Data Processing Agreement

Last updated: November 9, 2023

Background
  1. This data processing agreement ("Processing Agreement") is an appendix to the parties' agreement with general terms regarding services for financial data analysis and reconciliation, collaboration functions, and reporting ("Main Agreement").
  2. The Processing Agreement applies in relation to the Main Agreement and any other agreements between the parties under which Senseworks AB, 559237-6593, Tvistevägen 47, 907 29 Umeå ("Data Processor") is the data processor and the Customer (the "Data Controller") is the data controller.
Definitions
  1. Terms in this Processing Agreement shall be interpreted in accordance with applicable data protection legislation, which includes the Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as complementary national legislation.
  2. Definitions used in this Processing Agreement but not defined in this Agreement shall be defined as specified in the Main Agreement.
Attachments to the data processing agreement

This Processing Agreement consists of this main document as well as the following attachments:

  • Appendix 1 - Specification of the processing of personal data
  • Appendix 2 - Pre-approved sub-processors
Processing of personal data
  1. The data processor agrees to process personal data only in accordance with documented instructions from the data controller, unless otherwise required by applicable data protection legislation. The data controller’s original instructions to the data processor regarding the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, and the categories of data subjects are specified in this Processing Agreement, including its appendices.
  2. The data controller confirms that the data processor's obligations under this Processing Agreement, except for any written instructions provided in accordance with this section 4.2, constitute the complete instructions to be followed by the data processor. Any changes to the data controller's instructions must, except as stated in section 7.2 below, be negotiated separately and must, in order to be valid, be documented in writing and signed by both parties. The data controller is obliged not to allow the data processor to process other categories of personal data or process personal data about other categories of data subjects, other than those specified in Appendix 1, without such written agreement.
  3. The data processor shall, to the extent required by applicable data protection legislation and in accordance with the data controller's written instructions in each individual case, assist the data controller in fulfilling their obligations under applicable data protection legislation.
  4. The data processor shall immediately inform the data controller if the data processor believes that an instruction from the data controller is missing or if an existing instruction conflicts with applicable data protection legislation.
Disclosure of personal data
  1. Except for processing specified in this Processing Agreement, the data processor agrees not to disclose or otherwise make personal data processed under this Processing Agreement available to any third party without prior written consent from the data controller, unless otherwise required by applicable law, court order, or government decision.
  2. If a data subject requests information from the data processor regarding the processing of their personal data, the data processor shall promptly refer such request to the data controller without unnecessary delay.
  3. If an authorized authority requests information from the data processor regarding the processing of personal data, the data processor shall promptly inform the data controller of this, unless otherwise required by applicable law, court order, or government decision. The data processor may not act on behalf of the data controller or as their representative, and may not, without prior consent from the data controller, transfer or otherwise disclose personal data or other information related to the processing of personal data to a third party, unless otherwise required by applicable law, court order, or government decision.
  4. If, under applicable law, the data processor is required to disclose personal data it processes on behalf of the data controller, the data processor is obligated to promptly inform the data controller of this, unless otherwise required by current law, court order, or government decision, and to request that the information be treated confidentially at the time of disclosure.
Sub-processor and transfers to third countries
  1. The data controller agrees that the data processor may engage sub-processors both within and outside the EU/EEA and may transfer personal data outside the EU/EEA. The data processor shall ensure that sub-processors are bound by written agreements that impose equivalent obligations in data processing as those under this Processing Agreement. Appendix 2 contains a list of pre-approved sub-processors as of the effective date of this Processing Agreement.
  2. If personal data is transferred to, or access is allowed from, a location outside the EU/EEA, the data processor shall ensure that there is a legal basis for the transfer under applicable data protection legislation, such as the EU Commission's standard contractual clauses. The data controller authorizes the data processor to enter into the EU Commission's standard contractual clauses with sub-processors on behalf of the data controller.
  3. If the data processor intends to engage a new or replace an existing sub-processor for the processing of personal data covered by this Processing Agreement, the data processor must inform the data controller in advance and provide the data controller with the opportunity to raise objections. Such objections must be made in writing within one (1) month from the date the data controller received the information. The data processor must provide the data controller with all information reasonably requested to assess whether the engagement of the proposed sub-processor will ensure compliance with the data controller's obligations under this Processing Agreement and applicable data protection legislation. If, in the data controller's opinion, compliance with these obligations cannot be ensured by the proposed sub-processor, and the data processor still intends to engage the proposed sub-processor despite the data controller’s objection, the data controller has the right to terminate the Main Agreement without additional cost.
Information security and confidentiality
  1. The data processor is obligated to fulfill its legal obligations regarding information security under applicable data protection legislation and shall, in all cases, implement appropriate technical and organizational measures to protect the personal data being processed.
  2. The data processor shall follow the measures outlined in Appendix 1 and its own security regulations. The data processor may change its own security regulations without prior written consent from the data controller, provided that the change does not conflict with applicable data protection legislation.
  3. The data processor is obligated to ensure that only personnel who directly need access to personal data in order to fulfill the data processor's obligations under this Processing Agreement have access to such data. The data processor shall ensure that such personnel are bound by a confidentiality agreement, which is designed in accordance with the confidentiality provisions of the Main Agreement.
Personal data breaches
  1. The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach.
  2. The data processor shall, in accordance with applicable data protection legislation, assist the data controller with the information that may reasonably be required to fulfill their obligation to report personal data breaches.
Right to audit
  1. The Data Controller shall, in its capacity as data controller, have the right to take the measures necessary to verify that the Data Processor is able to fulfil its obligations under this Processing Agreement and that the Data Processor has in fact taken the measures required to ensure that those obligations are fulfilled.
  2. The Data Processor undertakes to provide the Data Controller with all information required to demonstrate compliance with the obligations set out in this Processing Agreement, and to allow for and contribute to audits, including on-site inspections, carried out by the Data Controller or by another auditor appointed by the Data Controller, provided that the persons carrying out the audit enter into appropriate confidentiality agreements. For on-site inspections, the Data Controller shall notify the Data Processor no later than five working days before the audit is to take place.

Term of Agreement

The provisions of this Processing Agreement shall apply as long as the Data Processor processes personal data for which the Data Controller is responsible.

Measures upon termination of processing
  1. When the Main Agreement ceases to apply, the Data Processor shall, at the request of the Data Controller and according to their choice, either permanently delete or return all personal data processed under the Processing Agreement in a general and readable format to the Data Controller or a designated recipient within thirty (30) days from the termination of the Main Agreement, unless the Data Processor is required by Swedish or European legislation to retain a copy of the personal data. The above shall also apply to personal data processed for logging and security purposes; however, the timeframe for deletion or return of such personal data shall instead be ninety (90) days from the termination of the Main Agreement.
  2. At the request of the Data Controller, the Data Processor shall confirm in writing the measures taken regarding the personal data after the termination of processing in accordance with section 11.1 above.
Compensation

The Data Processor is entitled to compensation according to the Data Processor's prevailing price list for the work performed due to the obligations in sections 4.3, 5, 8.2, 9, and 11 of this Processing Agreement.

Limitation of Liability
  1. In the event of a claim for damages from data subjects, the party held liable for damages shall have the right to regressively reclaim the portion of the damages that, according to applicable data protection legislation, pertains to the other party’s involvement in the processing. The liability for damages shall include a reasonable share of the legal costs incurred in the case with the data subjects.
  2. A party shall be fully liable for and indemnify the other party against any administrative fines attributable to the first party’s failure to fulfill its obligations under this Processing Agreement or applicable data protection legislation.
  3. Liability under this section 13 shall take precedence over the provisions of the Main Agreement. A party’s liability for other types of damages not explicitly regulated in this Processing Agreement shall be exclusively governed by the Main Agreement.
  4. Compensation under this section 13 presupposes, in the event that the claim concerns damages from data subjects, that the party against whom the compensation claim is directed…
     a. is notified in writing of the claims for damages from data subjects within a reasonable time, and
     b. during negotiations or court proceedings and before any settlement or other agreement with the data subjects, is given
        i. insight into the submissions and other correspondence of the data subjects and the party, and
        ii. an opportunity to provide comments, which shall be reasonably taken into account to the extent that such comments may be relevant to the amount of damages.
  5. The date on which the party became aware, or should have become aware, of the grounds for the claim.
     a. from the date of a final and binding decision or judgment, or from the conclusion of a settlement with the data subjects, whichever occurs first.
     b. with regard to damage other than that referred to in section 13.1, the later of the time of the damage occurring or when it reasonably should have been discovered.
  6. A party's liability for compensation under this section 13 shall remain in effect even after the termination of the Main Agreement.

Dispute Resolution and Applicable Law

The provisions regarding dispute resolution and applicable law stated in the Main Agreement shall also apply to this Data Processing Agreement.

Appendix 1 - Instructions for the Processing of Personal Data
Instructions
Brief Description of the Service Provided Under the Main Agreement and the Purpose of the Processing

The Data Processor provides a web-based service that includes financial data analysis and reconciliation, collaboration features, and reporting, as well as support via telephone and email.

Nature and purpose of the processing:

  • Provision of the service, which includes:
      ◦ allowing the Customer to import financial data
      ◦ providing analysis and reconciliation capabilities for financial data
      ◦ providing reports for financial data
      ◦ providing collaboration features for financial data analysis
  • Support for the Customer and users, as well as maintenance of the service (on behalf of the Customer), which includes:
      ◦ handling support cases and assisting in the registration of correct information in the service
      ◦ performing ongoing automatic proactive checks for common errors in the Customer's account and informing and assisting in correcting any errors
      ◦ notifying the Customer of any affected data that may need to be corrected or adjusted upon discovery of bugs or other errors in the service
  • Development and improvement of the service (on behalf of the Customer), which includes:
      ◦ anonymizing personal data for statistical purposes, and
      ◦ developing the service with new functionality based on statistics (usually by processing anonymized statistics) of the Customer’s usage.

Except as provided in the Data Processing Agreement, the Data Processor may not process personal data on behalf of the Data Controller for purposes other than those specified in this section 1.1, to the extent necessary to fulfill the Data Processor's obligations under this Data Processing Agreement and the Data Controller's written instructions. The Data Processor may only rectify, delete, or restrict personal data in accordance with the Data Controller's prior written instructions.

Categories of Personal Data

Personal Data to be Processed by the Data Processor:

  • Contact details such as name, email address, phone number, and image.
  • Comments regarding the Customer's Data made by the Customer's users for the purpose of conveying information within the Customer's organization.
  • User data such as IP address, user ID, password, as well as login and usage of the service's systems and features (when processing is carried out on behalf of the Customer).
  • Support data such as personal data provided by the data subjects in support cases (when processing is carried out on behalf of the Customer).

Special categories of personal data to be processed by the Data Processor:

  • None
Categories of data subjects:

Categories of data subjects that the Data Processor will process personal data about and the scope of processing:

  • Employees of the user of the service
Processing activities (storage, administration, merging of registers, etc.)

Processing activities to be performed by the Data Processor:

  • administration in the provision of service, support, or training
  • maintenance of the service
  • storage and backup
Location for the processing of personal data

Countries where personal data may be stored and/or processed by the Data Processor:

  • Sweden and other countries within the EU/EEA.
  • USA

Personal data may also be processed in additional countries by the Data Processor's sub-processors.

Security Measures

All processing of personal data shall be traceable and access-controlled so that the Data Controller has the ability to monitor the processing that has taken place.

Physical Access Control

Measures to prevent unauthorized physical access to IT systems where the processing of personal data takes place.

  • Data centers where personal data is stored must maintain a high level of security regarding access control systems, alarms, and perimeter protection.
  • The Data Processor must have procedures for issuing and returning codes and keys upon employment and termination of employment.
Access Control Systems

Measures to prevent unauthorized access to IT systems:

  • Strong passwords shall be used by the Data Processor's personnel for access to systems where personal data is stored.
Access Control for Personal Data

Measures to ensure that individuals authorized to use the IT system only have access to personal data within the scope of their designated permissions:

  • Staff only have access to the systems containing personal data that they need to perform their job duties.
  • When staff leave their employment with the data processor, procedures are in place to revoke access.
Access control for transfers

Measures to ensure that personal data cannot be unlawfully read, copied, modified, or deleted during electronic transmission or during transfer or storage on storage devices, as well as to ensure that recipients can be identified and verified when personal data is transferred via electronic transmission:

  • All transfers to and from the service shall be encrypted using strong encryption in accordance with current industry standards.
Control over the input of personal data

Measures to ensure that it is possible to retrospectively review and determine whether personal data has been entered, modified, or deleted in the IT system and who performed the action:

  • Logging of system activities such as logins and data modifications in system logs.
Availability Control

Measures to ensure that personal data is protected against accidental destruction or loss:

  • The primary database storage shall be mirrored across redundant disks and two data centers.
  • At the system level, it shall be possible to restore database content to any point in time, with one-second granularity, using "Point-in-Time Recovery" covering the past 7 days.
  • Daily backup files shall be stored separately from the production database across multiple data centers.
  • Daily backup files shall also be stored at a secondary data center for disaster recovery.
Storage Rules

Procedures shall be in place to regularly review and delete personal data that are no longer necessary for the original purpose.

  • During the contract period: As soon as possible and no later than ninety (90) days from the date the Data Controller requested the deletion of the personal data. The Data Controller shall specify whether the personal data should be permanently deleted or if it should be possible to restore them within a specified period.
  • After the agreement has expired: see section 11 of the Data Processing Agreement.
Appendix 2 - Approved Sub-processors

The Data Processor has the right to use the following sub-processors for the processing of personal data within the scope of the Data Processing Agreement: