This Data Processing Agreement (“DPA”) is entered into between EDGE Associates AB (with EdgeFlow) and the Customer.
1. GENERAL
EDGE Associates AB (with EdgeFlow) will on behalf of the Customer Process Personal Data during the provision of the Services under the Agreement in its capacity as Customer’s data processor. For the purpose of ensuring compliance with the Data Protection Legislation, the Parties have entered into this DPA which forms an integral part of the Agreement.
2. DEFINITIONS
“Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”) as well as supplementary local adaptions.
“Data Subject” means the identified or identifiable natural person whom the Personal Data relates to.
“Personal Data” means any information, which directly or indirectly relates to a Data Subject and which EDGE Associates AB (with EdgeFlow) Processes on behalf of the Customer under this DPA.
“Processing” means any operation or set of operations which is performed on Personal Data, or on sets of Personal Data, whether or not by automated means.
“Sub-Processor” means any third party that Processes Personal Data on behalf of EDGE Associates AB (with EdgeFlow) (including, but not limited to, EDGE Associates AB (with EdgeFlow)’s partners and subcontractors).
“Supervisory Authority” means the independent public supervisory authority/supervisory authorities, authorized to conduct supervision of the Processing of Personal Data or considered to be a “supervisory authority concerned” in accordance with the Data Protection Legislation.
- Unless otherwise stated, any other term or concept used in capitalized letters in this DPA (except in some cases as part of a heading) shall have the meaning and conception that is established in the Data Protection Legislation and otherwise in the Agreement, unless the circumstances obviously require another
3. RESPONSIBILITY AND INSTRUCTION
- The Personal Data that EDGE Associates AB (with EdgeFlow) on behalf of the Customer will Process is in particular contact details, Employee CVs, Sub-Contractors’ and partners’ CVs and specific Employment data as further specified in Sub-Appendix 1 (Data Processing Instructions).
- The Customer is the data controller of all Personal Data Processed by EDGE Associates AB (with EdgeFlow) on behalf of the Customer under this EDGE Associates AB (with EdgeFlow) shall comply with the Data Protection Legislation applicable to EDGE Associates AB (with EdgeFlow)’s Processing.
- EDGE Associates AB (with EdgeFlow), and anyone working under EDGE Associates AB (with EdgeFlow)’s supervision, shall only be Processing Personal Data in accordance with the Customer’s documented instructions and not for any other purposes than the purposes the Customer has engaged EDGE Associates AB (with EdgeFlow) for under the The instructions that apply on the date of signature of this DPA are specified in Sub-Appendix 1. In addition, the Agreement constitutes the Customer’s instructions. The Customer shall immediately inform EDGE Associates AB (with EdgeFlow) of changes that affect EDGE Associates AB (with EdgeFlow)’s obligations according to this DPA. Processing may also be performed where required by EU law or applicable member state law, which EDGE Associates AB (with EdgeFlow) or any Sub-Processor is subject to. In the event of such requirement pursuant to EU or applicable member state law, EDGE Associates AB (with EdgeFlow) shall inform the Customer of such obligation that is binding on EDGE Associates AB (with EdgeFlow) or any Sub-Processor. Such information shall be provided to the Customer prior to the processing of Personal Data for this purpose, unless that law prohibits such information on important grounds of public interest.
4. SECURITY MEASURES
- EDGE Associates AB (with EdgeFlow) shall implement technical and organizational measures, as required by the Data Protection Legislation in order to ensure a level of security that is appropriate to the risk and to protect Personal Data being Processed from accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of, or access to, the Personal Data being [Sub-Appendix 1].
EDGE Associates AB (with EdgeFlow) shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to EDGE Associates AB (with EdgeFlow).
- EDGE Associates AB (with EdgeFlow) shall notify the Customer without undue delay and no later than twenty-four (24) hours after becoming aware of a personal data breach pursuant to Article 33 of the
5. DISCLOSURE OF PERSONAL DATA AND INFORMATION ETC.
- EDGE Associates AB (with EdgeFlow) shall forward any request to the Customer from the Data Subject, the Supervisory Authority or any other third party, who is requesting receipt of information regarding Personal Data that EDGE Associates AB (with EdgeFlow) Processes on behalf of the Customer, without undue EDGE Associates AB (with EdgeFlow), or anyone working under EDGE Associates AB (with EdgeFlow)’s supervision, shall not disclose Personal Data, or information about the Processing of Personal Data, without the Customer’s express instruction or as laid down in this DPA, unless required by the Data Protection Legislation.
- By technical and organizational measures, which are appropriate taking into account the nature of the Processing, EDGE Associates AB (with EdgeFlow) shall assist the Customer, insofar as this is possible based on the information available to EDGE Associates AB (with EdgeFlow), for the fulfilment of the Customer’s obligation to respond to requests from the Data Subject, when the Data Subject exercises its rights in accordance with the Data Protection Such assistance shall be prompt and in consideration of the limited time period that the Customer has to respond to such requests.
- EDGE Associates AB (with EdgeFlow) shall inform the Customer of any contacts from the Supervisory Authority that concern the Processing of Personal Data on behalf of the EDGE Associates AB (with EdgeFlow) is not entitled to represent the Customer or act on the Customer’s behalf towards the Supervisory Authority.
- EDGE Associates AB (with EdgeFlow) shall assist the Customer in fulfilling potential duties to enable data portability regarding Personal Data, which EDGE Associates AB (with EdgeFlow) Processes under this
6. SUB PROCESSORS
- The Customer hereby gives EDGE Associates AB (with EdgeFlow) prior, general authorization to engage Sub-Processors in the Processing of Personal Data, provided that EDGE Associates AB (with EdgeFlow) enters into a data processing agreement with each Sub-Processor, in which data protection obligations that are, at a minimum, as stringent as the ones set out in this DPA are imposed upon the Sub-Processor. Before the Effective Date, EDGE Associates AB (with EdgeFlow) shall enter into such corresponding data processing agreements with each Sub-Processor. If the Sub-Processor fails to fulfil its data protection obligations, EDGE Associates AB (with EdgeFlow) shall remain liable towards the Customer for the performance of the Sub-Processor’s data protection obligations.
- EDGE Associates AB (with EdgeFlow) is in particular responsible for ensuring the compliance of Articles 2 and 28.4 of the GDPR when engaging Sub-Processors and ensure that Sub-Processors provide sufficient guarantees to implement appropriate technical and organizational measures, in such a manner that the Processing meets the requirements of the GDPR.
- EDGE Associates AB (with EdgeFlow) shall inform the Customer in writing of any intended changes concerning an addition or replacement of a Sub-Processor, to which the Customer may If the Customer does not issue such reasonable objection within twenty (20) days from the receipt of the information, the Customer is assumed to not have made an objection. For the purpose of clarity, EDGE Associates AB (with EdgeFlow) commits to promptly provide information regarding the Processing by Sub-Processors when requested by the Customer. EDGE Associates AB (with EdgeFlow) has the right to cure an objection from the Customer as described above. If no corrective option is available and if the objection has not been cured by EDGE Associates AB (with EdgeFlow) within thirty (30) days, the Parties shall be entitled to terminate the Agreement and/or this DPA, partially or wholly, or in relation to specific additional services, by issuing the other Party thirty (30) days’ notice.
7. AUDITS ETC
Promptly, and in any case without undue delay, upon the Customer’s request, EDGE Associates AB (with EdgeFlow) shall make available all information necessary to demonstrate EDGE Associates AB (with EdgeFlow)’s compliance with its obligations following from the Data Protection Legislation, including as part of the audits or inspections carried out by the Customer or an independent auditor mandated by the Customer and accepted by EDGE Associates AB (with EdgeFlow) pursuant to Article 28(3)(h) GDPR. For the avoidance of doubt, each Party shall bear its own costs for any audit or inspection pursuant to this section 7 or Article 28(3)(h) GDPR.
8. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA AND DATA PORTABILITY
- EDGE Associates AB (with EdgeFlow) shall not transfer personal data to a third country that has not received an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, unless EDGE Associates AB (with EdgeFlow) has obtained prior, specific consent for such If EDGE Associates AB (with EdgeFlow) and/or Sub-Processors transfer Personal Data to a location outside of the EU/EEA, EDGE Associates AB (with EdgeFlow) and/or Sub-Processor shall ensure that such transfer complies with applicable Data Protection Legislation including but not limited to ensuring that an appropriate assessment of the circumstances of the transfer as well as an assessment of the third country are made and documented prior to the transfer. EDGE Associates AB (with EdgeFlow) shall ensure that a transfer is made on the basis of an appropriate safeguard, such as the Commission implementing decision (EU) 2021/914 – of 4 June 2021 – on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council or the decision or clauses that may replace them.
EDGE Associates AB (with EdgeFlow) shall ensure that appropriate supplementary measures are implemented. Upon request by the Customer, EDGE Associates AB (with EdgeFlow) shall provide all relevant information regarding the transfer and the measures undertaken pursuant to Data Protection Legislation and this clause 8.1.
- Notwithstanding the general provisions on international transfers, certain optional AI features rely on third-party providers (currently Microsoft Azure AI) and are processed in the United Use of these features constitutes explicit consent by the Customer to such processing.
9. CONFIDENTIALITY
- EDGE Associates AB (with EdgeFlow) shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of This undertaking does not apply to information that the Processor is required to disclose under mandatory law or other statutory rules pursuant to clause 3.3 above. This confidentiality obligation shall remain in force after termination of this DPA.
10. LIABILITY
- If EDGE Associates AB (with EdgeFlow), anyone working under EDGE Associates AB (with EdgeFlow)’s supervision or Sub-Processors, Processes Personal Data in violation of this DPA or contrary to lawful instructions of the Customer, EDGE Associates AB (with EdgeFlow) shall pay damages to the Customer for the damage suffered due to incorrect EDGE Associates AB (with EdgeFlow) shall indemnify and keep indemnified the Customer from any damages.
- EDGE Associates AB (with EdgeFlow)’s total and aggregate liability under the Agreement is, for each calendar year and regardless of the number of damages, limited to the fees paid by Customer during the 6-month period prior to the time when the damage(s) EDGE Associates AB (with EdgeFlow)’s liability for Third-Party Applications will never exceed such amount that EDGE Associates AB (with EdgeFlow) is entitled to recover from the provider(s) of such Third-Party Application.
- A Party shall not be liable to the other Party for loss of revenue or other indirect Damages, costs and expenses set forth in Section 10.1 shall be deemed direct damages.
- During the term of this DPA, the Customer shall indemnify and hold EDGE Associates AB (with EdgeFlow) harmless from any direct or indirect damage, e.g. requirements from the Data Subject and other Controllers of the Personal Data than the Customer, when EDGE Associates AB (with EdgeFlow) has suffered such damage due to unlawful instructions from the Customer, or otherwise, depending on the circumstances on the Customer’s side. Customer’s indemnification and holding harmless EDGE Associates AB (with EdgeFlow) shall only apply in the event that EDGE Associates AB (with EdgeFlow) has informed the Customer that its instructions infringe Data Processing Legislation prior to the occurrence of the damage and if, upon such information, the Customer has not amended such instructions.
- EDGE Associates AB (with EdgeFlow)’s obligation to pay damages, laid down in section 1 above, only applies, provided that i) the Customer without undue delay informs EDGE Associates AB (with EdgeFlow) in writing of any claims against the Customer; and ii) the Customer allows EDGE Associates AB (with EdgeFlow) to control the defense of the claim and make independent decisions regarding conciliation. Such defense and decisions made by EDGE Associates AB (with EdgeFlow) shall be carried out in good faith, and with due care in relation to the Customer.
EDGE Associates AB (with EdgeFlow) shall make reasonable efforts to keep the Customer informed about any decisions related to the defense of the claim that may affect the Customer’s rights or obligations. In the event EDGE Associates AB (with EdgeFlow) intends to make a decision or take an action in the defense of the claim that the Customer reasonably believes may adversely affect the Customer’s interests, the Customer shall have the right to object to such decision or action as soon as possible, but no later than 10 business days from the date of notification by EDGE Associates AB (with EdgeFlow).
In the event of the Customer’s objection, the Parties shall engage in good faith discussions with the Customer to resolve any concerns.
- The limitations set out in the Agreement shall not apply in relation to a loss or damage caused by gross negligence, intentional acts or breaches against the confidentiality undertakings in this
11. TERM AND TERMINATION
- This DPA enters into force when duly signed by both Parties and remains in force as long as EDGE Associates AB (with EdgeFlow) Processes Personal Data on behalf of the
- Upon termination of the Agreement or this DPA (depending on which is first terminated), EDGE Associates AB (with EdgeFlow) shall in accordance with the Customer’s instructions return or delete the Personal Data that the Customer has transferred to EDGE Associates AB (with EdgeFlow) and delete any existing copies, where appropriate, and unless storage of the Personal Data is required by EU law or applicable member state law and ensure that each Sub-Processor does the EDGE Associates AB (with EdgeFlow) shall certify to the Customer in writing that such deletion has been carried out.
12. CHANGES AND ADDITIONS
- If the Data Protection Legislation is changed during the term of this DPA, or if the Supervisory Authority issues guidelines, decisions, or regulations concerning the application of the Data Protection Legislation that result in this DPA no longer meeting the requirements for a DPA, the Parties shall make the necessary changes to this DPA, in order to meet such new or additional Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of change to the other Party or otherwise no later than prescribed by the Data Protection Legislation, guidelines, decisions or regulations of the Supervisory Authority.
13. MISCELLANEOUS
- This DPA supersedes and replaces all prior DPAs between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless if otherwise stated in the
- Swedish law applies in all aspects to EDGE Associates AB (with EdgeFlow)’s Processing of Personal Data under this Any dispute arising out of or in connection with this DPA shall be settled in accordance with the dispute resolution provision in the Agreement.
Sub-Appendix 1 – Data processing instructions
In these data processing instructions, all capitalized words shall have the same meaning as defined in the DPA, unless otherwise is expressly stated.
Purposes
Please specify all purposes for which the Personal Data will be Processed by the Supplier as the Customer’s data processor:
To facilitate normal operation of the Service on Customer’s behalf. The personal data is not processed by EDGE Associates AB (with EdgeFlow) in any other way.
EDGE provides an online consultant management tool and subsequently processes personal data of employees, sub-contractors and partners of the Customer and other authorised users of the Service who use said tool. EDGE does not control all the specific data the Customer asks the employees and users to provide through said tool, or which specific data users provide to the Customer through said tool, and consequently which personal data is processed by EDGE through said tool.
Categories of data
Please specify the Personal Data that will be Processed by the Supplier as data processor:
The following Personal Data may be processed depending on services used by the customer:
- Information related to the data subject’s employment at the customer, e.g. name, profile image, social security number, address, phone, scheduling, information related to salary, terms of employment, CV’s, educational history and certificates, notes from feedback sessions and other, for the employment, relevant information that is required for the named tool.
- Documents associated with the employment of the Data subject at the
- Information related to the data subject’s partnership (supplier, client) at the customer, e.g. name, address, phone and other relevant agreement information that is required for the named tool.
Special categories of data
Please specify the Special Personal Data that will be Processed by the Supplier as data processor:
The following Special Personal Data may be processed depending on services used by the customer:
- Custom fields, defined and set up by the Customer, related to the Customer’s handling of its employees, may include other types of Special Personal
The processing of sensitive personal data shall be carried out with special care and security. Where a customer processes sensitive data, it should take the necessary measures to ensure data protection and security in accordance with applicable law.
Categories of data subjects
Please specify the categories of data subjects whose Personal Data will be Processed by the Supplier as data processor:
Employees and board members at the Customer. Relevant consultancy agreements. Relevant clients’ agreements. Employees of partners and sub-contractors that the Customer has entered an agreement to process data for.
Processing operations
Please specify all Processing activities to be conducted by the Supplier as data processor:
Processing operations are limited to modules used by the Customer.
Location of processing operations
Please specify all locations where the Personal Data will be Processed by the Supplier as data processor and – when applicable – by Sub-processors:
All data is stored at Microsoft Azure and in their data centers in Sweden or within EU.
Retention requirements (when applicable)
Please specify the retention time of Personal Data stored by the Supplier:
Personal data is retained until removal is requested by Customer. Backups may be kept up to 30 days.
INFORMATION SECURITY MEASURES
Technical and Organizational security measures
Security policies and procedures
We have an Information security policy that is based on the ISO-standard ISO27001. This policy provides guidelines for management, and mitigation of threats to information security at EDGE. It encompasses the entire organization and all employees at EDGE. The main purpose of this document is to ensure proper handling of information and mitigation of security risks. All employees sign this policy.
Continuous improvement
The Information policy is revised and internally controlled twice a year to review and improve security controls and practices to ensure they are effective and up-to-date with evolving threats and risks.
Security awareness training
All employees at EDGE are informed upon their onboarding and during their employment in IT security and GDPR.
Multi-factor authentication
EDGE has two-factor authentication turned on for all employees, requiring SMS or authenticator code validation, in addition to password protection.
Regular software updates and patches
Computers and mobile devices are updated continuously to keep software updated and latest security patches installed to address known vulnerabilities and protect against cyberattacks.
Regular security assessment
Vulnerability scans are made continuously.
Data backup and recovery
Backups are facilitated by our sub-processors and may be kept up to 30 days. Backups are retained offsite, i.e. geographically separate from where databases and file storages are located.
Data classification and retention
Personal data in EDGE is classified based on its sensitivity and an appropriate retention policy is implemented to ensure it is disposed of when no longer needed.
Firewalls, separation of environments and antivirus protection
Firewalls, environments and antivirus are provided by Microsoft Azure.
Service and repair of devices where Personal Data is stored
All Personal data is stored in Microsoft Azure.
Access control
All services are protected by OIDC and a centralized login.
Authorisation and permissions
Roles are limited to Employees, Managers, People officers and Company administrators, each having a range of permissions to use the Service. Apart from system administrators at EDGE Associates AB (with EdgeFlow), who have access at a database level, there is no way for anyone at EDGE Associates AB (with EdgeFlow) to access Personal data.
Sub-Appendix 2 – Sub-Processors
Sub-Processor | Description of | Location | Transfer Mechanism |
Microsoft (with Azure) | Storage of data. Data centers in Sweden/EU. | Sweden/EU | N/A (within EU) |
Microsoft (with Azure AI) | Optional | USA | Microsoft |
EDGE Associates Sri | Software development, maintenance, and technical support. | Sri Lanka | Standard Contractual Clauses (Module 3) & TIA |
Microsoft Corp. is a US based company.