Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between Firma Kimmo Björnsson, org. no. 780106-5595, Grankullegatan 67, 441 46 Alingsås, Sweden (the “Processor”, “BottomUp”) and the customer who has signed a Subscription Agreement for the BottomUp service (the “Controller”, “Customer”).
This DPA forms an integral part of the Subscription Agreement (the “Main Agreement”) and is accepted by the Customer when the Customer signs the Main Agreement. A separately signed DPA is available on request.
This DPA governs the Processor’s processing of personal data on behalf of the Controller in accordance with Regulation (EU) 2016/679 (the “GDPR”) and applicable Swedish data protection law.
1. Parties
The Controller is the customer organisation identified in the Main Agreement. The Processor is Firma Kimmo Björnsson, org. no. 780106-5595, info@bottomup.se.
The Controller determines the purposes and means of the processing. The Processor processes personal data solely on behalf of the Controller under this DPA and the Main Agreement.
2. Subject Matter, Duration, Nature and Purpose
- Subject matter: Processing of personal data necessary for the Processor to provide the BottomUp service – a cloud-based platform for financial forecasting, budgeting and analysis – to the Controller.
- Duration: This DPA applies for as long as the Processor processes personal data on behalf of the Controller under the Main Agreement, including the data return/deletion period under Section 12 below.
- Nature of processing: Storage, retrieval, structuring, aggregation, import from third-party systems (e.g. accounting systems, ERP), transmission, display and deletion of personal data, all as required to operate the Service.
- Purpose of processing: To enable the Controller to use the Service for internal financial planning, including personnel cost modelling.
A description of the processing, including categories of data subjects and types of personal data, is set out in Annex 1.
3. Roles and Compliance
3.1 The Controller is responsible for ensuring that there is a lawful basis for the processing, that data subjects have been informed, and that any transfer of personal data to the Processor is lawful.
3.2 The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law; in such a case the Processor shall inform the Controller of that legal requirement before processing, unless such law prohibits the notice on important grounds of public interest.
3.3 The Controller’s instructions to the Processor are set out in this DPA, the Main Agreement, and the ordinary use of the Service (including the configuration options the Controller chooses within the Service). Additional instructions must be given in writing.
3.4 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
4. Processor Obligations
The Processor shall:
- process personal data only as set out in Section 3;
- ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement the technical and organisational measures set out in Annex 2 to ensure a level of security appropriate to the risk (GDPR Art. 32);
- respect the conditions for engaging sub-processors (Section 6);
- taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligations to respond to data subject requests under Chapter III of the GDPR;
- assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of the processing and the information available to the Processor;
- at the choice of the Controller, delete or return all personal data after the end of the provision of services relating to processing, as set out in Section 12;
- make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits as set out in Section 9.
5. Security (Art. 32)
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to the rights and freedoms of natural persons.
The measures currently in place are described in Annex 2. The Processor may update these measures from time to time provided that the overall level of protection is not reduced.
6. Sub-processors
6.1 The Controller grants the Processor a general written authorisation to engage sub-processors, subject to the conditions in this Section 6.
6.2 The Processor’s current sub-processors are listed at https://www.bottomup.se/subprocessors.html (and summarised in Annex 3).
6.3 The Processor shall inform the Controller of any intended addition or replacement of sub-processors at least 30 days in advance. Notice shall be given by email to the Controller’s contact address or by publication on the sub-processors page. The Controller may object on reasonable grounds related to data protection within those 30 days, i.e. before the new sub-processor begins processing. If the Controller objects, the Parties shall discuss the matter in good faith. If no solution can be agreed, the Controller may terminate the Main Agreement with respect to the affected processing on 30 days’ written notice, with a pro-rata refund of prepaid fees for the unused term.
6.4 The Processor shall impose, by way of a written agreement, the same data protection obligations on each sub-processor as are imposed on the Processor under this DPA. The Processor remains fully liable to the Controller for the performance of its sub-processors’ obligations under this DPA (GDPR Art. 28(4)). This liability is subject to the limitations and exclusions set out in Section 13.
7. International Transfers
7.1 The Processor shall not transfer personal data to a country outside the European Economic Area (“EEA”) unless the transfer is based on a valid transfer mechanism under Chapter V of the GDPR, such as:
- an adequacy decision by the European Commission (e.g. the EU–US Data Privacy Framework); or
- the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented by additional safeguards where required.
7.2 Where a sub-processor is located outside the EEA, the Processor shall ensure that an appropriate transfer mechanism is in place and shall, upon request, make the documentation available to the Controller. Current third-country transfers are indicated at https://www.bottomup.se/subprocessors.html.
8. Personal Data Breach
8.1 The Processor shall notify the Controller without undue delay, and in any event within 36 hours, after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. The Processor’s notification is intended to support the Controller’s own 72-hour notification obligation under Article 33 GDPR.
8.2 The notification shall, to the extent possible, include:
- the nature of the breach, including categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- measures taken or proposed to address the breach and mitigate its effects;
- the name and contact details of the Processor’s point of contact for further information.
8.3 The Processor shall cooperate with and assist the Controller in fulfilling the Controller’s own notification obligations to the supervisory authority and, where applicable, to data subjects.
9. Audit and Information
9.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and GDPR Art. 28.
9.2 The Controller may, no more than once per 12-month period (or more frequently if required by a supervisory authority or following a confirmed personal data breach), audit the Processor’s compliance with this DPA. Audits shall:
- be conducted by an independent third party reasonably acceptable to both Parties and bound by an appropriate non-disclosure agreement (the Controller may not conduct the audit itself, and the auditor may not be a competitor of the Processor);
- be carried out during normal business hours, on at least 30 days’ prior written notice, and in a manner that does not unreasonably interfere with the Processor’s operations;
- not include access to the Processor’s source code or to data of other customers;
- be at the Controller’s expense, including the Processor’s reasonable time spent supporting the audit at the Processor’s then-current consulting rate (currently 1,200 SEK per hour, excl. VAT).
9.3 If an audit identifies a material non-compliance, the Processor shall be given 30 days to remedy the issue before the Controller may exercise any termination right based on that finding.
9.4 The Processor may satisfy the audit obligation by providing a current independent third-party assessment or certification (e.g. ISO 27001, SOC 2) of the Service, where available and to the extent it covers the relevant processing.
9.5 Inspections by a competent supervisory authority (e.g. IMY) are not subject to the limitations in this Section 9.
10. Data Subject Requests
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
If a data subject contacts the Processor directly with such a request, the Processor shall refer the data subject to the Controller and shall not respond to the request itself, unless otherwise instructed by the Controller.
11. Confidentiality
The Processor shall ensure that its personnel and sub-processors are bound by an appropriate obligation of confidentiality with regard to personal data processed under this DPA. The confidentiality obligation shall survive the termination of this DPA.
12. Return or Deletion of Personal Data
12.1 Upon termination or expiry of the Main Agreement, the Processor shall, at the choice of the Controller:
- return a copy of the personal data in a commonly used, structured, machine-readable format (e.g. CSV, JSON), subject to the Processor’s reasonable hourly rate for export work exceeding the standard export function in the Service; or
- delete all personal data.
12.2 The Controller’s choice must be communicated in writing within 30 days after termination. If no choice is communicated, the Processor shall delete the personal data.
12.3 The Processor shall delete all personal data, including from backup media, no later than 90 days after termination, except where storage is required by Union or Member State law. Backup copies will be overwritten according to the Processor’s standard backup rotation.
12.4 The Processor shall confirm the deletion in writing upon request.
13. Liability
The liability of each Party under this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement and the Terms of Service referenced therein. Nothing in this DPA limits liability that cannot be limited under mandatory law.
14. Term and Termination
This DPA enters into force on the effective date of the Main Agreement and remains in force for as long as the Processor processes personal data on behalf of the Controller under the Main Agreement. Sections 11, 12 and 13 survive termination.
15. Order of Precedence
In the event of a conflict between documents, the following order of precedence shall apply:
- This DPA (with respect to data protection matters);
- The Main Agreement (Subscription Agreement);
- BottomUp’s Terms of Service (https://www.bottomup.se/terms-of-service.html).
16. Changes to this DPA
The Processor may amend this DPA from time to time. Material amendments take effect either:
- at the start of the Controller’s next subscription renewal term, provided that the Processor has given at least 60 days’ written notice of the change; or
- with the Controller’s consent.
If the Controller does not accept a material change, the Controller may terminate the Main Agreement effective on the date the change would take effect.
17. Governing Law and Jurisdiction
This DPA is governed by Swedish law, without regard to conflict-of-law rules. Disputes shall be resolved by Swedish general courts, with Göteborg District Court (Göteborgs tingsrätt) as the court of first instance.
Annex 1 – Description of Processing
Categories of data subjects (typical):
- the Controller’s employees, contractors and consultants
- the Controller’s board members and owners (where relevant to financial reporting)
- the Controller’s customers and suppliers (where such data is imported from an accounting system or ERP)
Categories of personal data (typical):
- identifiers: name, employee ID, email address, telephone number
- employment data: role/title, department/cost centre, employment type, start and end dates
- compensation data: salary, benefits, pension contributions, variable pay, payroll tax, vacation accrual
- financial transaction data linked to an individual (e.g. supplier name where supplier is a sole trader, customer name where customer is a natural person)
- user account data for authorised users of the Service (name, email, IP address, login timestamps, audit log entries)
Special categories of personal data (Art. 9) / criminal convictions (Art. 10): The Service is not designed for, and the Processor does not intentionally process, special categories of personal data or data on criminal convictions. The Controller shall not upload such data to the Service.
Frequency of processing: Continuous for the duration of the Main Agreement.
Retention: Personal data is retained for the duration of the Main Agreement and deleted as set out in Section 12.
Annex 2 – Technical and Organisational Measures (Art. 32)
Access control
- Application user passwords are stored using a modern key-derivation function (not in plaintext)
Encryption
- TLS 1.2 or higher for all data in transit
- Database connections require TLS (the production Cloud SQL instance is configured to allow only SSL connections)
- Encryption at rest for databases, backups and file storage provided by Google Cloud Platform default encryption (AES-256)
Network and infrastructure security
- Hosting on Google Cloud Platform, region europe-west1 (Belgium). GCP holds ISO 27001, ISO 27017, ISO 27018 and SOC 2/3 certifications.
- Network segmentation between environments (production / staging / development)
- No production data in development or staging environments
Logging and monitoring
- Audit logs of user actions and administrative access
- Application error monitoring and alerting on failures
- Log retention of 12 months
Backups and resilience
- Daily automated Cloud SQL backups with 90 days retention
Physical security
- Inherited from Google Cloud Platform’s certified data-centre controls (ISO 27001, SOC 2/3); see https://cloud.google.com/security/compliance for current attestations.
Sub-processor oversight
- Written data processing agreements with each sub-processor
- Periodic review of sub-processor compliance
Annex 3 – Approved Sub-Processors
The current list of sub-processors is published and maintained at:
https://www.bottomup.se/subprocessors.html
The published list shall be considered an integral part of this DPA. Changes to the list are subject to the notice and objection procedure in Section 6.