Data Processing Agreement

1. Background

This Data Processing Agreement (“DPA”) is entered into by, and between, Tendium AB, company registration number 559169-6843 (“Tendium”), and a customer of Tendium (the “Customer”). This DPA is part of the agreement between Tendium and the Customer (the “Agreement”) governing the Customer’s use of Tendium’s online service, available at https://app.tendium.com (the “Platform”). The provisions in this DPA set forth the legally binding terms between Tendium and the Customer where Tendium holds the role of the processor of the personal data and the Customer holds the role of the controller of the personal data.

2. General

Tendium is below referred to as the “Processor” and the Customer is referred to as the “Controller”. The Processor and the Controller are also defined as a “Party” and collectively as “Parties”.

Terms used in this DPA shall have the same meaning as in the General Data Protection Regulation (2016/679) (“GDPR”) and be interpreted accordingly, unless otherwise specified. 

The Parties have entered into this DPA in order to guarantee that personal data is being processed in accordance with the GDPR and/or other applicable data protection legislation (“Data Protection Legislation”). The purpose of this DPA is to regulate the relationship, including rights and obligations, between the Parties, and to ensure that both Parties protect the data subjects’ personal data.

3. Scope

3.1. During the term of the Agreement, Tendium will process personal data on behalf of the Customer for the purpose of fulfilling the obligations set forth in the Agreement. Most of the processing of personal data carried out by Tendium under the Agreement is carried out by Tendium as a data controller and such parts of the service are not subject to this DPA. However, the Agreement provides for situations under which Tendium will process personal data on behalf of the Customer, i.e. as a data processor, and such processing is subject to this DPA. 


3.2. Schedule 1 of this DPA sets forth the subject-matter and duration of the processing of personal data, the type of personal data being processed, and categories of data subjects affected by the processing.

4. Documented Instructions

4.1. The Processor shall process personal data in accordance with documented instructions from the Controller, including instructions with regard to transfers of personal data to a third country or an international organisation.

4.2. The Controller shall ensure that a lawful ground recognised under Data Protection Legislation applies for processing of the personal data. The Controller shall further meet all other obligations of a controller under Data Protection Legislation.

4.3. The Controller’s instructions shall include the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, and the categories of data subjects affected by the processing.

4.4. In the event that the Processor considers that any instruction from the Controller violates Data Protection Legislation, the Processor shall refrain from acting on such instructions, promptly notify the Controller, and await amended instructions.

4.5. Provided that the Processor acts for and within the scope of the purposes set forth in this DPA, the Processor may undertake day-to-day actions with the personal data without having received a specific written instruction from the Controller.

5. Confidentiality

5.1. The Processor shall ensure that the persons authorised to process personal data are committed to a confidentiality undertaking.

5.2. The Processor may disclose information if the Processor is obliged to do so by law, judgement by court or decision by authority. If such obligation arises, the Processor shall promptly notify the Controller before disclosure, unless restricted from doing so by law.

6. Security Measures

The Processor shall maintain adequate security measures to ensure security and protection of personal data. Such security measures taken by the Processor include, among other things: 

(i)  maintaining regular activity and access logs for all personnel;

(ii) performing regular access control to ensure that no unauthorised personnel gain access to confidential data in order to protect personal data against destruction, modification, and proliferation;

(iii) ensuring that only authorised persons who need access to personal data have access to personal data and that such processing follows this DPA and the instructions provided by the Controller;

(iv) maintaining certain security measures and performing regular back-ups, such as applying TLS v.1.2 or higher, hashing user passwords and encrypting all data to ensure that data is not compromised; and

(v) ensuring that data is hosted with a certified host.

7. Assisting the Controller

7.1. The Processor shall, taking into account the nature of the processing, assist the Controller by ensuring and maintaining appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights.

7.2. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to articles 32-36 in the GDPR, taking into account the nature of the processing and the information available to the Processor. Such obligations include ensuring the security of the processing, impact assessments regarding data protection, and prior consultations.

7.3. If the Processor becomes aware of a personal data breach, the Processor shall, without undue delay, notify the Controller. The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations to document any personal data breach, notify the supervisory authority, and communicate such personal data breach to the data subjects.

8. Sub-Processor(s)

8.1. The Controller accepts that the Processor may engage another processor for carrying out processing activities on behalf of the Controller (“Sub-Processor”). When engaging a Sub-Processor, the same data protection obligations as set forth in this DPA shall be imposed on the Sub-Processor by way of contract.

8.2. If the Processor intends to engage a new Sub-Processor, the Processor shall inform the Controller thereof on the Tendium website (https://tendium.ai). The Processor will update the applicable website and provide the Controller with a mechanism to obtain notice of the engaged Sub-Processor. The Processor will provide the Controller with updates at least 20 days before engaging a new Sub-Processor. 

8.3. If the Controller objects to a new Sub-Processor engaged in accordance with section 8.2 above and the Processor still chooses to engage such Sub-Processor, the Controller may (i) terminate the Agreement pursuant to its terms; or (ii) if possible, cease using part of the service for which the Processor has engaged the Sub-Processor. If the Agreement or part of the service is terminated in accordance with this Clause 8.3, the Controller shall not be entitled to (i) recover any excess amount of payments made in accordance with the Agreement or this DPA; or (ii) other compensation for damage or loss.

8.4. Before intended changes concerning the addition or replacement of Sub-Processors, the Processor will make an assessment connected to the intended Sub-Processor’s technical and organisational measures, expertise, reliability, and resources. If a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of such Sub-Processor’s obligations.

8.5. A list of the currently engaged and approved Sub-Processors can be found in Schedule 1 to this DPA.

9. Information and Audits

9.1. The Processor will, upon the request of the Controller, make necessary information and documentation available to the Controller, as the Processor sees fit, in order to demonstrate the Processor’s compliance with its obligations. Such a request from the Controller shall be made in writing and the Processor shall, at least, make necessary information available to the Controller within 30 days. 

9.2. The Processor shall allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller. The Controller shall notify the Processor in writing at least 45 days prior to the potential audit and carry the costs for an audit. The Processor undertakes to assist the auditor and disclose information and documentation necessary for the auditor to carry out the audit. The Controller may conduct such an audit once every calendar year.

10. Transfers to Third Countries

The Processor may transfer or give access to personal data outside of the EU/EEA. The Processor shall ensure that such countries maintain adequate safeguards, sufficient guarantees, or that standard clauses are in place. The provisions in this Section 10 shall also apply to the engagement of Sub-Processors in a third country.

11. Term and Termination

11.1. This DPA applies between the Parties as long as the Processor processes personal data on behalf of the Controller or until it is replaced by another data processing agreement.

11.2. The Processor shall, upon termination of the Agreement, make sure that the personal data is returned to the Controller or deleted, if not otherwise agreed upon or unless the processing requires storage of the personal data according to applicable legislation. The Processor undertakes to delete any copies of personal data.

11.3. If the Controller requests return of personal data upon termination of the Agreement, the Processor shall have the right to request compensation from the Controller for costs incurred, connected to the Processor’s measures of fulfilling such a request, at an hourly rate of 500 SEK.

12. Compensation

If the Controller changes the instructions or adds instructions for the processing of personal data that require certain tasks, services, or actions to be performed by the Processor, the Controller shall compensate the Processor for investments and other costs incurred as a result of the changed or additional instructions. The Processor shall be entitled to compensation on a time and material basis as agreed upon between the Parties. This section 12 does not apply to minor changes or additions to the Controller’s instructions.

13. Limitation of Liability

13.1. If a Party acts in violation of this DPA, instructions connected with this DPA, and/or Data Protection Legislation, such Party shall remain liable to the injured Party for direct damages or losses/costs caused by such violation. The extent of such liability shall be limited to the amount set forth in Tendium’s prevailing Terms of Service. Neither Party shall be liable for any loss of production, loss of business or profit, loss of use, loss of goodwill, or any indirect or consequential damages. The limitations of liability set out in this section shall not apply in case of the liable Party’s gross negligence or wilful misconduct.

13.2. If a Party receives claims of payments from third parties (including data subjects), due to the other Party’s illegal processing or violation of its responsibilities under applicable legislation and/or this DPA, such Party shall have the right to compensation from the other Party.

14. Other

14.1. The Processor shall cooperate with the supervisory authority.

14.2. Sections 5 (CONFIDENTIALITY) and 11 (TERM AND TERMINATION) shall survive the termination of the Agreement.

14.3. This DPA and any non-contractual obligations arising out of or in connection therewith shall be governed and construed in accordance with what is set out in the Agreement.

Schedule 1 – Details of the processing and instructions

Purpose

Tendium offers a monitoring and tendering platform that makes it easier and more efficient for suppliers to work with public procurements. Users will monitor public procurement opportunities, communicate with colleagues, structure bidding processes including assigning team members to tasks, and may generate answers to public procurement questions. Personal data relating to the Customer and its team members, partners and other parties involved in public procurement processes is processed by Tendium to facilitate the Customer’s work with public procurements, to manage the Customer’s subscription to the Platform, and to maintain the Customer’s relationship with Tendium.

Duration

The Processor will process personal data for the duration of the Agreement and provision of the Platform thereunder, unless otherwise agreed upon in writing, subject to any section of this DPA and/or the Agreement referring to the duration of the processing and the consequences of the termination or expiration thereof.

Type of Personal Data

The Customer may submit personal data on the Platform, the type and extent of which is determined and controlled by the Customer in its sole discretion.

Categories of personal data:

(i) contact details

(ii) personal data included in comments using the @-mention function

Categories of Data Subjects

The categories of data subjects relating to the personal data that will be processed by the Processor are dependent on the Customer, and may include, but are not limited to, any of the following categories: 

(i) employees, agents, advisors, and freelancers of the Customer; 

(ii) prospects, customers, business partners, and vendors of the Customer; 

(iii) employees or contact persons of the Customer’s prospects, customers, business partners, and vendors; and

(iv) any other third party individual with whom the Customer decides to communicate through the Platform.

Sub-Processors

The Customer approves that the Processor engages and uses the Sub-Processors set forth in the list available at: https://tendium.ai/sub-processors in order to fulfil its obligations in this DPA and the Agreement.