DATA PROCESSOR AGREEMENT FOR AIRA
1. Background and Interpretation
1.1. In order to fulfil the Agreement between the Customer and Upsales regarding the Customer’s use of Aira, Upsales will in certain cases, as a processor, process personal data on behalf of the Customer which is the controller, except when the Customer acts as a processor on behalf of a third-party controller, in which case Upsales is a sub-processor to the Customer. When a third party is the controller of personal data processed by Upsales under this DPA, the obligations that Upsales has towards the Customer under this DPA shall apply towards such third-party controller, insofar as is necessary in order to comply with existing data protection laws, including GDPR.
1.2. This Data Processor Agreement (“DPA”) forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processor agreements as well as to ensure adequate protection for the personal data processed by Upsales as a processor within the scope of the Agreement.
1.3. Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the GDPR and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances.
2. Instructions and Responsibilities
2.1. The subject-matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, are described in the instructions on processing of personal data in the appendix to this DPA as made available at the website for Aira, www.aira.app, at any given time (the “Written Instructions”).
2.2. The Customer is responsible for complying with the GDPR. The Customer shall in particular:
a. be the contact person towards data subjects and respond to their inquiries regarding the processing of personal data;
b. ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR and maintain a record of processing activities under its responsibility;
c. provide Upsales with documented instructions for Upsales’ processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;
d. immediately inform Upsales of changes that affect Upsales’ obligations under this DPA;
e. immediately inform Upsales if a third party takes action or lodges a claim against the Customer as a result of Upsales’ processing under this DPA; and
f. immediately inform Upsales if anyone is a joint controller with the Customer of the relevant personal data.
2.3. When processing personal data on behalf of Customer, Upsales shall:
a. only process personal data in accordance with the Customer’s documented instructions, which at the time of the parties’ entering into this DPA are set out in the Written Instructions, unless required to do so by EU law or applicable national law of an EU Member State to which Upsales is subject; in such a case, Upsales shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b. ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c. take all measures required pursuant to Article 32 of the GDPR as further set out in Section 4 below;
d. respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
e. taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
f. assist the Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Upsales;
g. at the choice of the Customer, delete or return all the personal data to the Customer after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and
h. make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor agreed upon by the parties. Such audits may occur up to one (1) time a year and shall be conducted during normal business hours and at the Customer’s expense. Upsales may use external auditors to verify and demonstrate compliance with its obligations following from the GDPR. Upsales will then, upon the Customer’s request, make available a confidential summary report to the Customer of such audits.
2.4. Upsales shall notify the Customer without undue delay, if, in Upsales’ opinion, an instruction infringes the GDPR. In addition, Upsales is to immediately inform the Customer of any changes affecting Upsales’ obligations pursuant to this DPA.
3. Disclosure of Personal Data etc.
3.1. Upsales shall without undue delay forward any request to the Customer from a data subject, supervisory authority or any other third party, who is requesting receipt of information regarding personal data that Upsales processes on behalf of the Customer. Upsales, or anyone working under Upsales’ supervision, shall not disclose personal data, or information about the processing of personal data, without the Customer’s instruction, unless required by EU law or applicable national law of an EU Member State.
3.2. Upsales shall without undue delay inform the Customer of any contacts from a supervisory authority that concern the processing of personal data on behalf of the Customer. Upsales is not entitled to represent the Customer or act on the Customer’s behalf towards the supervisory authority.
4. Security
4.1. Upsales shall implement technical and organizational security measures in order to protect the personal data against destruction, alteration, unauthorized disclosure and unauthorized access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Upsales may amend its technical and organizational measures.
4.2. Upsales shall notify the Customer of accidental or unauthorized access to personal data or any other personal data breach without undue delay after becoming aware of such data breach. Such notification shall not in any manner imply that Upsales has committed any wrongful act or omission, or that Upsales shall become liable for the personal data breach.
4.3. If the Customer during the term of this DPA requires that Upsales takes additional security measures, Upsales shall, as far as Upsales deems reasonably possible, meet such requirements provided that the Customer pays and takes responsibility for any and all costs associated with such additional measures.
5. Sub-processors and Transfers to Third Countries
5.1. The Customer hereby gives Upsales a general authorization to engage sub-processors provided at the website for Aira, www.aira.app. Upsales shall enter into an agreement with each sub-processor according to which the same data protection obligations as set out in this DPA are imposed upon the sub-processor. Upsales shall remain responsible to the Customer for the performance of the sub-processor’s obligations in accordance with its contract with Upsales.
5.2. Upsales shall inform the Customer of any changes concerning the addition or replacement of sub-processors by updating the listed sub-processors at the website for Aira, www.aira.app. The Customer is responsible for regularly reviewing the listed sub-processors to stay informed of any updates and the Customer thereby has the opportunity to object to such changes.
5.3. In the event that the Customer wants to object to changes concerning sub-processors, the Customer shall make such objection in writing and within thirty (30) calendar days after Upsales has informed the Customer about the change by updating the listed sub-processors at the website for Aira, www.aira.app. If the Customer objects to Upsales engaging a sub-processor and the parties are unable to agree within a reasonable time, the Customer shall have the right to terminate the DPA and/or relevant parts of the Agreement in whole or in part with immediate effect. If Upsales chooses to adapt to such objection from the Customer, Upsales shall be entitled to reasonable compensation from the Customer for the costs that Upsales incurs as a result of the adaptation.
5.4. Upsales strives to store and process personal data within the EU/EEA. However, since Upsales uses various IT services in connection with Aira, the Customer’s use of Aira could entail that the processing of personal data takes place outside of the EU/EEA. If Upsales and/or sub-processors transfer personal data outside the EU/EEA, such transfer shall comply with the applicable data protection requirements according to the GDPR. Upon the Customer’s request, Upsales shall inform the Customer about the legal grounds for the transfer.
6. Compensation and Limitation of Liability
6.1. Upsales is entitled to reasonable compensation for all work, costs and expenditures stemming from Upsales’ performance of Sections 2.3 e, 2.3 h, 4.2, 7 and 8 as well as for all work, costs and expenditures stemming from Upsales following the Customer’s instructions for processing, which are not clearly documented in the Agreement, when this results in work that goes beyond functions and the level of security following from the services that Upsales normally provides to its customers.
6.2. Subject to the limitations of liability that follow from the Agreement, each party shall be responsible for and bear any damages and administrative fines imposed on it under Articles 82 and/or 83 of the GDPR.
6.3. This Section 6 shall remain in force after termination of this DPA.
7. Term and Termination
7.1. The DPA enters into force upon the Order date and shall remain in force as long as Upsales processes personal data on behalf of the Customer, including deletion or return of personal data according to Section 7.2 below. This DPA shall thereafter cease to apply. Sections 6, 7.1 and 10.1 shall continue to apply even after this DPA has been terminated.
7.2. Upon termination of the Agreement or the DPA (depending on which is first terminated), Upsales shall, at the choice of the Customer, delete or return the personal data that the Customer has transferred to Upsales and any existing copies, where appropriate, unless storage of the personal data is required by EU law or applicable EU Member State law.
8. Changes
8.1. If a competent authority issues decisions or judgments, or if provisions of the GDPR change, or if a supervisory authority or the European Data Protection Board issues guidelines, recommendations or similar, with the result that this DPA, or part thereof, does not meet the requirements in the GDPR, the parties shall change this DPA to meet such requirements. Such changes shall enter into force no later than thirty (30) days after a party sends a notice of any necessary changes to the other party, or otherwise no later than prescribed by the GDPR, guidelines, decisions or regulations of the supervisory authority. Upsales may send notice of such changes to the Customer by publishing an updated version of the DPA at the website for Aira, www.aira.app. The Customer is responsible for regularly reviewing such updates to stay informed at all times.
8.2. Unless otherwise stated in the DPA, Upsales shall have the right to update this DPA at its sole discretion. Changes to this DPA made by Upsales other than those following from Section 8.1 shall start to apply when Upsales has informed the Customer about such changes by publishing an updated version of this DPA at the website for Aira, www.aira.app, or otherwise communicated such updates to the Customer. The Customer is responsible for regularly reviewing such updates to stay informed at all times.
8.3. Any changes to this DPA other than those following from Section 8.1 or 8.2 above shall be made in writing and signed by the parties’ authorized representatives to be binding.
9. Miscellaneous
9.1. Upsales shall communicate with the Customer about notices, information and other matters related to this DPA in such a way as Upsales deems appropriate, which may include notices in Aira or at the website for Aira, www.aira.app. The Customer is responsible for regularly reviewing such notices to stay informed at all times.
9.2. In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regard to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA, notwithstanding anything to the contrary in the Agreement.
9.3. This DPA supersedes and replaces all data processor agreements relating to Aira between the parties potentially existing prior to this DPA.
10. Governing Law and Dispute Resolution
10.1. Swedish law applies in all aspects to Upsales’ processing of personal data under the DPA. Any dispute arising out of or in connection with the DPA shall be settled in accordance with the dispute resolution provision in the Agreement.