Data Processing Agreement
1. Scope
1.1. This Data Processing Agreement (“DPA”) is an integral part of the Agreement between Berget and the Customer.
1.2. If the Customer Data contains personal data, the provisions of this DPA shall govern the processing of that personal data by Berget.
2. Definitions
Unless otherwise defined, the capitalised terms defined in the Terms of Service shall have the same meaning when used herein. In this DPA the following terms shall have the meanings set out below:
“End-Customer” means an end-customer of the Customer, who has engaged the Customer to process personal data regarding which the End-Customer is data controller, in which case the Customer acts as a data processor towards the End-Customer and Berget acts as a subprocessor of the Customer;
“Data Breach” means a breach of security attributable to the acts or omissions of Berget leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Relevant Personal Data;
“Data Protection Laws” means the data protection and privacy laws and regulations applicable to the processing of Relevant Personal Data under this DPA, including EU Regulation 2016/679 of the European Parliament and of the Council (“GDPR”);
“personal data”, “processing”, “data controller”, “data processor”, and “data subject” have the same meaning as in the Data Protection Laws;
“Relevant Personal Data” means the personal data controlled by the Customer, or, as the case may be, an End-Customer, and processed by Berget on behalf of the Customer pursuant to the Agreement;
“Supervisory Authority” means (i) an independent public authority which is established by an EU/EEA member state pursuant to Article 51 of GDPR; and (ii) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
3. Processing of Personal Data
3.1. Details of Processing:
a) Subject matter: Processing of Relevant Personal Data in order to provide the Service pursuant to the Agreement.
b) Duration: For as long as the Customer uses the Service in a manner that entails the processing of Relevant Personal Data by Berget.
c) Purpose: The provision of the Service ordered by the Customer.
d) Nature of the processing: Compute, storage and/or other Service described in the Agreement that the Customer may order under the Agreement.
e) Type of personal data: The Customer controls which types of personal data the Customer enters into the Service.
f) Categories of data subjects: The categories of data subjects may include the Customer’s, or, if applicable, End-Customers’ employees, job applicants, directors, agents, contractors, suppliers, customers, clients, and/or end-users.
3.2. Berget processes certain personal data also as data controller. Such personal data may include, inter alia, data of the Customer’s contact persons, users of the Services, credit card information, and other personal data of the Customer’s personnel which Berget processes in order to provide the Services, collect payments, and maintain and develop the customer relationship. Processing of this type of personal data is outside the scope of this DPA. For more information on how Berget processes personal data as data controller, please see Berget’s Privacy Policy available on Berget’s website at https://berget.ai
4. General Obligations of the Customer
4.1. The Customer shall comply with the Data Protection Laws and warrants that the Customer is, and for the duration of this DPA remains, in compliance with all responsibilities set for data controllers or data processors (as applicable) under Data Protection Laws towards data subjects, Berget, and, where applicable, the End-Customers.
The Customer is fully responsible for ensuring that all personal data transferred to Berget complies with applicable data protection laws, including GDPR.
4.2. If the Customer acts as data controller of the Relevant Personal Data, the Customer shall be responsible for the lawful collection, processing and use, and for the accuracy of the Relevant Personal Data, as well as for preserving the rights of the data subjects concerned, and the Customer shall be responsible for informing the data subjects about the processing of their personal data by Berget, and shall obtain the needed consents from the data subject, if necessary.
4.3. The Customer shall ensure that the Customer is entitled to process the Relevant Personal Data and to disclose, transfer or otherwise make it available to Berget for lawful processing hereunder. The Customer acknowledges that due to the nature of the Service, Berget cannot control and has no obligation to verify what types of personal data the Customer transfers to Berget for processing in connection with the Service.
5. General Obligations of Berget
5.1. Berget shall process the Relevant Personal Data in accordance with (i) the Data Protection Laws, (ii) this DPA, (iii) the Agreement, and (iv) the Customer’s documented processing instructions set out in this DPA or given otherwise, provided that any processing instructions issued by the Customer outside this DPA solely pertain to: (a) changes in the Data Protection Laws and/or guidance of the Supervisory Authority, European Data Protection Board or other similar competent authority, or (b) a decision or court order issued by a competent court. Without prejudice to the above, further processing instructions may also be issued otherwise as mutually agreed in writing by the Parties.
5.2. Without prejudice to Article 28(3) of GDPR, Berget shall not be obliged to verify whether any processing instructions issued by the Customer are compliant with the Data Protection Laws, as the Customer is responsible for such compliance verification of its processing instructions. Nonetheless, if Berget detects that any processing instructions issued by the Customer are non-compliant with the Data Protection Laws, Berget shall inform the Customer thereof.
5.3. Berget shall not use the Relevant Personal Data for any purposes other than that of providing the Service, and shall not process, transfer, modify, amend, assert liens or other right over or alter the Relevant Personal Data. Berget shall not disclose or permit the disclosure of the Relevant Personal Data to any third party without the Customer’s prior written approval, unless such disclosure is required by applicable laws or an order of Governmental Authority, in which case Berget shall, to the extent legally permitted, inform the Customer of the disclosure.
6. Berget’s Assistance Obligations
6.1. Berget agrees to reasonably and insofar as practically possible assist the Customer in the fulfilment of the Customer’s, and where applicable, End-Customer’s, obligations (as a data controller in each case) under the Data Protection Laws to respond to requests for exercising data subject rights established under the Data Protection Laws by implementing appropriate technical and organisational measures to facilitate the fulfilment of such obligations and by providing the Customer with necessary information relating to Berget’s processing of the Relevant Personal Data. However, the Customer shall primarily use the corresponding control functions of the Service in responding to such requests, such as the Control Panel.
6.2. Berget shall further provide the Customer with commercially reasonable assistance in enabling compliance with the Customer’s, and where applicable, End-Customer’s (as a data controller in each case), obligations to perform data protection impact assessments, breach notifications and prior consultations of the competent Supervisory Authority, as set out in the applicable Data Protection Laws, taking into account the nature of the processing and the information available to Berget.
6.3. If the Customer requires assistance from Berget, Berget shall be entitled to a reasonable remuneration for providing the assistance. The amount of remuneration will be agreed upon between the Parties in advance.
7. Berget’s Personnel
7.1. Berget shall ensure that its personnel (including its subprocessors’ personnel) who process the Relevant Personal Data:
(i) process the Relevant Personal Data in accordance with the Customer’s written instructions and only for the purposes allowed under this DPA;
(ii) are informed of the confidential nature of the Relevant Personal Data and are aware of Berget’s obligations under this DPA;
(iii) are under confidentiality undertakings or an appropriate statutory obligation of confidentiality; and
(iv) have undertaken appropriate training in relation to the processing of the Relevant Personal Data.
8. Security Measures
8.1. Berget and the Customer shall implement and maintain appropriate technical and organisational security measures to protect the Relevant Personal Data within their areas of responsibility, in order to safeguard the Relevant Personal Data against unauthorised or unlawful processing or access and against accidental loss, destruction or damage. Such measures include, where necessary and appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the following measures:
(i) access right controls to systems containing the Relevant Personal Data;
(ii) the pseudonymisation and encryption of the Relevant Personal Data;
(iii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iv) the ability to restore the availability and access to the Relevant Personal Data in a timely manner in the event of a physical or technical incident; and
(v) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
9. Subprocessors
9.1. Berget is entitled to use subprocessors in the provision of the Service. The subprocessors approved by the Customer are listed in Appendix 1 hereto. The subprocessors actually used by Berget depend on the Services ordered by the Customer, as described in Appendix 1.
9.2. Berget ensures that the engaged subprocessors are properly qualified, are under a data processing agreement with Berget, and comply with data processing obligations similar to the ones which apply to Berget under this DPA. Berget shall be liable towards the Customer for the processing of Relevant Personal Data carried out by Berget’s subprocessors.
9.3. Berget is entitled to change its subprocessors. Berget shall inform the Customer regarding changes (additions or replacements) in the subprocessors by providing at least 30 (thirty) days’ advance notice, giving the Customer the opportunity to object to such change. The Customer may object to the change by providing a written notice thereof to Berget within thirty (30) days after being informed of the change. In such case, the Parties shall strive to find an alternative solution. If such a solution is not found, the Customer may terminate the Agreement without any liability to Berget.
10. International Transfers
10.1. The Customer may choose in which Berget data centre(s) the Relevant Personal Data will be processed. All our data centres are within the European Economic Area (“EEA”). Berget shall not move the Relevant Personal Data from the selected data centre unless explicitly instructed to do so by the Customer.
11. Audits
11.1. Upon written request of the Customer, Berget agrees to make available to the Customer and, where relevant, to the End-Customer, the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits by the Customer or an established third-party auditor approved by Berget (such approval not to be unreasonably withheld) and agreed by both Parties (“Mandated Auditor”), of Berget’s systems and premises where the processing of Relevant Personal Data takes place, in order to assess Berget’s compliance with this DPA. Berget shall permit the Customer, or, where relevant, a Mandated Auditor to inspect and audit Berget’s relevant records solely pertaining to the Relevant Personal Data, and to inspect and audit processes and systems related to the processing of the Relevant Personal Data. Berget agrees to co-operate in respect of such audits. All audits by the Customer, or, where relevant, by a Mandated Auditor are subject to a thirty (30) days’ prior written notice.
11.2. Where an audit may lead to the disclosure of business or trade secrets of Berget (or its Affiliates or other customers) or otherwise pose a threat to intellectual property rights of Berget, the Customer shall employ a Mandated Auditor to carry out such audit. Whenever a Mandated Auditor is used, the Customer shall procure such Mandated Auditor’s acceptance to be bound to confidentiality to Berget’s benefit by way of such confidentiality undertaking as accepted by Berget.
11.3. Unless otherwise agreed between the Parties, the Customer is allowed to conduct one (1) audit in every twelve (12) months. Any audit must be conducted during the normal business hours of Berget and in a way that does not cause substantial disturbance to Berget’s business operations. The Customer shall bear all costs and expenses relating to the audits conducted hereunder and pay a reasonable compensation to Berget for the work required to assist in the audits.
12. Data Breaches
12.1. Berget shall notify the Customer without undue delay after becoming aware of any Data Breach, providing the Customer with sufficient information which allows the Customer to meet its obligations to report a Data Breach under the Data Protection Laws. Such notification shall at a minimum:
(i) describe the nature of the Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Relevant Personal Data records concerned;
(ii) communicate the name and contact details of Berget’s contact point where more information can be obtained; and
(iii) describe the measures taken by Berget to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
12.2. Berget shall cooperate with the Customer and, where relevant, the End-Customer, and take commercially reasonable steps to assist in the investigation, mitigation and remediation of the Data Breach.
13. Deletion and Return of Personal Data
13.1. For deletion and return of the Relevant Personal Data, the Customer shall primarily use the functionalities of the Service through the Control Panel.
13.2. The Customer agrees that within a reasonable time after the termination or expiry of the Agreement, or after the Customer has permanently ceased to use the Services, Berget shall delete and procure deletion of all copies of the Relevant Personal Data processed by Berget or any subprocessor, unless Berget is obliged to retain copies of the Relevant Personal Data pursuant to applicable laws or orders of Governmental Authority.
14. Liability
14.1. Each Party’s liability for: (i) damages incurred by a data subject and (ii) administrative fines imposed by a Supervisory Authority, in connection with the processing of the Relevant Personal Data under this DPA shall be defined in accordance with Articles 82 and 83, respectively, of the GDPR, or another corresponding and applicable provision of compulsory Data Protection Laws.
14.2. Otherwise the Parties’ liability for a breach of the DPA shall be subject to Section 19 (Limitation of Liability) of the main body of the Terms of Service.
15. Term
15.1. This DPA remains in force until Berget ceases to process the Relevant Personal Data pursuant to the Agreement, whereafter this DPA shall automatically expire.
APPENDIX 1 – Berget Subprocessors
Berget may utilise its Affiliates in the provision of the Service, as may be necessary for the provision of the Services ordered by the Customer.
Berget’s Operations Team members may need to work with or handle resources containing Customer Data when maintaining Berget’s data centre infrastructure or resolving issues reported by the Customer (e.g. moving storages from one physical host machine to another physical host machine in the same data centre). As Article 4 of the GDPR provides a very extensive definition for ‘processing’, such actions can be deemed as processing under the GDPR even though they do not entail accessing the Customer Data.
Therefore Berget considers some of its Affiliates as subprocessors regardless of the data centre(s) the Customer has selected. However, Berget personnel will never take actions to access the Customer Data, unless specifically requested by and agreed in advance with the Customer.
The following list describes in which cases Berget Affiliates will be utilised in the provision of the Services:
- GetGeek AB (Org nr: 559073-1039), provides services to Berget AI AB with regards to network and server design and operations and support
- Acebit AB (Org nr: 559265-3538), provides services to Berget AI AB with regards to network and server design and operations and support