Data Processing Agreement

 

Last updated April 27, 2025

1. Introduction

This Data Processing Agreement (“DPA”) is entered into by and between Byteboost AB (“Data Processor”) and its clients (each a “Data Controller”). This DPA forms part of the Terms of Service or other agreement between the parties governing the provision of Byteboost’s services (the “Agreement”). By signing up for Byteboost’s services, the Data Controller agrees to the terms of this DPA.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

2.1 “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation) and any applicable amendments or successor legislation.

2.2 “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code Section 1798.100 et seq.) and any applicable amendments or successor legislation.

2.3 “Personal Data” means any information relating to an identified or identifiable natural person as defined under the GDPR or personal information as defined under the CCPA.

2.4 “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined under the GDPR or CCPA.

2.5 “Subprocessor” means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.

2.6 “Privacy Laws” means the GDPR, CCPA, European Data Protection Legislation, and any other applicable data protection or privacy laws.

3. Scope and Applicability

3.1 This DPA applies when the Data Processor processes Personal Data on behalf of the Data Controller as part of the services provided under the Agreement.

3.2 Both parties agree to comply with their respective obligations under the GDPR, CCPA, and other applicable Privacy Laws.

4. Roles and Responsibilities

4.1 The Data Controller determines the purposes and means of the processing of Personal Data.

4.2 The Data Processor processes Personal Data on behalf of the Data Controller strictly in accordance with documented instructions provided by the Data Controller, as outlined in the Agreement and this DPA.

5. Data Processing

5.1 Nature and Purpose: The Data Processor will process Personal Data solely for the purpose of providing the services cited in Schedule 1.

5.2 Duration: Processing will continue for the duration of the Agreement, unless otherwise required by applicable laws.

5.3 Categories of Data Subjects: As determined by the Data Controller, which may include customers, employees, or other individuals.

5.4 Types of Personal Data: As determined by the Data Controller and transmitted to the Data Processor under the Agreement.

The processing entails no processing of special categories of personal data, as per Art. 9 GDPR.

6. Data Processor Obligations

The Data Processor will:

(a) Process Personal Data only on documented instructions from the Data Controller.

(b) Ensure personnel authorized to process Personal Data are committed to confidentiality.

(c) Implement appropriate technical and organizational measures to ensure the security of processing, as detailed in Byteboost’s security measures in Schedule 3.

(d) Assist the Data Controller in responding to requests from Data Subjects under GDPR Chapter III or CCPA rights requests. To process requests for deletion or other GDPR rights, customers must specify the data to be removed. Once identified, we will search for and delete the data. The process begins within one month of receiving the request, ensuring compliance with legal timeframes.

(e) Notify the Data Controller without undue delay upon becoming aware of a Personal Data Breach.

(f) Incident Response Process for Data Breaches

In the event of a data breach or exposure, the COO will lead the incident response team to manage the incident effectively. This team will consist of key stakeholders, including:

  • Chief Technology Officer (CTO)

  • Chief Product Officer (CPO)

  • Additional resources as needed, such as representatives from legal, human resources, communications, or external IT-security experts.

The team is tasked with ensuring a timely, coordinated response in compliance with regulatory requirements and Byteboost’s internal policies.

(g) Commencing 30 days after the effective date of termination of the Agreement, Byteboost will initiate a process upon Customer’s written request to delete Customer Personal Data retained in production within 90 days and in backups within 180 days. Any Customer Personal Data archived in backups will be isolated and protected from further processing, unless required otherwise by Applicable Laws. Notwithstanding the foregoing, if Byteboost is required by Applicable Laws to retain some or all of the Customer Personal Data, Byteboost will not be obligated to delete the retained Customer Personal Data, and this DPA will continue to apply to the retained Customer Personal Data.
The Customer acknowledges that it is responsible for exporting any Customer Personal Data they wish to retain prior to the expiration of the 30-day period referenced in this Section, as outlined in the Agreement.

7. Subprocessors

7.1 The Data Controller provides a general authorization for the Data Processor to engage subprocessors to assist in providing services.

7.2 The Data Processor will publish a list of approved subprocessors in Schedule 2.

7.3 The Data Processor ensures that all subprocessors are bound by data protection obligations consistent with this DPA.

7.4 Byteboost is generally authorized to engage subprocessors in accordance with this Section and to use the subprocessors listed on our Subprocessors List. We will update the Subprocessors List at least 30 days before appointing a new subprocessor and will provide you with a mechanism to receive notifications of new general subprocessors via our Subprocessors List.

7.5 If you have concerns about a new subprocessor regarding the protection of Customer Personal Data, you may object by sending an email to contact@glimt.support, outlining your legitimate, good-faith objection, within 15 days of receiving a notification (a ‘Change Notice’). We will address the objection by:
(a) Not using the new subprocessor to process Customer Personal Data;
(b) Taking corrective actions requested in the Objection Notice;
(c) Ceasing to provide the relevant parts of the services involving the new subprocessor processing Customer Personal Data, and adjusting remuneration accordingly.
If the objection cannot be resolved satisfactorily within 15 days, either party may terminate the affected order, and Byteboost will refund any unused amounts paid for the affected services, pro-rated to the remaining terms of the order. If we don’t receive an objection within the 15-day period, you will be deemed to have authorized our use of the subprocessor and waived your right to object.

8. Data Controller Obligations

The Data Controller has the following obligations:

(a) The Controller shall ensure the Processing of Personal Data complies with the requirements of Applicable Data Protection Laws. For clarity, the Controller’s instructions for Processing Personal Data must align with Applicable Data Protection Laws, and the Processor reserves the right to refuse any instructions that fail to comply. The Controller is solely responsible for the accuracy, quality, and legality of Personal Data, as well as the means of its acquisition.

(b) The Controller shall establish and maintain any necessary legal basis for collecting, Processing, and transferring Personal Data to Byteboost. This includes authorizing Byteboost’s Processing of Personal Data and its Processing activities conducted on Your behalf.

9. Transfers of Personal Data

The Data Processor will ensure that any transfer of Personal Data outside the European Economic Area (EEA) or California complies with applicable data protection laws by implementing appropriate safeguards, such as EU Standard Contractual Clauses.

10. Change in Privacy Laws

Notwithstanding anything to the contrary in the Agreement (including this DPA), in the event of a change in Privacy Laws or a determination or order by a government authority or competent court affecting this DPA or the lawfulness of any processing activities under this DPA, the Data Processor reserves the right to make any amendments to this DPA as are reasonably necessary to ensure continued compliance with Privacy Laws or compliance with any such orders. Notice of such amendments will be provided to the Data Controller through an update to the DPA.

11. Audits and Inspections

Upon reasonable notice, the Data Controller may audit the Data Processor’s compliance with this DPA. The Data Processor will provide access to relevant documentation and personnel as needed to demonstrate compliance.

12. Liability

The responsibility for a GDPR sanction depends on the circumstances of the violation:

If the violation is due to our actions:
If fines arise because we, as the data processor, have failed to fulfill our obligations under GDPR or the DPA, we take responsibility in accordance with applicable laws and the agreement between the parties. However, our liability is capped at an amount equal to the fees you have paid for our services during the 12 months preceding the incident that led to the fines.

If the violation is due to the customer’s actions or instructions:
If fines are caused by the customer, as the data controller, providing us with instructions that conflict with GDPR, the data controller will bear the responsibility.

13. General Provisions

13.1 This DPA is governed by the laws of Sweden, and disputes will be resolved in the courts of Stockholm.

13.2 If any provision of this DPA is found invalid, the remaining provisions will remain in effect.