These terms constitute a part of a Software and Service License Agreement between the Parties (the “Agreement”), under which the Processor may process certain personal information (“Personal Information”) on behalf of the Controller. The Controller is the data controller in relation to the processing of the Personal Information. The Processor is the data processor.
These terms are between the user/client (below, the “Controller”) and Detectify AB, org.nr. 556985-9084, Kungsgatan 37, 111 56 Stockholm, Sweden (below, the “Processor”). The Controller and the Processor are separately referred to as “Party” and jointly as the “Parties”.
The Processor may only process the Personal Information in accordance with the DPA, applicable data protection legislation (“Applicable Legislation”) and for providing the Service to the Controller. It is the responsibility and liability of The Controller that its instructions for the processing of Personal Information comply with Applicable Legislation and that the Controller further meets all other obligations of a controller under Applicable Legislation.
The Processor may not process the Personal Information for any other purposes or in any other way than what is in line with providing the Service.
Notwithstanding the foregoing, the Processor may process or use the Personal Information without having received specific written instructions from the Controller in its day-to-day business activities, provided that the processing is for, and falls within the scope of, the purposes providing the Service.
In the event that the Processor believes that any instructions from the Controller violate Applicable Legislation, the Processor shall refrain from acting on such instructions and promptly notify the Controller and await amended instructions.
The Processor shall maintain adequate security measures to ensure that the Personal Information is protected against destruction, modification and proliferation. The Processor shall further ensure that Personal Information is protected against unauthorized access and that access events are logged and traceable.
The Processor shall ensure (i) that only authorized employees who need access to the Personal Information for the fulfillment of the Processor’s obligations under the Agreement have access to the Personal Information, (ii) that the authorized employees process the Personal Information only in accordance with this DPA and the Controller’s instructions and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Personal Information.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Such notification shall, where possible, at least contain the information described in Article 33.3 of the GDPR.
The Processor shall assist the Controller with the fulfillment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures. The Processor shall further assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR, and also in relation to data breaches.
The Processor may engage third parties to process the Personal Information or any part thereof on its behalf (“Sub-Processor”), provided that the Controller has been informed thereof in writing and not objected in writing 10 days after such information was provided (in which event they are considered approved). This includes technology providers, financial service providers, administrative systems and various tool integrations. They will receive personal information based on the need for the performing of their task. A full list of sub-processors can be found at our services page. Our contracts limit their usage of the data that you have provided to us.
If the Controller objects to such Sub-Processor without documented reasonable cause, then the Processor shall refrain from using such Sub-Processor for the processing of the Personal Information and shall use reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable change to Controller’s configuration or use of the services to avoid processing of data by the objected-to new Sub-Processor without unreasonably burdening the Controller. If such change is not practically or commercially reasonable to make within a reasonable period of time, which shall not exceed thirty (30) days, the Processor shall at its discretion be entitled either to (i) compensation from the Controller for any additional costs incurred by it due to such objection, or, (ii) terminate the Agreement on 45 days’ notice. The Processor shall inform the Controller within 40 days after receipt of the Controller’s objection whether it opts for alternative (i) or (ii).
When the Controller has approved a Sub-Processor, the Controller may no longer object to such Sub-Processor.
The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations at least reflecting those undertaken by the Processor under this DPA.
The Processor is entitled to transfer personal data outside the EU/EEA, or engage a Sub-Processor to process Personal Information outside of the EU/EEA, provided the Processor has an applicable legal ground for such transfer. The Processor shall upon the Controller’s request provide documented evidence showing the applicable legal ground for the transfer.
Upon the Controller’s request, the Processor will once per calendar year provide to the Controller the information necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation and this DPA.
If the Controller, despite receiving the information set out above, has a legitimate and documented reason to suspect that the Processor does not meet its obligations under Applicable Legislation and this DPA, the Controller shall be entitled on 30 days’ written notice to carry out an audit of the Processor’s processing of the Personal Information and information relevant in that respect. The Processor shall assist the Controller, disclose any information necessary and provide the access necessary in order for the Controller to carry out such audit. Each Party shall carry its own costs for such an audit.
If a data protection authority carries out an audit of the Processor which may involve the processing of Personal Information, the Processor shall promptly notify the Controller thereof.
The Processor shall be entitled to compensation on a time and material basis for (i) complying with altered or additional instructions issued by the Controller or Applicable Legislation regarding the processing of the Personal Information, and (ii) carrying out its obligations under the obligation to assist. Unless the Parties have agreed on a price list for consultancy services, the Processor shall be compensated in accordance with its applicable price list for consultancy services as amended from time to time.
The Processor undertakes not to disclose or provide any Personal Information, or any information related to the Personal Information, to any third party. For the avoidance of doubt, any Sub-Processor shall not be considered a third party. This confidentiality obligation will continue to apply also after the termination of this DPA without limitation in time.
Processor may disclose such information if the Processor is obliged hereto by law, judgement by court or by decision by a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under Applicable Legislation.
If a Party becomes liable to a data subject under Applicable Legislation and the other Party was involved in the same processing which formed basis for the data subject’s claim, the other Party shall (in accordance with Article 82.5 of the GDPR) reimburse the liable Party with the part of the compensation corresponding to the other Party’s part of the responsibility for the damage. In addition, the other Party shall compensate the liable Party for fair and proportionate (in relation to the other Party's liability) costs for defending such claims. Further, a Party subject to a claim from a data subject shall within reasonable time inform the other Party in writing of the claim, if it is likely that claims against the other Party may be made. The other Party shall gain insight into the data subject’s and the Party’s documents in such lawsuit and shall be given the opportunity to comment on this.
For the avoidance of doubt, administrative fines under Article 83 of the GDPR, due to a Party’s breach of its obligations under the GDPR, will be imposed on the offending Party and are not subject to any liability arrangement between the Parties under this DPA.