Data Processing Agreement
APPENDIX A TO THE TERMS AND CONDITIONS
1. Parties
1.1 This Data Processing Agreement (“DPA”) is entered into by and between Encube Technologies AB and Customer of the Encube platform as described in the Terms and Conditions entered into by and between Encube Technologies AB and Customer (“Terms and Conditions”).
1.2 Each of Encube Technologies AB (the “Processor”) and Customer (the “Controller”) are hereinafter referred to individually as a “Party” and collectively as the “Parties”.
2. Background
2.1 The Parties have in connection with this DPA entered into the Terms and Conditions concerning the Functions as defined in the Terms and Conditions.
2.2 The term “Data Protection Laws” shall mean the EU General Data Protection Regulation (EU 2016/679) (“GDPR”) and laws, rules and regulations issued pursuant to or under the GDPR and which are directly applicable to the processing of personal data within the scope of this DPA. Expressions used in this DPA, e.g. ‘data subject’, ‘personal data’, ‘processing’ etc., shall be construed in accordance with the meaning given to them in the Data Protection Laws.
2.3 Pursuant to the Data Protection Laws, a written agreement shall be entered into between a controller and a processor and the Parties shall therefore enter into this DPA before any Functions are provided by the Processor to the Controller.
2.4 The provisions of this DPA shall take precedence over all other provisions of the Terms and Conditions in matters relating to processing of personal data.
3. General obligations
3.1 The Controller, on behalf of itself and on behalf of its Affiliates, is the controller of the personal data processed in connection with the performance and provision of Functions under the Terms and Conditions. The Controller is responsible for ensuring that the processing of personal data under this DPA is in accordance with the Data Protection Laws.
3.2 The Processor is to be considered a processor on behalf of the Controller. The Processor is responsible for carrying out all processing of personal data on behalf of the Controller in accordance with this DPA and the instruction set forth in Schedule A, unless otherwise required by applicable laws to which the Processor is subject. In such event, the Processor shall notify the Controller of such requirements unless such legal requirements prohibit the Processor from such notification.
3.3 If the Processor considers that it has insufficient instructions for the processing of personal data according to this DPA or considers that an instruction infringes the Data Protection Laws, the Processor shall be entitled to notify the Controller and suspend the processing in question without liability.
3.4 The Processor shall ensure that persons authorized to process personal data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and will process personal data in accordance with the instructions from the Controller.
3.5 The Controller undertakes to communicate to the Processor only personal data collected and processed in compliance with Data Protection Laws.
4. Assistance
4.1 Taking into account the nature of the processing, the Processor shall, through appropriate technical and organisational measures, assist the Controller, to the extent required under the GDPR, so that the Controller can fulfil its obligation to respond to requests regarding exercise of the rights of the data subject in accordance with Chapter III of the GDPR.
4.2 The Processor shall, upon written request, assist the Controller to a reasonable extent in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
5. Subcontractors and international data transfers
5.1 The Processor is entitled to engage subcontractors for the processing of personal data by way of written contract as set forth in Article 28 of the GDPR. The Processor shall, upon written request, provide information on engaged subcontractors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subcontractors, thereby giving the Controller the opportunity to object to such changes, such objection not to be unreasonable. If the Controller does not object within fifteen (15) days of notice, the changes are considered accepted. In case the Controller objects to such changes, the Processor shall (i) use reasonable efforts to make available an alternative arrangement so that the relevant Functions may still be provided to the Controller, or (ii) where such an alternative arrangement cannot, using reasonable efforts, be implemented, be relieved from its responsibility to provide the relevant Functions affected by the engagement of the subcontractor without liability.
5.2 The subcontractors listed in Schedule A shall be considered approved.
5.3 The Processor may transfer, store, transmit, or otherwise process personal data on behalf of the Controller outside the EU/EEA, provided the Processor, before transfer to a third country commences, complies with the requirements and measures that follow from the GDPR with regard to third country transfers. The Processor therefore undertakes, where applicable, to enter into the EU Commission’s Standard Contractual Clauses (SCC) or equivalent transfer mechanism with subprocessors whose operations are outside the EU/EEA.
6. Security
6.1 The Processor shall implement the security measures in relation to the processing which follow from the GDPR (in particular Article 32) and appropriate technical and organisational measures to protect personal data taking into account the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
6.2 The Processor shall notify the Controller, without undue delay, however no later than forty-eight (48) hours, after becoming aware of a personal data breach in relation to the processing of personal data covered by this DPA. The Processor shall provide reasonable information regarding (i) the nature of the personal data breach, (ii) the likely consequences of the personal data breach, and (iii) the measures taken or proposed to be taken to address the personal data breach. Where the Processor is not able to provide this information at the time of the notification of the personal data breach, the Processor may provide such information later.
7. Audits
7.1 The Processor shall upon written request provide the Controller with all information necessary to demonstrate compliance with the Processor’s obligations under this DPA.
7.2 Upon sixty (60) days’ written notice, a reputable third party auditor mandated by the Controller shall have the right to audit the processing of personal data under this DPA once a year or more frequently if there are reasonably substantiated indications of material non-compliance under this DPA. Any audit will be subject to restrictions under applicable laws, and conditional on compliance with the Processor’s work rules, security requirements and confidentiality standards (including entering into a non-disclosure agreement) and must not interrupt the Processor’s day-to-day business activities. The Controller shall bear all costs arising from or in connection with audits under this Section 7.
8. Liability
8.1 The Parties acknowledge that the Controller and Processor shall be liable to the data subjects in accordance with Article 82 of the GDPR. As such, the Processor shall only be liable for damage caused by its processing to the extent that it has failed to comply with the obligations set out in this DPA, the GDPR obligations specifically directed to processors or where the Processor has acted outside or contrary to the lawful instructions of the Controller or any of its Affiliates.
8.2 If a data subject or any third party directs any claims (including supervisory authorities imposing administrative fines or other measures) towards the Processor based on the Controller’s or any of its affiliates’ processing of personal data, instructions, failure to disclose relevant information or documents or processes and in general where the failure is due to circumstances not attributable to the Processor, the Controller shall hold the Processor harmless from such claims.
8.3 This Section 8 shall survive termination of the DPA regardless of the reason for termination.
8.4 The limitation of liability clause in the Terms and Conditions shall be applicable under this DPA.
9. Term and effects of termination
9.1 This DPA shall enter into force upon the date hereof and shall remain in force for as long as the Processor processes personal data on behalf of the Controller. Provisions regarding termination are set out in the termination provisions of the Terms and Conditions, and this DPA shall terminate automatically when the Terms and Conditions is terminated.
9.2 Upon termination of this DPA, the Processor shall upon request return all personal data to the Controller in the format available to the Processor, or if so requested by the Controller, delete all such personal data, unless the Processor is required to store the personal data under applicable laws. In the absence of any such request, the Processor shall delete all such personal data following termination of the DPA, unless the Processor is required to store the personal data under applicable laws.
10. Miscellaneous
10.1 The provisions set forth in the Terms and Conditions regarding confidentiality, governing law and disputes shall apply to this DPA.
Schedule A – Description of the processing of personal data
1. Subject matter and nature of processing
a) User names and email addresses, company contact and billing information
b) Identity data - names, usernames, titles
c) Contact information - email addresses, phone numbers, postal addresses
d) Professional/employment data - job titles, employer name
e) Financial data - bank account details, payment card information, transaction histories
f) Technical data - IP addresses, login credentials, device identifiers, cookies, usage logs, system access records
g) Communications data - email content, chat messages, video/audio recordings, meeting transcripts
h) Location data - time zone information, office locations
i) Marketing and preferences - communication preferences, survey responses, consent records
2. Categories of data subjects
a) Employees, consultants, suppliers, partners and customers of the Controller and its Affiliates
3. Categories of personal data
a) Identification data (i.e. name and surname, email address, address, title, and telephone number)
4. Purpose of the processing
a) The purpose of the processing of personal data under this DPA is to provide the Encube Platform to the Controller
5. Duration of processing
a) As long as the Processor processes personal data on behalf of the Controller
Processing locations and instruction on the transfer of personal data to countries outside the EU/EEA
EU/EEA
United States - The transfer mechanism shall be the EU–US Data Privacy Framework