Data Processing Agreement

1. RECITALS

This DPA lays out the Data Processor’s rights and obligations when the Data Processor processes personal data on behalf of the Data Controller.
This DPA has been prepared for the purpose of the parties’ observance of article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
In connection with the delivery of the services agreed in appendix D, the Data Processor processes personal data on behalf of the Data Controller in compliance with this DPA.

The DPA takes precedence over any similar provisions in other agreements between the parties.

This DPA includes six appendices, and the appendices form an integral part of the DPA.

Appendix A contains detailed information about the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

Appendix B contains the Data Controller’s terms for the Data Processor’s use of sub-processors and a list of sub-processors which the Data Controller has approved the use of.

Appendix C contains the Data Controller’s instructions as regards the Data Processor’s processing of personal data, a description of the security measures which the Data Processor must implement as a minimum, and how the Data Processor and any sub-processors are monitored.

Appendix D contains reference to the parties’ “order form”, including instructions and terms of delivery.

Appendix E of the data processing agreement contains any special terms.

Appendix F contains a FAQ about AI.

The DPA with attached appendices must be stored in writing, including electronically, by both parties.
This DPA does not release the Data Processor from obligations that the Data Processor is subject to under the General Data Protection Regulation and any other legislation.

2. THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER

The Data Controller is responsible for ensuring that the processing of personal data is made in compliance with the General Data Protection Regulation (see article 24 of the Regulation), data protection provisions in Union law or the national law of the EU/EEA member states and this DPA.
The Data Controller has a right and a duty to make decisions as regards for which purpose(s) and by which means processing of personal data may take place.
The Data Controller shall be responsible, among other things, for ensuring that the processing of personal data which the Data Processor is instructed to perform has a legal basis.

3. THE DATA PROCESSOR ACTS ACCORDING TO INSTRUCTIONS

The Data Processor may only process personal data according to documented instructions from the Data Controller, unless required under Union law or the national law of member states to which the Data Processor is subject. All of these instructions must be specified in appendix A, C and D. Subsequent instructions may also be given by the Data Controller, while processing of personal data takes place, but the instructions must always be documented and stored in writing, including electronically, together with this DPA.
The Data Processor must inform the Data Controller immediately if in the Data Processor’s opinion any instructions are contrary to the General Data Protection Regulation or data protection provisions in other Union law or the national law of the member states.

4. CONFIDENTIALITY

The Data Processor may only grant access to personal data which is processed on behalf of the Data Controller to persons who are subject to the Data Processor’s powers of direction, who have undertaken a duty of confidentiality or are subject to an appropriate mandatory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access must be reviewed on an ongoing basis. Based on this review, access to personal data may be closed if the access is no longer necessary, and the personal data must then no longer be accessible to these persons.
At the request of the Data Controller, the Data Processor must be able to demonstrate that the said persons who are subject to the Data Processor’s powers of direction, are subject to the above duty of confidentiality.

5. SECURITY OF PROCESSING

Article 32 of the General Data Protection Regulation stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Data Controller must assess the risks to natural persons’ rights and freedoms that the processing poses and implement measures to address these risks. Depending on their relevance, these may include:

  1. pseudonymisation and encryption of personal data
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

According to article 32 of the General Data Protection Regulation, the Data Processor must – independently of the Data Controller – also assess the risks to natural persons’ rights that the processing poses and implement measures to address these risks. For the purpose of this assessment, the Data Controller must make available to the Data Processor the necessary information which enables the Data Processor to identify and assess such risks.

In addition, the Data Processor must assist the Data Controller with its compliance with the Data Controller’s obligations under article 32 of the General Data Protection Regulation, i.a. by making the necessary information available to the Data Controller concerning the technical and organisational security measures that the Data Processor has already implemented pursuant to article 32 of the General Data Protection Regulation, and all other information required for the Data Controller’s compliance with its obligation under article 32 of the Regulation.
If – in the assessment of the Data Controller – addressing the identified risks requires the implementation of measures additional to those already implemented by the Data Processor, the Data Controller must state the additional measures that must be implemented in appendix C.

6. USE OF SUB-PROCESSORS

The Data Processor must comply with the conditions that are referred to in article 28(2) and (4) of the General Data Protection Regulation, to make use of another Data Processor (a sub-processor).

Thus, the Data Processor may not use a sub-processor without prior general written approval from the Data Controller.
The Data Processor has the Data Controller’s general approval to use sub-processors. The Data Processor must inform the Data Controller in writing of any planned changes concerning addition or replacement of sub-processors giving at least 45 days’ prior written notice and thus give the Data Controller the possibility of objecting to such changes before the use of the said sub-processor(s). The list of sub-processors already approved by the Data Controller appears from appendix B.

When the Data Processor uses a sub-processor in connection with the performance of specific processing activities on behalf of the Data Controller, the Data Processor must, via a contract or other legal document under the Union law or the national law of the EU/EEA member states, impose on the sub-processor the same data protection obligations as those specified in this DPA, whereby in particular the required warranties are made that the sub-processor will implement the technical and organisational measures in such a way that the processing complies with the requirements in this DPA and the General Data Protection Regulation.
The Data Processor is therefore responsible for demanding that as a minimum the sub-processor complies with the Data Processor’s obligations under this DPA and the General Data Protection Regulation.

Sub-processing agreement(s) and any later amendments are sent in copy to the Data Controller, at the Data Controller’s request to that effect, so that the Data Controller has the possibility of ensuring that data protection obligations similar to those that follow from this DPA have been imposed on the sub-processor. Provisions about commercial terms which do not affect the data protection law content of the sub-processing agreement should not be sent to the Data Controller.
In its agreement with the sub-processor, the Data Processor must include the Data Controller as a beneficiary third party in case of the Data Processor’s bankruptcy, so that the Data Controller can adopt the Data Processor’s rights and rely on them to sub-processors which e.g. enables the Data Controller to instruct the sub-processor in erasing or returning the personal data.
If the sub-processor fails to fulfil its data protection obligations, the Data Processor remains fully liable to the Data Controller for the compliance of the sub-processor’s obligations. This will not affect the rights of data subjects which follow from the General Data Protection Regulation, in particular articles 79 and 82 of the Regulation, vis-à-vis the Data Controller and the Data Processor, including the sub-processor.

7. TRANSFER OF INFORMATION TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Any transfer of personal data to third parties or international organisations may only be made by the Data Processor on the basis of documented instructions to that effect from the Data Controller, and must always be made in compliance with chapter V of the General Data Protection Regulation.

If a transfer of personal data to third countries or international organisations that the Data Processor has not been instructed to make by the Data Controller is required according to Union law or the national law of EU/EEA member states to which the Data Processor is subject, the Data Processor must inform the Data Controller of this legal requirement before processing, unless the said legislation prohibits such notification on important grounds of public interest.

Without documented instructions from the Data Controller, the Data Processor thus cannot, within the framework of this DPA:

  1. transfer personal data to a Data Controller or a Data Processor in a third country or an international organisation
  2. entrust a sub-processor in a third country with processing personal data
  3. process the personal data in a third country

The Data Controller’s instructions concerning transfer of personal data to a third country, including any transfer basis in chapter V of the General Data Protection Regulation, on which the transfer is based, must be specified in appendix C.6.

This DPA should not be confused with the standard contractual clauses mentioned in article 46(2) point (c) and (d) of the General Data Protection Regulation, and this DPA cannot form a basis for transfer of personal data as mentioned in chapter V of the General Data Protection Regulation.

8. ASSISTANCE TO THE DATA CONTROLLER

Taking into consideration the nature of the processing, the Data Processor will assist the Data Controller to the extent possible by means of appropriate technical and organisational measures to fulfil the Data Controller’s obligations to reply to requests for exercise of the rights of the data subjects as stipulated in chapter III of the General Data Protection Regulation.

This entails that, to the extent possible, the Data Processor must assist the Data Controller in the Data Controller’s compliance with:

  1. the right to be informed when collecting personal data from the data subject
  2. the right to be informed when personal data have not been obtained from the data subject
  3. the right of access by the data subject
  4. the right to rectification
  5. the right to erasure (“the right to be forgotten”)
  6. the right to restriction of processing
  7. the notification obligation regarding rectification or erasure of personal data or restriction of processing
  8. the right to data portability
  9. the right to object
  10. the right not to be subject to a decision which is solely based on automatic processing, including profiling

In addition to the Data Processor’s obligation to assist the Data Controller under Provision 6.3, the Data Processor shall, taking into account the nature of the processing and the information that is available to the Data Processor, also assist the Data Controller with:
  1. the Data Controller’s obligation, without undue delay and where possible no later than 72 hours after having become aware of it, to report personal data breaches to the competent supervisory authority, the Danish Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  2. the Data Controller’s obligation, without undue delay, to notify the data subject of the personal data breach when the breach is likely to entail a high risk to the rights and freedoms of natural persons
  3. the Data Controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment)
  4. the Data Controller’s obligation to consult the Danish Data Protection Agency, before processing, if a data protection impact assessment shows that the processing will lead to a high risk in the absence of measures implemented by the Data Controller to limit the risk.

In appendix C, the parties must set out the technical and organisational measures with which the Data Processor must assist the Data Controller, and to what extent. This applies to the obligations that follow from provisions 9.1 and 9.2.

9. COMMUNICATION OF A PERSONAL DATA BREACH

In case of any personal data breach, the Data Processor shall, without undue delay after having become aware of it, notify the Data Controller of the personal data breach.

The Data Processor’s notification to the Data Controller must, where possible, be made no later than 24 hours after having become aware of the breach, so that the Data Controller can comply with its obligation to report the personal data breach to the Danish Data Protection Agency within 72 hours, see article 33 of the General Data Protection Regulation.

In compliance with Provision 9.2.a, the Data Processor must assist the Data Controller with reporting the breach to the competent supervisory authority. This means that the Data Processor must assist in providing the information below, which according to article 33(3) of the General Data Protection Regulation must be specified in the Data Controller’s reporting of the breach to the competent supervisory authority:

  1. the nature of the personal data breach, including, where possible, the categories and the approximate number of affected data subjects, and the categories and the approximate number of affected personal data records
  2. the likely consequences of the personal data breach
  3. the measures taken or proposed to be taken by the Data Controller to handle the personal data breach, including, where relevant, measures to mitigate potential adverse effects.

In appendix C, the parties must state the information which the Data Processor must obtain in connection with its assistance to the Data Controller with the obligation to report personal data breaches to the competent supervisory authority.

10. ERASURE AND RETURN OF INFORMATION

On expiry or termination of the services concerning processing of personal data, the Data Processor is obliged to erase all personal data which has been processed on behalf of the Data Controller and to confirm to the Data Controller that the information has been erased, unless Union law or the national law of the EU/EEA member states requires storage of the personal data.

The Data Processor undertakes to only process the personal data for the purpose(s), in the period and under the conditions that these rules prescribe.

11. REVIEW, INCLUDING INSPECTION

The Data Processor shall make available all information required to prove compliance with article 28 of the General Data Protection Regulation and this DPA to the Data Controller and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor authorised by the Data Controller.

The procedures for the Data Controller’s audits, including inspections, of the Data Processor and sub-processors are specified in Appendix C.7 and C.8.
The Data Processor is obliged to give supervisory authorities which according to applicable law have access to the facilities of the Data Controller or the Data Processor, or representatives who act on behalf of the supervisory authority, access to the physical facilities of the Data Processor against appropriate identification.

12. THE PARTIES’ AGREEMENTS ON OTHER MATTERS

The parties may agree on other provisions concerning the service and the processing of personal data, e.g. about liability in damages, as long as these other provisions are not directly or indirectly contrary to this DPA and do not impede the basic rights and freedoms of the data subject that follow from the General Data Protection Regulation.

13. COMMENCEMENT AND EXPIRY

This DPA enters into force on the date of both parties’ acceptance.

Either party may require that the DPA be re-negotiated if amendments to the law or inappropriateness of the DPA give rise to it.

The DPA is valid for as long as the service concerning processing of personal data lasts. In this period, the DPA cannot be terminated unless other provisions regulating the delivery of the service concerning processing of personal data are agreed between the parties.

If the delivery of the services concerning processing of personal data ceases, and the personal data has been erased or returned to the Data Controller in compliance with provision 11.1 and Appendix C.4, this DPA can be terminated by written notice by either party.

Appendix A. Information about the processing

A.1. The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller

  Category of persons | Purpose
  Customer Admin | Administer employee access to the productivity toolbox and underlying platforms
  Productivity toolbox end users (employees and other customer personnel) | Provide Single Sign-On access and personalisation in the productivity toolbox; allow end user usage of the productivity toolbox, incl. processing of AI prompts

A.2. The Data Processor’s processing of personal data on behalf of the Data Controller primarily concerns the services (nature of the processing) described in Appendix D or the Order form.

A.3. The processing includes the following types of personal data about the data subjects:

  • General personal data (such as name, email, IP address and data generated through usage of the Productivity Toolbox, incl. processing of AI prompts).
  • Confidential personal data: N/A.
  • Sensitive and special personal data: N/A.

A.4. The processing includes the following categories of data subjects

  Category of persons | Description
  Customer Admin | Employees and other customer personnel with admin access
  Productivity toolbox end users (employees and other customer personnel) | Employees and other persons who are users of the solution provided by the Data Processor.

A.5. The Data Processor’s processing of personal data on behalf of the Data Controller can be commenced once this DPA has entered into force. The processing has the duration specified in Appendix D or the Order form.

Appendix B. Sub-processors

B.1. Approved sub-processors

  Subcontractor | Address | Description
  Zendesk, Inc. | 989 Market St, San Francisco, CA 94103, USA | Zendesk is a customer service software company that provides a complete service solution, integrating AI to enhance customer support and engagement.
  Zuro AI Inc. | 548 Market St, PMB 22561, San Francisco, CA 94104-5401, USA. Uses Amazon Data Services Sweden, Malmskillnadsgatan 36, 111 57 Stockholm (IP: 13.61.11.151) | Zuro AI, operating under the brand Auralis, specialises in AI-driven solutions, focusing on data processing and privacy compliance services. The AI component is developed on the open-source model Llama and categorises Sprint365 content into references based on a user prompt.
  eloomi Inc. | 300 S Orange Ave, Orlando, FL 32801-3372, USA | eloomi offers a learning management system (LMS) and people development platform, utilising AI to enhance eLearning and employee training experiences.
  Dun & Bradstreet | |
  Gluu ApS | Rentemestervej 2A, 2400 Copenhagen NV, Denmark | Gluu provides a business process management platform designed to help organisations map, execute, and improve their processes efficiently.
  Microsoft Data Center-South County Business Park | One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland | Hosting (Data Controller’s own data; Data Processor’s internal data)

On commencement of the DPA, the Data Controller has approved the use of the above sub-processors for the described processing activity. The Data Processor may not – without the Data Controller’s written approval – make use of a sub-processor for another processing activity than the one described or agreed or use another sub-processor for this processing activity.

Appendix C. Instructions concerning the processing of personal data

C.1. The subject of the processing/instructions

The Data Processor’s processing of personal data on behalf of the Data Controller consists of the processing by the Data Processor described in the Order form.

C.2. Security of processing

The following security measures have been taken:

When dealing with confidential, sensitive or personal data, a “high” security level must always be established.

Technical security measures (external):

  • SSL-encrypted connection between client and server.
  • Two-factor validation for external login.
  • Passwords are stored encrypted.
  • Password is changed regularly.
  • Ongoing backup and logging.
  • Sub-processors are in the EU or the US (all with legal basis for processing)
  • The operating environment is separate from development and testing environments.

Technical security measures (internal):

  • Updated Antivirus on all devices that can access personal data.
  • Updated Firewall on devices that can access personal data as well as on servers / operating centers that may hold personal data.
  • Password is changed regularly.
  • Continuous updating of operating systems and applications.
  • Ongoing backup and logging.
  • Encryption is used to transfer confidential, sensitive or special personal data.

Organizational security measures:

  • All employees are instructed in the protection of personal data and have signed an employee instruction.
  • The employee instruction is updated and reviewed at least once a year.
  • Employee instructions are always reviewed with new employees in connection with the employment.
  • All employees are under a duty of confidentiality.
  • The overall responsibility for compliance with the security requirements lies with the Data Processor’s management, which is typically represented by the IT manager.
  • Personal data is only available to employees who are authorised and have a reason to access this data, and must always be treated confidentially.
  • If there is a large amount of sensitive personal data, then data should be separated where possible so that access is kept to an absolute minimum.
  • Background checks are performed on new employees in key positions processing Personal Data for the Data Controller.

Physical precautions:

  • Offices and buildings are locked when there is no one on site.
  • Operation can continue in the event of power loss and loss of communication links (e.g. with redundant power and/or communication links).
  • Files with sensitive personal data are always kept locked, and alarms and surveillance equipment are installed.
  • Backups are kept locked (both internal and external). Backups are restored periodically to ensure that the data is valid.
  • All physical media (paper, USB drive, etc.) will be destroyed if they have been used to store personal data.

Operational security:

  • Development, Testing and Production environments are separated.
  • Development and testing are done by different people.
  • Capacity is continuously adapted and monitored to maintain operations.
  • Ongoing password change on both internal and external systems.
  • Logging of rejected logon attempts with automatic alarm.

C.3. Assistance to the Data Controller

To the extent possible, the Data Processor must assist the Data Controller in compliance with the DPA 9.1 and 9.2 by implementing the technical and organisational measures specified in Appendix C.2.

C.4. Storage period/deletion routines

Personal data is kept with the Data Processor until the Data Controller requests to have the data erased or returned, unless otherwise agreed in Appendix D/the Order form or in special terms.

On expiry of the service concerning processing of personal data, the Data Processor must either erase or surrender the personal data in compliance with provision 11.1, unless the Data Controller has changed its initial choice after having signed this DPA. Such changes must be documented and stored in writing, including electronically, together with the DPA.

C.5. Place of processing

Processing of the personal data covered by the DPA may not take place in places other than the premises of the Data Processor or its sub-processors without the Data Controller’s prior written approval.

C.6. Instructions concerning transfer of personal data to third countries

The Data Processor does not transfer personal data to third countries unless to the generally approved sub-processors listed in Appendix B.

C.7. Procedures for the Data Controller’s audits, including inspections, of the processing of personal data which has been left to the Data Processor

The Data Processor must once a year, at its own expense, obtain a report from an independent third party concerning the Data Processor’s compliance with the General Data Protection Regulation, data protection provisions in other Union law or the national laws of the EU/EEA member states, and this DPA.

The report is made visible/submitted without undue delay to the Data Controller for its information. The Data Controller may dispute the framework of and/or the method in the report, and can in such cases request a new report in another framework and/or with the use of another method.

Based on the results of the report, the Data Controller is entitled to request the implementation of further measures for the purpose of ensuring compliance with the General Data Protection Regulation, data protection provisions in other Union law or the national law of the EU/EEA member states, and this DPA.

The Data Controller or a representative of the Data Controller also has the right to carry out inspections, including physical inspections, of the premises from which the Data Processor processes personal data, including physical premises and systems that are used for or in connection with the processing. Such inspections can be carried out when the Data Controller finds it necessary. Physical inspection requires prior agreement with the Data Processor and prior notice of three weeks so that the Data Processor is able to allocate the necessary resources.

Any costs of the Data Controller in connection with a physical inspection are paid by the Data Controller. However, the Data Processor is obliged to allocate the resources (mainly time) required in order that the Data Controller may carry out its inspection.

C.8. Procedures for reviews, including inspections, of the processing of personal data which has been left to sub-processors

The Data Processor’s reviews, including inspections, of the processing of personal data left to the sub-processor are made in the same way as the Data Controller’s reviews of the Data Processor, see clause C.7.

Appendix D. The parties’ regulation of other matters, including instructions concerning the processing of personal data

See the concluded Order Form /contract entered into between the parties to which this DPA is attached.

Appendix E. Special terms

Clause 7.6 is replaced by the following text:

In its agreement with the sub-processor, where possible, the Data Processor must include the Data Controller as a beneficiary third party in case of the Data Processor’s bankruptcy, so that the Data Controller can adopt the Data Processor’s rights and rely on them to sub-processors which e.g. enables the Data Controller to instruct the sub-processor in erasing or returning the personal data.

Appendix F. FAQ

Enhanced Data Processing Agreement (DPA) with AI-Specific Client Clarifications

What is the AI part of the services here; what does the AI model do?

The AI categorises Sprint365 content based on the user’s prompt into specific references displayed as options within the chat window.

Which Model does the AI chat bot use?

The model is an open-source Llama AI model, fine-tuned for Microsoft Dynamics 365 (MSD365).

Will the AI model have access to any customer data?

No, the AI does not inherently have access to customer data. Access is only granted if the customer explicitly shares its own content or data.

Can we explicitly confirm from the vendor that their AI models are not trained on any customer data of any kind?

Yes. The AI model is used in a Retrieval-Augmented Generation (RAG) pipeline to generate more relevant content and to phrase the answers in a user-friendly way, adding words and sentences that are generated by the model, but it does not rest upon customer data unless explicitly provided by the customer.

How do you use the customer prompts for learning and model improvement?

Prompts entered by the end user are purged every 30 days. Prompts are not used for learning or model improvement.