DATA PROCESSING AGREEMENT (DPA)
Last updated 2026-06-23
1. Background and Purpose
1.1 This Data Processing Agreement (the “DPA”) forms an integral part of the General Terms and Conditions (the “Main Agreement”) entered into by and between the customer accepting the Main Agreement (“Data Controller” or “Customer”) and Just Klingit AB, reg.no 559287–1304, (“Data Processor” or “Klingit”).
1.2 By using the Services and the Platform as defined in the Main Agreement, the Data Controller will upload content that may contain personal data (“Customer Content”). This DPA sets out the terms, requirements, and conditions for the Data Processor’s processing of such personal data on behalf of the Data Controller to ensure compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
2. Definitions
Terms such as “personal data”, “processing”, “data controller”, “data processor”, “data subject”, and “personal data breach” shall have the meanings ascribed to them in the GDPR.
3. The Processor’s Obligations
3.1 Instructions: Klingit shall only process personal data in accordance with the Data Controller’s documented instructions, unless required to do so by European Union or Member State law to which Klingit is subject. The Main Agreement and this DPA constitute the Data Controller’s complete instructions to Klingit.
3.2 Confidentiality: Klingit shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security: Klingit shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. These measures are further specified in Appendix 2.
4. Sub-processors
4.1 General Authorization: The Data Controller hereby grants Klingit a general written authorization to engage sub-processors (including third-party generative AI services) to process personal data on behalf of the Data Controller. The sub-processors currently engaged by Klingit are listed in Appendix 3.
4.2 Notice of Changes: Klingit shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance. Notification can be made via email or through an update on the Platform.
4.3 Right to Object: The Data Controller may object to such changes on reasonable, data protection-related grounds. If the parties cannot resolve the objection, either party may terminate the Main Agreement.
4.4 Sub-processor Obligations: Klingit shall ensure that any sub-processor is bound by data protection obligations materially similar to those set out in this DPA. Klingit remains fully liable to the Data Controller for the performance of the sub-processor’s obligations.
4.5 Use of Artificial Intelligence (AI): In providing the Services, Klingit may utilize third-party generative AI features. Klingit strictly ensures that any sub-processors providing such AI capabilities (as listed in the approved sub-processor list) are bound by agreements stating that Customer Content and personal data will not be used to train, develop, or improve their foundational AI models. AI features are utilized strictly to generate results specifically requested by the Data Controller within the Platform.
5. Assistance to the Data Controller
5.1 Data Subject Rights: Klingit shall, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
5.2 Security and DPIAs: Klingit shall assist the Data Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 (Security, Personal Data Breaches, and Data Protection Impact Assessments), taking into account the nature of processing and the information available to Klingit.
6. Personal Data Breaches
6.1 Notification: In the case of a personal data breach, Klingit shall, without undue delay after having become aware of it, notify the personal data breach to the Data Controller.
6.2 Information: The notification shall, to the extent possible, describe the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to be taken to address the breach.
7. Audits and Inspections
7.1 Klingit shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28.
7.2 Klingit shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. Such audits shall be conducted during regular business hours, upon reasonable prior written notice (at least 30 days), and in a manner that minimally disrupts Klingit’s business operations. The Data Controller bears the costs of the audit.
8. International Data Transfers
8.1 Klingit predominantly processes data within the EU/EEA. If Klingit or a sub-processor transfers personal data outside the EU/EEA, Klingit shall ensure that such transfer is lawful under Chapter V of the GDPR (e.g., by relying on the EU-U.S. Data Privacy Framework or executing the European Commission’s Standard Contractual Clauses).
9. Term, Deletion, and Return of Data
9.1 This DPA remains in effect for as long as Klingit processes personal data on behalf of the Data Controller.
9.2 Upon termination of the Main Agreement, or at the Data Controller’s choice, Klingit shall delete or return all personal data to the Data Controller. As per Klingit’s standard data retention policy, Customer Content is stored until the Data Controller deletes it or the Customer Account is terminated (e.g., after 24 months of inactivity following a prior notice), after which the data is permanently deleted.
APPENDIX 1: Specification of the Processing
Subject-matter and purpose: The processing is necessary for Klingit to provide the creative design, web design, and marketing solutions (the “Services”) as described in the Main Agreement. This includes storing, managing, and modifying Customer Content uploaded to the Platform.
Duration of the processing: For the duration of the Main Agreement and until the data is deleted in accordance with Section 9.
Categories of data subjects: Individuals whose personal data is included in the Customer Content uploaded by the Customer (e.g., the Customer’s employees, end-customers, models, or partners).
Types of personal data: Any personal data included in the Customer Content, which may include names, contact details, photos, IP addresses, or audio/video files. The Data Controller is strictly advised not to upload special categories of personal data (sensitive data) to the Platform.
APPENDIX 2: Technical and Organizational Measures (TOMs)
Klingit maintains strict technical and organizational security measures to protect the data, including but not limited to:
Access Control: Access to personal data is strictly limited to authorized personnel on a strict “need-to-know” basis. All personnel are bound by confidentiality.
Authentication: Use of strong passwords and/or multi-factor authentication for administrative access to the Platform and servers.
Encryption: Data is encrypted in transit (e.g., via TLS/HTTPS) and at rest using industry-standard encryption protocols.
Backups: Regular backups are conducted to prevent data loss.
Physical Security: Data centers provided by our hosting partners feature strict physical access controls, surveillance, and security personnel.
APPENDIX 3: Approved Sub-processors
By accepting this DPA, the Data Controller authorizes the use of the sub-processors listed below. Klingit ensures that all sub-processors are vetted for security, privacy, and compliance, applying data minimization and approved transfer mechanisms for any international data flows.
The currently approved sub-processors are maintained and listed dynamically at klingit.com/subprocessors, which is incorporated into this Appendix by reference.
HOW CAN I REACH OUT TO YOU?
If you have any questions or would like to reach out to us, you can always contact us by using the chat on the Site or the contact details below:
Email: [email protected]
Phone: 08–21 15 00
Company information:
Just Klingit AB, reg.no 559287–1304
Stora Nygatan 39, 111 27 Stockholm, Sweden