Data processing agreement (DPA)

This Data Processing Agreement ("DPA") supplements any main agreement under which Supplers AB ("Processor") provides services to a customer organisation ("Controller") that involves processing of personal data on behalf of the Controller. It reflects the requirements of Article 28 GDPR. If you are an individual user without a written agreement, this document describes our processor commitments in general terms only.

The subject matter and duration of processing follow from the agreed services. Processing lasts for the term of the agreement and until deletion or return of data in accordance with that agreement and this DPA.

Processing may include collection, storage, adaptation, retrieval, use, disclosure by transmission, and erasure of personal data as needed to deliver the contracted services (for example user accounts, workplace inventory, bookings, and related workflows).

The categories of data and data subjects depend on how the Controller configures and uses the services. They may include employees and other end users, contact details, identifiers, usage logs, and content the Controller uploads. The Controller is responsible for the lawfulness of processing and for instructions to the Processor.

The Processor processes personal data only on documented instructions from the Controller unless EU or Member State law requires otherwise. The Processor ensures that persons authorised to process the data are bound by confidentiality. The Processor implements appropriate technical and organisational measures, assists the Controller with data subject requests where reasonable, assists with security and breach notifications as required by Article 32–34 GDPR, deletes or returns data at the end of services unless law requires retention, and makes available information necessary to demonstrate compliance and allows for audits agreed in writing.

The Controller generally authorises the Processor to engage sub-processors to support delivery of the services. The Processor remains responsible for sub-processors and will impose data protection terms consistent with this DPA. The Controller will be informed of material changes to sub-processors where required by the main agreement or applicable law.

Where personal data is transferred outside the EU/EEA, the Processor will ensure appropriate safeguards in line with GDPR, such as standard contractual clauses.

If this DPA conflicts with the main agreement, the provisions that best protect personal data and meet GDPR Article 28 shall prevail to the extent required by law.