CCX Data Processing Agreement

REVIEWED: 04/06/2024

Definitions

Agreement: means the agreement between Severalnines AB and the Customer that consists of the CCX Terms of Service. The Company providing you services through this website is Severalnines AB, a company duly organized under the laws of Sweden, registered in Sweden, having its working address at Knipuddevägen 18, SE-394 77 Kalmar, Sweden. 

Severalnines Products: means the Service and other products of Severalnines together with any products that are hereafter designed, developed or marketed by Severalnines.

Customer Data: means data submitted, stored, sent or received via the Service by Customers or End Users. 

Personal Data: means personal data contained within the Customer Data. 

Data Incident: means a breach of Severalnines security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Severalnines. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. 

Data Processing Addendum or DPA: means this Addendum, which is an inseparable part of the Terms of Service accepted by the Customer.

European Data Protection Legislation: means, as applicable, the GDPR, as well as any other applicable EU legislation. 

GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. 

Party: means either Severalnines or the Customer. 

Parties: means both Severalnines and the Customer. 

Term: means the term set forth in the Agreement. 

DBaaS model: means a Service licensing and delivery model in which Service is licensed on a subscription basis and is centrally hosted by Severalnines. The Service is accessed by Customers via a web browser. 

Services: means the services provided by Severalnines as described in the Agreement and the Terms of Service, an inseparable part of the Agreement. 

Service: means the web-based service (CCX DBaaS), developed by Severalnines located at app.mydbservice.net 

Standard Contract Clauses: means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.

Subprocessors: means third parties authorized under this Data Processing Addendum to have logical access to and process Customer Data in order to provide parts of the Services and related technical support. 

Third parties: means any other persons, organizations, and authorities, besides Severalnines and the Customer. 

Web-site:  means the web-based located at severalnines.com/ccx

All terms, which have not been explicitly defined above, such as “personal data”, “data subject”, “processing”, “controller”, “processor”, “supervisory authority”, etc. have the meanings given in the GDPR.

Scope of Addendum

Service Agreement 

  1. Severalnines provides a DBaaS (Database as a Service) cloud-based application which, by functionality, automates and manages highly available (HA) open-source database deployments. 
  2. Under the Agreement, Severalnines agreed to provide the Customer with the Services as specified in the Agreement. 
  3. In rendering the Services, Severalnines may from time to time be provided with, or have access to, information of the Customer which may qualify as personal data within the meaning of the GDPR and other applicable European and Swedish data protection laws and provisions.

GDPR

  1. This Data Processing Addendum reflects the Parties’ agreement with respect to the terms governing the processing and security of Customer Data under the Agreement according to the requirements of GDPR and any other European Data Protection Legislation. 
  2. The parties acknowledge and agree that the European Data Protection Legislation, including the GDPR, will apply to the processing of Personal Data if the Personal Data is personal data relating to data subjects who are in the EU/EEA and the processing relates to the offering to them of goods or services in the EU/EEA or the monitoring of their behavior in the EU/EEA as well as when the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EU/EEA.
  3. The Parties agree that the sets of data processing and transfers covered by this DPA qualify as commissioned data processing as per Art. 28 of the GDPR with Severalnines qualifying as a processor within the meaning of the GDPR and that they would like to use this DPA as the required contractual processing agreement. 
  4. In order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Customer to Severalnines of the personal data, the Parties have entered into this DPA. 
  5. The Parties agree that Severalnines shall have the right to ask for changes to any part of this DPA to the extent required to satisfy any interpretations, guidance or orders issued by competent Union or Member State authorities, national implementation provisions, or other legal developments concerning the GDPR requirements for the commissioning of data processors in general or other requirements for the commissioning of data processors. The Parties will agree on the necessary changes in good faith effort taking their obligation to carry out this contractual relationship in compliance with applicable data protection law into account.

Processor and Controller 

  1. Severalnines is a processor of Personal Data. 
  2. Customer is a controller of Personal Data. 
  3. Each Party will comply with the obligations applicable to it under the European Data Protection Legislation concerning the processing of that Personal Data. 
  4. Customer warrants to Severalnines that Customer’s instructions and actions concerning that Personal Data are legitimate and permitted under the applicable European Data Protection Legislation.
  5. Customer is responsible for the processing activities relating to the personal data, as specified in this DPA, which are lawful, fair, and transparent in relation to the data subjects concerned.

Scope of Processing 

  1. By entering into this Data Processing Addendum, the Customer instructs Severalnines to process Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Customer’s use of the Services and related technical support; (c) as documented in the applicable Agreement, including the applicable Terms of Service and this Data Processing Addendum; and (d) as further documented in any other written instructions given by the Customer and acknowledged by Severalnines as constituting instructions for purposes of this Data Processing Addendum. 
  2. Any further instructions of processing, given by the Customer to Severalnines that go beyond the instructions contained in this DPA or the Agreement shall be considered within the subject matter of the Services Agreement and this DPA and Severalnines’s acts of processing shall be considered lawful and compliant with the GDPR and other applicable legislation. It shall be the Customer’s responsibility to guarantee the legality of any personal data processing of which the Customer has given instructions to Severalnines to perform.
  3. The Customer acknowledges that the Services, provided by Severalnines to the Customer include, among others described above, the provision by Severalnines to the Customer and all End Users, using the Service on behalf of the Customer, of notifications on the scope of Services, their update, upgrade, amendment, new releases, development and/or termination via Newsletters, emails and other electronic and non-electronic means of communication, which may be applicable. 
  4. Severalnines will comply with the instructions described above (Customer’s Instructions) (including with regard to data transfers) unless EU or Swedish State law requires other processing of Personal Data by Severalnines, in which case Severalnines will inform the Customer (unless that law prohibits Severalnines from doing so on important grounds of public interest). Upon providing such notification, Severalnines is not obliged to follow the Customer’s instructions. 
  5. For clarity, Severalnines will not process Personal Data for Advertising purposes or serve Advertising in the Services. Notifications from Severalnines to the Customer and all End Users on the scope of Services, their update, upgrade, amendment, new releases, developments and/or termination via Newsletters, emails, and other electronic and non-electronic means of communication, which may be applicable, shall not be considered advertising, marketing or other activity, not included in the Services. Such notifications shall be considered part of the Services provided by Severalnines to Customers. 
  6. If at any time the Customer or any End User would like to unsubscribe from receiving future emails, he or she must follow the instructions on how to unsubscribe at the bottom of Severalnines emails.

Subject Matter 

Severalnines’s provision of the Services and related technical support to Customer. 

Data Subjects 

Subjects, whose personal data is entered by the End Users. 

Nature and Purpose of the Processing 

Severalnines will process Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Service for the purposes of providing the Services and related technical support to the Customer in accordance with the Data Processing Addendum. 

Duration of the Processing 

The applicable Term plus the period from expiry of the Term until deletion of all Customer Data by Severalnines in accordance with the Data Processing Addendum, unless the GDPR requires otherwise. 

Categories of Data and Purpose of its Processing 

  1. Personal Data submitted, stored, sent or received by Customer or End Users via the Services may include the following categories of data:
    1. Email address – necessary for authenticating the End Users before allowing its access to the Service and Customer Data, including Personal Data, as well as for providing technical support. 
    2. other data, uploaded by Customer and End Users – entering and upload of any other personal data is at the full discretion of the Customer. 
  2. Severalnines shall not use any other personal data, entered by Customer or End User, except for categories of data, described in Section (a) above.
  3. It is not Severalnines’s obligation to monitor personal data, entered or uploaded by Customer or End User, to categorize or process it in any other way. 
  4. It is the Customer’s responsibility to provide and guarantee that the processing of personal data activities, performed by Customer and End Users with the Service shall be compliant with the requirements of the GDPR. 

Method of collection 

  1. Each user of the Service personally provides the Personal Data entered or uploaded in the Service.
  2. Customers and End-users shall enter Third-party personal data only with due authorization or GDPR compliant consent by such party. Customer and End users are responsible for entering somebody else’s personal data without acquiring their preliminary due authorization or GDPR compliant consent. Severalnines does not control the content, entered by the Customer and End User. Severalnines has no contact with any third parties, whose personal data the Customer or End User may enter in the Service. In the event of a third-party claim or sanctions by a competent authority in respect of entering Third-party personal data in the Service in violation of GDPR by Customer or End User, Customer shall compensate Severalnines for all sustained damages, including any compensations, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.

Data Subjects 

  1. Personal Data submitted, stored, sent or received via the Services may concern the following categories of data subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s Customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
  2. Customers shall grant access to End Users after acquainting them to the information provided to Customer in this DPA, the rights of the End Users under the GDPR and the methods of their implementation. Customers will acknowledge that such provision of information is required by GDPR and is necessary for the implementation of GDPR principles of data protection. Customers shall also grant access to End Users, who have accepted the terms and conditions of data protection, included in this DPA. In the event of a Data Subject claim or sanctions by a competent authority in respect of entering or processing personal data in the Service in violation of GDPR by Customer or End User, Customer shall compensate Severalnines for all sustained damages, including any compensations, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc. 

Cookies 

  1. To the extent as permitted under applicable European Data Protection legislation, parties agree that Severalnines may use Cookies on the Website and collect information about the preferences and interests of the visitors and to analyse data about the people browsing the Website. 
  2. Information about the collected information and processing of any Website uses cookies shall be used by Severalnines to improve the quality of the services offered.
  3. Disabling Website cookies may affect some features of the Website and these may not work as intended. 

Additional Services 

  1. If Severalnines, at its option, makes any Additional Services available to Customer in accordance with the Terms of Service and if Customer opts to install or use those Additional Services, the Services may allow those Additional Services to access Personal Data as required for the operation of the Additional Services. For clarity, this Data Processing Addendum shall apply to the processing of personal data in connection with the provision of any Additional Services installed or used by Customer, including personal data transmitted out of the EU. 
  2. Even if the Customer has not objected initially to the transfer of data out of EU, the Customer may at all times inform in writing Severalnines that Customer does not want personal data to be transferred any more to third parties in case of Additional service integration and Severalnines shall not transfer in the future such data after the date on which Severalnines has received the communication from the Customer. However, if the Customer has initially accepted such transfer and has not later on informed Severalnines in writing about any objection, it shall be considered that the Customer has instructed Severalnines to provide the Additional Service and execute data transfers until the date of the objection. If the Customer objects to such transfer, the Customer and the End Users shall not be able to use those Additional Services anymore. 

Data Deletion 

  1. Severalnines will enable Customer and/or End Users to delete Customer Data during the applicable Term in a manner consistent with the functionality of the Services if such deletion is in accordance with applicable law. Severalnines will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days unless EU or Swedish law requires storage. 
  2. With this DPA the Customer instructs Severalnines to delete, on expiry of the applicable Term, all Customer Data (including existing copies) from Severalnines’s systems in accordance with applicable law. Severalnines will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or Swedish law requires storage. Customer acknowledges and agrees that Customer will be responsible for exporting before the applicable Term expires, any Customer Data it wishes to retain afterwards.
  3. To the extent any Customer Data covered by the deletion instruction described in Section (b) is also processed, when the applicable Term expires, in relation to an Agreement with a continuing Term, such deletion instruction will only take effect with respect to such Customer Data when the continuing Term expires. 
  4. For clarity, this Data Processing Addendum will continue to apply to Customer Data until its deletion by Severalnines. 

Data Security 

  1. Severalnines will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The Technical and organizational measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Severalnines’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Severalnines may update or modify the Technical and organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. 
  2. Severalnines will take appropriate steps to ensure compliance with the Technical and organizational Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 
  3. Customer agrees that Severalnines will (taking into account the nature of the processing of Personal Data and the information available to Severalnines) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Technical and organizational measures in accordance with the GDPR; (b) complying with the procedures for Data Incidents notification and regulation as required by the GDPR; (c) providing Customer with the necessary information and documentation as required by the GDPR. 

Data Incidents 

  1. If Severalnines becomes aware of a Data Incident and if it is required by the GDPR, Severalnines will notify the Customer of the Data Incident promptly and without undue delay; and promptly take reasonable steps to minimize harm and secure Customer Data. 
  2. Notifications made pursuant to this section will implement the requirements of the GDPR and will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Severalnines recommends Customer take to address the Data Incident. 
  3. Notification of any Data Incident will be delivered to the Email Address of the Customer, recorded in the Agreement or, at Severalnines’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Customer’s Email Address is current and valid. 
  4. Severalnines will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident. 
  5. Severalnines’s notification of or response to a Data Incident under this Section will not be construed as an acknowledgment by Severalnines of any fault or liability with respect to the Data Incident. 
  6. Customer acknowledges that although Severalnines will take all reasonable precautions to keep personal data safe and secure, Severalnines shall not be liable for extraneous circumstances such as theft, communication errors or malicious tampering. 

Customer’s Security Responsibilities

  1. Customer agrees that Customer is solely responsible for its use of the Services and the compliance of Customer’s and End Users’ activities with GDPR, including: 
    1. making appropriate use of the Services and the Service to ensure a level of security appropriate to the risk in respect of the Customer Data; 
    2. securing the account authentication credentials, systems and devices Customer uses to access the Services; and 
    3. backing up its Customer Data; 
  2. Customer agrees that Severalnines has no obligation to protect Customer Data that Customer elects to store or transfer outside of Severalnines and its Subprocessors’ systems (for example, offline or on-premise storage), or to protect Customer Data by implementing or maintaining Technical and organizational Measures except to the extent Customer has opted to use them.
  3. Customer is solely responsible for reviewing Severalnines’s Technical and Organisational Measures and evaluating for itself whether the Services, the Technical and organizational Measures and Severalnines’s commitments under DPA will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation, as applicable.
  4. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Personal Data as well as the risks to individuals) the Technical and organizational Measures implemented and maintained by Severalnines as set out in this DPA provide a level of security appropriate to the risk in respect of the Customer Data.

Impact Assessments 

  1. Customer agrees that Severalnines may (taking into account the nature of the processing and the information available to Severalnines) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the Customer with Severalnines’s Technical and Organisational Measures and providing other information contained in the applicable agreement including this Data Processing Addendum. 
  2. Severalnines may charge a fee (based on Severalnines’s reasonable costs) for any assistance under Section (a) above. Severalnines will provide the Customer with details of any applicable fee, and the basis of its calculation, in advance of any such assistance. 
  3. Severalnines may object in writing to providing any assistance under Section (a) above at its own discretion if it will harm or may harm in any way Severalnines’s legal rights, business interests, the normal course of activities, or may be otherwise manifestly unsuitable.

Monitoring 

In order to assist the Customer with its legal obligation to diligently choose a service provider, Severalnines shall monitor, by appropriate means, its own compliance and the compliance of its employees and Subprocessors with the respective data protection obligations of a Processor laid down in Art. 28 of the GDPR and in this DPA in connection with the Services. Severalnines shall make available to the Customer any information necessary to demonstrate compliance with such obligations when required by the GDPR. 

Reviews and Audits of Compliance 

  1. If the European Data Protection Legislation requires, Severalnines will allow Customer or an independent auditor appointed by Customer to conduct audits to verify Severalnines’s compliance with its obligations under this Data Processing Addendum. Severalnines will contribute to such audits by providing information and documentation as described in Section (a) above or to the extent required by GDPR and Swedish data protection legislation.
  2. Following receipt by Severalnines of a request for an audit, Severalnines and Customer will discuss and agree in advance on reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit.
  3. Severalnines may charge a fee (based on Severalnines’s reasonable costs) for any audit. Severalnines will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. 
  4. Severalnines may object in writing to an auditor appointed by Customer to conduct any audit, if the auditor is, in Severalnines’s reasonable opinion, not suitably qualified or independent, a competitor of Severalnines, or otherwise manifestly unsuitable. Any such objection by Severalnines will require the Customer to appoint another auditor or conduct the audit itself. 

Data Subject Rights 

  1. During the applicable Term, Severalnines will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Severalnines as described in this DPA and to export Customer Data. 
  2. Severalnines agrees and warrants that it will deal promptly and properly with all inquiries from the Customer relating to its processing of the Personal Data and to abide by the advice of the supervisory authorities with regard to the processing of the Personal Data. 
  3. Customer agrees that (taking into account the nature of the processing of Personal Data) Severalnines will assist Customer in fulfilling any obligation to respond to requests by data subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by complying with the GDPR obligatory requirements. 

Transfers of Data Out of the EU/EEA 

  1. Customer agrees that Severalnines may store and process Customer Data in the United States and any other country in which Severalnines or any of its Subprocessors maintains facilities. 
  2. If the storage and/or processing of Personal Data involves transfers of Personal Data out of the EU/EEA and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), Severalnines may enter into Standard Contract Clauses with Subprocessors as provided by the respective Subprocessors and that the transfers are made in accordance with such Standard Contract Clauses. Taking into account the state of technologies and the extensive use of the internet in acquiring some services, the Customer agrees that Severalnines may also accept Subprocessors’ Terms of Service or any equivalent or alternative, provided by Subprocessors via their websites.
  3. In respect of Transferred Personal Data, shall be considered as a contractual obligation of Severalnines in fulfilling Severalnines obligation to provide the Services and more specifically as a Customer’s instruction in the meaning of GDPR. 
  4. Whenever Severalnines has entered into Standard Contract Clauses, Severalnines will ensure that any disclosure of Customer’s personal data, and any notifications relating to any such disclosures, will be made in accordance with such Standard Contract Clauses, the requirements of applicable European Data Protection Legislation and the binding decisions of the European Commission and the European Court of Justice. 
  5. In respect of Transferred Personal Data, Customer agrees that any such Transfer of Data, executed in compliance with this Section 22, shall be considered as a suitable guarantee and an effective legal tool for personal data protection. 

Subprocessors 

  1. Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third-party Subprocessors”). In order to provide Customer’s optimal comfort, thorough understanding and effective use of the Service, Severalnines may also from time to time engage Subprocessors, local to Customer and/or speaking the language of Customer’s country of registration or operation.  
  2. Information about the Severalnines Subprocessors is available in Appendix 1 below and may be updated by Severalnines from time to time. When any new Subprocessor is engaged during the applicable Term, Severalnines will spend reasonable efforts to inform the Customer of the engagement either by sending a Newsletter or an email to the Customer Email Address or via the Admin Console. Customer agrees and instructs Severalnines that Subprocessors, engaged in order to facilitate communication between parties in the language of the Customer, shall not be listed in Appendix 1 or announced via Newsletter or an email or the Admin Console. Customer accepts and agrees that Severalnines may introduce such native-speaking Subprocessor to the Customer via email. 
  3. When engaging any Subprocessor, Severalnines will ensure via a written contract or another suitable electronic form that: (i) the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with any Standard Contract Clauses entered into by Severalnines; and (ii) if the GDPR applies to the processing of Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as required by the GDPR, are imposed on the Subprocessor.
  4. Subprocessor remains fully liable for all obligations subcontracted to them and all acts and omissions of the Subprocessor except for all cases when the GDPR transfers the liability for Subprocessors to Severalnines in its capacity of a processor. 
  5. When any Additional service is engaged via a Third-party Subprocessor during the applicable Term, Severalnines will inform the Customer of the engagement either by sending a Newsletter or an email to the Customer’s Email Address or via the Admin Console. 
  6. Customer may object to any new Third-party Subprocessor by terminating the applicable Agreement or the Service, provided by the Subprocessor immediately upon written notice to Severalnines, on condition that Customer provides such notice within 30 days of being informed of the engagement of the Subprocessor. This termination right is the Customer’s sole and exclusive remedy if Customer objects to any new Third-party Subprocessor. 

Records 

Customer acknowledges that Severalnines is required under the GDPR to (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Severalnines is acting and, where applicable, of such processor or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Personal Data, the Customer will, where requested, provide such information to Severalnines and will ensure that all information provided is kept accurate and up-to-date. 

Liability 

Nothing in this DPA will affect the remaining terms of the applicable Agreement relating to liability (including any specific exclusions from any limitation of liability). 

Effect of Addendum 

  1. To the extent of any conflict or inconsistency between the terms of this Data Processing Addendum and the remainder of the applicable Agreement, the terms of this Data Processing Addendum will govern. For clarity, this Data Processing Addendum will, as from the Effective Date be effective and replace any previously applicable data processing provisions. 
  2. Effective Date means, as applicable: (a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement prior to or on such date; or (b) the date on which Customer clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement, if such date is after 25 May 2018. 
  3. This Data Processing Addendum will take effect on the Effective Date and, notwithstanding the expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Severalnines. 

Applicable law 

This DPA shall be governed by the law of Sweden. The place of jurisdiction for all disputes regarding this DPA shall be Stockholm, Sweden, except as otherwise stipulated by applicable data protection law. 

Appendix 1: Subprocessors 

For providing quality services to our customers, Severalnines engages a number of Subprocessors that are carefully selected according to their capacity for Personal Data protection and processing in compliance with Severalnines’s obligations under this DPA and the GDPR. 

All Subprocessors, situated out of the EU, whose services require the transfer of personal data out of the EU, shall be compliant with the requirements of the relevant agreements of the EUAA. 

Severalnines uses as Subprocessors and Personal Data may be transferred to the providers of the following services: 

  • Email (Gmail and SendGrid) 
  • Payment Gateway (Stripe) 
  • Cloud Hosting Services (Amazon Web Services and Google Cloud) 
  • Marketing and Sales Automation Software (Salesforce) – Personal data (email) is transferred upon explicit request by the user to receive notifications and blog content. 
  • Marketing and Sales Automation Software (Pardot) – Personal data (email) is transferred following a double opt-in process (contacts will receive an extra confirmation email in order to verify their email address). 

Severalnines may replace their Subprocessors from time to time following the above rules of strict selection. Updated information about the list of current Subprocessors may be found at all times here on our website and we may inform you about such updates via our monthly newsletters. 

Customer may object to any new Third-party Subprocessor by terminating the applicable Agreement or the Service, provided by the Subprocessor immediately upon written notice to Severalnines, on condition that Customer provides such notice within 30 days of being informed of the engagement of the Subprocessor. This termination right is the Customer’s sole and exclusive remedy if Customer objects to any new Third-party Subprocessor.