Data Processing Agreement (DPA) – Mason

Between the You (hereinafter referred to as the ”Data Controller”) and Mason Data AB, corporate registration number 559325 – 6463 (hereinafter referred to as the ”Data Processor”).

The Data Controller and the Data Processor, each being a “Party” to the Data Processing Agreement, are hereinafter collectively referred to as the “Parties”.

The Data Controller and the Data Processor are each referred to as “Party” and collectively as the “Parties”.

1. Whereas

The Parties have entered into the ”Agreement” (as defined below) under which the Data Processor will process personal Data on behalf of the Data Controller. The Parties enters into this Data Processing Agreement (the “DPA”) in order to provide adequate safeguards with respect to such processing of personal data. This DPA replaces any previous data processing agreements between The Data Processor and The Data Controller.

2. Definitions and interpretations

The terms used in this DPA shall have the meaning stated below unless the circumstances clearly require otherwise. Terms not defined in this DPA such as "data controller", "data processor", "personal data", "processing", “data subject” and "personal data breach" shall have the meaning set forth in Data Protection Laws or the Agreement.

• “Agreement” means the agreement between the Parties regarding the Data Processor’s provision of services to the Data Controller.

• “GDPR” means the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

• ”Data Protection Laws” means: (i) the GDPR and any replacement acts; (ii) applicable Swedish law regarding data protection; and (iii) ordinances and regulations to i) and ii) above as well as guidelines issued by the Supervisory Authority and applicable to the Parties' activities.

• ”Supervisory Authority” means the Swedish Authority for Privacy Protection (IMY) and, where applicable, other competent supervisory authority which, by virtue of law, exercises supervision over the Parties' activities.

• “Third Country(ies)” means any country outside the European Economic Area which has not been deemed to ensure an adequate level of data protection by the European Commission pursuant to Articles 44-50 (Chapter V) of the GDPR.

3. Contract documents and application

3.1 The DPA consists of this document and the Specification (Appendix 1) of processing carried out by the Data Processor.

3.2 This DPA is part of and subject to the terms of the Agreement. In the event of a conflict between the provisions of this DPA and the Agreement, in matters concerning the processing of personal data, this DPA shall take precedence over the Agreement.

4. The processing of Personal Data

4.1 The Data Processor undertakes to process personal data in accordance with the Data Protection Laws, this DPA, and the Agreement. Any processing of personal data other than necessary to comply with the Data Processor's obligations under the Agreement, including processing for its own purposes by the Data Processor, is not permitted.

4.2 In addition to the above, the Data Processor may only process personal data in accordance with the Data Controller's instructions in this DPA and any amended or additional instructions provided by the Data Controller, unless required to do so by Union or Member State law to which the Data Processor is subject. The Data Processor shall inform the Data Controller of that legal requirement before processing unless the law prohibits such information on important grounds of public interest.

4.3 The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes Data Protection Laws.

5. Security

5.1 The Data Processor shall implement appropriate technical and organisational measures in accordance with Data Protection Laws to secure personal data against loss or any form of unlawful Processing. Considering the state of the art and the costs of implementation, the measures shall guarantee an appropriate security level given the risks associated with the relevant processing and the nature of the personal data to be protected. The measures are aimed at preventing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The Data Processor shall, upon request, inform the Data Controller of the measures taken.

5.2 The Data Processor further warrants that it has the expert knowledge, reliability, and resources, to implement technical and organisational measures which will meet the requirements of Data Protection Laws, and that those measures shall be reviewed and updated where necessary.

5.3 The Data Processor shall ensure that any person granted access to the Personal Data is bound to obligations of confidentiality or is under an appropriate statutory obligation of confidentiality

6. Sub-Processor

6.1 The Data Controller hereby authorizes the Data Processor to engage new or replace existing sub-processors. The Data Processor will provide a list of engaged sub-processors on its website at mason.app/legal/dpa, and will by updating the website and send an email notification to Data Controller to inform the Data Controller of any intention to add or replace sub-processors. The information on intended addition or replacement of sub-processors shall be made available on the website with reasonable time prior to the new sub-processor commence any processing of Personal Data. Data Controller may object to the engagement of such new/changed sub-processor by notifying Data Processor within 10 days of Data Processor’s notification, provided that such objection must be on reasonable, substantial grounds, directly related to such new sub-processor's ability to comply with substantially similar obligations to those set out in this DPA (an “Objection”). Data Processor shall have the right to cure any Objection, provided, that if it determines the same is not curable, it will notify Data Controller and if the parties are not able to reach a reasonable resolution, either party may terminate the Agreement upon thirty (30) days’ notice. If the Data Controller does not object, the engagement of the new sub-processor shall be deemed accepted by the Data Controller.

6.2 When engaging a sub-processor, the Data Processor shall enter into a written data processor agreement with the sub-processor, imposing the same data protection obligations as set forth in this DPA, and providing sufficient guarantees on appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Applicable Data Protection Regulation.

6.3 The Data Processor is liable for its sub-processors as for its own acts and omissions.

7. Transfer to Third Countries

7.1 The Data Processor and, if applicable, its sub-processor shall not transfer personal data to a Third Country unless approved by the Data Controller. Such approval shall be deemed provided by the Data Controller if stated in Appendix 1 to this DPA or if the Data Controller does not object to the Data Processor´s engagement of a new sub-processor per the process in section 6 including (where applicable) Third country processing by such sub-processor. If the Data Processor, in line with such approval, transfers personal data to a Third Country, the Data Processor shall ensure that:

1. the transfer is governed by and in accordance with a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including, without limitation binding, corporate rules for processors; or

2. the transfer is governed by and in accordance with the standard contractual clauses based on the European Commission Decision of 4 June, 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries, or any subsequent version thereof released by the European Commission (which shall automatically apply); and any relevant supplementary measures are taken in accordance with applicable court practice and guidelines from the European Data Protection Board.

8. Incident management

The Data Processor shall, without undue delay notify the Data Controller in writing after becoming aware of a personal data breach. The information shall contain all necessary information required for the Data Controller to be able to comply with its obligations regarding reporting to the Supervisory Authority and/or the data subject, where applicable.

9. Obligation to assist the Data Controller

The Data Processor shall, upon request of the Data Controller, to the extent required under Data Protection Laws, assist the Data Controller to ensure compliance with its obligations under Data Protection Laws. For example (i) obligations regarding data subjects' rights; and (ii)obligations laid down in article 32-36 of the GDPR such as conducting data privacy risk assessments and consultation with the supervisory authority.

10. Contact with Data Subjects and supervisory authorities

The Data Processor shall inform the Data Controller, without undue delay, about any contact with data subjects, supervisory authorities or other third parties, regarding the processing of personal data by the Data Processor (including any requests or orders from such parties) and await further instructions from the Data Controller. The Data Processor has no right to represent or otherwise act on behalf of the Data Controller in contact with data subjects, supervisory authorities or other third parties.

11. Audit rights

11.1 The Data Controller shall be entitled to take measures necessary to verify that the Data Processor complies with its obligations under this DPA. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

11.2 The Data Processor shall also allow for and contribute to audits, including on-site inspections, conducted by the Data Controller, third party auditor mandated by the Data Controller (provided that all parties and individuals performing the audits enter into appropriate confidentiality agreements) or the Supervisory Authority.

11.3 The Data Controller shall provide reasonable notice prior to an audit unless the audit relates to an on-going incident. Audits shall as far as possible be conducted in the manner with the least possible impact on the Parties' respective ordinary activities. The Data Controller shall bear the costs of an audit and of the provision of information unless the audit reveals breaches by the Data Processor of this DPA or Data Protection Laws in which case the Data Processor shall bear the cost for the audit.

12. Liability

12.1 If a Party breaches this DPA or Data Protection Laws, such Party shall indemnify the other Party for any damage caused by the breach. However, this shall not apply if the negligent Party can show that it is not responsible for the event, act, or omission that caused the other Party damage, such as that the claim could not have been avoided by fulfilling the Party’s obligations under this DPA, Data Protection Laws or the instructions issued by the Data Controller.

12.2 The Parties' right to compensation regarding claims from third parties is regulated in its entirety under Article 82 of the GDPR. This includes the right of the Party who paid full compensation for the damage suffered by a third party to claim back from the other Party, if involved in the same processing, the part of the compensation corresponding to that Party's part of responsibility for the damage.

12.3. This provision (12) shall survive the termination of this DPA.

13. Additions and amendments

13.1 The Data Controller is permitted to request changes to the content of this DPA to the extent necessary to be able to meet requirements that follow from Data Protection Laws. Such change will enter into force no later than thirty (30) days after the Data Controller has submitted a request for change to the Data Processor. In case the Data Processor does not accept such change, The Data Controller has the right to terminate the Agreement in whole or in part with immediate effect. Other additions and amendments to this DPA must, to be valid, be in writing and signed by both Parties.

13.2 Any amended or additional instructions, in addition to those that follow from this DPA must be submitted in writing by email to: hello@mason.app

14. Term of DPA

14.1 This DPA shall enter into force when signed by both Parties and shall remain valid for as long as the Data Processor is processing personal data on behalf of the Data Controller.

14.2 Upon expiry of this DPA, the Data Processor will, at the choice of the Data Controller, either (i) return all personal data to the Data Controller in accordance with the Data Controller's reasonable instructions; or (ii) permanently delete and destroy the personal data (including back-up copies). When returning or deleting personal data in accordance with this clause, the Data Processor shall ensure that the data cannot be recovered.

15. Assignment

Neither Party may transfer or otherwise assign, partially or in full, any of its rights or obligations under this DPA to any third party without the prior written consent of the other Party.

16. Governing law and dispute regulation

This DPA is governed by the substantive laws of Sweden notwithstanding the rules or principles of conflicts of law. Any dispute regarding the interpretation or application of this DPA shall be settled in accordance with the Agreement's provisions on dispute resolution.

APPENDIX 1 – SPECIFICATION

Brief description of the processing of personal data:

The Data Processor offers a data analytics platform on a Software-as-a-Service basis (SaaS) where the Data Controller can gather, process, and store data, which may include Personal Data. 

Purposes:

Covered Personal Data is Processed for the following purposes:

• Mason will process Personal Data in order to provide You with the data analytics Services as described in the Agreement.

Covered Personal Data:

• Personal data included in Your Data or otherwise provided to or shared with Mason by You in connection with e.g. Account creation or use of the Services.

Categories of data subjects:

• Data subjects include the individuals about whom the Covered Personal Data relate to.

Approved Sub-Processors:

Please note that data from connections linked to Mason are exclusively shared with Google Cloud EMEA Ltd, hosted in Europe, and no other sub-processor. This excludes metadata about the database schema.

• Google Cloud EMEA Ltd.

  • Service provided: Data storage & processing

  • Data used: Email, Name, In-app behavior of Mason users, and query results.

  • Hosting location: Europe
    
    

• Datadog, Inc

  • Service provided: Logging infrastructure

  • Data used: Anonymized session data of Mason users

  • Hosting location: Europe
    
    

• Functional Software, Inc (Sentry)

  • Service provided: Error tracking

  • Data used: IP address and In-app behavior of Mason users

  • Hosting location: USA
    
    

• Stripe, Inc

  • Service provided: Payments service

  • Data used: Billing information of Mason users

  • Hosting location: USA
    
    

• OpenAI, Inc

  • Service provided: AI service provider

  • Data used: Database schema and query history

  • Hosting location: USA
    
    

• Mailgun Technologies, Inc

  • Service provided: Email service provider

  • Data used: Email of Mason users

  • Hosting location: Europe
    
    

• The Rocket Science Group LLC (Mailchimp)

  • Service provided: Email service provider

  • Data used: Email of Mason users

  • Hosting location: USA
    
    

• Pinecone Systems, Inc

  • Service provided: Vector database

  • Data used: Database schema

  • Hosting location: USA