This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Terms") between Abundly AI AB, a company established under the laws of Sweden ("Processor" or "we," "us," "our") and the entity or person agreeing to these terms ("Controller" or "you," "your").
This DPA automatically applies and is incorporated into the Terms when you:
No signature is required for this DPA to be binding. By checking the relevant box during registration or through your account settings, you acknowledge that you have read and agree to be bound by this DPA.
For the purposes of this DPA, the following terms shall have the meanings set forth below. All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms.
means the General Data Protection Regulation (EU) 2016/679, together with any national implementing laws in any Member State of the European Union, as amended, replaced or superseded from time to time, including by the UK GDPR and the Data Protection Act 2018.
means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, and Switzerland, applicable to the Processing of Personal Data under the Terms.
means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
means an identified or identifiable natural person to whom the Personal Data relates.
means any Processor engaged by us who agrees to receive from us Personal Data exclusively intended for Processing activities to be carried out on behalf of you.
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
The parties acknowledge and agree that with regard to the Processing of Personal Data, you are the Controller and we are the Processor.
You shall, in your use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which you acquired Personal Data.
a) We shall only Process Personal Data on behalf of and in accordance with your documented instructions for the following purposes: (i) Processing in accordance with the Terms; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by you where such instructions are consistent with the Terms.
b) We shall inform you if, in our opinion, your instruction infringes any Data Protection Laws. In such cases, we are entitled to refuse Processing of Personal Data.
The subject-matter, nature and purpose of Processing, the types of Personal Data, and categories of Data Subjects Processed under this DPA are set forth in Annex 1 to this DPA.
We shall, to the extent legally permitted, promptly notify you if we receive a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to automated individual decision making ("Data Subject Request"). Taking into account the nature of the Processing, we shall assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent you, in your use of the Services, do not have the ability to address a Data Subject Request, we shall, upon your request, provide commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent we are legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, you shall be responsible for any costs arising from our provision of such assistance.
We shall ensure that our personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. We shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
We shall take commercially reasonable steps to ensure the reliability of any of our personnel engaged in the Processing of Personal Data.
We shall ensure that our access to Personal Data is limited to those personnel who require such access to perform the Services.
You acknowledge and agree that we may engage third-party subprocessors in connection with the provision of the Services. We will ensure that our subprocessors are bound by written agreements that require them to provide at least the level of data protection required of us by this DPA.
We maintain a list of current subprocessors for the Services, including the location of each subprocessor.
We will update the subprocessor list prior to adding or replacing existing subprocessors.
If you have legitimate data protection concerns about a new subprocessor, you may contact us to raise your concerns. If we cannot address your concerns in a reasonable manner, you may terminate the Services by providing written notice to us.
We shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Personal Data. Our technical and organizational measures are described in Annex 2 to this DPA.
We regularly monitor compliance with these measures. We will not materially decrease the overall security of the Services during a subscription term.
We shall take reasonable steps to ensure that any person acting under our authority who has access to Personal Data does not Process them except on our instructions, unless required to do so by law.
We shall notify you without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. Such notification shall at minimum:
a) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
b) communicate the name and contact details of the data protection officer or other contact where more information can be obtained;
c) describe the likely consequences of the Personal Data Breach;
d) describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
We shall co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
We shall provide reasonable assistance to you with any data protection impact assessments and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, us.
Upon termination or expiration of the Terms, we shall, at your choice, delete or return to you all Personal Data in our possession and delete existing copies unless applicable law requires storage of the Personal Data.
At your request, we shall provide you with a certification of deletion of Personal Data.
Upon your request, and subject to the confidentiality obligations set forth in the Terms, we shall make available to you information necessary to demonstrate compliance with this DPA. These documents may include relevant certifications, such as ISO 27001, SOC 2 reports, or results of internal audits.
If the reports provided under Section 10.1 are not sufficient to demonstrate compliance with this DPA, you may conduct an audit subject to the following conditions:
All information obtained during an audit will be considered our confidential information and shall be used solely for the purpose of assessing compliance with this DPA.
We will store and process Personal Data only in the European Economic Area (EEA), a country that has received an adequacy decision from the European Commission, or in another location that offers equivalent levels of protection for personal data.
If we transfer Personal Data protected under this DPA to a third country or international organization, we shall ensure that appropriate safeguards are in place in accordance with GDPR, which may include:
This DPA supplements our general Terms. In case of conflict between this DPA and the Terms regarding the Processing of Personal Data, this DPA shall prevail.
We may update this DPA from time to time. Material changes will be notified to you through our website or via email. Your continued use of the Services after such notification constitutes your acceptance of the updated DPA.
If any provision of this DPA is found to be unenforceable, the remainder shall continue in full force and effect.
All notices required under this DPA shall be provided in writing to the contact points specified in the Terms or through the Platform's notification systems.
This DPA is governed by the laws of Sweden.
Any dispute arising in connection with this DPA, which the parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Sweden.
This DPA has been automatically accepted and does not require a physical or electronic signature to be binding. The effective date of this DPA is the date when you checked the box to accept it during registration or when you otherwise requested it through your account settings.
We will Process Personal Data as necessary to perform the Services pursuant to the Terms, as further specified in the documentation relating to the Services, and as further instructed by you in your use of the Services.
We will Process Personal Data for the duration of the Terms, unless otherwise agreed upon in writing.
You may submit Personal Data to the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
You may submit Personal Data to the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to the following categories of Personal Data:
The Processor implements and maintains appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. These measures may include, depending on the specific services and processing activities:
A more detailed description of the specific technical and organizational measures implemented by the Processor is available upon reasonable request.
For questions about this Data Processing Agreement, please contact us at support@abundly.ai