Data Processing Agreement
Last Updated: 12 January 2021
These terms are between You, the user/customer (below, the “Controller”) and Detectify AB, org.nr. 556985-9084, Mäster Samuelsgatan 56, 111 21 Stockholm, Sweden (below, the “Processor”). The Controller and the Processor are separately referred to as “Party” and jointly as the “Parties”.
The Processor may only process the Personal Information in accordance with the DPA, applicable data protection legislation (the laws and regulations, including of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of Personal Data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) (“Applicable Legislation”) and for providing the Service to the Controller. It is the responsibility and liability of The Controller that its instructions for the processing of Personal Information comply with Applicable Legislation and that the Controller further meets all other obligations of a controller under Applicable Legislation.
The Processor may only process the Personal Information for the purpose and in a manner that is necessary for providing the Service to the Controller and in accordance with this DPA or under specific written instructions from the Controller.
In the event that the Processor believes that any instructions from the Controller violate Applicable Legislation, the Processor shall refrain from acting on such instructions and promptly notify the Controller and await amended instructions.
The Processor shall maintain adequate security measures to ensure that the Personal Information is protected against destruction, modification and proliferation. The Processor shall further ensure that Personal Information is protected against unauthorized access and that access events are logged and traceable.
The Processor shall ensure (i) that only authorized employees who need access to the Personal Information for the fulfillment of the Processor’s rights and obligations under the Agreement have access to the Personal Information, (ii) that the authorized employees process the Personal Information only in accordance with this DPA and the Controller’s instructions and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Personal Information.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach and shall take reasonable steps to mitigate the effects of the personal data breach. Furthermore, taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with the Controller's obligations to (a) document any personal data breach, (b) notify the applicable supervisory authority of any personal data breach and (c) communicate such personal data breaches to the data subjects, in accordance with Applicable Legislation.
The Processor’s Obligation To Assist
Taking into account the nature of the processing, the Processor shall assist the Controller with the fulfillment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures. Taking into account the nature of processing and the information available to the Processor, the Processor shall further assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR.
The Processor may engage third parties to process the Personal Information or any part thereof on its behalf (“Sub-Processor”), provided that the Controller has been informed thereof in writing and not objected in writing 10 days after such information was provided (in which event they are considered approved). This includes technology providers, financial service providers, administrative systems and various tool integrations. They will receive personal information based on the need for the performing of their task. A full list of sub-processors can be found below.
If the Controller objects to such Sub-Processor with documented reasonable cause, then the Processor shall refrain from using such Sub-Processor for the processing of the Personal Information and shall use reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable change to Controller’s configuration or use of the services to avoid processing of data by the objected-to new Sub-Processor without unreasonably burdening the Controller. If such change is not practically or commercially reasonable to make within a reasonable period of time, which shall not exceed thirty (30) days, the Processor shall at its discretion be entitled either to (i) compensation from the Controller for any additional costs incurred by it due to such objection, or, (ii) terminate the Agreement on 45 days’ notice.
When the Controller has approved a Sub-Processor, the Controller may no longer object to such Sub-Processor.
The Processor shall enter into a written agreement with every Sub-Processor to ensure that the personal data is only processed by the Sub-Processor for the purpose of providing the respective services to the Controller, in which each Sub-Processor undertakes obligations at least reflecting those undertaken by the Processor under this DPA.
Transfers to Third Countries
The Processor is entitled to transfer personal data outside the EU/EEA or engage a Sub-Processor to process Personal Information outside of the EU/EEA, provided the Processor has an applicable legal ground for such transfer, such as Standard Contractual Clauses approved by the European Commission. To the extent that the Processor processes personal data in any country outside the EEA or an adequate country, as defined in Applicable Legislation, the parties agree that the standard contractual clauses will apply in respect of that processing and are incorporated within this DPA by reference. In the event that the standard contractual clauses are not sufficient to safeguard the transfer of personal data, the Processor shall implement any additional supplementary, technical, contractual and/or policy measures as may be required to ensure the personal data is protected to a standard equivalent to that afforded by Applicable Legislation. The Processor shall upon the Controller’s request provide documented evidence showing the applicable legal ground for the transfer.
Upon the Controller’s request, the Processor will once per calendar year provide to the Controller the information necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation and this DPA.
If the Controller, despite receiving the information set out above and any additional information provided to Controller, has a legitimate and documented reason to suspect that the Processor does not meet its obligations under Applicable Legislation and this DPA, the Controller shall be entitled on 30 days’ written notice to carry out an audit of the Processor’s processing of the Personal Information and information relevant in that respect. The Processor shall reasonably assist the Controller, disclose any information necessary and provide the access necessary in order for the Controller to carry out such an audit. Each Party shall carry its own costs for such an audit.
If a data protection authority carries out an audit of the Processor which may involve the processing of Personal Information on behalf of the Controller, the Processor shall promptly notify the Controller thereof.
The Processor shall be entitled to reasonable compensation on a time and material basis for (i) complying with altered or additional instructions issued by the Controller or Applicable Legislation regarding the processing of the Personal Information, and (ii) carrying out its obligations under the obligation to assist. Unless the Parties have agreed on a price list for consultancy services, the Processor shall be compensated in accordance with its applicable price list for consultancy services as amended from time to time.
The Processor undertakes not to disclose or provide any Personal Information, or any information related to the Personal Information, to any third party. For the avoidance of doubt, any Sub-Processor shall not be considered a third party. This confidentiality obligation will continue to apply also after the termination of this DPA without limitation in time.
Processor may disclose such information if the Processor is obliged hereto by law, judgement by court or by decision by a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under Applicable Legislation.
Limitation of liability
If a Party becomes liable to a data subject under Applicable Legislation and the other Party was involved in the same processing which formed basis for the data subject’s claim, the other Party shall (in accordance with Article 82.5 of the GDPR) reimburse the liable Party with the part of the compensation corresponding to the other Party’s part of the responsibility for the damage. In addition, the other Party shall compensate the liable Party for fair and proportionate (in relation to the other Party's liability) costs for defending such claims. Further, a Party subject to a claim from a data subject shall within reasonable time inform the other Party in writing of the claim, if it is likely that claims against the other Party may be made. The other Party shall gain insight into the data subject’s and the Party’s documents in such lawsuit and shall be given the opportunity to comment on this.
For the avoidance of doubt, administrative fines under Article 83 of the GDPR, due to a Party’s breach of its obligations under the GDPR, will be imposed on the offending Party and are not subject to any liability arrangement between the Parties under this DPA.
Return And Deletion Of Data
Nature and Purpose of the processing
The purpose of the processing under this DPA is to fulfil the Processor’s obligations under the Agreement.
The nature of the processing is to conduct tests and continuous monitoring (including crawling and penetration of the Controller’s web application as specified in the Order Form) for the purpose of identifying security vulnerabilities gaps in the Controller’s web applications or web sites in order to maintain the availability, confidentiality and the integrity of the web application or web site.
Description of the processing of personal data
Categories of data subjects: The Controller may submit personal data to the Service to the extent determined by the Controller in its sole discretion, and which may relate to the following categories of data subjects:
- The Controller’s prospects, customers, business partners and vendors (who are natural persons)
- The Controller’s employees, agents, advisors, freelancers (who are natural persons)
- The Controller’s end-users and consumers (who are natural persons)
Personal data that will be processed: The Controller may submit personal data to the Service to the extent determined by the Controller in its sole discretion, and which may include the following categories of personal data:
- First and last name
- Employment related information: Title, Position, Employer
- Contact information: Company, email, phone, physical business address
- ID data
- Professional life data
- Personal life data
- Connection data
- Localisation data
Sub-processor, Amazon Web Services EMEA SARL: 38 avenue John F. Kennedy, L-1855 Luxembourg
Location for processing: Ireland
Type of service: Cloud service platform
Sub-processor, Google Cloud EMEA Limited: 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
Location for processing: EU and US (SCCs are applicable to transfers of personal data to sub-processors outside the EU)
Type of service: Cloud service platform