DATA PROCESSING AGREEMENT (DPA)

Effective date May 27th, 2026

1. Definitions

For the purposes of this agreement, specific terms carry established legal meanings in accordance with European data protection laws.

"Applicable Data Protection Laws" refers to all legislation governing the processing of personal data under this agreement, primarily the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Norwegian Personal Data Act.

"Personal Data" encompasses any information relating to an identified or identifiable natural person, who is referred to as the "Data Subject".

"Processing" means any operation or set of operations performed on personal data, such as collection, recording, storage, alteration, or transfer.

"Data Controller" is the Customer of Spense's services and the entity that alone or jointly determines the purposes and means of the processing, while "Data Processor" is the entity processing personal data on behalf of the Controller.

"Sub-processor" is any third-party data processor engaged by Spense to assist in fulfilling its service obligations.

"Personal Data Breach" constitutes a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, protected personal data.

“Instructions” means the documented instructions issued by the Customer to Spense for the processing of Customer Personal Data, including the service agreement, this Data Processing Agreement, configuration choices made by the Controller within the Services, and written instructions agreed between the Parties.

2. Background and Roles of the Parties

For the processing of Personal Data under this Data Processing Agreement, the Controller acts as Controller and Spense acts as Processor. Spense shall process Controller Personal Data only on behalf of the Controller and in accordance with this Data Processing Agreement, the applicable service agreement, and the Controller’s documented instructions. Spense may process certain personal data as an independent controller where such processing is necessary for Spense’s own legitimate business, legal, regulatory, security, accounting, tax, compliance, Controller relationship management, fraud prevention, service administration, or legal claims purposes. Such independent controller processing is not governed by this Data Processing Agreement, except where expressly stated.

The Parties acknowledge that they are separate entities and are not acting as Joint Controllers. This agreement establishes the binding legal framework to ensure compliance with Applicable Data Protection Laws.

3. Processing Instructions and Confidentiality

Spense shall process Personal Data exclusively in accordance with the documented instructions provided by the Controller, which are defined by the agreed-upon services and operations within the platform, set out in Appendix A. If Spense believes an instruction violates Applicable Data Protection Laws, it will notify the Controller immediately and may pause the specific processing activity until the legal conflict is resolved. Spense guarantees that all personnel and external staff authorized to process the data are bound by strict obligations of confidentiality and have received appropriate training on the secure handling of Personal Data.

If Spense is required to process Personal Data by applicable law, Spense shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

4. Security and Organizational Measures

Spense maintains robust technical and organizational measures designed to ensure a high level of security appropriate to the risk of processing, as detailed in Appendix B. Spense commits to regular evaluations, testing, and audits of these security frameworks to protect against a Personal Data Breach.

5. Engagement of Sub-processors

The Controller provides general written authorization for Spense to engage Sub-processors to assist in delivering the platform services, as listed in Appendix A. Spense will maintain an up-to-date list of active Sub-processors and will provide the Controller with a mechanism to receive notifications regarding any planned additions or replacements. Upon receiving such notification, the Controller will have a 10-day period to raise legitimate, data-protection-related objections before the new Sub-processor begins processing data. Spense remains fully liable to the Controller for the performance and regulatory compliance of any engaged Sub-processor.

6. International Data Transfers

Spense primarily stores and processes Personal Data within the European Economic Area. In the event that data must be transferred to a third country outside this area that lacks an adequacy decision from the European Commission, Spense ensures that such cross-border transfers are legally governed by valid Standard Contractual Clauses. Spense will also implement any necessary supplementary technical, organizational, and contractual measures to guarantee that the transferred data receives an equivalent level of protection to that mandated by European law.

Where Personal Data is transferred to a country outside the European Economic Area that is not subject to an adequacy decision, Spense shall ensure that an appropriate transfer mechanism is in place in accordance with Applicable Data Protection Laws. Such mechanism may include the European Commission’s Standard Contractual Clauses, an applicable adequacy framework, including the EU-U.S. Data Privacy Framework where applicable, or another lawful transfer mechanism.

Where required by Applicable Data Protection Laws, Spense shall implement reasonable supplementary measures, taking into account the nature of the Controller Personal Data, the transfer mechanism, the recipient, the destination country, and the risk associated with the transfer.

7. Data Subject Rights and Incident Management

As the Data Controller, the Controller remains solely responsible for responding to Data Subject requests. Spense will provide reasonable technical assistance to help the Customer fulfill obligations regarding the access, rectification, restriction, or deletion of data. In the event of a suspected or confirmed Personal Data Breach, Spense shall notify the Controller without undue delay, and no later than 36 hours after becoming aware of the incident or the information that may implicate a breach. This formal notification will at least include (1) details of the breach, (2) the affected data categories, and (3) the immediate mitigation steps taken by Spense to secure the environment. The Controller should also provide other information known to them where this could be relevant to Spense.

Spense shall be entitled to reimbursement from the Customer for reasonable costs incurred by Spense in providing assistance to the Customer in connection with Data Subject requests, except to the extent such reimbursement is prohibited by Applicable Data Protection Laws. Spense shall, where reasonably practicable, inform the Customer of any expected costs before incurring them.

Appendix A: Data Processing Details and Authorized Sub-processors

Data Subjects and Categories of Personal Data

The processing involves data regarding End-customers, defined as individuals who make payments for goods or services, and Employees, who are individuals involved in the processing, handling, or reconciliation of those payments. For end-customers, Spense processes as follows:

  • Personal identifiers (name, email address, phone number, optional: address)

  • Transaction-related metadata (date, amount, currency, order details, original invoice data, vehicle identification number, information on the type of payment method used, purchase history) necessary to enable payment processing and reconciliation.

Regardless of the categorization above, we process data related to the technical installation and data. We collect IP addresses, user agent data, browser and interaction logs for security, monitoring, troubleshooting, and service improvement. For employees, we collect names and email addresses for secure login purposes.

Purpose of Processing

The core purpose of processing this information is to generate payments and ensure that they are correctly routed and sent to the end-customer.

Deletion of the data

The Processor shall, without undue delay and in any event within sixty (60) days after the termination of this agreement, permanently delete or irreversibly anonymize all Company Data in its possession or control, including any copies stored in active systems.

Duration of the processing

Spense processes Personal Data for the duration of the Services and thereafter only as necessary for deletion, return, backup retention, legal compliance, dispute resolution, security, or other purposes permitted under the Data Processing Agreement.

Authorized Sub-processors

The following table details the authorized Sub-processors engaged by Spense, including their processing locations and core functions:

| Name | CVR / Org. No. | Address | Description of Processing | Location(s) of Processing |
|---|---|---|---|---|
| Microsoft Datacenter | 921 816 561 | Dronning Eufemias gate 71, 0194 Oslo | Hosting services, data storage | Norway |
| Google Cloud | IE660412 | Via Giacomo Peroni, 292, 00131 Roma RM, Italy | Hosting services, data storage | Germany, Netherlands |
| Google | 368047 | Gordon House, 4 Barrow Street, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland | Support email | EU |
| Sentry | 47-4554430 | Functional Software, Inc., 45 Fremont Street, San Francisco, CA 94105 | Alerting, monitoring | US |
| MailGun | 877 523 639 | 43 Rue de Dunkerque, 75010 Paris, France | Email Messaging | EU |
| LinkMobility | 992 434 643 | Gullhaug Torg 5, 0484 Oslo | SMS Messaging | EU |
| DataFactory | 917 254 532 | Youngstorget 3, 0181 Oslo | Lookup of phone numbers, to retrieve name, address, etc. | Norway |
| Neonomics | 919 041 021 | Ruseløkkveien 26, 0251 Oslo | Initiating open banking transfers on behalf of customers | EU |
| Telenor | 976 967 631 | Snarøyveien 30, 1360 Fornebu | Support phone calls (the caller and duration of the phone call are saved) | EU |

Appendix B: Technical and Organizational Measures (TOMs)

Spense has implemented several key mechanisms to safeguard data integrity and ensure confidentiality:

Encryption: All personal data is fully encrypted during transfer across networks.

Access Controls: Strict access controls are enforced for Spense employees as well as for user sites, requiring proper authentication and authorization before any access to the platform is granted.

Data Minimization: The platform is designed to collect only the absolute minimum amount of personal data necessary to fulfill the product's purpose.

Backups: Comprehensive backups are maintained to guarantee that data integrity can be upheld even in the event of data loss or corruption, and to enable swift recovery of data.