Data proccessing agreement
This data processing agreement, including the annexes attached hereto (“the DPA”) is hereby entered into by:
- Signatory company
- Pitchflow AB, corporate registration number 559252-4572, Drottninggatan 55, 111 21 Stockholm, Sweden (”Pitchflow”)
The below paragraphs should be interpreted in the same way as GDPR
Pitchflow offers a web-based platform for digital communication. Subject to the terms of the Agreement, Pitchflow will provide Customer access to the platform for use of agreed services, as specified in the Agreement (below the “Services”).
AGREEMENT DOCUMENTS AND PRECEDENCE
The Parties have entered into a services agreement including appendices for Customer’s use of the Pitchflow platform and other Services (the “Services Agreement”). Pitchflow will process personal data on behalf of Customer in connection with provisioning of Services under the Services Agreement.
Customer hereby appoints Pitchflow as a processor of personal data on behalf of Customer and any Additional Controllers (as defined below) subject to the terms of the DPA.
Customer may use the Services for Included Brands, as defined in the Services Agreement. If any other legal entity than customer (e.g. a subsidiary or affiliate of Customer) is a controller of personal data used in the Services, then all such legal entities shall be listed in Annex 2 (“Additional Controllers”). By signing this DPA, Customer concludes a data processing agreement with Pitchflow on behalf of Customer and each Additional Controller. For the purposes ofApplicable Data Protection Legislation, this means that separate data processing agreements (on identical terms as this DPA) are entered into between Pitchflow and each controller of personal data.
Customer hereby warrants and represents in relation to Pitchflow that Customer has obtained all necessary mandates and approvals in order to be able to enter into this DPA with legally binding effect on behalf of Additional Controllers.
Customer shall notify Pitchflow in writing about all additions or changes to the Additional Controllers listed in Annex 2.
Notwithstanding the inclusion of Additional Controllers in this DPA, Customer shall always be Pitchflow’s single-point of contact with regard to the Services and this DPA. This means, inter alia, that:
- any and all controller instructions to Pitchflow under the DPA shall be given by Customer through agreed processes with Pitchflow,
- Additional Controllers may contact Pitchflow directly only where such direct contact is required to ensure compliance with Applicable Data Protection Legislation and has been approved by Pitchflow in advance,
- only the Customer and authorities aswell as directly accociated third parties to the Customer if reasonable may audit the Data Processor (on behalf of Additional Controllers, where necessary under Applicable Data Protection Legislation), and
- Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered, and
- Customer guarantees to be jointly and severally liable (Sw. solidariskt ansvar) in relation to Pitchflow, and will indemnify Pitchflow pursuant to Section 3.6, for any and all acts or omissions by Additional Controllers,
- all communication to or from Pitchflow shall be addressed via or originate from Customer.
Customer hereby agrees to indemnify and hold Pitchflow harmless for any and all losses, costs or liabilities (including legal fees) arising for Pitchflow due to Additional Controller’s use of the Services.
It is Customer’s sole responsibility and cost to coordinate all Additional Controllers, including any required changes to its organization or corporate structure to ensure compliance with this Section 3.
RESPONSIBILITY AND INSTRUCTIONS
Customer (on behalf of Additional Controllers where relevant) is responsible for the processing of all personal data which Pitchflow processes on behalf of Customer and Additional Controllers for the purpose of providing the Services. The relevant data is specified in Annex 1 (“Included Personal Data”).
Pitchflow undertakes to only process the Included Personal Data in accordance with the controller’s written instructions as set in the DPA, and only to the extent necessary for the performance of the Services Agreement. For the avoidance of doubt, the DPA and the Services Agreement include exhaustive instructions to Pitchflow as of the signing date. Pitchflow may alternatively terminate the DPA in such circumstances, subject to section 13.2 below.
Pitchflow shall immediately inform Customer if, in Pitchflow’s opinion, an instruction infringes Applicable Data ProtectionLegislation.
Pitchflow undertakes to promptly notify Customer of any personal data breach within 24 hours after having becomeaware of it.
Pitchflow shall provide reasonable assistance to the controller in ensuring compliance with the obligations set out inApplicable Data Protection Legislation with regard to security for processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment and prior consultation, taking into account the nature of processing and the information available to Pitchflow.
Taking into account the nature of the processing, Pitchflow shall assist controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Applicable Data Protection Legislation.
Customer acknowledges that the Services include functionality to enable Customer to retrieve information and access personal data from the Services independently from Pitchflow, in order for Customer to answer data subject requests and/or take other actions required pursuant to Applicable Data Protection Legislation. If and to the extent Customer requests Pitchflow to assist on a matter which Customer could have handled itself through the Services, then Pitchflow is entitled to reasonable compensation for any and all such assistance or information provided. For the avoidance of doubt, Pitchflow will not be entitled to compensation for assistance related to a personal data breach caused by Pitchflow.
Each Party undertakes to not, without the other Party s prior written consent, disclose or reveal to any third party’s personal data or information about the other Party’s business that is reasonably deemed to be regarded as trade secrets, and hence confidential information. Information which a Party has stated to be confidential is always considered as trade secrets. The confidentiality requirement does not apply to information which a Party can show has been known to him in another way than in connection with the assignment or public knowledge. The confidentiality requirement does further not apply when a Party is required by law or court order to disclose information.
Each Party is responsible for ensuring that its employees, subcontractors and subcontractors’ employees are subject to confidentiality in accordance with section 5.1 above, and that such persons only have access to information to the extent which is necessary to perform their obligations.
Notwithstanding the above, the Services Agreement’s confidentiality provisions shall apply to the extent, and in those parts, it contains stricter and more far-reaching confidentiality requirements for either of the Parties compared to the DPA.
Pitchflow shall implement the technical and organizational safety measures necessary for protecting integrity and data.
OBLIGATIONS AFTER THE TERMINATION OF THE AGREEMENT
The Parties agree that Pitchflow after the termination of the Services shall make available all Included Personal Data for download by Customer during a reasonable data retention period (not less than thirty (30) days). Included Personal Data shall be provided in the format in which the Included Personal Data was provided to Pitchflow or in an industry standard format. After expiration of the data retention period, Pitchflow may and shall delete any and all remaining copies of included Personal Data. If Customer requires assistance in relation to export of data, Pitchflow shall be entitled to adequate compensation thereof.
If and to the extent required by Union or national law that Pitchflow shall retain the Included Personal Data, Pitchflow has the right to do so notwithstanding what has been stated above.
Customer and Additional Controllers hereby authorize Pitchflow to engage subcontractors for the processing of included Personal Data. A list of subcontractors is provided by Pitchflow without undue delay from Customer’s request.
Pitchflow shall inform Customer of any plans to replace or engage new subcontractors, giving Customer the opportunity to object to such changes. Customer shall have fourteen (14) days from the date of notification to reasonably object to the use of any new subcontractor by notifying Pitchflow in writing. If Customer has not notified Pitchflow within the time period specified above, Customer shall be deemed to have approved the use of the new subcontractor.
Pitchflow shall enter into data processing agreements with all its subcontractors that will process Included personal data. Such data processing agreement shall impose the corresponding obligations to those of Pitchflow under this DPA on the subcontractor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in accordance with the requirements of Applicable Data Protection Legislation. Pitchflow will never store any personal data outside of EU.
Pitchflow shall be fully liable to Customer for the performance of the subcontractors’ obligations according to the DPA and corresponding sections in any data processing agreements.
Customer has the right to, on its own or through an auditor, within reasonable extent and prior notice to Pitchflow, undertake an audit, including inspections, of Pitchflow. Such third-party auditor must execute a written confidentiality agreement acceptable to Pitchflow before conducting the audit. Subject to Section 3.5 above, Pitchflow will to a reasonable extent assist and permit audits by Additional Controllers and supervisory authorities. Pitchflow is entitled to reasonable compensation thereof.
Customer acknowledges that Pitchflow may engage third party cloud providers to provide the Services. Any audit or inspection of such third-party cloud provider is subject to the policies and rules implemented by such third-party cloud provider from time to time.
To request an audit, Customer must submit a detailed audit plan to Pitchflow at least ten (10) business days in advance of the proposed audit. The audit plan must describe the proposed scope, duration, and start date of the audit. Pitchflow will review the audit plan and provide Customer with any concerns or questions. Parties shall negotiate in good faith in agreeing on a final audit plan.
Pitchflow must, upon Customer’s request and to a reasonable extent, provide Customer available information about the processing of the Included Personal Data, in order to demonstrate compliance with its obligations under Applicable Data Protection Legislation. Pitchflow shall have the right to reasonable compensation thereof.
In the event of a request by data subjects, supervisory authorities, or any other third party, regarding the processing of the Included Personal Data, the Parties shall cooperate and exchange information to a necessary extent.
TRANSFERS TO THIRD COUNTRIES
Pitchflow may transfer the Included Personal Data outside of the EU/EEA (i) if the European Union Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection, or (ii) by signing necessary standard contractual clauses adopted by the European Union Commission. If required to comply with Applicable Data Protection Legislation,Customer hereby authorises Pitchflow to enter into such standard contractual clauses on behalf of Customer and all Additional Controllers.
Any disputes with regard to the interpretation or application of this DPA will be determined according to the provisions of disputes and applicable law set out in the Services Agreement.
Neither Party is entitled to transfer, in whole or in part, its obligations or rights under this DPA to a third party without prior written approval from the other Party.
The DPA remains in effect as long Pitchflow processes Included Personal Data on behalf of Customer and Additional Controllers. Any termination of the Services Agreement shall be deemed as a termination also of this DPA.
The Data Processor has the right to, without any liability for damages or other liabilities, terminate both the Services Agreement and the DPA within ninety (90) days from receiving instructions or demands from Customer, which Pitchflow cannot accept (provided that Pitchflow can show reasonable cause for not accepting the instruction). Terminationaccording to the above will take effect latest at the time when the instructions or requirements are to take effect, or at the time agreed upon in writing by the Parties. In case of such termination, Customer shall pay full compensation for the remaining term of the Services Agreement.
This DPA is an appendix to the Services Agreement entered into by Pitchflow and Customer. The signature of the Services Agreement shall be deemed as binding also for the DPA.
DPA - APPENDIX 2
This annex sets out the details concerning the Included Personal Data and processing thereof pursuant to the DPA. The purpose of this Annex 1 is to clarify which processing and personal data that is covered by the DPA, and to fulfill the requirements of the Applicable Data Protection Legislation regarding the obligation to specify the categories of a processor’s processing of personal data.
The subject, nature, and the purpose of processing under the DPA
For communication and interaction with customers in digital salesrooms and meeting rooms in the tool Pitchflow. Personal data is saved 3 months by default. This can be changed in settings.
Duration of the data processing
The time it takes for the marketing department and sales department to efficiently process personal data, in an approved manner according to current legislation.
The categories of personal data
- Customer Data
- Behavior Data
The categories of data subjects
- First Name, Last Name, address, phone number, email
- Country
- Interaction data in meetings like clicks, URLs, meeting categories, mouse movement, engagement, browser behavior
- Video & Audio recordings of meetings
Processing activities
Without any limitation of the scope of the service agreement, the following processing activities shall be covered by Pitchflow's processing of Included Personal Data under the Service Agreement:
- Connection and data enrichment from and to CRM and internal sys
- Market
- Automation
- Mail sending
- Use in meetings and post-processing
- Analysis and statistics about meetings and use sales material
DPA - APPENDIX 2
Interactive Solutions Bodama AB (556734-2182)
Scope: Responsible for Pitchflow s infrastructure and parts of software development.
Scaleway (FR 35 433115904)
Scope: Hosting & Storage
European hosting and infrastructure provider
Symplify Technologies AB (556589-7294)
Scope: Sending transactional email and SMS
Scandinavian omnichannel communications platform