GetAccept Data Processing Agreement

Updated October 2020

Welcome to our Data Processing Agreement

This Data Processing Agreement (“DPA”) and its annexes, including links, governs the Processing of Personal Data by GetAccept AB, 559023-1402, as a Processor, on behalf of Customer or Customer Affiliates, as applicable and as defined in the Main Agreement, including our Terms, which can be found at Terms and Conditions.

Contact information for the responsible GetAccept party: legal@getaccept.com

Preamble

(A) This data processing agreement (“Agreement”) applies to all activities where the Processor processes personal data on behalf of the Controller, as required by Article 28 (3) of the GDPR, in connection with the GetAccept Service, including any sub-agreements and similar agreements concluded thereunder (“Main Agreement”).

(B) The Processor uses the personal data of the Controller solely in the interest and on behalf of the Controller.

(C) If the Processor is also providing services and/or products under the Agreement to the Controller’s Affiliates, or otherwise gains access to the Affiliate’s data relating to identified or identifiable natural person(s) for the purposes of fulfilling the Main Agreement, such data shall be regarded as Personal Data and this Agreement shall be applicable to the Processor’s processing of such Personal Data. Such Affiliates have the same rights and obligations as the Controller under this Agreement.

(D) This Agreement is an integral part of the Main Agreement. In the event of any conflict between the terms of the Main Agreement and the terms of this Agreement, this Agreement shall prevail with respect to the subject matter of this Agreement.

1. Definitions

1.1 Affiliate: Companies (a) directly or indirectly owning or controlling the Controller; or (b) under the same direct or indirect ownership or control as the Controller; or (c) directly or indirectly controlled by the Controller. Ownership or control shall be understood to exist through direct or indirect ownership of fifty percent (50%) or more of the nominal value of the issued equity share capital or of fifty percent (50%) or more of the shares entitling the holders to vote for the election of the members of the board of directors or persons performing similar functions or the minimum share entitling to control prescribed in applicable legislations in such jurisdictions where the ownership of fifty percent (50%) or more would not be possible.

1.2 Applicable Data Protection Laws: refers to all privacy and personal data legislation, along with any other legislation (including regulations and directives) applicable to the Processing carried out in accordance with this Agreement, including national legislation and EU legislation.

1.3 Commissioned Processing of Personal Data: the access to Personal Data by the Processor as well as the collection, modification, transfer, blocking, deletion, storing, hosting or any other type of processing of Personal Data by the Processor on behalf of the Controller in connection with the Main Agreement and as further specified under this Agreement.

1.4 Instruction: The Processor shall process Personal Data in accordance with the Controller’s written instructions. The initial instructions derive from Section 2 of this Agreement; the Controller can change, amend or replace these initial instructions by single instructions in writing at any time.

1.5 The terms Data Subject, Personal Data, and Personal Data Breach, shall have the same meaning as in the GDPR.

2 Scope of the Commissioned Processing

2.1 The Processor shall process or otherwise use Personal Data solely on behalf of the Controller and according to the Controller’s instructions as set out in Section 2 and the requirements of the applicable data protection laws. The Document Data is processed and stored in the EU at selected data centers (e.g. Frankfurt, Stockholm). For the application with its metadata, there is redundancy between the US and the EU depending on where the user is located, to guarantee a fast system regardless of geography.

2.2 The scope, manner and purpose of the collection, processing and use of the Personal Data under this Agreement are defined as follows:

Categories of subject | Type of personal data | Scope of use & purpose | Sensitive data
Customers and clients | Name, email, mobile number, address, IP-information, personal data contained in the individual documents | Signing of contracts | (none listed)
Partners | Name, email, mobile number, address, IP-information, personal data contained in the individual documents | Signing of contracts | (none listed)
Employees | Name, email, mobile number, address, IP-information, personal data contained in the individual documents | Signing of employee contracts | Yes, if salary is applied on contract.

3. Obligations of the Processor

3.1 The Processor shall only collect, process or utilise Personal Data of the Controller in accordance with the Instructions of the Controller and Applicable Data Protection Laws, and not for its own purposes or the purposes of third parties. The Controller shall confirm any oral instructions in writing or via email to legal@getaccept.com. Where the Processor believes that compliance with any Instruction of the Controller would result in a violation of applicable law on data protection, the Processor shall immediately notify the Controller thereof.

3.2 The Processor shall, within its area of responsibility, ensure the implementation of and compliance with technical and organisational measures. In particular, the Processor shall take such technical and organisational measures as protect the Personal Data of the Controller against accidental, unlawful or unauthorised destruction, loss, alteration, disclosure and access, as well as against other events that endanger the security, confidentiality or integrity of the Personal Data, appropriate to the risk, of varying likelihood and severity, to the rights and freedoms of natural persons. This includes, inter alia and as appropriate, the following measures:
  • The pseudonymisation and encryption of Personal Data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • Taking steps to ensure that any natural person acting under the authority of the Processor who has access to commissioned Personal Data does not process it except on instructions from the Controller, unless he or she is required to do so by Union or Member State law;
  • Preventing unauthorised persons from gaining access to data processing systems with which Personal Data is processed or used;
  • Preventing data processing systems from being used without authorisation;
  • Ensuring the availability and resilience of processing systems and services.

The Processor shall in particular ensure a strict separation between the Personal Data of the Controller, the Processor’s own data, and data of third parties.

3.3 The Processor shall inform the Controller in the event of (i) substantial disruptions of the service, (ii) possible infringements of applicable data protection laws or of this Agreement by the Processor itself, its employees or third parties, and (iii) any other irregularity in relation to the processing of the Controller’s Personal Data.

3.4 The Processor shall inform the Controller if the Personal Data of the Controller is put at risk at the Processor’s site by distraint, seizure, insolvency or bankruptcy measures, or by any other activities or measures of third parties. The Processor shall inform all persons responsible in this context that the Personal Data remains under the sovereignty of the Controller.

3.5 All data storage media, if any, and all copies or reproductions thereof shall remain the property of the Controller. The Processor shall store them carefully without granting access to third parties. The Processor shall at any time give information to the Controller relating to its Personal Data and materials.

4. Notification obligation

4.1 In case of a Personal Data Breach, the Processor shall, without undue delay and in any case within 48 hours after having become aware of the Personal Data Breach, notify the Controller of the Personal Data Breach in writing. The notification must, to the extent such information is available to the Processor: (i) describe the nature of the Personal Data Breach, including the categories and number of Data Subjects concerned and the categories and number of data records concerned; (ii) communicate the identity and contact details of the data protection officer of the Processor or other contact point where more information can be obtained; (iii) recommend measures to mitigate the possible adverse effects of the Personal Data Breach; (iv) describe the consequences and potential risk to the Data Subjects due to the Personal Data Breach; (v) describe the measures proposed or taken by the Processor to address the Personal Data Breach; and (vi) provide any other information reasonably required in order for the Controller to comply with its own data protection requirements, including duties of notification and disclosure in relation to public authorities.

4.2 The Processor shall, without undue delay after becoming aware of any further details surrounding the Personal Data Breach, supplement the notification described in Section 4.1 above and provide the Controller with any other information relating to the respective Personal Data Breach as reasonably requested by the Controller and available to the Processor.

4.3 The Processor will document any Personal Data Breaches, comprising the facts surrounding the breach, its effects and the remedial actions taken. This Documentation must enable the supervisory authority to verify compliance with this Section 4. The Documentation will only include information necessary for such purpose, and shall be marked as confidential.

5. Confidentiality

5.1 Each Party shall keep confidential all material and information, including but not limited to Personal Data, marked as confidential or that should be understood to be confidential, regardless of whether personal, technical, financial or commercial and received in whatever form from the other Party (‘Confidential Information’). A Party shall have the right to:

(a)       use Confidential Information only for the purposes of this DPA and the Agreement;

(b)       copy Confidential Information only to the extent necessary for the purposes of this DPA and the Agreement; and

(c)        disclose Confidential Information only to those of its employees, subcontractors or advisors that need the Confidential Information for the purposes of this DPA and the Agreement. The disclosing Party is responsible for ensuring that the parties that receive Confidential Information comply with the terms relating to confidentiality agreed in this DPA.

5.2 Except for Personal Data, the confidentiality obligations set out in this Clause 5 shall not, however, apply to any material or information (i) that was in the possession of the receiving Party prior to receipt of the same from the other Party without any obligation of confidentiality related thereto; or (ii) that is generally available or otherwise public, other than if it is public through a breach of this DPA or the Agreement on the part of the receiving Party; or (iii) that a Party has received from a third party without any obligation of confidentiality; or (iv) that a Party has independently developed without using any material or information received from the other Party; or (v) that a Party is obliged to disclose pursuant to law or an order issued by a Supervisory Authority.

5.3 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Agreement or when the respective Party no longer needs the Confidential Information in question for the purposes of this DPA and/or the Agreement and shall return the material in question (including all copies thereof). Each Party shall, however, be entitled to retain copies as and to the extent required by the applicable law.

5.4 Each Party guarantees the observance and proper performance of this DPA by its personnel and advisors to whom Confidential Information may be disclosed pursuant to this Clause 5. The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.5 The confidentiality obligations set out in this Clause 5 shall survive any termination or cancellation of this DPA or the Agreement.

6. Obligations of the Controller

6.1 The Controller shall collect, process, and utilise Personal Data in accordance with applicable laws.

7. Obligation to Assist

7.1 The Processor shall duly assist and cooperate with the Controller to allow the Controller to comply with its obligations under (i) applicable law, inter alia pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Processor, (ii) the rights of data subjects, and (iii) requests or notices served by public authorities on the Controller in relation to the Services, the Personal Data or the Processing activities performed under this Data Processing Agreement. The Controller shall reimburse any reasonable costs incurred by the Processor in connection with the fulfilment of these duties. In case the inquiries relate to the duties of the Processor, the Processor shall assist the Controller free of charge.

8. Control Rights and Certificates

8.1 The Controller may itself – or with a third party being subject to statutory professional confidentiality obligations – carry out an audit at the Processor’s establishment, during the usual business hours and without disturbing the Processor’s business processes, to convince itself of the Processor’s compliance with the technical and organisational measures, this Agreement and data protection laws. The Processor shall tolerate such audit and shall comprehensively support the Controller in such audit. Furthermore, the Processor shall provide to the Controller, upon written request, within a reasonable period all information which is necessary to carry out a comprehensive review of the Commissioned Processing of Personal Data and release those persons from their confidentiality obligations vis-à-vis the Controller for the purpose of the audit. However, the Processor is not obliged to disclose business and trade secrets, operational know-how and other data being protected by law, such as data of other controllers, within such an audit. Controls and audits shall be announced at least four (4) weeks in advance and shall be coordinated with the Processor. Any costs of such controls and audits, including possible costs of the Processor, shall be borne by the Controller.

8.2 In the event of an audit or an information request from a regulatory authority supervising the Controller’s business, the Processor shall assist the Controller in answering the request and organising the audit. The Processor shall always allow any such regulatory authority to conduct audits of the Processor’s operations. Each Party shall bear its own costs in connection with audits initiated by such regulatory authority.

8.3 In case an audit reveals that the Processor has breached this Agreement, relevant provisions of the Main Agreement and/or the applicable data protection laws, and such breach is considered more than a minor breach, the Processor shall bear all costs of the respective audit. The Processor shall take, at its own cost, all corrective actions for all identified breaches.

9. Data transfers to non-EEA-based subprocessors

9.1 The Processor shall ensure that Personal Data is processed within EU/EEA and not transferred to a third country or international organisation unless the Controller consents in writing to such transfer and the transfer is in compliance with Chapter V of the GDPR.

9.2 The Controller consents to transfer of Personal Data (i) under Controller’s instructions in Clause 2, above; (ii) in compliance with the conditions stipulated here in Clause 9; and (iii) to Subprocessor(s) as listed and agreed on by Clause 10, below.

9.3 The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled "FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC" the Controller (data exporter) may provide a general consent to onward subprocessing by the Processor.

9.4 Accordingly, the Controller mandates the Processor to sign Model Clauses 2010/87/EU with its non-EEA-based subprocessors in the name and on behalf of the Controller. The Controller remains the data exporter and the subprocessor is the data importer under those terms. The Controller also agrees, in advance, to the content of Appendices 1 and 2 of Model Clauses 2010/87/EU.

9.5 At the request of the Controller, the Processor shall provide a copy of the agreement or other legal act concerning processing of Personal Data on behalf of the Controller, entered into between the Processor and the Subprocessor (for Commissioned Processing of Personal Data).

10. Subprocessors

10.1 The Controller specifically authorizes the engagement of the subprocessors listed below
(Name, Location of processing, Processing(s) performed by subprocessor, Transfer mechanism where applicable):

  • Amazon AWS, USA, Storage, SCC (Standard Contractual Clauses)
  • Twilio, USA, SMS service provider, BCR (Binding Corporate Rules) & SCC (Standard Contractual Clauses)
  • Sendgrid, USA, Email service provider, SCC (Standard Contractual Clauses)
  • CloudConvert, Germany, File converter

10.2 The Processor is authorized to engage or replace subprocessors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Subprocessor. The Controller is entitled, within five (5) days of receiving notification, to lodge reasonable objections to such changes. The Processor shall notify the Controller of the following:

(a) The identity, corporate domicile and corporate ID of the Subprocessor;

(b) The types of Customer Personal Data and categories of data subjects that will be processed by the Subprocessor;

(c) The location(s) where the Subprocessor will process Customer Personal Data; and

(d) If the engagement or replacement of the Subprocessor would constitute a transfer of Personal Data to a third country or international organization and under what transfer mechanism.

10.3 In all cases, such approval shall be granted only provided that the contractual agreement between the Processor and the subcontractor protects the Personal Data of the Controller essentially as this Agreement does (especially as regards confidentiality, data protection and data security) and in no regards contains data protection obligations less stringent than those contained in this Agreement. The Processor shall be responsible for the subcontractors’ obligations as for its own. The Controller shall have control rights vis-à-vis the Processor and the subprocessor as agreed in Section 7 of this Agreement. Furthermore, the Controller shall receive, upon request, information on the subprocessor as well as on the implementation of technical and organisational measures.

10.4 The Controller is entitled to prohibit the use of a specific subcontractor engaged in the Commissioned Processing of Personal Data for justified reason at any time. In order to avoid any adverse effects to the provision of the services and/or products under the Main Agreement, the Controller shall give the Processor a reasonable time to find a replacing subcontractor.

10.5 The Processor shall make available to the Controller an accurate and up-to-date list of the subprocessors engaged, as well as the geographical location where their processing activities in respect of the Personal Data for which the Controller is the data controller are performed.

11. Liability

11.1 The Parties agree that the general principle of division of responsibility between the Parties under this Agreement, relating to fines and/or damages to the Data Subjects imposed by any relevant supervisory authority and/or competent court authorised to impose such fines or damages, is based on each Party’s need to fulfil its obligations under the applicable data protection laws, and that any fines and/or damages to the Data Subjects imposed by a supervisory authority and/or competent court shall be paid by the Party that has failed in the performance of its legal obligations under the applicable data protection laws.

11.2 Neither Party shall be liable to the other Party under the Agreement for any indirect damages. The Parties’ aggregate liability under this Agreement shall be limited to, and not exceed, the amount that the Controller has paid for the use of the services (limited to the last 12 months prior to the claim) and service content, regardless of the claim. The Controller shall defend, indemnify and hold the Processor harmless against all reasonable costs and damages finally awarded against the Processor by a competent supervisory authority and/or a court of competent jurisdiction (i.e. by an award not capable of appeal) and resulting from claims and actions alleging that the Processor is in breach of the applicable data protection laws, provided that (i) such breach results directly from the Controller’s written instructions or requirements that are in breach of applicable data protection laws; and (ii) the Processor has notified the Controller beforehand that such requirements or instructions constitute a violation of the data protection laws applicable to the Processor but the Controller has not amended such requirements or instructions in accordance with the Processor’s advice in order to avoid such violation by the Processor; and (iii) the Processor notifies the Controller without any delay of such claims and actions; and (iv) the Processor gives the Controller all necessary information, assistance and authorisations as requested by the Controller from time to time and authorises the Controller to settle the matter at its discretion. The indemnification obligation of the Controller shall be the sole and exclusive remedy of the Processor regarding any breach of applicable data protection regulation by the Controller.

12. Term and Termination

12.1 This DPA applies to the identical term as the Main Agreement. For the sake of clarity, termination of the Main Agreement by either Party, for whatever reason, is a termination of this DPA. Either Party’s right to terminate this Agreement for cause shall remain unaffected.

12.2 If the Processor materially breaches its obligations under this Agreement and fails to remedy such breach within thirty (30) days from the Controller’s notification of the breach to the Processor, or within thirty (30) days from the date when the Processor should have noticed the breach, the Controller shall have the right to terminate with immediate effect any and all services and other agreements which the breach affects or relates to.

12.3 Upon termination of this Agreement for whatsoever reason, the Processor shall return all data storage media and copies thereof as well as all Personal Data in its possession to the Controller and shall thereafter delete any Personal Data stored at the Processor. Upon request of the Controller, the Processor shall confirm compliance with such obligations in writing within one (1) week from such request.

13. General Provisions

13.1 Amendments and additions to this Agreement must be in writing. This also applies to a waiver of the requirement for this form.

13.2 Should one or more clauses of this Agreement be or become invalid and/or unenforceable, the validity of the other clauses of this Agreement shall remain unaffected thereby. In such a case, the Parties shall amend this agreement and amicably replace the invalid clauses.

13.3 Swedish law shall govern the Agreement.

13.4 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Swedish Chamber of Commerce. The arbitral tribunal shall be composed of a sole arbitrator who shall be appointed by the Board of Arbitration of the Central Chamber of Commerce. The place of arbitration shall be Sweden. The language used in the arbitral proceedings shall be English.

Contact information
If you have any questions or suggestions regarding our Privacy Policy or practices, you may contact us at hello@getaccept.com or via postal mail, see address on website www.getaccept.com.

Important features and benefits

EU Data Center

All documents and all data created by our customers within the EU are stored in European data centers, and the customer chooses where to store them.

Secure Storage

All documents and data created by our customers are automatically encrypted with an AES 256-bit EV SSL encryption key.

Encrypted Communication

GetAccept has strict policies regarding internal access to data. Only authorized personnel have access to encrypted customer data.

Automated Removal

Automated processes ensure that data which may not be retained for a longer period is automatically cleared according to the required time intervals.

Tracking and Exporting

GetAccept has advanced search methods to find data and the ability to export selected data in a readable format.

Routines in Case of Intrusion

GetAccept has developed processes and routines, applied in the event of an intrusion, for protecting data and informing the people affected.