Data Processing Agreement (DPA)
Processor and Subprocessor Relationships
Provider as Processor.
In situations where Customer is a Controller of the Customer Personal Data, Provider will be deemed a Processor that is Processing Personal Data on behalf of Customer.
Provider as Subprocessor.
In situations where Customer is a Processor of the Customer Personal Data, Provider will be deemed a Subprocessor of the Customer Personal Data.
Processing
Processing Details.
Annex I to this DPA describes the subject matter, nature, purpose, and duration of this Processing, as well as the Categories of Personal Data collected and Categories of Data Subjects.
Processing Instructions.
Customer instructs Provider to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement (which incorporates this DPA); and (d) as documented in any other written instructions given by Customer and acknowledged by Provider about Processing Customer Personal Data under this DPA. Provider will abide by these instructions unless prohibited from doing so by Applicable Laws. Provider will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.
Processing by Provider.
Provider will only Process Customer Personal Data in accordance with this DPA, including the details in Annex I. If Provider updates the Service to include new products, features, or functionality, Provider may change the details in Annex I (such as Categories of Data Subjects, Categories of Personal Data, Nature and Purpose of Processing, etc.) as needed to reflect the updates by notifying Customer of the updates and changes, provided such changes do not materially decrease the level of protection afforded to Customer Personal Data.
Customer Processing.
Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.
Consent to Processing.
Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Provider and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.
Subprocessors.
- Provider will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors is maintained at the URL specified in Annex III and includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks. Provider will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors whether by addition or replacement of a Subprocessor, which allows Customer to have enough time to object to the changes before the Provider begins using the new Subprocessor(s). Provider will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and Provider will cooperate in good faith to resolve Customer’s objection or concern.
- When engaging a Subprocessor, Provider will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of Agreement and this DPA.
- If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) Provider’s agreement with the Subprocessor will incorporate these obligations, including details about how Provider and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. In addition, Provider will share, at Customer’s request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including personal data, Provider may redact the text of its agreement with its Subprocessor prior to sharing a copy.
- Provider remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Provider will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Provider and the Subprocessor.
Restricted Transfers
Authorization.
Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Provider transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Provider will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws, typically through the use of the EEA SCCs and/or UK Addendum as described below.
Ex-EEA Transfers.
Customer and Provider agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Provider outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into the Agreement (which incorporates this DPA), Customer and Provider are deemed to have signed the EEA SCCs and their Annexes, which are incorporated herein by reference and are considered completed with the information in Annexes I, II, and III of this DPA. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
- Module Two (Controller to Processor) of the EEA SCCs applies when Customer is a Controller and Provider is Processing Customer Personal Data for Customer as a Processor.
- Module Three (Processor to Sub-Processor) of the EEA SCCs applies when Customer is a Processor and Provider is Processing Customer Personal Data on behalf of Customer as a Subprocessor.
- For each module, the following applies (when applicable): (i) The optional docking clause in Clause 7 does not apply; (ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days; (iii) In Clause 11, the optional language does not apply; (iv) All square brackets in Clause 13 are removed; (v) In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Sweden; (vi) In Clause 18(b), disputes will be resolved in the courts of Stockholm, Sweden; and (vii) Annexes I, II, and III to this DPA contain the information required in Annex I, Annex II, and Annex III of the EEA SCCs respectively.
Ex-UK Transfers.
Customer and Provider agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Provider outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into the Agreement (which incorporates this DPA), Customer and Provider are deemed to have signed the UK Addendum and its Annexes, which are incorporated herein by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
- Section 3.2 of this DPA (as applicable depending on roles) contains the information required to complete Table 2 of the UK Addendum.
- Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent the ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
- Annexes I, II, and III to this DPA contain the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum respectively.
Other International Transfers.
For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
Security Incident Response
- Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Provider’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by Provider of any fault or liability for the Security Incident.
Audit & Reports
Audit Rights.
Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and Applicable Data Protection Laws. Provider will allow for and contribute to audits, including inspections mandated by Customer’s competent supervisory authority or conducted by Customer or its designated auditor (provided such auditor is bound by confidentiality obligations), to assess Provider’s compliance with this DPA. However, Provider may restrict access to data or information if Customer’s access to the information would negatively impact Provider’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will generally exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Provider to comply with the reporting and due diligence requirements below, unless a direct inspection is necessary due to regulatory mandate or following a confirmed Security Incident. Provider will maintain records of its compliance with this DPA as required by Applicable Data Protection Laws.
Security Reports.
Customer acknowledges that Provider and/or its key Subprocessors may be regularly audited against relevant security standards (e.g., SOC 2) by independent third-party auditors. Upon written request (no more than annually, unless following a Security Incident), Provider will provide Customer, on a confidential basis, a summary copy of relevant then-current certifications or audit report summaries (such as SOC 2 Type II reports, where available) to assist Customer in verifying Provider’s and its key Subprocessors’ security posture.
Security Due Diligence.
In addition to any available Reports, Provider will respond (no more than annually, unless following a Security Incident or significant service change) to reasonable written requests for information made by Customer to confirm Provider’s compliance with this DPA, such as reasonable security questionnaires related to the Service. All such requests must be made in writing to the Provider Security Contact identified in Annex II.
Coordination & Cooperation
Response to Inquiries.
If Provider receives any inquiry or request directly from a data subject concerning the Processing of Customer Personal Data, Provider will promptly notify Customer and will advise the data subject to submit their request to the Customer. Provider will not respond directly to such data subject requests unless legally required or expressly authorized by Customer. If Provider receives a legally binding request (such as a judicial or administrative order) for disclosure of Customer Personal Data from a law enforcement or other public authority, Provider will promptly notify Customer before disclosure, unless prohibited by Applicable Law. Provider will cooperate with and provide reasonable assistance to Customer, at Customer’s expense, regarding data subject requests and regulatory inquiries related to Provider’s Processing of Customer Personal Data under this DPA.
DPIAs and DTIAs.
If required by Applicable Data Protection Laws, Provider will provide reasonably requested information and assistance to Customer to help Customer conduct any mandated data protection impact assessments (DPIAs) or data transfer impact assessments (DTIAs) and related consultations with relevant data protection authorities, taking into consideration the nature of the Processing and the information available to Provider.
Deletion of Customer Personal Data
Deletion by Customer.
Provider will enable Customer to delete Customer Personal Data during the term of the Agreement in a manner consistent with the functionality of the Service.
Deletion at DPA Expiration.
- Upon termination or expiration of the Agreement, Provider will delete all Customer Personal Data (including existing copies) from Provider’s systems in accordance with its standard data retention and deletion timelines (typically within 60-90 days), unless further storage is required or authorized by Applicable Law (such as for compliance with legal obligations).
- If return or destruction is impracticable or prohibited by Applicable Laws, Provider will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control in accordance with this DPA.
- Provider will provide certification of deletion of Customer Personal Data only upon Customer’s written request.
Limitation of Liability
Liability Caps and Damages Waiver.
To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the main body of the Agreement (Cloud Service Agreement).
Related-Party Claims.
Any claims made against Provider or its Affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.
Exceptions.
Nothing in this DPA is intended to limit or exclude any liability which cannot be limited or excluded under Applicable Data Protection Laws, including liability towards data subjects concerning their data protection rights or liability arising from violations of the incorporated EEA SCCs or UK Addendum.
Conflicts Between Documents
- This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA (including its incorporated Annexes and transfer mechanisms like the EEA SCCs or UK Addendum), and the main body of the Agreement, the terms providing the higher level of protection for Personal Data or more stringent obligations shall prevail with regard to data protection matters. Specifically, the order of precedence for data protection matters shall be: (1) the EEA SCCs or the UK Addendum (where applicable); (2) this DPA (including its Annexes); and then (3) the main body of the Agreement.
Term of Agreement
- This DPA becomes effective when the Agreement becomes effective and terminates automatically upon termination or expiration of the Agreement. Obligations related to confidentiality, data deletion, and liability limitations shall survive termination or expiration as set forth herein or in the Agreement. Provider and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws as long as Provider Processes Customer Personal Data.
Definitions
- “Agreement” means the Cloud Service Agreement between Provider and Customer into which this DPA is incorporated by reference.
- “Applicable Laws” means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.
- “Applicable Data Protection Laws” means the Applicable Laws that govern how the Service may process or use an individual’s personal information, personal data, personally identifiable information, or other similar term, including but not limited to GDPR and UK GDPR where applicable.
- “Controller” will have the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.
- “Customer Personal Data” means Personal Data that Customer uploads or provides to Provider, or that is otherwise Processed by Provider on behalf of Customer, as part of the Service and that is governed by this DPA.
- “DPA” means these Data Processing Agreement Standard Terms, including Annexes I, II, and III hereto.
- “EEA SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as incorporated by reference herein.
- “European Economic Area” or “EEA” means the member states of the European Union, Norway, Iceland, and Liechtenstein.
- “GDPR” means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.
- “Personal Data” will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.
- “Processing” or “Process” will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of an operation on, Personal Data, including by automatic methods.
- “Processor” will have the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.
- “Provider Security Contact” means the email address specified in Annex II.
- “Report” means audit reports or certifications (such as SOC 2 Type II reports or ISO 27001 certifications) prepared by independent third-party auditors regarding Provider’s or its key Subprocessors’ security controls.
- “Restricted Transfer” means (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
- “Security Incident” means a Personal Data Breach as defined in Article 4(12) of the GDPR.
- “Service” means the product and/or services described in the Agreement.
- “Special Category Data” will have the meaning given in Article 9 of the GDPR.
- “Subprocessor” means a third party engaged by Provider to Process Customer Personal Data in order to provide parts of the Service.
- “UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S119A(1) of the UK Data Protection Act 2018, version B1.0, as incorporated by reference herein.
Last updated 2025-05-12
Annex I: Details of Processing
(A) List of Parties
Data Exporter:
Customer (as identified in the Agreement). Activities relevant to the data transferred under these Clauses: Use of the Service as described in the Agreement. Role (Controller/Processor): Controller (or Processor, if Customer is acting as a Processor for its own clients, in which case Provider acts as Subprocessor – see Section 1.2 and 3.2(b)/3.3).
Data Importer:
Provider (Distill Intelligence AB, Löjtnantsgatan 4, 115 50 Stockholm, Sweden). Activities relevant to the data transferred under these Clauses: Provision of the Service as described in the Agreement and this DPA. Role (Controller/Processor): Processor (or Subprocessor, if Customer is acting as a Processor).
(B) Description of Transfer and Processing Activities
Categories of Data Subjects:
The Personal Data transferred concern the following categories of data subjects (as determined and controlled by Customer): Primarily employees, contractors, and authorized users of the Customer who access and use the Service.
Categories of Personal Data:
The Personal Data transferred concern the following categories of data (as determined and controlled by Customer): Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion. Such Personal Data may include, but is not limited to:
- Contact Information: such as name, email address, phone number.
- Account Information: such as user ID, account settings, transactional data related to the Service subscription.
- Usage and Analytics Data: such as user interaction data, device information (e.g., browser type, OS), IP addresses, logs related to Service access and use.
- Location Information: potentially derived from IP address or user input.
Special Category Data:
No Special Categories of Data (as defined in GDPR Article 9) are intended to be processed. Customer agrees not to upload or provide Special Category Data to the Service.
Frequency of Transfer:
The transfer of Personal Data from Customer to Provider is performed on a continuous basis during the term of the Agreement.
Nature and Purpose of Processing:
The nature and purpose of the Processing are the provision of the Cloud Service (Distill market intelligence platform) by Provider to Customer as set out in the Agreement. This includes purposes such as: enabling Service access and functionality, user authentication, hosting Customer data, providing market intelligence information and insights, monitoring Service performance, providing technical support, improving the Service, security monitoring, and complying with legal obligations.
Duration of Processing:
Personal Data will be processed for the duration of the Subscription Period specified in the Agreement, and subsequently only as necessary for post-termination deletion obligations outlined in Section 7.2 of this DPA or as required by Applicable Law.
(C) Competent Supervisory Authority
For the purposes of the EEA SCCs (Clause 13), the competent supervisory authority will be the authority identified in accordance with the SCCs, typically the authority of the EU Member State in which the Data Exporter (Customer) is established or primarily concerned. If the UK Addendum applies, the competent supervisory authority is the UK Information Commissioner’s Office (ICO).
Annex II: Technical and Organisational Measures (TOMs)
Provider implements and maintains technical and organizational measures designed to protect the security, confidentiality, and integrity of Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Provider utilizes Supabase Inc. as a key subprocessor for database and authentication services. Supabase maintains comprehensive, industry-standard security measures as detailed in their security documentation (available at https://supabase.com/security or successor URL). Provider relies on these measures for the relevant parts of the Service infrastructure.
In addition, Provider maintains its own security practices consistent with commercially reasonable industry standards applicable to the Service provided. These may include measures related to access control, encryption (where applicable), logging, monitoring, incident response, and personnel security.
Provider reserves the right to update these measures from time to time, provided that such updates do not materially decrease the overall security of the Service provided to Customer.
Provider Security Contact:
support@distillintelligence.com
Annex III: List of Subprocessors
Provider uses certain subprocessors to assist in providing the Service. The current list of approved Subprocessors, including their location and the service they provide, is maintained at: https://www.distillintelligence.com/subprocessors
Customer authorizes Provider to use the Subprocessors listed at the above URL in accordance with Section 2.6 of this DPA.