DATA PROCESSING AGREEMENT - SUPERHUMANS AB
SERVICE AGREEMENT – DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is the Data Processing Agreement referred to in the Superhumans Terms of Use between Superhumans AB (referred to as “Superhumans” in this DPA) and the Customer identified on the Project Description.
The defined terms in the Terms of Use shall apply to this DPA.
In addition, the following definitions shall apply: “Data Protection Laws” means all laws and regulations that apply to or govern the processing of personal data, including, but not limited to the EU General Data Protection Regulation ((EU) 2016/679) and any national data protection laws and regulations implementing the EU Electronic Communications Privacy Directive (2002/58/EC), as well as any amendments to or replacements of such laws and regulations.
Terms used in this DPA shall have the same meaning as in the Data Protection Laws. Under the Service Agreement, Superhumans may be processing personal data on behalf of the Customer. This DPA sets out the details of that processing and the DPA is effective for so long as the Service Agreement is in force.
1. THE PROCESSING SHALL BE CARRIED OUT IN ACCORDANCE WITH THE DATA PROTECTION LAWS.
2. OBLIGATIONS OF THE CUSTOMER
2.1. In relation to the data subjects, the Customer is responsible for the processing’s compliance with the Data Protection Laws.
2.2. The Customer warrants that the processing is carried out in accordance with the purpose for which the personal data have been collected.
2.3. It is the Customer’s responsibility to ensure that Superhumans, at any time, is duly informed of the Customer’s written instructions regarding the processing. If the Customer provides additional instructions which deviate from the instructions that follow from the Service Agreement, and such additional instructions entail that the scope of the Services is materially changed, the matter must be handled under the Service Agreement.
2.4. All instructions provided by the Customer must be in writing.
3. OBLIGATIONS OF SUPERHUMANS
3.1. The processing is described in detail in Appendix A. Superhumans undertakes to only process personal data necessary for the performance of the Services, in accordance with the Service Agreement, this DPA or according to specific and documented instructions provided by the Customer in connection with the conclusion of the Service Agreement, which have been approved by Superhumans.
3.2. Upon receipt of written instructions from the Customer regarding the processing, such as provided for in Appendix A or additional written instructions, Superhumans must, within a reasonable period of time, take appropriate measures to ensure that the processing is carried out in accordance with the instructions.
3.3. Superhumans undertakes to ensure that any natural person acting under the authority of Superhumans, and who has access to personal data, is informed of the content of this DPA and processes the personal data only in accordance with the DPA and the Customer’s documented instructions.
3.4. Superhumans is required to assist the Customer with appropriate technical and organisational measures for the fulfilment of the Customer’s obligation to respond to requests from data subjects regarding access to and rectification or erasure of personal data.
3.5. Superhumans must, without undue delay, notify the Customer after becoming aware of a personal data breach. Superhumans shall assist the Customer by providing information necessary for the fulfilment of the Customer’s obligation to notify the competent supervisory authority of a personal data breach and, when applicable, the Customer’s obligation to communicate the personal data breach to the affected data subjects.
3.6. Superhumans is required to assist the Customer in connection with any data protection impact assessments and prior consultations carried out by the Customer, as well as to assist in any investigations carried out by the competent supervisory authority regarding a personal data breach.
4. ENGAGEMENT OF SUB-PROCESSORS
4.1. By accepting this DPA, the Customer approves and acknowledges that Superhumans may engage subcontractors for the purpose of carrying out the processing (“sub-processors”).
4.2. When engaging a sub-processor for the purpose of carrying out the processing, Superhumans undertakes to enter into an agreement with the sub-processor regarding the processing activities, pursuant to which the sub-processor shall be bound by the same obligations as is Superhumans under this DPA.
4.3. Superhumans undertakes to inform the Customer in writing prior to engaging a sub-processor, and the Customer may, within five (5) days of receipt of Superhumans’ notice hereof, object to Superhumans’ choice of sub-processor. Superhumans may not engage the chosen sub-processor if the Customer has presented reasonable objections. The parties agree that the Customer, by accepting this DPA, is deemed to have been informed of Superhumans’ intended engagement of the sub-processors listed in Appendix B.
4.4. Any transfer of personal data to the sub-processors is made at Superhumans’ risk and does not alter the allocation of responsibility between Superhumans and the Customer.
5. DISCLOSURE OF INFORMATION
5.1. Superhumans may not disclose any personal data to third parties without the Customer’s prior written consent, unless the disclosure or transfer is required by applicable law or under any court judgments or official orders. Notwithstanding the above, Superhumans is always entitled to transfer personal data to sub-processors in accordance with section 4.
5.2. Superhumans shall without undue delay notify the Customer in writing if it is approached by a supervisory authority with any matters regarding, or which may be of relevance for, the processing. If Superhumans by operation of law or injunction is obligated to disclose personal data, section 7.2(iv) shall apply.
6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
6.1. Superhumans is required to implement appropriate technical and organisational measures in accordance with the Data Protection Laws in order to ensure a level of security appropriate to the risk, including risks relating to unauthorised access, destruction and alteration of personal data covered by the processing. Superhumans shall determine how such measures are to be implemented in order to reach an appropriate level of security.
6.2. If the Customer makes it probable that new security measures are required or that existing security measures must be altered in order to achieve compliance with the legal requirements regarding an appropriate level of security, or in order to achieve compliance with any court judgments or official orders, the parties shall discuss the implementation of such new measures or alterations of existing measures. Any implementation of extended or additional security measures requires that the parties have agreed on such implementation in writing. Superhumans is entitled to reasonable compensation for any extended or additional security measures taken.
6.3. If Superhumans lacks any instructions from the Customer that Superhumans deems necessary in order to carry out the processing, or if Superhumans deems the Customer’s instructions, wholly or partly, to be in breach of the Data Protection Laws, Superhumans shall without delay notify the Customer, and await any further instructions that the Customer deems necessary.
7. CONFIDENTIALITY
7.1. Superhumans and the persons working under its authority must maintain confidentiality in all respects when carrying out the processing. This means that personal data may not be unduly disclosed to a third party. Superhumans undertakes to ensure that the individuals working under its authority and who will process personal data observe and comply with Superhumans’ confidentiality undertaking according to this section 7.
7.2. Superhumans undertakes not to disclose to any third party such information which Superhumans, in its capacity as data processor, has received from the Customer or any other such information which Superhumans processes in its capacity as data processor under this DPA. Superhumans undertakes to ensure that all persons acting under its authority have undertaken to observe confidentiality in accordance with this section 7. However, this confidentiality obligation shall not apply to:
(i) information which is generally known or becomes generally known other than as a result of a breach of the Service Agreement or this DPA;
(ii) information which Superhumans can prove was in Superhumans’ possession prior to being provided to Superhumans under the Agreement;
(iii) information which Superhumans, lawfully and without restrictions regarding the right to transfer such information, receives from any third party outside the scope of the Service Agreement or this DPA; or
(iv) information which Superhumans is obligated to disclose under law or any court judgment or public authority decision. In such a case, Superhumans must without undue delay inform the Customer in writing about the disclosure and request that the personal data are kept confidential by the recipient.
7.3. This confidentiality undertaking shall survive the termination of this DPA.
APPENDIX A
Instructions regarding the processing
Superhumans shall, in addition to complying with the provisions in this DPA and the Service Agreement, carry out the processing in accordance with the instructions below.
Purpose
The processing may only be performed in order to provide the Services under the Service Agreement. The personal data may not be processed or used for Superhumans’ own or any other purposes.
Types of processing
Superhumans may use any types of processing which are necessary in order to provide the Services, including, but not limited to, sorting, administering, storing, returning and erasing personal data.
Types of personal data
Superhumans may only process personal data concerning the Users, including first name, last name, user name, password and email address, as well as performance metrics extracted while using the services, of such users to whom the Customer grants access to the Services. Superhumans may also process other types of personal data, if necessary to provide the Services, including personal data collected through any new feature implemented in the Services after the conclusion of this DPA, which the Customer acquires through the Service Agreement.
Categories of data subjects
The personal data processed by Superhumans may only concern the Users.
Duration of the processing
The personal data must be erased by Superhumans at the time of termination of the Service Agreement, as set forth in the Terms of Use. Furthermore, personal data shall be erased from time to time, in accordance with the Customer’s documented instructions.
APPENDIX B
Sub-Processors approved by the Customer
The Customer accepts and recognizes that Superhumans engages the following sub-processors in accordance with section 4.3 of the Agreement.
Amazon Web Services, AWS (Sweden/EU, https://aws.amazon.com/compliance/gdpr-center), for the operation and maintenance of the platform, including storage of data.