OmboriGrid is now Phygrid Read more
Phygridv6
LoginContact Sales

Data Processing Addendum (DPA)

  1. BACKGROUND AND SCOPE

    1. This Data Processing Addendum (this “DPA”) constitutes an agreement between a controller and a processor as required by the GDPR (as defined below) and consists of this main document and the Specification (as defined below). Where applicable and subject to Section 6, standard contractual clauses adopted by the EU Commission from time to time shall be deemed incorporated into this DPA by reference. This DPA and the Terms of Service jointly form the Agreement.
    2. Phygrid will, as part of the Service, process Covered Personal Data (as defined below) on behalf of Customer and thus be Customer’s processor.
    3. If Covered Personal Data includes personal data for which a third party is the data controller, Customer warrants and represents that it has been instructed by and obtained the mandate and authorization of all relevant data controllers to enter into this DPA with Phygrid on behalf of such third party data controller.
    4. For the avoidance of doubt, Personal Data collected and processed by Phygrid as the data controller is not subject to this DPA. Please see Phygrid’s Privacy Policy for further information.
  2. INTERPRETATION AND DEFINITIONS

    1. This DPA constitutes an addendum and an integrated part of the Agreement. In the event of inconsistencies between any section in other Agreement documents and this DPA in regards to Phygrid’s processing of Covered Personal Data, this DPA shall prevail and apply in lieu of such inconsistent section in other Agreement documents. Notwithstanding the foregoing, standard contractual clauses shall (if incorporated) have the highest priority in the event of any conflict or inconsistency with this DPA or other parts of the Agreement.
    2. Terms that are legally defined in the GDPR, such as ”controller”, ”processor”, ”personal data”, ”processing” and ”data subject”, shall be construed and applied in accordance with the GDPR.
    3. Terms defined in the Terms of Service shall have the same meaning when used in this DPA with an initial capital letter.
    4. In addition to the preceding Section sand to the terms defined above, the following terms shall have the meanings stated below:
Term Definition
"GDPR" Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Covered Personal Data" Personal data that is processed by Phygrid on behalf of Customer, see the Specification.
"Specification" Means Annex A to this main document.
"Supervisory Authority" A Swedish or EU authority such as the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) and, where applicable, any other supervisory authority with regulatory jurisdiction over Customer's business operations.
  1. LAWFUL PROCESSING

    1. Phygrid undertakes to process Covered Personal Data in accordance with the GDPR, this DPA, the Agreement and Customer’s written and documented instructions from time to time in accordance with Section 4.
  2. INSTRUCTIONS

    1. Phygrid and any Subprocessors and persons acting under the authority of Phygrid may only process Covered Personal Data in accordance with Customer’s written and documented instructions. Customer’s instructions upon entering into this DPA follow from this DPA and the Agreement.
    2. If the Customer has engaged an Approved Partner who is a Certified Solution Provider (as described in the Agreement), then Customer hereby instructs Phygrid to disclose and make available relevant Covered Personal Data to the Approved Partner to enable such Approved Partner to be able to provide application development and/or support services and other value-adds to the Customer. Following disclosure of Covered Personal Data by Phygrid to an Approved Partner in accordance with this Section 4.2, the relevant personal data will subsequently be processed by the Approved Partner as a data controller (unless otherwise agreed between the Customer and the Approved Partner).
    3. The Customer has the right to continuously instruct Phygrid in writing regarding the processing of Covered Personal Data (”Additional Instructions”), and Phygrid has a corresponding obligation to follow such Additional Instructions, provided that they are consistent with the terms and scope of the Agreement and this DPA.
    4. If Phygrid believes that Customer’s instructions, in the opinion of Phygrid, might infringe the GDPR, Phygrid shall without undue delay notify Customer and await further instructions before continuing any processing of Covered Personal Data.
    5. This DPA will not in any way prevent or limit Phygrid from processing Personal Data to the extent necessary in order to comply with legal requirements under the GDPR and/or other laws to which Phygrid is subject.
    6. Notwithstanding any provisions regarding choice of law agreed between the parties in the Agreement, Phygrid will comply with data protection legislation applicable to data processors located in the EU, and the Customer shall comply with data protection legislation applicable to Customer as data controller.
  3. TECHNICAL AND ORGANIZATIONAL MEASURES

    1. Phygrid shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the processing of Covered Personal Data. The Customer agrees and acknowledges that technical and organizational measures are subject to technical progress and further development. Accordingly, Phygrid reserves the right to modify such measures provided that the functionality and security of the Service is not significantly degraded as a result of thereof. The Customer hereby discharges Phygrid of any obligation to notify and/or obtain prior approval from Customer of such changes. If the Customer so requests in writing, Phygrid shall provide information about the technical and organizational security measures which Phygrid has implemented, within fifteen (15) business days from Customer’s request.
    2. Phygrid shall ensure that only personnel that needs access to Covered Personal Data in order to fulfil their obligations towards Customer have access to Covered Personal Data and that any person who has access to Covered Personal Data is subject to appropriate confidentiality undertakings, as determined by Phygrid (in its reasonable discretion).
    3. Phygrid shall, at no additional cost for Customer, comply with the Supervisory Authority’s applicable decisions, guidelines and recommendations on necessary or recommended measures to comply with the security requirements in the GDPR.
  4. TRANSFER OF COVERED PERSONAL DATA OUTSIDE THE EU/EEA

    1. Customer agrees that Phygrid or any of its Subprocessors may process Covered Personal Data on equipment, infrastructure or through resources that are physically located outside the EU/EEA, for the performance of Phygrid’s undertakings under the Agreement and provided that Phygrid ensures a valid Transfer Mechanism.
    2. A valid “Transfer Mechanism” is any of the following:
      • the third country in which the data recipient resides provides an adequate level of protection for Covered Personal Data, according to a valid adequacy decision by the EU Commission; or
      • Phygrid and the data recipient enter into standard contractual clauses adopted by the EU Commission from time to time and Customer hereby authorizes and mandates Phygrid to enter into such standard contractual clauses on behalf of the Customer (if required); or
      • the cross-border transfer is otherwise made in accordance with Chapter V of the GDPR.
    3. Regardless of Phygrid’s choice of Transfer Mechanism, Phygrid shall take appropriate safeguards to ensure a level of protection for Covered Personal Data which is essentially equivalent to that of the GDPR.
    4. If during the term of the DPA, the EU Commission issues new or revised standard contractual clauses, such updated clauses shall automatically be incorporated and supersede the prior standard contractual clauses under this DPA, unless otherwise notified to Customer in writing by Phygrid. Where deemed necessary by Phygrid, the Parties shall at their own cost take necessary actions (if any) to properly implement the updated standard contractual clauses.
  5. OBLIGATION TO PROVIDE INFORMATION AND ASSIST CUSTOMER

    1. Phygrid shall assist Customer by appropriate technical and organizational measures for fulfilment of Customer’s obligations regarding Covered Personal Data, such as to respond to requests on the exercise of data subjects’ rights and, without undue delay, rectify, erase, restrict and/or block the processing of Covered Personal Data in accordance with Customer’s instructions and to always do so in accordance with the GDPR.

    2. Phygrid undertakes to notify Customer in writing of any personal data breach involving Covered Personal Data, attributable to Phygrid or any of its Subcontractors, without undue delay after the personal data breach is detected by Phygrid. The notification shall be sent to the Customer’s contact person (as specified in the Agreement).

    3. Phygrid’s notification to the Customer in accordance with Section 7.2 shall include the following information:

      • description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of Covered Personal Data records concerned; and
      • description of the measures taken or proposed to be taken by Phygrid to address the Covered Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    4. Where, and in so far as, it is not possible to provide the information at the same time, Phygrid may provide the information to the Customer in phases and without undue delay.

    5. If a personal data breach is attributable to the Customer, Phygrid shall only be responsible for notifying Customer about the personal data breach and await written instructions from Customer about whether or not Customer wishes Phygrid to investigate the personal data breach on behalf of Customer (at Customer’s sole cost).

    6. Phygrid shall otherwise, upon Customer’s request, assist Customer to ensure that Customer can fulfil its obligations under the GDPR, including but not limited to providing Customer with all information that may reasonably be required to demonstrate Phygrid’s compliance with its obligations as a processor set out in the GDPR. Such assistance may include data protection impact assessments and prior consultations.

  6. CONTACT WITH DATA SUBJECTS AND SUPERVISORY AUTHORITIES

    1. As the data controller, Customer shall act as the single-point-of-contact in relation to data subjects on all matters and issues related to the processing activities carried out under this DPA. Phygrid shall, subject to compensation as set out in Section 13, duly assist Customer in responding to requests from data subjects and to correct, erase, limit and/or block Covered Personal Data in accordance with Customer’s instructions.
    2. In the event that a data subject, Supervisory Authority, or any other third party requests information from Phygrid regarding the processing of Covered Personal Data, Phygrid shall immediately refer such request to Customer, provided that Phygrid is not prohibited from doing so by a decision of a court or public authority.
    3. If a data subject’s Covered Personal Data is not accessible to the Customer through the Service, Phygrid will, as necessary to enable Customer to meet its obligations under applicable data protection legislation, provide reasonable assistance to make such Covered Personal Data available to Customer. Phygrid is entitled to compensation from the Customer for any costs and expenses relating to Phygrid's assistance in accordance with Customer's request pursuant to this Section 8.3.
    4. If a data subject pursuant to mandatory law is entitled to exercise its right directly vis-à-vis Phygrid, Phygrid shall take relevant measures and shall be discharged of any obligation to inform or notify Customer.
    5. Customer agrees to provide or distribute information notices to data subjects about specific data processing operations in the Service in accordance with Phygrid’s instructions in writing from time to time.
  7. RIGHT TO AUDIT

    1. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, Phygrid shall allow Customer, or a third party appointed by Customer, the right to audit Phygrid’s business operations and the equipment used for the processing of Covered Personal Data in order to ensure that Phygrid and any Subprocessors engaged by Phygrid, comply with their respective obligations under this DPA and the GDPR. Phygrid shall provide reasonable assistance to Customer in connection with an audit. Audits may not be carried out by a direct competitor of Phygrid.
    2. Customer undertakes to inform Phygrid of Customer’s intention to carry out an audit and its planned scope in reasonable time before an audit. The audit shall be carried out during normal business hours and in a manner that minimizes disturbance on Phygrid’s and any Subprocessor’s business operations and are otherwise in line with applicable Phygrid practices and policies. Furthermore, Customer shall ensure that each individual performing the inspection is imposed an obligation to follow security instructions and the same confidentiality obligations as Customer under the Agreement, or, at Phygrid's request, signs a non-disclosure agreement in relation to Phygrid. Phygrid shall under no circumstances be obliged to disclose information that is subject to secrecy in accordance with law or agreement, nor trade secrets or similar information of Phygrid, its other customers or Subprocessors.
    3. On-site audits shall be subject to at least sixty (60) days’ prior written notice by the Customer to Phygrid.
    4. Customer shall strive to minimize the extent of an audit and conduct audits with a risk-based approach and subject to the principle of proportionality. Any and all costs and expenses related to Customer’s audits shall be borne by the Customer, including any potential costs and expenses incurred by Phygrid due to Phygrid’s or any Subprocessors participation in such audit.
    5. Phygrid may, at its option, conduct internal audits of its processing of Covered Personal Data, in order to verify its compliance with its obligations as a processor in accordance with the GDPR.
    6. Phygrid shall allow for any audits that a Supervisory Authority requires in order to ensure lawful processing of Covered Personal Data.
  8. SUBPROCESSORS

    1. Customer hereby grants Phygrid a general prior authorization to engage service providers (“Subprocessors”) to process Covered Personal Data and enter into data processing agreements with such Subprocessors with obligations no less restrictive than those set out in this DPA. Furthermore, Customer hereby approves the processing of Covered Personal Data by any Subprocessors engaged by Phygrid and the time of Phygrid and Customer entering into the Agreement, as specified in the Specification (if any).
    2. Phygrid may replace or add new Subprocessors at any time, provided that Phygrid notifies the Customer of any such change without undue delay, thereby giving Customer the opportunity to object to such change.
    3. A list of Subprocessors including geographical location can be provided by Phygrid upon Customer’s written request.
    4. Customer may object to a Subprocessor processing Covered Personal Data, provided that such objection is reasonable and based on data protection and protection of data subject’s rights and freedoms. If Phygrid is unable to accommodate Customer’s objection, Customer may terminate, in whole or in part (where possible), the Agreement including this DPA by providing Phygrid a written notice of termination within one (1) month of Phygrid’s notice in accordance with Section 10.2. Phygrid will refund a prorated portion of any pre-paid charges for the period after such termination date.
    5. Phygrid shall be liable for the acts and omissions of any Subprocessor to the same extent as if the acts or omissions were performed by Phygrid.
  9. CONFIDENTIALITY

    1. Each Party’s respective confidentiality undertakings under this DPA are set out in the Agreement.
    2. The confidentiality undertaking in accordance with Section 11.1 is not applicable in relation to Subprocessors with whom Phygrid has entered into a data processing agreement in accordance with Section 10. However, any such data processing agreement shall include a corresponding confidentiality obligation for the Subprocessor.
  10. LIABILITY

    1. Each Party’s respective liability under this DPA are subject to the exceptions and limitations set out in the Agreement.
  11. COMPENSATION

    1. Unless expressly set out in this Section 13, Phygrid is not entitled to any additional compensation for its performance under this DPA.
    2. Phygrid is entitled to compensation on a time and material basis, for any work effort under this DPA which is not included in the Service, including work efforts related to:
      1. Additional Instructions that go beyond what is included in the Service, except where the relevant Additional Instruction is an explicit requirement and obligation for Phygrid pursuant to the GDPR.
      2. Assisting Customer in responding to requests from data subjects in accordance with Section 8.
      3. Assisting Customer with data protection impact assessments and prior consultations, in accordance with Section 7.6.
      4. Facilitating more than one (1) on-site audit per calendar year at Phygrid’s premises, unless such audit is carried out due to a personal data breach related to Covered Personal Data attributable to Phygrid.
      5. Assisting Customer in transferring Covered Personal Data to Customer in connection with the termination of the Agreement, as set out in Section 14.
    3. Compensation shall, unless agreed otherwise, be based upon the agreed hourly rates in the Agreement.
  12. TERM AND TERMINATION

    1. This DPA enters into force upon the date of its execution by both Parties and shall remain in force for as long as Phygrid or any Subprocessor processes Covered Personal Data.
    2. Upon termination of the Agreement and during the Retention Period, Phygrid will provide Customer with a possibility to download and retrieve any Covered Personal Data in Phygrid’s or any Subprocessor’s possession in accordance with Phygrid’s standard procedures for the Service. Upon expiry of the Retention Period, Phygrid shall delete or anonymize any Covered Personal Data, unless Phygrid is obligated under applicable law to continue storing the Covered Personal Data.
  13. MISCELLANEOUS

    1. Without prejudice to the Agreement, this DPA shall constitute the entire agreement between the Parties on all issues to which the DPA relates. The contents of this DPA and its appendices supersede all previous written or oral commitments and undertakings between the Parties on the issues to which this DPA relates.
    2. Nothing in this DPA shall limit Phygrid or any of its Subprocessors from complying with applicable laws and/or orders from supervisory authorities, governmental agencies or regulatory bodies.
  14. GOVERNING LAW AND DISPUTE RESOLUTION

    1. Governing law as well as disputes regarding the interpretation or application of this DPA shall be settled in accordance with the governing law and dispute resolution provisions of the Agreement.

ANNEX A – SPECIFICATION

  1. PURPOSE

    1. This Annex A (Specification) to this DPA between Phygrid and Customer describes the processing of Covered Personal Data that Phygrid will carry out on behalf of Customer under this DPA.
    2. The purpose of this Annex A (Specification) is to clarify which processing and personal data that is covered by the Agreement, and to fulfil the requirements of the GDPR regarding the obligation to specify a processor’s processing of personal data, see for example Article 28.3 GDPR.
  2. DESCRIPTION OF THE PROCESSING OF COVERED PERSONAL DATA

Name of Subprocessor Processing carried out by Subprocessor Location for processing
Microsoft Corporation Infrastructure services All data storage on datacenters/regions inside EU/EEA by default, but the Customer can choose to store data in another Azure region when configuring the Service. Please note that cloud services may involve limited data transfers to locations outside EU/EEA, subject to applicable policies from Microsoft from time to time. Such transfers will be subject to the terms of this DPA
Hubspot, Inc. CRM and support Data is processed in the EU (Google Cloud) and subsequently stored in the US (AWS). For more information, see https://knowledge.hubspot.com/account/hubspot-cloudinfrastructurefrequently-askedquestions

Authorized recipients of Covered Personal Data

  • Affiliates of Phygrid, if and when required to provide agreed services.
  • Approved Partners (where applicable) in accordance with Section 4.2.
  • Other recipients stated in Phygrid's Privacy Policy.
  • Governmental authorities, if and when required by law or binding court order.