arrow Home/Legal /

Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Effective Date: October 1, 2024

1. Introduction

This Data Processing Agreement (“Agreement“) is an integral part of the Terms and Conditions between Deskhero AB (“we,” “us,” or “our“) and the Client (“you” or “Client“) and governs the processing of Personal Data by us on your behalf in connection with your use of our Software-as-a-Service (SaaS) platform (“Service“).

This Agreement reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR).

2. Definitions

  • Data Protection Laws: All applicable laws relating to data protection, privacy, and the processing of Personal Data, including GDPR and any applicable national implementing laws.
  • GDPR: EU General Data Protection Regulation 2016/679.
  • Personal Data: Any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR.
  • Processing: Any operation performed on Personal Data, whether or not by automated means, as defined in Article 4 of the GDPR.
  • Controller: The entity that determines the purposes and means of the processing of Personal Data.
  • Processor: The entity that processes Personal Data on behalf of the Controller.
  • Sub-Processor: Any Processor engaged by us to process Personal Data on behalf of the Client.
  • Standard Contractual Clauses (SCCs): The contractual clauses adopted by the European Commission for the transfer of Personal Data to processors established in third countries.

3. Roles and Responsibilities

3.1 Relationship of the Parties

  • Controller and Processor: For the purposes of this Agreement, you are the Controller and we are the Processor with respect to Personal Data processed on your behalf.

3.2 Purpose of Processing

  • We will process Personal Data as necessary to provide the Service in accordance with the Terms and Conditions and this Agreement.

4. Instructions

4.1 Processing Instructions

  • We shall process Personal Data only on documented instructions from you, including with regard to international data transfers, unless required to do so by law.

4.2 Limitations

  • If we believe that any instruction infringes Data Protection Laws, we shall inform you promptly.

5. Details of the Processing

5.1 Subject Matter

  • The processing of Personal Data in connection with the provision of the Service.

5.2 Duration

  • For the duration of the Agreement until deletion of all Personal Data as described herein.

5.3 Nature and Purpose

  • Processing of Personal Data to provide the Service, including storage, retrieval, and other operations necessary for the performance of the Service.

5.4 Types of Personal Data

  • Personal Data may include, but is not limited to:
    • Identification data (e.g., names, email addresses, phone numbers).
    • Contact information.
    • Support and communication data.
    • Any other Personal Data submitted by Users or Client’s Customers through the Service.

5.5 Categories of Data Subjects

  • Users: Employees or agents of the Client authorized to use the Service.
  • Client’s Customers: Individuals who interact with the Client through the Service.

6. Confidentiality

6.1 Personnel Confidentiality

  • We shall ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. Security Measures

7.1 Technical and Organisational Measures

8. Sub-Processing

8.1 Authorised Sub-Processors

  • You authorize us to engage Sub-Processors to process Personal Data on your behalf, provided that:
    • We inform you of any intended changes concerning the addition or replacement of Sub-Processors, giving you the opportunity to object within ten (10) days.
    • We enter into a written agreement with Sub-Processors imposing data protection obligations no less protective than those in this Agreement.
    • We remain fully liable for the performance of Sub-Processors.

8.2 Current Sub-Processors

9. International Data Transfers

9.1 Transfers Outside the EU/EEA

  • Personal Data may be transferred to countries outside the European Union (EU) or European Economic Area (EEA) where necessary, provided that:
    • Such transfers are made in compliance with Data Protection Laws.
    • Appropriate safeguards are in place, such as the Standard Contractual Clauses (SCCs).

9.2 Standard Contractual Clauses

  • The parties agree that the Standard Contractual Clauses (SCCs) as adopted by the European Commission shall apply to any transfers of Personal Data outside the EU/EEA to countries not recognized by the European Commission as providing an adequate level of data protection.

10. Assistance with Compliance

10.1 Data Subject Rights

  • We shall assist you by appropriate technical and organisational measures, insofar as possible, to fulfill your obligations to respond to requests for exercising Data Subject rights under Data Protection Laws.

10.2 Data Protection Impact Assessments

  • We shall provide you with reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities.

11. Notification of Data Breach

  • We shall notify you without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed on your behalf. Such notification shall include sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach.

12. Deletion or Return of Personal Data

  • Upon termination of the Agreement or upon your request, we shall, at your choice, delete or return all Personal Data to you, and delete existing copies unless storage is required by law.

13. Audits and Inspections

  • We shall make available to you all information necessary to demonstrate compliance with this Agreement and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

14. Liability

  • The liability of each party under this Agreement shall be subject to the exclusions and limitations of liability set out in the Terms and Conditions.

15. Governing Law and Jurisdiction

  • This Agreement is governed by and construed in accordance with the laws of Sweden. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Sweden.

16. Miscellaneous

  • 16.1 Entire Agreement: This Agreement constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes any prior agreements.
  • 16.2 Severability: If any provision of this Agreement is held invalid, the remaining provisions shall remain in full force and effect.

Annexes

Annex 3: Standard Contractual Clauses (SCCs)

Due to copyright restrictions, we cannot include the full text of the Standard Contractual Clauses (SCCs) directly in this document. However, we acknowledge that the SCCs, as adopted by the European Commission, form an integral part of this Agreement for the purpose of governing international data transfers outside the EU/EEA to countries not recognized as providing an adequate level of data protection.

Action Required:

  • Incorporation by Reference: By entering into this Agreement, both parties agree that the Standard Contractual Clauses are incorporated herein by reference and apply to any international data transfers.

Guidance:

  • Download SCCs: You can download the official SCCs from the European Commission’s website.
  • Attachment: We recommend that you attach the SCCs as an appendix to this Agreement when finalizing the document.

Data Protection Officer (DPO) Contact Information:

  • Name: Klas Karlsson
  • Email: dpo@deskhero.com
  • Phone: +46 70 601 13 22

Contact Information:

  • Deskhero AB
    KIVRA: 559415-4170
    106 31, Stockholm, Sweden
    Email: support@deskhero.com

By using the Service and accepting the Terms and Conditions, you agree to the terms of this Data Processing Agreement.