Data processing agreement

  NIORA LABS AB – DATA PROCESSING AGREEMENT

    1. INTRODUCTION AND OBJECTIVE

    1.1. Customer and Supplier (Niora Labs AB) have entered into an agreement (“Main Agreement”) whereby Supplier shall provide services to Customer. This Data Processing Agreement (“Processing Agreement” or “Data Processing Agreement”) forms part of the Main Agreement and governs the processing of Personal Data in connection with the Main Agreement. Except as may be otherwise required under Data Protection Laws, Customer, on behalf of any other Controller (e.g., where applicable, companies within its company group or other Controllers designated by Customer and as may be agreed by Supplier in writing from time to time), shall serve as a single point of contact for Supplier in all matters under this Data Processing Agreement and shall be responsible for the internal coordination, review and submission of instructions or requests to Supplier as well as the onward distribution of any information, notifications and reports provided by Supplier hereunder.

    1.2. Unless otherwise stipulated, the provisions of the Data Processing Agreement shall take precedence over the provisions of the Main Agreement with regard to its subject matter. In the event of a contradiction between the Standard Contractual Clauses (as defined below, as applicable) and the provisions of the Main Agreement and/or this Data Processing Agreement, the Standard Contractual Clauses shall always prevail.

    1.3. This Data Processing Agreement is entered into pursuant to the GDPR’s requirement that there shall be a written agreement on the Processor’s Processing of Personal Data on behalf of the Controller.

    1.4. This Data Processing Agreement is valid for the duration of the Main Agreement and will consequently terminate concurrently upon termination or expiry of the Main Agreement.

    2. DEFINITIONS

    2.1. “Customer” means the entity that has entered into a contract with Supplier and is defined as the “Customer” in the Main Agreement. Customer shall, for the purpose of this Processing Agreement, include, where applicable, also entities within Customer’s group of companies.

    2.2. “Controller” means the party that determines the purposes and means of Processing Personal Data, acting alone or with others.

    2.3. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that is Processed under the Data Processing Agreement.

    2.4. “Data Protection Laws” means the applicable laws that aim at protecting the fundamental rights and freedoms of individuals, and specifically their privacy. They include Customer’s national legislation, where applicable, and Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

    2.5. “Data Subject” means an identified or identifiable natural person, as defined under Data Protection Laws.

    2.6. “Instructions” means written instructions for the Processing of Personal Data given by Customer. Such instructions are provided in this Data Processing Agreement, but may be updated or modified from time to time by separate written instructions from Customer.

    2.7. “Personal Data” means any piece of information that refers to an identified or identifiable natural person, as defined under Data Protection Laws.

    2.8. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, as defined under Data Protection Laws.

    2.9. “Processor” means a party that Processes Personal Data on Controller’s behalf.

    2.10. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses based on the European Commission Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) or any subsequent version or amendment thereof released by the Commission (which shall automatically apply), including their Annexes.

    2.11. “Subcontractor” means any third party which Processor engages to carry out its obligations under this Data Processing Agreement in accordance with Section 6, and which through this engagement Processes Personal Data for which Customer is Controller.

    2.12. “Supplier” is the Niora entity identified as such in the Main Agreement.

    2.13. “Transfer” means a cross-border transfer of Personal Data to territories outside the EU in accordance with Section 11.

    3. PROCESSING OF PERSONAL DATA

    3.1. Purpose and categories of Processing and types of Personal Data processed. The nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects covered under this Data Processing Agreement are specified in Appendix 1.

    3.2. Controller. Without affecting any of the foregoing, Customer is Controller for Personal Data Processed by Supplier under this Processing Agreement. Customer is responsible for ensuring that all Personal Data Processed hereunder is collected legally and for the accuracy and quality of the Personal Data.

    3.3. Processor. Supplier and its Subcontractors are Processors for the Processing of Personal Data under the Main Agreement and shall only Process Personal Data on behalf of Customer and in accordance with Customer’s Instructions. Supplier is responsible for ensuring that the Subcontractors it engages will only Process Personal Data in accordance with the Data Processing Agreement and Data Protection Laws.

    3.4. Instructions. Customer is responsible for giving Supplier Instructions for the Processing of Personal Data. Supplier shall only Process Personal Data in accordance with this Data Processing Agreement and Instructions given by Customer. If Supplier deems that the Instructions are in violation of Data Protection Laws, then Supplier shall notify Customer thereof without delay. Supplier shall, for the avoidance of doubt, not be obliged to perform a certain measure if it could, according to Supplier’s reasonable assessment, result in a breach of Data Protection Laws. Supplier, however, shall not be obliged to perform its own research, investigations or surveys in order to establish whether there is a breach or not, or whether Instructions comply with applicable laws or not.

    3.5. Controller’s original Instructions to Processor regarding the object and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects are listed in Appendix 1.

    3.6. Remuneration. Without affecting Supplier’s obligations under Data Protection Laws, Supplier is entitled to remuneration on a time and material basis for any added work caused by amended Instructions by Customer (or additional work otherwise caused) pursuant to Section 3.4 or other added work not expressly undertaken by Supplier herein.

    4. SUPPLIER’S PERSONNEL

    4.1. Confidentiality. Supplier is responsible for ensuring that Supplier’s and its Subcontractors’ personnel who Process Personal Data for which Customer is the Controller maintain secrecy, have received suitable training on Personal Data and are bound by non-disclosure undertakings. The obligation of confidentiality shall remain in force after termination of this Data Processing Agreement.

    4.2. Restricted access. Supplier is responsible for ensuring that only personnel of Supplier (and Subcontractors) who need access to Personal Data in order to fulfil Supplier’s undertakings under the Main Agreement (and this Data Processing Agreement) shall have access to the Personal Data.

    5. PROTECTION OF PERSONAL DATA

    5.1. Technical and organisational measures. Supplier shall take the technical and organisational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data, the particular risks that exist, existing technical capabilities and the costs of implementing the measures. Personal Data shall be protected from any type of unauthorised Processing, such as change, destruction or unauthorised access and dissemination. Supplier, accordingly, undertakes to take measures in accordance with Article 32 of the GDPR. Supplier shall be prepared to comply with a competent authority’s decision on measures in compliance with security requirements set out under Data Protection Laws.

    5.2. Rights of Data Subjects. Supplier shall notify Customer without undue delay if Supplier receives a request from a Data Subject regarding his or her rights, such as information, correction or deletion of the Data Subject’s Personal Data. Supplier shall not respond to such a request without Customer’s written consent, except for the purpose of notifying the Data Subject that the request has been received and forwarded to Customer. Supplier shall assist Customer in managing Data Subjects’ inquiries and rights, unless Supplier is prevented from doing so by law or by official decision.

    5.3. Supplier shall assist Customer in fulfilling its duties as a Controller of Personal Data to respond to requests regarding Data Subjects, pursuant to administrative procedures and measures adopted and applied by Supplier for such purpose. Supplier shall further render assistance to Customer, and perform measures, as required under Article 28(3)(a)-(h) of the GDPR.

    5.4. Official communications. Supplier shall notify Customer without delay if a government authority contacts Supplier regarding Personal Data Processed hereunder, unless bound by law not to provide such a notification. At Customer’s request, Supplier shall, to a reasonable extent, assist Customer with such official communication, and otherwise provide information in order that Customer may respond to the same within a reasonable time. Supplier is not entitled to respond on Customer’s behalf or act in Customer’s name.

    5.5. Remuneration. Supplier is entitled to remuneration on a time and material basis for work performed assisting Customer to fulfil its obligations in relation to Data Subjects and authorities regarding data protection, unless otherwise expressly provided under Data Protection Laws.

    6. SUBCONTRACTORS

    6.1. Use of Subcontractors. Supplier may engage Subcontractors for the Processing of Personal Data hereunder subject to what is otherwise stipulated in this Section 6, and only for the purposes specified in Appendix 1. The Subcontractors currently appointed are listed in Appendix 1.

    6.2. Contractual obligation. Supplier is responsible for ensuring that all Processing of Personal Data performed by a Subcontractor is governed by a written agreement with the Subcontractor that corresponds to the requirements of this Data Processing Agreement.

    6.3. Change in Subcontractors. Supplier has the right to terminate the agreement with Subcontractors and/or engage new appropriate and reliable Subcontractors, provided that the rules in this Section 6 are applied. Before engaging a new Subcontractor, Supplier shall notify Customer in writing of the engagement and shall endeavour, where this is possible, to provide such notice not less than fourteen (14) days prior to the engagement in question. Customer is entitled to object to the engagement, provided that Supplier is notified in writing of the objection within ten (10) days of receipt of Supplier’s notice.

    6.4. Resolution of objections. If Customer has objected to a Subcontractor in accordance with the above, the parties shall discuss various activities in order to resolve the situation. If the parties cannot agree on a solution within a reasonable time, which shall not exceed thirty (30) days, then each party shall be entitled to terminate the Main Agreement and this Processing Agreement by notifying the other party in writing to this effect. Customer acknowledges and accepts that its objection to the appointment of a Subcontractor may adversely affect Supplier’s ability to perform its undertakings under the Main Agreement (including availability, wholly or partly, of the services to be provided by Supplier thereunder). Supplier is under no obligation to refund any payments made in advance (if any) under the Main Agreement.

    6.5. Supplier’s responsibility. Supplier is responsible for the Subcontractor’s Processing of Customer’s Personal Data and is fully responsible for Subcontractors engaged under the Data Processing Agreement.

    6.6. List of Subcontractors. Supplier shall maintain a list of all Subcontractors who Process Personal Data under the Data Processing Agreement and shall provide Customer with a copy of the list upon request.

    7. AUDITS

    7.1. Customer’s right to perform an audit. Supplier shall provide Customer and Customer’s independent auditors with access to such information and Supplier’s premises as may reasonably be necessary for Customer to be able to verify that Supplier fulfils its obligations under this Data Processing Agreement and Data Protection Laws.

    Unless otherwise required by a government authority or Data Protection Laws, Customer shall, by giving reasonable prior written notice (at least thirty (30) days), inform Supplier that it wishes to conduct an audit. Customer and any persons conducting an audit must enter into adequate confidentiality undertakings prior to such audit and must furthermore adhere to Supplier’s security requirements at the site where the audit shall be conducted. The audit must furthermore, in so far as possible, be conducted so as not to disturb Supplier’s business operations or jeopardise the security of information belonging to other customers. Notwithstanding the foregoing, Customer will primarily rely on applicable existing audit reports or other available verification, if any, to confirm Supplier’s compliance hereunder and to avoid unnecessary repetitive audits; and, unless required by Data Protection Laws, audits will not be made more than once in any twelve-month period. An audit shall not grant Customer access to trade secrets or proprietary information unless required to comply with Data Protection Laws (and Supplier will never be obliged, with regard to any information request or audit, to provide access to any price or other commercial information).

    7.2. Audit results. If an audit has shown that Supplier or a Subcontractor has not fulfilled its obligations according to the Data Processing Agreement, then Supplier shall promptly manage and correct this.

    7.3. Remuneration. Without affecting Supplier’s obligations under Data Protection Laws, Supplier reserves the right to charge, on a time and material basis, for work performed assisting the Customer in performing an audit.

    8. INCIDENTS AND DATA BREACHES

    8.1. Incident management. Subject to its adopted administrative procedures and quality management system, Supplier shall evaluate and act upon events suspected to result in unauthorised access to or Processing of Personal Data (“Incidents”). If there is a risk that the Incident may lead to unplanned or illegal deletion, loss, alteration or release of Personal Data to unauthorised persons, then Supplier shall promptly notify Customer of the Incident and shall provide all reasonably relevant information related to the Incident. Supplier shall develop appropriate steps to manage the Incident and mitigate its effects and shall, where appropriate, cooperate with Customer in order to protect Personal Data and with the aim of restoring the confidentiality, privacy and availability of the Personal Data.

    8.2. Data Breach. Supplier shall notify Customer without undue delay after becoming aware of a Data Breach under this Data Processing Agreement. The notification shall be made in accordance with Article 33 of the GDPR. Supplier shall promptly investigate the Data Breach and take measures to reduce the damage, identify the underlying problem and prevent it from happening again. Customer shall be updated with relevant information related to the Data Breach and Supplier’s work while the work is proceeding, and Supplier shall cooperate with Customer, as appropriate, in order to reduce the damage and to protect the privacy of Data Subjects.

    9. RETURN AND DELETION OF PERSONAL DATA

    9.1. Return and deletion. Within thirty (30) days of expiration of the Main Agreement, Supplier shall delete all Personal Data Processed by Supplier under this Data Processing Agreement, including Personal Data managed in backups and the like. Alternatively, Supplier shall, upon Customer’s written request (to be provided promptly upon expiration of the Main Agreement), return all such Personal Data.

    10. LIABILITY AND LIMITATION OF LIABILITY

    10.1. Damages and penalties. Supplier is only liable for claims and damages from a Data Subject or a third party and administrative penalties from an authority targeting Customer or otherwise, where Supplier or a Subcontractor has failed to fulfil its obligations under the Data Processing Agreement and/or relevant Data Protection Laws. Customer shall indemnify Supplier with respect to any claims and damages from a Data Subject or a third party and administrative penalties from an authority caused by Customer.

    10.2. Limitation of liability. Supplier’s aggregate liability under this Data Processing Agreement shall under no circumstances exceed fifty (50) per cent of the remuneration received under the Main Agreement during the period of twelve (12) months immediately preceding the occurrence of the event upon which liability is based.

    11. TRANSFER OF PERSONAL DATA

    11.1. The Processing activities (including storage) shall take place as set out herein (including by Subcontractors as set out in Appendix 1).

    11.2. The Parties acknowledge and agree that all Processing of Personal Data under this Agreement shall take place within the European Economic Area (“EEA”). No Personal Data shall be transferred to, accessed from, or otherwise Processed in a country outside the EEA.

    11.3. In the event that a transfer outside the EEA would be required during the term of this Agreement, such transfer shall only take place following a prior written agreement between the Parties and in compliance with applicable Data Protection Laws, including the implementation of appropriate safeguards in accordance with Chapter V of the GDPR.

    APPENDIX 1

    1. DATA SUBJECTS

    Employees of the Customer (including full-time, part-time and temporary staff, and consultants), customers and end-users of the Customer’s services, prospective customers (leads, website visitors filling in contact forms) and suppliers and business partners (including contact persons at such entities).

    2. CATEGORIES OF PROCESSED DATA

    Names, contact details (address, phone number, e-mail), employment-related information (position, employer), account details, customer data (financial data, applicable to both customer and end user; product, cost, ERP system and contractual information), correspondence and technical identifiers (IP address, log data). No special categories of personal data are processed under this Agreement.

    3. PURPOSE, NATURE, OBJECTIVE AND DURATION OF THE PROCESSING

    Customer is the party that decides on the purpose of the Processing of Personal Data under the Main Agreement. The purpose of the Processing of Personal Data by Supplier is limited to:

    a) Providing the agreed services such as the provision of software services, support and other services in accordance with the Main Agreement;
    b) Implementing, managing and monitoring any underlying infrastructure required to provide services under the Main Agreement and to fulfil the stipulated technical and organisational requirements for the protection of Personal Data;
    c) Communicating with Customer and Customer’s personnel;
    d) Implementing Customer’s Instructions in accordance with Section 3.4; and
    e) Handling service problems, Incidents or Data Breaches.

    The duration of the Processing is limited to the duration of the Main Agreement.

    4. LIST OF SUBCONTRACTORS

    SUBCONTRACTOR   COUNTRY OF JURISDICTION   PROCESSING JURISDICTION   BRIEF DESCRIPTION OF PROCESSING
    Vercel Inc.     United States             United States             Processing user content and file information
    Supabase        United States             United States             Database for the Niora application
    Anthropic       United States             United States             Inputs and outputs of LLM conversations
    Posthog         Germany                   Germany                   Data- and user analytics

    APPENDIX 2 – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

    1. TECHNICAL AND ORGANISATIONAL MEASURES

    Supplier shall take the technical and organisational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data, the particular risks that exist, existing technical capabilities and the costs of implementing the measures. Personal Data shall be protected from unauthorised Processing, such as change, destruction or unauthorised access and dissemination.

    Supplier, accordingly, undertakes to take all measures stipulated in Article 32 of the GDPR, including: 1) the pseudonymisation and encryption of personal data; 2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and 4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

    The technical and organisational measures we have implemented are summarised below.

    TECHNICAL MEASURES

    • Access control systems (role-based access, multi-factor authentication, least privilege principle).
    • Encryption of data.
    • Pseudonymisation of personal data where feasible.
    • Regular patching and security updates of operating systems and applications.
    • Firewalls, intrusion detection/prevention systems, and anti-malware solutions.
    • Secure data backups performed regularly and stored in separate, protected environments.
    • Logging and monitoring of system access and data processing activities.
    • Segregation of environments (production, test, development) to prevent unauthorised access to personal data.

    ORGANISATIONAL MEASURES

    • Information security policy approved by management and communicated to all employees.
    • Mandatory confidentiality undertakings for employees and contractors with access to personal data.
    • Regular staff training on data protection, information security and incident response.
    • Defined access request and approval procedures.
    • Incident response plan and breach notification procedures.
    • Vendor management processes, including data protection due diligence of sub-processors.
    • Regular audits and risk assessments of IT and security controls.
    • Business continuity and disaster recovery planning tested on a regular basis.
