DATA PROCESSING AGREEMENT (DPA)

Last updated: 2026-07-02

1. Background and Purpose

1.1 This Data Processing Agreement (the “DPA”) forms an integral part of the General Terms
and Conditions (the “Main Agreement”) entered into by and between the customer (“Data
Controller” or “Customer”) accepting the Main Agreement and Just Klingit AB, reg.no 559287-
1304, (“Data Processor” or “Klingit”).

1.2 By using the Services and the Platform as defined in the Main Agreement, the Data
Controller will upload content that may contain personal data (“Customer Content”). This DPA
sets out the terms, requirements, and conditions for the Data Processor’s processing of such
personal data on behalf of the Data Controller to ensure compliance with the General Data
Protection Regulation (EU) 2016/679 (“GDPR”).

1.3 Where anything regulated in this DPA conflicts with the Main Agreement, the provisions of
this DPA shall take precedence with respect to data protection matters.

2. Definitions

These definitions shall, regardless of whether they are used in the plural or singular, in definite
or indefinite form, have the following meaning when entered with capital letters as the initial
letter.

Personal Data
Any information relating to an identified or identifiable natural person, where an identifiable
natural person is a person who directly or indirectly can be identified in particular by reference to
an identifier such as name, social security number, location data or online identifiers or one or
more factors which are specific to the natural person’s physical, physiological, genetic,
psychological, economic, cultural or social identity.

Processing
Any operation or set of operations which is performed on Personal Data or on sets of Personal
Data, whether or not by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.

Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the Processing of Personal Data.

Processor
A natural or legal person, public authority, agency or other body which Processes Personal Data
on behalf of the Controller.

Data Subject
Natural person whose Personal Data is Processed.

Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise
Processed.

3. The Processor’s Obligations

3.1 Instructions: Klingit shall only process personal data in accordance with the Data
Controller’s documented instructions, unless required to do so under European union (EU) law
or under the law of an EU member state to which Klingit is subject. In such a case, Klingit shall
inform the Data Controller of that legal requirement before processing the personal data, unless
that law prohibits such information on important grounds of public interest. The Main Agreement
and this DPA constitute the Data Controller’s complete instructions to Klingit.

3.2 Unclear or unlawful instructions: In the event that Klingit considers the instructions to be
unclear, potentially in violation of applicable data protection legislation, or insufficient for
performing the processing, Klingit shall (a) inform the Data Controller of this without undue
delay; (b) temporarily suspend the affected processing; and (c) await new or supplementary
instructions before resuming, unless otherwise agreed by the parties.

3.3 Confidentiality: Klingit shall ensure that persons authorized to process the personal data
have committed themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality. The list of persons granted access shall be reviewed regularly. On the basis of
the review, such access to personal data may be withdrawn if the access is no longer
necessary.

3.4 Security: Klingit shall implement appropriate technical and organizational measures to
ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. These
measures are further specified in Appendix 2.

4. Sub-processors

4.1 General Authorization: The Data Controller hereby grants Klingit a general written
authorization to engage sub-processors (including third-party generative AI services) to process
personal data on behalf of the Data Controller. The sub-processors currently engaged by Klingit
are listed in Appendix 3.

4.2 Notice of Changes: Klingit shall inform the Data Controller of any intended changes
concerning the addition or replacement of sub-processors at least fourteen (14) days in
advance. Notification can be made via email or through an update on the Platform.

4.3 Right to Object: The Data Controller may object to such changes on reasonable, data
protection-related grounds. If the parties cannot resolve the objection, either party may
terminate the Main Agreement.

4.4 Sub-processor Obligations: Klingit shall ensure that any sub-processor is bound by data
protection obligations materially similar to those set out in this DPA. Klingit remains fully liable to
the Data Controller for the performance of the sub-processor’s obligations.

4.5 Use of Artificial Intelligence (AI): In providing the Services, Klingit may utilize third-party
generative AI features. Klingit strictly ensures that any sub-processors providing such AI
capabilities (as listed in the approved sub-processor list) are bound by agreements stating that
Customer Content and personal data will not be used to train, develop, or improve their
foundational AI models. AI features are utilized strictly to generate results specifically requested
by the Data Controller within the Platform.

5. Assistance to the Data Controller

5.1 Data Subject Rights: Klingit shall, taking into account the nature of the processing, support
the Data Controller by appropriate technical and organizational measures, insofar as this is
possible, for the fulfilment of the Data Controller’s obligation to respond to requests for
exercising the data subject’s rights laid down in Chapter III of the GDPR.

5.2 Security and DPIAs: Klingit shall assist the Data Controller in ensuring compliance with the
obligations pursuant to GDPR Articles 32 to 36 (Security, Personal Data Breaches, and Data
Protection Impact Assessments), taking into account the nature of processing and the
information available to Klingit.

6. Personal Data Breaches

6.1 Notification: In the case of a personal data breach, Klingit shall, without undue delay after
having become aware of it, notify the personal data breach to the Data Controller.
The notification by Klingit to the Data Controller shall, where possible, occur within 24 hours of
Klingit becoming aware of the personal data breach, in order to enable the Data Controller to
comply with the obligation to notify the competent supervisory authority of the personal data
breach.

6.2 Information: The notification shall, to the extent possible, describe the nature of the breach,
the categories and approximate number of data subjects concerned, the likely consequences,
and the measures taken or proposed to be taken to address the breach. Where it is not possible
to provide full information simultaneously, the description may be provided in instalments
without undue further delay

7. Audits and Inspections

7.1 Klingit shall make available to the Data Controller all information necessary to demonstrate
compliance with the obligations laid down in GDPR Article 28.

7.2 Klingit shall allow for and contribute to audits, including inspections, conducted by the Data
Controller or another auditor mandated by the Data Controller. Such audits shall be conducted
during regular business hours, upon reasonable prior written notice (at least 14 business days),
and in a manner that minimally disrupts Klingit’s business operations. The Data Controller bears
the costs of the audit.

8. International Data Transfers

8.1 Klingit predominantly processes data within the EU/EEA. If Klingit or a sub-processor
transfers personal data outside the EU/EEA, Klingit shall ensure that such transfer is lawful
under Chapter V of the GDPR (e.g., by relying on the EU-U.S. Data Privacy Framework or
executing the European Commission’s Standard Contractual Clauses). The legal basis
applicable to each sub-processor’s international transfers is set out in Appendix 3.

9. Term, Deletion, and Return of Data

9.1 This DPA takes effect on the date both parties have signed the DPA and remains in effect
for as long as Klingit processes personal data on behalf of the Data Controller.

9.2 Upon termination of the Main Agreement, or at the Data Controller’s choice, Klingit shall
delete or return all personal data to the Data Controller. As per Klingit’s standard data retention
policy, Customer Content is stored until the Data Controller deletes it or the Customer Account
is terminated (e.g., after 24 months of inactivity following a prior notice), after which the data is
permanently deleted, including all existing copies, unless storage of the personal data is
required under EU law or under law of a EU member state to which Klingit is subject, in which
case Klingit shall notify the Data Controller of the applicable legal basis for retention.

9.3 Upon the Data Controller’s request, Klingit shall issue a written confirmation that deletion
has been completed.

10. Requests from Authorities

10.1 If a supervisory authority or other public authority submits a request to Klingit regarding the
processing of personal data under this DPA, Klingit shall: (a) promptly refer the request to the
Data Controller; (b) not disclose any personal data or other information about the processing
without written consent from the Data Controller, unless mandatory law requires such
disclosure; and (c) assist with the communication of information where covered by such consent
or legal requirement.

10.2 If a public authority or law enforcement body demands access to personal data under
compulsory legal powers, Klingit shall, to the extent permitted by applicable law, immediately
inform the Data Controller of such demand before complying, and co-operate with the Data
Controller to challenge or limit such demand where grounds exist to do so.

11. Applicable Law and Disputes

11.1 This DPA shall be governed by and interpreted in accordance with Swedish law, without
reference to its conflict-of-laws rules.

11.2 Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive
jurisdiction of a competent Swedish court.

APPENDIX 1: Specification of the Processing

Subject-matter and purpose: The processing is necessary for Klingit to provide the creative
design, web design, and marketing solutions (the “Services”) as described in the Main
Agreement. This includes storing, managing, and modifying Customer Content uploaded to the
Platform.

Duration of the processing: For the duration of the Main Agreement and until the data is deleted
in accordance with Section 9.

Categories of data subjects: Individuals whose personal data is included in the Customer
Content uploaded by the Customer (e.g., the Customer’s employees, end-customers, models, or
partners).

Types of personal data: Any personal data included in the Customer Content, which may
include names, contact details, photos, IP addresses, or audio/video files. The Data Controller is
strictly prohibited from uploading special categories of personal data (as defined in GDPR
Article 9, including but not limited to biometric data, health data, and data revealing racial or
ethnic origin) to the Platform. Where, despite this prohibition, such data is uploaded by the Data
Controller, the Data Controller accepts full responsibility for any consequences arising therefrom
and shall indemnify Klingit against any resulting claims, fines, or damages.

APPENDIX 2: Technical and Organizational Measures (TOMs)

Klingit maintains strict technical and organizational security measures to protect the data,
including but not limited to:

Access Control: Access to personal data is strictly limited to authorized personnel with a strict
“need-to-know” basis. All personnel are bound by confidentiality.

Authentication: Use of strong passwords and/or multi-factor authentication for administrative
access to the Platform and servers.

Encryption: Data is encrypted in transit (e.g., via TLS/HTTPS) and at rest using industry-
standard encryption protocols.

Backups: Regular backups are conducted to prevent data loss.

Physical Security: Data centers provided by our hosting partners feature strict physical access
controls, surveillance, and security personnel.

Logging and Monitoring: Access to personal data is logged continuously. Logs are retained for a
minimum of five (5) years unless a longer period is required by applicable law or the Data
Controller’s instructions.

Incident Response: Klingit maintains a documented incident response procedure to identify,
contain, assess, and report personal data breaches in accordance with Section 6 of this DPA

APPENDIX 3: Approved Sub-processors

By accepting this DPA, the Data Controller authorizes the use of the sub-processors listed
below. Klingit ensures that all sub-processors are vetted for security, privacy, and compliance,
applying data minimization and approved transfer mechanisms for any international data flows.

The currently approved sub-processors are maintained and listed dynamically at klingit.com/subprocessors, which is incorporated into this Appendix by reference.

HOW CAN I REACH OUT TO YOU?

If you have any questions or would like to reach out to us, you can always contact us by using the chat on the Site or the contact details below:

Email: [email protected]
Phone: 08–21 15 00

Company information:
Just Klingit AB, reg.no 559287–1304
Stora Nygatan 39, 111 27 Stockholm, Sweden