1.1 Rumblestrip will, upon performance of the Agreement when providing its services, process personal data on behalf of the Customer in capacity of the Customer’s processor. The purpose of this data processing agreement (the “DPA”) is to guarantee a secure, correct and legal processing of personal data and meet current requirements according to law. This DPA forms an integral part of the Agreement.

1.2 Terms and concepts applied or referred to in this DPA shall be interpreted in accordance with GDPR and corresponding applicable national legislation of EU member states regarding data protection (jointly, the “Data Protection Rules”). The concepts in the DPA shall have the meaning as stipulated primarily in the Data Protection Rules and otherwise in the Agreement, unless otherwise clearly stated in this DPA or the Agreement.

2.1 The type of personal data and categories of data subjects processed by Rumblestrip under this DPA and the purpose, nature, duration of the processing is specified in Appendix A (Data Processing instructions).

2.2 The Customer is the data controller of all personal data processed by Rumblestrip on behalf of the Customer under this DPA. Rumblestrip shall:

(a) only process personal data in accordance with the Customer’s documented instructions and not for other purposes than those Rumblestrip has been engaged for;

(b) comply with obligations laid down in the Data Protection Rules, of which the Customer has informed Rumblestrip of and instructed Rumblestrip to comply with;

(c) put in relation to the degree of sensitivity to the personal data being processed, implement appropriate technical and organisational measures, as required by the Data Protection Rules (including Article 32 of the GDPR) in order to ensure a level of security that is appropriate to protect the processed personal data from accidental or illegal destruction, loss, alteration, unauthorised disclosure of or unauthorised access to the personal data being processed;

(d) assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Rumblestrip, which includes assisting with data protection impact assessments and notifying the Customer of a personal data breach without undue delay after becoming aware of such breach;

(e) provide the Customer with such information required to demonstrate that Rumblestrip´s obligations under the Data Protection Rules have been met. This shall be done within reasonable time from the Customer’s request and to the extent that the Customer has specified the content and scope of such information in a reasonable time in advance;

(f) enable and contribute to audits, including inspections, carried out by the Customer or by an independent auditor authorised by the Customer and which Rumblestrip can reasonably accept;

(g) inform the Customer about any contacts with the supervisory authority in matters regarding processing of personal data;

(h) assist the Customer, to the extent possible and by technical and organisational measures that are appropriate with regard to the nature of the processing, in fulfilling the Customer’s duty to respond to a request from the data subject when the data subject is exercising his or her rights laid down in the Data Protection Rules; and

(i) ensure that the Customer can fulfill any obligations to enable data portability for the personal data that Rumblestrip is processing on behalf of the Customer under this DPA.

2.3 The Customer, as controller, is responsible for compliance with the Data Protection Rules. The Customer specifically undertakes:

(a) to give Rumblestrip instructions of the processing and promptly inform Rumblestrip of change of the Customer’s processing affecting Appendix A;

(b) to promptly inform Rumblestrip if a third party takes action or makes claim against Rumblestrip as a result of Rumblestrip´s processing under this DPA;

(c) in conducting audits, including inspections in accordance with section 2.2(f), make the necessary confidentiality undertakings and comply with Rumblestrip´s security regulations at the place where the inspection is to be carried out, without risking hindering Rumblestrip´s operations or the protection of Rumblestrip´s other customers´ data; and

(d) to promptly inform Rumblestrip in case anyone else jointly with the Customer is controller of the personal data.

2.4 The documented instructions from the Customer to Rumblestrip, which apply for the term of this DPA, are set out in Appendix A (Data Processing instructions). In addition to the instructions, this DPA and the Agreement shall be deemed to constitute the Customer’s documented instructions to Rumblestrip regarding the processing of personal data.

2.5 The security measures that Rumblestrip takes in accordance with this DPA are, in the Customer´s assessment, sufficient for Rumblestrip to fulfil its obligations under the DPA. If the Customer requires additional security measures during the term of the DPA Rumblestrip shall, as far as possible, meet these requirements. The Customer shall compensate Rumblestrip for all costs for the adoption of such additional security measures that goes beyond the security measures that Rumblestrip has implemented for its other customers or what the Data Protection Rules require.

2.6 If Rumblestrip discovers that an instruction, e.g. regarding agreed security measures, is in breach of the Data Protection Rules, Rumblestrip shall within a reasonable time notify the Customer of its finding and await the Customer´s changed written instructions. If the Customer does not submit new instructions within a reasonable time, Rumblestrip shall have the right to take reasonable and necessary security measures to comply with the Data Protection Rules at the Customer´s expense.

2.7 Notwithstanding the provisions of this paragraph 2, Rumblestrip may process personal data for the Customer if such processing is required under Union law or EU member state law to which Rumblestrip or the entity hired by Rumblestrip to process personal data on behalf of the Customer (“Sub-Processor”) fall under. In this case, Rumblestrip or the Sub-Processor shall inform the Customer of the legal requirement before processing, to the extent that such information is not prohibited.

2.8 Rumblestrip has the right to, during the term of this DPA and thereafter, store and otherwise process user data originating from the Customer and Users for analysis purposes, provided that such data is aggregated and processed only for the purposes stated in the Agreement.

3.1 Rumblestrip shall ensure all personal data are kept secret and persons authorised to process the personal data are under an appropriate contractual or statutory obligation of confidentiality. This confidentiality obligation is valid during the term of this DPA and shall remain in force after termination. The commitment does not apply to information that Rumblestrip is required to disclose to an authority or that Rumblestrip is required to disclose in order to comply with the Data Protection Rules or other statutory rules.

3.2 Rumblestrip shall forward any received request of receipt of information, regarding personal data that Rumblestrip processes on behalf of the Customer, to the Customer. Rumblestrip, or anyone working under Rumblestrip´s supervision, shall not disclose personal data, or information about the processing of personal data, without the Customer’s express instruction within ten (10) days, unless required by the Data Protection Rules or other legislation to which Rumblestrip or Sub-Processor is subject.

4.1 The Customer hereby gives Rumblestrip a prior, general authorisation to engage Sub-Processors for processing of personal data. The Sub-Processor may only process personal data if Rumblestrip and the Sub-Processor enters into a written agreement, or other legal act under Union law or EU member state law, in which such data protection obligations that correspond to those imposed on Rumblestrip under this DPA, shall be imposed upon the Sub-Processor.

4.2 Rumblestrip is responsible for ensuring compliance with Articles 28.2 and 28.4 of the GDPR when engaging Sub-Processors, and to ensure that Sub-Processors provide sufficient guarantees about implementing appropriate technical and organisational measures, in such a manner that the processing meets the requirements of the GDPR.

4.3 Upon the Customer’s request, Rumblestrip shall provide the Customer with information regarding which Sub-Processors have been engaged and provide the Customer with such specified information regarding the processing by Sub-Processors, which the Customer may reasonably request according to the Data Protection Rules. Sub-Processors engaged at the conclusion of the Agreement are listed in Appendix A.

4.4 Rumblestrip shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors thirty (30) days before Rumblestrip intends to make such changes. Rumblestrip informs the Customer by updating the list of Sub-processors on Rumblestrip’s website. The Customer is entitled to object to such changes and Rumblestrip shall then, at the Customer´s expense, take reasonable measures to satisfy the Customer´s objection. The Customer´s objection must be made in writing and within thirty (30) days from Rumblestrip´s information about the engagement or replacement as above. If Rumblestrip cannot reasonably satisfy the Customer´s objection, Rumblestrip has the right to terminate this DPA and/or relevant parts of the Agreement in whole or in parts with a thirty (30) day notice period.

4.5 As a main rule Rumblestrip only processes personal data within the EU/EEA. The personal data processed in the Service is stored within the EU. Rumblestrip’s Sub-Processor may however, by way of exception, in one situation process personal data outside the EU/EEA. Such transfer of personal data will only regard certain employees in an executive position and only for a transitional period. In these cases, Rumblestrip always makes the transfer in accordance with the Data Protection Rules, e.g. by using the European Commission´s standard contractual clauses for the transfer of personal data to third countries or provisions replacing them. The Customer hereby gives Rumblestrip the right to enter into such standard contractual clauses with Sub-Processor on behalf of the Customer.

5.1 This DPA effective when the Service Agreement has been entered into and remains in force as long as Rumblestrip process personal data on behalf of the Customer, including by deleting or returning personal data in accordance with paragraph 5.2 below.

5.2 Upon termination of the Agreement and to the extent Rumblestrip stores any personal data, Rumblestrip shall delete, in accordance with instructions provided by Customer, all personal data that Rumblestrip processes under this DPA, including any existing copies, unless storage of the personal data is required by applicable law. Rumblestrip can, if the Customer wish so at the termination of the Agreement, return the personal data instead of deleting it.

6.1 If the Data Protection Rules are changed during the term of this DPA, or if the supervisory authority issues guidelines, decisions or regulations concerning the application of the Data Protection Rules that result in this DPA no longer meeting the requirements for a data processing agreement, necessary changes shall be made to this DPA, in order to meet such new or additional requirements. Such changes shall enter into force no later than thirty (30) calendar days after Rumblestrip sends a notice of change to the Customer, or otherwise no later than prescribed by the Data Protection Rules, guidelines, decisions or regulations of the supervisory authority.

6.2 Any change to Appendix A (Data Processing instructions) must be documented and notified to Rumblestrip in writing no later than thirty (30) days before the change takes effect. If Rumblestrip within these thirty (30) days notifies the Customer that Rumblestrip has objective reasons to oppose the Customer´s amendments to the instructions in Appendix A, Rumblestrip shall have the right to terminate the Agreement in accordance what is stated in the Agreement.

6.3 Other amendments to this DPA shall enter into force thirty (30) days after Rumblestrip has informed the Customer of an updated version, if the Customer has not objected to such amendments within the same time period. If the parties cannot agree to the updated version each party shall have the right to terminate this Agreement in accordance with what is stated in the Agreement.

7.1 This DPA supersedes and replaces any prior data processing agreements entered into between the parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, notwithstanding anything to the contrary in the Agreement.

7.2 Rumblestrip shall be entitled to compensation in accordance with the current price list for all assistance and work that Rumblestrip shall perform according to this DPA, including compensation for work and additional costs that arise as a result of changes in the Customer´s instructions that require Rumblestrip to make special adjustments on behalf of the Customer.

7.3 If any section of this DPA is held invalid or unenforceable, the validity of the remaining sections shall not be affected. To the extent that the invalidity has a materially burdensome effect regarding the parties´ obligations under the DPA, reasonable adjustment of the DPA shall take place.

7.4 If a party transfers the Agreement, the DPA shall also be deemed to have been transferred as a part of the Agreement. However, this DPA may still be valid between the original parties.

7.5 What is stipulated in the Agreement shall apply also in relation to this DPA, for example any limitation of liability.

7.6 This DPA shall be governed by and construed in accordance with the laws of Sweden. Any dispute arising out of or in connection with this DPA shall be settled in accordance with the dispute resolution provision in the Agreement.