Data Processing Addendum – Demaai AB

This Data Processing Addendum (this “DPA”), including its appendices, is hereby incorporated by reference into and is part of the general terms (the “Agreement”) under which Demaai provides the Services to the Customer specified in the Order, solely to the extent and for the purposes outlined herein. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement and this DPA, this DPA shall control.

DEFINITIONS

1. Words and expressions defined in the Agreement shall have the same meaning herein.
2. Applicable Laws: means the law of the European Union or any member state of the European Union to which Demaai is subject.
3. Data Protection Laws: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (General Data Protection Regulation), and the law of the European Union or any member state of the European Union to which Demaai is subject, which relates to the protection of personal data.
4. Customer Personal Data: any Customer Data which includes personal data that Demaai processes in connection with the Agreement, in the capacity of a processor on behalf of the Customer.
5. Purpose: the purposes for which the Customer Personal Data is processed, as set out in section 2.1.
6. DATA PROTECTION
   1. For the purposes of this DPA, the terms controller, processor, data subject, personal data, personal data breach, special categories of data and processing shall have the meaning given to them in the Data Protection Laws.
   2. Both parties will comply with all applicable requirements of Data Protection Laws. The terms of this DPA are in addition to, and do not relieve, remove or replace, a party's obligations or rights under Data Protection Laws.
   3. To the extent the Customer uploads or inputs any Customer Personal Data into the Services, the parties have determined and acknowledged that the Customer shall act as a controller in respect of such data and Demaai shall process such data as a processor on behalf of the Customer for the purpose of providing the Services. Should the determination in this section 1.3 change, then each party shall work together in good faith to make any changes which are necessary to this DPA.
   4. As the Services are cloud based the parties acknowledge and agree that: (a) Customer Personal Data is only processed by Demaai if the Customer uploads it to or inputs it through the Services; and (b) it is the responsibility of the Customer to inform Demaai if Customer Data includes any Customer Personal Data by indicating this in the applicable Order or by notice in writing.
   5. Without prejudice to the generality of section 1.2, the Customer undertakes to:
7. ensure that there is legal ground for processing of personal data covered by this DPA;
8. ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to Demaai for the duration and purposes of the Agreement;
9. immediately after it is brought to the Customer’s attention, inform Demaai of any erroneous, rectified, updated or deleted personal data subject to Demaai’s processing;
10. in a timely manner, provide Demaai with lawful and documented instructions regarding Demaai’s processing of personal data; and
11. act as the data subject’s point of contact.
12. DESCRIPTION OF PROCESSING
    1. Purpose of processing. The purpose of the processing is to provide the Services in accordance with the terms of the Agreement.
    2. Nature of processing. Hosting of Customer Data, which may contain Customer Personal Data, as a result of the Customer uploading it to or inputting it through the Services at Customer’s sole discretion, for the provision of the Services by Demaai and receipt of the Services by the Customer.
    3. Duration of processing. The duration of the processing shall be for the provision of the Services during the term specified in section 7 in this DPA and/or as otherwise required by Applicable Laws.
    4. Categories of data subjects. Any categories of data subjects that the Customer includes in the Customer Personal Data at the Customer’s sole discretion including without limitation the Customers’ clients, employees, suppliers and end users.
    5. Categories of personal data. Any form of Customer Personal Data that the Customer uploads to or inputs through the Services at Customer’s sole discretion. The inclusion of any special categories of personal data in the Customer Personal Data is not permitted and any use of the Services in respect of such data is at the Customer’s sole discretion and liability.
13. DEMAAI’S OBLIGATIONS
    1. Without prejudice to the generality of section 1.2 Demaai shall, in relation to Customer Personal Data:
14. process that Customer Personal Data only on the documented instructions of the Customer, unless Demaai is required by Applicable Laws to otherwise process that Customer Personal Data. Where Demaai is relying on Applicable Laws as the basis for processing Customer Processor Data, Demaai shall notify the Customer of this before performing the processing required by the Applicable Laws, unless those Applicable Laws prohibit Demaai from so notifying the Customer on important grounds of public interest. Demaai shall inform the Customer if, in the opinion of Demaai, the instructions of the Customer infringe Data Protection Laws;
15. implement the technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
16. ensure that any personnel (of Demaai or its subcontractors) engaged and authorised by Demaai to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or other legal obligation of confidentiality;
17. assist the Customer, insofar as this is possible (by taking into account the nature of the processing and the information available to Demaai), and at the Customer's cost and written request, in (i) responding to any requests for exercising the data subject’s rights laid down in the Data Protection Laws and in (ii) ensuring the Customer's compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
18. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data and take reasonable steps to mitigate any damage resulting from such breach;
19. maintain records to demonstrate its compliance with this DPA and, at the Customer’s sole expense and cost, make available such records and allow for reasonable audits by the Customer or the Customer's designated auditor, for this purpose, on reasonable written notice.
20. SUBCONTRACTING
    1. The Customer hereby provides its prior, general authorisation for Demaai to appoint processors to process the Customer Personal Data, including those listed in Appendix 1, provided that Demaai:
21. ensures that the terms on which it appoints such processors comply with Data Protection Laws, and are consistent with the obligations imposed on Demaai in this DPA;
22. remains responsible for the acts and omissions of any such processor as if they were the acts and omissions of Demaai; and
23. informs the Customer of any intended changes concerning the addition or replacement of the processors listed in Appendix 1 either by providing no less than fourteen (14) days prior notice in writing by email or via the Platform or through the Services setting out details of the processor’s name and contact information, services to be provided to Demaai and location of processing, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to Demaai's reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Laws, the Customer shall indemnify Demaai for any losses, damages, costs (including reasonable legal fees) and expenses suffered by Demaai in accommodating the objection.]
24. TRANSFERS
    1. The Customer hereby provides its prior, general authorisation for Demaai to transfer Customer Personal Data outside of the European Economic Area (EEA) as required for the Purpose, provided that Demaai shall ensure that all such transfers are effected in accordance with Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of Demaai, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time.
25. AUDITS
    1. The Customer shall have the right to perform audits of Demaai’s processing of Customer Personal Data (including such processing as may be carried out by Demaai’s subcontractors, if any) in order to verify Demaai’s, and any subcontractor’s, compliance with this DPA and the Data Protection Laws.
    2. Demaai will, during normal business hours and upon reasonable notice (whereby a notice period of twenty (20) Business Days shall always be deemed reasonable), provide, if possible, an independent auditor, appointed by the Customer and approved by Demaai, reasonable access to the parts of facilities where Demaai is carrying out processing activities on behalf of the Customer, to personnel and to all information relating to the processing of the Customer Personal Data. The auditor shall comply with Demaai’s work rules, security requirements and standards when conducting site visits.
    3. A supervisory authority shall always have direct and unrestricted access to Demaai’s premises, data processing equipment and documentation in order to investigate that Demaai’s processing of the personal data is performed in accordance with the Data Protection Laws.
    4. The Customer is responsible for all costs associated with the audit(s), save for when the audit(s) concludes a material breach of Demaai’s undertakings in violation of this DPA. If so, Demaai shall compensate the Customer for reasonable and verified costs associated with the audit.
26. REMUNERATION
    1. The remuneration for Demaai’s undertakings under this DPA shall, unless otherwise stated in this DPA, be included in the remuneration paid by the Customer under the Agreement.
    2. In the event that (i) the Customer amends its written instructions in this DPA, or (ii) the Customer would require the implementation of technical or organisational measures, in addition to those mentioned in section 3.1, and this would cause a cost increase to Demaai, then Demaai shall be entitled to request an equitable adjustment in the remuneration.
    3. The payment terms for the adjusted remuneration, or any other remuneration under this DPA, shall, mutatis mutandis, be governed by the provisions regarding payment in section 7 in the Agreement.
27. TERM AND TERMINATION
    1. This DPA shall enter into force on the Effective Date. Unless terminated earlier due to a material breach of the terms of this DPA, this DPA shall remain in force until termination or expiration of the Agreement, whereupon it shall terminate automatically without further notice.
    2. On termination of this DPA for any reason, Demaai shall cease to process the personal data processed on behalf of the Customer and shall, at the Customer’s expense, provide for the return to the Customer (or its nominated third party) of all such Customer Personal Data together with all copies in its possession or control unless storage of the personal data is required under the Regulatory Requirements. If the Customer does not respond to a Demaai offer to return the personal data processed by it under this DPA, within a period of one (1) month from when the offer was made, Demaai will be entitled to delete any such Customer Personal Data, including copies thereof, unless storage of the Customer Personal Data is required under Applicable Laws. For the purposes of this section 8.2, Customer Personal Data shall be considered deleted where it is put beyond further use by Demaai.
28. LIABILITY AND INDEMNIFICATION
    1. Administrative fines: Fines pursuant to Article 83 of the GDPR shall be borne by the Party to the Agreement named as recipient of such sanctions.
    2. Damages to data subjects: In the event of a compensation for damage in connection with processing of Customer Personal Data to be paid to a data subject due to an infringement of a provision in this DPA, instructions and/or an applicable provision in the Data Protection Laws, Article 82 of the GDPR shall apply.
    3. Other damages: In relation to all other claims arising out of a breach of this DPA, the liability provisions and limitations thereof set out in the Agreement shall apply to this DPA.
29. MISCELLANEOUS
    1. Neither Party may assign its rights or obligations under this DPA without the prior written consent of the other Party.
    2. This DPA sets forth and constitutes the entire agreement and understanding between the Parties with respect to the subject matter hereof and all prior agreements, understandings or promises with respect thereto are superseded hereby.
    3. No amendment, modification, release or discharge of this DPA shall be binding upon the Parties unless in writing and duly executed by authorised representatives of both Parties.
30. GOVERNING LAW
    1. Provisions regarding governing law and disputes are set forth in the Agreement.

Appendix 1 – subcontractors

Dema.ai Platform Subprocessors

AWS

410 Terry Ave N, Seattle, WA 98109

Location: EU

Clerk

Osano International Compliance Services Limited

Location: US

Intercom

55 2nd Street, 4th Fl., San Francisco, CA 94105, USA

Location: US

Hotjar

Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta

Location: EU

Sentry

Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105

Location: US

Mixpanel

One Front Street, 28th Floor, San Francisco, CA 94111

Location: EU

Demai.ai Business Operations Subprocessors

Asana

1550 Bryant St., San Francisco, CA 94103

Location: US

HubSpot, Inc.

Two Canal Park, Cambridge, MA 02141, USA

Location: EU

Mailchimp (The Rocket Science Group, LCC)

675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA

Location: US

Alva labs

Luntmakargatan 66, 113 51 Stockholm, Sweden

Location: EU

Teamtailor

Östgötagatan 16, 116 21 Stockholm

Location: EU