Last changed: 1 March 2022
This Storykit Standard Data Processing Agreement (the "Data Processing Agreement") forms part of the agreement entered into concerning services relating to Storykit (the "Main Contract"). The Main Contract was entered into by signing an order form or other written or electronic agreement related to the Storykit services.
The Data Processing Agreement is entered into between Storykit AB, a corporation of Sweden with registration no 556980-8404 and place of business at Tulegatan 4, 113 53 Stockholm ("Storykit"), acting as the processor and the customer signing the Main Contract (the "Customer"), acting as the controller.
Storykit and the Customer are individually referred to as "Party" and jointly as the "Parties".
RECITALS:
- Under the Main Contract, Storykit shall provide certain services to the Customer as detailed in the Main Contract (the "Services").
- The Customer may choose to include personal data in the information, data, text, notices, and other material provided or created by the Customer in conjunction with using the Services (hereinafter referred to collectively as "User Content"). Subject to the terms and conditions in this Data Processing Agreement, Storykit agrees to process such personal data in the User Content on behalf of the Customer as a data processor and as further detailed in Appendix 1. For the avoidance of doubt, if the Customer chooses not to include any personal data in the User Content, no personal data will be processed by Storykit on behalf of the Customer.
- If any provision of the Main Contract conflicts with the terms of this Data Processing Agreement, the terms of this Data Processing Agreement shall prevail.
1. DEFINITIONS
In this Data Processing Agreement the following terms shall have the meanings set forth below:
"Agreement Date" means the date that the parties entered into the Main Contract as indicated above;
"Applicable Legislation" means laws and regulations under EU law and relevant Member State laws that from time to time apply to Storykit and the Customer;
"Applicable Data Protection Legislation" means all legislation and regulations, including regulations and decisions issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to Storykit and the Customer, including without limitation the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR"), including any future interpretations thereof in court precedence from the EU Court of Justice or any other authorized court or supervisory authority;
"Data Processing Agreement" means this Data Processing Agreement and the appendices attached hereto (as amended from time to time in accordance herewith); and
"Third Country" means a country which is not a member of the European Union (EU) or the European Economic Area (EEA).
The terms "data subject", "processing", "personal data", and "personal data breach", shall have the same meanings as set out in article 4 of the GDPR.
2. STORYKIT'S OBLIGATIONS
- Storykit undertakes to only process personal data in accordance with the Customer's documented and lawful instructions, including any processing instructions set out in this Data Processing Agreement and the Main Contract. Storykit will not process personal data for its own purposes unless required to do so by Applicable Legislation.
- In the event the Customer submits new instructions which require Storykit to take measures that fall outside the scope of the Services or otherwise are not included in the Main Contract, Storykit shall be entitled to remuneration on a time and material basis. New instructions subject to this section 2 shall be subject to any change mechanisms (if any) included in the Main Contract.
- Notwithstanding what is stated in section 1 above, Storykit may process personal data to the extent it is necessary in order to comply with legal requirements under Applicable Legislation, to which Storykit is subject. In such event Storykit shall notify the Customer about the legal requirement before commencing the processing, unless Applicable Legislation prohibits Storykit from providing this information to the Customer.
- Storykit shall as soon as possible notify the Customer if Storykit (i) lacks instructions from the Customer, (ii) cannot fulfil its obligations under this Data Processing Agreement, or (iii) is of the view that an instruction regarding the processing of personal data given by the Customer would be in breach of Applicable Data Protection Legislation, unless Storykit is prohibited from notifying the Customer under Applicable Legislation. The notice shall be sent to the e-mail address provided by the "Approved purchaser" in the order form or to such other e-mail address explicitly referred by the Customer for such notices.
3. THE CUSTOMER'S OBLIGATIONS
- The Customer undertakes to comply with the Customer's obligations under the Applicable Data Protection Legislation, including but not limited to ensuring that there is legal basis for the processing of any personal data in the User Content.
4. SECURITY MEASURES
- Technical and Organizational Security Measures
- Storykit shall take appropriate technical and organizational measures in order to protect the personal data processed by Storykit. The measures shall at least maintain a level of security which is deemed appropriate under Applicable Data Protection Legislation.
- Storykit shall, upon the Customer's written request, provide necessary information (available to Storykit) in order to allow the Customer to fulfil its obligations to, where applicable, carry out data protection impact assessments (DPIAs) and prior consultations with the relevant supervisory authority under Applicable Data Protection Legislation in relation to the processing of personal data covered by this Data Processing Agreement. In the event the Customer requests assistance from Storykit with respect to the establishment of a DPIA although the Customer is not obligated to conduct a DPIA according to Applicable Data Protection Legislation, Storykit shall be entitled to charge the Customer on a time and material basis for such assistance.
- Access Control, Confidentiality and Logging
- Storykit shall ensure that access to the personal data is restricted to those employees, consultants or other personnel at Storykit who need access to the personal data in order for Storykit to fulfil its obligations under this Data Processing Agreement and the Main Contract. Storykit shall continuously manage the access rights to ensure that access is stripped when no longer necessary.
- Storykit shall through a non-disclosure agreement or other similar confidentiality arrangement ensure that all employees, consultants or other personnel authorized to access and process personal data have committed themselves to confidentiality in relation to the processing of personal data covered by this Data Processing Agreement.
5. PERSONAL DATA BREACH
- In the event of a personal data breach at Storykit, Storykit shall notify the Customer in writing without undue delay from when Storykit became aware of the personal data breach. The notice shall be sent to the e-mail address provided by the "Approved purchaser" in the order form or to such other e-mail address explicitly referred by the Customer for such notices.
- Storykit shall immediately upon becoming aware of the personal data breach conduct a risk analysis to assess the severity and scope of the personal data breach. Unless such risk analysis shows that it is unlikely that the personal data breach will purport any risk to the personal integrity of the data subjects, Storykit shall promptly take appropriate remedial measures to prevent or limit the potential adverse effects of the personal data breach.
- Upon the Customer's request, Storykit shall provide the Customer with:
- a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken by Storykit to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where and insofar as it is not possible for Storykit to provide the abovementioned information at the same time, the information may be provided in phases without further undue delay.
- To the extent a personal data breach has occurred due to the Customer's act or omission, or otherwise as a consequence of any circumstances on the Customer's side in relation to which Storykit has no involvement or responsibility, then any assistance by Storykit requested by the Customer will be charged by Storykit on a time and material basis.
6. ACCESS TO INFORMATION
- The Customer is entitled to, once (1) per year, either by itself or through a third party, conduct audits at Storykit to inspect whether Storykit is complying with its obligations regarding the security of the processing. Storykit shall be notified about such audit at least fourteen (14) days prior to the audit. Any and all costs and expenses arising out of an audit in accordance with this section 1 shall be borne by the Customer. For the avoidance of doubt, an audit according to this section 6 shall only relate to information that is strictly necessary in order for the Customer to comply with its obligation to inspect the processing under Applicable Data Protection Legislation such as technical descriptions and internal records (subject to art. 30(2) GDPR) and internal data protection policies, and shall not under any circumstances include information pertaining to Storykit's business which is irrelevant in relation to Storykit's processing of personal data on behalf of the Customer.
- In the event the Customer assigns a third party, the Customer shall ensure that such third party signs a confidentiality undertaking relating to any and all information which is disclosed to such third party during the audit, such confidentiality undertaking not to be less restrictive than the confidentiality undertaking set forth in section 2 below.
- Customer shall be liable for the acts or omissions by any third-party auditor that assists Customer with the inspection subject to this section 6.
7. SUB-PROCESSORS AND TRANSFERS TO THIRD COUNTRY
- Storykit has the right to engage or replace third parties as sub-processors for the processing of personal data in accordance with this Data Processing Agreement (so called "Sub-processing") provided that Storykit and the sub-processor enter into a written contract and that the Sub-processing complies with this Data Processing Agreement and Applicable Legislation. Storykit shall remain responsible for any sub-processors. Storykit may also transfer personal data to a Third Country provided that Storykit shall comply with the provisions of the GDPR relating to the transfer of personal data outside the EU/EEA and undertakes to take all steps necessary to comply and allow the Customer to comply with such provisions, e.g. by entering into the at each time applicable Standard Contractual Clauses adopted by the EU Commission. Storykit shall be entitled to enter into Standard Contractual Clauses with any sub-processor on behalf of the Customer provided that all necessary steps have been taken with respect to assessing the legal landscape of the receiving country and that necessary measures are taken as a consequence of the Third Country's legislation.
- Storykit shall keep the Customer informed in accordance with section 3 below of any new appointments or replacement of sub-processors and provide the Customer with the possibility to object to a change of sub-processors; such objection shall be delivered in writing to Storykit no more than 14 days after Storykit informed the Customer of the change of sub-processors. Provided that the Customer's objection is reasonable and based on justified data privacy reasons, the Customer's remedy if the Customer does not approve of a new sub-processor is to terminate the Main Contract and this Data Processing Agreement by providing thirty (30) days' prior written notice, in which case Storykit shall refund Customer any pre-paid fees. Upon amendments to the list of sub-processors as set forth in this section 7, the Customer shall without undue delay object to any changes that involve transfer of personal data to a Third Country if the Customer has reasonable grounds to doubt such transfer does not comply with the GDPR.
- The sub-processors and transfers listed at storykit.io/legal/sub-processors are approved for processing of personal data under the circumstances specified in this Data Processing Agreement. In order for the Customer to receive notifications of updates to the list of sub-processors, the Customer is referred to use a URL tracking service such as https://visualping.io/.
8. CONFIDENTIALITY
- Without prejudice to any confidentiality undertakings included in the Main Contract, Storykit shall keep and maintain all personal data in strict confidence and not disclose the personal data to a third party, unless otherwise authorized in advance in writing by the Customer or otherwise required by Applicable Legislation or for the performance of this Data Processing Agreement or the Main Contract.
- Subject to any confidentiality undertakings in the Main Contract, the Customer undertakes to keep any and all information that the Customer may receive about Storykit's security measures, routines, IT systems or that is otherwise of confidential nature, strictly confidential and not disclose confidential information about Storykit or its sub-processors to any third party. The Customer may only disclose such information if the Customer is obligated to disclose such information according to Applicable Legislation or according to the Main Contract or this Data Processing Agreement. The Customer accepts that this confidentiality undertaking shall survive the termination of this Data Processing Agreement.
9. LIABILITY
- The Parties are liable jointly and severally in relation to claims from data subjects. The Party compensating the data subject shall have a right to recourse in accordance with the provisions under art. 82 of the GDPR.
- The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data Protection Legislation.
- For the purposes of section 2 above, both Parties shall, to a reasonable extent, provide information to the other Party which may be useful within the scope of a supervisory matter or a court proceeding.
10. DATA SUBJECTS' RIGHTS
- Storykit shall, insofar as it is possible, take necessary technical and organizational measures in order to assist the Customer in its obligation to respond to requests from data subjects to exercise the data subject's rights according to Applicable Data Protection Legislation. Storykit shall upon Customer's request cooperate with Customer and provide Customer with guidance related to the possibilities to respond to the data subject's right request, e.g. by demonstrating to the Customer how personal data can be extracted from the Services.
- If Storykit receives a request directly from a data subject relating to processing operations subject to this Data Processing Agreement, Storykit shall immediately and no later than within forty-eight (48) hours forward the request to Customer.
11. RETURN OF PERSONAL DATA
- Upon termination of the Main Contract and subject to any provisions related to termination assistance in the Main Contract, the Customer shall instruct Storykit whether the personal data that Storykit has processed on behalf of the Customer within the scope of this Data Processing Agreement shall either, (i) be returned to the Customer, or (ii) be irreversibly deleted, unless Storykit is obligated under Applicable Legislation to continue to store the personal data, in which case Storykit shall notify the Customer subject to section 2.3. Unless otherwise agreed in the Main Contract, if the Customer does not submit such instruction within ninety (90) days from the termination of the Main Contract, Storykit will at its sole discretion either delete or store the personal data as further detailed in Appendix 1.
12. TERM AND TERMINATION
- This Data Processing Agreement shall be effective as of the Agreement Date and until the Main Contract is terminated. However, if Storykit processes personal data on behalf of the Customer after the termination of the Main Contract, this Data Processing Agreement shall apply until Storykit no longer processes any personal data on the Customer's behalf.
13. NON-ASSIGNMENT
- Neither of the rights nor the obligations of either Party under this Data Processing Agreement may be assigned in whole or in part without the prior written consent of the other Party, unless otherwise stated in this Data Processing Agreement.
14. AMENDMENTS
- Storykit reserves the right to make additions or amendments to this Data Processing Agreement. If such addition or amendment constitutes either a material adjustment to the Data Processing Agreement or has a material adverse impact on the Customer's business, Storykit shall notify the Customer regarding the changes not later than sixty (60) calendar days prior to the entry into force of the changes. Customer shall have the right to terminate the Main Contract and this Data Processing Agreement in writing with immediate effect if objecting to the changes and such objections are not adhered to by Storykit. If the Customer has not terminated the Main Contract and this Data Processing Agreement within the subject sixty (60) day period, the Customer shall be deemed to have accepted the changes.
- This Data Processing Agreement applies to and covers any changes, additions, or amendments to the Main Contract (e.g. changes to the service description or additional support). If the Main Contract is terminated and a new contract with a similar scope and purpose to the Main Contract is entered into, but without a new data processing agreement, this Data Processing Agreement shall apply to the new contract. This also applies if an explicit reference is made to this Data Processing Agreement in a contract between the Customer and Storykit.
15. GOVERNING LAW
- This Data Processing Agreement shall be governed and construed in accordance with the laws of Sweden, without regard to its conflict of law principles.
16. DISPUTE RESOLUTION
- Any dispute arising out of or in connection with this Data Processing Agreement shall be finally settled in accordance with the provisions regarding dispute resolution in the Main Contract.
Appendix 1
DESCRIPTION OF THE SCOPE, PROCESSING AND USE OF PERSONAL DATA COVERED BY THE DATA PROCESSING AGREEMENT
Categories of Data Subjects | Data subjects of varying kinds included in the User Content by the Customer in the Services or otherwise added to the Services by the Customer (may include suppliers, interviewees, contributors etc.).
Categories of Personal Data |
Purpose(s) of the Processing |
Processing Operations | The Personal Data will be subject to the following basic processing activities:
Retention of Personal Data |