Data Processing Agreement

1. Background

1.1 This data processing agreement, (the "Agreement"), forms an integral part of Proposales AB's, (the "Processor") terms of service related to the website proposales.com and/or the associated desktop application, (the "Terms"). Any term not otherwise defined herein shall have the meaning ascribed to it in the Terms.

1.2 The Processor will within the scope of the Service process personal data on behalf of the legal entity, represented by you, that has accepted and executed the Terms. The legal entity is therefore the "Controller" with respect to this Agreement.

1.3 The Controller and the Processor are each a "Party" and collectively the "Parties".

1.4 In light of the above, the Parties have reached the following Agreement.

2. Relationship between the Agreement and other agreements between the Parties

In the event that the provisions of this Agreement are contradictory to the provisions of any other agreement between the Parties, the provisions of this Agreement shall prevail. However, the foregoing does not apply to provisions of a subsequent agreement that expressly supersede the provisions of this Agreement.

3. Processing of personal data

3.1 In the context of the performance of the Service, the Processor may receive personal data, as defined in article 4.1 of the general data protection regulation (EU 2016/679), (the "GDPR"), processed for purposes determined by the Controller, (the "Personal Data"). The Controller is the data controller of the Personal Data in accordance with the personal data protection laws applicable from time to time, as well as any other applicable law, regulation or equivalent ordinance.

3.2 The Processor undertakes to only process the Personal Data in accordance with the terms of the Agreement or other written agreement between the Parties, and only in accordance with the Controller's instructions, Appendix 1, as well as with the from time to time applicable data protection legislation and any other applicable law, regulation or equivalent ordinance. The Controller is responsible for ensuring that the Processor does not process any other categories of Personal Data than those listed in Appendix 1, and in accordance with the scope stated therein. 

3.3 In case the Processor lacks the instructions that the Processor considers necessary to perform the tasks that the Processor has acquired from the Controller within the scope of the Service, the Processor shall, without delay, notify the Controller of its position and await such instructions that the Controller deems necessary.

3.4 Access to the Personal Data shall, within the Processor's organisation, be limited to those who require it for the performance of the Service and who are obligated to observe secrecy by agreement or by law. The Processor shall take appropriate technical and organisational measures to protect the Personal Data. Such measures shall provide a level of security that is appropriate with regard to the available technology and the cost of the measures, taking into account whether there are any specific risks involved with the processing and the level of sensitivity of the Personal Data. The Processor’s technical and organisational measures are outlined in Appendix 2.

3.5 The Processor undertakes to, at all times, ensure that relevant personnel comply with this Agreement and the Controller's instructions, and to ensure that they are kept informed regarding the from time to time applicable data protection legislation.

3.6 The Processor shall, through suitable technical and organizational measures and to the degree it is possible in relation to the nature of the processing, assist the Controller in order for the Controller to be able to fulfil its obligation to respond to requests from the individual data subjects in accordance with the applicable law or regulation. The Processor shall also in all other aspects assist the Controller in fulfilling its obligations, taking into account the type of processing and the information available to the Processor, regarding

1. security in connection to the processing;
2. notification of any personal data breach to the supervisory authority;
3. communication to the data subject of a personal data breach; and
4. data protection impact assessment and prior consultation;

to the extent that the obligations in (a)-(d) above are required according to the applicable law or regulation. The Processor shall be entitled to reasonable compensation for its assistance in accordance with this Section 3.6.

3.7 The Processor undertakes to maintain a written record of the processing of Personal Data including the content stated in article 30.2 of the GDPR. Upon request, the records shall be provided to the Controller.

3.8 If, contrary to the GDPR, the Controller does not inform the individual data subject of a personal data breach and the supervisory authority orders the Processor to rectify the deficiency, the Controller shall compensate the costs of the Processor to adhere to the order of supervisory authority.

3.9 The Processor has the right to appoint another processor (a so-called sub-processor) for the processing of the Personal Data. The Processor shall inform the Controller that the Processor intends to appoint another or replace a sub-processor at least 30 days before such an appointment or replacement takes place. If the Controller objects to the appointment of such a sub-processor that the Controller has been informed of according to this Section 3.9 before the appointment, the Processor cannot appoint the sub-processor for the processing of the Personal Data, provided that the Controller had a justifiable reason for its objection. The term "justifiable reason" as referred to in this Section refers to circumstances on behalf of the sub-processor that, to a considerable degree affects, or likely will affect, the protection of the personal integrity of the individual data subject, for example if the new sub-processor does not fulfil the requirements on personal data processors in the GDPR or any other relevant privacy legislation. If the Processor engages such sub-processor, the Processor shall ensure that the data processor by agreement undertakes the same data privacy obligations as arising out of this Agreement. The Processor is fully responsible towards the Controller for such undertakings of the sub-processor.

3.10 Unless otherwise agreed upon in writing between the Parties, the Processor has the right to transfer personal data outside the EU/EEA. The Processor undertakes to only transfer or process personal data outside the EU/EEA when such transfer or processing is lawful under article 45-47 of the GDPR.

3.11 The Controller has the right to information and the right to audit the performance of the Processor's obligations under the Agreement. The Processor shall allow and contribute to such audits, including inspections, carried out by the Controller or an auditor engaged by the Controller. If the Controller wishes to carry out an inspection, the Controller shall inform the Processor of such inspection within reasonable time before the inspection and at the same time specify the content and scope of the inspection. 

3.12 An inspection according to Section 3.11 requires that the Controller, or an auditor appointed by the Controller, has agreed upon necessary confidentiality obligations and adheres to the safety regulations on the place of inspection. It also requires that the inspection is performed without the risk of disrupting the business operations of the Processor or the protection of the information of other controllers and personal data. Information that is gathered as part of an audit, including inspections, shall be deleted in accordance with legal requirements. .

3.13 The Processor shall immediately inform the Controller if the Processor believes that an instruction is contrary to applicable law, regulation or equivalent ordinance. The Processor shall be prepared to comply with decisions made by the Swedish Data Protection Authority on measures to comply with the safety requirements of applicable law.

3.14 The Processor shall without delay notify the Controller regarding any contact with a competent supervisory authority that concerns, or could be of importance for, the Processor's processing of Personal Data. The Processor does not have the right to represent the Controller or act on its behalf in relation to the supervisory authority.

3.15 Upon discontinuation of the Processor's processing of the Personal Data (e.g. due to the Controller giving instructions that the processing should be discontinued or that the Agreement is terminated in accordance with Section 4.1 below), the Processor shall return all data containing personal data covered by this Agreement and all media on which such data is stored. The Processor shall also delete existing copies of all such data, e.g. from backup systems, unless the Processor has a legal obligation to retain the Personal Data under union or member state law.

4. Miscellaneous

4.1 This Agreement shall enter into force upon signing by authorised representatives of both Parties. The Agreement shall terminate simultaneously with the agreement between the Parties governing the Service, however, at the earliest when the Processor has ceased all processing of the Personal Data.

4.2 The Processor has no right to transfer its rights or obligations under this Agreement, in whole or in part, without the Controller's prior written consent.

4.3 If applicable data protection legislation change during the period of this Agreement, or if a competent supervisory authority issues guidelines, decisions or rules regarding the application of the applicable data protection legislation, that results in this Agreement to no longer meet the requirements provided for data processing agreements, or if the agreement or agreements that regulate the Service change, this Agreement shall change to accommodate such new or additional requirements and/or changes. Any such change shall enter into force on the day that the Controller states, but not earlier than five days after notice of such change was sent to the Processor. The Processor has right to compensation for its reasonable costs incurred by such a change of this Agreement.

4.4 In addition to what is applicable under the agreement or agreements that regulate the Service, for the period of this Agreement and thereafter, the Processor undertakes not to disclose the Personal Data to any third party. The Personal Data may only be disclosed to such employees of the Processor for which the Personal Data is necessary to perform their tasks, to a competent supervisory authority, or otherwise when disclosure of the Personal Data is required by law. It is the responsibility of the Processor to ensure that employees that are likely to come in contact with the Personal Data have undertaken to keep the Personal Data confidential to the same extent as the Processor is required under this Agreement.

4.5 This Agreement shall be governed by and construed in accordance with Swedish law. Disputes concerning the interpretation or application of this Agreement shall be settled in accordance with the agreement or agreements between the Parties governing the Service.

Appendix 1: Controller's instructions

Below are the instructions of the Controller, as stated in Section 3.2 of the Agreement. Instructions given at a later date which makes reference to the Agreement replace the ones provided below.

Categories of data subjects

Potential customers and receivers of the Controller's offers, as well as Controller’s employees that has a user account

Types of Personal Data

Name, e-mail address, company name, address for invoicing, phone number, data on use of the Service, time of accept or rejection of an offer, other potential data contained in the offer or related to the offer. Profile photo and job title can be optionally provided for user accounts.

Processing purposes

The Personal Data may only be processed for the following purposes and only on behalf of the Controller: Providing the Service, including sending, following up, and register the acceptance or rejection of an offer.

Nature of the processing

Storage, viewing, transferring, registering, amending, deleting.

Retention period

As long as necessary for the provision of the Service, always at most until Controller instructs Processor to delete the Personal Data (some or all).

Sub-processors

The Processor may, provided the conditions in Section 3.9 are met, transfer the Personal Data to any sub-processor. Approved sub-processors at the date of this Agreement are listed in Appendix 3

Third country transfers

The Processor may, provided that the conditions in Section 3.10 are met, transfer the Personal Data to countries outside the EU/EEA.

Appendix 2: Technical and Organisational Measures

No.1
Category of Measures: Encryption (Art. 32 (1) a) GDPR)
Description of Category: Measures to ensure that data is encrypted during transfer and at rest.
‍
Technical Measures:

• All communication is done over Secure Sockets Layer (SSL).
• Passwords are salted and hashed.
• Encryption of data carriers on laptops/notebooks and mobile data carriers ("data at rest”)

No.2
Category of Measures: Confidentiality – physical access control (Art. 32 (1) b) GDPR)
Description of Category: Measures to prevent unauthorized physical access to data processing systems.
‍
Technical Measures:

• All data is stored by trusted cloud providers with SOC 2 certified data centers

No.3
Category of Measures: Confidentiality – data access control (Art. 32 (1) b) GDPR)
Description of Category: Measures to prevent unauthorized access to data processing systems.
‍
Technical Measures:

• Authentication with username /password, and/or biometric methods
• All non-public pages and REST-endpoints require user authentication.
• Passwords to databases are rotated regularly.

Organisational Measures: 

• Dedicated ‘Alert Manager’ on duty at all times.
• Internal company configuration secrets managed via a secure password manager.

No.4
Category of Measures: Confidentiality – data usage control (Art. 32 (1) b) GDPR)
Description of Category: Measures to ensure that authorized users only have access to the data necessary for their role.
‍
Technical Measures:

• Authentication with username, password, and/or biometric methods
• All non-public pages and REST-endpoints require user authentication.
• Passwords to databases are rotated regularly.

Organisational Measures: 

• Role-based user management ensures controlled access to personal information.
• Allocate user rights, defining user profiles, assignment passwords, and assign user profiles to IT-systems

No.5
Category of Measures: Availability – availability control (Art. 32 (1) b) GDPR) Description of Category: Measures to ensure that personal data is protected from accidental destruction or loss.
‍
Technical Measures:

• Monitoring in place to detect issues that could affect platform functionality.

Organisational Measures: 

• Automated database snapshots on a daily basis (stored off-site).
• Permanent access to past deployments for instant rollbacks.

No.6
Category of Measures: Availability – job control (Art. 32 (1) b) GDPR)
Description of Category: Measures to ensure that, in the case of commissioned processing, data is processed only in accordance with the instructions of the controller.
‍
Technical Measures:

• All system events are logged and aggregated.
• Important user events stored in Audit logs, kept for a minimum of 3 months.

Organisational Measures: 

• Selection of the Processor giving consideration to diligence aspects (in particular with respect to data security)
• Assurance of deletion of the data at the end of the provision of services, continuous control of the Processor and its activities

No.7
Category of Measures: Resilience (Art. 32 (1) b) GDPR)
Description of Category: Measures to ensure that systems and services can handle high peak loads.

Organisational Measures: 

• Actively monitoring the health of our services and upstream services through status alerts, log alerts, log aggregation, and incident reports.

No.8
Category of Measures: Restoration of availability (Art. 32 (1) c) GDPR)
Description of Category: Measures to ensure data availability and access can be restored in a timely manner after an incident.
‍
Technical Measures:

• Automated database snapshots on a daily basis (stored off-site).

Organisational Measures: 

• Testing of data restoration.

No.9
Category of Measures: Data protection management (Art. 32 (1) d) GDPR)
Description of Category: Measures to ensure regular testing and evaluation to ensure that the measures in place are effective in protecting personal data.
‍
Technical Measures:

• Regular penetration tests
• Every code change goes through a pull request on GitHub with automated tests on Vercel.
• Peer-review required before deployment to production.

Organisational Measures: 

• Regularly revising database schema to ensure high-quality data and prevent redundant or gratuitous data storage.
• Post-mortem analysis after any incident to create action points for the future.
  

Appendix 3: Sub-Processors

Amazon Web Services, Inc. (Amazon Web Services)

• Registration number: 174230
• Address: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal
• Country of establishment: US/IE
• Country of processing: DE
• Transfer instrument: Data Privacy Framework (DPF)
• Data protection officer (if applicable): https://aws.amazon.com
• Subject matter of the processing: The main SQL database where Proposales keeps track of proposals, hotels and data operations
• Nature of processing: Used for data storage, though information regarding the way we access the data (i.e. SQL queries) are sampled as well in order to monitor and optimize our SQL queries.
• Duration of processing: During service provision 

DigitalOcean, Inc. (DigitalOcean)

• Registration number: 5118787
• Address: C/O Corporation Service Company, 251 Little Falls Drive, 19808, Wilmington, US
• Country of establishment: US
• Country of processing: DE
• Transfer instrument: Data Privacy Framework (DPF)
• Data protection officer (if applicable): privacy@digitalocean.com
• Subject matter of the processing: Server performing long-running synchronizations of account information
• Nature of processing: We use this server to synchronize account information necessary for Customer Success to communicate with the users.
• Duration of processing: Transient (1 hour until the script is complete)

Humio, Ltd. (CrowdStrike Inc.)

• Registration number: 13138098
• Address: 150 Mathilda Place, Ste. 300, Sunnyvale, CA 94086
• Country of establishment: US
• Country of processing: DE
• Transfer instrument: Data Privacy Framework (DPF)
• Data protection officer (if applicable): privacy@crowdstrike.com
• Subject matter of the processing: Log aggregation
• Nature of processing: We store logs of actions that were taken inside our platform to maintain observability on our platform and be alerted early in case of incidents with sufficient metadata to debug them. We maintain a strict policy of not providing any more data to the front-end than the bare necessary it needs to perform its function.
• Duration of processing: 14 days

Vercel, Inc.

• Registration number: 5857312
• Address: 440 N Barranca Ave #4133, Covina, CA 91723
• Country of establishment: US
• Country of processing: DE
• Transfer instrument: Data Privacy Framework (DPF)
• Data protection officer (if applicable): privacy@vercel.com
• Subject matter of the processing: Backend and frontend functionality
• Nature of processing: Here we prepare the data necessary for displaying the Service to our users and perform any actions requested by our users. This is the service that bridges the front-end websites that the users see from the database that keeps the data. 
• Duration of processing: Transient

AC PM, LLC (Postmark)

• Registration number: 
• Address: 1 North Dearborn St, 5th Floor Chicago, IL 60602
• Country of establishment: US
• Country of processing: EU/US
• Transfer instrument: Data Privacy Framework (DPF)
• Data protection officer (if applicable): privacy@wildbit.com
• Subject matter of the processing: Email service
• Nature of processing: We use the Postmark service to send out email notifications to users (e.g. when a proposal is accepted) and to the recipients of the proposals. We only send information necessary for displaying the email and a very limited amount of email metadata.
• Duration of processing: 45 days

Emailable, LLC

• Registration number: 61-1791068
• Address: 485 Underhill Blvd, Syosset, New York 11791
• Country of establishment: US
• Country of processing: EU/US
• Transfer instrument: Data Privacy Framework (DPF)
• Data protection officer (if applicable): hello@emailable.com
• Subject matter of the processing: Deliverability check of email addresses
• Nature of processing: We send in the email address for a new contact, and receive information of whether that email is accessible or not. We use this to help senders identify typos when creating a new contact.
• Duration of processing: Transient

Uploadcare, Inc.

• Registration number: 82-1639831
• Address: 2711 Centerville Road, Suite 400 City of Wilmington, County of New Castle, 19808
• Country of establishment: US
• Country of processing: EU/US     
• Transfer instrument: Data Privacy Framework (DPF)    
• Data protection officer (if applicable): trust@uploadcare.com
• Subject matter of the processing: File storage
• Nature of processing: Storage and processing of uploaded files and images 
• Duration of processing: Not limited in time (Storage), Transient (Processing)

Intercom

• Registration number: 10917030
• Address: Intercom R&D Unlimited Company, 55 2nd Street, 4th Floor San Francisco, CA 94105
• Country of establishment: US
• Country of processing: US
• Transfer instrument: Data Privacy Framework (DPF)
• Data protection officer (if applicable): legal@intercom.io
• Subject matter of the processing: Customer Support
• Nature of processing: Data for a user account. Data exchanged between the Processor and Controller.
• Duration of processing: During the time of an active user account

OpenAI OpCo, LLC

• Registration number: 
• Address: Pioneer building, 3180 18th St, San Francisco, USA
• Country of establishment: US
• Country of processing: US
• Data protection officer (if applicable): legal@openai.com
• Subject matter of the processing: Provides large language model processing for customers using Proposales' AI Products 
• Nature of processing: Processing in order to understand the context of data as well as cleaning data before storing it. 
• Duration of processing: Transient

‍

‍

‍