Data Processing Agreement PDF

Data Processing Agreement


– hereinafter referred to as “Data Controller” –


84codes AB, 556898-0782, and its wholly-owned affiliates

– hereinafter referred to as “Data Processor” –


This Data Processing Agreement (the “DPA”) is an enclosure to the Terms of Service (hereinafter
referred to as Terms), agreed between the Data Controller and the Data Processor in connection
with registration for the Service and regulates in detail the measures for processing personal
related data under commission.

Unless otherwise defined in the Terms, all capitalized terms used in this DPA shall have the
meaning given to them below:

Additional Instructions: means any instructions from Data Controller to the Data Processor
which have not been fixed in this DPA upon its execution.

Applicable Data Protection Law: means EU Data Protection Directive 95/46/EC, or other EU
legislation that may be declared from time to time, any national or internationally binding data
protection laws or regulations applicable at any time during the term of this DPA on, as the case
may be, the Data Controller or the Data Processor. “Applicable Data Protection Laws” includes
any binding guidance, opinions or decisions of regulatory bodies, courts or other bodies, as
applicable, as well as the forthcoming European Union General Data Protection Regulation
(hereinafter referred to as “GDPR”) when it enters into force on the 25th May 2018 and the national
laws adopted pursuant to the GDPR.

Data Controller: means the entity which determines the purposes and means of the Processing
of Personal Data.

Data Processor: means the entity which Processes Personal Data on behalf of the Data

Data Subject: means an identified or identifiable individual, who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an ID number, location data,
an online ID or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.

Personal Data: means any information relating to an identified or identifiable individual, to the
extent that such information is protected as Personal Data under Applicable Data Protection Law.

Personal Data Breach: means any unauthorized or unlawful breach of security leading to, or
reasonably believed to have led to, the unauthorized or accidental destruction loss, alteration,
unauthorized disclosure of or access to Personal Data.

Process or Processing: means any operation or set of operations which is performed on

Personal Data or on sets of Personal Data, whether or not by automated means, such as
collection, recording, organization, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.

Service or Service Offering: means the Service provided by 84codes AB that is the base of the
Terms and this DPA.

Subprocessor: means a third party subprocessor engaged by the Data Processor which, as part
of the subprocessor’s role of delivering the services, will Process Personal Data on behalf of the
Data Controller.

Supervisory Authority: means an independent public authority which is established pursuant to

GDPR Article 51 for example in Sweden “Integritetsskyddsmyndigheten”.

Terms: The Terms of Service for the Service Offering.

Third Country: means a country or region outside the European Union (“EU”) or the European
Economic Area (“EEA”).
1. Scope of the DPA

1.1 This DPA applies to the Data Processor’s Processing of Personal Data on behalf of the
Data Controller. The Data Processor shall Process Personal Data as necessary to perform
the Service pursuant to the Terms and as further instructed by the Data Controller in its
use of the Service. This DPA regulates the measures to protect Personal Data according
to Art. 28 of the GDPR.

1.2 The Personal Data Processed by the Data Processor under this DPA and details of the
Processing is described in Appendix 1 (“Data Processing Instructions”) attached to this

1.3 Additional Instructions or terms (if any) outside the scope of this DPA requires prior written
agreement between Data Processor and the Data Controller. An agreement on any
additional fees payable by Data Controller to the Data Processor for carrying out further
instructions and/or terms must also be established.

2. Rights and Obligations of the Data Controller

2.1 The Data Controller shall be responsible within the framework of this DPA for complying
with the legal provisions of the Applicable Data Protection Law, particular in relation to the
allocation of Processing with respect to the Data Processor, and for the Processing itself.

2.2 The Data Controller has the right to give instructions to the Data Processor in the following

• With regard to the handling of the order

• With regard to the procedure in case of data privacy breaches
• With regard to additional data security measures

2.3 The instructions shall be written and at first be fixed in this DPA and in Appendix 1. These
instructions may subsequently be amended, supplemented or replaced by written
Additional Instructions of the Data Controller to the Data Processor. Additional Instructions
(if any) need to be agreed upon beforehand as per section 1.3. If the parties cannot agree
on eventual Additional Instructions, the Data Controller is entitled to terminate this DPA
and the Terms with immediate effect.

2.4 The Data Controller shall assure that its instructions and usage of the Service comply with
the Applicable Data Protection Law and that the Data Controller’s instructions will not
cause the Data Processor to be in breach of the Applicable Data Protection Law.

2.5 Notification(s) of information concerning the Processing or Personal Data Breach (if any),
will be delivered to the Data Controller’s registered team notification email address and
DPO email address. It is the Data Controller’s sole responsibility to ensure that it maintains
accurate contact information on the service management console and secure transmission
at all times.

2.6 The Data Controller has the right to perform controls of the technical and organizational
measures taken by the Data Processor according to section 9 and as further described in
Appendix 2 (“Technical and Organizational Measures / Security Concepts”) before
starting the Processing and to check them afterward in regular intervals. These controls
could also be performed by an independent auditor on behalf of the Data Controller.

2.7 The Data Controller shall inform the Data Processor without delay when it notices any
mistakes or irregularities while performing controls according to section 2.6. The Data
Processor shall without delay correct such errors or irregularities and notify the Data
Controller when corrections have been made.

2.8 If claims are placed on one of the contracting parties by a Data Subject in connection with
any claim as per Art. 82 of the GDPR, the contracting party concerned shall notify the
other party without delay. The contracting parties shall support one another in defending
the claim.

3. Processing of Personal Data

3.1 The Data Processor ensures that, during the term of this DPA, it has implemented and
further undertakes to comply with appropriate technical and organizational measures in
such a manner that its Processing of Personal Data under this DPA will meet the
requirements of Applicable Data Protection Law and ensure the protection of the rights of
the Data Subject.

3.2 The Data Processor undertakes to only Process the Personal Data pursuant to the Data
Controller's documented instructions and within the framework of the Service Offering,
unless in exceptional cases as per Applicable Data Protection Law. The Data Controller’s
initial instructions to the Data Processor regarding the subject-matter and duration of the
Processing, the nature and purpose of the Processing, the type of Personal Data and
categories of Data Subjects are set forth in this DPA and in Appendix 1.

3.3 The Data Processor shall inform the Data Controller without undue delay if it would
discover that an instruction of the Data Controller would violate the Applicable Data
Protection Law. The Data Processor shall be authorized to interrupt the performance of
this instruction until it is confirmed or changed by the responsible person of the Data

3.4 For the Processing of Personal Data, the Data Processor shall ensure to apply all
measures which are defined in this DPA.

3.5 The Data Processor shall produce and update a list of all categories of activities which it
carries out on behalf of the Data Controller including the compulsory specifications
according to Art. 30 para. 2 of the GDPR as set out in Appendix 1.

3.6 The Data Processor shall not use the data for other purposes than specified by the Data
Controller and shall not keep them any longer than the Data Controller has determined.
Copies or duplicates may not be generated without knowledge of the Data Controller.

3.7 The Data Processor shall not view, access, edit, or use the Personal Data without specified
permission, or when required to maintain the Service, or as necessary to comply with the
law or binding order of the Supervisory Authority.

3.8 Processing by telecommuting is allowed for engineers of the Data Processor. The Data
Processor ensures that the Processing by telecommuting complies with required data
protection measures, meaning that the data is protected against unauthorized access.
This means e.g., safe and encrypted end-to-end communication, no print-out possibility of
Data Controller’s data in the home office, no access possibility to IT-Systems for an
unauthorized person in the home office.

3.9 Data for testing purposes will be kept closed until the Data Controller instructs the Data
Processor to destroy, erase or block it in accordance with the data protection law or to
return it to the Data Controller. The erasure or destruction shall be confirmed to the Data
Controller with a date in writing.
3.10 The Data Processor shall appoint the contact partner for the Data Controller for data
protection questions arising within the framework of the Terms and this DPA. The Data
Controller shall be notified on beforehand (or at least 2 weeks before) of any changes of
the contact partner.

4. Confidentiality and Integrity

4.1 The Data Processor is obliged to ensure that the persons authorized to Process the
Personal Data have committed themselves to confidentiality in writing before taking up the
activity. Furthermore, the Data Processor shall ensure that its associates are sufficiently
informed on the regulations of the GDPR as well as on further relevant data protection
requirements and are familiar with the instructions of the Data Controller. The Data
Processor shall supervise the compliance of the data protection regulations.

4.2 The Data Controller shall be obliged to respect the confidentiality of all business secrets
and data protection measures of the Data Processor which may be disclosed within the
framework of the contractual relationship.

4.3 The confidentiality and integrity obligation shall continue to apply also after termination of
the contractual relationship for a period of five (5) years.

5. Disclosure of Personal Data and Information etc.

5.1 The Data Processor shall without undue delay forward any request to the Data Controller
from a Data Subject, Supervisory Authority or any other third party, who is requesting
receipt of information regarding Personal Data that the Data Processor is Processing
under this DPA. The Data Processor, or anyone working under the Data Processor’s
supervision, shall not disclose Personal Data, or information about the Processing of
Personal Data, without the Data Controller’s expressed instruction or as provided in this
DPA, unless required by Applicable Data Protection Law. In the event that the Data
Processor is obliged to disclose Personal Data according to Applicable Data Protection
Law, the Data Processor shall take all measure to request confidentiality in connection
with the requested information and immediately inform the Data Controller accordingly,
unless the Data Processor is prevented from doing so under Applicable Data Protection

6. Request from Data Subjects

6.1 Taking into account the nature of the Processing, the Data Processor shall assist the Data
Controller by taking appropriate technical and organisational measures insofar as this is
possible, in observing its legal obligations in relation to the rights of Data Subjects under
Applicable Data Protection Law. This includes, but shall not be limited to, the Data
Controller’s obligation to respond to requests concerning the right of Data Subjects to
receive information and, upon request by Data Subjects, rectify, block or erase Personal

6.2 The Data Processor shall assist the Data Controller in fulfilling potential duties under
Applicable Data Protection Law to enable data portability regarding Personal Data which
the Data Processor is Processing under this DPA.
7. Contact with Supervisory Authority

7.1 The Data Processor shall inform the Data Controller any inquiries from Supervisory
Authority concerning Processing of Personal Data under the DPA. The Data Processor is
not entitled to represent the Data Controller or act on the Data Controller’s behalf in relation
to Supervisory Authority.

8. Subprocessing

8.1 The Data Processor may only subcontract Processing to third parties based on the Data
Controller’s prior written consent. The Data Processor may use Subprocessors to fulfill its
contractual obligations under this DPA or to provide specific services on its behalf, such
as providing support services. The Subprocessors assigned by the Data Processor are
listed in Appendix 3 (“Subprocessors of the Data Processor”) to this DPA. For the
Subprocessors referred to in Appendix 3, authorization is granted by the Data Controller
upon execution of this DPA.

8.2 When engaging a Subprocessor, the Data Processor shall ensure the compliance with Art
28.2 and 28.4 of the GDPR. In particular, the Data Processor is responsible for ensuring
that such Subprocessor provides sufficient guarantees to implement appropriate technical
and organizational measures, in such a manner that the Processing meets the
requirements of Applicable Data Protection Law. The Data Processor shall inform the Data
Controller of any intended changes concerning the addition or replacement of
Subprocessor at least thirty (30) days before planned use of a new Subprocessor, thereby
giving the Data Controller the opportunity to object to the change. The Data Controller
shall notify the Data Processor of such objection within ten (10) days of receiving the notice
of the change.

8.3 The Data Processor shall ensure by contract that the provisions fixed between the Data
Controller and the Data Processor shall apply accordingly to the Subprocessor(s). Thus,
the Data Processor shall enter into a written agreement with its Subprocessor(s). To the
extent that the Subprocessor(s) is performing the same Processing services that are being
provided by the Data Processor under this DPA, the Data Processor will impose on the
Subprocessor(s) the same contractual obligations that the Data Processor has under this

8.4 The Data Processor shall on annual basis (or when necessary) verify the Subprocessor’s
compliance with the DPA. The Data Processor shall document the results of these

8.5 Subcontracting in the meaning of these provisions does not include any additional services
ordered by the Data Processor from third parties to assist in the performance of the DPA,
such as telecommunications services, maintenance or user support, cleaning, auditing or
the disposal of data media. To ensure the protection and security of the Data Controller’s
data, the Data Processor must conclude adequate and conformable to law agreements,
and undertake monitoring activities, when any additional services are taken from third

9. Technical and Organizational Measures / Security Concepts

9.1 Within the area of its responsibilities, the Data Processor shall organize the internal
organization in a way to meet the special requirements of data protection. The Data
Processor will take technical and organizational measures to adequately protect the data
of the Data Controller by meeting the requirements of Art. 32 of the GDPR.
9.2 The technical and organizational measures shall ensure the confidentiality, integrity,
availability, and resilience of the systems and services related to the Processing on a long-
term basis. Measures must also be taken to restore the availability of Personal Data and
access to them immediately after a physical or technical incident, as well as to use a
procedure for the regular review of the effectiveness of the technical and organizational
measures to ensure the safety of the Processing. The measures to be taken include the
pseudonymization and encryption of Personal Data, to the extent it is necessary to ensure
an appropriate level of security.

The technical and organizational measures taken by the Data Processor as per enclosed
Appendix 2, are verified by the Data Controller by agreeing to this DPA and are confirmed
as being binding.

9.3 The Data Processor shall support the Data Controller in accordance with Art. 28 para. 3
e) of the GDPR as far as possible using appropriate technical and organizational protective
measures to enable the latter to fulfill its existing obligations towards the Data Subject, as
per section III of the GDPR. This may include for example the information and access
provided to the Data Subject, the rectification or erasure and forgetting of data, the
restriction of Processing and the right to data portability or to object.

9.4 The Data Processor shall assist, in compliance with Art. 28 para. 3 f) of the GDPR to
establish a data protection impact assessment (DPIA) according to Art. 35 of the GDPR
and, where applicable, in the prior consultation of the Supervisory Authorities according to
Art. 36 of the GDPR.

9.5 The Data Processor shall authorize the Data Controller to inspect the Data Processor’s
compliance with Applicable Data Protection Law as well as its compliance with the Data
Controller’s instructions by the latter or by third parties, especially by requesting
information and inspecting the storage of Personal Data and the Processing systems or
by inspections of the Data Processor’s premises. The Data Processor shall assure to
support such inspections, if necessary.

9.6 The Data Processor shall provide the Data Controller with the necessary details and
documents upon request, and in particular to provide evidence of the implementation of
technical and organizational measures. If there is some information requested by the Data
Controller that the Data Processor declines to provide, the Data Controller is entitled to
terminate this DPA and the Terms.

9.7 The Data Processor shall immediately notify the Data Controller if the safety measures
taken by the Data Processor differ from the requirements agreed upon, or if serious
disturbances occur in the operating procedure, or in case of violations of Applicable Data
Protection Law or the provisions made in this DPA by the Data Processor or the persons
employed by it, as well as in the case of suspicion of data breaches as per section 11
below or irregularities in the processing of Personal Data.

10. Transfer of Personal Data to Third Country

10.1 The Data Processor may only undertake transfer of Personal Data to a Third Country with
prior written consent of the Data Controller. If the Data Controller consents to such transfer,
the Data Processor and/or Subprocessor who is Processing Personal Data in a Third
Country shall ensure that such transfer and Processing is in compliance with Applicable
Data Protection Law and specifically Art. 44 to 50 of the GDPR.
10.2 The Data Processor provides the option for the Data Controller to use the Service in a
Third Country, including countries that may not provide an adequate level of protection for
Personal Data according to Applicable Data Protection Law. In this respect, the Data
Controller is solely responsible for which data center and region(s) it chooses for the
Service (i.e. where the Personal Data will be Processed). Once the Data Controller has
made its choice, the Data Processor will not transfer the Personal Data from the Data
Controller’s selected data center and region(s), unless upon written instruction from the
Data Controller or except as described in section 5.1 of this DPA.

10.3 If the Data Controller selects a data center or region(s) in a Third Country, such selection
is regarded as consent of transfer to Third Country as per section 10.1. The Data Controller
shall in this case ensure that the transfer of Personal Data based on such selection is in
compliance with Applicable Data Protection Law and specifically Art. 44 to 50 of the GDPR.
The Data Controller shall without undue delay notify the Data Processor of such selection
and the Data Processor shall support the Data Controller in ensuring compliance.

10.4 For the strict and necessary purposes of enabling the contractual relationship with you,
your Personal Data may be communicated to third party judicial subjects of foreign
countries whether within or outside the European Union always with respect to the rules
contained in art. 44 to 50 of the GDPR.

11. Personal Data Breach

11.1 In case of a Personal Data Breach involving Personal Data Processed on behalf of the
Data Controller, the Data Processor shall take into account the nature of Processing and
the information available to the Data Processor to support the Data Controller in ensuring
compliance with the Data Controllers obligations pursuant to article 33 in the GDPR.

11.2 If the Data Processor becomes aware of a Personal Data Breach, the Data Processor
shall without undue delay notify the Data Controller of the Personal Data Breach. The
notification shall at least:

• Describe the nature of the violation, the categories concerned, and the approximate
number of individuals and datasets affected;
• Describe the likely consequences of the Personal Data breach;
• Describe the measures taken or proposed to be taken by the Data Controller to
mitigate the effects and to minimize any damage resulting from the Personal Data
Breach; and
• Provide the name and contact details of a contact partner for further information.

12. Liability

12.1 The liability of each party arising out of or related to this DPA (whether in contract, tort or
any other theory of liability) shall be subject to the exclusions and limitations of liability set
out in the Terms. The Data Controller agrees that any regulatory penalties incurred by the
Data Processor in relation to the Personal Data that arise as a result of, or in connection
with, Data Controller’s failure to comply with its obligations under this DPA and the
Applicable Data Protection Law shall count towards and reduce the Data Processor’s
liability under the Terms as if it were liability to the Data Controller under the Terms.

12.2 Subject to section 12.1, the Data Controller shall indemnify and hold the Data Processor
harmless for any direct claims, including any claim from Data Subjects, against the Data
Processor due to Processing of Personal Data which violates the Applicable Data
Protection Law, if such violation is due to unclear, inadequate or inadmissible instructions
from the Data Controller, inadequate information from the Data Controller regarding the
categories of Personal Data being Processed (e.g. if sensitive Personal Data is Processed
without the Data Controller having informed the Data Processor about this) or otherwise
due to circumstance on the Data Controller’s side.

13. Term and Termination

13.1 This DPA shall continue in force until the termination of the Service (the “Termination

13.2 Upon termination of this DPA, the Data Processor shall return to the Data Controller, or
permanently erase, or completely block for access, all business-related information,
documentation, and data provided by the Data Controller, including Personal Data created
in connection with this DPA, unless there is an obligation for the storage of Personal Data
according to EU laws or the rights of member states (see Art. 28 para. 3 lit. g GDPR). The
Data Processor shall confirm at the latest 30 days after the request of the Data Controller
the return, destruction, erasure, and blocking of all information and records. The same
applies to Subprocessors.

14. Changes and Additions etc.

14.1 Amendments and additions to this DPA and all its constituent elements (including any
assurances granted by the Data Processor) shall be made in the form of a written
agreement, which may also be in electronic form, with a specific indication that it is an
amendment or addition to this DPA. This shall also apply to the waiver of the requirements
of this format.

14.2 If any provision of this DPA should be, or become, party invalid or unenforceable, it shall
not invalidate the whole agreement. Any provision of this DPA that is held invalid or
unenforceable only in part or degree shall be rewritten by mutual agreement to closely
reflect the invalid or unenforceable provision while being valid and enforceable.

15. General

15.1 What follows from the Terms shall also apply to the Data Processor’s Processing of
Personal Data and the commitments according to this DPA. For avoidance of doubt; where
there are conflicting provisions in the Terms and the DPA, the provisions in the DPA shall
take precedence regarding all Processing of Personal Data and nothing in the Terms shall
be considered to limit or change the commitments according to this DPA to the extent this
would mean the Data Controller does not comply with the Applicable Data Protection Law.

15.2 Swedish law applies in all aspects to the Data Processor’s Processing of Personal Data
under this DPA.

15.3 Any dispute arising out of or in connection with the DPA shall be settled in accordance
with the dispute resolution provision in the Terms.
Appendix 1: Data Processing Instructions

The following instructions apply to the Processing of the Personal Data under this DPA. In addition
to what is stated in this DPA the Data Processor shall comply with the instructions below:

Processing operations The Processing shall include the following operations

and purposes and purposes:
Please specify all • Storage and forwarding of data and other
Processing activities to be Processing necessary to provide, maintain, and
conducted by the Data improve the Service provided to the Data
Processor Controller;
• To provide technical support to the Data
Controller; and
• Disclosures in accordance with the DPA, as
compelled by law
Categories of Data The Personal Data Processed might include the
Please specify the following Categories of Data:
categories of Personal Data • First and last name
that will be Processed by • Title
the Data Processor • Position
• Employer
• Contact information (company, email, phone,
business address)
• ID data
• Professional life data
• Personal life data
• Connection data
• Localization data
Categories of Data The Personal Data Processed might include the
Subjects following Categories of Data Subjects:
Please specify the • Data Controller’s business management and
categories of Data Subjects employees
whose Personal Data will • Customers
be Processed by the Data • Prospects
Processor • Subscribers
• Suppliers
• Trade representatives
• Contact partners
• Job applicants
Retention period The Personal Data shall be erased at the request of the
Please specify the period Data Controller pursuant to the Data Controller’s
for which the Personal Data instructions.
Processed by the Data
Processor is retained and
when it shall be removed.
Appendix 2: Technical and Organizational Measures / Security Concepts
The following TOMS are agreed between the Data Controller and the Data Processor and
specified in the present individual case, see specimen list.

1. Measures to ensure confidentiality (Art. 32 para. 1 lit. b of the GDPR)

Physical access control

• No unauthorized access to Processing systems is provided. Data is stored in highly
secure data centers. All data centers that run the Service are secured and monitored
24/7. Physical access to the data center facilities is strictly limited to selected cloud

Logical access control

• No unauthorized system usage. SSH keys are required when identifying trusted
computers along with usernames and passwords. 2-step authentication is enabled on
every cloud platform that is providing it (platforms as AWS and Heroku). Individual
authentication credentials are not shared. SSH keys are frequently rotated. All end-
points (computers, laptops, mobile phones) are using encrypted storage, secure
passwords, and auto-locking mechanisms.

Data access control

• No unauthorized reading, copying, changing or removing within the system.

Separation control
• Personal Data is Processed in dedicated systems. Data are not shared with other
services, applications or corporate entities. Within individual systems and databases,
data is segregated with logical access control. Personal Data will not be used for
different purposes other than what it has been collected for without explicit customer

2. Measures to ensure integrity (Art. 32 para. 1 lit. b of the GDPR)

Transfer control
• No unauthorized reading, copying, changing or removing during electronic
transmission or transport. Data in transit can be encrypted and encrypted storages can
be used, which can be specified by the Data Controller while setting up the service.

Input control
• Determination of whether and by whom Personal Data was entered, changed or
removed by the Data Controller is not logged by the Data Processor.

3. Measures to ensure availability and resilience (Art. 32 para. 1 lit. b of the GDPR)

Availability control
• Protection against accidental damage or destruction or loss via escalation ways and
emergency plans.

Order control
• No Processing under commission according to Art. 28 of the GDPR without
corresponding instructions from the Data Controller via explicit contract design,
formalized order management, stringent selection of the service provider, obligation to
convince in advance, follow-up inspections.
• Systems and services are designed in a way that intermittent high stresses or high
constant loads of Processing can be ensured.

4. Measures for the pseudonymization of Personal Data

• Use of personnel, customer, and supplier IDs instead of names.

5. Measures for the encryption of Personal Data

• Data encryption can be enforced by the Data Controller when using the Service.

6. Measures to quickly restore the availability of Personal Data to the Data Controller
after a physical or technical incident
• The Data Controller has the option to set up redundancy for Personal Data Processed
via the Service.

7. Procedures for periodical review, assessment, and evaluation (Art. 32 para. 1 lit. d
of the GDPR; Art. 25 para. 1 of the GDPR)
• Privacy management to prevent the flow of important information to unauthorized
• Incident Response Management Plan
• Data Breach Management Plan
• Data Protection Policy
• Business Continuity Plan
• Data protection by default (Art. 25 para. 2 of the GDPR)
Appendix 3: Subprocessors of the Data Processor

Company name, Content of assignment (Scope of Place of Processing Transmission of/access to

direction and the commission by the Personal Data of the Data
nomination of possible Processor) Controller (category of data and
Data Protection Data Subjects)
Officer/contract partner
for data protection
1. Amazon Web Services Data center Dependent on the Data Controller Storage of data
2. Google Cloud Platform Data center Dependent on the Data Controller Storage of data
3. Azure Data center Dependent on the Data Controller Storage of data
4. Softlayer Data center Dependent on the Data Controller Storage of data
5. Digital Ocean Data center Dependent on the Data Controller Storage of data
6. Rackspace Data center Dependent on the Data Controller Storage of data

7. Alibaba Cloud Data center Dependent on the Data Controller Storage of data

Please note that the data center is chosen on behalf of the Data Controller. Thus, not all data centers listed as Subprocessors will have access to the
Data Controller’s data. Only the data center of the Data Controller’s choice will have access to the data and is considered as a Subprocessor in the
means of this DPA.

