Data Processing Agreement
1. Parties, background and purpose
1.1
Hippoly AB, Reg. No. 559101-3320, (the “Processor” or “Hippoly”) provides a digital service for board and management work (the “Service”). Within the framework of the execution of the Service, Hippoly, as a personal data processor, may need to process personal data which you as a customer process as a data controller (the “Controller” and the “Processing”, respectively). The Controller and the Processor are hereinafter jointly referred to as the “Parties” and each as a “Party”.
1.2
The Parties have, through the Controller’s acceptance of Hippoly’s Service and User Terms, entered into an agreement regarding the use of the Service (the “Main Agreement”).
1.3
The purpose of this data processing agreement (the “Agreement”) is to ensure that the Processing is performed in accordance with the Data Protection Laws, the Controller’s instructions and what has otherwise been agreed between the Parties. The Agreement becomes binding between the Parties upon the Controller’s approval of the above-mentioned Service and User Terms and the Main Agreement is entered into (the “Signing Date”).
1.4
The provisions in this Agreement shall take precedence over conflicting provisions in the Main Agreement.
1.5
This Agreement supersedes all prior data processing agreements which may have been concluded between the Parties under the Main Agreement.
2. Definitions and applicable laws
2.1
The Processing shall be carried out in accordance with the Data Protection Laws.
2.2
The “Data Protection Laws” means all applicable laws and regulations that govern the processing of personal data, including, but not limited to the EU General Data Protection Regulation ((EU) 2016/679) and any national data protection laws and regulations implementing the EU Electronic Communications Privacy Directive (2002/58/EC), as well as any amendments to or replacements of such laws and regulations.
2.3
Terms used in this Agreement shall have the same meaning as in the Data Protection Laws, unless otherwise stated in this Agreement.
3. Obligations of the Controller
3.1
In relation to the data subjects, the Controller is responsible for the Processing’s compliance with the Data Protection Laws.
3.2
The Controller warrants that the Processing is carried out in accordance with the purpose for which the personal data have been collected.
3.3
It is the Controller’s responsibility to ensure that the Processor, at any time, is duly informed of the Controller’s instructions in Appendix A, as well as of other written instructions provided by the Controller regarding the Processing. If the Controller provides additional instructions which deviate from the instructions that follow from the services provided under the Main Agreement, and such additional instructions require that the Processor takes more measures or more action than what is provided for under the Data Protection Laws or the Swedish Data Protection Authority’s (Sw. Integritetsskyddsmyndigheten) recommendations, the Processor shall consider, but is not obliged to accept, such instructions. If such additional instructions would imply that the scope of the services under the Main Agreement is materially changed, the matter must be handled under the Main Agreement.
3.4
All instructions provided by the Controller must be in writing.
4. Obligations of the Processor
4.1
The Processing is described in detail in Appendix A. The Processor undertakes to only process personal data necessary for the performance of its obligations under the Main Agreement, this Agreement or according to specific and documented instructions provided by the Controller in Appendix A, which have been approved by the Processor. The Processor may also process personal data in connection with the provision of additional services, which from time to time may be ordered by the Controller.
4.2
Upon receipt of written instructions from the Controller regarding the Processing, such as provided for in Appendix A or additional written instructions, the Processor must, within a reasonable period of time, take appropriate measures to ensure that the Processing is carried out in accordance with the instructions. The Processor has the right to request additional remuneration for any measures relating to the Processing, which have not expressly been specified by the Controller at the time of conclusion of the Main Agreement and this Agreement.
4.3
The Processor undertakes to ensure that any natural person acting under the authority of the Processor, and who has access to personal data, is informed of the content of the Agreement and processes the personal data only in accordance with the Agreement and the Controller’s documented instructions.
4.4
The Processor is, to a reasonable extent, required to assist the Controller with appropriate technical and organisational measures for the fulfilment of the Controller’s obligation to respond to requests from data subjects regarding access to and rectification or erasure of personal data.
4.5
The Processor must, without undue delay, notify the Controller after becoming aware of a personal data breach. The Processor shall assist the Controller to a reasonable extent by providing information necessary for the fulfilment of the Controller’s obligation to notify the competent supervisory authority of a personal data breach and, when applicable, the Controller’s obligation to communicate the personal data breach to the affected data subjects.
4.6
The Processor is, to a reasonable extent, required to assist the Controller in connection with any data protection impact assessments and prior consultations carried out by the Controller, as well as to assist in any investigations carried out by the competent supervisory authority regarding a personal data breach.
4.7
The Processor is entitled to reasonable compensation for any measures taken in relation to the obligations set out in sections 4 to 4.6.
5. Transfers of personal data
5.1 Transfers outside of the EU/EEA
5.1.1
The Processor may transfer personal data outside of the EU/EEA. In the event of such transfer, the Processor will ensure that the transfer is made to countries with an adequate level of data protection or that other appropriate safety measures have been taken.
5.1.2
If the Data Protection Laws allow for transfers outside of the EU/EEA where a separate agreement has been concluded (or certain relevant actions have been taken) for the purpose of maintaining a sufficient level of security, and the Processor presents proof that such an agreement has been concluded (or such relevant actions have been taken) in accordance with the Data Protection Laws, the Controller may not deny that such a transfer is carried out.
5.2 Transfers to third parties
5.2.1
The Processor may not transfer personal data to third parties without the Controller’s prior written consent, unless such a transfer is required by applicable law or under any court judgments or official orders. Notwithstanding the above, the Processor is always entitled to transfer personal data to Sub-Processors in accordance with section 1 below.
5.2.2
If any court and/or public authority requests that the Processor disclose personal data or that the Processor take other action relating to the Processing, the Processor is entitled to reasonable compensation for any such measures taken. The Processor is also entitled to reasonable compensation in relation to any required disclosure of personal data to third parties and for any measures taken in connection with such disclosure.
6. Engagement of Sub-Processors
6.1
By approval of this Agreement, the Controller approves and acknowledges that the Processor may engage subcontractors for the purpose of carrying out the Processing (“Sub-Processors”). Any transfer of personal data to the Sub-Processors is made at the Processor’s risk and does not alter the allocation of responsibility between the Processor and the Controller.
6.2
The Processor undertakes to inform the Controller in writing prior to engaging a Sub-Processor. The Controller may, within five (5) days of receipt of the Processor’s notice hereof, object to the Processor’s choice of Sub-Processor. The Processor may not engage the chosen Sub-Processor if the Controller has presented reasonable objections. The Parties agree that the Controller, by approval of this Agreement, is deemed to have been informed of the Processor’s intended engagement of the Sub-Processors listed in Appendix B.
6.3
When engaging a Sub-Processor for the purpose of carrying out the Processing, the Processor undertakes to enter into an agreement with the Sub-Processor regarding the processing activities, pursuant to which the Sub-Processor shall be bound by the same obligations as the Processor is under this Agreement.
7. Technical and organisational measures
7.1
The Processor is required to implement appropriate technical and organisational measures in accordance with the Data Protection Laws in order to ensure a level of security appropriate to the risk, including risks relating to unauthorised access, destruction and alteration of personal data. The Processor shall determine how such measures are to be implemented in order to reach an appropriate level of security.
7.2
If the Controller shows it to be probable that new security measures are required or that existing security measures must be altered in order to achieve compliance with the legal requirements regarding an appropriate level of security, or in order to achieve compliance with any court judgments or official orders, the Parties shall discuss in good faith the implementation of such new measures or alterations of existing measures. Any implementation of extended or additional security measures requires that the Parties have agreed on such implementation in writing. The Processor is entitled to reasonable compensation for any extended or additional security measures taken.
8. Confidentiality
8.1
The Processor undertakes not to disclose to any third party such information which the Processor, in its capacity as data processor, has received from the Controller or any other such information which the Processor processes in its capacity as data processor under this Agreement. The Processor undertakes to ensure that all persons acting under its authority have undertaken to observe confidentiality in accordance with this section 8. However, this confidentiality obligation shall not apply to:
- information which is generally known or becomes generally known other than as a result of a breach of the Agreement;
- information which was in the Processor’s possession prior to being provided to the Processor under the Agreement;
- information which the Processor receives from any third party outside the scope of the Agreement; or
- information which the Processor is obligated to disclose under law or any court judgment.
9. Audits
9.1
Upon a thirty (30) day written notice and at the Controller’s expense, the Controller or any third-party auditor mandated by the Controller (the “Auditor”) shall have the right to audit the Processing, including conducting inspections, for the purpose of verifying compliance with the Agreement.
9.2
When designating the Auditor, the Controller must consider any competition aspects with respect to any business relationship between the Processor and the contemplated Auditor. With respect to such competition aspects, the Auditor must be approved by the Processor; however, the Processor’s approval may not be unreasonably withheld.
9.3
The Processor undertakes to make available to the Controller or the Auditor all information necessary to demonstrate compliance with the Processor’s obligations under the Agreement, as well as to allow for and assist in the audits carried out by the Controller or the Auditor. Audits and inspections shall be carried out on business days between 9 a.m. and 5 p.m. During any onsite inspections, the Processor’s reasonable work rules, security requirements and standards must be complied with and the Processor’s day-to-day business activities may not be interrupted.
9.4
The Processor may give the Auditor access to the Processor’s facilities where the Processor carries out the Processing. When conducting onsite inspections, the Auditor must comply with the Processor’s reasonable work rules, security requirements and standards and must not interrupt the Processor’s day-to-day business activities. The Auditor will not get access to any of the Processor’s other clients’ confidential information and other personal data which is not processed within the scope of this Agreement.
10. Indemnification
10.1
Each Party undertakes to indemnify and hold the other Party harmless against and in respect of the latter Party’s liability to pay damages due to the former Party’s processing of personal data in breach of the Data Protection Laws or this Agreement. Such damages may include, but are not limited to, a Party’s liability to pay damages to a data subject or to pay administrative fines issued by a competent supervisory authority.
10.2
A Party shall not be liable for loss of profit or any other indirect or consequential damage under this Agreement.
11. Term and termination
11.1
This Agreement enters into force upon the Signing Date and remains in force for as long as the Processor processes personal data on behalf of the Controller. Provisions regarding termination are set out in the Main Agreement.
11.2
Unless the Controller explicitly instructs the Processor to return the personal data processed, the Processor shall, upon termination of the Agreement, delete all the personal data processed by the Processor on behalf of the Controller and delete existing copies, unless EU or any EU member state law requires storage of the personal data. Any request for the return of the personal data must be in writing and provided to the Processor at the latest in connection with the termination or expiration of the Main Agreement.
11.3
If the Main Agreement is terminated or expires and a new agreement which entails the processing of personal data is concluded between the Parties, without a new data processing agreement being concluded, this Agreement will remain in force in relation to any processing of personal data carried out in relation to the services provided under the new agreement.
12. Governing law and disputes
12.1
This Agreement shall be governed by and construed in accordance with Swedish law.
12.2
Any dispute, controversy or claim arising out of or in connection with this Agreement shall be settled by a Swedish court of general jurisdiction and the Gothenburg District Court (Sw. Göteborgs tingsrätt) shall be the court of first instance.
Appendix A
Instructions regarding the Processing
The Processor shall, in addition to complying with the provisions in the Agreement, carry out the Processing in accordance with the instructions below.
| Instruction | Content |
|---|---|
| Purpose | The Processing may only be performed in order to provide the services under the Main Agreement, i.e. to store and manage information related to organisations’ boards, management and other decision-making bodies. The personal data may not be processed or used for the Processor’s own or any other purposes. |
| Types of processing | The Processor may use any types of processing which are necessary in order to provide the services covered by the Main Agreement, including registration, organisation, processing, storage, updating and erasure of personal data. |
| Types of personal data | The Processor may only process the following types of personal data: names, personal ID number, title, address, email, telephone number and profile picture. The Processor may also process other types of personal data, if necessary to provide the services covered by the Main Agreement. |
| Categories of data subjects | The personal data processed by the Processor may only concern the customers, consultants, suppliers and employees, board representatives, owners, members and employees and other data subjects provided by the Controller. |
| Duration of the Processing | The personal data must be erased by the Processor at the time of termination of the Agreement, as set forth in the Agreement. Furthermore, personal data shall be erased from time to time, in accordance with the Controller’s written instructions. |
| Contact information | Contact details for the representatives of the data controller and the data processor are set out in the Main Agreement. |
Appendix B
Sub-Processors approved by the Controller
The Controller accepts and recognizes that the Processor engages the following Sub-Processors in accordance with section 6.2 of the Agreement.
| Name | Place of processing | Purpose |
|---|---|---|
| Microsoft, 1 Microsoft Way, Redmond, WA 98052 | Ireland | Cloud infrastructure and data storage |
| Lime Technologies AB, 556397-046, Sankt Lars väg 46, 222 70 Lund | Sweden | Email notifications |
| Activecampaign LLC, 1 N Dearborn St FL 5, Chicago, IL 60602 | USA | Email notifications |
| Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105 | USA | Error monitoring |
| Scrive AB, 556816-6804, Grev Turegatan 11A, 114 46 Stockholm | Sweden | Electronic document signing |
| Xenit AB, 556762-2120, Kungstorget 7, 411 17 Göteborg | Sweden | Security and operational monitoring |
| Freshworks, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403 | USA | Communication and support management |
| Videonor AS, Gate 1 nr 57, 6700 Måløy, Norway | Norway | Video meeting services |
| Twilio, 101 Spear St FL 5, San Francisco, CA 94105 | USA | SMS for two-factor authentication |