1. Definitions
Unless otherwise defined, capitalized terms have the following meanings:
| Term | Meaning |
| --- | --- |
| Customer Personal Data | Any Personal Data processed by the Processor on behalf of the Customer pursuant to the Principal Agreement |
| Data Protection Laws | EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country |
| GDPR | EU General Data Protection Regulation 2016/679 |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data |
| Processing | Any operation performed on Personal Data, whether or not by automated means |
| Sub-processor | Any third party appointed by the Processor to process Customer Personal Data |
| Data Transfer | A transfer of Customer Personal Data from the Customer to the Processor, or an onward transfer to a Sub-processor, where such transfer would be prohibited by Data Protection Laws without appropriate safeguards |
The terms "Controller", "Data Subject", "Member State", and "Supervisory Authority" have the same meaning as in the GDPR.
2. Roles and Scope
In providing the Recoger services, you (the Customer) act as the Data Controller and Komply.1 AB acts as the Data Processor.
The Processor shall:
- Comply with all applicable Data Protection Laws in the Processing of Customer Personal Data
- Process Customer Personal Data only on the Customer's documented instructions
- Not process Customer Personal Data for any purpose other than as necessary to provide the Services
3. Processing Details
3.1 Categories of Data Subjects
- Customer employees and contractors
- Device users within Customer organization
- Customer administrators and account users
3.2 Types of Personal Data
- Names and email addresses
- Job titles and organizational roles
- Device identifiers (hashed where appropriate)
- IP addresses
- Device compliance status and security posture data
- Usage and activity logs
3.3 Purpose of Processing
To provide device compliance monitoring, SaaS security tracking, and security posture assessment services as described in the Principal Agreement.
3.4 Duration of Processing
For the duration of the Customer's subscription, plus the retention period specified in Section 10.
4. Processor Personnel
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Customer Personal Data, ensuring that:
- Access is strictly limited to individuals who need access for the purposes of the Principal Agreement
- All such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality
- All personnel receive appropriate data protection training
5. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including the measures referred to in Article 32(1) of the GDPR.
Current security measures include:
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Access controls and multi-factor authentication
- Regular security assessments and penetration testing
- Employee security awareness training
- Incident response and disaster recovery procedures
- Logging and monitoring of access to Personal Data
6. Sub-processors
The Processor shall not appoint any Sub-processor, or disclose any Customer Personal Data to any Sub-processor, unless authorized by the Customer.
The Customer hereby provides general authorization for the Processor to engage Sub-processors listed at recoger.co/legal/subprocessors.
The Processor shall notify the Customer of any intended changes to Sub-processors, giving the Customer the opportunity to object to such changes. The Processor shall ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
7. Data Subject Rights
Taking into account the nature of the Processing, the Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Customer's obligations to respond to requests to exercise Data Subject rights under Data Protection Laws.
The Processor shall:
- Promptly notify the Customer if it receives a request from a Data Subject in respect of Customer Personal Data
- Not respond to such requests except on the documented instructions of the Customer, or as required by applicable law
- Provide reasonable assistance with access, rectification, erasure, restriction, portability, and objection requests
8. Personal Data Breach
The Processor shall notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach affecting Customer Personal Data.
The notification shall include sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects under Data Protection Laws, including:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects concerned
- Categories and approximate number of Personal Data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
The Processor shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
9. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that the Customer reasonably considers to be required by Articles 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to the Processor.
10. Deletion or Return of Data
Upon termination of the Services or upon the Customer's request, the Processor shall, at the Customer's choice:
- Return all Customer Personal Data in a commonly used format; or
- Delete all Customer Personal Data and procure the deletion of all copies
Deletion shall occur promptly and in any event within 30 days of the cessation date. The Processor shall provide written certification of deletion upon request.
The Processor may retain Customer Personal Data to the extent required by applicable law, in which case the Processor shall inform the Customer of such retention and ensure continued confidentiality.
11. Audit Rights
The Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
The Processor shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer, subject to:
- Reasonable advance notice (minimum 30 days except in case of regulatory requirement)
- Confidentiality obligations regarding any information disclosed
- Audits being conducted during normal business hours and not unreasonably interfering with operations
- Reasonable costs being borne by the Customer for on-site audits
The Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or compliance attestations (such as SOC 2 reports) where available.
12. International Data Transfers
The Processor shall not transfer or authorize the transfer of Customer Personal Data to countries outside the EU/EEA without the prior written consent of the Customer.
All Customer Personal Data is processed within the EU/EEA (primary location: Frankfurt, Germany).
If any transfer outside the EU/EEA becomes necessary, the Parties shall ensure that the Personal Data is adequately protected through:
- EU adequacy decisions
- EU-approved Standard Contractual Clauses (SCCs)
- Other lawful transfer mechanisms under GDPR
13. Confidentiality
Each Party must keep this DPA and information it receives about the other Party confidential and must not use or disclose that information without the prior written consent of the other Party, except to the extent that:
- Disclosure is required by law or regulatory authority
- The relevant information is already in the public domain through no fault of the receiving Party
- Disclosure is necessary to exercise rights or perform obligations under this DPA
14. Liability
Each Party's liability under this DPA is subject to the limitations set out in the Principal Agreement. The Processor shall be liable for damages caused by Processing only where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside or contrary to lawful instructions from the Customer.
15. Governing Law
This DPA is governed by the laws of Sweden. Any dispute arising in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Sweden.
16. Contact
For DPA-related inquiries:
Need a signed DPA?
Contact us at dpa@recoger.co and we'll send you a countersigned copy for your records. Enterprise customers may request customized DPA terms.
Related Documents
This DPA should be read in conjunction with our Terms of Service, Privacy Policy, Service Level Agreement, and Subprocessors list.