Data Processing Agreement

Last updated: 2025-10-15

This Data Processing Agreement has been entered into between “The Supplier” Vyer Technologies AB, org.no 559089-5891, Storgatan 23C 12, 114 55 Stockholm, (Data Processor) and “The Customer” (Data Controller) in connection with the Customer's acceptance of the terms in the Supplier's Subscription Agreement upon the electronic signing of the Order Form regarding the service “Vyer”. The agreement entails, among other things, that the Supplier, in its capacity as data processor, will process personal data on behalf of the Customer (Personal Data).

Definitions

Terms that are not used with capital letters, e.g. “processing”, “data subject”, “personal data breach” etc., shall have the same meaning as in the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”). Other terms with capital letters that are not defined in the Data Processing Agreement have the same meaning as in the Subscription Agreement.

The Processing

GDPR

The parties undertake to fulfill their obligations under the GDPR and laws implementing or complementing the GDPR (the “Applicable Data Protection Legislation”).

Purpose

The Supplier may only process Personal Data for the purposes set out in Appendix A and/or according to the Customer's written instructions. The Supplier shall immediately inform the Customer if the Supplier believes that the Customer's instructions conflict with Applicable Data Protection Legislation.

Security and Confidentiality

Authorization Requirements

The Supplier shall implement and maintain all measures required under Article 32 of the GDPR. The Supplier shall ensure that all persons authorized to process Personal Data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.

Personal Data Breaches

Procedure

The Supplier shall without undue delay (if possible, no later than 36 hours) notify the Customer if the Supplier discovers any personal data breach concerning Personal Data. The notification shall contain the information necessary for the Customer to fulfill its obligations under Articles 33–34 of the GDPR.

Impact Assessments and Prior Consultation

Advisory

The Supplier shall assist the Customer with impact assessments regarding data protection and prior consultations with the supervisory authority under Articles 35–36 of the GDPR, if the Customer requests it.

Communication

Referral

If any data subject, supervisory authority, or other third party contacts the Supplier regarding Personal Data, the Supplier shall immediately refer the inquiry to the Customer.

Data Subject Rights

Rights

If possible and considering the nature of the processing, the Supplier shall, through appropriate technical and organizational measures, assist the Customer in fulfilling its obligation to respond to requests for exercising the rights of the data subjects under the GDPR.

Sub-processors

Prior Authorization

The Supplier hereby receives general prior authorization to engage sub-processors for processing Personal Data (the “Sub-processors”). The Supplier shall enter into written processing agreements with all its Sub-processors, with at least the same level of obligations as the Supplier has under this Processing Agreement.

Information Obligation

The Supplier shall inform the Customer of any plans to engage new or replace Sub-processors, so that the Customer has the opportunity to raise objections to such changes. Such an objection must be communicated to the Supplier within thirty (30) days from the time the Supplier informed the Customer of its plans; thereafter, the Customer shall be deemed to have accepted the relevant Sub-processor.

Exceptions

If the Customer's objection to engaging a Sub-processor, in the Supplier's opinion, hinders the effective provision of the Supplier's services, the Supplier may terminate the Subscription Agreement without any liability or obligation to pay a penalty due to such termination with a notice period of thirty (30) days.

Liability

The Supplier is liable for its Sub-processors as if the processing had been carried out by the Supplier itself. A list of sub-processors deemed approved when the Data Processing Agreement is entered into is set out in Appendix A.

Transfer Outside the EU/EES

Protective Measures

The Supplier may only transfer Personal Data outside the EU/EES if the Supplier ensures that the transfer is covered by appropriate protective measures, or is otherwise permitted under Applicable Data Protection Legislation.

Permitted Transfer Mechanism

If the transfer mechanism used to ensure that the transfer is permitted under Applicable Data Protection Legislation is declared invalid or illegal by the EU Court, European Commission, or other competent EU institution or national court or authority, the Supplier shall ensure that all processing of Personal Data outside the EU/EES is conducted based on another permitted transfer mechanism under Applicable Data Protection Legislation.

Authority

By entering into this Processing Agreement, the Customer grants the Supplier authority to represent the Customer in signing standard contractual clauses (annex to the European Commission Decision 2010/87/EU of February 5, 2010, regarding the transfer of Personal Data outside the EU/EES, or such approved clauses that replace or supplement these), in the Customer's name and on the Customer's behalf. In addition, the Customer expressly agrees that the Supplier may also represent the relevant Sub-processor in relation to the standard contractual clauses.

Audit and Control

Controls

The Supplier shall provide the Customer with access to all information that the Customer needs to verify that the Supplier meets its obligations under this Processing Agreement. The Supplier shall also enable and assist with audits/inspections that the Customer carries out, with at least ten (10) days' notice, either by itself or with the assistance of a third party (but not a competitor of the Supplier).

Confidentiality Agreements

The Customer may only conduct audits/inspections on-site at the Supplier during the Supplier's normal office hours and shall be done in a manner that does not hinder the Supplier's obligations towards its customers, subcontractors, or third parties. The Customer and others participating in reviewing/inspecting the Supplier must first sign customary confidentiality agreements with the Supplier.

Transfer and Deletion

Upon Termination of Agreement

When the Subscription Agreement terminates or when the Customer requests it, the Supplier shall, without undue delay and according to the Customer's instructions, delete all Personal Data or transfer all Personal Data to the Customer and thereafter delete existing copies.

Exceptions

The Supplier may retain/process Personal Data notwithstanding this Processing Agreement if required by the Supplier to comply with its legal obligations and the Supplier first informs the Customer of the legal requirement.

Applicable Law and Dispute

Legal Application

Swedish law applies to this Processing Agreement, with the exception of choice of law regulations that imply the application of foreign law. The provisions of the Subscription Agreement regarding dispute resolution also apply to this Processing Agreement.

Liability

In Case of Breach of Contract

The Supplier shall compensate the Customer for its damages to the extent that the Supplier's actions have constituted a breach of the Data Processing Agreement or Applicable Data Protection Legislation. To the extent that Applicable Data Protection Legislation allows, the Supplier's liability shall under no circumstances exceed 100% of the compensation paid by the Customer during a calendar year. Otherwise, the same liability limitations as set out in the Subscription Agreement shall apply.

Term of Agreement

Validity

This Processing Agreement is valid from the date it is signed by the parties and until the date the Supplier ceases to process Personal Data.

Compensation

Cost Price

The Supplier has the right to invoice the Customer for its costs (cost price) for assisting the Customer with impact assessments, prior consultations, individual requests for exercising the rights of data subjects, and for transferring and deleting Personal Data. The Supplier also has the right to invoice the Customer for the Supplier's costs (cost price) in connection with the Customer's potential audits/inspections, unless these show that the Supplier has significantly failed in its obligations under this Processing Agreement.

Interpretation

Interpretative Precedence

This Processing Agreement shall take precedence over the Subscription Agreement in all matters related to Personal Data.

Appendix A

The Subject of the Processing

In connection with the use of the service Vyer, the Customer and the Customer's Users have the opportunity to save information in their Organizational Account, for example, when labeling details in the premises and reporting faults. The information may contain personal data.

The Nature and Purpose of the Processing

The Supplier will process Personal Data for the purpose of:

Providing the service according to the Subscription Agreement, as well as otherwise according to the Customer's documented instructions.
Storing information for the Customer that the Customer chooses to save in its Organizational Account in the service Vyer.

Categories of Data Subjects

The Customer's employees and other persons whose data is necessary for the use of the service Vyer.

Categories of Personal Data

Name
Phone
Email
Position
Responsibilities

Processing Time - Retention Periods

The Supplier will process Personal Data for as long as the Subscription Agreement is in force and for a limited time thereafter according to this Processing Agreement unless Personal Data is deleted beforehand by the Customer.

Sub-processors