This Data Processing Agreement (“DPA“) forms part of and is incorporated into the Terms of Service, Order Form or other written or electronic agreement between Leedflow Technology AB, company registration number 559491-1660 (“Processor” or “Leedflow“), and the customer entity that has entered into the Agreement with Leedflow (“Controller” or “Customer“).

This DPA applies where Leedflow Processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

For purposes of this DPA:

• “Applicable Data Protection Law” means the GDPR, UK GDPR, applicable national data protection laws and any binding guidance applicable to the processing under this DPA.
• “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority” have the meanings given in Applicable Data Protection Law.
• “Subprocessor” means any third party engaged by Leedflow to Process Personal Data on behalf of Customer.
  
  

2. Roles of the Parties

The parties acknowledge and agree that:

• Customer acts as Controller or, where applicable, as another processor acting on behalf of its own controller; and
• Leedflow acts as Processor with respect to the Personal Data processed on behalf of Customer under the Agreement.

Customer is responsible for:

• ensuring that it has a lawful basis for the Processing;
• providing all required notices to Data Subjects;
• ensuring that Personal Data is adequate, relevant and limited to what is necessary.
  
  

3. Subject Matter, Nature and Purpose of Processing

Leedflow will Process Personal Data for the limited and specified purpose of providing the Services to Customer under the Agreement.

The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data and the categories of Data Subjects are described in Appendix 1.

4. Customer Instructions

Leedflow shall:

• Process Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, through the configuration and ordinary use of the Services, and other documented instructions issued by Customer from time to time;
• inform Customer if, in Leedflow’s opinion, an instruction infringes Applicable Data Protection Law, unless prohibited by law from doing so.

Customer instructs Leedflow to Process Personal Data as necessary to:

• provide, secure, support and improve the Services;
• disclose Personal Data to Subprocessors in accordance with this DPA;
• transfer Personal Data internationally in accordance with this DPA;
• take measures required to comply with law applicable to Leedflow, provided Leedflow informs Customer of that legal requirement unless prohibited by law.
  
  

5. Confidentiality

Leedflow shall ensure that persons authorized to Process Personal Data:

• are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality; and
• access Personal Data only on a need-to-know basis and only where necessary for the purposes of the Agreement.
  
  

6. Security of Processing

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks to the rights and freedoms of natural persons, Leedflow shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.

These measures include, where appropriate:

• pseudonymization and encryption of Personal Data;
• measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• measures to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
• processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures.

A general description of Leedflow’s current technical and organizational security measures is set out in Appendix 2.

7. Subprocessors

Customer provides general authorization for Leedflow to engage Subprocessors.

Leedflow shall:

• ensure that each Subprocessor is bound by data protection obligations no less protective than those set out in this DPA;
• remain responsible for the performance of its Subprocessors.

Leedflow will inform Customer of material changes to Subprocessors.

8. Assistance

Taking into account the nature of the Processing, Leedflow shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligations to respond to requests for exercising Data Subject rights.

Leedflow shall also assist Customer in ensuring compliance with obligations relating to:

• security of processing;
• personal data breaches;
• data protection impact assessments, where applicable.
  
  

9. Personal Data Breach

Leedflow shall notify Customer without undue delay after becoming aware of a Personal Data Breach.

Such notification shall include, where available:

• a description of the nature of the breach;
• the categories and approximate number of Data Subjects concerned;
• the likely consequences of the breach;
• the measures taken or proposed to address the breach.
  
  

10. International Transfers

Leedflow may transfer Personal Data outside the EEA where necessary to provide the Services.

Such transfers shall be carried out in accordance with Applicable Data Protection Law using appropriate safeguards, including Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful mechanisms.

11. Deletion or Return of Data

Upon termination of the Services, Leedflow shall delete or return all Personal Data to Customer, unless retention is required by applicable law.

12. Liability

Liability arising from this DPA shall be subject to the limitations of liability set out in the Agreement.

13. Governing Law

This DPA is governed by Swedish law.

Appendix 1 – Processing Details

Purpose: Provision of the Services (lead generation, enrichment, outreach)

Data subjects: Users, employees, business contacts

Data types: Name, business email, job title, company data, usage data

Duration: For the duration of the Agreement

Appendix 2 – Subprocessors