Data Processing Agreement

Last updated on: 2024-08-09

This Data Processing Agreement (“DPA”) applies to Opper’s provision of its AI integration platform and the associated services (collectively the “Services”) and forms an integral part of the agreement between Opper and the Customer covering the Customer’s use of the Services (the “Main Agreement”). Opper and the Customer are hereinafter also referred to as a “Party” and together as “Parties”. Any capitalized terms used herein shall have the same meaning as defined in the Main Agreement unless specifically defined otherwise in this DPA.

1 Background

1.1 As part of the Services provided in accordance with the Main Agreement, Opper will be processing certain personal data on behalf of the Customer. The Customer is the data controller and Opper is the data processor regarding the processing of personal data described herein.

1.2 This DPA governs the conditions for Opper’s processing of, and access to, personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other relevant data protection legislation (all together “Data Protection Legislation”).

1.3 The DPA consists of this document and the appendices. In the event of any contradictions between this document and the appendices or the Main Agreement, this document shall take precedence.

1.4 All terms defined in Article 4 of the GDPR shall have the same meaning in the DPA, unless expressly stated otherwise.

2 Scope of processing

2.1 The personal data processed under this DPA (“Included Personal Data”) is described at https://opper.ai/privacy-policy.

2.2 Opper shall only process Included Personal Data in accordance with the Customer’s written instructions, which are set out in this DPA, unless further processing is required under applicable EU or Member State law to which Opper is subject. In such case Opper shall inform the Customer of this legal obligation unless such disclosure is prohibited by law.

3 Security and assistance

3.1 Opper will apply suitable technical and organizational safeguards to protect Included Personal Data, as required under Article 32 of the GDPR. This includes implementing measures for preventing accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the Included Personal Data. Opper’s security measures are listed at https://opper.ai/security-overview.

3.2 Opper shall assist the Customer in fulfilling its obligations under Articles 32 to 36 in the GDPR, especially regarding the security of processing and personal data breaches. Opper shall notify the Customer without undue delay and within 48 hours after Opper has learned of a personal data breach affecting the Included Personal Data.

3.3 Opper will assist the Customer in meeting its obligations under Chapter III of the GDPR, including data subject rights such as access, deletion, correction, and data portability. Opper will notify the Customer without undue delay of any such requests from data subjects.

4 Sub-processing

4.1 Opper has the Customer’s general authorization to engage sub-processors for the processing of Included Personal Data on behalf of the Customer (“Sub-processors”), provided that if Opper engages Sub-processors, Opper shall enter into a sub-processing agreement with the same obligations as in this DPA.

4.2 Opper shall notify the Customer through the Services at least 30 days in advance of any intended addition or replacement of a Sub-processor. The Customer is responsible for regularly checking the Service for such updates. The Customer is entitled to object to such changes, based on objective grounds relating to the security of the processing under the DPA. If the Customer has not objected prior to the change taking effect, the Customer is assumed to have approved the engagement. If the Customer makes an objection and Opper does not agree to replace the Sub-processor or refrain from using it, either Party is entitled to terminate the affected service, by giving the other Party 30 days’ written notice.

4.3 Opper shall be fully liable for the actions and performance of any Sub-processors engaged in the processing of Included Personal Data on behalf of the Customer.

4.4 Opper shall maintain an updated list of Sub-processors and shall submit a copy of the list to the Customer upon request. The current Sub-processors are listed at https://opper.ai/sub-processors.

4.5 Without prejudice to Opper’s obligations in Sections 3 and 4 of this DPA, if a certain Sub-processor is engaged due to the way the Customer chooses to configure the Services, the Customer acknowledges and agrees that it is solely responsible for these configurations and that the Customer is responsible for implementing those configurations in a secure manner that complies with applicable Data Protection Legislation.

5 Third country transfers

Opper has the Controller’s general authorization to, by itself or through its Sub-processors, process Included Personal Data outside of the European Economic Area (EEA), provided that prior to commencing such transfer or provision of access, Opper or Sub-processor, as applicable, meets the requirements and undertakings regarding third-country transfers under the GDPR.

6 Confidentiality

6.1 Opper shall restrict access to Included Personal Data solely to those of its employees, representatives and Sub-processors who require access for the sole purpose of providing the Services. Opper shall ensure that all such employees, representatives and Sub-processors are bound by confidentiality, either through commitment or statutory obligation.

6.2 Opper shall not disclose Included Personal Data or any information related to its processing under this DPA to third parties without express instruction from the Customer. This obligation excludes:

(i) disclosure to Sub-processors for fulfilment of their obligations under a sub-processing agreement,

(ii) information that is publicly known (due to other reasons than a breach of the DPA),

(iii) information compelled by mandatory law or regulation. In such cases, Opper shall promptly inform the Customer and request guidance.

6.3 The confidentiality obligations herein shall apply without limitation in time.

7 Audit and inspection

Opper shall without undue delay make available to the Customer upon the Customer’s request, all information necessary to demonstrate that Opper is fulfilling its obligations under the DPA and the relevant Data Protection Legislation. Opper shall also enable and assist in audits, including inspections, which are conducted by the Customer or by a third party authorised by the Customer, at the Customer’s cost. Upon the Customer’s request, Opper will provide the Customer with information necessary to show that Opper is meeting its obligations under the DPA. Opper will cooperate with audits or inspections, which will occur no more than once a year and will be notified at least 10 business days in advance. These audits or inspections will be conducted by the Customer or an authorized third party, at the Customer’s cost.

8 Term and termination

8.1 The DPA shall remain in force as long as Opper processes personal data on behalf of the Customer, according to the Main Agreement between Opper and the Customer.

8.2 Opper shall upon termination of the Main Agreement or upon notice from the Customer, at the Customer’s choice, return or delete all Included Personal Data processed under the DPA, unless Opper is required to retain the Included Personal Data to comply with mandatory law or regulation.

8.3 Unless otherwise instructed by the Customer, Opper will delete Included Personal Data after 30 days from termination or expiry of the Main Agreement.

9 Notices

Unless otherwise specified, all notices under this DPA must be in writing and sent by email to the addresses set out in the introduction. Notices are deemed received on the date of transmission, provided the sender does not receive a delivery failure message. Either Party may change its email address for notices by providing written notice to the other Party.

10 Compensation

Opper shall be entitled to reasonable compensation for all work and all costs that arise due to the Customer’s instructions for processing if these exceed the features and level of security that Opper normally applies on its services or provides to its customers, e.g. in the case that Opper’s systems and/or Services require special adjustments or development following special requests from the Customer. Opper is not entitled to compensation for costs which arise based on compliance with requirements under the relevant Data Protection Legislation.

11 Liability and indemnification

Subject to mandatory law, the limitations of liability set out in the Main Agreement shall apply to this DPA. Notwithstanding the above, the Parties acknowledge that each Party shall bear any administrative fines pursuant to GDPR Article 83 imposed on the Party by the relevant supervisory authority.

12 Governing law and dispute resolution

This DPA shall be governed by the substantive law of Sweden. Disputes arising from this DPA shall be finally settled in accordance with the resolution of disputes clause stated in the Main Agreement.