Hopp til hovedinnhold

Terms & Conditions

1. GENERAL INFORMATION

1.1 These Terms & Conditions govern the Customer’s procurement of the Service Provider’s Service. The Service Provider is Stø AS, registered in Norway with business registration no 927 611 929. The “Service” means the services provided by the Service Provider relating to customer due diligence and as ordered by the Customer from time to time.

“The Agreement” consists of these Terms & Conditions, including Appendix 1 Data Processing Agreement, Appendix 2 Sub-Suppliers list and the order confirmation issued by Service Provider to the Customer.

1.2 The information is available within the Service, a web-based solution, in connection with the statutory customer due diligence requirements set out in applicable national anti-money laundering legislation.

Information regarding the Customer´s own customers, limited to natural persons and legal entities, is obtained from public and private information sources as well as through self-declaration forms completed by the Customer`s own customers. The purpose is to collect, aggregate and validate required information. The Service provides continuous monitoring of data on a perpetual basis. Supporting documents will be generated for audit trail and record-keeping purposes. The Service is continuously evolving, with additional features being developed.

The Service is not to be regarded as an outsourcing of customer due diligence obligations under applicable anti-money laundering legislation.

2. RIGHT OF USE – USE RESTRICTIONS

2.1 Service Provider grants to the Customer a non-exclusive, non-transferable, revocable limited right to access and use the Service in accordance with the Agreement.

2.2 Customer may only use the Service for its intended purpose as set out in the description of the Service. The Customer shall not permit any third party to access and use the Service or data derived from it. The Customer may not use the Service to establish a separate database containing data derived from the Service.

2.3 The Service includes functionality that enables the Customer to use third-party electronic authentication services, such as BankID or equivalent European solutions.

The Service Provider does not perform or validate any identity checks and shall not be considered responsible for the outcome or regulatory compliance of such processes.

The Customer is solely responsible for conducting necessary assessments, storing relevant data, and ensuring compliance with applicable laws and regulations, including retention and documentation requirements.

2.4 Service Provider may suspend the Customer's right to use the Service without liability, temporarily or permanently, if the Customer is in breach of the Agreement or if such use is suspected.

3. PROVISION OF THE SERVICE

3.1 The Service is available for use 24/7.

3.2 Service Provider has the right to change the Service, provided that the change is based on new or amended regulatory- and other external requirements and/or orders, or the change is part of Service Provider’s ordinary development of the Service, security or market adaptation.

3.3 Service Provider shall fully cooperate with relevant competent authorities of the Customer, and any other person properly appointed by such authority.

4. FEES AND PAYMENT

4.1 All fixed fees and subscription fees are invoiced monthly in advance. Variable fees are invoiced monthly in arrears.

4.2 All fees under this Agreement shall be paid within ten (10) days of issue of an invoice by Service Provider.

4.3 All fees under this Agreement are exclusive of value added tax.

4.4 Payments that are more than ten (10) days overdue will be subject to the amount determined by applicable law pertaining to overdue payments, on the overdue balance. If any payments are more than two (2) months overdue, Service Provider may, at Service Provider's discretion, without prejudice to any other rights and remedies and without liability to the Customer, suspend access to all or part of the Service until the invoices in question have been paid.

4.5 Service Provider may change the prices with 3 months’ notice to the Customer. If the Customer does not accept the new prices, the Customer may terminate the Agreement with effect from the date of the price change. In addition, the prices may be index regulated yearly without further notice in accordance with the Statistics Norway’s (SSB) Consumer price index (CPI All-item index).

5. SUPPORT, MAINTENANCE AND SLA

5.1 Support is available from Monday to Friday 08.00-16.00 CE(S)T all Working Days in Norway.

5.2 Service Provider reserves the right to perform maintenance, upgrades, service, etc. related to the Service. While Service Provider in general aim to do maintenance without downtime, any changes might cause unavailability, interruptions, or changes to the Service.

5.3 Service Provider is responsible for the daily operations of the Service as well as incident monitoring and handling.

6. SECURITY AND COMPLIANCE

6.1 Both Parties shall perform their services and obligations under this Agreement in compliance with all applicable laws and regulations.

6.2 Service Provider has an established security awareness training program, and its employees will conduct necessary training.

6.3 Both Parties warrant to adhere to all applicable privacy laws and regulations pertaining to the Service, including Regulation (EU) 2016/679 ("GDPR"). Further, by entering into this Agreement, the Parties also enter into Appendix 1 (Data Processing Agreement).

6.4 In the event of termination of the Agreement, the Service Provider provides the Customer access to customer data in a standardized format, unless the Customer already has access to or is in possession of the Data.

6.5 Service Provider shall ensure availability, authenticity, confidentiality and integrity of Customer data.

6.6 Service Provider shall have a documented Information Security Management System (ISMS) aligned with ISO 27001 with a set of relevant policies.

7. CONFIDENTIALITY

7.1 "Confidential Information" means the specific terms of this Agreement, and any information disclosed by either Party to the other Party, either directly or indirectly, in writing or in any other manner, relating to each Party’s business and/or customers, including without limitation confidential information about the Service.

Confidential Information shall not include information (i) already in the possession of the receiving party without an obligation of confidentiality; (ii) hereafter rightfully furnished to the receiving party by a third party without a breach of any separate nondisclosure obligation; or (iii) publicly available without breach of this Agreement (i.e., information in the public domain).

7.2 Neither Party shall use, or disclose to any person, either during the term or after the termination of this Agreement, any Confidential Information except in accordance with the other party´s prior written consent or as required by law.

The duty of confidentiality gives way to national extradition orders, other statutory duty of disclosure, government orders pursuant to law or if court decisions require it.

7.3 Disclosure of necessary information in connection with security audits or control and supervision by public authorities is not considered a breach of confidentiality.

8. INTELLECTUAL PROPERTY RIGHTS

8.1 All right, title and interest to any software, products, technology and/or information in any service, documentation or material provided or developed by

The Service Provider from time to time under this Agreement, shall remain exclusively with Service Provider or Service Provider’s licensors. As between Service Provider and the Customer, Service Provider also owns and holds all Intellectual Property Rights and other rights to the non- personal log data in and from Service Transactions, which will be used in an aggregate manner that does not identify the Customer or any other legal or natural persons.

Customer acknowledges and agrees that it has no rights or claims of any type, other than the right of use granted under this Agreement, to the Service, all modifications (whether made by Service Provider, the Customer, or third parties), trademarks, the above mentioned log data, and the Intellectual Property Rights embodied therein, and the Customer irrevocably waives and releases any claim to title and ownership rights (including copyright ownership) thereto.

9. LIMITATION OF LIABILITY

9.1 The information from the Service is delivered "as is" from public and private sources, and there is no guarantee that the information is free from errors or omissions. Service Provider shall not be liable for identification or information or errors in the content of the data provider and shall have no liability to the Customer for the quality of the information provided by the sources through the Service under these Terms.

9.2 For the avoidance of doubt, the Service Provider accepts no liability whatsoever towards the Customer or any other third person, for:

(i) any loss caused by any transaction by use of the Service;

(ii) errors or delays that are outside Service Provider’s reasonable control, including without limitation denial-of- service attacks (DoS), general internet failure, line delays, power failure or faults of any machines;

(iii) loss caused by deficiencies in Service Provider’s Service that are caused by the Customer’s acts or omissions; or

(iv) any loss suffered because of loss of data caused by the Service, excluding remedial expenses incurred to restore lost data in the event the loss of data was caused by Service Provider’s failure to make backups and such backup obligation was explicitly agreed upon.

9.3 Neither Party shall be liable to the other Party in contract, tort or otherwise, whatever the cause thereof, for any loss of profit, business or goodwill or any other indirect damages of any kind arising under or in connection with this Agreement.

9.4 The total and maximum liability of a Party under this Agreement shall in no event exceed an amount equal to the total amount (excluding VAT) paid by the Customer to Service Provider under the Agreement the 12 months preceding the event that incurs liability.

9.5 If the tortious Party has demonstrated gross negligence or intent, the limitations on damages shall not apply.

10. TERM AND TERMINATION

10.1 The Agreement will have a fixed term of 12 months calculated from the first day of the month following the effective date of the Agreement (the date an order is placed by the Customer). Thereafter, the Customer may terminate the Agreement with 3 months’ written notice, calculated from the end of the month the notice is sent. Service Provider may terminate the Agreement by giving twelve (12) months' notice.

10.2 This Agreement may be terminated by either Party at any time if the other Party is in material breach of any term or condition of this Agreement and such breach continues unremedied for a period of thirty (30) days after the Party in breach has been notified of such breach by the other Party by means of a written notice.

10.3 This Agreement may be terminated by either party, if a receiver is appointed for the other party or its property, if the other party makes an assignment for the benefit of its creditors, any proceedings are commenced by, for or against the other party under any bankruptcy, insolvency or debtor's relief law, or actions are taken to liquidate or dissolve the other party.

10.4 This Agreement may be terminated by Customer subject to the conditions set out in the Data Controller Agreement.

The Agreement may be terminated by the Customer under the circumstances listed under DORA art 28 (7).

10.5 Upon expiration or termination of this Agreement

(i) The Customer shall immediately cease its use of the Service; and

(ii) The due dates of all outstanding invoices shall automatically be accelerated so they become due and payable on the date of termination or expiration, even if longer terms have been previously agreed.

11. MISCELLANEOUS

11.1 Service Provider may update these terms and conditions. Customer is always bound by the latest version of the terms and conditions. Service provider shall notify the Customer of changes if they are detrimental to Customer.

11.2 Neither Party may assign this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld.

11.3 Neither Party shall be responsible for failure of performance due to causes beyond its control, including, but not limited to labor disputes and actions of any government agency, and other force majeure events defined by applicable law.

11.4 This Agreement shall be governed by and construed in accordance with the laws of Norway. Any dispute, controversy or claim arising out of or in connection with this contract, or the breach, termination, or invalidity thereof, shall be settled by the courts of Oslo.

APPENDIX 1 – DATA PROCESSING AGREEMENT

1. BACKGROUND AND PURPOSE

1.1 The Service Provider (Stø AS) act as a Data Processor to Customer, which act as a Data Controller.

1.2 Data Processor delivers a service (the “Service”), which collects and analyses data from public and private information sources as well as the Customer`s own customers.

The information is available within the Service, a web-based solution, in connection with the statutory customer due diligence requirements set out in applicable national anti-money laundering legislation.

Information regarding the Customer´s own customers, limited to natural persons and legal entities, is obtained from public and private information sources as well as through self-declaration forms completed by the Customer`s own customers.

The Customer will be able to register own customers by performing searches with the following parameters:

For corporate customers; organization name and/or organization number

For private customers; name and date of birth and /or national identity number

The Service will then deliver information to the Customer. The information will be used by Customer in connection with their own risk assessments when onboarding their new customers and subsequent ongoing due diligence measures in accordance with the rules of the anti-money laundering regulations.

1.3 To ensure Service Provider´s processing as a Data Processor complies with the applicable data protection legislation, Service Provider and the Customer has entered into this Data Processing Agreement. This Data Processing Agreement sets out the Parties rights and obligations with respect to Service Provider´s processing on behalf of the Customer in connection with the delivery of the Service.

1.4 The purpose of this Data Processing Agreement is to ensure that the Parties´ rights and duties are settled according to the EU data protection regulation 2016/679/EC dated April 27, 2016 ("GDPR") and the Norwegian Data Protection Act no. 38 with regulations dated June 15, 2018. In case of conflict between the terms of this Data Processing Agreement and the data protection legislation or any other relevant legislation, this Data Processing Agreement has no precedence.

The Data Processor shall only process personal data as described in this Data Processing Agreement or as agreed in writing between the Parties.
Terms and definitions used in this Data Processing Agreement shall be construed in the same way as in the data protection legislation.

2. RIGHTS AND DUTIES

2.1 General responsibility: The Data Controller determines the purpose of the processing of personal data and the means to be used for such processing. The Data Controller has overall responsibility for the processing of personal data in accordance with the requirements set by the data protection legislation. Among other things, the Data Controller is responsible for ensuring that there is a legal basis for the delegated processing of the personal data.

2.2 Instructions: The Data Processor is subject to the Data Controller´s authority regarding the processing of personal data and shall only process personal data based on documented instructions from the Data Controller. If the processing is required under European Union law or the applicable Norwegian law to which the Data Processor is subject, the Data Processor shall notify the Data Controller about the aforementioned legal requirements before the processing, unless Norwegian law prohibits such notification for the sake of important social interests. If the Data Processor means that an instruction from the Data Controller is in breach of the data protection legislation or any other legislation, the Data Processor shall immediately notify the Data Controller about this.

2.3 Security measures: The Data Processor confirms that it will take appropriate technical and organizational measures to ensure that all processing under this Data Processing Agreement meets the requirements of the data protection legislation and ensures the protection of the data subject's rights, including compliance with all the requirements of GDPR article 32.

2.4 Transparency: Unless otherwise agreed or required by law, the Data Controller is entitled to access the personal data processed and the systems used in accordance with Data Processing Agreement. The Data Processor is obliged to provide the Data Controller with necessary assistance in this regard. For access requirements, the Data Controller must provide the Data Processor with at least a 14 days' notice.

2.5 Confidentiality: The Data Processor has a duty of confidentiality regarding the documentation and the personal data which it will have access to in accordance with Data Processing Agreement. This provision also applies after termination of Data Processing Agreement. The Data Processor is responsible for ensuring that the necessary agreements or obligations for confidential processing of such information are established with anyone who has access to that information.

2.6 Assistance according to GDPR articles 32- 36. The Data Processor is obliged to provide the Data Controller with access to its data security documentation, and to assist the Data Controller with fulfilling its own responsibility in accordance with the applicable data protection legislation. This is especially true for assistance with audits and inspections, as well as notification of personal data breach and impact assessment. The Data Controller is directly responsible towards the relevant supervisory authorities.

2.7 Assistance with inquiries: The Data Processor shall assist the Data Controller in safeguarding the rights of the data subjects. This applies, but is not limited to, providing information on how the personal data is processed, handling inquiries which include, among others, access to the personal data and fulfilment of the data subjects' right to rectification or deletion of the personal data. For all and any inquiries that the Data Processor may receive directly, the Data Processor shall transmit those inquiries to the Data Controller as soon as possible.

2.8 Access/Disclosure: The Data Processor shall not disclose personal data or information that it processes on behalf of the Data Controller to a third party without explicit instructions or permission from the Controller.

3. PROCESSING OF PERSONAL DATA

3.1 Purpose and processing activities: The purpose of the Service Provider´s processing of personal data on behalf of the Customer is to deliver a functional Service to obliged entities under national anti-money laundering regulations, i.e., to provide and develop functionalities, offer support and maintain the Service.

The processing activities includes, but is not limited to, the collection, structuring, screening, and storage of data, as well as making it available to the Customer in order to support the Customer`s obligations under national anti-money laundering legislation.

3.2 Categories of personal data and data subjects: The personal data about the data subjects which the Data Controller authorizes the Data Processor to process for the Purpose as described in section 1.2 above are:

Categories of Data subjects:

  • Existing- and potential customers of the Customer i.e. natural persons subject to due diligence measures under the national anti-money laundering regulations such as:
    • Direct customers of the Customer: natural persons and representatives of legal persons,
    • Beneficial owners and other controlling persons of legal entities,
    • Directors, board members, or other controlling individuals of legal entities,
    • Politically exposed persons (PEPs), their close associates, and family members
    • Any other natural persons whose data the Customer is required to process in order to comply with national anti-money laundering obligations
  • Employees or any other natural persons connected to the Customer`s business through usage of the Service.

Categories of personal data:

  • Personal data about existing-and potential customers of the Customer which is necessary to fulfil customer due-diligence controls and measures according to national anti-money laundering acts, such as:
    • Identification data (including, without limitation, full name, date of birth, nationality, national social security numbers or passport details),
    • Contact details (including address, email address or telephone number),
    • Information relating to beneficial ownership and corporate control structures,
    • Professional information (including directorships and executive positions),
    • Information relating to PEP status, sanctions, and other relevant regulatory designations,
    • Any other personal data that the Customer is legally obliged to collect and process in accordance with national anti-money laundering legislation
  • Personal data included in additional services specifically requested by and agreed with the Customer, such as credit data, national population register data, national beneficial owner register data, personal bankruptcies, personal business prohibition data, adverse media search, including any usage data (however in pseudomized form) in connection with any use of such services,
  • Personal data included in user- generated notes,
  • Various contact information related to employees, Customers or any other persons connected to the Customer’s business, which is necessary for Service Provider to process to be able to provide the Customer with the Services, such as names, email addresses and IP addresses,
  • Various usage data generated by the Customer’s users in connection with the Service (however in pseudomized form).

3.3 Records of processing activities: The Data Processor shall maintain a record of processing activities under its responsibility, according to GDPR article 30.

3.4 The Data Processor´s access to the personal data: The personal data processed by Service Provider on behalf of the Customer, will either be data acquired separately by the Customer and uploaded to Service Provider, or user- generated data entered directly through the Service Provider`s web interface.

4. SECURITY AND BREACH

4.1 The Data Processor shall comply with the requirements for security measures according to the applicable data protection legislation. The Data Processor shall be able to document routines and security measures that meet these requirements, including, as appropriate, measures to prevent accessible or illegal destruction or loss of data, unauthorized access to or dissemination of data, as well as any other use of personal data that does not comply with this Data Processing Agreement , and measures to restore access to the personal data in any event. The documentation must be available at the request of the Data Controller.

4.2 The Data Processor undertakes to notify the Data Controller without undue delay and at the latest within 48 hours if the Data Processor has information about, or reason to believe, that the personal data is used in an unauthorized manner or otherwise handled in violation of the data protection legislation and/or the terms of this Data Processing Agreement. This is especially true for any breach of personal data security that the Data Processor becomes aware of, including unauthorized access, dissemination, alteration, damage / destruction, but also for any circumstance that may cause a change in the risk assessment, and which has or may have an impact on data security.

4.3 In the event of a personal data breach by the Data Processor, the Data Processor shall notify the Data Controller within 48 hours of the Data Processor becoming aware of the breach. Notification of breach shall contain, as a minimum, the requirements of GDPR Article 33 (3), including:

  • description of the nature of the personal data breach, including, where possible, the categories of and approximate number of data subjects affected, and the categories of and approximate number of personal data records concerned,
  • the name and contact information of the data protection officer or other contact point where more information can be obtained,
  • description of the likely consequences of the personal data breach, and
  • description of the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Data Controller is responsible for sending a notification to the supervisory authority at the latest 72 hours after the breach has been detected, and the Data Processor shall not send such notification or contact the supervisory authority without the instructions of the Data Controller. If all information cannot be provided in the first notification, the information should be given successively as soon as it is available.

4.4 In the event of a data security or privacy breach by the Data Controller, the Data Processor shall assist the Data Controller in obtaining the necessary information as described in GDPR Article 33 (3), cf. section 4.3 above.

4.5 Any breach or suspicion of a breach to the personal data security at the Data Processor shall be recorded, hereafter logged and stored at the Data Processor.

4.6 The Data Processor shall, without undue delay, correct or implement measures to prevent personal data breach and nonconformities. Nonconformities or breaches which the Data Processor or its sub-processors are responsible for shall be corrected or prevented at no charge to the Data Controller and must be documented.

4.7 The security level of the processing shall consider the nature of the personal data and the risk for personal data breach for the data subjects. For this reason, the Data Processor and the Data Controller must conduct a risk assessment to ensure satisfactory data security.

4.8 The personal data shall only be made available to the Data Processor´s employees who have a need to access to the personal data to provide the Service. Personal data may also be made available to the Data Processor's sub- processors upon prior approval from the Data Controller and provided that the Data Processor has entered into a sub- processor agreement. Documentation of authorized access at the Data Processor shall be available at the request of the Data Controller.

5. TRANSFER OF PERSONAL DATA OUTSIDE EU/EEA

5.1 Personal data, which is processed by the Data Processor on behalf of the Data Controller, shall only be transferred to countries outside the EU / EEA (third countries) according to instructions from the Data Controller or as otherwise agreed between the Parties. Transfer to third countries requires, even with instructions and/or agreement in place, that the requirements for security and protection of the data subjects' rights according to the data protection legislation are met.

5.2 When transferring or otherwise giving a third country access to the personal data, or when a sub-processor is incorporated in a third country or has ultimate ownership in a third country, the Data Controller or Data Processor on behalf of the Data Controller shall ensure that the Data Processor or Data Processor's sub- processors have provided the necessary guarantees, according to GDPR chapter V, to ensure an adequate level of protection of the personal data. Such necessary guarantees include, but are not limited to, the signing of the European Commission's standard contractual clauses.

6. SUB-PROCESSOR

6.1 A list of approved sub-processors is described in Appendix 2 (Sub-Suppliers List)

6.2 The Data Processor has the Data Controller’s general authorization to engage other sub-processors than those mentioned in Appendix 2 (Sub-Suppliers List). In such a case, the Data Processor shall notify the Data Controller well in advance, thereby giving the Data Controller the opportunity to object to such changes. The Data Controller may object in writing on reasonable grounds to the appointment of a new sub- processor, always provided that such objection includes all relevant details as to why the Data Controller objects to the appointment of a sub-processor.

6.3 The Data Processor is responsible for conducting a security analysis of the sub-processor's ability to comply with the requirements of this Data Processing Agreement and other statutory requirements for the processing of personal data.

6.4 The Data Processor shall ensure that all sub-processors are bound by the same requirements for data security and processing in general as set out in this Data Processing Agreement . The Data Processor shall therefore ensure that its sub-processors only process personal data in accordance with the terms of this Data Processing Agreement and not to a greater extent than is necessary to fulfil the service which the sub- processors provide. The Data Controller is entitled to access relevant parts of the Data Processor's sub-processing agreements, as well as the relevant sub-processors' documentation for the processing, such as security documentation.

6.5 The Data Processor is fully responsible towards the Data Controller for all and any of the sub-processors´ violations to this Data Processing Agreement´s requirements, as well as to other applicable data protection legislation.

6.6 Upon termination of this Data Processing Agreement, the Data Processor shall ensure that the sub-processors fulfil, in the same manner as the Data Processor, the obligation to delete or properly destroy all personal data, including backups, as set forth in section 7.3 of Data Processing Agreement.

7. TERM AND TERMINATION

7.1 The terms of this Data Processing Agreement apply as long as the Data Processor processes, including also has access to, personal data on behalf of the Data Controller.

7.2 If the Data Processor breaches this Data Processing Agreement, the Data Controller has the right to exclude the Data Processor from all access to the personal data and to decide that the Data Processor shall immediately stop further processing of the personal data for a defined period. In the event of material breach, the Data Controller shall be entitled to terminate Data Processing Agreement without notice.

7.3 Upon termination of Data Processing Agreement , the Data Processor shall immediately stop the processing of all personal data and return it to the Data Controller or properly destroy all material, including backup copies, containing personal data as covered by this Data Processing Agreement, unless the Data Processor must process the personal data any longer under legal requirements. If deletion of the personal data is not technically possible and return of the personal data to the Data Controller is not an option, the Data Processor shall then ensure that the personal data is made unavailable by the means of anonymization.

7.4 The Data Processor shall document in writing to the Data Controller that deletion and/or destruction and/or anonymization has been carried out in accordance with Data Processing Agreement no later than 30 days after the termination of Data Processing Agreement.

8. LIABILITY

8.1 Each of the Parties is liable for damages and shall compensate the data subjects for any material or non-material damage suffered by the data subjects as a result of a breach of the data protection legislation in accordance with Article 82 (1) of the GDPR.

8.2 If one of the Parties has paid full compensation for the damage under GDPR Article 82 (4), the paying Party shall have the right to claim back from the other Party the part of the compensation corresponding to the other Party's part of the liability for the damage. Any costs associated with establishing the division of responsibilities shall be charged equally to both Parties.

8.3 If one of the Parties has paid full compensation for the damage pursuant to Article 82 (4) of the GDPR but can prove that it is in no way responsible or has contributed to the incident that caused the damage, the paying Party shall be entitled to claim back from the other Party the full amount of compensation.

8.4 For any documented direct loss, the Party’s liability under this Data Processing Agreement towards the other Party is upwards limited to the remuneration paid by the Data Controller for the services to which the breach relates to during the last 12 months before the breach occurred.

9. AMENDMENTS

9.1 All amendments in this Data Processing Agreement shall be in writing and approved by both Parties.

APPENDIX 2 – Sub-Suppliers List

Name and business number

Location

Type of service

Personal data

T-Rank AS, 990092397 

Bogstadveien 54, 0366 Oslo, Norway 

Data elements used in connection with (beneficial) ownership data 

Name, date of birth, ownership of entities 

Data Factory AS, 917254532 

Youngstorget 3, 0181 Oslo, Norway 

Data elements used in connection with Norwegian private- and business customers  

Address information

Microsoft Norge AS, 957485030

Dronning Eufemias gate 71, 0194 Oslo, Norway 

Infrastructure provider

All data elements in the Service 

Orange Business Digital Norway AS, 982211743 

Lørenfaret 1 E, 0585 Oslo, Norway 

Infrastructure provider

All data elements in the Service 

Idura ApS, 35142207

Gammel Kongevej 3E, 1, 1610 København V, Denmark

Authentication and digital signature: Nordic eIDs

Full name, date of birth, SSN

Valuation Europe AB, 556662-7914

Danderydsgatan 18, 114 26 Stockholm, Sweden 

Data elements used in connection with (beneficial) ownership and company information 

Name, citizenship, ownership and roles in entities

Acuris Risk Intelligence LTD, 05048084 

10 Queen Street Place, London, EC4R 1BE, UK 

Data elements used in connection with PEP- screening.

Name, address, PEP- status 

For add-on services only

Bislab AS, 929879252

Arbins gate 1, 0253 OSLO, Norway

Credit information – enterprises

Management structure in a company, ownership relations

Dun & Bradstreet Norway AS, 975374939 

Langkaia 1, 0150 Oslo, Norway 

Data provider for global (beneficial) ownership and shareholders.

Name, nationality, date of birth, status, title, alias, address, ownership of legal entities