Data Processing Addendum (DPA) for Business Customers

Effective date: November 2025
Parties: This Data Processing Addendum (“DPA”) forms part of the master agreement, order form, or other written contract for Unloc services between Unloc AS (Processor) and the Business Customer (Controller) (the “Agreement”).

1. Purpose and scope

This DPA sets out the parties’ obligations under applicable Data Protection Legislation (including GDPR) for Unloc’s processing of Personal Data on behalf of Customer in connection with providing the Services. Capitalized terms not defined here have the meanings in the Agreement or GDPR.

2. Roles of the parties

  • Customer is the Controller and determines the purposes and means of processing.
  • Unloc is the Processor and processes Personal Data only on documented instructions from Customer, as described in this DPA and the Agreement.
  • Independent Controller activities. Unloc may act as an independent Controller for (i) Unloc’s own business contact data for Customer personnel (accounting, billing, contract management), (ii) security monitoring and fraud prevention on Unloc systems, and (iii) compliance with legal obligations. These activities are outside the scope of this DPA.

3. Customer instructions

Unloc will process Personal Data solely: (a) to provide, maintain, and secure the Services; (b) per Customer’s documented instructions; and (c) as required by law. If Unloc considers an instruction to infringe Data Protection Legislation, it will notify Customer without undue delay.

4. Categories of data and data subjects

The types of Personal Data and Data Subjects are described in Appendix A. Customer will not instruct Unloc to process special categories of data unless explicitly agreed in writing.

5. Confidentiality

Unloc ensures that persons authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data protection training. This obligation survives termination.

6. Security measures

Unloc implements appropriate technical and organizational measures to protect Personal Data, considering the state of the art, costs, and risks. A high-level description of these measures is provided in Appendix C. Unloc will maintain certifications and security practices appropriate to the Services.

7. Sub-processors

Customer grants a general authorization for Unloc to engage Sub-processors listed in Appendix B and any subsequently added Sub-processors. Unloc will (i) impose data protection obligations equivalent to this DPA by written contract and (ii) remain liable for Sub-processors’ performance. Unloc will notify Customer of additions or replacements and provide an opportunity to object on reasonable grounds.

8. International transfers

Unloc and its Sub-processors will not transfer Personal Data outside the EU/EEA unless appropriate transfer safeguards are in place (e.g., EU Standard Contractual Clauses and supplementary measures). Current transfer details are reflected in Appendix B.

9. Assistance and data subject requests

Taking into account the nature of the processing, Unloc will assist Customer with:

  • responses to Data Subject requests (access, rectification, erasure, restriction, objection, portability);
  • security obligations, including breach notifications, impact assessments (DPIAs), and consultation with supervisory authorities.

Where permitted by law, Unloc may charge reasonable fees for excessive or manifestly unfounded requests or work outside the Services’ scope.

10. Personal data breach

Unloc will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on Customer’s behalf, and provide information available at the time on: (i) the nature of the breach, (ii) likely consequences, and (iii) measures taken or proposed to address and mitigate it.

11. Audit and compliance

Upon reasonable written notice (no more than once per 12 months, unless required by a supervisory authority or following a material breach), Unloc will: (i) make available information necessary to demonstrate compliance with this DPA, and (ii) allow audits, including on-site inspections, conducted in a manner that minimizes disruption and protects Unloc’s, its customers’, and Sub-processors’ confidentiality and security. Each party bears its own costs; if non-compliance of Unloc is confirmed, Unloc will bear reasonable, documented Customer audit costs.

12. Retention and deletion

Unloc retains Personal Data only for the term of the Agreement and as needed to provide the Services. Operational key-usage event logs are retained for up to 60 days for security and troubleshooting, then deleted or anonymized. At termination or upon written request, Unloc will delete or return Personal Data and delete existing copies from systems (including backups per standard cycles), unless retention is required by law.

13. Liability

The DPA follows the limitation-of-liability scheme in the Agreement. Nothing limits a party’s liability where not permitted by applicable law.

14. Order of precedence

If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding data protection.

15. Term, changes, and notices

This DPA remains in force while Unloc processes Personal Data for Customer under the Agreement. Unloc may update Appendix B (Sub-processors) by notice. Other amendments require written agreement. Notices must be in writing and follow the Agreement’s notice provisions.

16. Governing law and venue

This DPA follows the governing law and venue specified in the Agreement.

Appendix A — Services, Processing, Personal Data, and Data Subjects

A1. Services
Development and provision of the Unloc platform and applications that enable creation, sharing, and use of digital keys and operation of compatible locks, including related support and maintenance.

A2. Nature and purpose of processing

  • Account provisioning and authentication (e.g., phone verification).
  • Key lifecycle operations (create, assign, share, revoke).
  • Access operations and logging (who used which key on which lock and when).
  • Device/telemetry collection for security, diagnostics, and reliability.
  • Customer support (including in-app chat) and incident response.
  • Fraud and abuse prevention, and service analytics.

Processing is limited to what is necessary to deliver, secure, and improve the Services.

A3. Categories of Personal Data (as determined by Customer’s use of the Services)

  • Identification and contact: name, phone number, (optional) profile photo.
  • Relationship/assignment data: lock identifiers or aliases, key assignments, sharing metadata, time windows.
  • Event/log data: key usage events (timestamps, user/key/lock references), status, error/diagnostic logs.
  • Technical data: IP address, device model, OS, app version, push token.
  • Support data: conversation history and metadata from support interactions initiated by users.
  • (Optional) Approximate location data if enabled by users.

No payment card data is stored by Unloc; payments are handled by Customer’s chosen provider(s), if any.

A4. Data Subjects

  • Customer’s employees, residents, contractors, visitors, and other end users granted access by Customer.
  • Customer’s administrative users.

A5. Retention

  • Key usage event logs: ≤ 60 days.
  • Other Personal Data: for the Agreement term and as required to provide the Services, then deleted or returned on termination or request (subject to legal retention).

Appendix B — Sub-processors

| Sub-processor | Purpose | Location of processing | Transfer mechanism (if outside EEA) |
|---|---|---|---|
| Google Cloud Platform (incl. Google Workspace) | Hosting, storage, infrastructure services | EU data centers | N/A (EU) |
| Crisp | In-app support/chat | EU | N/A (EU) |
| Strex | SMS delivery (EU numbers) | EU | N/A (EU) |
| Twilio | SMS delivery (non-EU numbers) | Primarily US/EU | SCCs + supplementary measures |

Unloc may update this list; Customer will be notified with a right to object on reasonable grounds.

Appendix C — Technical and Organizational Measures (TOMs)

Organization & access control

  • Entire engineering team based in the EU; role-based access with least-privilege.
  • MFA enforced for production and Sub-processor access.
  • Background processes and access logs monitored; quarterly access reviews.

Data handling & encryption

  • Encryption in transit (TLS) and at rest.
  • Segregated environments (prod/test); production data not used in lower envs.
  • Data minimization and retention controls; secure deletion workflows.

Application & infrastructure security

  • Secure SDLC with code review, dependency scanning, and CI/CD controls.
  • Regular external security testing/reviews.
  • Hardening baselines for servers and endpoints; disk encryption on developer devices.

Monitoring, incident & continuity

  • Centralized logging and alerting; 24/7 on-call for critical incidents.
  • Documented incident response plan (triage, containment, eradication, recovery, post-mortem).
  • Backups with integrity checks and tested restore procedures.

Vendor & transfer management

  • Sub-processor due diligence and contractual DPAs/SCCs.
  • Transfer impact assessments for non-EEA transfers; supplementary measures where appropriate.

Privacy by design & default

  • Data protection impact assessments where required.
  • Features designed to minimize data exposure (e.g., short log retention; optional location processing).
  • User authentication via phone verification; push tokens kept separate from identity keys.

Unloc AS, org. no. 919 424 508
Kongens gate 6, 0153 Oslo, Norway
info@unloc.app


For end users, please see user terms.
