Ombori

DATA PROCESSING ADDENDUM (DPA)

VERSION: 1/2021

  1. Background and Scope

    1. This Data Processing Addendum (this “DPA”) constitutes an agreement between a controller and a processor as required by the GDPR (as defined below) and consists of this main document and the Specification (as defined below). Where applicable and subject to Section 6, standard contractual clauses adopted by the EU Commission from time to time shall be deemed incorporated into this DPA by reference. This DPA and the Terms of Service jointly form the Agreement.

    2. OmboriGrid will, as part of the Service, process Covered Personal Data (as defined below) on behalf of Customer and thus be Customer's processor.

    3. If Covered Personal Data includes personal data for which a third party is the data controller, Customer warrants and represents that it has been instructed by and obtained the mandate and authorization of all relevant data controllers to enter into this DPA with OmboriGrid on behalf of such third party data controller.

    4. For the avoidance of doubt, Personal Data collected and processed by OmboriGrid as the data controller is not subject to this DPA. Please see OmboriGrid's Privacy Policy for further information.

  2. Interpretation and Definitions

    1. This DPA constitutes an addendum and an integrated part of the Agreement. In the event of inconsistencies between any section in other Agreement documents and this DPA in regards to OmboriGrid's processing of Covered Personal Data, this DPA shall prevail and apply in lieu of such inconsistent section in other Agreement documents. Notwithstanding the foregoing, standard contractual clauses shall (if incorporated) have the highest priority in the event of any conflict or inconsistency with this DPA or other parts of the Agreement.

    2. Terms that are legally defined in the GDPR, such as “controller”, “processor”, “personal data”, “processing” and “data subject”, shall be construed and applied in accordance with the GDPR.

    3. Terms defined in the Terms of Service shall have the same meaning when used in this DPA with an initial capital letter.

    4. In addition to the preceding Sections and to the terms defined above, the following terms shall have the meanings stated below:

      "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

      "Covered Personal Data": Personal data that is processed by OmboriGrid on behalf of Customer, see the Specification.

      "Specification": Means Annex A to this main document.

      "Supervisory Authority": A Swedish or EU authority such as the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) and, where applicable, any other supervisory authority with regulatory jurisdiction over Customer's business operations.

  3. Lawful Processing

    1. OmboriGrid undertakes to process Covered Personal Data in accordance with the GDPR, this DPA, the Agreement and Customer's written and documented instructions from time to time in accordance with Section 4.

  4. Instructions

    1. OmboriGrid and any Subprocessors and persons acting under the authority of OmboriGrid may only process Covered Personal Data in accordance with Customer's written and documented instructions. Customer's instructions upon entering into this DPA follow from this DPA and the Agreement.

    2. If the Customer has engaged an Approved Partner who is a Certified Solution Provider (as described in the Agreement), then Customer hereby instructs OmboriGrid to disclose and make available relevant Covered Personal Data to the Approved Partner to enable such Approved Partner to be able to provide application development and/or support services and other value-adds to the Customer. Following disclosure of Covered Personal Data by OmboriGrid to an Approved Partner in accordance with this Section 4.2, the relevant personal data will subsequently be processed by the Approved Partner as a data controller (unless otherwise agreed between the Customer and the Approved Partner).

    3. The Customer has the right to continuously instruct OmboriGrid in writing regarding the processing of Covered Personal Data (“Additional Instructions”), and OmboriGrid has a corresponding obligation to follow such Additional Instructions, provided that they are consistent with the terms and scope of the Agreement and this DPA.

    4. If OmboriGrid believes that Customer's instructions, in the opinion of OmboriGrid, might infringe the GDPR, OmboriGrid shall without undue delay notify Customer and await further instructions before continuing any processing of Covered Personal Data.

    5. This DPA will not in any way prevent or limit OmboriGrid from processing Personal Data to the extent necessary in order to comply with legal requirements under the GDPR and/or other laws to which OmboriGrid is subject.

    6. Notwithstanding any provisions regarding choice of law agreed between the parties in the Agreement, OmboriGrid will comply with data protection legislation applicable to data processors located in the EU, and the Customer shall comply with data protection legislation applicable to Customer as data controller.

  5. Technical and Organizational Measures

    1. OmboriGrid shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the processing of Covered Personal Data. The Customer agrees and acknowledges that technical and organizational measures are subject to technical progress and further development. Accordingly, OmboriGrid reserves the right to modify such measures provided that the functionality and security of the Service is not significantly degraded as a result thereof. The Customer hereby discharges OmboriGrid of any obligation to notify and/or obtain prior approval from Customer of such changes. If the Customer so requests in writing, OmboriGrid shall provide information about the technical and organizational security measures which OmboriGrid has implemented, within fifteen (15) business days from Customer's request.

    2. OmboriGrid shall ensure that only personnel that needs access to Covered Personal Data in order to fulfil their obligations towards Customer have access to Covered Personal Data and that any person who has access to Covered Personal Data is subject to appropriate confidentiality undertakings, as determined by OmboriGrid (in its reasonable discretion).

    3. OmboriGrid shall, at no additional cost for Customer, comply with the Supervisory Authority's applicable decisions, guidelines and recommendations on necessary or recommended measures to comply with the security requirements in the GDPR.

  6. Transfer of Covered Personal Data Outside the EU/EEA

    1. Customer agrees that OmboriGrid or any of its Subprocessors may process Covered Personal Data on equipment, infrastructure or through resources that are physically located outside the EU/EEA, for the performance of OmboriGrid's undertakings under the Agreement and provided that OmboriGrid ensures a valid Transfer Mechanism.

    2. A valid “Transfer Mechanism” is any of the following:

      1. the third country in which the data recipient resides provides an adequate level of protection for Covered Personal Data, according to a valid adequacy decision by the EU Commission; or

      2. OmboriGrid and the data recipient enter into standard contractual clauses adopted by the EU Commission from time to time and Customer hereby authorizes and mandates OmboriGrid to enter into such standard contractual clauses on behalf of the Customer (if required); or

      3. the cross-border transfer is otherwise made in accordance with Chapter V of the GDPR.

    3. Regardless of OmboriGrid's choice of Transfer Mechanism, OmboriGrid shall take appropriate safeguards to ensure a level of protection for Covered Personal Data which is essentially equivalent to that of the GDPR.

    4. If during the term of the DPA, the EU Commission issues new or revised standard contractual clauses, such updated clauses shall automatically be incorporated and supersede the prior standard contractual clauses under this DPA, unless otherwise notified to Customer in writing by OmboriGrid. Where deemed necessary by OmboriGrid, the Parties shall at their own cost take necessary actions (if any) to properly implement the updated standard contractual clauses.

  7. Obligation to Provide Information and Assist Customer

    1. OmboriGrid shall assist Customer by appropriate technical and organizational measures for fulfilment of Customer's obligations regarding Covered Personal Data, such as to respond to requests on the exercise of data subjects' rights and, without undue delay, rectify, erase, restrict and/or block the processing of Covered Personal Data in accordance with Customer's instructions and to always do so in accordance with the GDPR.

    2. OmboriGrid undertakes to notify Customer in writing of any personal data breach involving Covered Personal Data, attributable to OmboriGrid or any of its Subcontractors, without undue delay after the personal data breach is detected by OmboriGrid. The notification shall be sent to the Customer's contact person (as specified in the Agreement).

    3. OmboriGrid's notification to the Customer in accordance with Section 7.2 shall include the following information:

      1. a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of Covered Personal Data records concerned; and

      2. a description of the measures taken or proposed to be taken by OmboriGrid to address the Covered Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

    4. Where, and in so far as, it is not possible to provide the information at the same time, OmboriGrid may provide the information to the Customer in phases and without undue delay.

    5. If a personal data breach is attributable to the Customer, OmboriGrid shall only be responsible for notifying Customer about the personal data breach and await written instructions from Customer about whether or not Customer wishes OmboriGrid to investigate the personal data breach on behalf of Customer (at Customer's sole cost).

    6. OmboriGrid shall otherwise, upon Customer's request, assist Customer to ensure that Customer can fulfil its obligations under the GDPR, including but not limited to providing Customer with all information that may reasonably be required to demonstrate OmboriGrid's compliance with its obligations as a processor set out in the GDPR. Such assistance may include data protection impact assessments and prior consultations.

  8. Contact with Data Subjects and Supervisory Authorities

    1. As the data controller, Customer shall act as the single-point-of-contact in relation to data subjects on all matters and issues related to the processing activities carried out under this DPA. OmboriGrid shall, subject to compensation as set out in Section 13, duly assist Customer in responding to requests from data subjects and to correct, erase, limit and/or block Covered Personal Data in accordance with Customer's instructions.

    2. In the event that a data subject, Supervisory Authority, or any other third party requests information from OmboriGrid regarding the processing of Covered Personal Data, OmboriGrid shall immediately refer such request to Customer, provided that OmboriGrid is not prohibited from doing so by a decision of a court or public authority.

    3. If a data subject's Covered Personal Data is not accessible to the Customer through the Service, OmboriGrid will, as necessary to enable Customer to meet its obligations under applicable data protection legislation, provide reasonable assistance to make such Covered Personal Data available to Customer. OmboriGrid is entitled to compensation from the Customer for any costs and expenses relating to OmboriGrid's assistance in accordance with Customer's request pursuant to this Section 8.3.

    4. If a data subject pursuant to mandatory law is entitled to exercise its right directly vis-à-vis OmboriGrid, OmboriGrid shall take relevant measures and shall be discharged of any obligation to inform or notify Customer.

    5. Customer agrees to provide or distribute information notices to data subjects about specific data processing operations in the Service in accordance with OmboriGrid's instructions in writing from time to time.

  9. Right to Audit

    1. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, OmboriGrid shall allow Customer, or a third party appointed by Customer, the right to audit OmboriGrid's business operations and the equipment used for the processing of Covered Personal Data in order to ensure that OmboriGrid and any Subprocessors engaged by OmboriGrid, comply with their respective obligations under this DPA and the GDPR. OmboriGrid shall provide reasonable assistance to Customer in connection with an audit. Audits may not be carried out by a direct competitor of OmboriGrid.

    2. Customer undertakes to inform OmboriGrid of Customer's intention to carry out an audit and its planned scope in reasonable time before an audit. The audit shall be carried out during normal business hours and in a manner that minimizes disturbance on OmboriGrid's and any Subprocessor's business operations and is otherwise in line with applicable OmboriGrid practices and policies. Furthermore, Customer shall ensure that each individual performing the inspection is imposed an obligation to follow security instructions and the same confidentiality obligations as Customer under the Agreement, or, at OmboriGrid's request, signs a non-disclosure agreement in relation to OmboriGrid. OmboriGrid shall under no circumstances be obliged to disclose information that is subject to secrecy in accordance with law or agreement, nor trade secrets or similar information of OmboriGrid, its other customers or Subprocessors.

    3. On-site audits shall be subject to at least sixty (60) days' prior written notice by the Customer to OmboriGrid.

    4. Customer shall strive to minimize the extent of an audit and conduct audits with a risk-based approach and subject to the principle of proportionality. Any and all costs and expenses related to Customer's audits shall be borne by the Customer, including any potential costs and expenses incurred by OmboriGrid due to OmboriGrid's or any Subprocessor's participation in such audit.

    5. OmboriGrid may, at its option, conduct internal audits of its processing of Covered Personal Data, in order to verify its compliance with its obligations as a processor in accordance with the GDPR.

    6. OmboriGrid shall allow for any audits that a Supervisory Authority requires in order to ensure lawful processing of Covered Personal Data.

  10. Subprocessors

    1. Customer hereby grants OmboriGrid a general prior authorization to engage service providers (“Subprocessors”) to process Covered Personal Data and enter into data processing agreements with such Subprocessors with obligations no less restrictive than those set out in this DPA. Furthermore, Customer hereby approves the processing of Covered Personal Data by any Subprocessors engaged by OmboriGrid at the time of OmboriGrid and Customer entering into the Agreement, as specified in the Specification (if any).

    2. OmboriGrid may replace or add new Subprocessors at any time, provided that OmboriGrid notifies the Customer of any such change without undue delay, thereby giving Customer the opportunity to object to such change.

    3. A list of Subprocessors including geographical location can be provided by OmboriGrid upon Customer's written request.

    4. Customer may object to a Subprocessor processing Covered Personal Data, provided that such objection is reasonable and based on data protection and protection of data subject's rights and freedoms. If OmboriGrid is unable to accommodate Customer's objection, Customer may terminate, in whole or in part (where possible), the Agreement including this DPA by providing OmboriGrid a written notice of termination within one (1) month of OmboriGrid's notice in accordance with Section 10.2. OmboriGrid will refund a prorated portion of any pre-paid charges for the period after such termination date.

    5. OmboriGrid shall be liable for the acts and omissions of any Subprocessor to the same extent as if the acts or omissions were performed by OmboriGrid.

  11. Confidentiality

    1. Each Party's respective confidentiality undertakings under this DPA are set out in the Agreement.

    2. The confidentiality undertaking in accordance with Section 11.1 is not applicable in relation to Subprocessors with whom OmboriGrid has entered into a data processing agreement in accordance with Section 10. However, any such data processing agreement shall include a corresponding confidentiality obligation for the Subprocessor.

  12. Liability

    1. Each Party's respective liability under this DPA is subject to the exceptions and limitations set out in the Agreement.

  13. Compensation

    1. Unless expressly set out in this Section 13, OmboriGrid is not entitled to any additional compensation for its performance under this DPA.

    2. OmboriGrid is entitled to compensation on a time and material basis, for any work effort under this DPA which is not included in the Service, including work efforts related to:

      • Additional Instructions that go beyond what is included in the Service, except where the relevant Additional Instruction is an explicit requirement and obligation for OmboriGrid pursuant to the GDPR.

      • Assisting Customer in responding to requests from data subjects in accordance with Section 8.

      • Assisting Customer with data protection impact assessments and prior consultations, in accordance with Section 7.6.

      • Facilitating more than one (1) on-site audit per calendar year at OmboriGrid's premises, unless such audit is carried out due to a personal data breach related to Covered Personal Data attributable to OmboriGrid.

      • Assisting Customer in transferring Covered Personal Data to Customer in connection with the termination of the Agreement, as set out in Section 14.

    3. Compensation shall, unless agreed otherwise, be based upon the agreed hourly rates in the Agreement.

  14. Term and Termination

    1. This DPA enters into force upon the date of its execution by both Parties and shall remain in force for as long as OmboriGrid or any Subprocessor processes Covered Personal Data.

    2. Upon termination of the Agreement and during the Retention Period, OmboriGrid will provide Customer with a possibility to download and retrieve any Covered Personal Data in OmboriGrid's or any Subprocessor's possession in accordance with OmboriGrid's standard procedures for the Service. Upon expiry of the Retention Period, OmboriGrid shall delete or anonymize any Covered Personal Data, unless OmboriGrid is obligated under applicable law to continue storing the Covered Personal Data.

  15. Miscellaneous

    1. Without prejudice to the Agreement, this DPA shall constitute the entire agreement between the Parties on all issues to which the DPA relates. The contents of this DPA and its appendices supersede all previous written or oral commitments and undertakings between the Parties on the issues to which this DPA relates.

    2. Nothing in this DPA shall limit OmboriGrid or any of its Subprocessors from complying with applicable laws and/or orders from supervisory authorities, governmental agencies or regulatory bodies.

  16. Governing Law and Dispute Resolution

    1. Governing law as well as disputes regarding the interpretation or application of this DPA shall be settled in accordance with the governing law and dispute resolution provisions of the Agreement.


ANNEX A – SPECIFICATION

  1. Purpose

    1. This Annex A (Specification) to this DPA between OmboriGrid and Customer describes the processing of Covered Personal Data that OmboriGrid will carry out on behalf of Customer under this DPA.

    2. The purpose of this Annex A (Specification) is to clarify which processing and personal data are covered by the Agreement, and to fulfil the requirements of the GDPR regarding the obligation to specify a processor's processing of personal data, see for example Article 28.3 GDPR.

  2. Description of the Processing of Covered Personal Data

Subject-matter and purpose of the processing

OmboriGrid will provide the Service to the Customer as described in the Agreement. The Service gives the Customer access to the OmboriGrid Marketplace with ready-to-use screen, IoT, cloud and mobile apps which can be configured depending on Customer's needs. OmboriGrid and the Customer may also agree on development of Customer-specific apps, where apps are developed for the Customer, based on the Customer's instructions in each case. Furthermore, Customer may be granted access to the OmboriGrid Platform for the purpose of developing its own apps and given the right to upload these apps to the OmboriGrid Marketplace, where they can be accessed by both the Customer and other customers. The processing of Covered Personal Data is necessary for the provision of the Service to the Customer.

Categories of Covered Personal Data

The Customer chooses which categories of Covered Personal Data will be processed when configuring the Service and the Apps running on the Service. Categories often include:

  • Contact details (such as name, address, e-mail, telephone number)
  • User ID
  • Device information (where relevant)
  • Azure Tenant information
  • Geographical location
  • Usage data
  • Pictures

Categories of data subjects

The Covered Personal Data concerns the following categories of data subjects:

  • Customer's employees and contractors/other resources (such as consultants)
  • The Customer's end-customers and visitors to its public spaces

Duration of the processing and time of storage

Covered Personal Data will be processed and retained by OmboriGrid no longer than required for OmboriGrid to fulfil its obligations in relation to the Customer under the Agreement.

General description of the technical and organizational security measures

Please see OmboriGrid's Privacy Policy.

Authorized Subprocessors of Covered Personal Data

The following Subprocessors will be engaged by OmboriGrid for the processing of Covered Personal Data:

| Name of Subprocessor | Processing carried out by Subprocessor | Location for processing |
| --- | --- | --- |
| Microsoft Corporation | Infrastructure services | All data storage on datacenters/regions inside EU/EEA by default, but the Customer can choose to store data in another Azure region when configuring the Service. Please note that cloud services may involve limited data transfers to locations outside EU/EEA, subject to applicable policies from Microsoft from time to time. Such transfers will be subject to the terms of this DPA |
| Hubspot, Inc. | CRM and support | Data is processed in the EU (Google Cloud) and subsequently stored in the US (AWS). For more information, see https://knowledge.hubspot.com/account/hubspot-cloud-infrastructure-frequently-asked-questions |

Authorized recipients of Covered Personal Data

  • Affiliates of OmboriGrid, if and when required to provide agreed services.
  • Approved Partners (where applicable) in accordance with Section 4.2.
  • Other recipients stated in OmboriGrid's Privacy Policy.
  • Governmental authorities, if and when required by law or binding court order.
