Data Processing Addendum

This Data Processing Addendum (DPA) is hereby incorporated by reference into and is part of the Agreement under which Demaai AB provides the Services to the Customer specified in the Order, solely to the extent and for the purposes outlined herein. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement and this DPA, this DPA shall control.

DEFINITIONS

- Words and expressions defined in the Agreement shall have the same meaning herein.
- Applicable Laws: means the law of the European Union or any member state of the European Union to which Demaai is subject.
- Data Protection Laws: means the General Data Protection Regulation ((EU) 2016/679) and the law of the European Union or any member state of the European Union to which Demaai is subject, which relates to the protection of personal data.
- Customer Personal Data: any Customer Data which includes personal data that Demaai processes in connection with the Agreement, in the capacity of a processor on behalf of the Customer.
- Purpose: the purposes for which the Customer Personal Data is processed, as set out in clause 2.1.

1. DATA PROTECTION

1.1 For the purposes of this DPA, the terms controller, processor, data subject, personal data, personal data breach, special categories of data and processing shall have the meaning given to them in the Data Protection Laws.

1.2 Both parties will comply with all applicable requirements of Data Protection Laws. The terms of this DPA are in addition to, and do not relieve, remove or replace, a party's obligations or rights under Data Protection Laws.

1.3 To the extent the Customer uploads or inputs any Customer Personal Data into the Services, the parties have determined and acknowledged that the Customer shall act as a controller in respect of such data and Demaai shall process such data as a processor on behalf of the Customer for the purpose of providing the Services. Should the determination in this clause 1.3 change, then each party shall work together in good faith to make any changes which are necessary to this DPA.

1.4 As the Services are cloud-based, the parties acknowledge and agree that: (a) Customer Personal Data is only processed by Demaai if the Customer uploads it to or inputs it through the Services; and (b) it is the responsibility of the Customer to inform Demaai if Customer Data includes any Customer Personal Data by indicating this in the applicable Order or by notice in writing.

1.5 Without prejudice to the generality of clause 1.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to Demaai for the duration and purposes of the Agreement.

2. DESCRIPTION OF PROCESSING

2.1 Purpose of processing. The purpose of the processing is to provide the Services in accordance with the terms of the Agreement.

2.2 Nature of processing. Hosting of Customer Data, which may contain Customer Personal Data, as a result of the Customer uploading it to or inputting it through the Services at Customer’s sole discretion, for the provision of the Services by Demaai and receipt of the Services by the Customer.

2.3 Duration of processing. The duration of the processing shall be for the provision of the Services during the term specified in the applicable Order and as otherwise required by law.

2.4 Categories of data subjects. Any categories of data subjects that the Customer includes in the Customer Personal Data at the Customer’s sole discretion, including without limitation the Customer’s clients, employees, suppliers and end users.

2.5 Categories of personal data. Any form of Customer Personal Data that the Customer uploads to or inputs through the Services at Customer’s sole discretion. The inclusion of any special categories of personal data in the Customer Personal Data is not permitted and any use of the Services in respect of such data is at the Customer’s sole discretion and liability.

3. DEMAAI’S OBLIGATIONS

3.1 Without prejudice to the generality of clause 1.2 Demaai shall, in relation to Customer Personal Data:


...process that Customer Personal Data only on the documented instructions of the Customer, unless Demaai is required by Applicable Laws to otherwise process that Customer Personal Data. Where Demaai is relying on Applicable Laws as the basis for processing Customer Processor Data, Demaai shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Demaai from so notifying the Customer on important grounds of public interest. Demaai shall inform the Customer if, in the opinion of Demaai, the instructions of the Customer infringe Data Protection Laws;


...implement the technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

...ensure that any personnel engaged and authorised by Demaai to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or other legal obligation of confidentiality;

...assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Demaai), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

...notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data and take reasonable steps to mitigate any damage resulting from such breach;

...at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless Demaai is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 3.1(f) Customer Personal Data shall be considered deleted where it is put beyond further use by Demaai; and

...maintain records to demonstrate its compliance with this DPA and at the Customer’s sole expense and cost allow for reasonable audits by the Customer or the Customer's designated auditor, for this purpose, on reasonable written notice.

4. SUBCONTRACTING

4.1 The Customer hereby provides its prior, general authorisation for Demaai to:
4.1.1 appoint processors to process the Customer Personal Data, including those listed on its website, provided that Demaai:

...shall ensure that the terms on which it appoints such processors comply with Data Protection Laws, and are consistent with the obligations imposed on Demaai in this DPA;

...shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of Demaai; and

...shall inform the Customer of any intended changes concerning the addition or replacement of the processors listed on its website either by providing no less than 14 days prior notice in writing by email or via the Platform or through the Services setting out details of the processor’s name and contact information, services to be provided to Demaai and location of processing, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to Demaai's reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Law, the Customer shall indemnify Demaai for any losses, damages, costs (including reasonable legal fees) and expenses suffered by Demaai in accommodating the objection.

5. TRANSFERS

5.1 The Customer hereby provides its prior, general authorisation for Demaai to transfer Customer Personal Data outside of the European Economic Area (EEA) as required for the Purpose, provided that Demaai shall ensure that all such transfers are effected in accordance with Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of Demaai, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time.