Data processing agreement

1. Background
1.1 Safeture and Customer have entered into a subscription agreement, (the “Agreement”). This data processing agreement, (the “DPA”), forms an integral part of the Agreement. Terms not defined in this DPA shall have the meaning ascribed to them elsewhere in the Agreement.
1.2 Safeture has undertaken, or will undertake, to perform services for the Customer of the nature and scope and on the terms set forth in the Agreement or any other separate agreement between the Parties, (the “Services”). Within the scope of the Services, Safeture will process personal data on behalf of the Customer.
1.3 In light of the above, the Parties have reached the following DPA.

2. Relationship between the DPA and other agreements between the Parties
In the event that the provisions of this DPA are contradictory to the provisions of any other agreement between the Parties, the provisions of this DPA shall prevail. However, the foregoing does not apply to provisions of a subsequent agreement that expressly supersede the provisions of this DPA.

3. Processing of personal data
3.1 In the context of the performance of the Services, Safeture may receive personal data, as defined in article 4.1 of the general data protection regulation (EU 2016/679), (the “GDPR”), processed for purposes determined by the Customer, (the “Personal Data”). The Customer is the data controller of the Personal Data in accordance with the personal data protection laws applicable from time to time, as well as any other applicable law, regulation or equivalent ordinance.
3.2 Safeture undertakes to only process the Personal Data in accordance with the terms of the DPA or other written agreement between the Parties, and only in accordance with the Customer’s instructions, Appendix 1, as well as with the from time to time applicable data protection legislation and any other applicable law, regulation or equivalent ordinance. The Customer is responsible for ensuring that the Safeture does not process any other categories of Personal Data than those listed in Appendix 1, and in accordance with the scope stated therein. In case of changes in the documented instructions by the Customer, Safeture is entitled to reasonable compensation.
3.3 In case Safeture lacks the instructions that the Customer considers necessary to perform the tasks that Safeture has acquired from the Customer within the scope of the Services, Safeture shall, without delay, notify the Customer of its position and await such instructions that Safeture deems necessary.
3.4 Access to the Personal Data shall, within Safeture’ organization, be limited to those who require it for the performance of the Services and who are obligated to observe secrecy by agreement or by law. Safeture shall take appropriate technical and organizational measures to protect the Personal Data. Such measures shall provide a level of security that is appropriate with regard to the available technology and the cost of the measures, taking into account whether there are any specific risks involved with the processing and the level of sensitivity of the Personal Data. Such measures include
a) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
b) the ability to restore the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident;
c) the pseudonymisation and encryption of the Personal Data when the processing so requires under the applicable law;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, when required under the applicable law;
e) keeping and updating logs of the Personal Data, the maintenance of a secure IT environment, and establishment and maintenance of physical security measures and procedures; and
f) ensuring procedures to immediately notify the Customer of any completed unauthorized access to the data provided by the Customer (including destruction or alteration of the Personal Data).
3.5 Safeture undertakes to, at all times, ensure that relevant personnel complies with this DPA and the Customer instructions, and to ensure that they are kept informed regarding the from time to time applicable data protection legislation.
3.6 Safeture shall, through suitable technical and organizational measures and to the degree it is possible in relation to the nature of the processing, assist the Customer in order for the Customer to be able to fulfil its obligation to respond to requests from the individual data subjects in accordance with the applicable law or regulation. Safeture shall also in all other aspects assist the Customer in fulfilling its obligations, taking into account the type of processing and the information available to Safeture, regarding
(a) security in connection to the processing;
(b) notification of any personal data breach to the supervisory authority;
(c) communication to the data subject of a personal data breach; and
(d) data protection impact assessment and prior consultation;
to the extent that the obligations in (a)-(d) above are required according to the applicable law or regulation. Safeture shall be entitled to reasonable compensation for its assistance in accordance with this Section 3.6.
3.7 Safeture undertakes to maintain a written record of the processing of Personal Data including the content stated in article 30.2 of the GDPR. Upon request, the records shall be provided to the Customer.
3.8 If, contrary to the GDPR, the Customer does not inform the individual data subject of a personal data breach and the supervisory authority orders Safeture to rectify the deficiency, the Customer shall compensate the costs of Safeture to adhere to the order of supervisory authority.
3.9 Safeture has the right to appoint another processor (a so-called sub-processor) for the processing of the Personal Data. Safeture shall inform the Customer that Safeture intends to appoint another or replace a sub-processor at least 10 working days before such an appointment or replacement takes place. Safeture may notify the Customer of new sub-processors by updating a list available on Safeture’ website. If the Customer objects to the appointment of such sub-processor that the Customer has been informed of according to this Section 3.9 before the appointment, Safeture cannot appoint the sub-processor for the processing of the Personal Data, provided that the Customer had a justifiable reason for its objection. The term “justifiable reason” as referred to in this Section refers to circumstances on behalf of the sub-processor that, to a considerable degree affects, or likely will affect, the protection of the personal integrity of the individual data subject, for example if the new sub-processor does not fulfil the requirements on personal data processors in the GDPR or any other relevant privacy legislation. If Safeture engages such sub-processor, Safeture shall ensure that the data processor by agreement undertakes the same data privacy obligations as arising out of this DPA. Safeture is fully responsible towards the Customer for such undertakings of the sub-processor.
3.10 Unless otherwise agreed upon in writing between the Parties, Safeture has the right to transfer personal data outside the EU/EEA. Safeture undertakes to only transfer or process personal data outside the EU/EEA when such transfer or processing is lawful under article 45-47 of the GDPR.
3.11 The Customer has the right to information and the right to audit the performance of Safeture’ obligations under the DPA. Safeture shall allow and contribute to such audits, including inspections, carried out by the Customer or an auditor engaged by the Customer. If the Customer wishes to carry out an inspection, the Customer shall inform Safeture of such inspection within reasonable time before the inspection and at the same time specify the content and scope of the inspection. Safeture has right to compensation of its reasonable costs in relation to such an inspection or other audit. Unless otherwise agreed upon in writing, the inspection can only be performed if an audit according to the GDPR cannot be fulfilled through the provision of information by Safeture.
3.12 An inspection according to Section 3.11 requires that the Customer, or an auditor appointed by the Customer, has agreed upon necessary confidentiality obligations and adheres to the safety regulations on the place of inspection. It also requires that the inspection is performed without the risk of disrupting the business operations of Safeture or the protection of the information of other controllers and personal data. Information that is gathered as part of an audit, including inspections, shall be deleted after the audit is completed or when it is not necessary for the purpose of the audit. 3.13 Safeture shall immediately inform the Customer if Safeture believes that an instruction is contrary to applicable law, regulation or equivalent ordinance. Safeture shall be prepared to comply with decisions made by the Swedish Data Protection Authority on measures to comply with the safety requirements of applicable law.
3.14 Safeture shall without delay notify the Customer regarding any contact with a competent supervisory authority that concerns, or could be of importance for, Safeture’ processing of Personal Data. Safeture does not have the right to represent the Customer or act on its behalf in relation to the supervisory authority.
3.15 Upon discontinuation of Safeture’ processing of the Personal Data (e.g. due to the Customer giving instructions that the processing should be discontinued or that the DPA is terminated in accordance with Section 4.1 below), Safeture shall return or anonymize all data containing personal data covered by this DPA and all media on which such data is stored. Safeture shall also delete or anonymize existing copies of all such data, e.g. from backup systems, unless Safeture has a legal obligation to retain the Personal Data under union or member state law.

4. Miscellaneous
4.1 This DPA shall enter into force upon signing of the Agreement by authorised representatives of both Parties. The DPA shall terminate simultaneously with the Agreement, however, at the earliest when Safeture has ceased all processing of the Personal Data.
4.2 Safeture has no right to transfer its rights or obligations under this DPA, in whole or in part, without the Customer’s prior written consent.
4.3 If applicable data protection legislation change during the period of this DPA, or if a competent supervisory authority issues guidelines, decisions or rules regarding the application of the applicable data protection legislation, that results in this DPA to no longer meet the requirements provided for data processing agreements, or if the agreement or agreements that regulate the Services change, this DPA shall change to accommodate such new or additional requirements and/or changes. Any such change shall enter into force on the day that the Customer states, but not earlier than five days after notice of such change was sent to Safeture. Safeture has right to compensation for its reasonable costs incurred by such a change of this DPA.
4.4 In addition to what is applicable under the Agreement, for the period of this DPA and thereafter, Safeture undertakes not to disclose the Personal Data to any third party. The Personal Data may only be disclosed to such employees of Safeture for which the Personal Data is necessary to perform their tasks, to a competent supervisory authority, or otherwise when disclosure of the Personal Data is required by law. It is the responsibility of Safeture to ensure that employees that are likely to come in contact with the Personal Data have undertaken to keep the Personal Data confidential to the same extent as Safeture is required under this DPA.

4.5 This DPA shall be governed by and construed in accordance with Swedish law. Disputes concerning the interpretation or application of this DPA shall be settled in accordance with the Agreement.
____________________

Appendix 1: Customer’s instructions

Below are the instructions of the Customer, as stated in Section 3.2 of the DPA. Instructions given at a later date which makes reference to the DPA replace the ones provided below.

Categories of data subjects Customers and Customer’s employees (end users).
Types of Personal Data Name, telephone number, address, e-mail address, gender, passport number, nationality, job title, manager, department/group, location, imsi, base station information, IP address, considered home country.
Processing purposes Data is processed to create and visualize corporate information and corporate structure, to keep track of end user’s location in order to fulfill the security service. Anonymized data is processed for statistical purposes and future optimization of the Services.
Nature of the processing Collecting, storing, viewing, analyzing, anonymization and use.
Retention period As long as Customer has an active subscription, however personal data will not be kept for a period longer than eighteen (18) months.