Data Processing Agreement

Updated: 2024-01-11
Please contact us if you wish to view prior versions.
This agreement is incorporated by reference in our Terms of Use. Do you want a stand-alone e-signed version of this agreement? Please contact: info@leadpilot.com or your contact at LeadPilot.

This Data Processing Agreement (the “DPA”, “Agreement”) is entered into by and between:
1) [Company name] (“[Cn]”), a company with corporate registration number [corporate registration number] and address [address, zip code + location] (the “Data Controller”) and
2) LeadPilot AB (“LeadPilot”), a limited liability company incorporated under the laws of Sweden with corporate registration number 559203-9704 and address Sankt Eriksgatan 121 B, 113 43 Stockholm (the “Data Processor”)

Each of [Cn] and LeadPilot is referred to as a “Party” and together as the “Parties”.

1. Purpose

1.1. This Agreement regulates the Data Processor's Processing of Personal Data on behalf of the Data Controller in accordance with the Data Subject’s rights and Applicable Law.

1.2. The Processing is required within the framework of the provision of the Data Processor's services.

1.3. The Agreement applies to all agreements signed between the Parties and the Agreement applies as long as the Data Processor Processes Personal Data on behalf of the Data Controller.

2. Definitions
To the extent that the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation”, “GDPR”), contains terms equivalent to those used in the Agreement, such terms shall be interpreted and applied in accordance with the GDPR.

In the Agreement, the terms listed below shall have the following meanings:

“Agreement”
This main document and at each time applicable annexes, which includes the Terms of Service.

“Personal Data”
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing”
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal Data Breach”
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Applicable Law”
Policies and procedures according to the General Data Protection Regulation, national complementary law to the General Data Protection Regulation, regulatory authorities including the European Data Protection Board’s regulations, remarks, policies, and Commission acts in the field of personal data.

“Sub Processor”
Natural or legal person, public authority, institution, or other entity that in their role as a supplier to the Data Processor Processes Personal Data on behalf of the Data Controller.

“Data Subject”
A natural person whose Personal Data is Processed.

“The Instruction”
The instruction refers to what the Data Controller, from time to time, within the framework of this Agreement, gives the Data Processor.

3. Annexes
3.1. The Agreement consists of this main document and the attached Instruction.

3.2. If there are contradictions between the main document and the attached Instruction, the main document shall take precedence, unless otherwise specifically stipulated or the circumstances clearly require otherwise.

4. The Data Controller’s Responsibilities
4.1. It is the Data Controller’s responsibility to ensure that, at each point in time, there is a legal reason for the Processing of Personal Data and that the Processing is carried out as stated in this Agreement and Applicable Law.

4.2. The Data Controller shall provide the Data Processor with the information and Personal Data that is needed and appropriate for the Data Processor to be able to fulfill its obligations under the Agreement and Applicable Law.

4.3. The Data Controller undertakes to Process only those Personal Data that are adequate and relevant for the specifically chosen purpose of the Processing and shall only give the Data Processor access to the Personal Data that is necessary in relation to the purpose of the Processing. This commitment concerns, for example, the amount of Personal Data, the scope of the Processing, how long the Personal Data is Processed and its availability.

4.4. The Data Controller is responsible for notifying Data Subjects about the Processing, for respecting the Data Subject’s rights in accordance with Applicable Law, and for conducting any other action that is required by the Data Controller in Applicable Law.

4.5. The Data Controller shall supply the Data Processor with correct and updated information, instructions and Personal Data that is required and appropriate for the Data Processor to carry out its responsibilities towards the Data Controller.

5. Documented Instructions
The Data Controller shall provide the Data Processor with documented instructions. The Instructions shall, among other things, but not exclusively, state the categories of Personal Data and the categories of Data Subjects, the purpose of the Processing, the nature, scope, and duration of the Processing, and security measures.

6. The Data Processor’s Responsibilities
6.1. The Data Processor commits to only carry out the Processing of Personal Data in accordance with the Data Controller's Instructions described in Annex 1, this Agreement and Applicable Law. The Data Processor commits to stay informed of Applicable Law and any related laws of relevance to the Processing.

6.2. The Data Processor shall ensure compliance with the principles for the Processing of Personal Data, including storage limitation. The Data Processor is responsible for ensuring that Personal Data that no longer is needed for the purpose is deleted. The Data Processor shall establish routines for how and which Personal Data is deleted.

6.3. The Data Processor guarantees that it possesses the necessary technical and organizational capacity and ability to fulfill its obligations under this Agreement and Applicable Law.

6.4. The Data Processor shall notify the Data Controller if an instruction is considered contrary to Applicable Law. In this case, the Data Processor shall await further instructions.

6.5. The Data Processor is responsible for restricting access to Personal Data and must thus ensure that not more people than necessary have access to the Personal Data.

6.6. The Data Processor and any person acting under the authority of the Data Controller or of the Data Processor, who has access to Personal Data, shall not process that data except according to the Instructions from the Data Controller, unless required to do so by Union or Member State law.

7. Security Measures
7.1. The Data Processor must evaluate the risks of the Processing and take measures, such as encryption, to reduce them. The measures should ensure an appropriate level of security, including confidentiality, considering the latest developments and implementation costs in relation to the risks and the type of Personal Data to be protected.

7.2. The Data Processor shall take all technical and organizational security measures required to prevent Personal Data Breaches, by ensuring that the Processing meets the requirements of the General Data Protection Regulation and that the Data Subject's rights are protected.

7.3. The Data Processor shall take reasonable technical and organizational steps to ensure that any natural and legal person performing work under the supervision of the Data Processor, and with access to Personal Data, only Processes these in accordance with the Instructions, this Agreement and Applicable Law.

7.4. The Data Processor shall systematically test, assess, examine, and evaluate the effectiveness of the technical and organizational measures that will ensure the security of the Processing and ensure that the security measures entail an appropriate level of confidentiality, integrity, availability, and resilience.

7.5. To protect Personal Data against unauthorized access, destruction, and alteration in accordance with the requirements of the Swedish Data Inspection Board, with special regard to the requirements in Article 32 GDPR, the Data Processor shall pay special attention to the Swedish Data Inspection Board’s instructions in its general advice “Security for personal data” or other policies that they publish.

7.6. If the Data Processor intends to implement changes to the Processing or otherwise implement changes that may affect the security of the Data Subject, the Data Subject's rights or compliance with the Agreement or Applicable Law, the Data Processor shall inform the Data Controller in writing in advance. The Data Controller must give its consent to such changes.

8. Personal Data Breaches
8.1. The Data Processor shall assist the Data Controller in ensuring that its obligations under the Applicable Law regarding Personal Data Breaches are fulfilled, considering the type of Processing and the information that the Data Processor has available. This also applies if the Data Controller suspected or discovered a Personal Data Breach.

8.2. In the event of a suspected or discovered Personal Data Breach, the Data Processor shall immediately investigate the Personal Data Breach and take appropriate measures to mitigate its potential negative effects.

8.3. When a Personal Data Breach is discovered, or suspected, the Data Processor shall inform the Data Controller of this without undue delay, but not later than 24 hours after such suspicion or knowledge has arisen. Such notification shall contain the information that the Data Controller needs to fulfill his obligations in relation to the supervisory authority. If and to the extent that it is not possible to provide the information at the same time, the information may be provided in batches without unnecessary further delay.

8.4. The notification obligation applies even if the Data Processor for some other reason cannot fulfill obligations under the Agreement or the Instructions or alternatively becomes aware that Personal Data has been Processed in violation of the Agreement.

8.5. The Data Processor undertakes to document all Personal Data Breaches, including the circumstances surrounding the Personal Data Breach, its effects and the corrective measures taken, of which the Data Processor is aware. Upon request, the documentation shall be provided to the Data Controller as soon as possible.

9. Data protection impact assessment and Prior consultation
9.1. The Data Processor shall assist the Data Controller in ensuring that the obligations under Articles 32-36 of the General Data Protection Regulation are fulfilled, considering the type of Processing and the information that the Data Processor has available.

9.2. The Data Processor shall, in view of the nature of the Processing, assist the Data Controller to implement appropriate technical and organizational measures (as far as possible) so that the Data Controller can fulfill its obligation to respond to requests to exercise the Data Subject's rights in accordance with Section 3 in the General Data Protection Regulation. The same applies to the right to rectification, the right to erasure, the right to object, the right to lodge a complaint and the right to data portability.

10. Sub Processors
10.1. The Data Processor provides the Data Controller with all information necessary to demonstrate that the Data Processor fulfills its obligations under Article 28 of the General Data Protection Regulation. This includes access to information and documents that the Data Controller needs to exercise control over the Data Processor's survivability of the Agreement and Applicable Law. Such access shall be provided without unreasonable delay, but not later than 30 days, from the Data Controller's request.

10.2. The Data Processor does not have the right to appoint a Sub Processor in accordance with this Agreement without first having obtained a special or general written consent from the Data Controller. By signing this Agreement, the Data Controller is deemed to give a special written consent for the use of the Sub Processors in the list in paragraph 10.7.

10.3. If the Data Controller has given a written approval – and regardless of whether it is a special or a general one – the Data Processor shall ensure that such Sub Processor enters into a written Data Processing Agreement before the Sub Processor begins work related to the Data Controller. Such a Data Processing Agreement shall contain at least the commitments and obligations arising from the Agreement. Sub Processors shall in such Data Processing Agreement provide sufficient guarantees to implement appropriate technical and organizational measures in such a way that the Processing meets the requirements of this Agreement and Applicable Law. The Data Controller shall have the right to access and approve such an agreement before it is signed and enters in force between the Data Processor and the Sub Processor.

10.4. The agreement between the Data Processor and the Sub Processor shall specifically regulate that the Sub Processor does not have the right to appoint another Sub Processor without the written approval of the Data Controller in advance.

10.5. The Data Processor shall inform the Data Controller of plans for new Sub Processors and changes in the use of the old Sub Processors. The person responsible for Personal Data can object to the Data Processor’s proposal to change its Sub Processors. Such an objection constitutes an obstacle for the Data Processor to implement the proposed change.

10.6. Appointing a Sub Processor is done under the responsibility of the Data Controller. It does not result in any change regarding the allocation of responsibilities that applies between the Parties under the Agreement.

10.7. List of Sub Processors:

  • Company: Google Ireland Ltd.
    Location of Company: Ireland
    Data Residency: Finland
    Transfer Mechanism: EU SCC
    Purpose: Server capacity, cloud services and IT-infrastructure.
    Compliance Documentation: https://cloud.google.com/security/compliance

  • Company: Nylas, Inc.
    Location of Company: USA
    Data Residency: Ireland
    Transfer Mechanism: EU SCC
    Purpose: E-mail integration.
    Compliance Documentation: https://www.nylas.com/security/

10.8. If the Sub Processor does not fulfill its obligations, the Data Processor shall be fully responsible to the Data Controller for the performance of the Sub Processor's obligations. The Data Processor is always responsible for the Sub Processor as for its own work and its own commitments and obligations.

11. Transfer to third countries
11.1. The Data Processor shall ensure that the transfer of Personal Data to, or making available from, a place outside the EU or the EEA takes place in accordance with Applicable Law by e.g. the use of the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries, or provisions replacing them.

11.2. The Data Processor shall have the right to enter into such Standard Contractual Clauses with Sub Processors on behalf of the Data Controller.

11.3. The Data Processor is transferring personal data to customers in the United Kingdom. The European Commission has decided that the United Kingdom ensures an adequate level of protection (adequacy decision). Data protection principles and compliance with other aspects of GDPR are followed in the transfers.

12. Request for information
12.1. Information about the Processing may not be provided to the Registered, supervisory authority or third party without the written consent of the Data Controller, unless it is clear from Applicable Law that information must be provided. The Data Processor shall assist with the dissemination of the information covered by a consent or legal requirement.

12.2. The Data Processor shall without delay inform the Data Controller of any contacts from the Data Subject, regulatory authority or third party that concern or may be of significance for the Processing of Personal Data.

13. Inspection
13.1. The Data Controller has the right to inspect, at his own expense or through a third party, that the Data Processor complies with this Agreement and Applicable Law. The Data Processor shall then provide the Data Controller with the necessary assistance.

13.2. The Data Processor shall provide the Data Controller with access to premises and equipment for inspection to ensure that the Data Processor fulfills its obligations under the Agreement and Applicable Law.
Inspections must be announced in advance by the Data Controller, at such a time that the Data Processor can meet the resources required to provide the assistance needed during the inspection.

13.3. The Data Processor shall document, in writing, the measures it has taken to fulfill its obligations under this Agreement and Applicable Law. The Data Controller shall at any given time have the right to access the Data Processor's documentation in accordance with this paragraph.

14. Liability for Damage
14.1. A registered or other person who has suffered damage because of a violation of applicable Data Protection Legislation is entitled to compensation from the Data Controller or the Data Processor for the damage that has occurred. The Data Controller is responsible for damage caused by processing that is contrary to the Data Protection Act. The Data Processor is responsible for damage caused because of the Processing if he or she has not fulfilled the obligations specifically applicable to Data Processors, or acts outside or in violation of the Data Controller's legal instructions.

14.2. The Data Controller or Data Processor shall avoid liability for the damage on the Data Subject if it shows that it is not in any way responsible for the event that caused the damage.

15. Period and Termination
15.1. The Agreement is valid from its signing and as long as the Data Processor Processes Personal Data on behalf of the Data Controller.

15.2. Upon termination of the Agreement, the Data Processor shall ensure that all Personal Data Processed on behalf of the Data Controller is destroyed in a secure manner, unless storage of the Personal Data is required by law to which the Data Processor is subject.

15.3. The Data Processor shall, at the request of the Data Controller, provide written information about the measures taken by the Data Processor to fulfill its obligations under this paragraph.

16. Confidentiality
The Data Processor shall ensure that all natural persons working under its management: its employees, and all other persons for whom the Data Processor is responsible and who are authorized to Process Personal Data covered by this Agreement, sign a confidentiality commitment approved by the Data Controller (unless this person is subject to a relevant and appropriate statutory duty of confidentiality).

17. Changes to the Agreement
If required by the relevant legislation or binding regulatory authority, the Parties shall, without undue delay, renew this Agreement in a manner consistent with the legislation which gave rise to the change.

18. Transfer of the Agreement
A Party does not have the right to assign, in whole or in part, its rights and/or obligations under the Agreement without the other Party’s prior written consent.

19. Notices
Notices and messages in accordance with the Agreement shall be made in writing. Notices to the person responsible for Personal Data are made in accordance with the contact information specified in the Parties section. Notifications to the Data Controller are made in accordance with the contact information mentioned below.

Personal Data Breaches must be reported by email to support@leadpilot.com.

The Data Controller,
[Company name][Contact person at the company], [e-mail address][address, zip code + location]

The Data Processor,
LeadPilot AB
Felix Kollin, felix@leadpilot.com
Sankt Eriksgatan 121 B, 113 43 Stockholm

20. Dispute
The agreement shall be interpreted and applied in accordance with Swedish law. Disputes concerning the interpretation or application of the Agreement shall be resolved in a general court in Sweden, provided that no other authority or court in another jurisdiction has exclusive jurisdiction to resolve the dispute.

_____________________________
Signatures

[location], [date]
The Data Controller
[Company name]

___________________
[Signature name]

[location], [date]
The Data Processor
LeadPilot AB

___________________
Felix Kollin

Annex 1: Specification of Processing of Personal Data
The following document constitutes the Instruction.

Definitions used in the Instruction shall have the same meaning as in the Agreement unless the circumstances clearly state otherwise.

1. Processing of Personal Data
1.1. The Categories of Data Subjects
The Personal Data that is Processed refers to the following categories of Data Subjects.

“User”
Employees or subcontractors to the Data Controller who have access to an account used for its services.

“Mentioned”
Data Subjects as included in User content created by Users. May, for example, be in connection with quotes or other employees mentioned in an email.

“Contact”
A person that a User has contacted or plans to contact through their use of the services.

1.2. The Categories of Personal Data
In connection with the use of the Data Processor's services, it Processes:

  • Account information: The information collected when registering an account for the Data Processor's services, which includes full name, e-mail address, profile picture (optional), and the company the User belongs to.
  • Interactions: Continuous collection of interactions performed by the User related to the use of the app.
  • User content: Personal information about the Mentioned which is part of content created or uploaded by Users on behalf of the Data Processor (may for example include names or other personal information including but not limited to text and images in emails or signatures).
  • Contact information: The information about the Contact that is collected from public sources on the internet or provided by the User on behalf of the Data Controller, which includes full name, the company where the Contact is employed, e-mail address linked to the company's domain, professional titles, and social media usernames.

1.3. Special categories of Personal Data – Sensitive Data
No sensitive information is Processed for Users or Contacts. Sensitive information is only Processed if it is included in User content created by Users on behalf of the Data Processor for the purpose of providing the User content as part of the service.

1.4. The Purpose of Processing
The Processing is required for the following reasons:

  • Account information: Log in, authenticate and manage accounts with access to LeadPilot on behalf of the Data Controller.
  • Interactions: Improve future use of the Data Processor's services and troubleshoot any issues.
  • User content: Create User content in LeadPilot for use of the service on behalf of the Data Controller.
  • Contact information: Provision use of our Services on behalf of the Data Controller.

1.5. Processing Activities of the Personal Data

  • Account information: Collection and storage
  • Interactions: Collection and storage
  • User content: Collection, storage, and distribution (only sending of emails on behalf of the Data Controller)
  • Contact information: Collection, storage

1.6. Storage of the Personal Data

  • Account information, Interactions, User content: the Data Processor stores the Personal Data in an account with limited access for six (6) months after the termination of the Agreement or until the Data Controller requests that the information be deleted. The storage can be extended by a written agreement between the Data Controller and the Data Processor.
  • Contact information: the Data Processor stores the Personal Data in an account with limited access for six (6) months after the termination of the Agreement or until the User, Data Controller, or the Contact requests that the information be deleted.

1.7. Unstructured Data
All User content is considered unstructured data.

2. Security Measures
The Data Processor shall take the following security measures as well as technical and organizational measures:

  • Access protection. When computer equipment, mobile devices and the like are not under the supervision of the Data Processor, such equipment must be locked to be protected against unauthorized use and theft. When laptops and the like are used in Personal Data Processing, encryption should always take place.
  • Backup. The Data Processor shall regularly make backup copies of the Personal Data and store these separately. The Personal Data must be sufficiently well protected that it can be restored in the event of a physical or technical incident.
  • Access control. The Data Processor must have a technical system for access control to ensure that the right user gets the right access. The starting point is that the restriction should take place in such a way that only those who need the data to be able to carry out their work should have access to it. All usernames and passwords are personal.
  • Repair and service. In the event of repair and service of computer equipment, which is used for the Processing of the Data Controller's Personal Data, and which is carried out by someone other than the Data Processor, the Data Processor shall establish a special confidentiality agreement with the service repairer. Service and repair must take place under the supervision of the Data Processor.
