Data processing

This Data Processing Addendum (“DPA”) is incorporated into and forms a part of theAgreement between Journeybee AB (“Processor”) and any company (“Controller”)utilising the Processor’s services.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” shall have the meaning set forth in applicable Data Protection Laws.

“Data Protection Laws” shall mean any and all applicable data protection and privacy laws and regulations.

“Data Subject” shall have the meaning set forth in applicable Data Protection Laws.

“Sub-processor” shall mean any third party engaged by the Processor for theProcessing of Personal Data.

“Platform Data Sharing” means the sharing of information between companies utilising Processor’s services on the platform provided by Processor

This DPA set out the terms and conditions under which Processor shall Process Personal Data on behalf of Controller in connection with the services provided by Processor to Controller pursuant to the Agreement.

The Parties acknowledge and agree that the Controller is the data controller and Processor is the data processor in relation to any Personal Data Processed pursuant to this DPA.

Processor shall Process Personal Data only on behalf of and in accordance with the documented instructions of Controller, unless required to do so by applicable law.

Controller herby authorises Processor to engage Subprocessor’s for the Processing of Personal Data.

Processor shall maintain a list of sub processors engaged in the Processing of Personal Data on behalf of Controller. Upon written request from Controller, Processor shall provide Controller with a current list of sub processors. If Controller wishes to be notified of any changes to sub processors, Controller may request such notification in writing. Otherwise, Processor shall not be obligated to notify Controller of changes to sub-processors.

Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise their rights under applicable Data Protection Laws regarding Personal Data.

Processor shall notify Controller without undue delay upon becoming aware of a Personal Data breach affecting Controller’s Personal Data, providing Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data breach.

Processor shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with supervisory authorities, which Controller reasonably consider to be required by applicable Data Protection Laws.

Upon termination or expiration of the Agreement, Processor shall, at Controller’s choice, either delete or return all Personal Data to Controller, unless otherwise required by applicable law.

Companies utilising Processor’s services may share information with each other on the platform. Any data sharing between companies must comply with applicable data protection laws and regulations. Processor shall not access or use shared data except as necessary to provide the agreed-upon services. Personal Data shared between companies shall be processed only for the purposes specified in the Agreement and any documented instructions from the Controller. Processor shall maintain the confidentiality of shared Personal Data and implement appropriate technical and organisational measures to prevent unauthorised access or disclosure. Each company retains ownership of the data they share on the platform.

This DPA shall be governed by and construed in accordance with the laws of Sweden, without regard to its conflict of law principles.

The parties acknowledge that the Processing of Personal Data under this DPA shall comply with the General Data Protection Regulation (GDPR) (EU) 2016/679

This DPA is made available on Journeybee AB’s website and applies to all companies utilising Processor’s services. By continuing to use the services, companies agree to be bound by the terms of this DPA.