Data Processing Agreement

This data processing agreement (the “Data Processing Agreement”) is entered into between the Licensee and DbVis Software AB, the Licensor, and forms an integrated part of the EULA. By using the Software the Licensee accepts to be bound by the terms and conditions of the Data Processing Agreement. The Licensor and the Licensee are hereinafter jointly referred to as the “Parties” and each individually as a “Party”.


Introduction

  1. The Parties have previously (or in connection with this Data Processing Agreement) entered into the EULA. This Data Processing Agreement is an appendix to the EULA.
  2. Within the undertakings arising from the EULA, the Licensor might process personal data and other information on behalf of the Licensee. For that reason, the Parties enter into this Data Processing Agreement to regulate the conditions for the Licensor’s processing of, and access to, personal data on behalf of the Licensee, in accordance with the definitions below.

1. Definitions

Unless the circumstances clearly indicate otherwise, definitions or terms used in this document shall be defined as set forth below and any such definition or term which is used in the General Data Protection Regulation and which is not stated below shall be defined as follows from Article 4 of the General Data Protection Regulation. Definitions are also set out in the EULA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Data Subject” means the living natural person whose Personal Data is Processed.

“General Data Protection Regulation” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

“Instruction” means the instructions the Licensee gives the Licensor within the scope of this Data Processing Agreement.

“Other Regulatory Regime” means national laws applicable from time to time to Processing of Personal Data (excluding the General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or another body which Processes Personal Data on behalf of the Controller.

2. Documents

  1. The Data Processing Agreement consists of this document and the attached Instruction. In the event of any contradiction between this document and the Instruction, this document shall prevail, unless otherwise specified or unless circumstances clearly dictate otherwise.
  2. Irrespective of what the Parties have otherwise agreed regarding conflicts, the provisions of this Data Processing Agreement shall take precedence over all other provisions of the EULA and its appendices in cases where the conflict relates to Processing of Personal Data.

3. Generally Regarding the Processing

  1. The Licensee is the Controller of the Personal Data Processed in connection with performance and provision of services under the EULA and its appendices.
  2. The Licensor is to be considered as Processor on behalf of the Licensee. As a Processor, the Licensor is responsible for carrying out all Processing of Personal Data on behalf of the Licensee in accordance with this Data Processing Agreement, the Instruction, and the General Data Protection Regulation.
  3. The Licensor has provided sufficient warranties regarding implementation of appropriate technical and organisational measures in such manner that the Processing of Personal Data fulfils the requirements of the General Data Protection Regulation and Other Regulatory Regime, and to ensure that the rights of the Data Subject are protected.
  4. Taking into account the nature of the Processing, the Licensor shall, through appropriate technical and organisational measures, assist the Licensee, to the extent possible, so that the Licensee can fulfil its obligation to respond to requests regarding exercise of the rights of the Data Subject in accordance with Chapter III of the General Data Protection Regulation.
  5. If the Licensor believes that the Instruction or other instruction or communication from the Licensee is in breach of the General Data Protection Regulation or Other Regulatory Regime, the Licensor is entitled to notify the Licensee and suspend the Processing in question.

4. Purpose and type of Personal Data etc.

The Instruction shall, inter alia, state the subject of the Processing, the duration, nature and purpose of the Processing, the type of Personal Data, and the categories of Data Subjects.

5. The Licensor’s Personnel etc.

  1. The Licensor, its employees, and other persons carrying out work under the Licensor’s supervision, and who are given access to Personal Data by the Licensee, may only Process such Personal Data as instructed by the Licensee, unless otherwise follows from an obligation under EU or Swedish national law.
  2. The Licensor shall ensure that its employees and all other persons for whom the Licensor is responsible and who are authorised to Process Personal Data covered by this Data Processing Agreement undertake to observe confidentiality (unless such person is subject to a relevant and appropriate statutory duty of confidentiality).

6. Security

  1. The Licensor shall take all necessary security measures required in accordance with Article 32 of the General Data Protection Regulation and this Data Processing Agreement.
  2. In assessing the appropriate level of security in accordance with the clause above, particular account shall be taken of the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss or alteration, or from unauthorised disclosure of, or access to, the Personal Data transmitted, stored, or otherwise Processed.
  3. Taking into account the type of the Processing and the information in possession of the Licensor, the Licensor shall assist the Licensee in ensuring that the latter’s obligations regarding security can be fulfilled in the manner which follows from Article 32 of the General Data Protection Regulation.

7. Personal Data Breach

  1. Taking into account the type of Processing and the information available to the Licensor, the Licensor shall assist the Licensee in ensuring that the obligations in connection with any Personal Data Breach can be fulfilled in the manner which follows from Articles 33–34 of the General Data Protection Regulation.
  2. The Licensor shall notify the Licensee without undue delay after the Licensor becomes aware of a Personal Data Breach.

8. Impact Assessment and Prior Consultation

The Licensor shall, taking into account the nature of the Processing and the information available to the Licensor, assist the Licensee in fulfilling its obligations, if any, regarding the performance of a data protection impact assessment and/or prior consultation with a supervisory authority in accordance with Articles 35 and 36 of the General Data Protection Regulation.

9. Instruction

The Licensor may only Process Personal Data covered by this Data Processing Agreement based on the Licensee’s documented instructions (including in respect of transfers of Personal Data to a third country or an international organisation, unless such Processing is required by EU law or by a Member State’s national law to which the Licensor is subject, in which case the Licensor shall inform the Licensee of the legal requirement prior to Processing of the data, unless such information is prohibited on grounds of important public interest under the relevant national law).

10. Subprocessors

  1. The Licensee hereby gives the Licensor a general prior written authorisation to engage subprocessors to carry out Processing of Personal Data under this Data Processing Agreement. Where the Licensor intends to engage a new subprocessor or replace an existing subprocessor, the Licensor shall inform the Licensee of any plans to retain a new subprocessor or if an existing subprocessor is to be replaced by another, so that the Licensee has an opportunity to object to such a change (however, an objection may not be made unless there are objectively acceptable reasons).
  2. The Licensor shall ensure that any subprocessor engaged enters into a written data processing agreement before the subprocessor commences work that has a connection to the Licensee. Such a data processing agreement must contain, at a minimum, the undertakings and obligations which follow from the Data Processing Agreement. In such data processing agreement, the subprocessor shall provide sufficient warranties regarding implementation of appropriate technical and organisational measures in such manner that the Processing fulfils the requirements of the General Data Protection Regulation.
  3. In the event the subprocessor fails to fulfil its obligations, the Licensor shall, subject to the terms of this Data Processing Agreement, be liable to the Licensee for the performance of the subprocessor’s obligations.
  4. The Licensor will provide the Licensee with a list of subprocessors upon reasonable request.

11. Transfer to Third Countries

All of the Licensor’s Processing of Personal Data on behalf of the Licensee takes place within the EU/EEA or the US. The Licensor warrants that no Personal Data will be moved, stored, transferred, or otherwise Processed outside the EU/EEA or the US. All transferring of Personal Data outside the EU/EEA will be in compliance with applicable transfer mechanisms.

12. Request for Information

  1. If a Data Subject or other third-party requests information from the Licensor regarding Processing of Personal Data carried out on behalf of the Licensee, the Licensor shall refer such Data Subject or other third party to the Licensee.
  2. If a public authority requests such data as follows from the above clause, the Licensor shall immediately notify the Licensee of the request and, in consultation with the Licensee, agree on an appropriate course of action.

13. Right to Transparency

  1. The Licensor shall provide the Licensee with access to all information required to demonstrate that the obligations which follow from Article 28 of the General Data Protection Regulation have been fulfilled, and to make possible and assist in audits, including inspections, conducted by the Licensee or by other auditor authorised by the Licensee. The Licensor shall always be entitled to reasonable notice in the event the Licensee wishes to exercise its right to conduct an audit or inspection and the Licensee shall reimburse the Licensor for its costs in connection with such audit or inspection.
  2. The Licensee is responsible for ensuring that personnel and others retained by the Licensee to conduct an audit in accordance with the clause above have entered into a customary confidentiality undertaking that prevents the dissemination of data covered by the audit.

14. Remuneration

The Licensor shall receive remuneration for measures that it takes in respect of Processing of Personal Data in accordance with this Data Processing Agreement, or in accordance with the EULA and appendices in general.

15. Liability

A Party is liable to compensate for damage/loss that it, or another party for which it is liable, has caused to the other Party in connection with Processing of Personal Data, or in the event of actions in breach of this Data Processing Agreement, covered by the limitation of liability in clause 9 of the EULA. Notwithstanding the foregoing, the Licensor’s liability in relation to the Licensee will never exceed an amount corresponding to the fees paid or payable by Licensee for the Software in the twelve (12) months preceding the claim.

16. Termination of the Data Processing Agreement

  1. This Data Processing Agreement will remain in force as long as the EULA remains in force.
  2. After termination of the Data Processing Agreement, the Licensor may not keep any Personal Data received under this Data Processing Agreement, and as soon as the Licensor has complied with the clause above, the Licensor’s right to Process or otherwise use the Personal Data ceases (unless storage of the Personal Data is required by national legislation or EU law or the Licensor has a legal basis to Process relevant Personal Data).

Instruction to the Data Processing Agreement

Definitions used in this Instruction shall have the same meaning as in the Data Processing Agreement, unless the circumstances clearly indicate otherwise.

Subject Matter of the Processing

The subject matter of the Licensor’s Processing of Personal Data on behalf of the Licensee is:

  • User support and technical service requests.
  • License information to enable access to the Software.
  • Commercial information related to purchases of the Software or other business undertakings between the parties.
  • Services for the management of Software.
  • AI features in the Software.
  • “Check for Update” functionality to download new versions of the SW, unless disabled by Licensee.

Purpose of each Processing

The purpose of the Licensor’s Processing of Personal Data on behalf of the Licensee is:

  • To provide the user support with technical service requests.
  • To provide the user license information to enable access to the Software.
  • To provide the user commercial information related to purchases of the Software.
  • To provide services for the management of Software.
  • To provide the user with AI features in the Software.

Categories of Processing

The measures carried out by the Licensor as part of the Processing of Personal Data on behalf of the Licensee are:

  • Storage
  • Structuring
  • Adaptation

Categories of Personal Data

The Licensor is entitled to Process the following categories of Personal Data on behalf of the Licensee:

  • Name
  • Organization (name, id number, VAT number)
  • Email address
  • Physical address
  • Phone/fax number
  • Unit identifier (host name, OS, machine ID)
  • PO number
  • Revision logs
  • Token for credit card

Categories of Data Subjects

The Licensor is entitled to Process Personal Data relating to the following categories of Data Subjects:

  • Authorized Users
  • Business contacts and similar in customer organizations

    
Duration of the Processing

The Licensor will Process Personal Data during the following time period:

  • During the duration of the EULA or for ongoing business.

Technical and Organisational Security Measures

The Licensor shall take the following technical and organisational security measures as part of the Processing of Personal Data on behalf of the Licensee:

  • Organizational Measures
    • Licensor has internal personal data processing policies in place. Every employee of Licensor is obliged to familiarize themselves with the policies before accessing personal data.
    • Every employee of Licensor undergoes a background check before commencing their work at Licensor.
    • The policies are reviewed annually to keep them up-to-date in accordance with the industry standards. The review is based upon testing, assessing, and evaluating the effectiveness of the covered measures for ensuring the security of the processing of personal data.
    • Security breaches are reported to the Licensor’s senior management.
    • To achieve compliance with up-to-date security standards, Licensor runs security audits for business-critical applications.
    • Licensor maintains a personal data processing policy and ensures reasonable awareness of it within the company.
    • Licensor ensures the compliance of Subprocessors and data processing partners with applicable data protection regulations.
    • Licensee ensures reasonable awareness of the applicable data protection regulations within the company.
  • Technical Measures
    • Licensor makes commercially reasonable efforts to protect processed personal data from unauthorized access and to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
    • Data storages are encrypted when the encryption noticeably improves data security.
    • The transfer of data outside Licensee premises or premises Licensor maintains is secured with certificates of actual TLS versions, in order to prevent any unauthorized subject from capturing and reading the personal data that are subject to the transfer.
  • Data Access Measures
    • Physical access to production environment of Products or Services hosted by Licensor
      • Licensor uses Google Cloud Platform or other hosting providers as identified in the Approved Subprocessors list.
      • Employed hosting providers utilize secure premises for storage and encrypted physical communications channels compliant with recent security standards.
    • Availability
      • Licensor uses scalable applications for business-critical functionality to provide full availability of its Products and Services to its users.
      • Licensor employs third-party hosting providers’ stable infrastructure to improve the availability of its Products and Services.
      • Employed service providers provide Licensor with the functionality of restoring from backups for business-critical processes and restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
    • System access
      • Access to production systems is limited to authorized employees who require the access to perform their duties.
      • Accounts used for access to production systems are terminated when an employee leaves Licensor.
    • Permissions management
      • Access to data or systems is provided on a “need-to-know” basis.
      • Employees involved in development do not have access to production infrastructure unless it is required for the support or provision of services.
      • Licensor keeps track of (logs) any important data processing activities, i.e. copying, amendment, deletion, etc., in order to enable Licensor and Licensee to demonstrate due protection of any personal data processed and compliance with data protection regulations in general.

Storage Minimization

Personal Data may not be stored longer than is necessary for the purpose of the Processing.

Approved Subprocessors

The Licensee has approved the Licensor’s use of the following subprocessors:

Name | Type of service/processing | Location/country for the sub-processor's processing
Freshdesk Inc | Sales / Support ticket system | United States
Google Cloud EMEA | Internal productivity / email systems | United States
Campaign Monitor | Campaign management system | United States
Cleverbridge AG | Payment services provider | Germany
OpenAI | AI Service | United States
Digital Ocean | License Management System | United States