Get started
Get started

Data Processing Agreement

Payout Partner
Payout Partner AS · Pilestredet 17, 0164 Oslo · privacy@payoutpartner.com
Effective date: 26 March 2026

This Data Processing Agreement ("DPA") supplements the Terms of Use and governs the processing of personal data by Skiwo AS ("Processor") on behalf of business customers ("Controller") in connection with the Payout Partner platform.

1. Scope

This DPA applies when a business customer uses Payout Partner's payroll outsourcing service and Payout Partner AS processes personal data of the customer's freelancers on the customer's behalf.

2. Roles

The business customer is the data controller. Payout Partner AS is the data processor. When Payout Partner provides its salary service directly to individual freelancers, Payout Partner AS acts as an independent controller — this DPA does not apply to that relationship.

3. Purpose and Scope of Processing

The Processor processes personal data solely for the purpose of providing the invoicing, payroll, and payment services described in the Terms of Use. Categories of data subjects include freelancers and contractors of the Controller. Categories of personal data include identity data, contact data, financial data, and employment data as described in the Privacy Policy.

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in responding to data subject requests
  • Assist the Controller with data protection impact assessments where required
  • Delete or return personal data upon termination, subject to legal retention requirements
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

The Processor uses sub-processors for hosting, payment processing, and communication services. The Processor maintains a list of sub-processors and will notify the Controller of any intended changes. All sub-processors are bound by equivalent data protection obligations.

6. International Transfers

Personal data is stored within the European Economic Area (EEA). If any transfer outside the EEA is required, it will be subject to appropriate safeguards under Chapter V of the GDPR.

7. Security Measures

The Processor implements security measures including: encryption of data in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, regular security assessments, incident response procedures, and employee security training.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

9. Duration and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor shall delete or return all personal data within 90 days, unless retention is required by law.

10. Contact

For questions about this DPA, contact:
privacy@payoutpartner.com
Payout Partner AS, Pilestredet 17, 0164 Oslo, Norway