Data Processing Agreement (DPA)

Emoco Labs AB

Last updated: 2025-11-12

This Data Processing Agreement ("Agreement") is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and forms part of the Terms of Service or other agreement ("Principal Agreement") between:

  • Customer ("Data Controller"), and
  • Emoco Labs AB, registered in Sweden (org. no. 559117-7596), having its principal place of business in Sweden ("Data Processor").

This Agreement governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including storage.
  • "Controller" means the party who determines the purposes and means of the processing of Personal Data.
  • "Processor" means the party who processes Personal Data on behalf of the Controller.
  • "Service" means the Emoco Labs AB SaaS application provided at emoco.com.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

2. Subject Matter, Duration, Nature and Purpose of Processing

Subject Matter: Processing of Personal Data necessary to provide and maintain the Service, including user account management, content storage, collaboration features, and service operations.

Duration: This Agreement remains in effect for the duration of the Principal Agreement and continues until all Personal Data has been deleted or returned in accordance with Section 8.

Nature and Purpose of Processing:

  • Provision of the SaaS application and related services
  • Storage and management of user-generated content
  • User authentication and access control
  • Service maintenance, support, and improvements
  • Security monitoring and incident response
  • Backup and disaster recovery

Categories of Personal Data:

  • Contact information (names, email addresses)
  • Account credentials (usernames, hashed passwords)
  • User-generated content (documents, files, shared data)
  • Usage data and logs (IP addresses, access times, feature usage)
  • Payment information (processed by subprocessor Stripe)
  • Any additional Personal Data uploaded by the Customer or its users

Categories of Data Subjects:

  • Customer's employees and authorized users
  • Customer's clients or end-users (if applicable)
  • Other individuals whose Personal Data the Customer processes using the Service

3. Roles of the Parties

For all Personal Data submitted, stored, or created by the Customer or its users within the Service (including user-generated documents and shared content):

  • Customer acts as Data Controller.
  • Emoco Labs AB acts as Data Processor.

Emoco Labs AB processes Personal Data only on behalf of the Customer and in accordance with this Agreement and the Customer's documented instructions.

4. Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including:

  • This Agreement and its terms
  • Instructions provided through the Service interface
  • Written instructions provided via email or support channels
  • Instructions necessary to comply with applicable laws

If the Processor believes that any instruction violates the GDPR or other applicable data protection laws, the Processor shall:

  • Immediately inform the Controller
  • Suspend processing of the instruction until the Controller confirms or modifies it
  • Not be liable for any delays resulting from such suspension

The Controller may issue additional documented instructions consistent with this Agreement. The Processor will inform the Controller if additional fees are required for processing instructions beyond the scope of the Service.

5. Customer Responsibilities

The Customer is responsible for:

  • The lawfulness of Personal Data it enters into the Service.
  • Ensuring a valid legal basis for Processing such data.
  • Ensuring Personal Data shared with other users is appropriate.
  • Ensuring it has a lawful basis for storing special categories of data (e.g., health, religion, ethnicity), if it stores such data in the Service.

6. Processor Obligations

Emoco Labs AB shall:

  • Process Personal Data only to provide and maintain the Service.
  • Not access user-generated content unless:
    • Required for security or maintenance, or
    • Explicitly requested by the Customer for support.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
    • Pseudonymization and encryption of Personal Data in transit (TLS 1.3+) and at rest (AES-256 or equivalent)
    • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
    • Access control and authentication (multi-factor where appropriate)
    • Role-based access control and least-privilege permissions
    • Regular security testing and vulnerability assessments
    • Secure backup and disaster recovery procedures
    • Ability to restore availability and access to Personal Data in a timely manner
    • Regular testing and evaluation of the effectiveness of security measures
  • Ensure that all personnel authorized to process Personal Data:
    • Are bound by confidentiality obligations
    • Receive appropriate training on data protection
    • Process Personal Data only as instructed
  • Notify the Customer of any Personal Data breach without undue delay and in any event within 72 hours of becoming aware of the breach, including:
    • Nature of the breach and categories of data affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Assist the Customer in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) by providing necessary information and technical measures within a reasonable timeframe.

7. Subprocessors

The Customer provides general authorization for Emoco Labs AB to engage subprocessors necessary to operate the Service, including infrastructure and payment providers.

Current subprocessors include:

  Subprocessor                  Purpose                               Location     Safeguards
  Stripe Payments Europe Ltd.   Payment processing, fraud prevention  EU / Global  Standard Contractual Clauses (SCCs)
  Glesys AB                     Hosting and database infrastructure   Sweden       SCCs / EU Data Residency
  Oderland AB                   Transactional email delivery          Sweden       SCCs

Subprocessor Changes:

  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors at least 30 days in advance via email or notification through the Service.
  • The Controller may object to the engagement of a new subprocessor on reasonable data protection grounds within 14 days of notification.
  • If the Controller objects, the parties will work together in good faith to find a resolution. If no resolution is found, the Controller may terminate the affected portion of the Service.
  • The Processor ensures that subprocessors are bound by data protection obligations equivalent to those in this Agreement, including obligations under Article 28(3) of the GDPR.
  • The Processor remains fully liable to the Controller for the performance of subprocessor obligations.

8. International Data Transfers

If Personal Data is transferred outside the EU/EEA:

  • Such transfer is subject to EU-approved Standard Contractual Clauses (SCCs) in accordance with Articles 46 and 49 of the GDPR.
  • Additional safeguards are applied where required, including technical measures and supplementary protections.
  • The Processor will inform the Controller if it becomes aware that it can no longer meet its obligations under the SCCs.

9. Data Subject Rights

The Processor will assist the Customer in responding to requests related to:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten") (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

The Processor shall assist the Controller by providing:

  • Appropriate technical and organizational measures to enable compliance with Data Subject requests
  • Access to relevant Personal Data within 10 business days of a Controller request
  • Data export in a structured, commonly used, and machine-readable format

Customer may request full account data export or deletion at any time through the Service interface or by contacting support.

10. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to the Controller in:

  • Conducting Data Protection Impact Assessments (DPIAs) when required under Article 35 of the GDPR
  • Prior consultation with supervisory authorities under Article 36 of the GDPR
  • Providing information about the technical and organizational measures, security practices, and processing operations necessary for such assessments

11. Data Retention, Return, and Deletion

During the Agreement:

  • Personal Data is retained as long as necessary to provide the Service and as instructed by the Controller.

Upon termination or expiry of the Agreement:

  • At the Controller's choice, the Processor shall either delete or return all Personal Data to the Controller within 30 days, unless retention is required by EU or Member State law.
  • Upon request, the Processor will provide the Controller with a data export in a structured, commonly used, and machine-readable format.
  • After the data is returned or deleted, the Processor shall securely delete all existing copies of Personal Data, except where EU or Member State law requires storage.
  • Backups containing Personal Data shall be securely deleted according to the backup retention schedule (maximum 90 days) unless legal obligations require longer retention.
  • The Processor will provide written certification of deletion upon request.

Early Deletion:

  • The Customer may request earlier deletion at any time, which will be completed within 10 business days.

12. Audit Rights and Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

Audit and Inspection Rights:

  • The Controller has the right to conduct audits and inspections to verify the Processor's compliance with this Agreement and the GDPR.
  • The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
  • Audit requests must be made in writing with at least 30 days' notice and shall be conducted during regular business hours.
  • Audits shall not be conducted more than once per year unless there is reasonable suspicion of non-compliance or a Personal Data breach has occurred.
  • The Controller shall bear the costs of audits unless the audit reveals material non-compliance, in which case the Processor shall bear reasonable costs.
  • The Processor may require the auditor to sign a confidentiality agreement before providing access to facilities or information.

Compliance Documentation:

  • The Processor will maintain records of processing activities in accordance with Article 30 of the GDPR.
  • Upon request, the Processor will provide evidence of compliance certifications, security audits, or penetration test results (subject to confidentiality).

13. Liability

Nothing in this Agreement removes or limits the liability of either party under applicable data protection laws, including the GDPR.

Each party shall be liable for damages caused by processing that violates the GDPR or this Agreement, subject to the liability limitations in the Principal Agreement, except where such limitations conflict with mandatory GDPR requirements.

14. Governing Law and Jurisdiction

This Agreement is governed by and interpreted under the laws of Sweden and disputes shall be resolved in Swedish courts.
Signed on behalf of the Data Processor:

Emoco Labs AB

Date: 2025-11-12

Signed on behalf of the Data Controller (Customer):

The Customer accepts this DPA by using the Service or entering into the Principal Agreement.