Terms and Conditions
These Terms and Conditions (the “Terms”) govern the purchase and use of the Service (as defined below) from Controla AB, company reg. no. 559457-4005 (“Controla”) by the legal entity executing an order to or registering to use the Service (“Customer”). By accepting these Terms, either in connection with registering to use the Services through app.controla.ai or by executing another document referring to these Terms, Customer agrees that these Terms, together with applicable appendices, form part of a legally binding agreement between Customer and Controla (the “Agreement”). Controla and the Customer are hereinafter each referred to as a “Party” and jointly as the “Parties”.
1 ORDERING & START USING THE SERVICE
1.1 To start using the Service, the Customer will be required to provide Controla with certain information and follow the procedure set out on Controla’s website and the Customer’s account. The Customer’s registration for the Service constitutes a request to Controla to buy the requested Service. Controla’s acceptance of that offer and the formation of a legally binding contract between Customer and Controla according to these Terms will take place when Controla confirms the order of the Service by activating Customer’s account/use of the Services.
1.2 Controla may make additional Service features available to Customer from time to time and use of such features may be subject to Customer’s agreement to certain additional terms and conditions e.g., via an online click-through agreement or via the Customer’s Admin User account. Such features will be provided at Controla’s discretion to the Customer and may include fees in addition to those described in these Terms.
2 DEFINITIONS
“Admin User” means a User that is granted administrator rights for the Services on Customer’s behalf allowing such Admin User to invite Users, delegate tasks, access and manage Customer’s admin account for the Service to monitor team progress, risk score etc.
“Customer Material” means files, documents or other material shared by the Customer to the Service, generated from Customer’s use of the Service or otherwise communicated to or uploaded to the Service.
“Initial Subscription Period” means the initial subscription period specified in connection with Customer’s order to use the Service starting on the agreed Start Date.
“Service” means the provision of Controla’s cybersecurity solutions, available on a software as a service (SaaS) basis via the Internet at Controla’s website app.controla.ai.
“Software” means Controla’s proprietary software which is provided to Customer as part of the Service, including any changes, updates, upgrades, modifications and enhancements made thereto, and any related modules, code, add-ons, tools, browser plugins and applications as well as any documentation relating thereto.
“Start Date” means the date from which the Customer will have access to the Services.
“Subscription Renewal Period” means the agreed subscription renewal intervals beginning on the day immediately following the expiration of the Initial Subscription Period or after the expiration of a current Subscription Renewal Period.
“Trial Period” means the period during which the Customer may test the Services without charge.
“User” means an individual who interacts with the Services on Customer’s behalf.
3 THE SERVICE
3.1 Subject to the terms of this Agreement, Controla shall provide to Customer the Service set out in this Agreement in accordance with the agreed Subscription Plan. Controla hereby grants to Customer, subject to Customer’s timely payments of the applicable fees under this Agreement and Customer’s continuous compliance with all the terms of this Agreement, a limited, non-exclusive, non-transferable and non-sublicensable right to use the Service in Customer’s business operations.
3.2 Customer’s Admin User shall be able to create an account to access and manage Customer’s use of the Service. Controla does not provide the Customer with the means, including but not limited to devices and Internet connection, to use the Service, and the Customer is solely responsible for arranging the required means to connect to and use the Service.
3.3 Controla commits to providing the Service in a professional manner, in line with good market practice and in accordance with applicable laws.
4 SERVICE AVAILABILITY AND MAINTENANCE
4.1 The Service is generally available 24 hours a day, 365 days a year. However, Controla does not guarantee and cannot be held liable for sudden defects, delays and interruptions. Controla reserves the right to temporarily interrupt the performance of the Service for service purposes such as maintenance, upgrades, quality of delivery, and competitive strength.
4.2 Controla is allowed to take measures that affect the Service if they are required for technical, maintenance or operational reasons. Controla shall perform such actions promptly and in a manner that limits interference as far as possible.
5 RESPONSIBILITIES
5.1 Each Party represents and warrants to the other Party that: (i) it has all necessary rights and authority to enter into the Agreement and grant the rights and licenses under the Agreement; (ii) it shall comply with all applicable laws; and (iii) the execution or acceptance of the Agreement, and the performance of its respective obligations and duties pursuant to the Agreement, do not and will not violate any agreement to which such Party is bound.
5.2 The Customer is responsible for:
(a) having the necessary hardware, Internet connections and equipment for the use of, and access to, the Service;
(b) the activities performed by the Customer and its Users within the framework of the Service;
(c) the accuracy of the information provided in connection with the Customer’s and its Users’ registration and use of the Service;
(d) continuously updating its contact information so that it is correct at all times;
(e) keeping its Admin User and other access rights up to date in the Service; and
(f) complying with all laws and regulations applicable for its use of the Service.
5.3 The Customer may not use the Service in such a way that Controla or anyone else suffers inconvenience or damage. The Customer undertakes not to handle Customer Material via the Service that is unlawful, infringes on the rights of third parties or that may be perceived as offensive or disorderly.
5.4 If Controla is made aware that Customer uses the Service in violation of the Agreement or in a manner which could pose a security risk to Controla or any third party, Controla has the right to suspend the Service for the Customer and (if the violation or security risk is material) terminate the Agreement with immediate effect. The same rights for Controla apply if Controla reasonably suspects that Customer uses the Service in violation of the Agreement and has contacted the Customer to resolve such suspected violation in good faith but has failed to resolve the matter within seven (7) days. Controla will reactivate the Customer’s access to the Service if Customer makes it probable that Customer has not used the Service in violation of the Agreement and there is no other reason for Controla to terminate the Agreement with Customer.
5.5 The Customer understands that it is the Customer’s responsibility as a data controller for the processing of User’s personal data (as defined under the General Data Protection Regulation (“GDPR”)) to ensure that Users, and other relevant data subjects, are provided with sufficient information on the processing of their personal data in line with the requirements under relevant Data Protection Laws (as defined in Appendix 1).
6 REMUNERATION
6.1 The Customer undertakes to pay to Controla the fees stipulated in the Agreement. All prices are exclusive of VAT and other taxes. Where the Parties have agreed on a Trial Period, all fees for the Services will apply on and from the end of such Trial Period and be charged according to the agreed payment interval specified in connection with the Customer’s registration for the Service.
6.2 Controla, either directly or through its third-party payment processor (“Payment Processor”), will charge Customer for the fees via credit card or other payment mechanism agreed between the Parties. Controla has the right to charge Customer’s credit card or other agreed payment method for any services provided to Customer by Controla under the Agreement, including recurring fees. It is Customer’s sole responsibility to provide Controla with current and up to date credit card or other applicable payment information; failure to provide such information may result in suspension of Customer’s access to the Services. Controla will also have the right to set off any fees due from Customer to Controla. If Customer pays the fees through a Payment Processor, such payment processing will be subject to the terms, conditions, and privacy notices of such Payment Processor in addition to this Agreement. Controla is not responsible for any error by, or other acts or omissions of, the Payment Processor.
6.3 If authorized by the Customer through the Service or through Customer’s order of the Service, recurring charges (e.g., monthly or yearly billing) will be charged from Customer’s payment instrument without further authorization from Customer until Customer terminates this Agreement or changes its payment method in Customer’s Admin User account.
6.4 Controla reserves the right to change the prices set out in the Agreement and provide Customer with notification of such change which will have effect at the start of the next Subscription Renewal Period. If the price change is major and the Customer objects to such change, Customer may terminate the Agreement by notification in writing to Controla, effective thirty (30) days from Controla’s receipt of the termination notice.
7 AMENDMENTS
Controla reserves the right to change and/or make additions to these Terms at any time. Changes to the Terms shall be notified to the Customer by email and/or through the Service no later than one (1) month before the changed version takes effect. Notwithstanding the foregoing, Controla always has the right to immediately make such updates as may be necessary under applicable laws, ordinances or government decisions. If changes to the Terms are to the significant detriment of the Customer, the Customer has the right to terminate the Agreement with effect from the date the new version enters into force. The Customer’s continued use of Controla’s Service after the updated Terms have become effective will constitute acknowledgment and acceptance of the modified Terms. The latest version of the Terms is always available at app.controla.ai.
8 PERSONAL DATA
The Data Processing Agreement in Appendix 1 governs the processing of personal data carried out by Controla on behalf of Customer in connection with Customer’s use of the Service.
9 CUSTOMER MATERIAL
The Customer, or its rightsholders, holds all rights to the Customer Material. Controla is provided with a non-exclusive, sub-licensable, free license to use the Customer Material to the extent necessary to provide the Service during the term of this Agreement. The license includes a right for Controla to share the Customer Material with authorized sub-contractors for the purpose of fulfilling its obligations under the Agreement and (subject to the DPA and confidentiality undertakings) to improve and develop the Service.
10 CONFIDENTIALITY
10.1 Any technical, commercial or other information of a confidential nature disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”) shall be treated as strictly confidential and the Receiving Party shall use such information solely for activities that are necessary under the Agreement.
10.2 The Receiving Party undertakes not to, without prior written consent from the Disclosing Party, pass on any of the Disclosing Party’s confidential information to any person or party, except to those of the Receiving Party’s employees and authorized subcontractors and representatives for whom such information is required for the proper performance of their duties or rights under the Agreement and who are themselves bound by obligations of secrecy. The confidentiality undertakings in this Agreement shall, inter alia, apply to the terms and conditions of the Agreement, the Service, Software, license fees and all Customer Material and information about the Customer that Controla gains access to in connection with the Customer’s use of the Service.
10.3 The confidentiality obligations set out above do not apply to confidential information which:
(a) the Receiving Party can establish has become publicly available prior to the initiation of the Service or which becomes publicly available without any breach of this Agreement;
(b) was known by the Receiving Party prior to the disclosure thereof by the Disclosing Party;
(c) properly comes into the possession of the Receiving Party from a third party which is not under any obligation to maintain the confidentiality; or
(d) the Receiving Party is obligated to disclose pursuant to a judicial or other government order, provided that the Receiving Party shall provide the Disclosing Party prompt notice prior to any disclosure so that the Disclosing Party may seek other legal remedies to maintain the confidentiality of the confidential information.
10.4 The Parties’ obligations of confidentiality shall survive termination of the Agreement for a period of five (5) years thereafter.
11 INTELLECTUAL PROPERTY
11.1 All rights, including but not limited to all intellectual property rights, to the Service and Software, including the technical solution and any content therein provided by Controla, belong to Controla or its rightsholders and are protected by law. The Agreement does not entail that any rights to the Service or rights created in connection with the performance of the Parties’ obligations under the Agreement are transferred to the Customer. For the avoidance of doubt, this clause does not limit the Customer’s right to the Customer Material.
11.2 The Customer may not reproduce, copy, modify, adapt, change or otherwise handle the Software, tools or other material belonging to the Service, nor transfer or grant any rights to such material to others, unless permitted under this Agreement or approved in writing by Controla.
11.3 Provided that full payment for the Service has been received, Controla grants a non-exclusive, non-transferable, non-sublicensable license to the Customer to use Controla's intellectual property rights to the extent required for the use of the Service and Software.
12 COMPENSATION OBLIGATIONS
12.1 The Customer understands that the Service may only be used for the purposes described in this Agreement and the Customer undertakes to indemnify Controla for any and all claims from third parties (including claims from authorities) directed against Controla due to the Customer's wrongful use of the Service.
12.2 The Customer shall compensate Controla for any costs incurred by Controla in connection with the Customer's failure to pay on the relevant due date, such as, for example, agency and debt collection costs.
12.3 Each Party shall defend, indemnify and hold harmless the other Party and its respective agents, affiliates, subsidiaries, directors, officers, employees, contractors and partners (as applicable), against any and all third-party claims resulting from the breach of such Party's representations and undertakings under this Agreement.
12.4 In connection with any such claim: (i) the indemnified Party shall provide prompt written notice to the indemnifying Party of any such claim (provided that the failure to provide such prompt notice shall not relieve the indemnifying Party of its indemnification obligations in the Agreement, except to the extent it has been damaged thereby); (ii) the indemnifying Party shall have sole control of the defense or settlement of the claim (provided that the indemnifying Party may not enter into any settlement that may adversely affect the rights or obligations of the indemnified Party without the indemnified Party’s prior written consent); (iii) at the indemnifying Party’s request and expense, the indemnified Party shall cooperate in the investigation and defense of such claim; and (iv) the indemnified Party shall have the right to participate in its defense with counsel of its own choosing at the indemnified Party’s expense.
13 LIMITATION OF LIABILITY
13.1 Controla is neither responsible for any damages that arise due to the Customer providing incorrect information when registering for or using the Service, nor issues related to third party service providers who are not subcontractors to Controla.
13.2 Controla's total liability to the Customer under this Agreement for each twelve-month period during the term of the agreement is limited to an amount corresponding to 100 % of the amount paid or payable by Customer under the Agreement in the twelve (12) months immediately preceding the month in which the event (or first in a series of connected events) occurred.
13.3 In no event shall either Party be liable for indirect costs such as: (i) loss of revenue; (ii) loss of profits; (iii) loss of contracts; (iv) loss of business or anticipated savings; (v) loss of data; (vi) loss of goodwill or reputation; or (vii) for any other consequential, special or indirect losses whether or not such losses were within the contemplation of the Parties at the date of this Agreement, suffered or incurred by that Party arising out of or in connection with the provisions of, or any matter under, this Agreement.
14 TERM AND TERMINATION
14.1 After the Initial Subscription Period, the Agreement shall be automatically prolonged by consecutive Subscription Renewal Periods unless notice of termination is given by any of the Parties at least one (1) month before the end of the Initial Subscription Period or the then current Subscription Renewal Period. Customer may provide notice of termination to Controla by cancelling the Service through Customer’s account.
14.2 Termination must be made in writing or through such other termination method available in the Service from time to time in order to be valid.
14.3 Controla may terminate this Agreement, effective on written notice to Customer, if Customer: (i) materially breaches this Agreement; (ii) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (iii) files or has filed against it a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (iv) makes or seeks to make a general assignment for the benefit of its creditors; or (v) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.
14.4 Upon termination of the Agreement, unless otherwise agreed in writing with the Customer or required by applicable law, Controla may delete the Customer Material, or in any other manner make it inaccessible to the Customer.
15 FORCE MAJEURE
15.1 A Party is entitled to postpone the performance of its obligations and is relieved from the consequences of non-performance of its obligations under the Agreement where such performance is prevented, rendered significantly more complicated, or unduly rendered more costly due to a circumstance beyond the reasonable control of the Party, and which the Party neither could nor reasonably should have foreseen at the time of execution of the Agreement. Such circumstance (“Force Majeure Event”) can comprise, for example, war or warlike situations, civil war, military mobilisation or military conscription of a similar scope, insurrection and riot, terrorism, sabotage, fire, flood, natural disaster, epidemic, pandemic, break-down of means of transport, discontinuation of the supply of energy, strike, lock-out or other general or local industrial action (notwithstanding that the Party itself is a party to the action), requisition, seizure, public authority order, trade restrictions, payment restrictions, or currency restrictions, or circumstances comparable therewith. Any delay in delivery on the part of any party assisting Controla in the performance of the Agreement which is caused by any such Force Majeure Event shall also constitute grounds for discharge from liability.
15.2 A Party shall notify the other Party in the event of a risk that an obligation cannot be performed or will be delayed due to a Force Majeure Event. A failure to provide such notice within a reasonable time shall result in an obligation to compensate for the loss that could have been avoided had timely notice been given.
15.3 If a Force Majeure Event has persisted for three (3) months, each and every Party shall be entitled to terminate the Agreement with immediate effect.
16 MISCELLANEOUS
16.1 The Parties confirm that this Agreement represents the entire understanding and constitutes the whole agreement between the Parties relating to the subject matter hereof and supersedes any and all prior agreements, covenants, arrangements, communications, representations or warranties, whether oral or written, by any officer, agent, employee or representative of either of the Parties.
16.2 All notifications in connection with the Agreement must be made by e-mail.
16.3 The waiver of a right under this Agreement is valid only in writing. The failure of a Party to insist on adherence to any term of this Agreement shall not be considered a waiver of any right, nor shall it deprive that Party of the right thereafter to insist on adherence to that term or any other terms of the Agreement. A waiver of a specific breach of contract does not constitute a waiver of any other breach of contract.
16.4 A Party may not assign, pledge or otherwise encumber this Agreement or any of its rights or obligations under this Agreement without the prior written consent of the other Party.
16.5 Notwithstanding the above, Controla is allowed, without the Customer's consent, to transfer all or part of the Agreement, or its rights and obligations under the Agreement, to companies that are part of the same corporate group as Controla.
17 GOVERNING LAW AND JURISDICTION
17.1 This Agreement shall be governed by the substantive law of Sweden.
17.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, considering the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators.
17.3 The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English unless agreed otherwise.
17.4 The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed during such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not be disclosed to a third party without the prior consent of the other Party. Exceptions to the foregoing shall only apply to the extent that disclosure may be required of a Party due to mandatory law, an order of a competent court or public authority, or to protect, fulfil or pursue a legitimate legal right or obligation or to enforce or challenge an award.
Appendix 1
DATA PROCESSING AGREEMENT (DPA)
Between the Customer (as identified in the Agreement), hereinafter referred to as the “Data Controller”, and Controla AB, company registration number 559457-4005, hereinafter referred to as the “Data Processor”.
The Data Controller and the Data Processor are each referred to as a “Party” and collectively as the “Parties”.
WHEREAS
The Parties have entered into the Agreement (as defined below) under which the Data Processor will process personal data on behalf of the Data Controller. The Parties enter into this Data Processing Agreement (the “DPA”) in order to provide adequate safeguards with respect to such processing of personal data. This DPA replaces any previous data processing agreements between the Data Processor and the Data Controller.
DEFINITIONS AND INTERPRETATIONS
The terms used in this DPA shall have the meaning stated below, unless the circumstances clearly require otherwise. Terms not defined in this DPA such as "data controller", "data processor", "personal data", "processing", “data subject” and "personal data breach" shall have the meaning set forth in Data Protection Laws or the Agreement.
“Agreement” means the agreement between the Parties regarding the Data Processor’s provision of the Service to the Data Controller.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Data Protection Laws” means:
(i) the GDPR and replacement acts;
(ii) applicable Swedish law regarding data protection; and
(iii) ordinances and regulations to (i) and (ii) above as well as guidelines issued by the Supervisory Authority and applicable to the Parties’ activities.
“Supervisory Authority” means the Swedish Authority for Privacy Protection (IMY) and, where applicable, any other competent supervisory authority which, by virtue of law, exercises supervision over the Parties’ activities.
“Third Country(ies)” means any country outside the European Economic Area which has not been deemed to ensure an adequate level of data protection by the European Commission pursuant to Articles 44-50 (Chapter V) of the GDPR.
1. CONTRACT DOCUMENTS AND APPLICATION
1.1. The DPA consists of this document, the specification of processing carried out by the Data Processor (Sub-appendix A) and the list of the approved Sub-processors (Sub-appendix B).
1.2. This DPA is part of and subject to the terms of the Agreement. In the event of a conflict between the provisions of this DPA and the Agreement, in matters concerning the processing of personal data, this DPA shall take precedence over the Agreement.
2. THE PROCESSING OF PERSONAL DATA
2.1. The Data Processor undertakes to process personal data in accordance with the Data Protection Laws, this DPA and the Agreement. Any processing of personal data other than necessary to comply with the Data Processor's obligations under the Agreement, including processing for its own purposes by the Data Processor, is not permitted.
2.2. In addition to the above, the Data Processor may only process personal data in accordance with the Data Controller's instructions in this DPA and any amended or additional instructions provided by the Data Controller, by email to the email address specified in Sub-appendix A, unless required to do so by Union or Member State law to which the Data Processor is subject. The Data Processor shall inform the Data Controller of that legal requirement before processing unless the law prohibits such information on important grounds of public interest.
2.3. The Data Processor shall immediately inform the Data Controller if the instructions from the Data Controller, in the Data Processor’s opinion, infringe Data Protection Laws.
3. SECURITY
3.1. The Data Processor shall implement appropriate technical and organisational measures in accordance with Data Protection Laws to secure personal data against loss or any form of unlawful processing. Considering the state of the art and the costs of implementation, the measures shall guarantee an appropriate security level given the risks associated with the relevant processing and the nature of the personal data to be protected. The measures are aimed at preventing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The Data Processor shall, upon request, inform the Data Controller of the measures taken.
3.2. The Data Processor further confirms that it has the expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of Data Protection Laws, including for the security of processing, and that those measures shall be reviewed and updated where necessary.
3.3. The Data Processor shall ensure that any person granted access to the Personal Data is bound to obligations of confidentiality or is under an appropriate statutory obligation of confidentiality.
4. SUB-PROCESSORS
4.1. The Data Processor is allowed to engage the sub-processors listed in Sub-appendix B.
4.2. If the Data Processor intends to engage a new sub-processor, or replace an existing sub-processor, that will process personal data covered by this DPA, the Data Processor shall, prior to such engagement, inform the Data Controller thereof, allowing the Data Controller to object. Such objections must be made in writing within ten (10) days from the Data Controller’s receipt of the information. If the Data Controller does not revert to the Data Processor within thirty (30) days, the Data Controller is deemed to have approved the Data Processor’s plan to engage/replace the sub-processor(s) that the Data Processor informed the Data Controller about. If the Data Processor, despite the objection of the Data Controller, intends to hire a sub-processor, the Data Controller has the right to terminate this DPA and its appendices.
4.3. The Data Controller’s approval according to the above shall be deemed as a special permission for the Data Processor to, in the individual case, on behalf of the Data Controller, enter into a data processing agreement with sub-processors who are to process Personal Data. In such data processing agreement, the Data Processor shall impose the same data protection obligations as set forth in this DPA on each sub-processor, providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of applicable Data Protection Laws.
5. TRANSFER TO THIRD COUNTRIES
5.1. The Data Processor and, if applicable, its sub-processor shall not transfer personal data to a Third Country unless approved in writing by the Data Controller. Such written approval shall be stated in Sub-appendix A to this DPA. If the Data Processor, after such approval, transfers personal data to a Third Country, the Data Processor shall ensure that:
(i) the transfer is governed by and in accordance with a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including, without limitation, binding corporate rules for processors; or
(ii) the transfer is governed by and in accordance with the standard contractual clauses based on the European Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries, or any subsequent version thereof released by the European Commission (which shall automatically apply); and any relevant supplementary measures are taken in accordance with applicable court practice and guidelines from the European Data Protection Board.
6. INCIDENT MANAGEMENT
6.1. The Data Processor shall, without undue delay, notify the Data Controller in writing after becoming aware of a personal data breach. The notification shall contain all information required for the Data Controller to be able to comply with its obligations regarding reporting to the Supervisory Authority and/or the data subject, where applicable.
7. OBLIGATION TO ASSIST THE DATA CONTROLLER
7.1. The Data Processor shall, upon request of the Data Controller and to the extent required under Data Protection Laws, assist the Data Controller to ensure compliance with its obligations under Data Protection Laws, for example (i) obligations regarding data subjects' rights; and (ii) obligations laid down in Articles 32-36 of the GDPR, such as conducting data privacy risk assessments and consultation with the supervisory authority.
8. CONTACT WITH DATA SUBJECTS AND SUPERVISORY AUTHORITIES
8.1. The Data Processor shall inform the Data Controller, without undue delay, about any contact with data subjects (regarding the data subjects' rights), supervisory authorities or other third parties regarding the processing of personal data by the Data Processor (including any requests or orders from such parties), and shall await further instructions from the Data Controller. The Data Processor has no right to represent or otherwise act on behalf of the Data Controller in contact with data subjects, supervisory authorities or other third parties regarding the processing of personal data under this DPA.
9. AUDIT RIGHTS
9.1. The Data Controller shall be entitled to take measures necessary to verify that the Data Processor complies with its obligations under this DPA. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.
9.2. The Data Processor shall also allow for and contribute to audits conducted by the Data Controller, by a third party auditor mandated by the Data Controller (provided that the persons performing the audits enter into appropriate confidentiality agreements), or by the Supervisory Authority.
9.3. The Data Controller shall provide reasonable notice prior to an audit unless the audit relates to an on-going incident. Audits shall as far as possible be conducted in the manner with the least possible impact on the Parties' respective ordinary activities. Audits of the Data Processor shall take place in compliance with the security measures set by the Data Processor, provided that the measures do not prevent or cause significant difficulties in carrying out the audit. Unless otherwise provided in a separate written agreement, each Party shall bear its own costs of such audit and of the provision of information.
10. LIABILITY
10.1. If a Party breaches this DPA or Data Protection Laws, such Party shall indemnify the other Party for any damage caused by the breach. However, this shall not apply if the negligent Party can show that it is in no way responsible for the event, act or omission that caused the other Party damage, such as that the claim could not have been avoided by fulfilling the Party’s obligations under this DPA, Data Protection Laws or by the instructions issued by the Data Controller.
10.2. The Parties' right to compensation regarding claims from third parties is regulated in its entirety under Article 82 of the GDPR. This includes the right of the Party who paid full compensation for the damage suffered by a third party to claim back from the other Party, if involved in the same processing, the part of the compensation corresponding to that Party's part of responsibility for the damage.
10.3. This provision (Liability) shall survive the termination of this DPA.
11. ADDITIONS AND AMENDMENTS
11.1. The Data Controller is permitted to request changes to the content of this DPA to the extent necessary to be able to meet requirements that follow from Data Protection Laws. Such change will enter into force no later than thirty (30) days after the Data Controller has submitted a request for change to the Data Processor. In case the Data Processor for reasonable privacy related reasons does not accept such change, the Data Controller has the right to terminate the Agreement in whole or in part with immediate effect. Other additions and amendments to this DPA must, in order to be valid, be in writing and signed by both Parties.
12. TERM OF DPA
12.1. This DPA shall enter into force when signed by both Parties and shall remain valid for as long as the Data Processor is processing personal data on behalf of the Data Controller.
12.2. Upon expiry of this DPA, the Data Processor will within sixty (60) days after the Agreement has been terminated, at the choice of the Data Controller, either (i) return all personal data to the Data Controller in accordance with the Data Controller's reasonable instructions; or (ii) permanently delete and destroy the personal data (including back-up copies). When returning or deleting personal data in accordance with this clause, the Data Processor shall ensure that the data cannot be recovered.
13. ASSIGNMENT
13.1. Neither Party may transfer or otherwise assign, partially or in full, any of its rights or obligations under this DPA to any third party without the prior written consent of the other Party.
14. COMPENSATION
14.1. The Data Processor is entitled to reasonable compensation for work performed in accordance with the obligations in points 7, 9 and 11 of this DPA. However, this shall not apply to such work as is necessary for the Data Processor to perform in order to fulfil its obligations under the Data Protection Laws and in accordance with the Agreement.
15. GOVERNING LAW AND DISPUTE REGULATION
15.1. This DPA is governed by the substantive law of Sweden notwithstanding the rules or principles of conflicts of law. Any dispute regarding interpretation or application of this DPA shall be settled in accordance with the Agreement's provisions on dispute resolution.
Sub-appendix A - Instructions for the processing of Personal Data
1. Purpose, object and nature
1 a. The object and nature of the Processing of Personal Data by the Processor for the Controller is to:
Provide the Services in accordance with the Agreement
1 b. The purpose of the Processing of Personal Data by the Processor for the Controller is to:
Enable the Controller to utilize the Services provided under the Agreement, which are designed to enhance cybersecurity, protect against threats, and maintain the integrity and availability of systems and data.
1 c. Type and nature of the Processing:
- Collecting, organising, structuring, adaptation, retrieval, combination, restriction and other processing of the information that the Controller uploads to/enters in/creates and otherwise handles within the scope of the Services under the Agreement;
- Storage of Personal Data;
- Deletion upon request from the Controller; and
- Troubleshooting, consultation and support for the Services.
2. The Processing includes the following types of Personal Data
The Service may process the following types of personal data for each user invited to the platform by an administrator:
- **Identification and Contact Information**: Email address, name, and role at the company.
- **User Configuration and Security Data**: Security settings for the user in Google Workspace.
- **Activity Logs**: Audit events for sharing files in Google Drive.
- **Device and Connection Information**: Web browser model and version, operating system and version, and IP addresses for connections made to the platform.
The Service does not access or process the content within the user’s Google Drive files or folders unless explicitly configured by the Controller to include specific file metadata for auditing purposes. The default configuration limits the processing to activity logs, user settings, and system-level data for providing the agreed-upon Services.
3. The Processing covers the following categories of Data Subjects
- **Employees of the Controller**: Users invited by the Controller's administrator to use the platform.
- **Contractors or Consultants of the Controller**: Non-employees who are provided access to the platform by the Controller.
- **Administrators of the Controller**: Individuals responsible for managing the platform on behalf of the Controller.
4. Describe the technical and organisational security measures which will apply to the Processing of Personal Data by the Processor
Access control to systems and personal data:
- Access to systems and personal data is restricted based on the principle of least privilege.
- Multi-factor authentication (MFA) is enforced for all users.
- Role-based access control (RBAC) ensures that access is granted based on the user's specific job function.
Access control to premises and spaces:
- The company does not own or control any premises or spaces.
- The company never physically prints personal information related to customers.
- All digital information related to customers is protected with strong cryptographic controls.
Transfer:
- Personal data transmitted outside the control of the Processor is protected using end-to-end encryption.
- Secure protocols such as TLS 1.2 or higher are used for data in transit.
- Data transfers are logged, and integrity checks are performed to prevent unauthorized alterations.
Retention and deletion:
- Personal data is retained only for as long as required by the Controller or applicable law.
- The company performs regular reviews of customer data for deletion.
Logging:
- Logging mechanisms record access to personal data and significant system activities.
- Anomaly detection tools monitor logs for suspicious activities in real time.
Measures to prevent Personal Data Breaches:
- Continuous vulnerability assessments and internal penetration testing identify and remediate weaknesses in the system.
- Regular security patches and updates are applied to all systems to address known vulnerabilities.
Measures for handling Personal Data Breaches:
- An incident response plan addresses personal data breaches.
- Detected breaches are contained, investigated, and remediated promptly.
- Controllers are notified of relevant breaches without undue delay, including a summary of the incident and remediation steps.
- Post-incident reviews identify root causes and opportunities for improving security.
Development security:
- Continuous security scanning of the code identifies vulnerabilities.
- Third-party code is inventoried and regularly updated to address known vulnerabilities.
- The company enforces strict change control to ensure that all code deployed to production meets internal security standards. Code that has not been reviewed by someone with security expertise is not deployed.
Infrastructure security:
- Systems are configured following the principle of least privilege.
- Systems are regularly patched and updated to address known vulnerabilities.
- The attack surface of systems is reduced by restricting network access and disabling or restricting unnecessary services and protocols.
- Suspicious activities are investigated promptly, and corrective actions are taken to mitigate risks.
5. Duration of Processing
The contract period according to the Agreement and time for return and/or deletion according to the Agreement.
Sub-appendix B – Approved list of Sub-processors
Approved Sub-Processors at the entry into force of this DPA. The current list of sub-processors is published at the Data Processor's website:
| Company/organisation | Address and contact details | Location of Processing (country) | Types of Personal Data Processed by the Sub-processor | Purpose of processing by the Sub-processor | Additional information about the Sub-processor's Processing of Personal Data |
|---|---|---|---|---|---|
| Render | support@render.com | Frankfurt | Identification and Contact Information, User Configuration and Security Data, Activity Logs, Device and Connection Information | | https://render.com/privacy |
| Render | support@render.com | Global infrastructure | Identification and Contact Information, User Configuration and Security Data, Activity Logs, Device and Connection Information | Forward data to backend servers | Render backend servers in Frankfurt (see above); https://render.com/privacy |
| Google Cloud | | | | | Not used, but listed to keep the possibility of replacing Render; https://cloud.google.com/terms/data-processing-addendum |
If you have any questions about these Terms, please contact us at: info@controla.com
Last Updated: 12th of March, 2025