Data Processing Agreement

Last updated 21 October 2021

This Data Processing Agreement (“DPA”) sets out the terms and conditions for the processing of Personal Data under and in connection with the Agreement. This DPA forms an inseparable part of the Agreement.

The Parties acknowledge that the provision of the Service involves Processing of Personal Data. To the extent Personal Data is processed in connection with the Service, the Parties acknowledge that the Customer is a Controller and Swarmia is a Processor processing Personal Data on behalf of the Customer.

In the event of any discrepancy between this DPA and Terms of Service, this DPA prevails.

1. Definitions

   1. The terms used in this DPA, such as “Controller”, “Processor”, “Data Subject”, “Special Categories of Personal Data”, “Processing”, “Data Protection Impact Assessment” and “Personal Data Breach”, shall have the meanings as defined in the Data Protection Regulation.
   2. “Personal Data” means any information relating to an identified or identifiable person, which Swarmia processes on behalf of the Customer or its Affiliates under the Agreement.
   3. “Data Protection Regulation” means all applicable laws relating to protection of Personal Data, including without limitation the GDPR and the national laws supplementing the GDPR and the laws implementing EU Directive 2002/58/EC; and
   4. “GDPR” means the EU General Data Protection Regulation (EU) 2016/679 and any amendments thereto.
   5. “Standard Contractual Clauses” means the Decision (EU) 2021/914 issued by the European Commission on 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, or any following decision of the Commission, and any amendments thereto.

2. Description of Processing

   1. Swarmia processes Personal Data under the Agreement for the purpose of providing the Service to the Customer. Processing of Personal Data in this context refers to access to and analysis of data provided by the Customer in connection with the provision of the Service.
   2. Data Subjects are employees of the Customer or other individuals, whose Personal Data the Customer has provided to Swarmia in connection with the provision of the Service.
   3. Categories of Personal Data contain metadata on employees who use the Service in connection with a software development project, such as nature and time of modifications as well as identifiers of the individual who made the modification. Swarmia may also process other categories of Personal Data when such Personal Data is included in the Customer Material.

3. Responsibilities of Customer

   1. The Customer shall comply with the obligations applicable to it as a Controller as set out in the Data Protection Regulation and this DPA.
   2. The Customer's documented instructions to Swarmia on the processing of Personal Data are given in this DPA. Additional instructions require prior written agreement between the Parties.
   3. The Customer shall be solely responsible for providing appropriate access rights to Swarmia and limiting access to Personal Data as strictly necessary for the purpose of the Service.

4. Responsibilities of Swarmia

   1. Swarmia shall process Personal Data in accordance with this DPA and Data Protection Regulation.
   2. Swarmia shall ensure that personnel with access to Personal Data are subject to confidentiality obligation.
   3. Swarmia shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security to protect Personal Data against unauthorized access and loss, destruction, damage, alteration or disclosure, or against other unlawful processing. Security measures are described in our support center.
   4. Swarmia shall notify the Customer of Personal Data Breaches without undue delay after Swarmia has become aware of the Personal Data Breach and take reasonable steps to mitigate any damage resulting from such. The notification shall contain at least the information required by the Data Protection Regulation. If it is not possible to provide the information at the same time, the information may be provided in phases. Swarmia shall document Personal Data Breaches and provide the documentation to the Customer upon request.
   5. Swarmia shall, upon the Customer's request, to a reasonable extent assist the Customer, for example by means of appropriate technical and organizational measures, in carrying out the requests of Data Subjects and supervisory authorities and carrying out Data Protection Impact Assessment when required by the Data Protection Regulation. The Customer shall reimburse Swarmia reasonable costs and expenses incurred from such assistance.
   6. Swarmia shall to a reasonable extent assist the Customer in demonstrating compliance with the Data Protection Regulation, and for such purposes, make available to the Customer all information available to Swarmia reasonably required and necessary for the Customer to demonstrate its compliance.
   7. Swarmia may use its Affiliates and third parties as subcontractors to provide certain parts of the Service. The Customer hereby authorises Swarmia to use these subcontractors for the processing of Personal Data. Swarmia may remove or appoint other suitable and reliable subcontractors at its own discretion. Swarmia will notify the Customer in writing of a new subcontractor at least fourteen (14) days prior to the appointment or replacement of a subcontractor. The Customer may, on reasonable grounds related to protection of Personal Data, object a subcontractor, in which case Swarmia shall use reasonable efforts to find and implement an alternative solution which does not include engaging such subcontractor. If no alternative solution is reasonably available, the Customer may terminate, with immediate effects, the Agreement and related Order(s). Upon the Customer's request, Swarmia shall provide a list of used subcontractors with access to Personal Data, including their processing location and the specific processing activities they are engaged for.
   8. Swarmia shall ensure that its subcontractors, who have access to Personal Data, comply with equivalent obligations as set out in this DPA, including security and confidentiality requirements. Swarmia remains liable for its subcontractors and the work of its subcontractors as for its own.
   9. The Service is hosted within the European Economic Area (”EEA“). The Customer acknowledges, however, that some of the subcontractors are located in or have access to Personal Data outside of EEA. To the extent Personal Data is processed outside of EEA by subcontractors, the Customer hereby approves the processing of Personal Data outside of EEA. Where Personal Data is transferred (or accessed) outside of EEA, Swarmia and its subcontractor shall enter into Standard Contractual Clauses (Module Three, Transfer processor to processor) and where necessary, supplementary measures to ensure adequate level of data protection.

5. Auditing

   1. At the Customer's written request and the Customer's sole cost and expense, the Customer, or a third party appointed by the Customer, is entitled, once every twelve (12) months, to audit Swarmia's compliance with this DPA. The audit report and related information shall at all times be deemed as Swarmia's confidential information. The Customer shall notify Swarmia in writing at least thirty (30) days prior to conducting the audit, unless otherwise required by applicable law or authority decision.

6. Term and Termination

   1. This DPA shall continue in force until the termination of the Agreement or as long as Swarmia processes Personal Data on behalf of the Customer.
   2. Upon termination or expiry of the Agreement, or upon the Customer's written request, Swarmia shall either destroy or return, either to the Customer or to a third party designated by the Customer in writing, the Personal Data processed, unless otherwise required by Data Protection Regulation or other applicable legislation.

7. Changes

   1. Any changes to this DPA shall be made in writing and signed by both Parties in order to be valid and binding.