Data Processing Agreement

Last updated: April 25, 2024

This is a Data Processing Agreement (“DPA”) regarding the processing of personal data in connection with the subscription services under the Terms of Service (also referred to as the Agreement in this DPA). The DPA is an integral part of the Agreement and takes precedence over the Agreement in case of any conflict or inconsistency.

Updates to this agreement

We update this agreement periodically. We will use in-app messages and email to notify you of term updates.

 

1. Definitions

 

“Agreement” means the Terms of Service.

“Processing”, “Personal data controller”, “Personal data”, “Personal data processor”, “Personal data incident”, and “Registered” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with reference to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) (the “Data Protection Regulation”);

“Applicable Law” means applicable laws and regulations as well as rules in the EU and in relevant Member States that apply;

“Non EU/EEA country” means a state that is neither a member of the European Union (EU) nor affiliated to the European Economic Area (EEA).

2. The processing of Personal Data

  1. Nebulr may process Personal Data, for which Customer as the Personal Data Controller is responsible, in its capacity as Personal Data Processor to Customer.

     

  2. Nebulr undertakes to Process personal data on behalf of the Customer in accordance with the provisions of this Personal Data Processing Agreement and in accordance with applicable data protection legislation.

     

  3. The purpose of the processing of personal data is to fulfill the obligations on the parties under the Personal Data Processing Agreement and the Agreement; to manage customer relationships and to provide and administer services and products. The purpose of the processing is also to fulfill the obligations on the parties by law.

     

  4. The storage of Personal Data will not take place for a longer period than is necessary for the purposes for which the personal data is processed.

     

  5. Nebulr’s handling and instructions are defined in Annex 1 – (“Instructions for Nebulr’s processing of personal data on behalf of the Customer”).

3. General Obligations for Personal Data Processing

To the extent that Nebulr processes Personal Data on behalf of the Customer, Nebulr shall only Process Personal Data in accordance with this Personal Data Processing Agreement, the Agreement and the additional documented instructions that Customer provides, and not for any purposes of its own.

Applicable Personal Data Law

  1. Nebulr may process Personal Data to the extent necessary for Nebulr to be able to fulfill its obligations in accordance with Applicable Law. However, it is up to Nebulr to inform the Customer of the legal obligation before starting to process and to obtain the Customer’s approval for the processing.

     

  2. This does not apply if Nebulr is prevented by Applicable Law from providing such information. Furthermore, Nebulr has the right to terminate the Agreement if the Customer opposes such processing that applies to Nebulr in accordance with Applicable Law.

     

  3. Applicable Personal Data Legislation shall apply to the Processing of Personal Data covered by this Data Processing Agreement.

     

  4. Nebulr shall immediately inform Customer if Nebulr is unable to fulfill its obligations under this Personal Data Processing Agreement or if Nebulr considers that an instruction provided by Customer regarding the Processing of Personal Data would be contrary to Applicable Personal Data Law, unless Nebulr is prevented from providing such information to Customer in accordance with Applicable Law.

     

  5. Nebulr shall, at the Customer’s request, provide documentation and all other information to show that Nebulr fulfills its obligations under this Personal Data Processing Agreement and Applicable Personal Data Legislation.

     

  6. Nebulr shall without delay inform the Customer of any contact with the Data Protection Authority, other authorized authority or other third party that concerns or may be of significance for Nebulr’s processing of personal data in accordance with this Personal Data Processing Agreement. Nebulr may not in any way act on behalf of the Customer or as an agent for the Customer.

     

  7. Nebulr shall immediately notify the Customer in writing upon a request from the supervisory authority for access to the Personal Data that Nebulr Processes on behalf of the Customer, and Nebulr may not grant the supervisory authority’s request for access to Nebulr premises for the purpose of controlling the Customer’s Processing of Personal Data without the Customer’s prior written approval.

     

  8. Nebulr is not entitled to any special compensation for the fulfillment of its obligations under this Personal Data Processing Agreement, unless the Parties have specifically agreed otherwise.

     

4. Security Measures

Obligations to take technical and organizational measures to protect Personal Data

1. Nebulr shall take appropriate technical and organizational measures to protect the Personal Data Processed against Personal Data Incidents. The measures shall at least equal the level of security that follows from Applicable Personal Data Legislation, the relevant regulations and guidelines from the relevant supervisory authorities regarding security for Personal Data, and what is otherwise appropriate in relation to the risk with the Processing, including but not limited to:

– Pseudonymisation, where appropriate, of Personal Data;
– Measures to prevent the transfer of Personal Data to unauthorized recipients, including measures to ensure the secure transfer of Personal Data;
– The ability to continuously ensure the confidentiality, integrity, availability and resilience of the processing system and processing services;
– The ability to restore the availability and access to Personal Data in a reasonable time in the event of a physical or technical incident, e.g. through regular backup of the Personal Data;
– A procedure for regularly testing, examining and evaluating the effectiveness of the technical and organizational measures to ensure the safety of the processing.

Nebulr shall further assist the Customer at the Customer’s request with the necessary information so that the Customer, where applicable, can fulfill its obligations to carry out an impact assessment and consultation with the relevant supervisory authorities regarding the Processing of Personal Data covered by this Personal Data Processing Agreement.

2. Authorization control and confidentiality of Personal Data
– Nebulr shall ensure that access to the Personal Data is limited to the personnel at Nebulr who need access to the Personal Data in order for Nebulr to be able to fulfill its obligations to the Customer in accordance with this Personal Data Processing Agreement and the Agreement.
– Nebulr shall further ensure that all personnel who are authorized to access and Process the Personal Data observe confidentiality in the handling of the Personal Data covered by this Personal Data Processing Agreement.
– Nebulr shall also ensure that access to Personal Data that Nebulr handles in accordance with this Personal Data Processing Agreement is logged and that this log is saved to enable the investigation of Personal Data Incidents.

Personal data incident

1. In the event of a Personal Data Incident, Nebulr shall notify the Customer in writing without undue delay, but no later than within 24 hours of the Personal Data Incident becoming known to Nebulr.

2. Nebulr shall, immediately after a Personal Data incident has come to Nebulr’s notice:
– initiate an investigation of the Personal Data Incident to establish the extent and nature of the Personal Data Incident and its probable consequences;
– take appropriate counteractive action to prevent or limit the potential negative effects of the Personal Data Incident; and
– consult with the Customer to determine whether the Customer would be obliged, if applicable, in accordance with Applicable Personal Data Legislation to report the Personal Data Incident to the relevant supervisory authority and/or inform the data subjects concerned about the Personal Data Incident.

3. As soon as possible after the start of the investigation, Nebulr shall provide the following information to the Customer regarding the Personal Data Incident:
– a description of the nature of the Personal Data Incident, the categories and number of Registered data subjects affected, as well as the categories and number of personal data items affected;
– the probable consequences of the Personal Data Incident; and
– a description of the measures, if any, that Nebulr has already taken or intends to take to counteract the Personal Data Incident and/or to limit the possible negative effects of the Personal Data Incident.

If and to the extent that it is not possible for Nebulr to provide the information at the same time, the information may be provided in installments without unnecessary further delay. Nebulr shall assist the Customer to the necessary extent to investigate the Personal Data Incident and for the Customer to be able to fulfill the notification and information obligation to the relevant supervisory authorities and relevant Registered data subjects in accordance with Applicable Personal Data Legislation.

Right to review and inspections

1. Nebulr shall allow and contribute to audits, including inspections, conducted by the Customer or by a third party appointed by the Customer to verify that Nebulr is fulfilling its obligations under this Personal Data Processing Agreement. Customer shall give Nebulr reasonable notice in the event that Customer wishes to exercise its right to conduct a review or inspection. Each Party shall bear its own costs in connection with such review or inspection. However, if the Customer has appointed a third party to carry out the review or inspection on behalf of the Customer, the Customer shall bear the cost for the third party, unless the Parties agree otherwise in writing.

2. If an audit shows that Nebulr has breached its obligations under this Personal Data Processing Agreement or applicable data protection legislation, Nebulr shall without undue delay correct such deficiency.

Documentation

Nebulr shall document in writing the measures taken by Nebulr to fulfill its obligations under section 4 of this Personal Data Processing Agreement, e.g. in a security policy. Upon request, the Customer shall have the right to receive a copy of the documentation.

5. Confidentiality

Nebulr shall keep all Personal Data Processed on Customer’s behalf strictly confidential. 

Nebulr ensures that any personnel whom it authorizes to Process Personal Data on its behalf are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

 

6. Limitations of Liability

The liability of each party will be subject to the limits outlined in the “Limitation of Liability” section of the Agreement, which applies to all affiliates of each party. If Nebulr is not a party to the Agreement, the “Limitation of Liability” section will still apply. However, neither party’s liability will be limited regarding any individual’s data protection rights under this DPA or otherwise.

 

7. Data Subject Requests

  1. Nebulr shall assist the Customer by taking the technical and organizational measures necessary for the Customer to be able to fulfill its obligation to respond to a request for the exercise of a Registered data subject’s rights in accordance with Applicable Personal Data Law.

     

  2. If a Data Subject Request or other communication regarding Processing of Personal Data under this agreement reaches Nebulr, Nebulr shall without undue delay refer such request to the Customer.

8. Transfer to and Processing of Personal Data in Non EU/EEA Countries

  1. In the event that Personal Data, with the Customer’s written consent in advance, will be transferred to or Processed in a Non EU/EEA country, the Parties shall before that:

    – examine whether the Non EU/EEA country ensures an adequate level of protection for Personal Data in accordance with a decision issued by the European Commission and, if so, Personal Data may be transferred to that Non EU/EEA country; and, if no such decision exists,

    – ensure that there are appropriate protection measures in place in accordance with Applicable Personal Data Legislation, e.g. standard data protection clauses adopted by the European Commission, which cover the transfer and processing of personal data; or, in the absence of such safeguards,

    – examine whether it is possible to rely on an exemption under Applicable Personal Data Law for the transfer of Personal Data and, if so, the Personal Data may be transferred to Non EU/EEA countries only to the extent that (i) the relevant exemption covers the transfer and Processing of Personal Data; and (ii) the Customer believes that it is possible to rely on the relevant exemption.

     

  2. For the avoidance of doubt, Personal Data may not be transferred to or Processed in a Non EU/EEA country if none of the conditions in 8.1 exist.

 

9. Measures when the processing of Personal Data is completed

  1. When this Personal Data Processing Agreement terminates, Nebulr shall, depending on the Customer’s instructions, delete or return all personal data processed in accordance with the Personal Data Processing Agreement within thirty (30) days after the termination of the Agreement, unless storage of personal data is required by Swedish or European law.

     

  2. At the request of the Customer, Nebulr shall confirm in writing what measures have been taken regarding the personal data after the end of the processing.

 

10. Transfer

Neither Party shall have the right to transfer or assign, in whole or in part, its rights or obligations under this Agreement without the written consent of the other Party.

 

Annex 1 – Instructions for Nebulr’s processing of personal data on behalf of the Customer

 

Purpose

The purposes for which personal data are to be processed by the Personal Data Processor

The purpose of Northwhistle is to enable individuals and employees to blow the whistle completely anonymously and for a number of appointed employees to be able to follow up on these reports and communicate with the whistleblower in an anonymous and secure manner. We do not store more information than necessary to satisfy this function.

Personal Data Categories

 

The categories of personal data to be processed by the Personal Data Processor

As categories of personal data depend on what the customer states in the case, the following is not an exhaustive list of personal data that may be processed: Full name, social security number, organization number, telephone number, gender, e-mail address, account and payment information.

Categories of registered data subjects

 

The personal data processor will process personal data about data subjects, which consists of the following:

Customers’ Customers and Employees

Processing activities

 

The processing activities that will be performed by the Personal Data Processor

 

Nebulr will store and handle all the information needed to report and handle a case.

Physical Location

 

Personal data will be processed by the Personal Data Processor in the following channels and in the following locations

 

The processing of personal data may only take place in such a way that the physical location of the storage and processing of data is carried out in an EEA country.

Preservation of data

1 month after the end of the Agreement

 

Sub-processors

 

To help us deliver our Service we use sub-processors. This list details the sub-processors and their purpose.

Security and safety routines

 

Access to information

No employees have access to accounts or any sensitive data.

System administrators who are responsible for the operation and maintenance of server infrastructure have, if necessary, temporary access to databases and thus also access to information.

Technical protection

The server infrastructure is located in a Virtual Private Cloud (VPC).

The only open entry points are port 80 (HTTP) and 443 (HTTPS).

Port 80 is automatically redirected to 443. All communication between browser and server is encrypted.

All information saved is encrypted both in transmission and when stored.

Servers can only be logged in to using key-pair authentication, and only from a selected geographical location.

Access to databases is provided only when needed. This is done by opening up temporary access for a specific IP address.

Safety routines

The system’s security is automatically tested with commercially available penetration testing and security testing tools, which perform a penetration test for the most common security attacks and the OWASP Top 10. This is performed every six months. We also perform a security audit with AWS Trusted Advisor twice a year.

Infrastructure security is monitored by the CTO. The CTO is responsible for allocating access and rights for the infrastructure. Security settings and other infrastructure settings are handled by the system administrators and the CTO.

Access to system logs is provided temporarily when needed.

Nebulr’s organization restricts access to systems and information to each area of responsibility:

  • System administrators have access to servers and logs.
  • Database access is turned off and opened temporarily when needed.

 

User access is reviewed twice a year.

Safety routines are reviewed annually.

A review of safety routines takes place for new employees and once a year for existing employees.

Nebulr must observe the above instructions when processing personal data. Nebulr must also comply with the Data Protection Authority’s general advice on security for personal data.

Nebulr employees, consultants and other assistants must receive information from Nebulr about the rules and instructions that apply to the processing of personal data.

Employees, consultants and other assistants at Nebulr shall only have access to personal data that they need to perform their duties for the fulfillment of the Agreement.

Nebulr must have an access control system that prevents unauthorized use of or access to Personal Data.

The premises used by Nebulr must be protected by adequate alarm equipment for fire, water damage, intrusion, etc. Furthermore, there should be routines and equipment in the form of alarms, barriers, locks, etc. which regulate access to the premises.

It must be possible to log and track personal data processing.

Nebulr must have up-to-date antivirus software. Updates must be installed immediately and the antivirus software must be present on all workstations, desktops, laptops and servers.

 


A Nebulr® company

Copyright 2023