This agreement is signed by reference in our existing agreements. Do you want a stand-alone e-signed version of this agreement? Please contact: info@leadpilot.com or your contact at LeadPilot.

Agreement in accordance with the Data Protection Regulation (EU 2016/679).

Parties

Data Controller

Company name:

Registration number:

Postal address:

Zip code + Location:

Name of data controller:

E-mail:

Data Processor

Company name: LeadPilot AB

Registration number: 559203-9704

Postal address: Sankt Eriksgatan 63 B

Zip code + Location: 112 34 Stockholm

Definitions

Agreement

This main document and at each time applicable appendices, which includes the Terms of Service.

Personal Data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Applicable Law

Policies and procedures according to the Data Protection Regulation, national complementary law to the Data Protection Regulation, regulatory authorities including the European Data Protection Board’s

regulations, remarks, policies and Commission acts in the field of personal data.

Sub Processor

Physical or legal person, public authority, institution or other entity that in their role as a supplier to the Data Processor processes Personal Data on behalf of the Data Controller.

Data Subject

A physical person whose Personal Data is processed.

1. Purpose

This Agreement regulates the Data Processors processing of Personal Data on behalf of the Data Controller in accordance with the Data Subject’s rights and Applicable Law.

The Processing is required within the framework of the provision of LeadPilot's services.

2. The Data Controller’s Responsibilities

2.1. Processing of Personal Data

It is the Data Controller’s responsibility to ensure that, at each point in time, there is a legal reason for the Processing of Personal Data and that the Processing is carried out as stated in this Agreement and Applicable Law.

The Data Controller is responsible for notifying Data Subjects about the processing and to respect the Data Subject’s rights in accordance with Applicable Law and conduct any other action that is required by the Data Controller in Applicable Law.

2.2. Provisioning of Personal Data

The Data Controller should supply the Data Processor with correct and updated information, instructions and Personal Data that is required and appropriate for them to carry out their responsibilities towards the Data Controller.

3. The Data Processor’s Responsibilities

3.1. Processing of Personal Data

The Data Processor commits to only carry out the Processing of Personal Data in accordance with what is described in Appendix 1, this Agreement, Applicable Law and according to the Data Controllers documented instructions. The Data Processor commits to stay informed of Applicable law and any related laws of relevance to the Processing.

The Data Processor shall notify the Data Controller if an instruction is considered contrary to Applicable Law. In this case, the Data Processor shall await further instructions.

3.2. Transfer of Personal Data

The Data Processor shall ensure that the transfer of Personal Data to, or making available from, a place outside the EU or the EEA takes place in accordance with Applicable Law by e.g. the use of the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries, or provisions replacing them.

The Data Processor shall have the right to enter into such Standard Contractual Clauses with

Sub Processors on behalf of the Data Controller.

The Data Processor is transferring personal data to customers in the United Kingdom. The European Commission have decided that the United Kingdom ensures an adequate level of protection (adequacy decision). Data protection principles and compliance with other aspects of GDPR are followed in the transfers.

3.3. Security Measures

The Data Processor shall take all technical and organizational security measures required to prevent Personal Data Incidents, by ensuring that the Processing meets the requirements of the Data Protection Regulation and that the Data Subject's rights are protected.

The Data Processor shall systematically test, examine and evaluate the effectiveness of the technical and organizational measures that will ensure the security of the Processing and ensure that the security measures entail an appropriate level of confidentiality, integrity, availability and resilience.

3.4. Obligation to Notify

The Data Processor shall without delay inform the Data Controller of any contacts from the Data Subject, regulatory authority or third party that concern or may be of significance for the Processing of Personal Data.

‍Information about the Processing may not be provided to the Registered, supervisory authority or third party without the written consent of the Data Controller, unless it is clear from Applicable Law that information must be provided. The Data Processor shall assist with the dissemination of the information covered by a consent or legal requirement.

3.5. Inspection

The Data Controller has the right to inspect, at his own expense or through a third party, that the Data Processor complies with this Agreement and Applicable Law. The Data Processor shall then provide the Data Controller with the necessary assistance.

Inspections must be announced in advance by the Data Controller, at such a time that the Data Processor has the opportunity to meet the resources required to provide the assistance needed during the inspection.

3.6. Provisioning of Personal Data

The Data Processor provides the Data Controller with all information necessary to demonstrate that the Data Processor fulfills their obligations under Article 28 of the Data Protection Regulation. This includes access to information and documents that the Data Controller needs to exercise control over the Data Processors's survivability of the Agreement and Applicable Law. Such access shall be provided without unreasonable delay, but not later than 30 days, from the Data Controller's request.

3.7. Changes to the Processing

If the Data Processor intends to implement changes to the Processing or otherwise implement changes that may affect the security of the Data Subject, the Data Subject's rights or compliance with the Agreement or Applicable Law, the Data Processor shall inform the Data Controller in writing in advance. The Data Controller must give their consent to such changes.

3.8. Security

The Data Processor must evaluate the risks of the processing and take measures, such as encryption, to reduce them. The measures should ensure an appropriate level of security, including confidentiality, taking into account the latest developments and implementation costs in relation to the risks and the type of personal data to be protected.

The Data processor shall take reasonable technical and organizational steps to ensure that any natural and legal person performing work under the supervision of the Data Processor, and with access to Personal Data, only processes these in accordance with this Agreement and Applicable Law.

In order to protect Personal Data against unauthorized access, destruction and alteration in accordance with the requirements of the Swedish Data Inspection Board, with special regard to the requirements in Article 32. The Data Processor shall pay special attention to the Swedish Data Inspection Board’s instructions in its general advice “Security for personal data” or other policies that they publish.

3.9. Confidentiality

The Data Processor commits to ensure that all natural persons working under its management who process Personal Data have undertaken to observe confidentiality. The Data Processor must also ensure adequate authorization management.

3.10. Personal Data Incidents

In the event of a suspected or discovered personal data incident, the Data Processor shall immediately investigate the incident and take appropriate measures to mitigate its potential negative effects.

The Data Processor shall assist the Data Controller in ensuring that their obligations under the Applicable Law regarding Personal Data Incidents are fulfilled, taking into account the type of processing and the information that the Data Processor has available. This also applies if the Data Controller suspected or discovered a personal data incident.

When a personal data incident is discovered, the Data Processor shall inform the Personal Data Controller of this without undue delay. Such notification shall contain the information that the Data Controller needs in order to fulfill his obligations in relation to the supervisory authority. If and to the extent that it is not possible to provide the information at the same time, the information may be provided in batches without unnecessary further delay.

The notification obligation applies even if the Data Processor for some other reason cannot fulfill obligations under the Agreement or the documented instructions or alternatively becomes aware that personal data has been processed in violation of the Agreement.

3.11. Assist the Data Controller

The Data Processor shall assist the Data Controller in ensuring that the obligations under Articles 32-26 of the Data Protection Regulation are fulfilled, taking into account the type of processing and the information that the Data Processor has available.

3.12. Provisioning of Information

The Data Processor shall, in view of the nature of the Processing, assist the Data Controller to implement appropriate technical and organizational measures (as far as possible) so that the Data Controller can fulfill his obligation to respond to requests to exercise the Data Subject's rights in accordance with Chapter III. in the Data Protection Regulation.

4. Subprocessors

4.1. Appointing Subprocessors

The Data Processor shall not appoint any other personal data assistant (“Subprocessor”) than what is stipulated in this Agreement without a special or general written consent having been obtained from the Data Controller. By signing this agreement, the Data Controller is deemed to give a special written consent for the use of the Subprocessors specified in 4.4.

The Data Processor shall inform the Data Controller of plans for new Subprocessors and changes in the use of the old Subprocessors. The person responsible for personal data has the opportunity to object to the Data Processor's proposal to change its Subprocessor. Such an objection constitutes an obstacle for the Data Processor to implement the proposed change.

4.2. Allocation of Responsibilities

Appointing a Subprocessor is done under the responsibility of the Data Controller. It does not result in any change regarding the allocation of responsibilities that applies between the Parties under the Agreement.

4.3. Security of Subprocessors

If the Data Processor appoints a Subprocessor, the Data Processor shall with appropriate measures ensure that the Subprocessor meets all applicable provisions on the protection of personal data.

4.4. Subprocessor List

Company	Location of Company	Data Residency	Transfer Mechanism	Purpose
Google Ireland Ltd.	Ireland	Finland	EU SCC	Server capacity, cloud services and IT-infrastructure.
Nylas, Inc.	USA	Ireland	EU SCC	E-mail integration.

5. Liability for Damage

A registered or other person who has suffered damage as a result of a violation of applicable Data Protection Legislation is entitled to compensation from the Data Controller or the Data Processor for the damage that has occurred. The Data Controller is responsible for damage caused by processing that is contrary to the Data Protection Act. The Data Processor is responsible for damage caused as a result of the processing if he or she has not fulfilled the obligations specifically applicable to Data Processors, or acts outside or in violation of the Data Controller's legal instructions.

The Data Controller or Data Processor shall avoid liability for the Data Subject's damage if it shows that it is not in any way responsible for the event that caused the damage.

6. Period and Termination

The Agreement is valid from its signing and as long as the Data Processor processes Personal Data on behalf of the Personal Data Controller.

Upon termination of the agreement, the Data Processor shall ensure that all Personal Data processed on behalf of the Data Controller is destroyed in a secure manner, unless storage of the Personal Data is required by law to which the Data Processor is subjected to.

7. Changes to the Agreement

If required by the relevant legislation or binding regulatory authority, the Parties shall, without undue delay, renew this Agreement in a manner consistent with the legislation which gave rise to the change.

8. Notices

Notices and messages in accordance with the Agreement shall be made in writing. Notices to the Person responsible for Personal Data are made in accordance with the contact information specified in the Parties section. Notifications to the Data Controller are made in accordance with the contact information mentioned below.

The Data Controller, LeadPilot AB

Felix Kollin, felix@leadpilot.com

Sankt Eriksgatan 63 B

112 34 Stockholm

Personal data incidents must be reported by email to support@leadpilot.com.

9. Dispute

9.1. Interpretation and application

The agreement shall be interpreted and applied in accordance with Swedish law. Disputes concerning the interpretation or application of the Agreement shall be resolved in a general court in Sweden, provided that no other authority or court in another jurisdiction has exclusive jurisdiction to resolve the dispute.

Appendix 1: Specification of Processing of Personal Data

Data Subjects

The personal data that is processed refers to the following categories of Data Subjects.

User

Employees or subcontractors to the Data Controller who has access to an account used for our Services.

Mentioned

Data Subjects as included in User Content created by Users. May, for example, be in connection with quotes or other employees mentioned in an e-mail.

Contact

A person that a User has contacted or plans to contact through their use of the Services.

Purpose of Processing

The Processing is required for the following reasons:

• Account information: Log in, authenticate and manage accounts with access to LeadPilot on behalf of the Data Controller.
• Interactions: Improve future use of our Services and troubleshoot any issues.
• User Content: Create User Content in LeadPilot for use of the Service on behalf of the Data Controller.
• Contact information: Provision use of our Services on behalf of the Data Controller.

Data Categories

In connection with the use of our Services, we process:

• Account information: The information collected when registering an account for our Services, which includes full name, e-mail address, profile picture (optional), and the company the User belongs to.
• Interactions: Continuous collection of interactions performed by the User related to the use of the app.
• User Content: Personal information to the Mentioned which is part of content created by Users on behalf of the Personal Data Assistant (may for example include names or other Personal Information included in, for example, text and images in e-mails and signatures).
• Contact information: The information about the Contact that is collected from public sources on the internet or provided by the User on behalf of the Data Controller, which includes full name, the company where the Contact is employed, e-mail address linked to the company's domain, professional titles and social media usernames.

Processing Activities

• Account information: Collection and storage
• Interactions: Collection and storage
• User content: Collection, storage and distribution (only sending of e-mails on behalf of the Data Controller)
• Contact information: Collection, storage

Unstructured Data

All User Content is considered unstructured data.

Sensitive Data

No sensitive information Processed for Users or Contacts.

Sensitive information is only processed if it is included in User Content created by Users on behalf of the Data Processor for the purpose of providing the User Content as part of the Service.

Storage

• Account Information, Interactions, User Content: LeadPilot stores the personal data in an account with limited access 6 months after the termination of the Agreement or until the Data Controller requests that the information be deleted. The storage can be extended by a written agreement between the Data Controller and the Data Processor.
• Contact information: LeadPilot stores the personal data in an account with limited access for 6 months after the termination of the Agreement or until the User, Data Controller or the Contact requests that the information be deleted.