DATA PROCESSING AGREEMENT (DPA)

Version 1 – Flexible Sub‑processor Model
Effective from: [2026-03-01]

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service.

1. Parties

Between:

OCM‑Media Handelsbolag
Company registration no.: 969802‑2457
Ardennervägen 19, 184 94 Åkersberga, Sweden
(the “Processor”)

and

The legal entity accepting the Terms of Service
(the “Controller” or the “Customer”).

2. Purpose and Applicable Law

2.1 This DPA governs the Processor’s processing of personal data on behalf of the Controller.

2.2 Processing shall be carried out in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”),

  • Applicable national data protection laws within the EU/EEA.

3. Roles

3.1 The Customer acts as data controller for personal data contained within Customer Data (cases, messages, attachments, etc.).

3.2 The Processor acts as data processor with respect to such data.

3.3 The Processor acts as an independent data controller with respect to processing relating to:

  • security and operational logs,

  • technical metadata,

  • abuse prevention measures,

  • processing required by law,

  • the establishment, exercise or defence of legal claims.

4. Purpose and Nature of Processing

4.1 The Processor processes personal data in order to:

  • provide the Service,

  • enable communication between the Customer and its End Customers,

  • provide optional AI features (if activated),

  • maintain security and functionality.

4.2 Processing may include:

  • collection,

  • recording,

  • storage,

  • structuring,

  • transmission,

  • deletion.

5. Categories of Data Subjects and Personal Data

5.1 Data subjects may include:

  • the Customer’s users,

  • the Customer’s representatives,

  • the Customer’s end customers (consumers or businesses).

5.2 Personal data may include:

  • name,

  • email address,

  • telephone number,

  • free‑text data within cases,

  • uploaded attachments.

5.3 The Customer is responsible for ensuring that special categories of personal data under Article 9 GDPR are not processed without a valid legal basis.

6. Instructions

6.1 The Processor shall process personal data only on documented instructions from the Customer.

6.2 The instructions arising from:

  • the Service functionality,

  • the Terms of Service,

  • this DPA

shall constitute documented instructions.

6.3 If the Processor considers that an instruction infringes GDPR, the Customer shall be informed without undue delay.

7. Confidentiality

The Processor shall ensure that persons authorised to process personal data are bound by confidentiality obligations or are subject to statutory confidentiality.

8. Security Measures

8.1 The Processor shall implement appropriate technical and organisational measures pursuant to Article 32 GDPR.

8.2 Such measures may include:

  • access control,

  • authentication mechanisms,

  • encryption in transit where applicable,

  • system event logging.

8.3 The Customer acknowledges that the Service is provided without any guarantee of backup or uninterrupted availability, as stated in the Terms of Service.

9. Sub‑processors (Flexible Model)

9.1 The Customer hereby grants a general prior authorisation for the Processor to engage sub‑processors.

9.2 Sub‑processors may be engaged for purposes such as:

  • cloud infrastructure,

  • backend operations,

  • email distribution,

  • AI services,

  • security services.

9.3 An up‑to‑date list of sub‑processors shall be made available by the Processor upon request.

9.4 The Processor may update the sub‑processors used, provided that an adequate level of data protection is maintained.

9.5 The Processor shall ensure that sub‑processors are bound by written agreements meeting the requirements of Article 28 GDPR.

10. International Transfers

10.1 Processing shall primarily take place within the EU/EEA.

10.2 Any transfer of personal data to a third country shall be carried out in accordance with Chapter V GDPR.

11. Personal Data Breaches

11.1 The Processor shall notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer Data.

11.2 The Processor shall provide reasonable assistance to enable the Customer to fulfil its obligations under Articles 33–34 GDPR.

12. Assistance

Taking into account the nature of processing, the Processor shall reasonably assist the Customer with:

  • responding to data subject rights requests,

  • conducting data protection impact assessments (DPIAs),

  • cooperating with supervisory authorities.

13. Deletion and Retention

13.1 Upon termination of the Service, Customer Data shall be permanently deleted in accordance with the Terms of Service.

13.2 Deleted data cannot be restored.

13.3 The Processor may retain:

  • data required by law (e.g., accounting records),

  • necessary security and operational logs for up to twelve (12) months following termination.

14. Audit

14.1 The Customer has the right to request information demonstrating the Processor’s compliance with this DPA.

14.2 Audits shall be conducted with reasonable notice and without unreasonably disrupting the Processor’s operations.

15. Liability

Liability under this DPA shall be governed by the limitation of liability provisions set out in the Terms of Service.

16. Term

This DPA shall remain in force for as long as the Processor processes personal data on behalf of the Customer.

© OCM-Media Handelsbolag 2026