The Agreement regulates the rights and obligations between the Data Controller and the Data Processor (hereinafter referred to as the “Parties”) according to:
- Act on the Processing of Personal Data of 15 June 2018 No. 38 (Personal Data Act);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (hereinafter referred to as the “GDPR”);
- Act on Health Registers and Processing of Health Registers of 20 June 2014 No. 43 (Health Registers Act);
- Act on the Processing of Health Information in the Provision of Health Care of 20 June 2014 No. 42 (Patient Records Act); and
- Any law, regulation or other rule that amends or replaces the above rules.
In the event of a conflict between the provisions of the Agreement and the framework resulting from the data protection regulations or relevant health legislation, the data protection regulations and the health legislation shall prevail. In the event of a conflict between this Agreement and the Service/Assignment Agreement, this Agreement shall apply.
Attachment to the agreement:
- Appendix 1: Purpose of processing, information and processing
- Appendix 2: Subcontractors
2. Definitions
The terms “personal data”, “health data”, “processing”, “data controller”, “data processor” and “personal data breach” shall be understood as defined in Article 4 of the General Data Protection Regulation, Section 2 of the Health Registers Act and Section 2 of the Patient Records Act.
3. Purpose of the Agreement
The purpose of the Agreement is to ensure the rights of the data subjects and the parties' compliance with Article 28, paragraph 3, of the General Data Protection Regulation.
4. Scope
This Agreement applies to all processing of health and personal data that the Data Processor carries out on behalf of the Data Controller on the basis of the Service/Assignment Agreement.
This Agreement will also apply to further processing of health and personal data based on any written agreements between the parties entered into during the term of this Agreement and which involve the Data Processor processing health and personal data on behalf of the Data Controller (hereinafter referred to as “subsequent written agreements between the parties”).
5. Purpose of processing, information and processing
The purpose and duration of the processing of health and personal data, which health and personal data are processed, categories of data subjects and processing activities are stated in Appendix 1.
6. The framework for processing health and personal data
The Data Controller has full control at all times over the health and personal data that the Data Processor processes under this Agreement. The Data Processor does not have independent control over the health and personal data, and cannot process it for its own purposes.
The Data Controller has, unless otherwise agreed or required by law, the right to access and review the health and personal data processed by the Data Processor.
7. Data controller's obligations
The data controller shall comply with the obligations arising from the data protection regulations, cf. Article 24 of the General Data Protection Regulation, relevant health legislation and other special legislation, as well as this Agreement.
The data controller is responsible for ensuring that the data protection principles are complied with, cf. Article 5 of the General Data Protection Regulation, and shall, among other things, ensure that the processing of information is purpose-specific and based on a valid legal basis.
8. Data processor's obligations
8.1. General
The Data Processor undertakes to process health and personal data only in accordance with applicable regulations, this Agreement, the Service/Assignment Agreement, the Data Controller's documented instructions and other applicable agreements between the parties, as well as the "Norm for information security in the health and care sector". The Data Processor shall not, by any action or omission, place the Data Controller in such a situation that the Data Controller violates applicable regulations as stated in Section 1 of the Agreement.
8.1.1 The Data Processor shall not:
a. process health and personal data for other purposes or to a greater extent or in a different manner than that provided for in this Agreement, Service/Assignment Agreement and any subsequent written agreements between the parties;
b. process health and personal data beyond what is necessary to fulfill the Data Processor's obligations under the agreements in force at any given time;
c. disclose, transfer or obtain health and personal data in any form to or from third parties on its own initiative, unless required by law or agreed in advance with the Data Controller or the Data Controller has approved this in writing;
8.1.2 The data processor shall:
a. have ongoing control over all categories of processing activities carried out on behalf of the Data Controller, cf. GDPR Article 30 No. 2, cf. also Appendix 1;
b. provide the Data Controller with access to and insight into health and personal data processed by the Data Processor on behalf of the Data Controller;
c. take all reasonable steps to assist the Data Controller in ensuring that the health and personal data are accurate and up-to-date at all times;
d. establish routines for deleting information in accordance with instructions or guidelines set by the Data Controller;
e. ensure that all persons who are given access to personal data processed on behalf of the Data Controller are familiar with this Agreement and applicable agreements between the parties, and are subject to the provisions of these agreements;
f. provide the Data Controller with the necessary assistance to enable the Data Controller to fulfil its obligations towards data subjects, including responding to requests from data subjects who wish to exercise their rights set out in Chapter III of the General Data Protection Regulation;
g. notify the Data Controller without undue delay if the Data Processor believes that an instruction is in breach of the General Data Protection Regulation or other provisions on the protection of personal data;
h. assist the Data Controller to ensure compliance with the obligations in the General Data Protection Regulation, articles 35-36, which deal with data protection impact assessments and prior discussions with the Norwegian Data Protection Authority;
i. immediately notify the Data Controller if it receives a request from an authority to disclose personal data processed under this Agreement. Unless disclosure is required by law, the Data Processor shall not comply with such a request without the prior written consent of the Data Controller.
8.2. Technical, organizational and security measures
The data processor is obliged to take and implement all technical, organizational and security measures so that there is at all times a level of security that is appropriate with regard to the risk involved in the processing of health and personal data.
The data processor must, as a minimum:
a. establish and comply with necessary technical and organizational measures with regard to the ongoing confidentiality, integrity, availability and robustness of the processing of health and personal data to ensure satisfactory information security in accordance with data protection regulations, including the requirements under Article 32 of the General Data Protection Regulation, and applicable health legislation.
b. ensure that requirements for privacy by design and privacy by default are met in the Data Processor's solutions. This includes building in functionality to comply with privacy principles as well as functionality to ensure the rights of the data subject, including the right to restricted processing;
c. have routines for internal control;
d. have routines for authorization and management that ensure that only those of the Data Processor's employees who have a business need for access to systems and information to carry out the tasks necessary for the implementation of the Service/Assignment Agreement are granted such access. The level of access shall be in accordance with the business need associated with carrying out the assignment. Strong authentication shall be established for access to health information;
e. establish necessary systems and routines to safeguard information security and follow up on deviations, which shall include, among other things, routines for deviation reporting, routines for backup, restoration of the normal situation, removal of the cause of the deviation and prevention of recurrence. Upon request, the Data Processor shall provide the Data Controller with access to relevant security documentation for the processing of health and personal data;
f. detect, record, report and close information security-related deviations, including logging and documenting any attempt at unauthorized access and other breaches of personal data security in the computer systems. Such documentation shall be kept by the Data Processor;
g. in the event of suspicion or ascertainment of a breach of personal data security, notify the Data Controller without undue delay. The notification shall state the breach with an explanation of the reason, period and time at which the breach was discovered, the categories of and approximate number of data subjects affected, the categories of and approximate number of personal data records affected, the name and contact details of the data protection officer or another contact point where more information can be obtained, the anticipated consequences of the breach and what immediate measures have been initiated or are being considered to address the breach. If and to the extent that it is not possible to provide all information at once, it may be provided in stages without further undue delay;
h. document any non-conformity, including the facts relating to the non-conformity, its effects and any corrective measures taken;
i. notify the Data Controller without undue delay in the event of unauthorized disclosure of personal data;
j. record all authorized and unauthorized access to information. All lookups made shall be recorded so that they can be traced to the individual user (i.e. employees of the Data Processor, subcontractors and the Data Controller). The logs shall be retained until they are no longer deemed to be of use or as specified in the Agreement or Service/Assignment Agreement;
k. assist the Data Controller in ensuring compliance with the obligations in the General Data Protection Regulation Articles 32–34, including, but not limited to:
– security of processing;
– notification to the supervisory authority of a personal data breach;
– notification of the data subject of a personal data breach;
l. notify the Data Controller of matters related to the Data Processor's obligations under the Service/Assignment Agreement that result in or may be deemed to result in a weakening of information security;
m. obtain written approval from the Data Controller before implementing any change to the data processing at the Data Processor that has or may have a negative impact on the information security of the processing pursuant to this Agreement.
In the event of a breach of this Agreement or of the provisions of the data protection regulations, health legislation or other relevant legislation, the Data Controller may require changes to the processing method or order the Data Processor to stop further processing of the information with immediate effect.
The Data Processor shall document its procedures and all measures taken to meet the requirements set out above. This documentation shall be made available to the Data Controller upon request.
9. Use of subcontractors
The Data Controller permits the Data Processor to use subcontractors to fulfill the obligations under the Agreement. The Data Processor only uses the subcontractors specified in Appendix 2 for the services specified there.
Data processor must:
a. ensure that the subcontractor assumes similar obligations to which the Data Processor itself is subject under the Agreement and applicable legislation;
b. keep an up-to-date list of the identity and location of subcontractors as specified in Appendix 2 and where they process personal data. The updated list shall be available to the Data Controller;
c. conduct a risk assessment of the use of subcontractors and their significance for the service before entering into an agreement with the subcontractor and, at the Data Controller's request, share the assessment with the Data Controller;
d. upon request of the Data Controller, provide a copy of the agreement(s) entered into with the subcontractors (with the exception of commercial terms). Such agreements must be entered into at the latest before the subcontractors start processing health and personal data;
e. inform the Data Controller of any plans to use other subcontractors or replace subcontractors. Such changes must be notified to the Data Controller in good time so that the Data Controller is given the opportunity to object to the change. When changing subcontractors, Appendix 2 is updated and submitted to the Data Controller before the new subcontractor starts processing. The change is also recorded in the list of subcontractors kept under letter b;
f. ensure that the Data Controller and the supervisory authorities have the same right of access and control over the processing of personal data by a subcontractor as the Data Controller has towards the Data Processor pursuant to clause 12 of the Agreement;
g. upon termination of the Agreement, ensure that subcontractors fulfill the obligation to return, delete or properly destroy all health and personal data and all possible copies and backup copies of the data, as set out in clause 13 of the Agreement.
The Data Processor is at all times fully responsible to the Data Controller for all work performed by subcontractors and for the subcontractors' compliance with the provisions of this Agreement.
10. Transfer of personal data abroad
The parties to this Agreement agree that none of the health and personal data processed under this Agreement shall be exported from Norway, unless specifically agreed between the parties. In addition, archival documents containing health and personal data shall be located on servers in Norway (cf. the Archives Act, Section 9, letter b), and any exceptions to this shall be explicitly approved by the Data Controller before this processing begins.
The Data Processor confirms that none of the subcontractors transfers health and personal data covered by this Agreement abroad, with the exception of such transfers as specified in Appendix 2. This also includes remote access from abroad.
The use of subcontractors who transfer health and personal data to countries outside the EU/EEA (third countries) must be agreed in writing with the Data Controller in advance. When transferring health and personal data to countries outside the EU/EEA (third countries), the Data Processor must use approved EU transfer mechanisms.
In the event of a transfer abroad, regardless of whether it is within the EU/EEA or outside the EU/EEA (third country), the Data Processor shall provide the necessary documentation on the security, risk and compliance level associated with the relevant subcontractors so that the Data Controller has the necessary information to be able to carry out a specific risk assessment. The Data Controller may refuse consent to the relevant transfer based on specific risks arising from the Data Controller's own risk assessment.
11. Confidentiality
The Data Processor's employees and others acting on behalf of the Data Processor in connection with the processing of health and personal data pursuant to this Agreement, Service/Assignment Agreement and subsequent written agreements between the parties shall be subject to a duty of confidentiality pursuant to this Agreement and applicable regulations. Persons authorized to process the health and personal data undertake to treat the data confidentially. The same applies to any subcontractors.
Employees and others who act on behalf of the Data Processor in connection with the processing of health and personal data must have signed a confidentiality agreement. The provision applies correspondingly to subcontractors.
The data processor must ensure that everyone who processes personal data under the Agreement is aware of the duty of confidentiality.
The parties also have a duty of confidentiality regarding confidential information relating to each other's business, which is communicated in connection with the assignment.
The parties are obliged to take the necessary precautions to ensure that material or information is not made known to others in violation of this point.
The duty of confidentiality also applies after the termination of the Agreement.
12. Audit
The Data Processor shall, upon request, make available to the Data Controller all information necessary to demonstrate that the Data Processor's obligations set out in Article 28 of the General Data Protection Regulation and this Agreement have been fulfilled.
The Data Processor shall facilitate and contribute to inspections and audits carried out by or on behalf of the Data Controller. The Data Processor shall provide internal audit reports, internal procedures, routines, security architecture, risk and vulnerability analyses with measures and other documents of importance for the audit.
The Data Processor shall also facilitate and assist in inspections by relevant supervisory authorities. The Data Controller's supervision of any subcontractors shall take place through the Data Processor unless otherwise specifically agreed.
If an audit reveals non-compliance with the obligations in the applicable privacy regulations or the Agreement, the Data Processor shall rectify the non-compliance without undue delay. The Data Controller may require the Data Processor to temporarily stop all or part of the processing activities until the rectification has been approved by the Data Controller.
Each Party shall bear its own costs associated with inspections by relevant supervisory authorities and up to one annual audit initiated by the Data Controller. If an audit reveals material breaches of obligations under applicable data protection regulations or the Agreement, the Data Processor shall nevertheless cover the Data Controller's reasonable costs associated with the audit.
13. Duration and termination
The data processing agreement applies from the conclusion of the Agreement and for as long as the Data Processor processes Personal Data on behalf of the Data Controller.
During this period, the Agreement applies unless other provisions regulating the Data Processor's processing of Personal Data on behalf of the Data Controller are agreed between the Parties.
Upon termination of the Agreement, the Data Processor shall facilitate and assist in the return of all health and personal data that the Data Processor has received and processed on behalf of the Data Controller. The parties shall agree in more detail how the transfer shall take place.
After all information has been transferred to the Data Controller and confirmed receipt by the latter, the Data Processor shall irreversibly delete or properly destroy all information and all possible copies and backup copies of the information in its systems, unless other regulations require that the health and personal information continue to be stored.
If shared infrastructure is used where direct deletion is not technically possible, the Data Processor must ensure that data is made inaccessible until this data has been overwritten by the system.
The Data Processor shall provide the Data Controller with written confirmation that the information has been transferred and deleted as stated above.
14. Amendment of agreement
15. Applicable law, disputes and venue
The agreement is governed by Norwegian law. Disputes will be resolved in accordance with the provisions of the Service/Assignment Agreement, including any provisions on venue.
ANNEX 1
A. Purpose and duration of the processing(s)
The purpose
Assisted Self-Help / Trigga: End Users
The purpose of the processing of health and personal data is to provide professionals at the Data Controller (the Company) with insight into the End User's registrations, so that they can provide the best possible follow-up. In practice, this means that the professionals - for as long as the End User uses the service under active follow-up and agrees to share data - can:
- track progress and usage ahead of appointments
- adjust the workload between follow-up sessions
- assess the usefulness and effect of the follow-up
Personal data is primarily recorded by the End User themselves. In addition, the professional, alone or together with the End User, may record assessments, surveys and clinical observations (including standardized scoring tools). This also covers records made by the professional alone, such as internal notes (for example, unfinished assessments, hypotheses or drafts that are not intended to be shared).
The processing is time-limited and ceases when the End User:
- themselves deletes their data in Settings, or
- is anonymized or deactivated by the system, e.g. due to lack of use (>12 months since last login).
Assisted Self-Help / Trigga: Businesses and Professionals
The purpose is to deliver the service in accordance with the Service Agreement, including identifying, registering and administering users (Professionals), as well as providing necessary support. This includes processing personal data such as name and contact information.
Personal identification numbers are only processed if the business or professional uses the optional additional service for logging in via HelseID or ID-porten.
The processing is time-limited and ends when:
- the business itself removes its employees' access, or
- the agreement with the business is terminated and Assistert Selvhjelp removes access.
B. Processing of health and personal data
The following processing operations are covered by the Agreement:
- Collection: The information is mainly collected by the End User registering data in the Service (e.g. answers to tasks, surveys, evaluations). In some cases, it may be the professional who registers the information on behalf of the End User.
- Registration: Information is entered into the system and linked to a pseudo-ID / user access.
- Structuring: The information is organized in a relational database in a systematic manner so that it can be handled securely and efficiently.
- Storage: Information is stored on secure servers and is available to end users and professionals (if consent is given).
- Compilation: Information is analyzed or aggregated (e.g. development over time, statistics for businesses, anonymized datasets for the Norwegian Institute of Public Health)
- Delivery/transfer: Information is only shared when necessary – for example, to professionals in the business (with the End User's consent), or to subcontractors of operational services (including two-factor login or technical notification services if this is included in the agreement).
- Deletion or destruction: End users can delete their own data at any time via Settings. The deletion is final and applies to both professionals and Assisted Self-Help's databases.
C. Types of information
The following personal data is processed:
Businesses (customer relations): name of business, organization number, contact person, email, telephone number, etc.
Health care professionals: first name and last name, workplace, position, telephone number and email address.
- When logging in via ID-porten or HelseID, the personal identification number is registered directly with the provider that offers the login service.
- At Assistert Selvhjelp, the personal identification number is stored exclusively in hashed form. There are no situations where it is stored or processed in clear text.
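The statement above (repeated in Annex 2) is that personal identification numbers are kept only in hashed form. The Agreement does not say which hash is used, and that detail decides whether "hashed" is an effective pseudonym at all. As an added example, not the Agreement's text nor Assistert Selvhjelp's code, the Python below shows why: a Norwegian fødselsnummer is DDMMYY plus a 3-digit individual number and two mod-11 check digits, so for a known birth date at most 1000 candidates exist, and an unkeyed SHA-256 is reversed by enumeration in milliseconds. An HMAC under a secret key held outside the application database is reversed only by someone who already holds that key. The check-digit weights are the standard public scheme; the birth date, the sample ID and the keys are constructed test values.

```python
import hashlib
import hmac
import secrets

# Weights of the standard mod-11 check-digit scheme for a Norwegian
# fødselsnummer: DDMMYY, a 3-digit individual number, then two check digits.
_WEIGHTS_K1 = (3, 7, 6, 1, 8, 9, 4, 5, 2)
_WEIGHTS_K2 = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def _check_digit(digits, weights):
    """Return the mod-11 check digit, or None when the combination is invalid."""
    r = 11 - sum(d * w for d, w in zip(digits, weights)) % 11
    if r == 11:
        return 0
    return None if r == 10 else r


def candidates_for_birthdate(ddmmyy):
    """Every syntactically valid ID sharing one birth date (at most 1000)."""
    base = [int(c) for c in ddmmyy]
    found = []
    for individual in range(1000):
        digits = base + [individual // 100, individual // 10 % 10, individual % 10]
        k1 = _check_digit(digits, _WEIGHTS_K1)
        if k1 is None:
            continue
        k2 = _check_digit(digits + [k1], _WEIGHTS_K2)
        if k2 is None:
            continue
        found.append("".join(str(d) for d in digits + [k1, k2]))
    return found


def plain_hash(pnr):
    """Unkeyed SHA-256: deterministic and computable by anyone who has the digest."""
    return hashlib.sha256(pnr.encode("ascii")).hexdigest()


def keyed_hash(pnr, key):
    """HMAC-SHA256 under a secret key stored separately from the database."""
    return hmac.new(key, pnr.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_hash(digest, ddmmyy, key=None):
    """Enumerate the candidate IDs for a birth date and match the digest.

    With key=None this attacks an unkeyed hash; with a key it only succeeds
    when the attacker already holds the correct key.
    """
    for candidate in candidates_for_birthdate(ddmmyy):
        h = plain_hash(candidate) if key is None else keyed_hash(candidate, key)
        if hmac.compare_digest(h, digest):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: one birth date and one valid ID from its candidate list.
    birthdate = "010190"
    pnr = candidates_for_birthdate(birthdate)[42]
    key = secrets.token_bytes(32)

    print("plain hash reversed to:", recover_from_hash(plain_hash(pnr), birthdate))
    print("keyed hash, wrong key: ", recover_from_hash(keyed_hash(pnr, key), birthdate, b"guess"))
    print("keyed hash, right key: ", recover_from_hash(keyed_hash(pnr, key), birthdate, key))
```

Even without a birth date the search space is only about 36,500 dates times 1000 individual numbers per century, so an unkeyed hash of a national ID is reversible in full, not just per date. A keyed hash (or a random surrogate in a separately protected lookup table) is what makes the "pseudonymized identifier" wording in Annex 2 hold up, and the key then belongs under the same access control and logging regime as the clear-text data would.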
The following sensitive categories of personal data are processed:
End users: information registered in the Service after logging in with a unique code (pseudo-ID), including:
- answers/answer categories to tasks and surveys (e.g. symptoms of anxiety or depression)
- overview of reviewed content
- scores and development over time
- technical logs (login date/time, time spent, browser/operating system, clickstream data)
- evaluations and feedback on use of the Service
Anonymization: Information is considered anonymous when it is not possible, with reasonable means, to identify individuals. When information is anonymized, it is not covered by the data protection regulations. Such information may be used for analysis and statistics, including development over time and evaluation of the service. Anonymized datasets may also be prepared and shared with the Norwegian Institute of Public Health (NIPH) for evaluation purposes.
D. Categories of data subjects
Personal data about the following categories of persons (data subjects) are processed:
- End users – people accessing the services (often called users/patients/clients)
- Health care professionals – employees in businesses that use the services to follow up on end users
- Contact persons in businesses – people responsible for customer relations, ordering and administration (e.g. managers or administrative contact persons)
ANNEX 2 – SUB-CONTRACTORS
Server provider
Nordlo Vennesla AS – Corporate ID number 928 775 305
Hunsøya, PM5, 4700 Vennesla
Processing location – Main server: Norway (Vennesla)
Processing location – Backup server: Norway (Haugesund)
Optional services:
1. HelseID
Norsk helsenett SF (NHN) – 994 598 759
Abels gate 9, 7031 Trondheim
Processing location: Norway (Trondheim)
Authentication of healthcare personnel and employees in businesses: Assistert Selvhjelp offers login via HelseID (managed by NHN). When this solution is used, NHN is the data controller for the personal data processed during authentication. Assistert Selvhjelp receives the necessary attributes in the form of pseudonymized identifiers and never stores personal identification numbers in clear text.
Login for end users via Helsenorge.no: When the professional's HelseID login is activated, End Users can also access Assistert Selvhjelp via Helsenorge.no. In this case, too, NHN is the data controller for the information processed during authentication, and Assistert Selvhjelp only receives pseudonymized identifiers that grant access to the service.
2. ID-porten login
Youwell AS – Organization number 916 293 739
C. Sundts gate 17, 5004 Bergen
Processing location: Norway (Eastern Norway)
Authentication of professionals/end users and SMS notification (end users): If professionals use ID-porten, End Users can access Assistert Selvhjelp using ID-porten as the login method. When this solution is used, Youwell AS is the data controller for the information processed during authentication. Assistert Selvhjelp only receives the necessary attributes in the form of pseudonymized identifiers.
As a general rule, all personal data is processed within Norway/EU/EEA. However, there is one limited exception:
Assistert Selvhjelp uses an external developer residing in Turkey, with a long-term and permanent connection (>10 years), who primarily performs development work outside the production environment. Access to the production server is granted only in the event of critical errors that cannot be resolved otherwise. In such cases, the developer may, on rare occasions, process pseudonymized end-user data or limited information about professionals (e.g. name and email).
Optional services:
- When HelseID is used, personal identification numbers are stored exclusively in hashed form at Assistert Selvhjelp. Personal identification numbers are never stored in clear text.
- When the ID-porten login provided by Youwell AS is used, no personal data necessary for authentication is processed by Assistert Selvhjelp at any time.
Legal basis for the developer's access: GDPR Art. 6 No. 1 Letter f (legitimate interest), as the access is necessary, proportionate and time-limited to ensure stable operation and information security.
Transfer basis:
- EU's Standard Contractual Clauses (SCC, module 3)
- Supplementary technical, organizational and contractual measures
- Completed Transfer Impact Assessment (TIA) documenting low risk
Logging and control routines:
- All access to the production environment is automatically logged, so that actions in the production database can be traced to the individual developer.
- Each such access is documented in the internal deviation system and reviewed by the security manager.
- Access is always time-limited and ends when the error is corrected.
Security measures for IP addresses:
To protect against security incidents (e.g. denial of service attacks), it may be necessary in very rare cases to log IP addresses in clear text for a short period of time. Such IP addresses are processed in isolation from other data, are never stored beyond what is strictly necessary, and are deleted immediately after use.
This is supported by GDPR Art. 6 No. 1 Letter f (legitimate interest), as the processing is necessary to protect digital infrastructure.
Other subcontractors
Assistert Selvhjelp confirms that none of the other subcontractors specified in the privacy statement transfers personal data covered by this Agreement to third countries.