Data Processing Agreement

Last revised: October 2, 2024

DATA PROCESSING AGREEMENT

between

Albacross Nordic AB

and

Customer

regarding processing of personal data through the Albacross Services

‍

This DATA PROCESSING AGREEMENT (the “DPA”) is entered into by and between:

1. Albacross Nordic AB, a limited liability company incorporated under the laws of Sweden with corporate registration number 556942-7338 (“Albacross”); and
2. The entity accepting the Terms of Service (“Customer”).

Each of Albacross and the Customer is referred to as a “Party” and together as the “Parties”.

‍

BACKGROUND

(a) Albacross is a business intelligence company that provides a number of services designed to help companies optimize their marketing and sales processes including but not limited to identifying potential prospects and providing insights based on various topics and industries, as further described by Albacross’ Terms of Service (the “Terms of Service”) and collectively referred to as the “Services.”.

(b) Customer has accepted the Terms of Service with Albacross in order to use the Services in its business operations, which forms the subject matter of the processing of Personal Data under this DPA.

(c) In order for Albacross to provide the Services in accordance with the Terms of Services, Albacross will process personal data on behalf of the Customer for which the Parties acknowledge that Customer is the controller, and Albacross is the processor in accordance with Data Protection Laws (as defined below). In light of the above, Albacross and Customer have agreed on the following terms and conditions set out in this written DPA concerning the processing of Personal Data under this DPA.

1. Definitions

“Applicable Laws” shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.

“Data Protection Laws” shall mean the applicable national laws concerning data protection and, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016⁄679) and their national implementations and related national legislation.

“EEA” shall mean the European Economic Area.

“EU” shall mean the European Union.

“Personal Data” shall mean all information that is directly or indirectly referable to a natural living person such as name, email address, IP-address, location data etc, and which Albacross process on behalf of the Customer under the Terms of Service and this DPA.

“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. General Terms

1. Albacross may under this DPA process Personal Data on behalf of the Customer according to the instructions of the Customer. The Personal Data is and shall remain the property of the Customer, and the Customer takes full responsibility for the Personal Data, including that such data does not infringe any third-party rights or in any other way violate Applicable Laws.
2. This DPA is intended to constitute and shall be interpreted as a written data processing agreement between the Customer and Albacross pursuant to applicable Data Protection Laws.

3. The processing

1. Albacross shall process the Personal Data relating to the categories of data subjects and shall consist of the processing operations as set out in Schedule 1.
2. Albacross shall process the Personal Data for the purpose of providing the Service to the Customer.

4. Term of processing

1. This DPA shall enter into force upon the Customer’s acceptance of the Terms and Service and, subject to the below section 4.2, shall remain effective until the Terms of Service is terminated or expires.
2. Upon the termination or expiry of the Terms of Service, without entering into a new data processor agreement replacing this DPA, the provisions of this DPA, subject to the discretion of the Customer, shall continue to apply as long as and to the extent Personal Data is processed by Albacross pursuant to the instructions of the Customer.

5. Albacross’ obligations

1. Albacross may process Personal Data only for purposes necessary for the due performance of the Terms of Service and only in accordance with the Data Protection Laws applicable to Albacross and in accordance with the written instructions from the Customer as further detailed in Schedule 2 and as otherwise instructed by the Customer in writing from time to time. Albacross may not disclose any Personal Data to a third party without the prior written approval from the Customer or if otherwise required by law.
2. If Albacross does not have sufficient instructions to enable Albacross to deliver the Services or otherwise fulfil its obligations, Albacross shall without delay inform the Customer hereof and specify the need for further instructions and await further written instructions from the Customer prior to continuing the relevant processing of the Personal Data.
3. Albacross shall implement and maintain appropriate and adequate technical and organisational measures as set forth in Schedule 2 to ensure the security for the processed data. The measures shall as a minimum protect the processed data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by Albacross. The measures shall take into account the particular risks associated with the processing of the Personal Data and the sensitivity of the Personal Data which is processed.
4. Albacross undertakes to oblige all persons, including but not limited to its employees, who access the processed Personal Data in the course of the processing operations carried out by Albacross to comply with confidentiality obligations and access restrictions with regards to the processing of Personal Data. Albacross shall ensure that only such employees have access to Personal Data who have received training and/or instruction in the care and handling of Personal Data.
5. Taking into account the nature of the processing, Albacross shall, at Customer’s cost upon Customer’s request in accordance with Customer’s written instructions, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject’s rights under applicable Data Protection Laws.
6. Albacross, taking into account the nature of processing and the information available to the processor, undertakes to assist the Customer, at Customer’s cost upon Customer’s reasonable request substantiating the necessity, in ensuring compliance with applicable Data Protection Laws with regards to the security of processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.

6. Notification

1. Albacross shall immediately inform the Customer if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.
2. Albacross shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.
3. In the event Albacross is required to disclose information, including but not limited to the processed Personal Data or information relating to the processing, according to Applicable Laws or the decisions of public authorities or courts, Albacross shall be obligated to inform the Customer thereof immediately, insofar permitted by Applicable Laws, and request confidentiality in conjunction with the disclosure of requested information.

7. Information and audit

1. Albacross is obliged to, upon Customer’s reasonable request and at Customer’s cost, make available to the Customer all information necessary and strictly limited to the purpose of demonstrating compliance with the obligations of the data processor under applicable Data Protection Laws.
2. Customer may, pursuant to the relevant provision of the Terms of Service but in any case notwithstanding what is set out in the Terms of Service once per calendar year at the cost of the Customer, carry out or mandate a third party auditor, which is not direct competitor to Albacross and acting under confidentiality undertaking, to carry out an audit strictly limited to verifying Albacross’ compliance with the obligations of data processors under applicable Data Protection Laws. The audit shall be carried out during Albacross’ normal working hours without disturbance to the normal operations of Albacross.

8. Subprocessors

1. Customer hereby gives general written authorisation for Albacross to engage subprocessors for carrying out specific processing activities on behalf of the Customer. When engaging subprocessors, Albacross undertakes to ensure that the contract entered into between Albacross and any subprocessor shall impose, as a minimum, the same data protection obligations as set out in this DPA.
2. Albacross shall notify the Customer of any intended changes concerning the addition or replacement of the subprocessors in Schedule 3, to which the Customer may object. If the Customer has made no such objection within ten (10) days from the date of receipt of the notification, the Customer is assumed to have made no objection.
3. Albacross may transfer (including allowing access to) Personal Data to its subprocessors outside the EEA. The parties shall jointly take all reasonably required measures necessary for ensuring that such transfer is in accordance with Applicable Laws, which may include entering into model clauses for data transfer outside of the European Economic Area (EEA).

9. Warranty

1. If and to the extent another legal entity than the Customer is the controller, independently or jointly, for all or part of the Personal Data processed by Albacross on behalf of the Customer under this DPA, the Customer warrants that it has necessary authority and mandate to enter into this DPA on behalf of such legal entity.
2. The Customer warrants that the processing of Personal Data is carried out in accordance with Applicable Laws, including obtaining necessary licences, permits or approvals for the processing and notifying the processing to competent authorities or data protection officials and informing the data subjects of the processing.

10. Limitation of liability

1. Unless caused by the gross negligence or intent of Albacross, Albacross shall in no event be liable to the Customer for any losses or damages, whether direct or indirect (including, without limitation, damages for loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages) arising out of or in connection with this DPA.

11. Indemnification

1. The Customer shall hold Albacross harmless and indemnify for third party claims, damages as well as administrative penalties or fines issued by courts or authorities if and to the extent Albacross is held liable by a competent court, authority or any other dispute resolution body for processing of Personal that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Albacross’ failure to perform its obligations under this DPA.

12. Remuneration

1. Albacross is not entitled to additional remuneration on the basis of the provisions of this DPA and shall, unless otherwise agreed by the Parties, or in accordance with the Terms of Service.

13. measures upon completion of processing

1. When the provisions of this DPA cease to be effective, Albacross shall, upon and in accordance with Controller’s request, delete all Personal Data or delete and return all Personal Data to the Customer, unless Applicable Laws require Albacross to store the Personal Data.

14. Assignment

1. The Customer may only assign the rights or obligations under this DPA to a third-party with the prior written consent of Albacross.
2. Albacross may assign its rights and obligations under this DPA to (i) any company within its group of companies, or (ii) a third party in case of a merger, joint venture or transfer of businesses or substantially all parts of businesses. Any such assignment of rights shall not be considered as Albacross engaging a subprocessor.

15. Entire Agreement

1. This DPA shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof.

Albacross is entitled to amend this DPA from time to time, provided that the level of protection of the Personal Data is not substantially decreased. The Customer’s continued use of the Services after the posting of any amendments will constitute the Customer’s acceptance to be bound by such amendments and the revised version the DPA.

16. Governing Law and Disputes

1. This DPA shall be governed by and construed in accordance with the laws of Sweden, with the exclusion of its conflict of law rules.
2. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The place of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless otherwise agreed.
3. The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.
4. The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way his rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority or similar.

‍

Schedule 1 – Processing of Personal Data

Type of Personal Data

The following types of Personal Data are processed by Albacross on behalf of the Customer under the DPA:

Tracking Data Collected via Script

This section refers to data collected automatically through Albacross’ tracking script installed on the Customer’s website.

(a) IP address (IPv4 or IPv6);
(b) location based on IP address;
(c) URL, including “Query String”;
(d) referrer/origination website for the visitor;
(e) domain from form input fields (e.g. albacross.com); and
(f) cookies (nQ_cookieId and nQ_visitId).

Enriched Contact Data from Sub-Processor

This section refers to personal data provided by a sub-processor, typically after a customer request for additional information on a specific prospect.

(g) contact name;
(h) contact employer;
(i) contact title/position;
(j) contact LinkedIn ID;
(k) contact link to Linkedin profile;
(l) contact email address;
(m) contact business telephone number;
(n) contact twitter profile;
(o) contact country;
(p) contact location;
(q) contact department; and
(r) contact seniority level. 

Categories of data subjects

The processed Personal Data concerns the following categories of data subjects:

(a) visitors to the Customer’s website;
(b) employees of companies identified as leads by the Customer; and
(c) employees of the Customer’s clients, for the purpose of drafting personalised messages on behalf of the Customer.

Processing operations

The following processing operations will be carried out by Albacross under this DPA for the below specified purposes:

Processing operations:

• collection of Personal Data via the Albacross tracking codes;
• extraction of location information based on IP address;
• use of cookie data to enhance the accuracy and reliability of information collected through the tracking code;
• cross checking of Personal Data with the Albacross database with IP-addresses;
• erasure of the Personal Data if there is not a match with a company IP-address;
• use of Personal Data to target advertising for the account based marketing service, through a sub-processor;
• collection of contact details to representatives of companies identified as leads by the Customer;
• drafting of personalised messages from customers employees to representatives of companies identified as leads by customers; and
• sending of Messages to leads identified by the Customer.

Purposes:

• to identify which IP-address collected via the Albacross tracking code belongs to a company, thereby identifying which companies have visited the Customer’s website;
• to display contact details to representatives of companies to Customer;
• to use those contact details, and sender details for drafting and sending of messages to contacts;
• to use those contact details to connect with contacts on social media platforms; and
• to make accurate advertising to specific businesses based on the data.

Processing duration:

• Personal Data types listed in points (a) to (f) above is stored in Albacross’ database for the time required to provide the service;
• Notwithstanding the above, the information contained in (a), (c) (e) and (h), above, may be stored to improve the database. This processing is carried out by Albacross as the controller.

Albacross may not process the Personal Data for any other purposes under this DPA and its schedules.

‍

Schedule 2 – Instructions

1. Instructions for processing of the Processed Data on behalf of the Data Controller

Albacross shall comply with the instructions set forth below with respect to the processing of the Personal Data under this DPA.

2. Handling and processing of the Personal Data

Security

The premises used by Albacross shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. Albacross shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.

Albacross should possess an updated and implemented security policy which states for example the manner in which the Personal Data shall be processed, to whom Albacross’ personnel shall turn in the event of a burglary or other incident, which personnel are authorized as regards which type of information, back-up procedures, contingency plans, etc.

Albacross should create a safe IT-environment, which includes, but is not limited to (i) necessary safety routines for avoiding virus attacks or other threats that could be harmful to the IT-environment; (ii) an encryption system and/or other security measures with the purpose of avoiding tapping or revealing signals; (iii) necessary security routines for IT-equipment; (iv) a control system based on user authorization, which enables identification of user identity (through the usage of passwords or such) and prevents unauthorized use of or access to the processed Personal Data; (v) storage of processing history (log data), which shall be sorted out in accordance with Customer’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be sorted out in accordance with Customer’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained Personal Data that no longer is used.

3. Data subjects’ requests

Albacross shall make it possible to log and trace processing of the Personal Data, including the disclosure and transfer of the Personal Data.

Albacross shall, subject to the provisions of this DPA, forward all requests from the data subjects to the Customer and shall only act upon the prior authorization and pursuant to the instruction of the Customer.

Subject to the above, Albacross shall rectify, block, delete, modify, or erase the processed Personal Data in accordance with Customer’s instructions.

Subject to the provisions of this DPA, Albacross shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.

4. Accounts with third party suppliers

If instructed by the Customer, the provision of the Services may require Albacross to set up accounts with third party suppliers on behalf of the Customer and in the Customer’s name.

If so, the relevant supplier’s terms and conditions for the service will be applicable directly between the Customer and the supplier in question, and the supplier will, where applicable, be a processor, separate controller, or joint controller with, the Controller in accordance with the terms of the supplier’s service, and the supplier will not be a sub-processor to Albacross.

For the avoidance of doubt, an account with a third party supplier is only set up on behalf of the Customer and in the Customer’s name if the Customer has instructed Albacross to do so.

‍

Schedule 3 – Subprocessors

Customer approves that Albacross engages the following subprocessors.