Product updates worth reading
A short email when we ship something useful for shop-floor teams.
You can unsubscribe anytime. By subscribing you agree to our Privacy Notice.
Privacy
Sub-processor list
Current sub-processors used by the Visual Tracking Service
Author: Hans Philip Eide, Data Protection Officer (personvernombud) Document Owner: Odda Digital System AS Audience: Customers, prospective customers, customer counsel Effective date: 25 May 2026 Version: 001
This page is the publicly accessible Sub-processor list referenced in the Data Processing Addendum (DPA) entered into with each Customer of the Visual Tracking Service. The list is identical to DPA Schedule 1; this page exists so that current and prospective Customers can review the catalogue without requesting a copy of their contract, and so that Customers who have subscribed to change notifications can verify the current state at any time.
How this list relates to your contract
If your organisation is a Customer of the Visual Tracking Service, your contract includes a DPA whose Schedule 1 lists the sub-processors in force. This page mirrors that schedule. The contract is the authoritative source of obligations between Odda Digital System and your organisation; this page is the operational reference.
The DPA terms governing how sub-processors are added, replaced, or removed are summarised in Section 6 below.
Current sub-processors
| # | Sub-processor | Role and processing activity | Location of processing | Transfer mechanism (if outside EEA) |
|---|---|---|---|---|
| 1 | Microsoft Ireland Operations Ltd (Azure, Business Central platform) | Hosting of the Service and underlying Business Central environment | EU (Ireland) and Norway (where customer-selected) | N/A |
| 2 | GitHub, Inc. (AL-Go for GitHub deployment pipeline) | Storage and execution of deployment artefacts for the Service extension | United States | EU-US Data Privacy Framework; EU Standard Contractual Clauses as backup |
| 3 | Functional Software, Inc. (dba Sentry) | Error and performance monitoring of the Service's web interface; capture of error stack traces and request context | United States (with EU region available on request) | EU-US Data Privacy Framework; EU Standard Contractual Clauses as backup |
| 4 | Google Ireland Limited (Google Analytics 4) | Product analytics for the Service's web interface; aggregated and pseudonymised usage events | EU (Ireland) for collection; United States (Google LLC) for further processing | EU-US Data Privacy Framework; EU Standard Contractual Clauses as backup; IP address anonymisation enabled |
| 5 | Softices Consultancy Private Limited (Surat, Gujarat, India) | Engineering, debugging, support, and maintenance of the Service, including operational access to Customer Tenants as needed to resolve support cases and perform maintenance | India (Surat, Gujarat) | EU Standard Contractual Clauses (Module Three, processor-to-processor); supplementary measures per DPA Section 3.6.3 |
| 6 | Atlassian B.V. (Jira Cloud) | Customer support ticketing, bug tracking, and incident records. Tickets routinely contain Customer Personal Data when Supplier or Customer personnel include error messages, screenshots, contact information, or environment details in ticket descriptions and comments | EEA (Germany / Ireland) under Customer-selected Atlassian data residency | Intra-EEA processing under data residency setting; Atlassian's SCCs and DPA apply to any cross-border support access by Atlassian personnel |
| 7 | Atlassian B.V. (Bitbucket Cloud) | Source control for the Service codebase. Customer Personal Data is not part of the normal contents of source control; incidental exposure may occur if Customer Personal Data is included in commit messages, pull request descriptions, or referenced ticket context | EEA (Germany / Ireland) under Customer-selected Atlassian data residency | Intra-EEA processing under data residency setting; Atlassian's SCCs and DPA apply to any cross-border support access by Atlassian personnel |
| 8 | HubSpot Ireland Limited (HubSpot CRM, Sales, and Service Hub) | Customer relationship management and customer communications. System of record for customer and prospect contact records, support conversations and tickets, and outbound email. Routinely contains Customer Personal Data when customer contacts, support correspondence, or environment details are recorded in CRM records, tickets, or email | EEA (Germany, Frankfurt) under HubSpot EU data residency | Intra-EEA processing under data residency setting; EU-US Data Privacy Framework and EU Standard Contractual Clauses apply to any access by HubSpot, Inc. (United States) parent or support personnel |
Customer's own Azure Blob Storage account, used by the Documents and Messages modules, is not a Sub-processor in respect of the files stored in that account, because those files remain under Customer's direct control.
Supplementary measures for the India transfer
The transfer to Softices Consultancy Private Limited (entry 5) is governed by the European Commission's Standard Contractual Clauses, Module Three (processor-to-processor), with the following supplementary measures required by Schrems II and subsequent EDPB guidance:
(a) all access to Customer Tenants is performed over encrypted remote sessions to Microsoft Azure and Business Central, with data remaining at rest in the EEA;
(b) no Customer Personal Data is stored on devices located in India; local download, copy, or screen-capture is technically restricted where feasible and contractually prohibited in all cases;
(c) multi-factor authentication and role-based access control are enforced for all India personnel accessing Customer Tenants;
(d) access is logged and monitored, with logs retained per DPA Schedule 2;
(e) India personnel are bound by confidentiality obligations no less protective than those imposed on Odda Digital System's Norwegian personnel; and
(f) Odda Digital System maintains a documented transfer impact assessment for the India transfer and reviews it at least annually.
These measures are described in full in DPA Section 3.6.3.
Section 6. Changes and notification
Odda Digital System will give Customers at least thirty days' written notice before adding or replacing a Sub-processor, either by email to the Customer's Data Protection Contact named in the Order Form or by an update to this publicly accessible page.
A Customer may object to a proposed change on reasonable data-protection grounds within fifteen days of the notice. If Odda Digital System and the Customer cannot resolve the objection within thirty days, the Customer may terminate the affected Order Form on written notice with no further liability other than the obligations that survive termination. Fees paid in advance for the unused portion of the Subscription Term are refunded.
The full procedure is set out in DPA Section 3.5.4.
Subscribe to change notifications
To receive email notifications when this list changes:
- Send a message to post@oddadigitalsystem.no with subject line "Subscribe — sub-processor list"
- Include the email address(es) to add and the organisation name
- Confirmation is sent within one business day
You may unsubscribe at any time by replying to any notification email with subject "Unsubscribe".
Change history
| Version | Effective date | Change |
|---|---|---|
| 001 | 25 May 2026 | Initial publication. Mirrors DPA Schedule 1 as of May 2026. |
Contact
Questions about this list, individual sub-processors, or the change-notification procedure:
- DPO (personvernombud): Hans Philip Eide, hans@oddadigitalsystem.no
- General: post@oddadigitalsystem.no
- Address: Odda Digital System AS, Holmavegen 29, 5750 Odda, Norway