Last changed: 16 March 2021
This Storykit Standard Data Processing Agreement (the “Storykit DPA”) forms part of the agreement entered into concerning services relating to Storykit (the “Main Contract”). The Main Contract was entered into by signing an order form or other written or electronic agreement related to the Storykit services.
The Storykit DPA is entered into between Storykit AB, a corporation of Sweden with registration no 556980-8404 and place of business at Söder Mälarstrand 77, 118 25 Stockholm (which shall be referred to as "Processor" or "Party") and the customer signing the Main Contract (which shall be referred to as "Controller" or "Party"), the Controller and the Processor are collectively referred to as the "Parties".
- The Parties have entered into an agreement concerning services relating to the Main Contract. In order to satisfy its obligations under the Main Contract, the Processor needs to Process Personal Data for which the Controller is the data controller.
- The General Data Protection Regulation (EU) 2016/679 (the "GDPR") requires that a written contract is entered into between the Controller and the Processor (a data processing agreement). This Storykit DPA regulates the Processor's Processing of Personal Data on behalf of the Controller as well as the organizational and technical measures that are to be achieved when Processing Personal Data.
- Unless otherwise stated in this Storykit DPA, all references to "Personal Data", "Processing", "Data Subject" and any other capitalized terms not defined herein shall have the same meaning in this Storykit DPA as in the GDPR.
- For the avoidance of doubt, obligations of the Processor in relation to Personal Data as set out herein apply only in relation to Personal Data of the Controller.
1. The Processing
- Personal Data that may be Processed by the Processor hereunder include Personal Data as described in Appendix 1.
- The Processor may only Process Personal Data in accordance with (i) this Storykit DPA, (ii) the Main Contract and its schedules, (iii) the GDPR and any other applicable law and, (iv) the documented instructions of the Controller.
- The Processor shall not Process Personal Data for its own purposes unless required to do so by applicable law.
The Processor has the right to engage or replace third parties as sub-processors for the Processing of Personal Data in accordance with this Storykit DPA (so called "Sub-processing") provided that the Processor and the sub-processor enter into a written contract and that the Sub-processing complies with this Storykit DPA and applicable law. The Processor shall remain responsible for any sub-processors. The Processor shall keep the Controller informed of any new appointments or replacement of sub-processors and provide the Controller with the possibility to object to a change of sub-processors; such objection shall be delivered in writing to the Processor no more than 14 days after the Processor informed the Controller of the change of sub-processors. Provided that the Controller's objection is reasonable and based on justified data privacy reasons, the Controller's remedy if the Controller does not approve of a new sub-processor is to terminate the Main Contract and this Storykit DPA by providing thirty (30) days' prior written notice, in which case Processor shall refund Controller any pre-paid fees.
The Sub-processors listed at www.storykit.io/legal/sub-processors are approved for processing of Personal Data under the Circumstances specified in this Storykit DPA. In order for the Controller to receive notifications of such updates, the Controller is referred to use a URL tracking service such as https://visualping.io/.
3. Security of Personal Data
The Processor shall implement appropriate technical and organizational measures to protect the Personal Data Processed in accordance with Article 32 of the GDPR. The Controller is responsible for analyzing and assessing the relevant security measures and confirming that they are sufficient considering the Personal Data to be processed hereunder.
4. Instructions and Assistance
- If the Processor lacks instructions from the Controller that the Processor deems necessary in order to Process the Personal Data, or if the Processor, in its reasonable opinion, considers the Controller's instructions to infringe the GDPR or other applicable law, the Processor (i) may refrain from the relevant Processing, (ii) will notify the Controller of its opinion, and (iii) the Controller shall immediately provide documented instructions in compliance with applicable legislation.
- At the Controller's request and to the extent possible, the Processor shall assist the Controller with the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as set out in chapter III of the GDPR. The Processor has implemented what it considers to be appropriate technical and organizational measures for this purpose. The Controller has analyzed the relevant measures and confirms by signing the Main Contract to this Storykit DPA that it considers the measures to be adequate.
- If requested, the Processor shall assist the Controller in fulfilling its obligations under the GDPR Articles 32-36 taking into account the information available to the Processor and the nature of the Processing. The Processor shall be compensated on a time and material basis when providing such assistance.
5. Audits and Supervision
The Controller has the right to monitor, by itself or by appointing an independent third party (that is not a competitor to the Processor and that is bound by confidentiality undertakings acceptable to the Processor in its reasonable opinion), that the Processor is compliant with the Controller's requirements for Processing of Personal Data hereunder. The Processor shall upon reasonable prior notification assist the Controller or a third party that performs such analysis with reasonable documentation, and be available to answer questions. Should the Processor fail to provide such documentation or be unavailable to answer questions, the Controller or such third party shall upon additional reasonable notice be granted access to premises, IT-systems and other assets used for the Processing of Personal Data, but strictly to the extent required to follow up the Processor's compliance with this Storykit DPA. The Processor's obligations to assist the Controller as set out hereunder are subject to the Controller agreeing to provide reasonable compensation to the Processor on a time and material basis.
The Processor will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons only process the Personal Data on a need-to-know basis rather than a nice-to-know basis.
7. Transfer of Personal Data
- The Processor may transfer Personal Data to a country outside the European Union ("EU")/European Economic Area ("EEA") provided that the Processor shall comply with the provisions of the GDPR relating to the transfer of Personal Data outside the EU/EEA and undertakes to take all steps necessary to comply and allow the Controller to comply with such provisions, e.g. by entering into Standard Contractual Clauses. The Processor shall be entitled to enter into Standard Contractual Clauses with any Sub-Processor on behalf of the Controller provided that all necessary steps have been taken with respect to assessing the legal landscape of the receiving country and that necessary measures are taken as a consequence of the third country's legislation.
Upon amendments to the list of Sub-Processors as set forth in section 2, the Controller shall without undue delay object to any changes that involve transfer of Personal Data outside the EU/EEA if the Controller has reasonable grounds to doubt such transfer does not comply with the GDPR.
The Parties are liable jointly and severally in relation to claims from data subjects. The party compensating the data subject shall have a right to recourse in accordance with the provisions under art. 82 of the GDPR.
The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under the GDPR.
For the purposes of section 8(b) above, both Parties shall, to a reasonable extent, provide information to the other Party which may be useful within the scope of a supervisory matter or a court proceeding.
9. Term and Termination
- This Storykit DPA shall enter into force on the date on which the Main Contract has been signed by both Parties and shall remain in force for as long as Processing of Personal Data is carried out by the Processor and/or a Sub-processor for the purposes stated in this Storykit DPA or the Main Contract.
- Upon termination of the Main Contract, the Processor shall, in accordance with the Controller's instructions, return the Personal Data it has to the Controller or delete or make it anonymous unless storage by the Processor is required by law. If the Controller has not provided its written instructions to the Processor within three (3) months after the termination of the Main Contract, the Processor may in its sole discretion decide to delete or return the Personal Data to the Controller.
- Subject to changes to or additional instructions of the Controller in writing according to this Storykit DPA, this Storykit DPA constitutes the entire agreement between the Parties relating to the subject matter hereof and may not be amended except in a written document executed by both Parties. In case of discrepancies between this Storykit DPA and the Main Contract, this Storykit DPA shall prevail.
- This Storykit DPA applies to and covers any changes, additions or amendments to the Main Contract (e.g. changes to the service description or additional support). If the Main Contract is terminated and a new contract with a similar scope and purpose to the Main Contract is entered into, but without a new data processing agreement, this Storykit DPA shall apply to the new contract. This also applies if an explicit reference is made to this Storykit DPA in a contract between the Controller and the Processor.
11. Governing Law and Settlement of Disputes
- This Storykit DPA shall be governed by and construed in accordance with the law stated in the Main Contract.
- Any dispute, controversy or claim arising out of or in connection with this Storykit DPA, or the breach, termination or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision in the Main Contract.
Specification of processing of Personal Data
The personal data to be processed concern the following categories of data subjects (please specify):
- Employees and/or subcontractors of Controller (“Users”)
- Data subjects of varying kinds included in the User Content (e.g. videos and articles) created by the Controller's Users in the Services or otherwise added to the Services by the Controller (may include suppliers, interviewees, contributors etc.).
Nature and purposes of the processing
The processing of data is necessary for the following purposes (please specify):
- User Account - Log in, authentication and account management of Users with access to Storykit on behalf of the Controller.
- User Content - Producing User Content (both editorial and marketing) in the Storykit core services by the Users on behalf of the Controller.
- User Account – collection and storage
- User Content – collection, storage and distribution
Categories of data
The personal data to be processed fall within the following categories of data (please specify):
- User account - name (required), email (required), username (required), profile image (optional), Twitter username (optional), Facebook username (optional), Instagram username (optional), Google+ username (optional)
- User content - Personal data included as part of User Content by the Users on behalf of the Controller (may include names or other personal data written in free text, images etc.)
The personal data to be processed fall within the following categories of sensitive data (please specify):
No sensitive data is processed for User Accounts. Sensitive data will only be processed if included as part of User Content by the users on behalf of the Controller for the sole purpose of handling User Content as set out in the Main Contract.
Processing activities based on Processor's purposes
When using the Services, the Processor will process some information based on the Processor's purposes. For this processing Storykit AB is the data controller. For further information about which information is gathered and for what purpose, please see the Storykit Integritetspolicy, www.storykit.io/legal/integritetspolicy
The personal data transferred may be stored for 6 months after the respective Order Term or until the Controller requests that the Processor delete the personal data, whichever comes first. The storage limit might be increased upon written agreement between the Controller and the Processor.