Data processing agreement

This Data Processing Agreement (“DPA”) is a part of an agreement (the “Main Agreement”) under which Selma Intelligence AB (“Processor”) shall provide the party in the Main Agreement who has been identified as “Customer” (“Controller”) with the AI-driven sales service Selma (the “Service”). The Service includes processing by Processor of certain personal data relating to individuals on behalf of Controller. The DPA shall be applied to any such processing, whereby Controller is data controller and Processor is data processor.

The DPA is an appendix to the Main Agreement. In the event of inconsistency between the Main Agreement and the DPA, the DPA shall prevail where the inconsistency relates to processing of personal data.

1. Definitions

1.1 Terms used in this DPA that are defined by Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) shall have the same meaning when used herein, unless specifically defined in this DPA or the Main Agreement. The GDPR and any supplementary local adaptation applicable to a Party is below jointly referred to as “Applicable Law”.

2. Processing of Personal Data

2.1 As data controller it is the Controller’s responsibility that personal data is processed in accordance with Applicable Law. In its capacity as data processor, Processor shall process all personal data on behalf of Controller in accordance with the (i) Main Agreement, (ii) Applicable Law, and (iii) Controller’s documented instructions (the “Instructions”). In addition, the DPA constitutes the Controller’s instructions. Processor shall not take any measures in respect of personal data received from Controller or collected on behalf of Controller for purposes other than those set out in the Instructions, unless required to do so by Applicable Law in which case Processor shall give Controller prior written notice thereof (unless prevented to do so by Applicable Law). The Parties shall update the Instructions, where necessary, to reflect new or amended instructions.

2.2 Processor may refuse adhering to the Instructions provided by Controller if it would involve processing of personal data in conflict with Applicable Law, provided that Processor promptly notifies Controller thereof (unless prevented to do so by Applicable Law).

3. Security measures

3.1 Controller and Processor shall take appropriate technical and organizational measures to protect personal data which it processes pursuant to the DPA, in particular protection from accidental or unlawful destruction, alteration, unauthorized disclosure, unauthorized access, and other types of unauthorized processing.

3.2 The measures shall be adapted to a level which is appropriate, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures. At a minimum, Controller and Processor shall maintain the same level of protection as those imposed by Applicable Law.

3.3 Processor shall only allow access to the personal data to personnel on a need-to-know basis. Processor shall ensure that all personnel having access to the personal data are subject to adequate secrecy obligations.

3.4 Taking into account the nature of the processing and the information available to Processor, Processor shall assist Controller by appropriate technical and organizational measures, for the fulfilment of Controller's obligation to respond to requests for exercising a data subject's rights laid down in Applicable Law.

3.5 Controller and Processor shall comply with any decisions from a supervisory authority with jurisdiction over Controller or Processor. Processor shall also allow any supervisory authority to supervise the processing under this DPA.

4. Personal data breach

4.1 In the event of a personal data breach Processor shall without undue delay notify Controller and assist Controller, as requested, in fulfilling its notification obligations. The notification must, where possible, include at least the following:

a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) a description of the likely consequences of the personal data breach; and

d) a description of the measures taken or proposed to be taken by Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

5. Records and risk assessments

5.1 Processor shall keep written records (including in electronic form) of the processing activities performed for Controller, in accordance with Applicable Law.

5.2 Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, Processor shall reasonably assist Controller, prior to the processing, in carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data (including assisting Controller in consulting the supervisory authority). In accordance with Applicable Law such assistance shall take into account the nature of processing and the information available to Processor.

6. Data subject rights

6.1 Processor shall promptly refer to Controller all requests from data subjects and notifications, inquiries and similar from supervisory authorities (unless prevented to do so by Applicable Law).

7. Audits

7.1 Upon prior written notice, Controller is entitled to perform audits of Processor, through a reputable external auditor, in order to review that Processor’s processing of personal data is in compliance with this DPA. The audit shall be performed during office hours with minimal disruption to Processor’s business. The audit shall not grant the auditor access to trade secrets or proprietary information, unless required to comply with Applicable Law.

7.2 Controller shall ensure that the external auditor’s personnel conducting such audit are subject to adequate secrecy obligations. Processor shall give the assistance needed for performance of such audits and shall, upon written request from the auditor, provide all reasonably available information regarding the processing of personal data. Both Parties shall be entitled to receive a copy of the audit report.

8. Sub-processors

8.1 Processor will in the provision of the Service engage certain third parties (“Sub-processors”) which will act as sub-processors in accordance with this DPA. Controller confirms that it has no objections to the Sub-processors currently engaged by Processor, which are listed on Processor’s web page, and that Processor may engage new Sub-processors (including to replace current Sub-processors). Processor shall however inform Controller in writing (e-mail sufficient) of any intended changes concerning the addition or replacement of Sub-processors. Upon receipt of such information, Controller shall make a decision swiftly and in any event within 10 days of receipt. Failure by Controller to notify Processor of its decision within such time frame shall constitute an approval of the sub-processor. An objection by Controller must be based on reasonable grounds (e.g. that engaging the sub-processor would increase the risks for the data subject).

8.2 Where Processor engages a sub-processor in accordance with Section Error! Reference source not found. above, it shall do so only by way of written agreement with the sub-processor which imposes adequate data protection obligations on the sub-processor that in all material respects are similar to those in this DPA. Processor remains responsible for the sub-processor’s obligations under such agreement.

9. International data transfers

9.1 Processor may not transfer personal data outside the EU/EEA (or engage a sub-processor to process personal data outside of the EU/EEA) without Controller’s prior written consent. Where Controller consents to such transfer, Processor shall (i) comply with at least one of item a) to d) below, and (ii) upon request by Controller, demonstrate compliance with such item:

a) the receiving country has an adequate level of protection of personal data as decided by the European Commission;

b) Controller confirms that the data subject has given his/her consent to the transfer;

c) the transfer is subject to the European Commission’s standard contractual clauses for transfer of personal data to third countries; or

d) Processor is subject to Binding Corporate Rules and the receiving party in the third country is also subject to the Binding Corporate Rules.

10. Termination of the Main Agreement and deletion of data

10.1 Following termination of the Main Agreement and the end of the provision of Service, Processor shall, subject to Applicable Law and the Instructions, at Controller’s written request, either delete or return personal data processed on behalf of Controller hereunder and Processor shall not process any personal data for which Controller is the data controller in addition to the processing described in this Section 11, unless Processor is required to do so by Applicable Law and, if so, Processor shall inform Controller of any such obligations.

© 2025 Selma AI. All rights reserved.