Data Processor Addendum

Terms governing our processing of personal data on your behalf.

Effective Date: 1 January 2024

Last Updated: 15 December 2024

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement between Cention AB ("Processor") and the Customer ("Controller") and governs the processing of personal data.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Data Subject" means an individual whose Personal Data is processed.
  • "Subprocessor" means a third party engaged by Processor to process Personal Data.

3. Scope of Processing

Processor will process Personal Data only:

  • On documented instructions from Controller
  • To provide the Services under the Agreement
  • In compliance with applicable data protection laws

4. Processor Obligations

Processor shall:

  • Process Personal Data only as instructed by Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist Controller with data subject rights requests
  • Delete or return Personal Data upon termination
  • Make available information to demonstrate compliance

5. Security Measures

Processor implements security measures including:

  • Encryption of Personal Data at rest and in transit
  • Access controls and authentication
  • Regular security testing
  • Incident response procedures
  • Business continuity measures

6. Subprocessors

Controller authorises Processor to engage Subprocessors. Processor will:

  • Maintain a list of current Subprocessors
  • Notify Controller of new Subprocessors
  • Ensure Subprocessors are bound by equivalent data protection obligations

7. Data Subject Rights

Processor will assist Controller in responding to data subject requests including access, rectification, erasure, and portability requests.

8. Data Breach Notification

Processor will notify Controller without undue delay upon becoming aware of a Personal Data breach, providing information necessary for Controller to meet notification obligations.

9. International Transfers

Personal Data may be transferred internationally using:

  • Standard Contractual Clauses
  • Adequacy decisions
  • Other lawful transfer mechanisms

10. Audit Rights

Controller may audit Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations.

11. Term

This DPA remains in effect for the duration of the Agreement. Data processing obligations survive termination until all Personal Data is deleted or returned.

Back to Trust Center