Data Processing Agreement

Effective Date: 2025-04-22

1. Definitions

For the purposes of this Agreement:

  • “Applicable Data Protection Law” means the General Data Protection Regulation (EU 2016/679) (GDPR) and any applicable national laws implementing or supplementing the GDPR, as well as any other relevant data protection or privacy laws.
  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) as defined in Article 4(1) of the GDPR.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
  • “Controller” means the legal entity or person that determines the purposes and means of the processing of Personal Data.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller.
  • “Subprocessor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Supervisory Authority” means a data protection authority established under Article 51 of the GDPR.
  • “Standard Contractual Clauses” (SCCs) means the contractual clauses adopted by the European Commission to provide appropriate safeguards for the transfer of personal data to a third country.
  • “Third Country” means a country outside the European Economic Area (EEA) that does not benefit from an adequacy decision by the European Commission.

2. Purpose and Scope

This Agreement governs the Processor’s Processing of Personal Data on behalf of the Controller. The purpose of the Processing is to provide the MeetVista platform and related services, including:

  • Real-time collaboration tools and whiteboards.
  • Accounts, workspace, and user management.
  • Integration with third-party services such as monday.com.
  • Technical support and operational performance improvements.

The Processor shall process Personal Data strictly in accordance with the Controller’s documented instructions and only to the extent necessary to provide the services. The Processor shall not process Personal Data for its own purposes or for any unauthorized third parties.

3. Roles and Responsibilities

  • The Controller is responsible for ensuring that Personal Data is processed in accordance with Applicable Data Protection Law and shall provide lawful instructions to the Processor.
  • The Processor agrees to:
    • Process Personal Data only on documented instructions from the Controller.
    • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
    • Ensure that persons authorized to process the Personal Data are bound by confidentiality.
    • Assist the Controller in responding to data subject requests and ensuring compliance with Articles 32 to 36 of the GDPR.
    • Make available all necessary information to demonstrate compliance and allow for audits.
    • Notify the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Categories of Data

  • Categories of Data Subjects:
    • Employees, contractors, and representatives of the Controller
    • Users, guests, collaborators, or other individuals interacting with the MeetVista service via the Controller’s workspace
  • Categories of Personal Data:
    • Contact details (e.g., full name, email address)
    • Technical and usage data (e.g., IP address, device identifiers, login timestamps, usage activity)
    • User-generated content (e.g., text, images, comments, whiteboard elements) that may include personal references or identifiers
    • Workspace-related metadata (e.g., project names, roles, sharing activity, permissions), where such data can be linked to identifiable individuals
  • Excluded Non-Personal Metadata:
    Metadata solely associated with design elements or content attributes (e.g., position coordinates, color values, shape dimensions, timestamps of visual changes) that is not tied to identifiable individuals is not considered Personal Data under this Agreement. However, if such metadata becomes reasonably linkable to a natural person (e.g., through persistent session identifiers, audit trails, or user-linked logs), it will be treated as Personal Data in accordance with the GDPR.

5. Subprocessing

The Processor may engage subprocessors to support the delivery of the services. All subprocessors shall be contractually bound by obligations that are no less protective than those set out in this Agreement.

A list of current subprocessors, including their country of operation and purpose, is available at:

Subprocessors

The Processor will notify the Controller of any intended changes concerning the addition or replacement of subprocessors. The Controller may object to such changes on reasonable data protection grounds within 10 business days.

If the Processor engages a subprocessor located in a Third Country, it shall ensure appropriate safeguards are in place (e.g., SCCs) before any transfer or processing begins.

The Processor shall remain liable for the performance of its subprocessors only to the extent that the Processor failed to exercise reasonable due diligence in their selection, contracting, or oversight. The Processor’s liability for subprocessors shall be subject to the limitations set forth in Section 12 of this Agreement.

6. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required under Article 32 of the GDPR. These include, but are not limited to:

  • Encryption of Personal Data both in transit and at rest.
  • Role-based access controls and authentication procedures.
  • Multi-factor authentication for administrative access.
  • Intrusion detection and prevention systems.
  • Ongoing vulnerability management and patching.
  • Regular staff training and confidentiality agreements.
  • Secure data backups and disaster recovery protocols.
  • Logging and monitoring access and system events.
  • Incident response planning and breach mitigation processes.

The effectiveness of these measures is reviewed regularly, and enhancements are made as necessary. Details may be made available upon written request.

7. International Data Transfers

Where the Processor transfers Personal Data to a Third Country or international organization, such transfer shall be conducted only:

  • To jurisdictions for which the European Commission has issued an adequacy decision.
  • Based on Standard Contractual Clauses (SCCs) or another valid transfer mechanism.
  • With additional supplementary measures, where necessary, to ensure an equivalent level of protection.

The applicable module of the SCCs (e.g., Module Two or Three) depends on the nature of the transfer and roles of the parties involved. Records of data transfer mechanisms will be provided to the Controller upon request.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations regarding data subject rights under Chapter III of the GDPR. This includes:

  • Responding to requests for access, rectification, erasure, restriction, and portability of Personal Data.
  • Responding to objections and withdrawal of consent where applicable.
  • Communicating any correction or erasure of Personal Data to each recipient where feasible.

If the Processor receives a request directly from a data subject, it shall promptly forward the request to the Controller without responding directly, unless legally required to do so.

The Processor will provide reasonable support in managing these requests. Any support exceeding standard levels may be subject to an additional charge, provided such costs are agreed in advance.

9. Personal Data Breach Notification

In the event of a personal data breach affecting the Controller’s data, the Processor shall notify the Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of the breach.

The notification shall include, where possible:

  • A description of the nature of the breach, including categories and approximate numbers of affected data subjects and data records;
  • The contact details of the Processor’s designated point of contact;
  • Likely consequences of the breach;
  • Measures taken or proposed to address the breach and mitigate its possible adverse effects.

If it is not possible to provide all information at once, the Processor may provide information in phases without undue further delay.

The Controller remains responsible for notifying any Supervisory Authority and affected data subjects, unless agreed otherwise in writing. The Processor shall cooperate fully in investigating and remediating any breach.

10. Return and Deletion of Data

Upon termination or expiration of the services, or upon the Controller’s written request, the Processor shall:

  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format, or
  • Permanently delete all Personal Data, including backups, unless legal obligations require retention.

The Processor shall confirm secure deletion upon request. Where deletion is not immediately possible due to backup schedules or technical limitations, the Processor will restrict access and ensure deletion at the next available opportunity in accordance with its internal data retention policy.

11. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and Article 28 of the GDPR. The Controller may:

  • Conduct an audit or inspection no more than once per year, unless required by law or due to a suspected breach;
  • Request relevant third-party audit reports or certifications (e.g., ISO 27001, SOC 2);
  • Conduct the audit with 30 days’ notice, during normal business hours, and in a manner that minimizes disruption.

The Controller shall bear the costs of any audits unless the audit reveals a material breach by the Processor.

12. Liability

To the maximum extent permitted by applicable law:

Each party shall be liable only for direct damages resulting from its own proven violation of this Agreement or Applicable Data Protection Law.

The total aggregate liability of the Processor under this Agreement, for all claims combined, shall not exceed the total amount paid by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the claim. This limitation applies regardless of the form of action, whether in contract, tort (including negligence), or otherwise.

In no event shall the Processor be liable for:

  • Indirect, incidental, special, or consequential damages;
  • Loss of profits, revenue, goodwill, or data;
  • Business interruption or loss of anticipated savings;
  • Acts or omissions of the Controller or any third party, including subprocessors engaged with appropriate due diligence;
  • Data loss or access issues not resulting from gross negligence or willful misconduct by the Processor.

Nothing in this Agreement shall exclude or limit either party’s liability for:

  • Death or personal injury caused by its negligence;
  • Fraud or fraudulent misrepresentation;
  • Any liability that cannot lawfully be excluded under applicable law.

13. Term and Termination

This Agreement remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.

It may be terminated:

  • Along with or following the termination of the main service agreement;
  • By either party with 30 days’ written notice;
  • Immediately, by either party, if the other party commits a material breach and fails to remedy it within 15 days.

Upon termination, Section 10 (Return and Deletion), Section 11 (Audit), and Section 12 (Liability) shall survive.

14. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of Sweden, without regard to conflict of law principles.

Any dispute or claim arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Uppsala, Sweden.

Nothing in this Agreement shall limit either party’s right to seek injunctive or equitable relief in urgent circumstances in any competent jurisdiction.