DATA PROCESSING AGREEMENT (DPA)
Version 2
Effective from: 2026-04-01
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service.
1. PARTIES
This DPA is entered into between:
OCM-Media Handelsbolag
Company registration no.: 969802-2457
Ardennervägen 19, 184 94 Åkersberga, Sweden
(the “Processor”)
and
The legal entity accepting the Terms of Service
(the “Controller” or the “Customer”).
2. PURPOSE AND APPLICABLE LAW
2.1 This DPA governs the Processor’s processing of personal data on behalf of the Controller.
2.2 Processing shall be carried out in accordance with:
Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)
Applicable national data protection laws within the EU/EEA
2.3 For Customers established outside the EU/EEA, including the United States, processing shall also take into account applicable data protection laws, including the California Consumer Privacy Act (CCPA/CPRA), where relevant.
3. ROLES
3.1 The Customer acts as data controller for personal data contained within Customer Data.
3.2 The Processor acts as data processor with respect to such data.
3.3 The Processor acts as an independent data controller with respect to:
security and operational logs
technical metadata
abuse prevention measures
processing required by law
the establishment, exercise, or defence of legal claims
3.4 For Customers subject to U.S. data protection laws, the Processor acts as a “service provider” (or equivalent role) and processes personal data solely for the purpose of providing the Service in accordance with the Customer’s instructions.
4. PURPOSE AND NATURE OF PROCESSING
4.1 The Processor processes personal data in order to:
provide the Service
enable communication between the Customer and its End Customers
provide optional AI features (if activated)
maintain security and functionality
4.2 Processing may include:
collection
recording
storage
structuring
transmission
deletion
5. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA
5.1 Data subjects may include:
the Customer’s users
the Customer’s representatives
the Customer’s end customers
5.2 Personal data may include:
name
email address
telephone number
free-text data within cases
uploaded attachments
5.3 The Customer is responsible for ensuring that special categories of personal data are not processed without a valid legal basis.
6. INSTRUCTIONS
6.1 The Processor shall process personal data only on documented instructions from the Customer.
6.2 The instructions arising from:
the Service functionality
the Terms of Service
this DPA
shall constitute documented instructions.
6.3 If the Processor considers that an instruction infringes applicable data protection law, the Customer shall be informed without undue delay.
7. CONFIDENTIALITY
The Processor shall ensure that persons authorised to process personal data are bound by confidentiality obligations.
8. SECURITY MEASURES
8.1 The Processor shall implement appropriate technical and organisational measures pursuant to Article 32 GDPR.
8.2 Such measures may include:
access control
authentication mechanisms
encryption in transit where applicable
system event logging
8.3 The Customer acknowledges that the Service is provided without any guarantee of backup or uninterrupted availability.
9. SUB-PROCESSORS
9.1 The Customer grants a general authorisation for the Processor to engage sub-processors.
9.2 Sub-processors may include providers of:
cloud infrastructure
backend services
email distribution (e.g., Mailgun)
payment processing (e.g., Stripe)
AI services
security services
9.3 The Processor shall ensure that sub-processors are bound by written agreements meeting GDPR requirements.
9.4 An up-to-date list of sub-processors shall be made available upon request.
10. INTERNATIONAL TRANSFERS
10.1 Processing shall primarily take place within the EU/EEA.
10.2 Where personal data is transferred outside the EU/EEA, appropriate safeguards shall be applied, including:
Standard Contractual Clauses (SCCs)
Equivalent legal mechanisms
11. PERSONAL DATA BREACHES
11.1 The Processor shall notify the Customer without undue delay upon becoming aware of a personal data breach.
11.2 The Processor shall provide reasonable assistance to enable the Customer to fulfil its obligations.
12. ASSISTANCE
The Processor shall reasonably assist the Customer with:
responding to data subject rights requests
conducting data protection impact assessments
cooperating with supervisory authorities
13. DELETION AND RETENTION
13.1 Upon termination, Customer Data shall be permanently deleted in accordance with the Terms of Service.
13.2 Deleted data cannot be restored.
13.3 The Processor may retain:
data required by law
necessary security and operational logs for up to 12 months
14. AUDIT
14.1 The Customer may request information demonstrating compliance.
14.2 Audits shall be conducted with reasonable notice and without disrupting operations.
15. LIABILITY
Liability under this DPA shall be governed by the limitation of liability provisions set out in the Terms of Service.
16. TERM
This DPA remains in force as long as the Processor processes personal data on behalf of the Customer.
17. US DATA PROTECTION ADDENDUM (CCPA/CPRA)
17.1 The Processor shall act as a “service provider” (or equivalent role) under applicable U.S. privacy laws.
17.2 The Processor shall:
process personal data only for the purpose of providing the Service
not sell personal data
not retain, use, or disclose personal data for any purpose other than as permitted under the agreement
17.3 The Processor shall assist the Customer, where reasonably required, in responding to verified consumer requests under applicable U.S. privacy laws.
17.4 The Processor shall implement reasonable security measures appropriate to the nature of the data processed.
17.5 The Processor shall notify the Customer if it can no longer meet its obligations under applicable data protection laws.
