Appendix 1 - Data Processing Agreement
This DPA is entered into by and between Twicemee Technology AB and Customer as set out below (each, a "Party" and collectively, the "Parties"). It constitutes an annex to the agreement between the Parties which forms the basis of the agreement between T and Customer whereby both parties cooperate in a project to use T's platform (the "Agreement") and is deemed to be signed at the same time and date as the Agreement was signed (the "Effective Date"). The Parties hereby agree that the standard contractual clauses for use between controllers and processors contained in the Annex to European Commission Implementing Decision (EU) 2021/915 of June 4, 2021, available in all EU official languages in this zip file, https://commission.europa.eu/document/download/a53e88fe-3b08-4e83-8587-4e3869ebb1c3_en?filename=strandard_contractual_clauses_eu-eea.zip, ("SCC"), shall be used as a data processing agreement between the Parties in accordance with Article 28(6) of the GDPR. Capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the GDPR.
The SCC contains four annexes which form an integral part of this DPA and are to be completed by the Parties ("Annexes"). The Annexes are attached to this DPA as Annex I - IV.
Clause 2 of the standard contractual clauses states that the parties may not modify the clauses, except to add or update information in the annexes. The parties may also not add clauses that directly or indirectly contradict the clauses of the standard contractual clauses or restrict the fundamental rights and freedoms of data subjects. However, the SCC requires parties to make certain choices. Where such choices are available, the following shall apply in relation to this DPA:
Clauses in the SCC | Agreed alternative |
---|---|
Clause 1(a) | Option 1 |
Clause 5 | To be applied |
Clause 7.7 (a) | Option 2, where the agreed list shall mean the list of sub-processors used by the processor as of the effective date. Changes shall be notified at least 30 days in advance. |
Clause 8 c) 4) | Option 1 |
Clause 9.1(b) | Option 1 |
Clause 9.1(c) | Option 1 |
Clause 9.2, third paragraph | Option 1 |
In addition to the above, the following provisions shall apply to the processing of Personal Data under the Contract.
Notification of a Data Breach
The Data Processor (as defined in Annex I) shall notify the Data Controller (as defined in Annex I) of any personal data breaches referred to in clause 9(2) of the SCC without undue delay after becoming aware of the breach.
Docking
For an additional entity to be considered a party to the Agreement in accordance with Clause 5(b), the entity's details must be completed in Annex II and a separate access agreement must be signed by all parties.
Reimbursement
Unless otherwise agreed in writing between the Parties, the Data Processor (as defined in Annex I) shall not receive any compensation for the performance of its obligations under the DPA, including compliance with the Data Controller's (as defined in Annex I) instructions regarding the processing of the Data Controller's Personal Data, other than the compensation payable under the Agreement.
Notwithstanding the provisions of the previous paragraph, the Data Processor is entitled to compensation for actual and justified additional costs incurred by the processor as a result of:
- the extent of the processor's involvement in the controller's compliance with the data subject's rights under point 8.2(a) substantially exceeds what the processor could reasonably have foreseen at the time the DPA entered into force,
- the processor's assistance with the DPIA under clause 8(c)(1) initiated by the controller,
- assistance to the processor in the event of a personal data breach in accordance with clause 9.1 where the breach is caused by the controller,
- assistance to the processor in the event of an audit or review of the processor and/or its sub-processors initiated by the controller,
- after the DPA has entered into force, the controller issues new or amended instructions regarding the processing of Personal Data by the processor; and
- that the processing of the Controller's Personal Data by subcontractors has been terminated at the Controller's request after the Controller has been informed in accordance with clause 7.7(a).
Applicable law
This DPA shall be governed by and construed in accordance with the choice of law made in the Agreement.
Other
The Data Controller instructs the Processor to anonymize and aggregate the personal data entered into the Data Processor's platform.
ANNEX I - List of Parties
Data Controller
Details of the data controller are set out in the Main Contract (herein referred to as the "Customer").
By signing the Main Agreement, the Controller shall also be deemed to have signed this DPA which constitutes Annex 2 to the Main Contract.
Data Processor
Details of the Data Processor are set out in the Main Agreement (herein referred to as the "Supplier").
By signing the Main Contract, the Processor shall also be deemed to have signed this DPA which constitutes Annex 2 to the Main Contract.
ANNEX II - Description of the processing operation
Purpose and nature | Purpose and nature of processing: Providing a platform where the Customer can get access to the tools they need to ensure that the right staff are in their workplaces. |
---|---|
Categories of registrants | The categories of data subjects whose personal data are processed are the following: Customer, Employees of the Data Controller, Consultants affiliated to the Data Controller, Other: |
Categories of personal data | The categories of personal data processed are the following: Identification data (e.g. name and surname), Contact details (e.g., telephone number and email), Work-related documents e.g. training certificates, etc., Personal data requiring additional protection (e.g. ), Other: |
Sensitive personal data | N/A |
Duration | The processing will continue as long as the Agreement between the Parties is valid. |
ANNEX III - Technical and organizational measures
List of all security measures, including technical and organizational measures, taken by the processor to ensure the security of the data.
Organization of information security | The Data Processor shall have appointed one or more persons responsible for coordinating and monitoring information security and data protection rules and procedures to ensure confidentiality, availability, accuracy and traceability. Ownership shall be documented. Data Processor’s staff with access to customer data shall be subject to confidentiality obligations. |
Education and training | The Data Processor’s staff must have undergone training in information security and data protection, as well as the rules and procedures of the systems where customer data is stored. The staff of the Data Processor shall be aware of the measures for breach of information security rules. |
Technical security | Backup and data recovery: The Data Processor shall make backups of customer data regularly. The Data Processor shall log data recovery operations. Malicious code: The Data Processor shall protect customer data against malware through security updates to prevent malware from gaining unauthorized access to customer data. The protection shall be continuously updated. Data outside the Processor's interface: The Data Processor shall appropriately protect customer data sent over public networks, for example by encryption. |
Authorization management | Minimum eligibility: The Data Processor shall restrict access to customer data to only those persons who need such access to perform their tasks. Technical support staff may only access customer data when necessary. Privacy and confidentiality: The Data Processor shall prevent unauthorized access to customer data by instructing its staff to log out of administrative sessions when they finish work and in situations where computers are left unattended. Authentication: The Data Processor shall use a password-based authentication mechanism. The password shall be complex and renewed regularly. The Data Processor shall aim to follow industry standard practices to disable passwords that have been corrupted or accidentally disclosed. The Data Processor shall use industry standard practices for password protection, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage. |
ANNEX IV - List of sub-processors
List of sub-processors used by the Processor as of the effective date.
Sub-processor | Company registration number and address | Contact person (name, position, contact details) | Description of processing | Location of processing |
---|---|---|---|---|
Microsoft Ireland Operations, Ltd. | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Microsoft Ireland Operations, Ltd., Attn: Data Protection, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Storage and Hosting | USA |
HubSpot, Inc. | Two Canal Park, Cambridge, MA 02141, USA | Nicholas Knoop, Data Protection Officer, HubSpot, Inc., Two Canal Park, Cambridge, MA 02141 USA | Customer relationship management (CRM) | USA and EU |
Twilio Ireland Limited | 70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland | Privacy Team privacy@twilio.com | Transactional Emails | USA |
Amplitude, Inc. | 201 3rd Street, Suite 200, San Francisco, CA 94103, United States | Privacy Team privacy@amplitude.com | User behavior analytics data | USA |
Usercentrics A/S (Cookiebot) | Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark | Legal Department, privacy@cookiebot.com | Consent management for cookies and trackers on the website | EU |