IT IS AGREED
1. INTRODUCTION 1.1 The Parties have previously - or in connection with this Agreement - entered into an agreement regarding the usage of the Service (the “Main Agreement”). 1.2 Within the obligations arising from the Main Agreement, the Processor may process Personal Data and other information on behalf of the Controller. 1.3 As a result, the Parties hereby agree this Agreement to regulate the conditions for Processor’s access to – and other processing of - Personal Data belonging to the Controller. The Agreement applies as long as the Processor processes Personal Data on behalf of the Controller. 1.4 The Agreement aims to ensure that the Processor carries out the processing of Personal Data on behalf of the Controller in accordance with the applicable Data Protection Laws. 2. DEFINITIONS AND INTERPRETATION 2.1 “GDPR” means the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 2.2 “Data Protection Laws” means: (i) the GDPR and replacement acts; (ii) applicable Swedish law (or otherwise applicable Member State law) regarding data protection; and (iii) ordinances and regulations to i) and ii) above as well as guidelines issued by the Supervisory Authority and applicable to the Parties’ activities. 2.3 **”Supervisory Authority” means **the Swedish Authority for Privacy Protection (IMY) and, where applicable, other competent authority. 2.4 “In writing” and “written” shall have the same meaning as in Article 28(9) GDPR and include the electronic form (e.g. via email). 2.5 Unless circumstances clearly show otherwise, the definitions used in the Agreement shall have the corresponding definition as set out in Article 4 GDPR. 3. PERSONAL DATA PROCESSING 3.1 The Processor may only process the Personal Data for the Controller in accordance with the purposes of the Main Agreement, the provisions of the Agreement and in accordance with the written instructions provided by the Controller from time to time, unless the Processor is required otherwise by applicable union or member state law. The Processor may not process the data for its own purposes. The Processor hereby informs the Controller that the Processor is subject to legal retention obligations relating to tax legislation and is obliged to ensure an adequate level of security of the processing. 3.2 The Processor shall be entitled to compensation for additional costs incurred by the Processor due to the Controller’s specific requests that go beyond Processor’s reasonable adjustments to legal requirements. 3.3 Processor shall inform Controller without undue delay if, in its opinion, an instruction infringes applicable Data Protection Laws. 4. COOPERATION 4.1 The Processor shall, as far as possible, assist the Controller in fulfilling its obligations according to Art. 32-36 of the GDPR and to enable Data Subjects to exercise their rights under the GDPR, such as the right to access and the right to erasure. The Processor shall be entitled to compensation from the Controller for the additional costs that this entails. 4.2 The Processor shall, with due consideration of the type of treatment and information available to the Processor, assist the Controller in ensuring that the safety of the treatment is adequate, e.g. in the case of pseudonymization and encryption, system resilience, etc., see more about security below. Furthermore, taking into the account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organisational measures, in the fulfilment of the Controller’s obligation to respond to Data Subject requests. 5. AUDITS 5.1 Processor shall make available to Controller all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller at Controller’s cost. Audits will be coordinated and carried out in a reasonable manner (remote-first where feasible), with access limited to information strictly necessary to verify compliance. An audit or request for information shall not grant the Controller access to the Processor’s, or a third party’s, trade secrets or proprietary information 6. SECURITY 6.1 The Processor shall, taking into account the nature of the processing, take adequate technical and organizational measures to protect the Personal Data processed by the Processor under the Agreement. 6.2 The measures should be adapted to a level appropriate to the sensitivity of Personal Data, the particular risks, existing technical capabilities and implementation costs. The Processor shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. 6.3 Accession to such an approved code of conduct as referred to in Article 40 GDPR or an approved certification mechanism referred to in Article 42 GDPR may be used by the Processor to demonstrate that the Processor meets the above-mentioned security requirements. 6.4 The Processor shall ensure the eligibility of employees handling the Controller’s Personal Data and that the processing is performed only in accordance with the Controller’s written instructions and in accordance with this Agreement, see also section 11.1. 6.5 At the Controller’s request, the Processor shall provide a security policy that describes in more detail the security measures taken by the Processor to protect Personal Data. The policy includes information about the Processor’s routines for logging, authorization assignment and management of security incidents, see also section 7.1. 6.6 The Processor is generally obliged to obtain the Controller’s authorization before making changes to security measures. The Controller hereby grants its consent to the Processor to change any security measures that do not lead to a reduction in the overall level of security. For such changes, the Processor is exempted from the obligation to obtain separate authorization. Obtaining authorization for changes to security measures is generally not subject to any formal requirements. 6.7 The Processor shall not, without the Controller’s prior consent, cause or allow Personal Data to be transferred to and processed outside the European Economic Area or other countries that the European Commission has determined to provide an adequate level of data protection in accordance with the GDPR. The Controller hereby consents to the third-country transfers and processing carried out by Processor and/or Sub-processors as described in this Agreement. Where any third-country transfer occurs, Processor shall implement a valid transfer mechanism (e.g., EU Standard Contractual Clauses), conduct a transfer impact assessment, and apply appropriate supplementary measures where required. 7. SECURITY INCIDENT 7.1 In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (“Personal Data Breach”), the Processor shall notify the Controller in writing without undue delay after the Processor has been informed of the Personal Data Breach. Such information shall at least: a) describe the nature of the Personal Data Breach, including the categories and number of data subjects concerned and categories of Personal Data concerned if possible; b) provide name and contact details to the contact person where further information can be obtained; c) describe the likely consequences of the Personal Data Breach; and d) describe the actions that have been taken, or actions the Processor proposes, to correct the Personal Data Breach, including, where appropriate, measures to mitigate possible adverse effects. 7.2 If such information is not possible to provide at the same time as the notification of a Personal Data Breach, the information shall be provided in phases without undue further delay. 8. SUB-PROCESSING 8.1 Through the Agreement, the Processor has obtained a general prior authorization from the Controller to hire sub-processors. If the Processor intends to hire a new sub-processor, the Processor shall give the Controller reasonable (no less than thirty (30) days) prior written notice so that the Controller may make any objections of its reasonable concerns. Such objection shall be given detailed in writing within fifteen (15) working days from the Processor’s original notice, whereafter the Parties shall in good faith endeavour to settle the situation. If the Controller’s concerns remain after conclusion of such good faith effort, the Controller shall have the right to terminate the Agreement by written notice without liability for either Party. 8.2 If the Processor commits a sub-processor in accordance with clause 8.1, the Processor shall sign an agreement that makes the sub-processor subject to the same obligations as the Processor has in relation to the Controller under this Agreement. The Processor shall be fully liable to the Controller in the event that the sub-processor fails to fulfil its obligations under the agreement. 9. LIABILITY 9.1 If a Party breaches this Agreement or Data Protection Laws, such Party shall indemnify the other Party for any damage caused by the breach. However, this shall not apply if the negligent Party can show that it is in no way responsible for the event, act or omission that caused the other Party damage, such as that the claim could not have been avoided by fulfilling the Party’s obligations under this Agreement, Data Protection Laws or by the instructions issued by the Controller. 9.2 The Parties’ right to compensation regarding claims from third parties is regulated in its entirety under Article 82 of the GDPR. This includes the right of the Party who paid full compensation for the damage suffered by a third party to claim back from the other Party, if involved in the same processing, the part of the compensation corresponding to that Party’s part of responsibility for the damage. 9.3 This provision (9) shall survive the termination of this Agreement. 10. TERMINATION OF THE AGREEMENT 10.1 This Agreement remains in force at least as long as the Processor processes Personal Data on behalf of the Controller. 10.2 After the Processor discontinues processing of Personal Data on behalf of the Controller, the Processor shall either return all Personal Data to the Controller in the manner notified by the Controller or delete any information relating to the Agreement. 10.3 If the data processing ceases as a result of the termination of the Main Agreement, the Controller must reclaim the Personal Data within 14 days from the date of termination of the Agreement. The Personal Data will be deleted if the Controller has not made such claim within the above-specified time. 11. CONFIDENTIALITY 11.1 Without prior written consent from the Controller, the Processor shall not disclose the whole or any part of the Personal Data to any person except its employees or consultants subject to the same policies and requirements as employees, and then only to those who need to know the same, and only to the extent necessary to fulfil the obligations of the Agreement. The Processor shall ensure that the Processor’s employees and consultants, with the right to process Personal Data on behalf of the Controller, adheres to confidentiality in connection with the Personal Data. 12. ASSIGNMENT OF AGREEMENT 12.1 No Party is entitled to transfer all or part of its rights and / or obligations under the Agreement without the prior written consent of the other Party. 13. SETTLEMENT OF DISPUTES 13.1 This Agreement shall be construed in accordance with and governed by the laws of Sweden. 13.2 Any dispute, controversy or claim arising out of or in connection with this contract, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the SCC Arbitration Institute. 13.3 The seat of arbitration shall be Stockholm. 13.4 The language to be used in the arbitral proceedings shall be Swedish. Arbitration with reference to this arbitration clause is subject to confidentiality. The confidentiality includes all information that emerges during the proceedings as well as any decision or arbitration given in connection with the procedure. Information subject to confidentiality may in no way be forwarded to third parties without the consent of the other Party. EXHIBIT 1 – SPECIFICATION Subject-matter & PurposeProvision and operation of the Cryptolens/Devolens SaaS (software licensing/entitlements, payment processing, analytics, necessary and optional telemetry, and support for account administration/billing, and security/service integrity strictly to deliver the Service to Controller. Nature of Processing
Collection, storage, retrieval, transmission, logging, analysis strictly for Service operation, and deletion. Duration
For the term of the Main Agreement and this Agreement, plus limited retention for operations and compliance (backups ≤ 35 days; security/system logs ≤ 90 days, unless a longer period is required by law). Categories of Data Subjects
- Controller’s administrators and technical/operations personnel who manage the Service.
- Personnel of the Controller’s customers who activate or use licenses issued by the Controller (end-users/seat holders).
- Personnel of the Controller’s resellers/distributors who manage license issuance on the Controller’s behalf (if applicable).
- Controller’s billing/finance contacts.
- Business contact data (name, employer, role/title, work email, optional phone).
- Account/license identifiers (tenant/account IDs, license/activation key IDs, installation/device/instance IDs).
- Auth/access metadata (usernames and salted/hashed credentials if used, tokens, roles/permissions, audit trails).
- Technical/telemetry events (timestamps, IP addresses, user agent, client/app version, request IDs, error/performance metrics).
- Support content (chat/ticket messages/attachments).
- Billing metadata (billing contact details, invoice references, payment status; payment instruments handled by Stripe, not stored by Processor).
Microsoft Azure North Europe (Ireland), West Europe (Nethlernads) and Sweden; Hetzner Finland; AWS Sweden (Stockholm).
Controller Instructions & Contacts
Processing on documented instructions from Controller. Processor contact: support@cryptolens.io. International Transfers
If any third-country access occurs (e.g., US-hosted support/chat), Processor will implement EU SCCs, conduct a TIA, and apply appropriate supplementary measures. Approved sub-processors:Approved Sub-Processors at the entry into force of this DPA.
| Company/ organisation | Address and contact details | Location of personal data (address, country) | Types of personal data processed by the sub-processors | Purpose of processing by the sub-processor | Processing time | Additional information about the sub-processor’s processing of personal data |
|---|---|---|---|---|---|---|
| Microsoft Ireland Operations Ltd | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Microsoft Azure Region: North Europe (Dublin, Ireland) and West Europe (Netherlands), Sweden Central. | Email address, IP address, machine identifiers and other information submitted by the Controller. | Cloud infrastructure (IaaS/PaaS) for hosting the application, databases, storage, networking, and backups/DR used to deliver the Service. | For the term of the Main Agreement and this DPA; | Data residency in EEA region(s) listed above; encryption in transit and at rest. If any support access from outside the EEA occurs, it is subject to EU SCCs (2021) and supplementary measures under Microsoft’s data protection terms. |
| Hetzner Online GmbH | Industriestr. 25, 91710 Gunzenhausen, Germany | Hetzner Data Center – Helsinki region, Finland (EEA) | Service/telemetry logs associated with licensing activity (timestamps, IP addresses), license/installation/device identifiers and other configuration/metadata stored by the Service for analytics; CDN request logs and short-lived cached copies of public/static assets. No special categories expected. | Hosting for analytics modules (compute/storage) and content delivery (CDN) to serve static assets and improve performance/availability; associated networking, backup/DR. | For the term of the Main Agreement and this DPA | |
| Intercom R&D Unlimited Company (and affiliates, including Intercom, Inc., as applicable) | Intercom R&D Unlimited Company, Dublin, Ireland | United States of America (primary hosting and processing) | Customer support/messaging platform to communicate with the Controller; ticketing, follow-ups and searchable conversation history limited to that Controller. | Personal data of a designated users of the Controller only: - Business contact data (name, email, optional phone) - In-app chat/conversation content and attachments sent by that user - Technical/session metadata for that user (timestamps, IP address, user/tenant ID, browser/OS) No other users’ data and no end-user/licensee data are processed by Intercom. No special categories expected. | For the term of the Main Agreement and this DPA | For data transfer to outside of EEA, it is subject to EU SCCs (2021) and supplementary measures under Intercom’s data protection terms. |
| Amazon Web Services EMEA SARL (and affiliates) | 38 Avenue John F. Kennedy, L-1855 Luxembourg https://aws.amazon.com | privacy@amazon.com | AWS Region: eu-north-1 (Stockholm, Sweden) – primary processing/hosting | Business contact data of designated admin/billing recipients (name if present, email address); transactional email content and headers generated by the Service (e.g., account notices, license issuance/activation links, password resets, receipts); technical delivery metadata (from/to, subject, message ID, timestamps, IPs, SMTP logs, bounce/complaint feedback). No special categories expected. | Transactional email delivery for the Controller’s designated recipients (account/security notifications, license/entitlement emails, billing receipts) as instructed by the Controller. | Message content retained only transiently for delivery (typically seconds to a few days); delivery/bounce/complaint logs retained up to 90 days; backups up to 35 days unless a longer period is required by law or configured by the Processor. | Data is processed in the EEA region listed above with encryption in transit (TLS where supported by recipient servers) and at rest. Email delivery necessarily transmits messages to the recipient’s mail system, which may be outside the EEA, under the Controller’s instructions. Where AWS personnel outside the EEA may access support data, such access is subject to EU Standard Contractual Clauses (2021) and appropriate supplementary measures. |
| Google Ireland Limited (with Google LLC as affiliated US entity) | Gordon House, Barrow Street, Dublin 4, Ireland https://analytics.google.com | support.google.com/analytics | Primary processing in the EEA when EU data-regionalisation features are enabled; however, support/maintenance access by Google LLC may occur from the USA (third-country transfer). | Pseudonymous analytics event data generated by the Service’s interfaces used by Controller’s users: page views, clicks, session and event timestamps, URLs/referrers, approximate geolocation (derived from IP), device/OS/browser info, and identifiers such as GA client_id and (if configured) user_id. GA4 does not store full IP addresses; no special categories expected. No customer content. | Website/product analytics to understand usage and performance, generate aggregate metrics, and troubleshoot service issues for the Controller’s tenant. | Per GA4 property settings; event data typically retained 2 or 14 months (configurable). Aggregated reports may persist without personal data. | This may involve a third-country transfer to the USA**. Processor has entered into EU SCCs (2021, Module 3 – processor → sub-processor), completed a transfer impact assessment, and applies supplementary measures (e.g., IP de-identification, restricted data collection, disabling ads features/Google signals, and enforcing Consent Mode where applicable). Controller instructs Processor not to send PII in URLs or event parameters. |
| DigitalOcean, LLC (and affiliates) | 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA https://www.digitalocean.com | privacy@digitalocean.com | DigitalOcean data center – Frankfurt, Germany (EEA) | Minimal web/hosting data related to the help/docs site: HTTP request logs (timestamps, source IP address, user agent, URL/referrer, request IDs), and short-lived cached copies of static documentation assets. No customer content is stored; no special categories expected. | Hosting of public help pages and documentation and delivery of static assets linked from the Service. | For the term of the Main Agreement and this DPA; | Data residency confined to the EEA location listed above; encryption in transit and at rest. Operational support access by DigitalOcean personnel may occur from outside the EEA; where applicable, such access is subject to EU Standard Contractual Clauses (2021) and appropriate supplementary measures. |
| Mixpanel, Inc. (and EU affiliate, as applicable) | San Francisco, CA, USA https://mixpanel.com | privacy@mixpanel.com | Mixpanel EU data residency enabled – data stored/processed in the EEA (e.g., EU data center such as Frankfurt, Germany). | Pseudonymous product/usage analytics events generated by the Service interfaces used by Controller’s users: event names and properties (page/screen views, clicks, navigation paths), timestamps, session identifiers, approximate geolocation (derived from IP), device/OS/browser/app version, referrers/URLs, user_id or device_id (if configured). No special categories expected. Processor instructs that no PII (e.g., names, emails) be sent as event properties or URLs. | Product analytics to understand navigation between pages/screens, measure funnels and retention, monitor performance, and improve the Service experience for the Controller’s tenant. | Per project retention settings configured by the Processor/Controller (e.g., months to years). Backups retained up to 35 days; security/system logs up to 90 days unless a longer period is required by law. | Configured for EU-only data residency; no routine third-country transfers by this sub-processor. If an exceptional support escalation would require non-EEA access, it would be governed by EU SCCs (2021), a documented transfer impact assessment, and supplementary measures. Processor enforces “no PII in events” and limits data collection to what is necessary for service analytics. |