This Data Processing Agreement (this “DPA”) amends and supplements any existing and currently valid agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Client”) and SEWN TECHNOLOGY SOLUTIONS AB (together with subsidiary(ies) and affiliated entities, collectively “SEWN”) and sets forth other terms that apply to the extent any information you provide to SEWN pursuant to the Agreement includes personal data (as defined below). This DPA is effective as of the effective date of the agreement.
1. Definitions.
“Client Personal Data” means Personal Data which is owned or controlled by Client, to which SEWN has access and/or otherwise Processes for the purpose and during the provision of the Marketplace and thereto related services, including, without limitation, data that is explicitly defined as a regulated category of data under Data Protection Laws applicable to Client.
“Data Protection Laws” means all applicable data protection and privacy laws that apply to the Processing of personal data under this Agreement, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
“EEA” means the European Economic Area.
“EEA Client Personal Data” means Client Personal Data which originate from a member state of the EEA.
“Information Security Incident” means a breach of SEWN’s security obligations leading to the accidental or unlawful destruction, loss, alteration or unauthorized acquisition, disclosure, misuse or access to unencrypted Client Personal Data transmitted, stored or otherwise Processed by SEWN.
“Personal Data” means data, which is defined as personal data in the GDPR.
“Process” means to view, access, collect, record, organize, structure, use, store, manipulate, adapt or alter, retrieve, disclose, transfer, analyze, or erase or destroy any Client Personal Data.
“Subprocessors” means third parties authorized under the terms of the Agreement to have access to and Process Client Personal Data in order to provide a portion of the Services.
The terms “controller,” “data subject,” “processor,” and “supervisory authority” as used in this DPA have the meanings given in the GDPR.
2. Roles of the Parties and Compliance with Data Protection Laws.
2.1 Roles of the Parties. As between SEWN and Client, Client shall be, as applicable, the data controller/owner of Client Personal Data; and, as between SEWN and Client, SEWN shall be, as applicable, the data processor/licensee of Client Personal Data.
2.2 Parties’ Acknowledgement. Each Party will comply with the requirements of the Data Protection Laws as applicable to such Party with respect to the Processing of Client Personal Data. The Client agrees that the Agreement (including the DPA), along with the product documentation and Client’s use and configuration of features in the Marketplace, are Client’s complete documented instructions to SEWN for the processing of Client Personal Data. In any instance where the GDPR applies and Client is a processor, Client warrants to SEWN that Client’s instructions, including appointment of SEWN as a processor or subprocessor, have been authorized by the relevant controller.
2.3 SEWN as a Processor. SEWN will Process Client Personal Data only in accordance with Client’s documented Processing instructions as set forth in the Agreement, as applicable, unless otherwise required by law.
2.4 Adequate Rights to Client Personal Data. Client warrants that it has obtained all necessary rights and provided all necessary notices to data subjects as required and that SEWN’s use of any Client Personal Data in accordance with the Agreement or this DPA will not violate any applicable law. Furthermore, Client warrants that: (i) SEWN’s Processing of any Client Personal Data in accordance with any Client instruction shall be in compliance with applicable Data Protection Laws; and (ii) prior to transmitting Client Personal Data to SEWN, Client shall inform SEWN of any applicable requirements pertaining to the transmitted Client Personal Data and Client records. Client shall be responsible for all liability and shall indemnify and hold SEWN harmless from and against all claims and damages, due to a breach of the foregoing warranties.
2.5 Suspension of Services. SEWN may temporarily suspend the services or the access to the Marketplace in whole or in part immediately if SEWN determines that the continued use or provision of the services (i) poses a security risk for SEWN, Client or any third party or (ii) will cause SEWN or Client to be in violation of any applicable Data Protection Law, in which case, SEWN shall promptly notify Client and the Parties shall work together in good faith to resolve such issue in a timely manner. In no event shall either Party be required to perform any service or activity hereunder that violates any applicable Data Protection Law.
2.6 Unintended Data Transfers. The Parties agree that SEWN shall not have an affirmative duty to review any Client Personal Data. However, if SEWN discovers that Client has provided Client Personal Data to SEWN that ought not to have been shared then SEWN shall promptly notify Client. SEWN reserves the right to refuse to Process Client Personal Data if SEWN suspects such Processing would violate any Data Protection Law.
3. Security Obligations of the Parties.
3.1 General. SEWN shall implement technical and organizational security measures to safeguard Client Personal Data from unauthorized Processing or accidental loss or damage, as required by Data Protection Laws.
3.2 Security Obligations. Client acknowledges and agrees that, taking into account the ongoing state of technological development, the costs of implementation and the nature, scope, context and purposes of the Processing of Client Personal Data, as well as the likelihood and severity of risk to individuals, SEWN’s implementation of and compliance with the security measures set forth herein provide a level of security appropriate to the risk in respect of the Processing of Client Personal Data. Client shall be solely responsible for determining whether the Services and SEWN’s security measures as set forth herein meet Client’s needs, including with respect to any Data Protection Laws. Client is further aware that the Marketplace is hosted on the cloud solution provided by AWS (defined below) and agrees that the security measures provided by AWS meet Client’s needs, including with respect to any Data Protection Laws.
4. Additional SEWN Responsibilities.
4.1 Documentation, Audits and Inspections. SEWN shall make available to Client information reasonably requested by Client to demonstrate SEWN’s compliance with its obligations in this DPA and SEWN shall submit to audits and inspections by Client (or Client directed third parties provided that such third parties are not deemed as SEWN competitors) in accordance with a mutually agreed process designed to avoid disruption of the Marketplace and protect the confidential information of SEWN and its other clients. Any such audit or inspection shall be subject to reasonable notice to SEWN, to occur no more frequently than once annually (unless otherwise required by an applicable regulatory agency), and further, such audit or inspection shall take no more than one business day to complete and shall be at the Client’s cost.
4.2 Data Retention. Upon expiration or termination of the Agreement, SEWN shall delete or return to Client all Client Personal Data within a maximum period of one hundred eighty (180) days.
4.3 Data Subject and Supervisory Authority Requests. Taking into account the nature of the Services provided, SEWN shall:
4.3.1 provide assistance to Client as reasonably requested with respect to Client’s obligations to respond to requests from Client’s data subjects as required under applicable Data Protection Laws. Client shall be responsible for the reasonable costs of such assistance. SEWN will not independently respond to such requests from Client’s data subjects, but will refer them to Client, except where required by applicable law; and,
4.3.2 provide assistance to Client as reasonably requested if Client needs to provide information (including details of the services provided by SEWN) to a competent supervisory authority, to the extent that such information is solely in the possession of SEWN or its Subprocessors. Client shall be responsible for the reasonable costs of such assistance.
4.4 Privacy / Data Protection Impact Assessments. Taking into account the nature of the Services provided and the information available to SEWN, SEWN shall provide assistance on a reasonable basis to Client as requested by Client for privacy / data protection impact assessments with respect to the Processing of Client Personal Data as required under applicable Data Protection Laws. Client shall be responsible for the reasonable costs of such assistance.
4.5 SEWN’s Use of Client Personal Data. SEWN will not use Client Personal Data other than to perform the services in accordance with the Agreement. All SEWN Personnel, including subcontractors, authorized to Process Client Personal Data shall be subject to confidentiality obligations and/or subject to an appropriate statutory obligation of confidentiality.
4.6 Client Instructions. SEWN shall follow Client’s instructions regarding the Processing of Client Personal Data; provided that, in the event Client requires that SEWN follow a Processing instruction despite SEWN’s notice that such instruction infringes or may infringe an applicable Data Protection Law, Client shall be responsible for all liability arising, and shall defend, indemnify and hold SEWN harmless against all claims and damages, arising from any continued Processing in accordance with such instruction. The foregoing shall not be construed as requiring SEWN to monitor or advise Client regarding any applicable Data Protection Law.
5. Subprocessors.
Notwithstanding anything to the contrary that may be set forth in the Agreement, Client specifically authorizes the engagement of third parties or subcontractors as Subprocessors as communicated by SEWN from time to time.
The Client agrees and acknowledges that the Marketplace is hosted on a cloud solution provided by Amazon Web Services, Inc. (“AWS”). By entering into the Agreement, the Client agrees to comply with AWS’ terms of use and agrees that the data protection obligations enforced by AWS are sufficient and provide adequate data protection safeguards.
SEWN shall contractually require any such Subprocessors to comply with data protection obligations that are compatible with those SEWN is required to comply with hereunder. SEWN shall remain fully liable for the performance of the Subprocessor. SEWN shall provide Client with 10 business days’ notice, which notice will be provided on the Marketplace, of any intended changes to the authorized Subprocessors and Client shall promptly, and in any event within 10 business days, notify SEWN in writing of any reasonable objection to such changes. If Client’s objection is based on anything other than the proposed Subprocessor’s inability to comply with agreed data protection obligations, then any further adjustments shall be at Client’s cost.
6. Transfers of EEA Client Personal Data.
Client Personal Data that originates from the EEA and that SEWN Processes may not be transferred to, or stored and processed in a geographic location except in accordance with the DPA. Taking into account such Data Protection Protocols, Client appoints SEWN to transfer Client Personal Data to the United States or any other country in which SEWN or its Subprocessors operate and to store and process Client Personal Data to provide the Marketplace.
All transfers of Client Personal Data out of the EEA shall be preceded by the Parties (or Client/SEWN on behalf of Client and the relevant Subprocessor) ensuring appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR and complying with any other requirements (e.g. by signing standard contractual clauses).
7. Information Security Incidents.
SEWN shall maintain procedures to detect and respond to Information Security Incidents. If an Information Security Incident occurs which may reasonably compromise the security or privacy of Client Personal Data, SEWN will promptly notify Client without undue delay. SEWN will cooperate with Client in investigating the Information Security Incident and, taking into account the nature of the Services provided and the information available to SEWN, provide reasonable assistance to Client with respect to Client’s breach notification obligations under any applicable Data Protection Laws.
8. Limitation of Liability.
Each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties resulting from or arising out of any breach by such first-mentioned Party of this DPA which has been awarded in a final judgment or settlement approved by the indemnifying Party. Each Party’s aggregate liability under this indemnity shall, however, be subject to the limitation of liability as set out in the Agreement.