Data Processing Agreement


LAST REVIEWED AND UPDATED 18 FEBRUARY 2026

The Customer has subscribed to certain software-as-a-service (SaaS) products (“Subscription Items”) and/or ordered the performance of professional services from Cognite ("Professional Services"). The Customer is also referred to as the "Data Controller" and Cognite as the "Data Processor".

This Data Processing Agreement (“DPA”) is an integrated part of the Master Subscription and Professional Services Agreement, EULA, and/or such other agreement entered into between the Data Controller and Data Processor pertaining to the subscription to the Subscription Items and/or performance of Professional Services (the “Agreement”). Any capitalized terms not specifically defined in this DPA shall have the meaning as set forth in the Agreement. In this DPA:

  1. the Data Controller shall be a data controller for the purposes of the GDPR;
  2. the Data Processor shall be a data processor for the purposes of the GDPR;
  3. "Artificial Intelligence" or "AI" means Cognite Atlas AI and/or any other artificial intelligence product or features that Cognite provides as part of a Subscription Item;
  4. "Customer" means the legal entity that has entered into the Agreement with the Cognite entity specified therein for Cognite's performance of Professional Services or subscription(s) to Subscription Items;
  5. "Data Processing Agreement" or "DPA" shall mean this agreement on the Processing of Personal Data on behalf of the Data Controller;
  6. "Data Protection Legislation" means the body of laws and regulations designed to protect Personal Data and ensure privacy rights for individuals, including but not limited to the GDPR and the UK GDPR;
  7. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  8. "Personal Data" has the meaning given to the term in Article 4(1) of the GDPR;
  9. "Personal Data Breach" has the meaning given to the term in Article 4(12) of the GDPR;
  10. "Process" or "Processing" has the meaning given in Article 4(2) of the GDPR, and its cognates shall be construed accordingly;
  11. "Sub-processor" means a third party engaged by the Data Processor for carrying out Processing activities on behalf of the Data Processor; and
  12. "Third Countries" means countries outside the EU/EEA.

The Data Processor’s performance of the Subscription Items and Professional Services may include the Processing of Personal Data on behalf of the Data Controller.

In accordance with Article 28(3) of the GDPR, the obligations of the Data Processor are set out in this DPA.

If Customer has entered into an agreement with a reseller or another party offering Subscription Items or Professional Services from Cognite, such reseller shall be the "Data Processor" and Cognite shall be the Sub-processor for the purpose of this DPA. The Data Controller has consented to Cognite as Sub-processor. This DPA applies equally between the reseller as Data Processor and Cognite as Sub-processor.

1. SCOPE OF DATA PROCESSING

This DPA governs and defines the legal limits of the Data Processor’s Processing of Personal Data on behalf of the Data Controller. The limits and obligations set out in this DPA shall be in addition to those imposed by applicable laws, including the GDPR.

The Data Processor’s performance of the Subscription Items and Professional Services may entail the Processing of Personal Data relating to the Data Controller’s employees, consultants, customers, and clients, including but not limited to names, national identity numbers, addresses, e-mail addresses, IP addresses, dates of birth, telephone numbers, invoice information, tax information, and bank account details.

In addition, this DPA also regulates the Data Controller’s and its personnel's use of Cognite Academy. The Data Processor may share information with the Data Controller about the Data Controller’s personnel that use Cognite Academy if this is requested by the Data Controller.

The Data Controller acknowledges that the Data Processor may process Personal Data relating to the operation, support, or use of the Subscription Items for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. The Data Processor is the Data Controller for such Processing and will Process such data in accordance with applicable data protection law and the Data Processor’s Privacy Policy.

Data Controller agrees that Data Processor may process pseudonymized Personal Data of the Data Controller for the purposes of developing, training, and improving its product and related services. Data Processor shall implement appropriate technical and organizational measures to ensure that such data is pseudonymized prior to use and that no individual is identified or identifiable. This processing shall not result in the disclosure of Customer Personal Data to any third party in an unencrypted or non-pseudonymized format.

The objective of the Data Processor’s processing of Personal Data, the nature and purpose of the processing, the types of Personal Data and categories of data subjects are specified in Appendix 1 to this DPA.

2. THE DATA CONTROLLER'S OBLIGATIONS

The Data Controller shall ensure that the Processing of Personal Data is permitted and in accordance with applicable laws.

The Data Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, and shall ensure that all processing is done with the required legal basis, including obtaining any required consents, providing data subjects with privacy notices, and instructing the Data Processor through this DPA.

3. THE DATA PROCESSOR'S OBLIGATIONS

The Data Processor shall Process Personal Data strictly based on, and in accordance with, the Data Controller's instructions and the GDPR. The Data Processor is obligated to obtain prior written consent or explicit written instructions from the Data Controller before processing Personal Data beyond the scope necessary for fulfilling the purposes outlined in this DPA.

The Data Processor shall assist the Data Controller in ensuring and documenting compliance with legal obligations related to Personal Data processing. Additionally, the Data Processor is required to maintain a record of all processing activities conducted on behalf of the Data Controller, ensuring adherence to GDPR Article 30(2), (3) and (4).

If the Data Processor receives instructions that contravene the GDPR, it must promptly notify the Data Controller.

In the event of a subpoena or legal demand from a foreign authority for access to Data Controller’s Data or cluster environments, Data Processor shall, exercising all commercially reasonable legal efforts, promptly notify Data Controller to allow for a protective order or a challenge to such subpoena or legal demand. If compliance with such a demand would cause Data Processor to breach its obligations under applicable Data Protection Laws, Data Processor shall make reasonable efforts to notify Data Controller of this conflict and seek to stay enforcement of the demand until a lawful resolution is identified.

4. AUDIT

For the purpose of verifying that the Data Processor fulfills its obligations under this DPA, the Data Processor shall permit audits. The Data Controller or a third party acting for the Data Controller may perform such audits. The Data Processor shall cooperate with such audits, providing the necessary resources and support to ensure they are conducted effectively.

The audit may be conducted once per calendar year, upon providing the Data Processor with at least thirty (30) days' prior written notice. The audit shall be conducted during regular business hours and in a manner that minimizes disruption to the Data Processor's operations. All information obtained during these audits shall be treated as confidential and used solely for the purpose of verifying compliance with obligations under this DPA.

If an audit or inspection identifies any deviations from the Data Processor’s obligations under the DPA, the Data Processor shall rectify the deviations as soon as possible.

The Data Controller shall cover the costs of any third parties used to conduct the audits. Otherwise, each party shall bear its own costs associated with conducting the audits. If an audit reveals significant breaches of obligations under the DPA or applicable Data Protection Legislation, the Data Processor shall, however, cover the Data Controller’s reasonable costs associated with the audits.

5. PERSONAL DATA BREACH

In the event that the Data Processor is made aware of a Personal Data Breach, the Data Processor is obliged to notify the Data Controller in writing without undue delay, and no later than seventy-two (72) hours after becoming aware of the Personal Data Breach. The Data Processor shall provide the Data Controller with all information necessary in order for the Data Controller to notify the supervisory authority (Nw: Datatilsynet) and the data subject(s) affected by the breach.

Where the Data Processor becomes aware of a Personal Data Breach, and taking into account the nature of the processing and the information available to the Data Processor, the following information shall be provided to the Data Controller without undue delay:

  1. description of the nature of the breach, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
  2. the likely consequences; and
  3. a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

If it is not possible to provide all of the information specified above at the same time, the information may be provided in phases without undue further delay.

6. ACCESS TO PERSONAL DATA AND DELETION

The Data Processor shall, upon the Data Controller's request, at any time during the Term, make commercially reasonable efforts to make all Personal Data available to the Data Controller in a structured, commonly used, and machine-readable format.

Upon the expiration or termination of the subscription to Subscription Items or completion of the Professional Services, and upon the Data Controller's request, the Data Processor shall delete or destroy all copies of Personal Data stored on any computer or other device or which are otherwise in Cognite’s possession or control, except to the extent the Data Processor is required to retain such Personal Data by Applicable Laws.

The Data Controller shall define routines for the deletion of such Personal Data, while the Data Processor shall be responsible for the execution of such routines. The Data Processor may retain Personal Data in backups, archives, and disaster recovery systems until deleted in the ordinary course of business, or for such periods as may be required to comply with applicable Artificial Intelligence (AI) legislation and regulatory requirements, provided that such retained Personal Data shall remain subject to the requirements on confidentiality and security under the Agreement and this DPA.

Upon Data Processor’s insolvency, bankruptcy, or cessation of business (an 'Insolvency Event'), Data Processor shall immediately grant Data Controller access to retrieve all exportable data. During the ensuing transition, Data Processor warrants it will maintain all standard automated tools to facilitate data migration to a destination of Data Controller’s choosing. Following a mandatory transitional period, the Data Controller shall have a final thirty (30) calendar day 'Data Retrieval Period' prior to any permanent erasure. Data Processor shall use reasonable efforts to ensure any successor entity or trustee honors these portability obligations and provides the technical documentation necessary to validate the exported data.

7. CONFIDENTIALITY

Each Party acknowledges that it may receive or have access to Confidential Information of the other Party in connection with this DPA. Confidential Information includes, but is not limited to, all data, materials, products, technology, computer programs, specifications, manuals, business plans, software, marketing plans, financial information, and other information disclosed or submitted, orally, in writing, or by any other media, to the receiving Party by the disclosing Party. The receiving Party agrees to:

  • Maintain the confidentiality of the Confidential Information.
  • Not disclose the Confidential Information to any third party without the prior written consent of the disclosing Party.
  • Use the Confidential Information solely for the purposes of fulfilling its obligations under this DPA.

8. DATA SHARING & SUB-PROCESSORS

The Data Controller generally consents to the engagement of Cognite’s Sub-processors as listed here. The list of Sub-processors shall be updated to reflect any changes in the use of Sub-processors related to the DPA.

The consent is conditioned upon the Data Processor entering into a written data processing agreement with the Sub-processor imposing obligations equivalent to those imposed on the Data Processor under this DPA.

If the Data Processor intends to engage any new Sub-processors or replace existing ones, it shall provide written notification to the Data Controller at least thirty (30) days prior to the commencement of processing by such Sub-processor. Upon receiving such notification, the Data Controller shall have sixty (60) days to review and raise any objections, based on reasonable grounds related to the processing of personal data, in writing to the Data Processor.

The Data Controller shall have the right to object to such changes in writing without undue delay, but no later than thirty (30) days after a Controller representative was informed of the new Sub-processor in writing. In case of an objection to a new Sub-processor, the Parties shall discuss in good faith to seek to remedy the Data Controller’s concerns. If the Parties are not able to remedy the Data Controller’s concerns relating to the new Sub-processor, Data Controller shall have the right to terminate the Agreement.

Sub-processing under this provision shall not include ancillary services ordered by the Data Processor from third parties to assist in the performance of the Data Processor's day-to-day business, e.g. telecommunications services, maintenance, user support, auditing, disposal of media, etc.

For the avoidance of doubt, the Data Processor may share Personal Data with its subsidiaries and affiliates as necessary for legitimate business purposes and to fulfil Data Processor’s obligations under this DPA.

9. SECURITY

The Data Processor must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

The Data Processor shall, by means of planned, systematic measures, ensure satisfactory data security with regard to confidentiality, integrity, and accessibility in connection with the Processing of Personal Data, in accordance with Article 32 of the GDPR, including:

  • ensure that IT systems and other systems used in the Processing of Personal Data in relation to this DPA, and any connections between such systems, are configured in a way that secures appropriate information security;
  • ensure that any storage medium, data medium, and/or data equipment used to Process Personal Data are protected against destruction and against access by unauthorized persons;
  • ensure that measures are implemented to protect against destructive and/or malicious software and/or hacking of the systems used by the Data Processor in the Processing of Personal Data on behalf of the Data Controller;
  • ensure that Personal Data Processed according to this DPA is kept separate from the Data Processor’s own information, information of third parties, and/or other information; and
  • ensure that no unauthorized persons obtain access to the premises, files, or systems where Personal Data to which the Data Processor receives access under this DPA are stored, kept, or Processed.

The Data Processor shall ensure that satisfactory information security is established through planned and systematic measures, and shall regularly, and at least once per year, perform security reviews of the systems used to Process any Personal Data pursuant to this DPA and the Agreement. The technical and organisational measures are laid down in Appendix 2.

10. TRANSFER OF DATA TO A COUNTRY OUTSIDE THE EU/EEA

Transfers of Personal Data, including transfers (assignment, disclosure and internal use) of Personal Data to Third Countries or international organisations, are subject to written approval from the Data Controller and can only proceed if there are sufficient guarantees for an adequate level of data protection in accordance with Applicable Law. In any case, such transfers must always be based on:

  1. an adequacy decision by the EU Commission in accordance with Article 45 of the GDPR; or
  2. a DPA including standard data protection clauses as specified in Article 46(2)(c) or (d) of the GDPR (Standard Contractual Clauses); or
  3. binding corporate rules in accordance with Article 47 of the GDPR.

A list of all approved transfers of Personal Data to Third Countries or international organisations is provided here.

11. TERM

This DPA shall remain effective for as long as the Data Processor Processes Personal Data on behalf of the Data Controller under the Agreement.

APPENDIX 1 – INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA

SERVICES PERFORMED BY DATA PROCESSOR

Professional Services (including consultancy services), subscriptions to the Subscription Items, and, if applicable, Cognite Academy.

PURPOSE AND NATURE OF THE PROCESSING

Processing Personal Data in the act of providing Professional Services and/or access to CDF and Cognite Applications, including the use of session replay tools for technical troubleshooting, platform optimization, and improving user experience, and, if applicable, Cognite Academy.

CATEGORIES OF PERSONAL DATA

  • Personal Data transferred by the Data Controller into CDF;
  • Personal Data made accessible by Data Controller to enable Data Processor to perform Professional Services;
  • Personal Data pertaining to the use of Cognite Technology (e.g. log data, audit logs (including AI-related logs), IP address, geographic metadata, user interface interactions including mouse movements, clicks and scrolls, and session recordings/replays), and correspondence;
  • Contact info, name, email, and job title;
  • Additionally, the Data Processor may Process information regarding the Data Controller’s employees’ usage, course completion, and grades from Cognite Academy.

CATEGORIES OF DATA SUBJECTS

Data Controller’s employees and consultants.

DATA RETENTION

For the duration of the Agreement, unless otherwise agreed.

THE FREQUENCY OF THE TRANSFER (E.G. WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS)

Personal Data will be transferred on a continuous basis.

COMPETENT SUPERVISORY AUTHORITY/AUTHORITIES

Datainspektionen (Sweden) and Datatilsynet (Norway).

APPENDIX 2 – TECHNICAL AND ORGANISATIONAL MEASURES

1. Introduction and Purpose

This document outlines the technical and organizational measures (TOMs) implemented by Cognite ("the Company") to ensure a level of security appropriate to the risk for all personal data processed by the Company. These measures are designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Our commitment is to uphold the principles of data protection as enshrined in the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Norwegian Personal Data Act (LOV-2018-06-15-38, "Personopplysningsloven"), ensuring the confidentiality, integrity, and availability of the personal data we process on behalf of our customers and for our own business purposes.

2. Scope

These measures apply to all processing of personal data conducted by the Company, its employees, contractors, and any third-party sub-processors. This includes all systems, applications, databases, and infrastructure involved in the processing of such data.

3. Organizational Measures

3.1. Data Protection Governance

  • Privacy Officer: The Company maintains a dedicated privacy office responsible for overseeing our data protection strategy and compliance. For any inquiries, our privacy team can be reached via the contact details available internally or upon request.
  • Policies and Procedures: We maintain a suite of internal policies, including a Data Protection Policy, an Information Security Policy, and an Incident Response Plan, which are regularly reviewed and updated.
  • Record of Processing Activities (ROPA): In accordance with Article 30 of the GDPR, the Company maintains a detailed ROPA for all personal data processing activities.

3.2. Personnel Training and Awareness

  • All employees and relevant contractors undergo mandatory data protection and information security training upon onboarding and on an annual basis thereafter.
  • Confidentiality agreements are signed by all personnel with access to personal data.
  • A culture of security awareness is promoted through regular communications and role-specific training.

3.3. Data Processing and Third Parties

  1. Data Processor Due Diligence: We conduct thorough due diligence on all third-party sub-processors to ensure they provide sufficient guarantees to implement appropriate technical and organizational measures.
  2. Data Processing Agreements (DPAs): Legally binding DPAs, compliant with Article 28 of the GDPR, are in place with all sub-processors.

3.4. Data Protection by Design and by Default

  1. We integrate data protection principles into our software development lifecycle (SDLC) and business processes.
  2. Data minimization is a core principle; we only collect and process personal data that is necessary for the specified purpose.
  3. Privacy-enhancing technologies are evaluated and implemented where appropriate.

3.5. Risk Management

  • We conduct regular risk assessments of our data processing activities.
  • Data Protection Impact Assessments (DPIAs) are performed for any new processing likely to result in a high risk to the rights and freedoms of natural persons, pursuant to Article 35 of the GDPR.

4. Technical Measures

4.1. Access Control

  • Physical Access: Access to our offices and data center facilities is restricted through physical security measures, including access cards and surveillance systems.
  • Logical Access: Access to systems and data is managed based on the principle of least privilege. User access rights are reviewed periodically.
  • Authentication: We enforce strong password policies and mandate the use of multi-factor authentication (MFA) for access to critical systems and personal data.

4.2. Confidentiality (Encryption and Pseudonymization)

  • Encryption in Transit: All data transmitted over public networks is encrypted using strong protocols, such as TLS 1.2 or higher.
  • Encryption at Rest: Personal data stored in our databases and storage systems is protected by industry-standard encryption (e.g., AES-256).
  • Pseudonymization: Where feasible, pseudonymization techniques are applied to reduce the risks to data subjects.

4.3. Integrity

  • Measures are in place to ensure that personal data is not altered or corrupted in an unauthorized manner. This includes the use of checksums, version control for critical data, and detailed audit logs.
  • Change management processes are enforced for all modifications to production systems.

4.4. Availability and Resilience

  • Backups: Regular, automated backups of personal data are performed. Backup data is encrypted and stored securely.
  • Disaster Recovery: We maintain a Disaster Recovery Plan (DRP) that is tested periodically to ensure the timely restoration of data and services in the event of a major incident.
  • System Redundancy: Critical systems are designed with redundancy to ensure high availability and resilience against hardware failure.
  • Network Security: We utilize firewalls, intrusion detection/prevention systems (IDS/IPS), and other network security controls to protect against unauthorized access and malicious traffic.

4.5. Secure Development

  • Our SDLC includes security checkpoints at each phase, from design to deployment.
  • Code is subject to peer review and static/dynamic application security testing (SAST/DAST).
  • We conduct regular vulnerability scanning and third-party penetration testing to identify and remediate security weaknesses.

5. Incident Management

  • Incident Response Plan: The Company has a documented Incident Response Plan to ensure a swift and coordinated response to any security incident.
  • Breach Notification: In the event of a personal data breach, we will notify the Norwegian Data Protection Authority (Datatilsynet) without undue delay and, where feasible, not later than 72 hours after having become aware of it, as required by Article 33 of the GDPR. Affected data subjects will be notified in accordance with Article 34 of the GDPR.

6. Data Subject Rights

We have established procedures to efficiently handle requests from data subjects exercising their rights, including the right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object.

7. International Data Transfers

Personal data is not transferred outside the European Economic Area (EEA) without ensuring an adequate level of protection. Such transfers are legitimized through mechanisms such as an adequacy decision from the European Commission, Standard Contractual Clauses (SCCs), or other appropriate safeguards as stipulated in Chapter V of the GDPR.

8. Document Review

This document is reviewed at least annually, or upon significant changes to our processing activities or the regulatory landscape, to ensure its continued relevance and adequacy.