Weld’s Data Processing Agreement

This Data Processing Agreement is effective as of May 24, 2018.

1. Background

This Data Processing Agreement (“DPA”) has been entered into between Weld Your Own App AB (“Weld,” “we,” “us” or “our”) as a data processor and Company Customer (as defined in the Terms) as the data controller.

This DPA forms an essential part of the Service Agreement entered into between Company Customer and us. Unless otherwise defined herein, terms used in this DPA shall have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and in the Terms.

This DPA shall apply, if and to the extent any Content submitted by Company Customer to the Application contains personal data within the meaning of the GDPR (“Data”). You acknowledge that we will not be able to control what Content you upload to the Application and use in connection with the services. You are responsible for notifying us of the existence of Data (including any special categories of personal data) within your Content.

2. Processing of personal data

You agree that this DPA together with the Service Agreement constitute the written instructions in accordance with which any Data shall be processed. Any additional instructions by you must be in writing and may be subject to additional fees payable by you to us for carrying out such instructions. You are entitled to terminate the Service Agreement if we decline to follow instructions requested by you.

We confirm that we will process Data in a lawful manner which meets requirements under the applicable legislation relating to the processing of personal data, including the GDPR.

Details of our processing of Data under this DPA:

  1. Purpose of the processing. The purpose of processing is to provide the Application in accordance with the Service Agreement.
  2. Nature of the processing. Hosting, storage and provision of Application under the Service Agreement.
  3. Duration of the processing. During the term of the Service Agreement, unless otherwise instructed by you.
  4. Type of personal data. Any personal data that you include in Content.
  5. Categories of data subjects. Any categories of data subjects that you include in Content.

3. Responsibilities of the data controller

You agree that it is exclusively your responsibility to comply with any and all obligations of data controller set out in the GDPR and other applicable data protection legislation (including to obtain explicit and legally valid consents from each data subject for the processing of Data or to ensure that another legal ground recognized under the GDPR applies for processing of Data, and to meet any information requirements thereunder). You further acknowledge that the service is provided “as is” and “as available” in accordance with the Service Agreement.

4. Assistance to you as the data controller

Taking into account the nature of the Service, we will assist you in providing any technical or organisational measures for the fulfilment of your obligations as data controller in relation to possible requests for exercising the data subjects’ rights laid down in the applicable legislation. Any assistance provided by us hereunder shall be at the sole cost of you.

Taking into account the nature of the data processing and the information available to us as the data processor, we will assist you in ensuring compliance with your obligations relating to the security of data processing, notifications of personal data breaches to the supervisory authorities and communications to data subjects and data protection impact assessments (articles 32-36 of the GDPR). Any assistance provided by us hereunder shall be at the sole cost of you.

We will notify you about any personal data breaches concerning your data as soon as possible and at the latest 48 hours after having become aware of such personal data breach.

5. Confidentiality and security

We confirm that our personnel involved in providing the service to you have committed themselves to confidentiality obligations with regard to processing of personal data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons we confirm that we have taken such technical and organisational security measures which ensure a level of security appropriate to the risk.

Please see further under “Data Security” in the Privacy Policy.

6. Sub-processors

You agree that we may engage third parties including other data processors in connection with the Application and that such third parties may be located, and your data may be processed, outside the European Economic Area (including e.g. in the United States) subject to applicable data protection legislation. We have listed the sub-processors currently engaged at our website.

If we intend to appoint a new sub-processor, we will, at least 30 days before the appointment of the new sub-processor, update our website with the following information in relation to the sub-processor (i) name and contact information, (ii) provision of services to us and (iii) location for processing of Data (including within or outside of the EU/EEA). If you object to the appointment of the sub-processor, we will inform you of whether the sub-processor will be appointed by us. If we appoint the sub-processor despite your objection, you may terminate this DPA and the Service Agreement.

If we engage a sub-processor for carrying out processing activities on your behalf, at least the same data protection obligations as set out in this agreement shall also apply to such sub-processor. If such sub-processor fails to fulfil its data protection obligations, we shall remain fully liable to you for the performance of the sub-processor’s obligations.

We may provide information regarding such sub-processors upon request, and always subject to our confidentiality obligations.

7. Third-country transfers

We are entitled to process Data outside the European Economic Area. In case of such transfer, we will ensure that Data is transferred in accordance with the applicable law, for example, by using appropriate European Union Standard Contractual Clauses.

In some cases, you may be given the option and/or have chosen the option to have your Data processed in specific region(s) or in specific data center(s). In such cases we guarantee that processing of Data will be handled in accordance therewith and that any changes will be communicated to you in advance.

8. Retention of your data

We have no obligation to store and we will not store any of your data after the termination of your account and/or the Service Agreement, unless otherwise agreed or required under applicable law. We will, at your choice, delete or return all Data related to you after the end of the provision of services relating to processing.

9. Audit

You may have the right, in accordance with applicable legislation only, to receive information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR and, where and to the extent mandated under the GDPR to do so, we will allow for, and contribute to, audits, including inspections, conducted by you in relation to Data in relation to our Service provided to you only. The timing and other practicalities related to any such audit or inspection are determined by us and any such information and assistance are provided at exclusively your cost and expense, and we reserve the right to charge you for any additional work or other costs incurred by us in connection with you using such rights.

10. Discrepancies

This DPA forms a part of the Service Agreement. In the event of any discrepancies relating to the processing of Data between this DPA and the Service Agreement, the provisions of this DPA shall prevail.

Note: Please contact legal@weld.io if you need/would like a signed copy of this DPA.