Data Processing Agreement

1. Purpose of the Processing

1.1

The Data Processor processes personal data to provide the Services to the Customer in accordance with the main agreement.

1.2

The processing includes, among other things, storage, structuring, access, and support related to personal data for Users.

2. Types of Personal Data

2.1

The following types of personal data are processed within the framework of the Services:

Company-related data (which may contain personal data), for example:

  • Organization number
  • Position or role within the company
  • Company name

Personal data linked to Users of the Service, for example:

  • Name
  • Email addresses
  • Personal identification number

2.2

Processed personal data varies depending on how the Customer uses the Service. The Customer is responsible for ensuring that only relevant and necessary personal data is processed in accordance with applicable data protection legislation.

3. Categories of Data Subjects

  • Users of the Services

4. Obligations of the Data Processor

4.1

Process personal data only according to documented instructions from the Data Controller.

4.2

Ensure that those who process personal data are bound by confidentiality.

4.3

Take appropriate security measures to protect personal data.

4.4

Assist the Data Controller upon request from data subjects and during supervision.

4.5

Notify the Data Controller upon discovery of a personal data breach.

4.6

Provide documentation for and enable audits.

5. Sub-Processors

5.1

The Data Processor may engage sub-processors within and outside the EU/EEA. The Customer is informed of significant changes.

5.2

Sub-processors shall be covered by a written agreement with corresponding obligations as in this Agreement.

6. Transfer to Third Country

The Data Processor may only transfer personal data to a third country (outside the EU/EEA) after written approval from the Data Controller and provided that there is a legal basis for the transfer according to applicable data protection legislation, such as the EU Commission’s standard contractual clauses (SCC) or decisions on adequate level of protection (e.g., DPF – Data Privacy Framework).

7. Duration of the Agreement and Deletion of Data

7.1

The Data Processing Agreement applies as long as the Agreement applies.

7.2

After the agreement ceases, the Data Processor deletes personal data covered by the Agreement within 90 days, unless other legislation requires longer storage.

8. Liability

Liability for damages is regulated according to the Agreement.