Data Processing Agreement (15/05/2023)

This Data Processing Agreement (the “DPA”), is executed between Flowbox AB (the “Processor”) and the customer set out in the Order Form to which this DPA is attached (the “Controller”).

The Controller and the Processor are individually referred to as “Party” and jointly referred to as the “Parties”.

BACKGROUND

(A) This DPA is an integral part of the Agreement executed between the Processor and the Controller, under which the Processor will process personal data on behalf of the Controller when supplying the services under the Agreement.
(B) The Controller is the data controller in relation to the processing of the Data. The Processor is a data processor, processing the Data on behalf of the Controller.

1. DOCUMENTS

This Agreement consists of this main document and the following appendices:

Appendix 1: Instructions to the Processor

Appendix 2: Security Measures

Appendix 3: Approved Sub-Processors

2. DEFINITIONS AND INTERPRETATION

2.1 In this Agreement, capitalized terms shall have the meanings set out below or if not defined herein, the meanings set forth in Applicable Legislation.

Applicable Legislation	means the GDPR and any applicable supplementary legislation to the GDPR.
Data	means the personal data (as defined in Applicable Legislation), specified in Appendix 1 hereto.
Data Protection Authority	means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
GDPR	means Regulation (EU) 2016/679 of the European Parliament and the Council as amended, supplemented and/or varied from time to time.
Service Agreement	means as set forth in the background to this Agreement.

2.2 The Parties shall negotiate in good faith and agree on any relevant and necessary amendments and updates to this Agreement and the processing carried out hereunder to ensure that it complies with Applicable Legislation at all times during the term of this Agreement.

2.3 The Processor shall provide all services under this Agreement in a professional manner and as may be expected from a well reputed provider of data processing services.

1. INSTRUCTIONS

1.1 The Processor shall process the Data in accordance with the Controller’s written instructions in Appendix 1. The instructions shall at least include the following information:

(i) The purpose of the processing;
(ii) The character of the processing;
(iii) The duration of the processing, or how the duration will be decided;
(iv) Categories of personal data included in the Data; and
(v) Categories of data subjects included in the processing.

1.2 The Processor may not process the Data for any other purposes or in any other way than as instructed by the Controller in writing from time to time. In the event the Controller provides new or amended instructions the Parties shall update Appendix 1 accordingly.

1.3 Notwithstanding the above, the Processor may undertake reasonable day-to-day actions with the Data without having received specific written instructions from the Controller, provided that the Processor acts for and within the scope of the purposes stated in Appendix 1.

1.4 In the event that the Processor considers that any instruction violates Applicable Legislation, the Processor shall refrain from acting on such instructions and shall promptly notify the Controller and await amended instructions.

2. SECURITY MEASURES

2.1 The Processor shall at all times maintain appropriate technical and organizational measures to protect the Data and shall ensure that the Data is at all times protected by updated appropriate security measures against destruction, modification, proliferation and unauthorized access. The Processor shall further ensure that access events are logged and traceable. The security measures are detailed in Appendix 2.

2.2 The Processor shall ensure

(i) that only authorized employees who need access to the Data in order for the Processor to provide the processing services under this Agreement have access to the Data,
(ii) that the authorized employees process the Data only in accordance with this Agreement and the Controller’s instructions and
(iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Data.

2.3 The Processor shall notify the Controller without undue delay after becoming aware of a data breach. Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations to

(i) document any personal data breach,
(ii) notify the applicable supervisory authority of any personal data breach and
(iii) communicate such personal data breaches to the data subjects, in accordance with Applicable Legislation.

3. THE PROCESSOR’S OBLIGATIONS TO ASSIST

3.1 The Processor shall assist the Controller with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures to such effect. The data subjects’ rights include

(i) rights to object to the processing and have the Data erased,
(ii) rights to request information about and access to the Data,
(iii) if technically viable, rights to move Data from one controller to another, and
(iv) rights to request correction of Data.

3.2 The Processor shall further assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR (such obligations include (i) ensuring security of the processing, (ii) impact assessments regarding data protection and (iii) prior consultations).

4. SUB-PROCESSORS

4.1 The Processor may engage third parties to process the Data or any part thereof on its behalf (“Sub-Processor”), provided that the Controller has approved thereto. Approved Sub-Processors are listed in Appendix 3 hereto. Appendix 3 shall list the following information regarding each approved Sub-Processor:

(i) name, contact information, company form and geographical location,
(ii) a description of the services provided by the Sub-Processor,
(iii) the location of the Data that the Sub-Processor processes.

4.2 When the Controller has approved a Sub-Processor, the Controller may no longer object to such Sub-Processor, unless the Sub-Processor fails to comply with Applicable Legislation or the Processor fails to comply with this Agreement due to the Sub-Processor’s default. For any avoidance of doubt, the Processor shall always be liable for the Sub-Processor as for itself.

4.3 The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations reflecting those undertaken by the Processor under this Agreement. The Controller shall be entitled to review such agreement before the Controller approves to the new Sub-Processor and within the scope of the right to audit pursuant to Section 6 of this Agreement.

5. TRANSFERS TO THIRD COUNTRIES

5.1 The Processor may not transfer personal data outside the EU/EEA, or engage a Sub-Processor to process Data outside of the EU/EEA, without the Controller’s prior written consent and upon such consent only if at least one of the following prerequisites is fulfilled:

(i) the receiving country has an adequate level of protection of Data as decided by the European Commission,
(ii) the Controller confirms that the data subject has given his/her consent to the transfer,
(iii) the transfer is subject to the European Commission’s standard contractual clauses for transfer of personal data to third countries,
(iv) the Processor is subject to Binding Corporate Rules and the receiving party in the third country is also subject to the Binding Corporate Rules.

5.2 In the event of a transfer of Data outside the EU/EEA initiated by the Processor, the Processor shall upon the Controller’s request evidence that a valid legal ground applies to the transfer.

6. AUDIT

6.1 Upon 30 business days prior written notice, the Processor will provide to the Controller such information and documentation as is necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation.

6.2 The Controller shall be entitled on 30 business days prior written notice to carry out an audit of the Processor’s processing of the Data and information and documentation relevant in that respect. The Processor shall assist the Controller and disclose any information and documentation necessary in order for the Controller to carry out such audit. The Controller shall carry the costs for such audit, unless the audit reveals that the Processor has substantially violated this Agreement or Applicable Legislation, in which event the Processor shall carry the cost.

6.3 If a Data Protection Authority carries out an audit of the Processor which may involve the processing of the Data, the Processor shall promptly notify the Controller thereof.

7. FEES

The costs for processing of Data and related services are included in the fees set out in the Service Agreement. The Processor shall not be entitled to any other fees, costs or reimbursements than those specified in the Service Agreement for any services related to the processing of Data under this Agreement.

8. LIMITATION OF LIABILITY

The Processor’s limitation of liability set forth in the Services Agreement shall apply for the services related to processing of Data carried out under this Agreement.

9. CONFIDENTIALITY

9.1 The Processor undertakes not to disclose or provide any Data, or any information related to the Data, to any third party unless necessary for the performance of the services in accordance with the Service Agreement. For the avoidance of doubt, any approved Sub-Processor shall not be considered a third party for the purposes of this Section 9.

9.2 Notwithstanding Section 9.1 above, the Processor may disclose such information if the Processor is obliged hereto by law, judgement by court or by decision by a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under Applicable Legislation.

9.3 The confidentiality obligation will continue to apply also after the termination of this Agreement without limitation in time.

10. RETURN AND DELETION OF DATA

The Controller shall upon termination of the Services Agreement instruct the Processor in writing whether or not to transfer the Data to the Controller (such transfer to be made in a common machine-readable format). The Processor will erase the Data from its systems no later than 14 days after the effective date of termination of the Services Agreement, or earlier in accordance with the Controller’s instructions from time to time.

11. TERM

This Agreement shall, notwithstanding the term of the Service Agreement, enter into effect when the Processor commences to process Data on behalf of the Controller and shall terminate when the Processor has erased the Data in accordance with Section 10 above.

_______________

APPENDIX 1 – INSTRUCTIONS

Any processing carried out by the Processor shall be carried out in accordance with the following instructions. If the Processor processes Data in violation with these instructions, the Processor will be deemed data controller.

	INSTRUCTION
Purposes of the processing	For the provision of services in accordance with the Service Agreement. For the fulfillment of Processor’s obligations under this Agreement.
The character of the processing	Processor collects posts from social media to Flowbox’s databases, stores Controller’s data in Flowbox’s services and utilizes cookies and other similar tracking technologies on the Controller’s website to provide the Controller insights on visitors’ behavior etc. Processor collects data from Controller’s customers through forms on Controller’s website or by way of other communication with the data subject, to provide the Controller with information on customer product reviews and ratings etc.
The period of the processing	The data will be processed during the term of the Service Agreement and in accordance with Section 11 in the Agreement, or shorter in accordance with below. Posts from social media are stored as long as they have been approved by the Controller. Posts that are not approved (active) will be stored for 30 days, after which they are deleted. Posts that are rejected are deleted after 14 days.
Categories of Data	Mainly: Username (social media); Name and surname; and Pictures of individuals. Technical data obtained via cookies and similar tracking technologies, e.g. unique user behavior, device type, operating system, browser and location (area) information. Data provided by Controller’s customers or website visitors as part of Flowbox’s Rating & Review service, e.g. e-mail, phone number, address, age and any other data provided by the data subject. Any other data uploaded by the Controller to Flowbox’s services.
Categories of data subjects	Website visitors Social media users Persons in publicly available content from social media Controller’s customers Other persons whose personal data is shared by the Controller with Flowbox as part of Flowbox’s services

APPENDIX 2 – SECURITY MEASURES

Description of the technical and organisational security measures implemented by the Processor:

The Processor must have proper people, processes and technology to safeguard Controller’s personal data within the following areas:

Confidentiality – Make sure that data is only available to the persons who need access to them.
Integrity – Prevent unauthorized or inadvertent change to the personal data
Availability – Ensure access to personal data to those who need it, when they need it.

The Processor should conduct regular risk assessments on the above mentioned areas.

Access control mechanisms must be in place for Controller’s personal data consisting of at a minimum:

Authentication by username and password
Audit logging of access to Controller’s personal data
Access to personal data must be handled on a least privilege basis, i.e. as few people as possible should be granted access.

Physical security controls such as key card or key access must be in place for the premises where equipment with personal data are stored.

Systems containing Controller’s personal data must be protected by firewalls and anti-malware software that must be regularly updated.

Systems containing personal data must be updated with security patches regularly.

Personal data must be encrypted in transit, e.g. through SSL or similar. If possible, personal data should be encrypted at rest as well.

All personal information must be securely removed or destroyed from equipment that is decommissioned.

The Processor must have tested procedures for backup and restore of Controller’s personal data.

The Processor must have a documented and tested Disaster Recovery Plan for systems containing Controller’s personal data.

The Processor must have documentation of all the procedures on how to handle Controller´s personal data and make those available to the Controller on demand.

Data Breach Notification – The Processor must have procedures in place to notify the Controller without undue delay in case of a breach of Controller information.

The Processor must have trained their staff in all procedures mentioned above.

APPENDIX 3 – APPROVED SUB-PROCESSORS

*Sub-Processor*	*Company reg. No.*	*Address*	*Service*	*Location of processing*
Dynabyte AB	556524-5759	Drottninggatan 95A 113 60 Stockholm	IT Consultant	Flowbox Offices
Amazon Web Services Ireland Ltd	566018	One Burlington Plaza, Burlington Road, Dublin 4, Ireland	Cloud network service provider	Ireland (eu-west-1)
Applied Technology STHLM AB	559130-3689	Mäster Samuelsgatan 36, 111 57 Stockholm	IT Consultant	Flowbox Offices
Snowflake Inc	46-0636374	106 East Babcock Street, Suite 3a, Bozeman, Montana, 59715	Data Warehousing	EMEA Cloud Region, Ireland (eu-west-1)
Heap, Inc	46-1532394	225 Bush St., Suite 200 San Francisco, CA	Insights analytics platform	Ireland. DPA, GDPR compliant.
Functional Software, Inc.	EU372050121	45 Fremont Street, 8th Floor, San Francisco, CA 9410	Sentry. Performance monitoring platform.	United States. DPA, GDPR compliant