Data Processing Agreement

Last updated: December 17, 2024

This Data Processing Agreement (“DPA”) is between:

1. SalesKong (“Processor”), and
2. Subscriber (“Controller”),

each a “Party” and together the “Parties.”

Background:

• The Parties have entered into an agreement (“Agreement”) under which SalesKong provides services (“Services”) to Subscriber.
• This DPA forms part of the Agreement and prevails over any conflicting terms in the Agreement with respect to data processing and protection.

1. Purpose and Scope

• This DPA sets out the terms under which SalesKong, as Processor, will process personal data (“Personal Data”) on behalf of Subscriber, as Controller.
• Personal Data is processed solely to provide the Services under the Agreement.

2. Definitions

• “Applicable Data Protection Laws” means all data protection laws and regulations applicable to the processing, including the GDPR and EU/EEA data protection laws.
• Other capitalized terms used in this DPA shall have the meanings given in the Agreement or Applicable Data Protection Laws.

3. Controller’s Instructions

• SalesKong shall process Personal Data only on documented instructions from Subscriber, as set out in this DPA, the Agreement, and any lawful written instructions subsequently provided by Subscriber.
• If SalesKong believes an instruction violates Applicable Data Protection Laws, it shall promptly inform Subscriber.

4. Processor’s Obligations

SalesKong shall:

• Comply with Applicable Data Protection Laws.
• Process Personal Data only for the agreed purposes and in accordance with Subscriber’s instructions.
• Ensure that persons authorized to process Personal Data are subject to confidentiality.
• Implement appropriate technical and organizational measures to protect Personal Data (see Appendix C).
• Assist Subscriber with data subject requests and other legal obligations where possible.
• Notify Subscriber without undue delay if it becomes aware of a Personal Data breach.
• At Subscriber’s choice, securely delete or return all Personal Data at the end of the Services, unless required by law to retain it.

5. Subscriber’s Obligations

Subscriber shall:

• Ensure that it has all necessary rights and consents to provide Personal Data to SalesKong.
• Comply with Applicable Data Protection Laws and provide clear, lawful instructions.
• Provide Personal Data to SalesKong only through agreed secure methods.

6. Confidentiality and Disclosure

• SalesKong shall not disclose Personal Data to third parties without Subscriber’s prior written consent, except as required by law.
• If compelled by law to disclose Personal Data, SalesKong shall (where legally permitted) inform Subscriber before disclosure and seek confidentiality to the extent possible.

7. Sub-Processors and International Transfers

• SalesKong may engage sub-processors to assist with processing, subject to written agreements ensuring the same level of data protection as this DPA.
• SalesKong will inform Subscriber of any intended changes to its sub-processors, giving Subscriber a reasonable opportunity to object.
• If Personal Data is transferred outside the EU/EEA, SalesKong will ensure appropriate safeguards (e.g., Standard Contractual Clauses).

8. Audits and Assistance

• Subscriber may conduct reasonable audits to verify SalesKong’s compliance with this DPA.
• SalesKong shall cooperate with Subscriber to provide relevant information and assistance.

9. Data Subject Rights

• SalesKong shall assist Subscriber in responding to data subjects’ rights requests.
• If SalesKong receives such a request directly, it will promptly forward it to Subscriber.

10. Personal Data Breach Notification

• SalesKong shall inform Subscriber without undue delay (no later than 72 hours after becoming aware) of any Personal Data breach and assist Subscriber in meeting legal notification obligations.

11. Term and Termination

• This DPA applies as long as SalesKong processes Personal Data under the Agreement.
• Upon termination of the Services, SalesKong shall, at Subscriber’s choice, delete or return all Personal Data unless legally required to retain it.

12. Governing Law and Dispute Resolution

• This DPA is governed by Swedish law.
• Disputes shall be resolved as set forth in the Agreement.

Appendix A – Specification of Data Processing

Purposes: Providing and managing the Services

Data Subjects: Subscriber’s employees, contractors, end-users, or similar authorized individuals.

Categories of Data:

• User data (e.g., name, email)
• Content (e.g., text, audio, video, chat)
• Performance metrics (e.g., progress)
• Device data (e.g., IP address)
• Activity data (e.g., event logs)
• Support data (e.g., troubleshooting tickets)

Processing Operations: Collection, storage, retrieval, analysis, and deletion as required to provide the Services.

Appendix B – Pre-Approved Sub-Processors

For each sub-processor that we use, we apply the principles of least privilege. This means that each third-party system shall only have access to the minimum data required to fulfill its purpose.