Data Processing Addendum (DPA) for Markular SaaS
This Data Processing Addendum (“DPA”) forms part of the SaaS Subscription Agreement available on this page between Markular AS and Customer (the “Agreement”) under which Markular provides its Software-as-a-Service for Crew Management.
1. Definitions
“Data Center Region” means the region offered by Markular and chosen by Customer in which Markular stores Customer’s Personal Data in a data center. Available data centers are listed in our Data Processors documentation.
“Data Controller” means the legal entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the legal entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPA.
“Data Subject” means an identifiable natural person to whom the Processing of Personal Data relates.
“EEA” means the European Economic Area.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Personal Data” means Personal Data relating to a Data Subject as an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Processing” or “Process” means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, altering, retrieving, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, restricting, erasing or destroying.
“Subprocessor” means a third party engaged by Markular as a Data Processor under this DPA.
“Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data pursuant to GDPR.
2. Processing of Personal Data
Scope and roles of the parties
This DPA applies to Markular’s Processing of Personal Data by virtue of providing the Service to Customer. For the purposes of this DPA, Customer is the Data Controller and Markular is the Data Processor Processing Personal Data on Customer’s behalf.
Purpose and duration of the Processing
Markular will Process Personal Data to provide Markular’s Software-as-a-Service for Crew Management. The duration of Processing Personal Data shall be for the term of the Agreement.
Types of Personal Data and categories of Data Subjects
The types of Personal Data and categories of Data Subjects are set forth in Appendix 1 below.
Instructions for Processing
Markular shall Process Personal Data in accordance with Customer’s documented instructions, including with regard to transfers of Personal Data to a Third Country. Customer instructs Markular to Process Personal Data to provide the Service in accordance with the Agreement and this DPA. Markular may Process Personal Data otherwise than on Customer’s instructions if requested to do so by applicable law. Markular will in such case inform Customer of that legal requirement before Processing unless that law prohibits such information on important grounds of public interest.
Markular personnel
Markular ensures that all personnel authorized to Process Personal Data are subject to a perpetual confidentiality obligation, and that such personnel receive appropriate training on their responsibilities regarding the Processing and safeguarding of Personal Data pursuant to applicable Data Protection Laws. Authorized personnel shall only be granted access to Process Personal Data to the extent strictly necessary to carry out the Agreement.
Return and deletion of Personal Data
Markular shall return and delete Personal Data in accordance with the Agreement upon termination of the Agreement. Markular shall confirm upon written request from Customer that such return and deletion has been conducted.
Compliance with laws
Markular shall comply with all Data Protection Laws applicable to Markular in its role as a Data Processor Processing Personal Data. Customer shall comply with all Data Protection Laws applicable to Customer as a Data Controller.
3. Subprocessors
Authorization to engage Subprocessors
Markular may engage Subprocessors to provide certain services on its behalf. Customer authorizes Markular to engage the Subprocessors listed in Appendix 2 and available on our Data Processors page. Customer acknowledges that this authorization constitutes prior written consent to Processing of Personal Data by the listed Subprocessors.
Subprocessors’ compliance
Markular is fully responsible for its Subprocessors’ compliance with this DPA. Markular shall conclude a written agreement with each Subprocessor (i) making the Subprocessor subject to at least the same level of data protection as imposed on Markular in this DPA, and (ii) restricting Subprocessor from Processing Personal Data for any other purpose than delivering the contracted services.
Notification of new Subprocessors
Markular may replace or engage new Subprocessors. Markular shall in such case give Customer 30 days prior written notice before the new Subprocessor is authorized to Process Personal Data.
Subprocessor’s objection right
Customer is entitled to object to the engagement of a new Subprocessor within 14 calendar days from Markular’s prior written notice. The objection notice shall be given in writing and describe Customer’s reasonable grounds for objection. Markular shall notify Customer at least 14 calendar days before authorizing the new Subprocessor to Process Personal Data if Markular chooses to retain the Subprocessor. Customer may in such case discontinue using the Service immediately and terminate the Agreement with 30 calendar days prior written notice from Markular’s notification. Customer is entitled to a refund proportional to the remaining Subscription Period already paid for.
4. Data center regions and data transfers
Storage of Personal Data
Personal Data will be stored in the Data Center Region chosen by Customer.
Transfer of Personal Data
Markular will not transfer Personal Data from Customer’s chosen Data Center Region except as necessary to provide the Services to Customer or to comply with law or a valid and binding order of a governmental body. Markular ensures that it will only transfer Personal Data from the EEA to a Third Country by using appropriate safeguards such as, but not limited to, the EU Standard Contractual Clauses applicable at any time. Customer agrees that Personal Data may be temporarily transferred to a Third Country on the conditions outlined in this Section.
5. Rights of Data Subjects
Requests from Data Subjects
Customer is responsible for responding to Data Subjects’ requests for access, correction, deletion, or restriction of that person’s Personal Data. If Markular receives a request from a Data Subject, Markular shall promptly redirect the Data Subject to the Customer.
Markular’s assistance
Markular shall comply with Customer’s reasonable requests on behalf of Data Subjects pursuant to Data Protection Laws to (a) correct, delete, or restrict Processing of Personal Data, (b) make available Personal Data and associated Processing information, and (c) enable data portability of a Data Subject’s Personal Data if alternative (a), (b) or (c) is not feasible for Customer through the Service. Markular may charge Customer for reasonable costs incurred on a time and material basis for assistance according to this Section.
6. Security of Personal Data
Security of Processing
Markular shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Markular shall ensure a level of security appropriate to the risk, including encryption of Personal Data to ensure ongoing confidentiality, integrity, availability, and resilience of Markular’s Service and associated systems as described in Appendix 3.
Personal Data Breach
Markular shall without undue delay notify Customer when becoming aware of a Personal Data Breach. Such notification shall describe (i) the nature of the Personal Data Breach, (ii) the details of a contact point where more information concerning the Personal Data Breach can be obtained, (iii) the Personal Data Breach’s effect and consequences for the Service, and (iv) the measures taken or proposed to be taken by Markular to address the Personal Data Breach, including measures to mitigate its possible adverse effects. Markular shall cooperate with and assist Customer in preventing, mitigating, and rectifying a Personal Data Breach in accordance with applicable Data Protection Laws considering the nature of the Processing and the information available to Markular. Markular may charge Customer for reasonable costs on a time and material basis for any assistance related to a Personal Data Breach under this Section unless Markular must be deemed responsible for the cause initiating the activity.
Data Protection Impact Assessments and prior consultations
Markular shall provide reasonable assistance to Customer to carry out data protection impact assessments and prior consultations with the supervisory authority related to Customer’s use of the Service. Customer is entitled to use Markular’s audit reports when conducting such activities imposed by Data Protection Laws, including GDPR Articles 35 and 36. Markular may charge Customer for reasonable costs incurred on a time and material basis for assistance according to this Section.
Audit
Markular shall make available to Customer all information necessary to demonstrate compliance with this DPA. The information is subject to Customer’s confidentiality as stipulated in the Agreement. If Customer requires additional information, Customer may conduct an audit by engaging an independent, qualified third party to conduct such audit. Any such audit shall follow Markular’s reasonable security requirements and not interfere unreasonably with Markular’s business activities. The Customer shall give Markular 14 calendar days prior written notice before any audit can be initiated. All costs relating to the audit shall be compensated by Customer.
Notification of unlawfulness
Markular shall immediately inform Customer if it considers that its Processing of Personal Data pursuant to this DPA violates applicable Data Protection Laws. Customer is in such case entitled to suspend any further Processing of Personal Data until Markular has conducted necessary corrections.
7. Miscellaneous
Liability
Each party’s liability under this DPA is governed by the SaaS Terms unless otherwise required by applicable Data Protection Laws.
Affiliates of Customer
Customer is responsible for coordinating all communication with Markular on behalf of its Affiliates regarding this DPA. Customer represents that it is authorized to issue instructions as well as make and receive any communications or notifications in relation to this DPA on behalf of its Affiliates.
Termination
The term of this DPA will end upon termination of the Agreement.
Conflict
In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail regarding the parties’ data protection obligations.
APPENDIX 1: Types of Personal Data and categories of Data Subjects
Types of Personal Data:
- Names and other Personal Data included in the crew management data uploaded by Customer
- Contact person’s and User’s name, username, email address and phone number
- Work schedule and availability information
- Qualifications and certifications
- Location data related to work assignments
- Next of kin information (name, relationship, contact details) for emergency situations
- Product usage data and analytics for service improvement (e.g., feature usage patterns, user interactions)
Categories of Data Subjects:
- Natural persons within Customer’s organization operating as Users or contact persons
- Crew members and personnel whose data is managed through the Service
- Natural persons which may be identified in any data uploaded by Customer into the Service
- Next of kin of crew members and personnel
APPENDIX 2: Subprocessors
Entity | Type of service provider | Location of Processing |
---|---|---|
Microsoft | Data hosting | Customer’s Data Center Region |
Twilio Sendgrid | Email service provider | USA (GDPR Compliant) |
Postmark | Email service provider | USA (GDPR Compliant) |
Freshdesk | Customer service | Europe |
Sveve | SMS service provider | Europe |
Posthog | Product analytics | Europe |
APPENDIX 3: Security Measures
[Security measures section continues with the same detailed content as provided, adapted for Markular’s context]