
Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the Customer ("Controller")

and

QRatify AB, 559334-9813, Götgatan 15, Box 11264, 404 26 Göteborg, Sweden ("Processor")

Each of Controller and Processor is referred to as a "Party" and jointly as the "Parties".

1. Background and purpose

QRatify and the Customer have entered into an agreement which includes the service ("Service") defined in the main agreement (the "Agreement"). The Agreement consists of the Terms of service ("Terms"), this DPA and any other written agreements between the Parties. Under the Agreement and in accordance with this DPA, QRatify will from time to time and on behalf of the Customer process personal data for which the Customer is the Controller ("Personal Data").

The purpose of this DPA is to regulate QRatify's processing of Personal Data in the context of the Service, taking into account the requirements of the EU Data Protection Regulation EU 2016/679 ("GDPR"). This DPA is an integral part of the Agreement. If the provisions regarding the processing of Personal Data in this DPA and the Agreement conflict, the provisions in this DPA shall take precedence.

For processing of Personal Data where the Customer is a processor for its clients, QRatify is a sub-processor to the Customer. For the avoidance of doubt, the obligations of the Processor still apply to QRatify in relation to the Customer. When the Customer acts as a processor and QRatify as a sub-processor, the Customer undertakes to provide QRatify with the documented instructions (Appendix B) on behalf of the Customer's own clients.

2. Definitions

Terms without a capitalized first letter, i.e. "processing", "data subject" and "personal data breach", have the same meaning as in the GDPR. Definitions in the singular have the same meaning when used in the plural.

"Applicable Data Protection Legislation" means, unless otherwise agreed in writing between the Parties; (i) the GDPR and national data protection laws implementing or supplementing the GDPR (including, when applicable, opinions, binding guidance, and decisions published by supervisory authorities, court or other competent authority) applicable to the processing of Personal Data under this DPA in Sweden.

"Security Measures" means the appropriate technical and organizational measures necessary to comply with Applicable Data Protection Legislation, listed in Appendix A.

"Standard Contractual Clauses" means (i) the EU standard contractual clauses as adopted by the European Commission decision 2021/914 of 4 June 2021; (ii) to the extent applicable, any future European Commission decision amending or replacing this decision; or (iii) during any grace period granted under such applicable decision, the previous version thereof.

"Third Country" means a country outside EU/EEA.

3. Processing and obligations of Parties

QRatify should only process Personal Data in accordance with the documented instructions of the Customer, listed in Appendix B, unless required to do so under applicable European Union ("EU") or Member State law to which QRatify is subject. QRatify shall in such case inform the Controller of such legal obligation unless prohibited by law. QRatify shall immediately inform the Controller if the Controller's documented instructions infringe Applicable Data Protection Legislation.

QRatify may not process Personal Data for its own purposes or other purposes except as set out in this DPA, the Agreement and the Privacy Policy. QRatify is entitled to process Personal Data for the purposes of providing, maintaining, improving and providing support for the Service. The Customer is responsible for ensuring that the processing of Personal Data is carried out in compliance with the Applicable Data Protection Legislation in its capacity as Controller.

This DPA and the Agreement are the Customer’s instructions to QRatify with regard to processing of Personal Data. Any changes must be agreed separately in writing between the Parties, including but not limited to changes relating to Appendix B. If QRatify accepts the adjusted instructions, QRatify is entitled to reasonable compensation for adapting to such instructions.

QRatify should ensure that its personnel engaged in processing of Personal Data are subject to an obligation of confidentiality with regards to the Personal Data and have received appropriate training on their responsibilities.

QRatify should, taking into account the nature of processing and the information available to QRatify, at Customer’s cost, assist the Controller to fulfil its obligations pursuant to Articles 32 to 36 in the GDPR.

If a data subject, supervisory authority or other third party contacts QRatify regarding Personal Data, QRatify must immediately refer the request to the Customer, unless prevented by law.

4. Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Customer and QRatify shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk pursuant to Article 32 of the GDPR. QRatify will implement the security measures as seen in Appendix A.

5. Data Subjects rights

QRatify should, if possible and with regard to the nature of the processing, assist the Customer through appropriate technical and organizational measures in fulfilling its obligation to respond to requests for exercising data subjects' rights according to the GDPR.

6. Data protection impact assessment and prior consultation

Taking into account the nature of the processing and the information available, QRatify should assist the Customer with data protection impact assessments and with prior consultation with the supervisory authority according to Articles 35 and 36 GDPR, if the Customer requests it.

7. Audits

QRatify will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (however not a direct competitor of QRatify). QRatify must be informed about an inspection at least two (2) weeks in advance of the intended date of inspection, with a specification of the scope and purpose of the inspection. The audit shall be performed during QRatify's normal working hours without disturbance to normal operations. QRatify is entitled to reasonable compensation for the costs associated with an audit or inspection.

8. Personal Data Breach

If QRatify becomes aware of a personal data breach, QRatify must inform the Customer without undue delay and in accordance with Applicable Data Protection Legislation.

9. Sub-processors

QRatify is given a general authorization to engage other processors ("Sub-processors") for the processing of Personal Data on behalf of the Customer. When QRatify engages a Sub-processor under this provision, QRatify will ensure that the contract entered into between QRatify and any Sub-processor shall impose, as a minimum, data protection obligations not less stringent than those set out in this DPA. QRatify will in writing notify the Customer of any intended changes concerning the addition or replacement of Sub-processors, to which the Customer may object. If Customer has made no such objection within fourteen (14) days from the date of receipt of the notification, it will be assumed that the Customer has made no objection.

Should an objection be made, QRatify has the right to remedy an objection from the Customer. If no other option is reasonably available and the objection has not been remedied within thirty (30) days after receiving the objection, Parties may terminate the affected part of the Service or the Agreement.

If a Sub-processor fails to fulfil its data protection obligations, QRatify remains fully liable to the Customer for the performance of the Sub-processor’s obligations.

10. Third Country Transfers

QRatify may transfer Personal Data to third countries outside the EU or European Economic Area ("EEA"). QRatify must ensure a valid transfer mechanism is in place for a transfer of Personal Data to a Third Country. Such transfer mechanism may be Standard Contractual Clauses or other equivalent provisions under Chapter V of the GDPR, as applicable from time to time.

If Standard Contractual Clauses are applied as a legal basis for transfer of Personal Data to a Third Country, QRatify may at its sole discretion determine which version and which modules of the Standard Contractual Clauses are to be used in each case.

Both Parties are responsible for ensuring that any potential supplementary measures in place fulfil the requirements related to adequate safety for the Personal Data being processed under Applicable Data Protection Legislation. Upon the Customer’s reasonable request, QRatify will provide sufficient information to the Customer for its evaluation. Except for the Third Country Transfers listed in Appendix B, the Customer is solely responsible for the legality and the security of any third country transfers the Customer makes in the Service or it instructs QRatify to make to a connected cloud service when using the Service.

11. Compensation

In addition to what is stated in this DPA, QRatify is entitled to reasonable compensation for complying with the Customer's written instructions, unless the requested action is specifically stated in the Agreement. If QRatify is entitled to compensation for work performed under this DPA, QRatify’s current price list will apply unless otherwise stated in the Agreement.

12. Indemnification

Liability towards any person who has suffered damage as a result of an infringement of the GDPR or this DPA should be handled in accordance with Article 82 GDPR.

Each Party should on its own be liable for administrative penalties or fines issued by a supervisory authority or a court due to its processing.

All other damages and liabilities shall be handled in accordance with the Terms, including its limitation on damages.

13. Termination

This DPA is applicable from the signing of the DPA and for the period during which QRatify processes Personal Data on behalf of the Customer. Upon termination of the DPA, QRatify shall stop all processing of Personal Data performed on behalf of the Customer unless required to retain the Personal Data by applicable laws, rules and regulations.

QRatify must delete or return all Personal Data to the Customer as requested at the end of the DPA.

14. Governing law and dispute resolution

The provisions on governing law and dispute resolution in the Terms shall also apply to this DPA.

Appendix A Security Measures

At QRatify we take security seriously and continuously strive to stay up to date with the evolution of industry standards. The following describes a continuously evolving set of measures that we take to keep our platform secure.

Physical Security

The data centers running the Service are Microsoft Datacenters and meet a wide set of industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2. The datacenters are routinely patrolled and monitored by video cameras inside the datacenters.

Read more about Microsoft Azure physical security here: Physical security of Azure datacenters - Microsoft Azure | Microsoft Learn

Encryption

QRatify uses 256-bit AES encryption for data at rest in addition to securing network communication with TLS 1.2 for encrypting data in transit.

User Passwords and Authentication

Given the nature of the architecture of the Service, being a multi-tenant Azure Active Directory Application, no user passwords are stored in the platform since users are authenticating using their own Azure Active Directory account (owned and managed by their organization).

This also means that if the user's organization requires Multi-Factor Authentication, it will also apply to the Service.

Monitoring and Logging

The platform is monitored 24/7 to ensure stability and availability. All requests sent to the platform, as well as all jobs running on the platform, are instrumented and logged thoroughly. This ensures that we can stay on top of possible bugs as well as detect malicious usage patterns and performance issues.

Infrastructure Security

The infrastructure is accessible only to a privileged few, and only in exceptional circumstances. In such cases, users can gain access only when:

  • Connecting from a compliant workstation
  • Using Multi Factor Authentication
  • Connecting from approved network locations

In addition, anyone who is to be part of the privileged few who can gain access to the infrastructure must have signed a confidentiality agreement.

Development Process

During the development of new features and bug fixes, all changes go through:

  • Code reviews by peer
  • Build verification tests
  • Unit tests
  • Style compliance checks
  • User acceptance tests

As part of the development process, we regularly check for known vulnerabilities and address them without delay.

Disaster Recovery

Data backups are taken automatically at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored encrypted and separately in our storage service.

QRatify has put great effort into describing the complete infrastructure as code and can therefore, in combination with the data backups, restore from a complete disaster without loss of customer data or significant downtime. QRatify performs tests of the recovery process on a recurring basis to ensure that availability can be restored as quickly as possible should a disaster occur.

Audits

QRatify goes through recurring audits to ensure the adequacy of its security, privacy and availability measures. Findings are prioritized and tracked to resolution by the operational team at QRatify.

Appendix B Instructions on processing of personal data

The scope of the processing

The nature and purpose of the processing

The purposes of the processing are the delivery of the Service by QRatify to the Customer as stated in the Agreement and this DPA.

QRatify will process Personal Data in order to:

  • Provide the Service to the Customer
  • Provide support to the Customer

Categories of data subjects

  • The Customer's employees
  • The Customer's clients
  • The Customer's suppliers
  • Any other data subject given the right by the Customer to access the Platform

Categories of personal data

  • User profile
    • User name
    • User email
    • UserObjectId (AAD)
    • TenantId (AAD)
  • Log data
    • User name
    • UserObjectId (AAD)
    • TenantId (AAD)
  • Data within the connected Cloud Services to the Platform as described in the Terms

Duration of the processing

  • Log data will be stored for 180 days
  • Data within the connected cloud services is managed by the Customer and follows the Customer's own retention policy
  • All other categories of data are processed as long as the User has access to the Service

Sub-Processors

  • Microsoft, Azure (Hosting), Ireland
  • Microsoft, Azure (Hosting), Netherlands

Third Country Transfers

Company name: Microsoft Ireland Operations Ltd
Geographic location: Ireland, Dublin
Service: Hosting
Transfer mechanism and safety measures (if applicable): SCC and additional safety measures, see link for more information. https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

Company name: Microsoft Datacenter Netherlands B.V
Geographic location: Netherlands, Noord-Holland
Service: Hosting
Transfer mechanism and safety measures (if applicable): SCC and additional safety measures, see link for more information. https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

It is the Customer's responsibility to ensure an adequate transfer mechanism and safety measures for any potential third country transfers performed between the Customer's own connected cloud services when using the Service.