Privacy Policy
Scope
This Privacy Policy applies to the service avvik.com, a system for registering and managing non-conformities and improvements, delivered by Nettsenteret AS (org. no. 989 853 376) to business entities ("the Customer").
This statement describes how personal data regarding the Customer's employees and external users are processed within avvik.com. This policy is supplementary to Nettsenteret AS's general privacy policy, which covers the company's own business contacts.
1. Roles and Responsibilities
- The Customer (contracting party) is the Data Controller. The Customer determines the purpose and legal basis for processing personal data within their specific avvik.com instance.
- Nettsenteret AS is the Data Processor. We process data solely on behalf of, and according to instructions from, the Customer, in accordance with a signed Data Processing Agreement (DPA).
Inquiry Note: Questions regarding your personal data within a specific avvik.com environment should primarily be directed to the Customer.
2. Personal data processed
We process the following categories of data to provide the service:
- a) User Account Information
  - Name and job title
  - Work email address (and phone number)
  - Departmental affiliation and role
  - Login credentials (passwords are stored encrypted/hashed)
- b) Content in Non-conformity Reports
  - Descriptions of incidents, including time and location
  - Names of involved or reporting individuals
  - Attachments such as images or documents
  - Special Categories: In cases of workplace accidents, health or injury data may be processed. These are handled with heightened security measures.
- c) External Users
  - External users (e.g., contractors, partners, or visitors) are typically registered by the Customer directly, rather than through self-registration.
  - The data categories listed in points (a) and (b) apply to external users as well, though usually in a more limited scope.
- d) Technical & AI Data
  - System logs (IP addresses, timestamps, and audit trails for change tracking)
  - AI Access: When AI features are enabled, text-based descriptions may be processed by sub-processors (e.g., Microsoft Azure/OpenAI) to provide suggestions. Data used for AI is governed by strict DPA terms and is not used to train global models.
3. Purpose and legal basis
The processing is necessary for:
- Service Delivery: Managing user accounts and system access
- Compliance: Assisting the Customer in meeting statutory requirements (e.g., Norwegian Internal Control Regulations and the Working Environment Act)
- Security: Maintaining a change log to ensure data integrity and traceability
4. Data Retention and Deletion
Personal data is processed only as long as necessary to fulfill the purposes described in this policy, or as long as required by law.
- User Accounts: When a user no longer requires access, the account is typically deactivated by the Customer's administrator. To maintain the integrity of historical HSE/Quality documentation and the system's "audit trail," the user's name may remain linked to existing reports and logs they have created or been involved in.
- Non-conformity Reports: Data within reports (including names of reporters or involved parties) are retained according to the Customer's internal retention periods for HSE and quality documentation. This is often necessary to comply with statutory requirements such as the Norwegian Internal Control Regulations.
- Contract Termination: Upon termination of the agreement between Nettsenteret AS and the Customer, all personal data will be permanently deleted or returned to the Customer as instructed, unless Nettsenteret AS is legally required to retain specific data.
5. Sub-processors and data location
Data is primarily stored on servers located in Norway and Ireland.
- Hosting Provider: Amazon Web Services (AWS) EMEA SARL
- Any transfer of data outside the EEA (e.g., for specific AI integrations) is secured through EU Standard Contractual Clauses (SCCs) to ensure an equivalent level of protection.
6. Security measures
Nettsenteret AS implements technical and organizational measures according to ISO 27001 principles, including:
- Encrypted data transmission (TLS/HTTPS)
- Role-based access control
- Regular backups and security monitoring
7. Cookies
avvik.com uses strictly necessary cookies to manage user authentication and system security. These cookies do not track personal behavior for marketing purposes.
8. Your rights
As a data subject, you have the right to request access, correction, or deletion of your data. Since Nettsenteret AS is a Data Processor, such requests should be directed to your employer/customer/supplier. We will assist in fulfilling these requests.
You also have the right to lodge a complaint with a supervisory authority, such as the Norwegian Data Protection Authority (Datatilsynet).
9. Contact Information
Attn: Nina G. Wold, CEO
Email: post@avvik.com
Address: Børehaugen 3, 4003 Stavanger
Organization Number: 989 853 376
Nina G. Wold
CEO
Electronically signed — 01.07.2026