Data Processing Agreement
Last updated 21 May 2021
This Data Processing Agreement (“DPA”) sets out the terms and conditions for the processing of Personal Data under and in connection with the Agreement. This DPA forms an inseparable part of the Agreement.
The Parties acknowledge that the provision of the Service involves Processing of Personal Data. To the extent Personal Data is processed in connection with the Service, the Parties acknowledge that the Customer is a Controller and Swarmia is a Processor processing Personal Data on behalf of the Customer.
In the event of any discrepancy between this DPA and Terms of Service, this DPA prevails.
- The terms used in this DPA, such as “Controller”, “Processor”, “Data Subject”, “Special Categories of Personal Data”, “Processing”, “Data Protection Impact Assessment” and “Personal Data Breach”, shall have the meanings as defined in the Data Protection Regulation.
- “Personal Data” means any information relating to an identified or identifiable person, which Swarmia processes on behalf of the Customer under the Agreement.
- “Data Protection Regulation” means all applicable laws relating to protection of Personal Data, including without limitation the GDPR and the national laws supplementing the GDPR and the laws implementing EU Directive 2002/58/EC; and
- “GDPR” means the EU General Data Protection Regulation (EU) 2016/679 and any amendments thereto.
- “Standard Contractual Clauses” means the contractual clauses issued by the European Commission by the decision 2010/87/EU for international transfers of Personal Data, and any amendments thereto.
Description of Processing
- Swarmia processes Personal Data under the Agreement for the purpose of providing the Service to the Customer. Processing of Personal Data in this context refers to access to and analysis of data provided by the Customer in connection with the provision of the Service.
- Data Subjects are employees of the Customer or other individuals, whose Personal Data the Customer has provided to Swarmia in connection with the provision of the Service.
- Categories of Personal Data contain metadata on employees who use the Service in connection with a software development project, such as nature and time of modifications as well as identifiers of the individual who made the modification. Swarmia may also process other categories of Personal Data when such Personal Data is included in the Customer Material.
Responsibilities of Customer
- The Customer shall comply with the obligations applicable to it as a Controller as set out in the Data Protection Regulation and this DPA.
- The Customer's documented instructions to Swarmia on the processing of Personal Data are given in this DPA. Additional instructions require prior written agreement between the Parties.
- The Customer shall be solely responsible for providing appropriate access rights to Swarmia and limiting access to Personal Data as strictly necessary for the purpose of the Service.
Responsibilities of Swarmia
- Swarmia shall process Personal Data in accordance with this DPA and Data Protection Regulation.
- Swarmia shall ensure that personnel with access to Personal Data are subject to confidentiality obligation.
- Swarmia shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security to protect Personal Data against unauthorized access and loss, destruction, damage, alteration or disclosure, or against other unlawful processing. Security measures are described in our support center.
- Swarmia shall notify the Customer of Personal Data Breaches without undue delay after Swarmia has become aware of the Personal Data Breach and take reasonable steps to mitigate any damage resulting from such. The notification shall contain at least the information required by the Data Protection Regulation. If it is not possible to provide the information at the same time, the information may be provided in phases. Swarmia shall document Personal Data Breaches and provide the documentation to the Customer upon request.
- Swarmia shall, upon the Customer's request and the Customer's sole cost and expense, to a reasonable extent assist the Customer, for example by means of appropriate technical and organizational measures, in carrying out the requests of Data Subjects and supervisory authorities and carrying out Data Protection Impact Assessment when required by the Data Protection Regulation.
- Swarmia shall to a reasonable extent assist the Customer in demonstrating compliance with the Data Protection Regulation, and for such purposes, make available to the Customer all information available to Swarmia reasonably required and necessary for the Customer to demonstrate its compliance.
- The Customer hereby authorises Swarmia to use subcontractors for the purposes of providing the Service. Swarmia provides information on its subcontractors and any changes thereto at its Web Site.
- Swarmia shall ensure that its subcontractors, who have access to Personal Data, comply with equivalent obligations as set out in this DPA, including security and confidentiality requirements. Swarmia remains liable for its subcontractors and the work of its subcontractors as for its own.
- The Service is hosted within European Economic Area (”EEA“). To the extent Personal Data is otherwise processed outside of EEA by Swarmia or its subcontractors, the Customer hereby approves the processing of Personal Data outside of EEA as necessary for the performance of the Service under the Agreement. To the extent Personal Data is processed outside of EEA, the mechanism to export Personal Data shall be Standard Contractual Clauses or another valid mechanism under Data Protection Regulation.
- At the Customer's written request and the Customer's sole cost and expense, the Customer, or a third party appointed by the Customer, is entitled, once every twelve (12) months, to audit Swarmia's compliance with this DPA. The audit report and related information shall at all times be deemed as Swarmia's confidential information. The Customer shall notify Swarmia in writing at least thirty (30) days prior to conducting the audit, unless otherwise required by applicable law or authority decision.
Term and Termination
- This DPA shall continue in force until the termination of the Agreement or as long as Swarmia processes Personal Data on behalf of the Customer.
- Upon termination or expiry of the Agreement, or upon the Customer’s written request, Swarmia shall either destroy or return, either to the Customer or to a third party designated by the Customer in writing, the Personal Data processed, unless otherwise required by Data Protection Regulation or other applicable legislation.
- Any changes to this DPA shall be made in writing and signed by both Parties in order to be valid and binding.