BuildSafe Data Processing Agreement

1. Parties

1.1 Customer as defined in the Agreement (”Customer” or “Controller”)

1.2 BuildSafe Sweden AB, company registration number 559001-9179 (”BuildSafe” or “Processor”)

1.3 Each of the Customer and BuildSafe may hereafter be referred to as “Party” and jointly as the “Parties“.

2. Background

2.1 This data processing agreement (the “Processing Agreement“) governs BuildSafe’s processing of personal data on behalf of the Customer in accordance with the agreement regarding provision of BuildSafe’s service entered into between the Customer and BuildSafe (the “Agreement“).

2.2 By entering into the Agreement, the Customer and BuildSafe becomes bound by this Processing Agreement which forms an integral part of the Agreement.

2.3 The Customer determines the purpose and means if the processing of Personal Data and is therefore according to Data Protection Legislation (as defined below) the data controller for the processing.

2.4 When providing services in accordance with the Agreement, BuildSafe may process Personal Data on behalf of the Customer. BuildSafe is therefore in accordance with Data Protection Legislation data processor for the processing.

2.5 Data Protection Legislation requires that the processor and controller enter into a written agreement regarding the processing of personal data on behalf of the controller. For the purpose of complying with such requirement, the Parties have entered into this Processing Agreement in accordance with Data Protection Legislation.

3. The General Data Protection Regulation

3.1 On the 27 April 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (”GDPR”) was adopted. The GDPR will replace local data protection laws in all EU member states and will be equally applicable in all EU member states with the exception of minor local deviations. The provisions set forth in the GDPR does not differ significantly from the current provisions on processing of personal data set forth in the Swedish Personal Data Act (Sw. personuppgiftslagen (1998:204)), except for the more extensive obligations on processors and  implementation of administrative fines for breaches against the GDPR. The GDPR will be applicable from 25 May 2018 and the provisions of this Processing Agreement aim to reflect the provisions of the GDPR.

4.  Definitions

4.1 In this Processing Agreement the following terms shall have the meaning set forth below:

  • Agreement Date” the date when the Agreement was approved by the Customer.
  • Data Protection Legislation” means the applicable national legislation implementing the European Directive 95/46/EC and any national legislation and/or European legislation which amends, replaces, re-enacts or consolidates such legislation, including the GDPR.
  • Data Subject” the individual that Personal Data is attributable to.
  • Personal Data” means personal data as defined in Data Protection Legislation and which the Processor, or sub-processor solicited by the Processor, processes on behalf of the Controller.
  • Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

4.2 Unless otherwise stated, all other terms in this Processing Agreement shall have the same meaning as set forth in the Agreement or, if applicable, be interpreted in accordance with Data Protection Legislation.

5. The Processor’s undertakings

5.1 The Processor undertakes to only process Personal Data in accordance with the Controller’s instructions set forth in this Processing Agreement, the Processor’s policies regarding processing of personal data applicable from time to time and the Controller’s written instructions, unless such processing is necessary according to applicable law, and in such case the Processor shall inform the Controller of the legal requirement prior to conducting the processing (unless applicable legislation prohibits such information).

5.2 The Processor undertakes to only process Personal Data in accordance with Data Protection Legislation and without undue delay comply with all decisions and judgments of the Swedish Data Protection Authority, other competent authority, court or, where appropriate, arbitration tribunal regarding Personal Data;

5.4 The Processor also undertakes to:

  • not without the Controller’s prior written authorisation transfer and/or disclose Personal Data to any third party;
  • keep all Personal Data strictly confidential and ensure that persons authorised to process Personal Data have undertaken to comply with confidentiality obligations in respect of Personal Data;
  • maintain written records of all processing activities relating to Personal Data in accordance with the requirements set forth in Data Protection Legislation; and
  • upon the Controller’s request, provide the Controller with all relevant information and documentation demonstrating the measures taken by the Processor to fulfil its obligations under this Processing Agreement.

5.5 Should the Processor, in its opinion, consider that the Controller’s instructions infringes Data Protection Legislation, the Processor shall immediately cease the processing based on such instructions and notify the Controller hereof and thereafter await further instructions.

5.6 The Processor shall promptly notify the Controller if the Processor suspects that Personal Data is subject to unauthorized, accidental or unlawful disclosure, destruction or alteration, and inform the Controller of other circumstances regarding the Processor’s processing of Personal Data which can be assumed to be of significant importance to the Controller.

6. Sub-processor

6.1 The Processor shall be entitled to solicit sub-processors for the processing of Personal Data on behalf of the Controller.

6.2 If the Processor solicits a sub-processor, the Processor and the sub-processor shall enter into a written agreement which sets forth the responsibilities and obligations equivalent or more far-reaching as set out in relation to the Processor under this Processing Agreement and from time to time applicable instructions and policies regarding processing of Personal Data.

6.3 The Processor shall notify the Controller at least two (2) weeks before a sub-processor commence processing of Personal Data. The Controller shall have a right to object to the processing of Personal Data by the sub-processor if it is justified with regards to Data Protection Legislation or other legally binding regulations that the Controller is subject to. If the Controller objects to the processing of Personal Data by the sub-processor, the Processor shall not provide the part of the Service that relates to processing performed by the sub-processor, however, the Processor shall continue to provide all other parts of the Service in accordance with the Agreement.

7. Assistance

7.1 The Processor shall assist the Controller to the extent necessary in order for the Controller to perform its obligations in relation to the rights of the Data Subject under Data Protection Legislation, such as correct, erase and limit the processing of Personal Data and provide a copy of the Personal Data being processed.

7.2 The Processor shall assist the Controller to the extent necessary in order for the Controller to fulfil its obligations to inter alia report personal data breaches to the supervisory authority and the Data Subject, conduct privacy impact assessments and consult with the supervisory authority in accordance with Data Protection Legislation.

8.Transfer of Personal Data outside the EU and EEA

8.1 The Processor may transfer Personal Data outside EU/EEA provided that the transfer is compliant with Data Protection Legislation and that the Processor takes all steps necessary to comply with such provisions, e.g. by signing the European Commission’s Standard Contractual Clauses (SCC). The Processor shall be entitled to enter into such Standard Contractual Clauses with any sub-processor on behalf of the Controller.

8.2 Upon notice of a new sub-processor in accordance with Section 3, the Controller shall have a right to object to change regarding sub-processors that involves transfer of Personal Data outside EU/EEA if it is justified with regards to Data Protection Legislation or other legally binding regulations that the Controller is subject to. Should the Controller object to such transfer of Personal Data outside EU/EEA and the Parties cannot agree on a solution, the Controller shall be entitled to terminate the Agreement in writing with thirty (30) days’ notice.

9. Disclosure of Personal Data

9.1 Should the Data Subject request access to or information regarding its Personal Data that the Processor processes, the Processor shall forward such request to the Controller.

9.2 The Processor may not disclose the Data Subjects’ Personal Data or give access thereto to any third party. Should the Processor receive a request regarding such disclosure or access, the Processor shall forward the request to the Controller. Notwithstanding the aforesaid, the Processor is not obliged to inform the Controller of such request, disclosure or access from an authority, court or other similar third party that the Processor is obligated to disclose the Personal Data to.

10. Audit rights

10.1 The Controller shall be entitled to, upon request and without cost, receive a written report specifying the measures taken by the Processor to fulfil its obligations under the Processing Agreement.

10.2 The Controller is entitled to through an independent third party auditor, audit and inspect the Processor’s processing of Personal Data and review whether the Processor’s processing of Personal Data is conducted in accordance with this Processing Agreement and Data Protection Legislation. The Processor shall provide access to the Processor’s venues and computer equipment to the extent necessary considering the purpose of the audit. The Controller shall notify the Processor in writing at least seven (7) business days prior to the audit and such audit shall be conducted during normal business hours.

10.3 Party shall bear its own costs for audits conducted in accordance with this Section 10.

11. Technical and organisational measures

11.1 The Processor undertakes to establish and maintain appropriate technical and organisational measures in order to protect Personal Data against unauthorised or unlawful processing and against accidental, unauthorised or unlawful destruction, loss, alteration or disclosure. Such measures shall be decided taking into account (i) state of the art, (ii) the costs of implementation, (iii) the risks of the processing, and (iv) the degree of sensitivity of the Personal Data being processed. Such measures are not limited to logging the data, maintain a security policy, a safe IT environment and physical safety measures and safety routines.

11.2 The Processor shall ensure that access to Personal Data is limited to those persons who need access in order for the Processor to meet its obligations under the Agreement. The Processor also undertakes to ensure that all employees of the Processor and other individuals that gets access to the Personal Data undertakes to observe the provisions of this Processing Agreement. The Processor shall ensure that access to Personal Data is logged to the extent and in such way that enables a third party to, upon the Controller’s request and without delay, to review if unauthorized access has occurred and in such case by whom.

11.3 The above mentioned technical and organizational measures shall include but not be limited to:

  • adoption of a company security policy and instructions on processing of Personal Data within the Processor’s organisation;
  • regular education of employees and other personnel involved in the processing of Personal Data, regarding the security policy, instructions and Data Protection Legislation;
  • implementation of a secure IT environment, including inter alia necessary security routines, encryption systems, user authorization and back-up routines, including retention of back-up copies; and
  • implementation of necessary physical security measures, such as access control system, fire alarm, flood alarm, burglary alarm, etc.

12. Limitation of liability

12.1 The Processor’s liability under this Processing Agreement is limited  to the extent and amount set out in BuildSafe General Terms and Conditions, unless otherwise stated in the Agreement.

13. Compensation

13.1 The Parties agree that the fees paid by the Controller under the Agreement include compensation for the Processor’s undertakings under this processing Agreement. Should the Controller request the Processor take any further measures than stated in this Processing Agreement, additional compensation therefore shall be payable.

14. Term and termination

14.1 The Processing Agreement comes into force on the Agreement Date and shall remain in force for the same term as the Agreement. Upon early termination of the Agreement the Processing Agreement shall automatically expire.

14.2 Upon termination of the Agreement the Processor shall in accordance with the Controller’s instructions and without delay return or, if the Controller so requests, destroy all Personal Data (including copies thereof) that is subject to the Processing Agreement. The return or destruction, if applicable, shall be conducted in a way that the Processor thereafter has no access to such Personal Data. The Processor shall thereafter in writing ensure to the Controller that return or destruction has been conducted.

15. Agreement documents and amendments

15.1 Amendments to the Processing Agreement shall be in writing and signed by both Parties to be valid.

15.2 In case of discrepancy between the Agreement and this Processing Agreement, the Processing Agreement shall prevail with respect to the processing of Personal Data.

15.3 This Processing Agreement constitutes the entire agreement between the Parties regarding the subject matter and replaces any and all previous written or oral agreements.

16. Applicable law and disputes resolution

16.1 Any dispute, controversy or claim arising out of or in connection with this Processing Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm, the language to be used in the arbitral proceedings shall be Swedish, unless otherwise agreed by the Parties. This Processing Agreement shall be governed by Swedish law without regard to its choice of law principles.

 

Appendix 1

Instructions

1. Categories of Data Subject

1.1 The Processor shall process Personal Data regarding the following categories of Data Subjects on behalf of the Controller:

  • users of the services,
  • customer’s contact persons, and
  • individuals working at or present at the customer’s work place.

2. Categories of Personal Data

2.1 The Processor shall process the following categories of Personal Data on behalf of the Controller:

  • name,
  • e-mail address,
  • role in project,
  • user name,
  • telephone number,
  • employer/principal,
  • picture,
  • abnormalities/observations/accident/incidents that the individual experiences or is involved in (may include health data),
  • different types of responsibilities for actions and measurements of achievements in the work place,
  • technical data, which may include the URL for access to the website, IP address, unique device ID, language, and
  • localisation data.

3. Purpose of the processing

3.1 The Processor shall process the Personal Data for the following purposes on behalf of the Controller:

  • name, in order to identify responsibilities and compile contact information,
  • e-mail address, in order to enable sending invites to the Service, to send messages and notifications and to send information regarding updates,
  • role in project, in order to inform users of formal responsibilities and permissions in the Service,
  • user name, in order to ensure that unauthorized persons do not access the Service,
  • telephone number, in order to meet requirements on complete contact information when documenting audits and to communicate with formally responsible persons upon emergency preparedness,
  • employer/principal, in order to identify the contact person for active companies at the work place, sort respective organizations responsibility and follow up each suppliers work,
  • picture in order to identify specific persons at the work place, in their capacity of a formal role or in connection with emergency preparedness,
  • pictures of individuals present at the work place for the purpose of handling notifications and reports related to the work place,
  • technical data in order to improve and develop the Service, new services and products, and to analyse the use of the Service, to ensure the technical functions of the Service and to prevent unauthorized use of the Service, and
  • localization data for language settings, time zone, identification of place for reported risks and identification of projects close by.

4. Sub-processors

Upon entering into this Processing Agreement, the Processor uses the following sub-contractors for the purpose of processing Personal Data on behalf of the Controller:

  • BuildSafe Tech LLC
  • Intercom, Inc
  • Mixpanel, Inc
  • Pipefy, Inc
  • Amazon Web Services Inc
  • Lilikoi Data Inc (Amity), och
  • Toyger Soft LLC (Kaiten)
  • Pipedrive OÜ
  • Branch Metrics, Inc
  • OneSignal, Inc
  • Wootric, Inc
  • SurveyMonkey, Inc