DATA PROCESSING AGREEMENT
between
BRANDOX AB
and
CUSTOMER
regarding the processing of personal data through Brandox Services
Data Processing Agreement – Brandox
This Data Processing Agreement (‘DPA”) is the Data Processing Agreement referred to in the Brandox Terms of Service between Brandox AB (referred to as “Brandox” in this DPA) and the Customer identified in the Terms of Service.
The defined terms in the Terms of Service shall apply to this DPA.
The Terms of Service and this DPA are connected and cannot be terminated separately. This DPA may, however, be replaced by a new valid DPA without this affecting the Terms of Service. In the event of any conflict or inconsistency between this DPA and the Terms of Service, the DPA shall prevail.
In addition, the following definitions shall apply:
“Data Protection Laws” means all laws and regulations that apply to or govern the processing of personal data, including, but not limited to the EU General Data Protection Regulation ((EU) 2016/679) and any national data protection laws and regulations implementing the EU Electronic Communications Privacy Directive (2002/58/EC), as well as any amendments to or replacements of such laws and regulations.
Terms used in this DPA shall have the same meaning as in the Data Protection Laws.
Under the Terms of Service, Brandox will be processing personal data on behalf of the Customer. This DPA sets out the details of that processing and the DPA is effective for so long as the Terms of Service is in force.
Brandox’s standard Customer DPA is available upon request by sending an email to [email protected].
1. The processing shall be carried out in accordance with the data protection laws.
2. Obligations of the Customer
- In relation to the data subjects, the Customer is responsible for the processing’s compliance with the Data Protection Laws.
- The Customer warrants that the processing is carried out in accordance with the purpose for which the personal data have been collected.
- It is the Customer’s responsibility to ensure that Brandox, at any time, is duly informed of the Customer’s written instructions regarding the processing. If the Customer provides additional instructions which deviate from the instructions that follow from the Terms of Service, and such additional instructions entail that the scope of the Services is materially changed, the matter must be handled under the Terms of Service.
- All instructions provided by the Customer must be in writing.
3. Obligations of Brandox
- The types of personal data that we collect and the use of personal data is described in detail in the Privacy Policy. Brandox undertakes to only process personal data necessary for the performance of the Services, in accordance with the Terms of Service, this DPA or according to specific and documented instructions provided by the Customer in connection with the conclusion of the Terms of Service, which have been approved by Brandox.
- Upon receipt of written instructions from the Customer regarding the processing, such as provided for in Appendix A or additional written instructions, Brandox must, within a reasonable period of time, take appropriate measures to ensure that the processing is carried out in accordance with the instructions.
- Brandox undertakes to ensure that any natural person acting under the authority of Brandox, and who has access to personal data, is informed of the content of this DPA and processes the personal data only in accordance with the DPA and the Customer’s documented instructions.
- Brandox is required to assist the Customer with appropriate technical and organizational measures for the fulfilment of the Customer’s obligation to respond to requests from data subjects regarding access to and rectification or erasure of personal data.
- Brandox must, without undue delay, notify the Customer after becoming aware of a personal data breach. Brandox shall assist the Customer by providing information necessary for the fulfilment of the Customer’s obligation to notify the competent supervisory authority of a personal data breach and, when applicable, the Customer’s obligation to communicate the personal data breach to the affected data subjects.
- Brandox is required to assist the Customer in connection with any data protection impact assessments and prior consultations carried out by the Customer, as well as to assist in any investigations carried out by the competent supervisory authority regarding a personal data breach.
4. Engagement of sub-processors
- Brandox uses certain sub-processors, listed in Appendix A, to assist in providing the services as described in the Terms of Services between the Customer and Brandox. By accepting this DPA, the Customer approves and acknowledges that Brandox may engage subcontractors for the purpose of carrying out the processing (“sub-processors”).
5. Disclosure of Customer Information
- Brandox respects your privacy and does not share or in any other way disclose of Customer Information to third parties, unless in the following circumstances:
- You have given us your consent to disclose Your Information.
- It is necessary for us to share Your Information in order to deliver the product or the service that you have requested.
- It is necessary for us to disclose Your Information to a third party content partner in order to deliver a product or service to you. Unless otherwise provided, these third parties may not use Your Information for other purposes than assisting us.
- Disclosure of Your Information is requested by law or necessary for us to comply with legal process, respond to claims or protect the rights, property or safety of our company, employees, customers or the public.
6. Technical and organizational security measures
- We take the security of your information seriously and we are committed to protecting the information we receive from you. We use commercially reasonable security measures to protect against the loss, misuse and alteration of your information under our control. Notwithstanding such measures, please be aware that no security measures are perfect or impenetrable, and we cannot guarantee the security of any information transmitted to or from the Service.
7. Confidentiality
- Brandox and the persons working under its authority must maintain confidentiality in all respects when carrying out the processing. This means that personal data may not be unduly disclosed to a third party. Brandox undertakes to ensure that the individuals working under its authority and who will process personal data observe and comply with Brandox’s confidentiality undertaking according to this section 7.
- Brandox undertakes not to disclose to any third party such information which Brandox, in its capacity as data processor, has received from the Customer or any other such information which Brandox processes in its capacity as data processor under this DPA. Brandox undertakes to ensure that all persons acting under its authority have undertaken to observe confidentiality in accordance with this section 7. However, this confidentiality obligation shall not apply to:
- information which is generally known or becomes generally known other than as a result of a breach of the Service Agreement or this DPA;
- information which Brandox can prove was in Brandox’s possession prior to being provided to Brandox under the Agreement;
- information which Brandox, lawfully and without restrictions regarding the right to transfer such information, receives from any third party outside the scope of the Terms of Service Agreement or this DPA; or
- information which Brandox is obligated to disclose under law or any court judgment or public authority decision. In such a case, Brandox must without undue delay inform the Customer in writing about the disclosure and request that the personal data are kept confidential by the recipient.
- 3. This confidentiality undertaking shall survive the termination of this DPA.
Appendix A – Subprocessor list
Company approves that Brandox engages the following subprocessors.
Infrastructure provider
Brandox engages the following sub-processor to host and store Customer Data.
Subprocessor | Entity type | Location |
Amazon Web Services | Cloud Service Provider | Burlington Plaza, Burlington Rd, Dublin 4, D04 N9W8, Ireland |
Other Sub-Processors
Brandox works with certain third parties, as listed below, to provide specific functionalities within the Brandox Services. In order to provide the relevant functionality these sub-processors access Customer Data. Their use is limited to the indicated activities:
Subprocessor | Sub-processor activities | Location |
DigitalOcean | Application Servers | 101 Avenue of the Americas, New York, NY 10013, USA |
Stripe | Payments | 510 Townsend Street, San Francisco, CA 94103, USA |
Updates
As Brandox is continuously improving its product(s), the sub-processors used may also change. Brandox will promptly update this page with any new or replacement sub-processors and notify customers before, and how, such sub-processors will process personal data. Please check back frequently for updates.