between the Data Controller and Timeplaner AS
In accordance with GDPR Article 28
Organization: _______________________
Org. No: _______________________
Contact Person: _______________________
Email: _______________________
Organization: Timeplaner AS
Org. No: 936 380 387
Contact Person: Alexander Kvarven
Email: [email protected]
Data Protection Officer: Alexander Kvarven ([email protected])
This Data Processing Agreement governs the Data Processor's processing of personal data on behalf of the Data Controller in connection with the use of the service Timeplaner.no.
Timeplaner.no is a digital planning tool for teachers that enables:
| Category | Data | Source |
|---|---|---|
| Identification | Name, email address | Feide / Google / Microsoft |
| Authentication | Feide ID, Google ID, Microsoft ID | Feide / Google / Microsoft |
| Organization Affiliation | School/municipality, role at organization (teacher/staff/student) — role is used solely to reject student logins at registration, not stored in the service database | Feide |
| User Content | Weekly plans, yearly plans, notes | Created by user |
| Technical | Login time, language preference | System generated |
| Student identifiers | Nickname/number/initials, gender (optional), birthday (MM-DD, optional) | Recorded by teacher |
| Student activity | Homework status (submitted/not submitted/late), test and quiz results | Recorded by teacher / system generated |
| Absence registration | Date, lesson, absence status (present/sick/unauthorized) | Recorded by teacher |
| Security logging | IP address, user agent (retained 12 months) | System generated |
| Activity logging | Page visits, in-service actions (aggregated) | System generated |
| AI lesson context | Subject name, class name, topic, teacher's text (only when AI assistant is used) | Teacher-activated |
| Cloud-stored content | Documents created by the teacher (only when Drive/OneDrive is connected) | Teacher-activated |
This agreement applies to the processing of personal data about:
The number of data subjects will vary based on how many teachers choose to use the service and how many students they record.
The Data Processor processes personal data solely for the following purposes:
Legal basis is GDPR Article 6(1)(b) - performance of a contract with the data subject.
The Data Processor shall:
The Data Processor has implemented the following security measures:
The Data Processor uses the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Hetzner Online GmbH | Web hosting and database | Server in Finland (Nordic, EU/EEA) |
| Cloudflare, Inc. | CDN and DDoS protection | EU/USA* |
| SMTP2GO | Email delivery (transactional emails, no pupil data) | EU (Amsterdam, Netherlands)** |
| Sikt — Norwegian Agency for Shared Services in Education and Research | Feide authentication (when Feide login is used) | Norway |
| Google LLC | Google OAuth 2.0 (when Google login is used) | EU/USA* |
| Microsoft Corporation | Microsoft OAuth 2.0 (when Microsoft login is used) | EU/USA* |
The following sub-processors process personal data only when the individual teacher actively activates an optional feature:
| Sub-processor | Service / data | Location | Activated when |
|---|---|---|---|
| Google LLC | Gemini AI — lesson context (subject name, class name, topic, teacher's text). Paid plan; data is not used to train Google's models. | USA* | Teacher uses the AI assistant |
| Google LLC | Google Drive — document storage (teacher's own documents) | USA* | Teacher connects Google Drive |
| Microsoft Corporation | Microsoft Graph / OneDrive — document storage (teacher's own documents) | USA* | Teacher connects OneDrive |
* Transfers to the USA are secured under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC).
** Timeplaner's SMTP2GO account is hosted in SMTP2GO's European data center in Amsterdam. All email is sent, stored, and processed on servers within the EU/EEA. SMTP2GO is ISO 27001 certified and GDPR compliant; the European data center is additionally SOC 2 Type II and ISAE 3402 certified. SMTP2GO Pty Ltd is incorporated in New Zealand, and Standard Contractual Clauses (SCC) apply to the corporate parent relationship.
The Data Processor will inform the Data Controller of any planned changes to sub-processors at least 30 days before the change takes effect.
The service includes three optional sharing mechanisms that the teacher activates:
All sharing can be revoked by the teacher, and tokens are random and unguessable.
Personal data is primarily stored on servers in the Nordic countries (server in Finland, EU/EEA).
Email is sent through SMTP2GO's European data center in Amsterdam, so transactional email content is stored and processed within the EU/EEA.
Data is transferred to the USA only when Google, Microsoft, or Cloudflare services are used (secured under the EU-US Data Privacy Framework and Standard Contractual Clauses).
Transfers outside the EU/EEA are secured through:
The Data Processor shall assist the Data Controller in fulfilling data subject rights:
Inquiries about data subject rights can be directed to: [email protected]
In the event of a personal data breach, the Data Processor shall:
Notification will be sent to the contact person specified in section 1, as well as to: [email protected]
The Data Controller has the right to:
Audits shall be notified at least 14 days in advance and conducted in a way that does not disrupt normal operations.
Upon termination of the agreement, the Data Processor shall:
This agreement enters into force upon signing and applies as long as the Data Controller has users using Timeplaner.no via Feide.
The agreement may be terminated by either party with 3 months written notice.
The Data Processor is liable for:
The Data Processor is exempted from liability if it is proven that the Data Processor is not responsible for the event that caused the damage.
This agreement is governed by Norwegian law. Any disputes shall be sought resolved through negotiations. If negotiations are unsuccessful, the dispute shall be decided by Norwegian courts with Bergen District Court as the legal venue.
This agreement is executed in two copies, one for each party.
For the Data Controller:
Place and date: _______________________
Name: _______________________
Position: _______________________
For the Data Processor (Timeplaner AS):
Place and date: _______________________
Name: Alexander Kvarven
Position: CEO
| Data Protection Officer (DPO): | Alexander Kvarven — [email protected] |
| General inquiries: | [email protected] |
| Breach and security incidents: | [email protected] |
Data Processing Agreement for Timeplaner.no
Version 2.3 - Updated May 2026
Timeplaner AS | Org. No: 936 380 387 | timeplaner.no