Data Processing Agreement
A) This Data Processing Appendix and its annexes (“DPA”) is an appendix to, and legally binding only in connection with, the Agreement with regard to the Services.
B) Within the scope of the Agreement, the Company may process personal data for which the Customer is the data controller and the Company is the data processor.
C) The purpose of this DPA is to fulfil the requirements of a written agreement pursuant to Article 28 of General Data Protection Regulation.
In this DPA the following terms shall have the following meanings:
“Data Protection Laws” refers to Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) including supplementing legislation acts and decisions, e.g. the Act (2018: 218) with additional provisions to the EU General Data Protection Regulation with regard to the processing of personal data and on the free movement of such data (Data Protection Act)
”DPA” refers to this Data Processing Appendix and all annexes thereto
“Parties” refers to both the Company and the Customer
“Party” refers to either the Company or the Customer
“Personal Data” refers to the personal data that the Company processes on behalf of the Customer within the scope of the Agreement
“personal data breach”, “audit”, “controller”, “data subject”, “personal data”, “processor” and “processing” and other expressions not defined in this DPA shall have the meaning given under the GDPR.
2. Processing instructions
2.1 In consideration of the Customer making available the Personal Data to the Company, the Company agrees to process the Personal Data in accordance with the terms and conditions of this DPA and the Customer’s documented instructions.
2.2 Subject to clause 2.3 in this DPA, the Parties acknowledge and agree that:
i. for the purposes of this DPA and as between them, the Customer is, or shall be regarded as, a controller of the Personal Data and the Company is, or shall be regarded as, a processor of the Personal Data and
ii. the Customer will comply with its obligations as a controller under the Data Protection Laws and the Company will comply with its obligations as a processor under this DPA, the Data Protection Laws and the Customer’s written instructions.
2.3 The Customer instructs the Company, and the Company agrees to process the Personal Data in accordance with the instructions put forward in Annex 1.
3. Confidentiality of processing
3.1 The Company shall ensure that all persons it authorizes to process the Personal Data are subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and only process the Personal Data as set out in this DPA.
3.2 The Company shall ensure that only persons who need to process the Personal Data in order for the Company to supply the Services have access to such Personal Data.
4. Data subject rights
4.1 Taking into account the nature of processing and the information available to the Company, at Customer’s cost, provide reasonable assistance to the Customer to enable the Customer to fulfil its obligations pursuant to chapter III in the GDPR, such as responding to:
i. any request relating to the Personal Data from a data subject to exercise any of its rights under Data Protection Laws
ii. any other correspondence, enquiry or complaint received from a data subject or regulator in connection with the processing of the Personal Data by the Company.
4.2 If any such request, correspondence, enquiry or complaint is made directly to the Company, the Company shall without undue delay inform the Customer of such request, correspondence, enquiry or complaint.
4.3 The Company shall not disclose any Personal Data in response to a request for access or disclosure from any third party without Customer’s prior written consent, unless Company is compelled to do so in accordance with applicable law or as otherwise allowed under this DPA or the Agreement.
5. Data protection impact assessment
If requested by the Customer, the Company shall, at the cost of the Customer, provide the Customer with reasonable assistance in order for the Customer to conduct a data protection impact assessment.
6.1 The Company shall, insofar this is possible, implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
6.2 The Company shall notify the Customer of any personal data breach that it becomes aware of without undue delay. All such notifications shall be made at the Company’s discretion by a phone call or email to the Customer representative that the Company regularly liaises with.
6.3 If the personal data breach may be attributed to the Company’s processing of the Personal Data, the Company shall cooperate with the Customer and provide the Customer with commercially reasonable assistance and information in the investigation of a personal data breach.
7.1 The Company is hereby given a general authorization to engage other processors (“Sub-processors”) for the processing of personal data on behalf of the Customer. Where Company engages a Sub-processor under this clause, Company undertakes to ensure that the contract entered into between Company and any Sub-processor shall impose, as a minimum, data protection obligations not less stringent than those set out in this DPA. Company shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors, to which the Customer may object. If Customer has made no such objection within ten (10) days from the date of receipt of the notification, Customer is assumed to have made no objection.
7.2 A list of pre-approved Sub-processors at the Effective Date of this DPA is attached in Annex 1. The Company shall, upon request from the Customer, provide a list to the Customer of the Sub-processors the Company engages with in its processing of the Personal Data.
7.3 The Company shall have the right to cure an objection from Customer as described in 7.1 above, at Company’s sole discretion. If no corrective option is reasonably available and the objection has not been cured within thirty (30) days after receiving the objection, either Party may terminate the affected Services or the Agreement with reasonable written notice. The Company shall remain fully liable for the processing of the Personal Data that its Sub-processors process under this DPA.
The Company shall permit the Customer (or its appointed third-party auditors) to audit the Company's compliance with this DPA, and shall make available to the Customer information, systems and staff necessary for the Customer (or its third-party auditors) to conduct such audit. The Company acknowledges that the Customer (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that the Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to the Company's operations. The Customer will not exercise its audit rights more than once in any twenty-four (24) calendar month period, except if, and when, required by instruction of a competent supervisory authority.
9. International data transfers
The Customer gives the Company permission to transfer personal data to third countries outside the EU or European Economic Area ("EEA") in accordance with Customer's documented instructions. When personal data is transferred to a country that does not ensure an adequate level of data protection, the Company ensures that the transfer is subject to adequate safeguards as stated in Chapter V GDPR is in place. The Company is hereby given clear mandate, on behalf of the Customer, to enter into Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated, amended, replaced or superseded from time to time by the European Commission or a competent authority.
10. Interpretative prerogative
10.1 In the event that the clauses of the Agreement or this DPA are in conflict with the data protection provisions set forth in the data processing agreement that the Company has signed with the Sub-processors (“Sub-processor Agreement”) set out in Annex 1 to this DPA, the data protection provisions set out in the prevailing Sub-Processor Agreement, to the extent it is applicable, shall take precedence with due changes. The above applies, insofar these data protection obligations in the Sub-Processor Agreement are at least as stringent as the obligations in this DPA or constitutes data protection obligations for which the Company must comply with.
10.2 Notwithstanding the above clause 10.1, other applicable data protection provisions stated in this DPA remain unaffected.
11. Limitaton of liability and indemnification
11.1 The Company’s total aggregate liability towards the Customer for breach of the personal data obligations set forth in this DPA or applicable data protection laws shall be limited to an amount corresponding to 100 % of the fees paid or payable as per the Agreement during the six (6) months period immediately preceding the time when the claim arose. The limitations of liability set out in this section shall not apply in case of the Company’s gross negligence or wilful misconduct.
11.2 Neither Party shall be liable for any loss of production, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages. The limitations of liability set out in this section shall not apply in case of the liable Party’s gross negligence or wilful misconduct.
11.3 Notwithstanding what is stated in this DPA, the Company shall be held harmless from all liability in the DPA, if such liability arises as a result of the Customer’s instructions which is in breach with the provisions of the GDPR or other applicable laws.
12. Terms and termination
12.1 This DPA shall be in effect for as long as the Company processes personal data for the Customer under the Agreement. On termination or expiration of the Agreement or on instruction from Customer, upon written request and at Customer’s choice, the Company shall destroy or return the personal data processed under the Agreement at Customer’s cost unless Company is required to retain the personal data by applicable laws, rules and regulations. Customer must make such a written request fourteen (14) days from the Agreement’s expiration or termination.
12.2 All clauses of this DPA which by their nature should survive termination will survive termination, including, without limitation, confidentiality obligations and limitations of liability.
13. Governing law and disputes
Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm. The language to be used in the arbitral proceedings shall be English. This DPA shall be governed by the substantive law of Sweden, without regard to conflict of law principles.
Instruction for processing of the personal data
- To provide the Services pursuant to the Agreement.
Categories of Personal Data
- Electronic Identification Data (such as IP addresses, device identifier, cookies)
- Identification Data (such as name, telephone number and email) and data related to the use of the Services.
Categories of data subjects
- Users of the Services, e.g. customers’ customers and employees.
- adaptation or alteration
- anonymization or aggregating and
Location for the processing of the Personal Data
- EU, EEA or Switzerland
- The Company will process the Personal Data during the period in which the Agreement is in effect and for a reasonable period of time thereafter. However, the Company will strive to aggregate or in other ways de-identify the Personal Data so it is no longer considered as personal data.
- Google Cloud
- Salesforce Heroku