Data Processing Agreement

1. Background

1.1 This data processing agreement, (the “Agreement”), forms an integral part of Proposales AB’s, (the “Processor”) terms of service related to the website www.proposales.com and/or the associated desktop application, (the “Terms”). Any term not otherwise defined herein shall have the meaning ascribed to it in the Terms.

1.2 The Processor may within the scope of the Service process personal data on behalf of the legal entity (the “Controller”), represented by you, that has accepted and executed the Terms.

1.3 The Controller and the Processor are each a “Party” and collectively the “Parties”.

1.4 In light of the above, the Parties have reached the following Agreement.

2. Relationship between the Agreement and other agreements between the Parties

In the event that the provisions of this Agreement are contradictory to the provisions of the Terms or any other agreement between the Parties, the provisions of this Agreement shall prevail. However, the foregoing does not apply to provisions of a subsequent agreement that expressly supersede the provisions of this Agreement.

3. Processing of personal data

3.1 In the context of the performance of the Service, the Processor may receive personal data, as defined in the General Data Protection Regulation (EU 2016/679) (as amended or replaced from time to time, “EU GDPR”) and, where applicable, the UK General Data Protection Regulation as incorporated into UK law under the Data Protection Act 2018 (as amended or replaced from time to time, “UK GDPR and together with EU GDPR, “GDPR”), processed for purposes determined by the Controller, (“Personal Data”). The Controller is the data controller of Personal Data in accordance with the personal data protection laws applicable from time to time, as well as any other applicable law, regulation or equivalent ordinance relating to the processing of personal data.

3.2 The Processor undertakes to only process Personal Data in accordance with the terms of the Agreement or other written agreement between the Parties, and only in accordance with the Controller's instructions, Appendix 1, as well as with applicable GDPR and any other applicable law, regulation or equivalent ordinance relating to the processing of personal data. The Controller is responsible for ensuring that the Processor does not process any other categories of Personal Data than those listed in Appendix 1, and in accordance with the scope stated therein.

3.3 In case the Processor lacks the instructions that the Processor considers necessary to perform the tasks that the Processor has acquired from the Controller within the scope of the Service, the Processor shall, without delay, notify the Controller of its position and await instructions that the Controller deems necessary. Should the Processor receive Personal Data from the Controller outside of Appendix 1, it will inform the Controller and request instructions to clarify how Personal Data is to be processed.

3.4 The Processor shall maintain the confidentiality of all Personal Data. Access to Personal Data shall, within the Processor’s organisation, be limited to personnel who require such access for the performance of the Service and who are bound by confidentiality obligations by contract or law to the same extent as required under this Agreement. The Processor shall not disclose Personal Data to any third party except: (i) to authorised sub-processors engaged in accordance with Section 3.9; (ii) to a competent supervisory authority; or (iii) where disclosure is required by applicable law or regulation. The Processor shall take appropriate technical and organisational measures to protect Personal Data. Such measures shall provide a level of security that is appropriate with regard to the available technology and the cost of the measures, taking into account whether there are any specific risks involved with the processing and the level of sensitivity of Personal Data. The Processor’s technical and organisational measures are outlined in Appendix 2.

3.5 The Processor undertakes to, at all times, ensure that relevant personnel comply with this Agreement and the Controller’s instructions, and to ensure that they are kept informed regarding the from time-to-time applicable data protection legislation.

3.6 The Processor shall, through suitable technical and organizational measures and to the degree it is possible in relation to the nature of the processing, assist the Controller in order for the Controller to be able to fulfil its obligation to respond to requests from the individual data subjects as required under the applicable GDPR. The Processor shall also in all other aspects assist the Controller in fulfilling its obligations, taking into account the type of processing and the information available to the Processor, regarding:

  1. security in connection to the processing;
  2. notification of any personal data breach to each relevant supervisory authority;
  3. communication to the data subject of a personal data breach; and
  4. data protection impact assessment and prior consultation;

to the extent that the obligations in (a)-(d) above are required according to the applicable law or regulation relating to the processing of personal data.

3.7 The Processor undertakes to maintain a written record of the processing of Personal Data including the content required under the applicable GDPR. Upon request, the records shall be provided to the Controller.

3.8 If, contrary to GDPR, the Controller does not inform the individual data subject of a personal data breach and the relevant supervisory authority orders the Processor to rectify the deficiency, the Controller shall compensate the reasonable costs of the Processor to adhere to the order of the relevant supervisory authority.

3.9 The Processor has the right to appoint or replace another processor (a so-called sub-processor) for the processing of Personal Data, provided it informs the Controller thereof at least 30 days before such an appointment or replacement takes place. If the Controller objects in writing before the appointment becomes effective, the Processor may not appoint the sub-processor for the processing of the Controller’s Personal Data, provided that the Controller had a justifiable reason for its objection. The term “justifiable reason” as referred to in this Section refers to circumstances on behalf of the sub-processor that, to a considerable degree affects, or likely will affect, the protection of the personal integrity of the individual data subject, for example if the new sub-processor does not fulfil the requirements on personal data processors in GDPR or any other relevant legislation relating to the processing of personal data. If the Processor engages a sub-processor, the Processor shall ensure that the data processor by agreement undertakes the same data privacy obligations as arising out of this Agreement. The Processor is fully responsible towards the Controller for such undertakings of the sub-processor.

3.10 Unless otherwise agreed upon in writing between the Parties, the Processor shall not transfer personal data outside the EU/EEA/UK except as permitted under this Agreement. The Processor undertakes to only transfer or process personal data outside the EU/EEA/UK when such transfer or processing is lawful under GDPR. Where Personal Data is subject to UK GDPR, transfers to third countries by the Processor or their sub-processors will rely on the UK Extension to the EU-US Data Privacy Framework and/or the UK Addendum to the EU Standard Contractual Clauses, where applicable.

3.11 The Controller has the right to information and the right to audit (at its own cost) the performance of the Processor’s obligations under the Agreement, as required under GDPR. The Processor shall allow and contribute to such audits, including inspections, carried out by the Controller or an auditor engaged by the Controller. If the Controller wishes to carry out an inspection, it shall inform the Processor of such inspection within reasonable time before the inspection and at the same time specify the content and scope of the inspection. 

3.12 An inspection according to Section 3.11 requires that the Controller, or an auditor appointed by the Controller, has agreed upon necessary confidentiality obligations and adheres to the safety regulations on the place of inspection. It also requires that the inspection is performed without the risk of disrupting the business operations of the Processor or the protection of the information of other controllers and personal data. Information that is gathered as part of an audit, including inspections, shall be deleted in accordance with legal requirements.

3.13 The Processor shall immediately inform the Controller if the Processor believes that an instruction is contrary to applicable law, regulation or equivalent ordinance. The Processor shall be prepared to comply with decisions made by the Swedish Data Protection Authority on measures to comply with the safety requirements of applicable law.

3.14 The Processor shall notify the Controller regarding any contact with a competent supervisory authority that concerns, or is of importance for, the Processor’s processing of Personal Data. If a law, court, regulator or supervisory authority requires the Processor to process or disclose Personal Data, the Processor may do so provided it uses reasonable endeavours to first inform the Controller of the requirement and gives the Controller an opportunity to object or challenge the requirement, unless law or regulation prohibits such notice. The Processor does not have the right to represent the Controller or act on its behalf in relation to any relevant supervisory authority.

3.15 In the event of a personal data breach, the Processor shall notify the Controller in such time and including available details as required under GDPR. The Processor shall provide other required information as it becomes available and shall reasonably cooperate with the Controller in investigating the personal data breach and complying with applicable obligations under GDPR. The Processor shall take reasonable steps to contain, mitigate, and remediate the effects of any personal data breach and restore the availability and access to Personal Data where feasible.

3.16 Processor will notify the Controller without undue delay if it receives any complaint, notice or communication that relates directly or indirectly to the processing of Personal Data or to either Party’s compliance with GDPR, as well as any request from a data subject for access to their Personal Data or to exercise any of their related rights under GDPR.

3.17 Upon discontinuation of the Processor’s processing of Personal Data (e.g. due to the Controller giving instructions that the processing should be discontinued or that the Agreement is terminated in accordance with Section 4.1), the Processor shall, at the Controller’s written election, delete or return Personal Data in its possession or control, unless applicable law requires continued retention. The Processor may retain Personal Data in backup systems or archives that are not reasonably accessible in the ordinary course of business, provided that such data remains subject to appropriate safeguards and is deleted or overwritten in accordance with the Processor’s standard retention and backup policies.

4. Miscellaneous

4.1 This Agreement shall enter into force upon signing by authorised representatives of both Parties. The Agreement shall terminate simultaneously with the agreement between the Parties governing the Service, however, at the earliest when the Processor has ceased all processing of Personal Data.

4.2 The Processor may not transfer its rights or obligations under this Agreement, in whole or in part, without the Controller's prior written consent.

4.3 If applicable data protection legislation changes during the period of this Agreement, or if a competent supervisory authority issues guidelines, decisions or rules regarding the application of the applicable data protection legislation, that results in this Agreement to no longer meet the requirements provided for data processing agreements, or if the agreement or agreements that regulate the Service change, this Agreement shall change to accommodate such new or additional requirements and/or changes. Any such change shall enter into force on the day that the Controller states, but not earlier than five days after notice of such change was sent to the Processor. The Processor has the right to compensation for its reasonable costs incurred by such a change of this Agreement.

4.4 The confidentiality obligations in Section 3.4 shall apply for the term of this Agreement and thereafter.

4.5 This Agreement shall be governed by and construed in accordance with Swedish law. Disputes concerning the interpretation or application of this Agreement shall be settled in accordance with the Terms.

4.6 At the Controller’s written request, the Processor shall, to the extent technically feasible and subject to applicable law, provide a copy of or access to Personal Data in its possession or control in a commonly used and machine-readable electronic format. The format shall be mutually agreed where reasonably practicable.

4.7 Nothing in this Agreement excludes or limits either Party’s liability to the extent such liability cannot be excluded or limited under applicable law. Subject to the foregoing, each Party’s total aggregate liability arising out of or in connection with this Agreement, whether in contract, tort (including negligence), or otherwise, shall not exceed an amount equal to the total fees paid or payable under the agreement governing the Services during the twenty-four (24) months preceding the event giving rise to the claim.

Notwithstanding the above, each Party’s total aggregate liability for any breach of its obligations under this Agreement relating to Personal Data shall not exceed two (2) times the amount set out above, but never exceed one (1) million euro.

Appendix 1: Controller's instructions

Below are the instructions of the Controller, as stated in Section 3.2 of the Agreement. Instructions given at a later date which makes reference to the Agreement replace the ones provided below.

Categories of data subjects

Potential customers and receivers of the Controller's offers, as well as Controller’s employees who have a user account.

Types of Personal Data

Name, e-mail address, company name, address for invoicing, phone number, data on use of the Service, time of acceptance or rejection of an offer, other potential data contained in the offer or related to the offer. Where applicable, personal data may also include electronic signature data, guest names, guest email addresses, and guest dietary preferences provided in connection with the booking, organization, or planning of a group stay or event. Profile photo and job title can be optionally provided for user accounts.

Processing purposes

The Personal Data may only be processed for the following purposes and only on behalf of the Controller: providing the Service, including sending, following up, and registering the acceptance or rejection of an offer.

Nature of the processing

Storage, viewing, transferring, registering, amending, deleting.

Retention period

As long as necessary for the provision of the Service, always at most until Controller instructs Processor to delete Personal Data (some or all).

Sub-processors

The Processor may, provided the conditions in Section 3.9 are met, transfer Personal Data to any sub-processor. Approved sub-processors at the date of this Agreement are listed in Appendix 3.

Third country transfers

The Processor may, provided that the conditions in Section 3.10 are met, transfer Personal Data to countries outside the EU/EEA/UK.

Appendix 2: Technical and Organisational Measures

No.1
Category of Measures: EncryptionDescription of Category: Measures to ensure that data is encrypted during transfer and at rest.

Technical Measures:

  • All communication is done over Secure Sockets Layer (SSL).
  • Passwords are salted and hashed.
  • Encryption of data carriers on laptops/notebooks and mobile data carriers ("data at rest”)

No.2
Category of Measures: Confidentiality – physical access control Description of Category: Measures to prevent unauthorized physical access to data processing systems.

Technical Measures:

  • All data is stored by trusted cloud providers with SOC 2 certified data centers

No.3
Category of Measures: Confidentiality – data access control
Description of Category: Measures to prevent unauthorized access to data processing systems.

Technical Measures:

  • Authentication with username /password, and/or biometric methods
  • All non-public pages and REST-endpoints require user authentication
  • Passwords to databases are rotated regularly

Organisational Measures: 

  • Dedicated ‘Alert Manager’ on duty at all times
  • Internal company configuration secrets managed via a secure password manager

No.4
Category of Measures: Confidentiality – data usage control
Description of Category: Measures to ensure that authorized users only have access to the data necessary for their role.

Technical Measures:

  • Authentication with username, password, and/or biometric methods
  • All non-public pages and REST-endpoints require user authentication
  • Passwords to databases are rotated regularly

Organisational Measures: 

  • Role-based user management ensures controlled access to personal information
  • Allocate user rights, defining user profiles, assignment passwords, and assign user profiles to IT-systems

No.5
Category of Measures: Availability – availability control
Description of Category: Measures to ensure that personal data is protected from accidental destruction or loss.

Technical Measures:

  • Monitoring in place to detect issues that could affect platform functionality

Organisational Measures: 

  • Automated database snapshots on a daily basis (stored off-site)
  • Permanent access to past deployments for instant rollbacks

No.6
Category of Measures: Availability – job control
Description of Category: Measures to ensure that, in the case of commissioned processing, data is processed only in accordance with the instructions of the controller.

Technical Measures:

  • All system events are logged and aggregated
  • Important user events stored in Audit logs, kept for a minimum of 3 months

Organisational Measures: 

  • Selection of the Processor giving consideration to diligence aspects (in particular with respect to data security)
  • Assurance of deletion of the data at the end of the provision of services, continuous control of the Processor and its activities

No.7
Category of Measures: Resilience
Description of Category: Measures to ensure that systems and services can handle high peak loads

Organisational Measures: 

  • Actively monitoring the health of our services and upstream services through status alerts, log alerts, log aggregation, and incident reports

No.8
Category of Measures: Restoration of availability
Description of Category: Measures to ensure data availability and access can be restored in a timely manner after an incident.

Technical Measures:

  • Automated database snapshots on a daily basis (stored off-site)

Organisational Measures: 

  • Testing of data restoration

No.9
Category of Measures: Data protection management
Description of Category: Measures to ensure regular testing and evaluation to ensure that the measures in place are effective in protecting personal data.

Technical Measures:

  • Regular penetration tests
  • Every code change goes through a pull request on GitHub with automated tests on Vercel
  • Peer-review required before deployment to production

Organisational Measures: 

  • Regularly revising database schema to ensure high-quality data and prevent redundant or gratuitous data storage
  • Post-mortem analysis after any incident to create action points for the future

Appendix 3: Sub-Processors

Amazon Web Services, Inc. (Amazon Web Services)

  • Registration number: 174230
  • Address: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal
  • Country of establishment: US/IE
  • Country of processing: DE
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): https://aws.amazon.com
  • Subject matter of the processing: The main SQL database where the Processor keeps track of proposals, hotels and data operations
  • Nature of processing: Used for data storage, though information regarding the way we access the data (i.e. SQL queries) are sampled as well in order to monitor and optimize our SQL queries.
  • Duration of processing: During service provision

DigitalOcean, Inc. (DigitalOcean)

  • Registration number: 5118787
  • Address: C/O Corporation Service Company, 251 Little Falls Drive, 19808, Wilmington, US
  • Country of establishment: US
  • Country of processing: DE
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): privacy@digitalocean.com
  • Subject matter of the processing: Server performing long-running synchronizations of account information
  • Nature of processing: We use this server to synchronize account information necessary for Customer Success to communicate with the users.
  • Duration of processing: Transient (1 hour until the script is complete)

Humio, Ltd. (CrowdStrike Inc.)

  • Registration number: 13138098
  • Address: 150 Mathilda Place, Ste. 300, Sunnyvale, CA 94086
  • Country of establishment: US
  • Country of processing: DE
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): privacy@crowdstrike.com
  • Subject matter of the processing: Log aggregation
  • Nature of processing: We store logs of actions that were taken inside our platform to maintain observability on our platform and be alerted early in case of incidents with sufficient metadata to debug them. We maintain a strict policy of not providing any more data to the front-end than the bare necessary it needs to perform its function.
  • Duration of processing: 14 days

Vercel, Inc.

  • Registration number: 5857312
  • Address: 440 N Barranca Ave #4133, Covina, CA 91723
  • Country of establishment: US
  • Country of processing: DE
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): privacy@vercel.com
  • Subject matter of the processing: Backend and frontend functionality
  • Nature of processing: Here we prepare the data necessary for displaying the Service to our users and perform any actions requested by our users. This is the service that bridges the front-end websites that the users see from the database that keeps the data. 
  • Duration of processing: Transient

AC PM, LLC (Postmark)

  • Address: 1 North Dearborn St, 5th Floor Chicago, IL 60602
  • Country of establishment: US
  • Country of processing: EU/US
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): privacy@wildbit.com
  • Subject matter of the processing: Email service
  • Nature of processing: We use the Postmark service to send out email notifications to users (e.g. when a proposal is accepted) and to the recipients of the proposals. We only send information necessary for displaying the email and a very limited amount of email metadata.
  • Duration of processing: 45 days

Emailable, LLC

  • Registration number: 61-1791068
  • Address: 485 Underhill Blvd, Syosset, New York 11791
  • Country of establishment: US
  • Country of processing: EU/US
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): hello@emailable.com
  • Subject matter of the processing: Deliverability check of email addresses
  • Nature of processing: We send in the email address for a new contact, and receive information of whether that email is accessible or not. We use this to help senders identify typos when creating a new contact.
  • Duration of processing: Transient

Uploadcare, Inc.

  • Registration number: 82-1639831
  • Address: 2711 Centerville Road, Suite 400 City of Wilmington, County of New Castle, 19808
  • Country of establishment: US
  • Country of processing: EU/US
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): trust@uploadcare.com
  • Subject matter of the processing: File storage
  • Nature of processing: Storage and processing of uploaded files and images 
  • Duration of processing: Not limited in time (Storage), Transient (Processing)

Intercom

  • Registration number: 10917030
  • Address: Intercom R&D Unlimited Company, 55 2nd Street, 4th Floor San Francisco, CA 94105
  • Country of establishment: US
  • Country of processing: US
  • Transfer instrument: Data Privacy Framework (DPF)
  • Data protection officer (if applicable): legal@intercom.io 
  • Subject matter of the processing: Customer Support
  • Nature of processing: Data for a user account. Data exchanged between the Processor and Controller.
  • Duration of processing: During the time of an active user account

OpenAI OpCo, LLC

  • Address: Pioneer building, 3180 18th St, San Francisco, USA
  • Country of establishment: US
  • Country of processing: US
  • Transfer instrument: EU Standard Contractual Clauses (SCCs) supplemented by the UK Addendum where applicable
  • Data protection officer (if applicable): legal@openai.com 
  • Subject matter of the processing: Provides large language model processing for customers using the Processor’s AI Products 
  • Nature of processing: Processing in order to understand the context of data as well as cleaning data before storing it. 
  • Duration of processing: Transient

Any further questions? Feel free to reach out.
Contact us