DEFINITIONS
Capitalised terms in this DPA defined in Regulation (EU) 2016/679 (the “General Data Protection Regulation”, GDPR) shall have the meanings ascribed to them in the GDPR. “Data Processor” shall mean “processor”, and “Data Controller” shall mean “controller”, each as defined in the GDPR.
Except for the definitions stated in Section 1, the terms listed below shall have the following meaning in the DPA:
The DPA means the main body of this DPA and the appendices applicable at any given time.
A Personal Data Breach refers to a security breach that leads to the accidental or unlawful destruction, loss, modification or unauthorised disclosure of or access to the Personal Data that are transferred, stored or otherwise processed.
Applicable Regulations refer to regulations and practice relating to the General Data Protection Regulation, national legislation supplementary to the General Data Protection Regulation, provisions and opinions of supervisory authorities, including the European Data Protection Board, and the Commission’s legal acts concerning Personal Data.
Sub-Processor refers to the party Processing Personal Data in accordance with instructions from the Data Processor.
The Service refers to BoardClic Board, Committee and CEO Evaluation tool which is licensed to the Data Controller by the Data Processor and under which scope the Data Processor is Processing Personal Data for the Data Controller.
The Users refers to the users of the Service, who may be any of the employees, officers, committee members and board directors at the Data Controller, at third-party portfolio companies of the Data Controller and affiliated legal entities of the Data Controller.
Sensitive Personal Data refers to the categories of Personal Data defined in art. 9 para. 1 of the GDPR.
License Agreement refers to the License Agreement between the Parties stating that the Data Processor grants the Data Controller a license to the Service.
INSTRUCTIONS ON THE PROCESSING
On signing of the DPA, the Data Processor undertakes to Process Personal Data on behalf of the Data Controller. The Parties have agreed to regulate the scope and the detailed structuring of the Processing by entering the DPA.
Purpose of the Processing
The purpose of the Data Processor’s Processing of Personal Data is to enable the Data Controller’s full usage of the Service in accordance with the License Agreement including the additional services that may be added to the Service.
Categories of the data subjects that are applicable for the DPA
The Users of the Service.
Categories of the Personal Data
Full name, contact information, year of birth, gender, professional role, competencies, affiliated companies and other Personal Data that may be submitted by the Users in the scope of the Service.
It is hereby noted that Sensitive Personal Data may be part of the processed Personal Data if the Users choose to submit Sensitive Personal Data at their free discretion, and the only way to submit Sensitive Personal Data is by stating this data in free text boxes. The Service does not ask for such data. What is stated about Personal Data in the DPA shall then be applicable for Sensitive Personal Data unless stated otherwise in the DPA.
Time of the Processing
The Processor shall Process the Personal Data as long as the Parties have a License Agreement in place. After the termination of the License Agreement the Processor shall anonymize or delete Personal Data within ninety (90) days. Until the completion of the anonymization or deletion, the regulations of this DPA shall survive the termination of the License Agreement.
OBLIGATIONS OF THE DATA CONTROLLER
4.1 Processing in compliance with the DPA and Applicable Regulations
The Data Controller is responsible for ensuring that all Processing of Personal Data, and when applicable, Sensitive Personal Data, by the Data Controller in connection with the DPA complies with the DPA and the Applicable Regulations.
4.2 Provision of Personal Data
The Data Controller shall provide the Data Processor with the information and Personal Data relating to the Users that are necessary and appropriate for the purpose of the Service.
4.3 Correct information
The Data Controller will provide the Data Processor with correct information without undue delay in the event that the documented instructions (including instructions in the DPA as well as other future written instructions to the Data Processor) are incorrect, incomplete or otherwise need to be amended.
4.4 Documented instructions
The Data Controller shall provide the Data Processor with documented instructions in the case Data Controller wish to add further or other instructions to the Data Processor than the instructions provided in the DPA and the existing License Agreement between the Parties. These further instructions shall then regulate, amongst other things but not exclusively, what Personal Data is to be processed, the object of the Processing, the duration, extent, nature and purpose of the Processing, the type of Personal Data and categories of data subjects, the obligations and rights of the Data Controller and the Data Processor, as well as the scope of the protective measures and other IT and security-related obligations.
THE DATA PROCESSOR’S AREAS OF RESPONSIBILITY
5.1 Processing of Personal Data
Processing in compliance with the DPA and Applicable Regulations
The Data Processor shall only process Personal Data on behalf of the Data Controller in compliance with the DPA, the License Agreement between the Parties and Applicable Regulations.
Without the consent from the Data Controller, an order from the relevant supervisory authority or mandatory legislation, the Data Processor may not
collect or disclose Personal Data from or to any third party, unless otherwise agreed in writing between the Parties,
change the method of Processing,
copy or reproduce Personal Data, or
otherwise Process Personal Data for other purposes than those specified in the DPA and future documented instructions.
Storage and data minimisation
The Data Processor shall ensure that the principles for the Processing of Personal Data are respected, including, in particular, storage minimisation. The Data Processor is responsible for deleting Personal Data that are no longer required for the purpose. The Data Processor shall establish procedures for how the Personal Data are deleted, what Personal Data are deleted and how often the deletion is carried out.
The Data Processor shall, as soon it is technically possible for the Data Processor, delete Sensitive Personal Data.
For the avoidance of doubt, any Personal Data shall be deleted, or anonymized so it is no longer constituting Personal Data in accordance with Applicable Regulations, by the Data Processor when the Service is finalized and no longer than three (3) months after, unless consent not to do so has been given by the Data Controller.
Transfer of Personal Data
The Data Processor may not transfer any Personal Data to a state outside of the EU/EEA if necessary transfer mechanisms stated in the Applicable Regulations are not in place.
The Data Processor transfers Personal Data to Heroku Inc. which is the provider of the Data Processor’s hosting provider. Heroku Inc. has its servers within EU but is itself a third country entity (US). At the time of the DPA, US is not a third country considered to have an adequate level of protection in accordance with the Applicable Regulations. Therefore the following transfer mechanisms are in place:
Processor Binding Corporate Rules for Salesforce, Inc., of which Heroku Inc. is an affiliated legal entity – can be found here: [link]
EU Standard Contractual Clauses – can be found here: [link]The Data Processor has also performed a transfer impact analysis that can be obtained upon request made to info@boardclic.com.
Written authorization for transfer
A transfer to a third country that is, except for what is stated in clause 5.1.4 above, requires a written authorization of the Data Controller and an assurance from the Data Processor that such transfer complies with the Applicable Regulations.
Implementation of modifications
The Data Processor shall carry out modifications, deletions, limitations, and transfers at the explicit request of the Data Controller, but not, however, if such request contravenes the DPA, the License Agreement between the Parties or Applicable Regulations.
5.2 Technical and authorization measures
Implementation of technical and authorization measures
In view of the latest development, implementation costs and the nature, scope, context and purpose of the Processing, as well as the risks, of varying degrees of likelihood and gravity, for natural persons’ rights and freedoms, the Data Processor shall take suitable technical and authorization measures to ensure a level of security that is appropriate for the risk, including, where applicable,
authorization and encryption of Personal Data,
the capacity to ensure the confidentiality, privacy, accessibility and resistance of Processing systems and services on a continuous basis,
the capacity to reinstate accessibility and access to Personal Data within a reasonable time scale in the event of a physical or technical breach,
a procedure for the regular testing, investigation and assessment of the efficiency of the technical and authorization measures that are to ensure the security of the Processing.
Code of conduct and certification mechanism
The Data Processor may adopt an approved code of conduct or approved certification mechanism to show that the above-mentioned obligations are met.
5.3 Drawing up a record of Processing activities
Draw up a record of Processing activities
The Data Processor shall maintain a record of Processing activities of all categories of Processing that is carried out on behalf of the Data Controller, to include the following:
Name and contact details of the Data Processor and the Data Controller on whose behalf the Data Processor acts, and, where applicable, of the Data Processor’s and Data Controller’s representative and data protection officer,
The categories of Processing that has been carried out on behalf of the Data Controller,
Where applicable, transfers of Personal Data to a third country or an international authorization, including the identification of the third country or international authorization and the documentation of suitable protection measures,
If possible, a general description of the technical and authorization security measures.
Written record of Processing activities
The Data Processor shall draw up the record of Processing activities in writing, including in electronic form.
5.4 Duty to notify
The Data Processor shall notify the Data Controller without undue delay in the event that the Personal Data Processing contravenes the DPA or the Applicable Regulations. The Data Processor shall then await instructions from the Data Controller.
5.5 Information
Disclosure of Personal DataThe Data Processor may not disclose Personal Data or information about the Processing of Personal Data without the prior consent of the Data Controller, except in the event that the relevant supervisory authority has issued an order to do so, or if the Applicable Regulations oblige the Data Processor to do so.
Duty to notify in the event of contactThe Data Processor shall notify the Data Controller without undue delay if the Data Processor is contacted by a supervisory authority, data subject or third party for the purpose of viewing the Personal Data that is processed by the Data Processor.
5.6 Audit
Monitoring of compliance
The Data Controller has the right to carry out, or to employ a third party to carry out, an audit of the work of the Data Processor or otherwise check that the Data Processor’s Processing of Personal Data complies with the DPA and Applicable Regulations. The Data Processor shall give the Data Controller the assistance that is required for the implementation of such audit.
The Parties shall agree in writing on a suitable audit date which shall be at least thirty (30) days after such written agreement. The audit shall occur during the Data Processor’s business hours and must not disturb the Data Processor’s business. Any costs arising in connection to the audit, other than costs caused by the Data Processor’s failure to comply with the DPA and Applicable Regulations, shall be carried by the Data Controller.
Access to premises and equipment
The Data Processor shall allow the Data Controller access to premises and equipment for inspection for the purpose of ensuring that the Data Processor is meeting its obligations in accordance with the Agreement and the Applicable Regulations. The Data Controller does not have such right, however, if the access and/or inspection may put the security or privacy of the data subjects at risk.
The Parties shall agree in writing on a suitable date for the access stated above, which shall be at least thirty (30) days after such written agreement. The visit shall occur during the Data Processor’s business hours and must not disturb the Data Processor’s business. Any costs arising in connection to the visit, other than costs caused by the Data Processor’s failure to comply with the DPA and Applicable Regulations, shall be carried by the Data Controller
Demonstration of compliance with the DPA and Applicable Regulations
The Data Processor shall demonstrate that the obligations of the DPA and Applicable Regulations are being fulfilled, on request and without undue delay. This includes, amongst other things but not exclusively, an obligation to provide documentation, to show, if applicable, that approved codes of conduct or certifications are being complied with, and to enable and assist the Data Controller in carrying out the necessary examinations and inspections.
Access to Personal Data
The Data Processor shall give the Data Controller access to all of the Personal Data that are processed by the Data Processor on behalf of the Data Controller. This also includes access to information and documents that the Data Controller needs to carry out monitoring of the Data Processor’s compliance with the DPA and Applicable Regulations. Such access shall be given without unreasonable delay, but no later than thirty (30) days from the date of the explicit and written request of the Data Controller.
5.7 Security and Confidentiality
Assess the risks
The Data Processor shall assess the risks of the Processing and take measures, such as encryption, to reduce them. These measures should ensure an appropriate level of security, including confidentiality, and take account of the most recent development and implementation costs in respect of the risks and what type of Personal Data are to be protected.
Carry out security measures
The Data Processor shall take measures to ensure that all natural persons and legal persons that carry out work under the Data Processor’s supervision, and that are given access to Personal Data, only process these on the instructions of the Data Controller through the Data Processor.The security measures include technical as well as organizational measures. The scope of the measures shall be undertaken in consideration of the latest development, the implementation costs and the nature, extent, context and purpose of the Processing, as well as the risks, of varying degrees of likelihood and gravity, for the rights and freedoms of natural persons. The level of security that is to be ensured shall be appropriate for the risks.
Sufficient knowledge and training
The Data Processor is responsible for ensuring that each natural person who has access to the Personal Data processed in accordance with the DPA has sufficient knowledge and training to be able to process the Personal Data in a secure and appropriate manner.
Changes to the Personal Data Processing
If the Data Processor intends to implement changes to the way in which the Personal Data is processed or otherwise implement changes that may affect security for the data subjects, the rights of the data subjects or compliance with the DPA or Applicable Regulations, the Data Processor shall inform the Data Controller of this in writing beforehand. The Data Controller shall give its consent to such changes.
Secrecy and duty of confidentiality
The Data Processor undertakes to process Personal Data and other information associated with the DPA in compliance with the applicable legislation on secrecy and the Applicable Regulations. The staff who process Personal Data have signed special confidentiality clauses and have been informed that a duty of confidentiality exists in accordance with the DPA or national law.
Appropriate undertaking of confidentiality
The Data Processor shall make sure that all employees, consultants and other persons for whom the Data Processor is responsible and who process Personal Data are bound by an appropriate confidentiality undertaking, and that they are informed of how the Processing of Personal Data is to be carried out.
Information for persons with access
The Data Processor is responsible for ensuring that the persons who have access to the Personal Data are informed of how they are to process the Personal Data in accordance with the documented instructions from the Data Controller. The Data Processor shall also make sure that an adequate control of authorisation is in place.
5.8 Personal Data Breaches
Take measures to reduce damage
In the event of a suspected or discovered Personal Data Breach, the Data Processor shall investigate the breach immediately and take suitable measures to mitigate its potential negative effects.
Description of a Personal Data Breach
The Data Controller shall be provided with a description of the Personal Data Breach at the latter’s request within thirty (30) hours of being made aware of the breach. Such description shall contain at least
a description of the type of Personal Data Breach, including where possible the categories of and the approximate number of data subjects concerned, as well as the categories of and approximate number of Personal Data items concerned,
the name of and contact details for the contact points from where further information may be obtained,
a description of the likely consequences of the Personal Data Breach, and
a description of the measures that have been taken or proposed by the Data Processor to remedy the Personal Data Breach, including, where appropriate, measures to mitigate its potential negative effects.
If it is not possible to provide the information at the same time, the information may be provided in stages without further unnecessary delay.
Assistance with obligations regarding Personal Data Breaches
The Data Processor shall assist the Data Controller in ensuring that the latter’s obligations according to the Applicable Regulations concerning Personal Data Breaches are met, taking account of the type of Processing and the information that the Data Processor has access to. This also applies if the Data Controller suspects or discovers a Personal Data Breach.
Notification of a Personal Data Breach
The Data Processor shall notify the Data Controller of a Personal Data Breach without unnecessary delay, but at the latest within thirty (30) hours of being made aware of the breach.
Information about a Personal Data Breach
A notification in accordance with the above shall contain all the information the Data Controller needs to fulfil its obligations towards the supervisory authority.
Unconditional duty to notify
The above duty to notify the Data Controller also applies if the Data Processor is unable to fulfil its obligations according to the DPA or the documented instructions for some other reason or, alternatively, becomes aware that the Personal Data have been processed in contravention of the DPA.
5.9 Assisting the Data Controller
Impact assessments and prior consultation
If necessary and on request, the Data Processor shall assist the Data Controller in the fulfilment of its obligations pursuant to the provisions of the General Data Protection Regulation in respect of the implementation of impact assessments concerning data protection and prior consultation with the supervisory authority. Prior the assistance the Parties shall agree in writing on the Data Processor’s fee for such services.
Fulfilment of obligations in respect of the rights of data subjects
If necessary and on request, the Data Processor shall assist the Data Controller in the fulfilment of its duty to respond to requests from data subjects to exercise their rights pursuant to the General Data Protection Regulation by taking suitable technical and authorization measures as far as this is possible.
THE HIRING OF A SUB-PROCESSOR BY THE DATA PROCESSOR
Written authorization to hire a Sub-Processor
The Data Processor may not hire another data processor (Sub-Processor) without obtaining a specific or general written prior authorization from the Data Controller.
The approved Sub-Processors by the time of the Parties’ entrance of the DPA are the following:
Heroku Inc.
Hosting provider https://www.heroku.com/support
MailPace
SMPTP server (e-mail)
Hubspot
CRM system
Custify
CRM system
Intercom
Support and onboarding system
Mixapanel
Product analytics
Okta
Single-Sign On Solution
https://www.okta.com/sites/default/files/2022-09/DPA%20%289-13-22%29.pdf
General written authorization
If a general written authorisation is obtained, the Data Processor shall inform the Data Controller of any plans to hire new data processors or replace data processors, so that the Data Controller has the opportunity to raise qualified objections to such changes.
Distribution of risks
The Data Processor hires a Sub-Processor at its own risk. This will not result in any change to the allocation of responsibilities between the Parties, as specified in the DPA.
Adequate level of protection
If the Data Controller approves the Data Processor’s application to hire a Sub-Processor, the Data Processor shall take the measures that are required to ensure that the Sub-Processor maintains an adequate level of protection and otherwise observes the relevant parts of the DPA and applicable data protection legislation.
Notification of the hiring or replacement of a Sub-Processor
The Data Processor shall inform the Data Controller of the hiring or replacement of a Sub-Processor before measures are taken and on condition that the application for the Sub-Processor is accepted by the Controller. The Data Controller shall have the opportunity to raise objections to the Data Processor’s proposal for the change. The Data Processor must not implement the proposed change if such an objection has been raised.
LIABILITY FOR DAMAGE
The Data Processor’s liability
The Data Processor shall only be liable to the Data Controller for damage caused as a result of the Processing of Personal Data if it has not fulfilled the obligations according to the Applicable Regulations that apply specifically to the Data Processor or has acted outside or in conflict with the DPA.
The Data Processor shall avoid liability according to the above if it can demonstrate that it is not in any way liable for the breach that caused the damage.
THE DURATION OF THE AGREEMENT AND ITS AMENDMENTS
Duration
The Agreement is valid from the date of signing by the Parties and for as long as the Data Processor processes Personal Data in accordance with the Data Controller’s instructions.
Deletion of Personal Data
As soon as Processing of Personal Data no longer is required under the License Agreement, the Data Processor shall anonymize or delete the Personal Data within ninety (90) days, unless storage of the Personal Data is required according to the law by which the Data Processor is governed or if the Data Controller has instructed the Data Processor otherwise.
The Data Controller’s right to make changes
The Data Controller may only make changes to the DPA if they are needed to ensure compliance with the Applicable Regulations.
Modification of the DPA
Any changes to the DPA, including new types of Processing, shall be made in writing and be signed by both Parties.
NOTIFICATIONS
Notifications according to the DPA shall be sent by e-mail and shall be considered delivered when the e-mail has been sent.
Notifications to the Data Processor shall be sent to the following e-mail address: dataprotection@boardclic.com.
Notifications to the Data Controller shall be sent to such email address as is notified by the Data Controller to the Data Processor in writing from time to time.
APPLICABLE LAW AND DISPUTE RESOLUTION
The DPA shall be exclusively governed by and construed in accordance with the substantive laws of Sweden, excluding its conflict of laws principles.
Any dispute, controversy or claim arising out of or in connection with the DPA, or the breach, termination, or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm. The language to be used in the arbitral proceedings shall be Swedish or, if the Data Controller so requests, English.
The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way its rights vis-à-vis the other Party in connection with the dispute, the enforcement of an award or if such a right exists pursuant to statute, regulation, a decision by an authority, a stock exchange contract or similar.