Data Processing Agreement

between

you as the customer
(“The Data Controller”)

and

IEX ApS
VAT NO.: DK35527710
Roholmsvej 10R
2620 Albertslund
Denmark
gdpr@iex.dk
(“The Data Processor”)

Each of the Data Controller and Data Processor is referred to as a “Party” and collectively as the “Parties.”

1. Background of processing

  1. This Data Processing Agreement has been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

2. Rights and obligations

  1. The Data Controller is responsible for ensuring that the processing of personal data complies with the General Data Protection Regulation (see Article 24 of the Regulation), other EU data protection rules, the national laws of the Member States, and this Data Processing Agreement.
  2. The Data Controller has the right and responsibility to make decisions regarding the purposes for which personal data are processed and the means used in the processing.
  3. The Data Controller is also responsible for ensuring that there is a legal basis for the processing of personal data that the Data Processor is instructed to carry out.
  4. This Data Processing Agreement takes precedence over any other agreements between the Parties.
  5. This Data Processing Agreement must be kept in writing, including electronically, by both Parties.

3. Details of processing

  1. The Data Processor may only process personal data in accordance with instructions from the Data Controller, unless otherwise required by EU law or the national law of a Member State. If further instructions are required from the Data Controller during the processing, these must always be provided in writing and stored electronically.
  2. The Data Processor must immediately inform the Data Controller if it believes that an instruction conflicts with this Data Processing Agreement, EU data protection rules, or national law.
  3. The processing is carried out through a technical solution developed by the Data Processor (hereafter referred to as the “System”), which ensures integration between the Data Controller’s webshop, accounting, POS, warehouse management, acquirer, subscription management, API, file formats, and/or other systems to which the Data Processor provides integration (hereafter referred to as “IT systems”).
  4. The Data Controller has entered into a subscription agreement (hereafter referred to as the “Subscription”) with the Data Processor to integrate and transfer data between the Data Controller’s IT systems. Data transfers made via the System constitute an instruction from the Data Controller through the Subscription. The Subscription may also include a trial period. The Data Controller cannot enter into the Subscription without accepting this Data Processing Agreement.
  5. Through the Subscription, the Data Controller chooses which of their IT systems will have data transferred between them and which categories of personal data will be transferred between the IT systems.
  6. Only the personal data selected by the Data Controller for storage in their IT systems can be transferred. The Data Controller can, at any time, view all personal data processed within the System via login access.

4. Purpose and legal basis for processing

  1. Provision of services, customer relationship management, and support. Processed under Article 6(1)(b) of the General Data Protection Regulation (GDPR), as it is necessary to fulfill the Subscription.
  2. Invoicing, accounting, and statutory record-keeping. Processed under Article 6(1)(c) of the GDPR, as the Data Processor is legally obligated under accounting legislation.
  3. Service messages regarding operations, changes to terms, and security. Processed under Article 6(1)(f) of the GDPR, based on the Data Processor’s legitimate interest in providing information necessary for the use of the service.
  4. Marketing via email. Sent only if the Data Controller has given consent, pursuant to Article 6(1)(a) of the GDPR. The Data Controller may withdraw consent at any time.

5. Confidentiality

  1. The Data Processor may only grant access to personal data processed on behalf of the Data Controller to persons who are subject to the Data Processor’s instructions and have committed to confidentiality or are bound by a statutory duty of confidentiality. This access should be granted only when necessary. The list of persons with access must be regularly revised. If it is found that access is no longer necessary, the access must be revoked, and the personal data should no longer be accessible to those persons.
  2. Upon request from the Data Controller, the Data Processor must be able to document that the individuals under the Data Processor’s instructions are also subject to the mentioned confidentiality obligation.

6. Data security and measures

  1. According to Article 32 of the GDPR, both the Data Controller and Data Processor must implement appropriate technical and organizational measures to protect personal data. This should consider the current state of technology, the costs of implementation, the nature of the processing, the scope, context, and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.
  2. The Data Controller must assess the risks of the processing and implement measures to minimize them. The Data Processor, independent of the Data Controller, must also assess and manage the risks of the processing. To do this, the Data Controller must provide the Data Processor with all necessary information to identify and assess the risks.
  3. The Data Processor must also assist the Data Controller in complying with their obligations under Article 32 of the GDPR, including providing necessary information about the technical and organizational security measures the Data Processor has implemented under Article 32, as well as other information required for the Data Controller to fulfill their obligations.
    • Physical Security Measures by the Data Processor:
      • The Data Processor secures physical premises with, among other things, video surveillance.
    • Organizational Security Measures by the Data Processor:
      • The Data Processor ensures that only authorized personnel have access to personal data processed on behalf of the Data Controller.
      • The Data Processor guarantees that personnel authorized to process personal data on behalf of the Data Controller have committed to confidentiality or are subject to a statutory duty of confidentiality. Furthermore, it is ensured that employees comply with the conditions set forth in the Data Processing Agreement.
      • The Data Processor’s employees are familiar with and obligated to follow internal guidelines on handling security breaches.
    • Technical Security Measures by the Data Processor:
      • The Data Processor uses only high-quality hardware and software, which are regularly updated, including antivirus software, anti-hacking software, and firewalls.
      • All communication to and from the System is encrypted over HTTPS (TLS), using cipher suites with 256-bit or 128-bit symmetric keys.
      • Access to the Data Processor’s internal IT systems is protected by encrypted login credentials, so that unauthorized individuals cannot gain access, and login is additionally secured with two-factor authentication (2FA).
      • To integrate the System with the Data Controller’s IT systems, the Data Processor receives the necessary passwords and access information. The Data Processor deletes this information once the integration setup is complete, unless the Parties have agreed otherwise. The Data Controller should likewise change the credentials it has provided, and delete any copies of them, once the setup is complete.
  4. If the Data Controller sends invoices through the integration (an optional setting), the System connects via Google OAuth. The System’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
  5. The Data Processor conducts testing, assessments, and evaluations of the effectiveness of the technical and organizational measures once a year.

7. Use of sub-processors

  1. The Data Processor must meet the conditions specified in Article 28(2) and 28(4) of the GDPR when using another data processor (a sub-processor).
  2. The Data Processor may not use a sub-processor to fulfill the Data Processing Agreement without the prior general written approval of the Data Controller.
  3. The Data Controller gives general approval for the use of sub-processors by the Data Processor. The Data Processor must notify the Data Controller in writing of any planned changes regarding the addition or replacement of sub-processors at least 1 month in advance, allowing the Data Controller to object to such changes before the sub-processor is used.
  4. When the Data Processor uses a sub-processor to carry out specific processing activities on behalf of the Data Controller, the Data Processor must, through a contract or other legal instrument under EU or Member State law, impose the same data protection obligations on the sub-processor as those set out in this Data Processing Agreement, ensuring in particular that the sub-processor provides sufficient guarantees to implement the necessary technical and organizational measures so that the processing complies with the requirements of this Agreement and the GDPR.
    The Data Processor is responsible for ensuring that the sub-processor at least complies with the Data Processor’s obligations under this Data Processing Agreement and the GDPR.
  5. If the sub-processor does not fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the sub-processor’s obligations. This is without prejudice to the rights of data subjects under the GDPR, including Articles 79 and 82, against the Data Controller, the Data Processor and the sub-processor.
  6. Any transfer of personal data to third countries or international organizations may only be carried out by the Data Processor based on documented instructions from the Data Controller and must always comply with Chapter V of the GDPR.
  7. If a transfer of personal data to third countries or international organizations, not instructed by the Data Controller, is required by EU law or the national law of a Member State to which the Data Processor is subject, the Data Processor must inform the Data Controller of this legal requirement before processing unless the relevant law prohibits such notification on important grounds of public interest.
  8. Without documented instructions from the Data Controller, the Data Processor cannot, within the framework of this Data Processing Agreement:
    • Transfer personal data to a data controller or data processor in a third country or international organization.
    • Delegate the processing of personal data to a sub-processor in a third country.
    • Process personal data in a third country.
  9. The Data Controller’s instructions regarding the transfer of personal data to a third country, including the transfer basis under Chapter V of the GDPR on which the transfer relies, are set out in the Subscription.
  10. This Data Processing Agreement should not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the GDPR, and this Data Processing Agreement cannot constitute a legal basis for the transfer of personal data under Chapter V of the GDPR.
  11. Sub-Processors Used:
    • 1password – Secure login storage
    • 3CX – Phone system
    • Clearhaus – Acquirer
    • e-conomic – Accounting
    • Frisbii – Subscription management
    • Google Cloud EMEA Limited² – Server hosting (Cloud), email (Gmail/Groups) and file sharing (Drive)
    • Intercom Inc.¹ – Case handling
    • Mailchimp¹ – Operational emails and newsletters
    • Nordea – Bank and payments/transfers
    • Rykkerportalen ApS – Debt collection and recovery
    • Slack¹ – Case management and communication
    • Viptel – Phone system

¹ Transfers to third countries via SCC (Commission’s standard contractual clauses)
² Transfers to third countries via the EU-U.S. Data Privacy Framework

8. Assistance to the Data Controller

  1. The Data Processor shall, taking into account the nature of the processing, assist the Data Controller as far as possible by appropriate technical and organizational measures in fulfilling the Data Controller’s obligation to respond to requests for exercising the data subjects’ rights laid down in Chapter III of the GDPR.
  2. This includes that the Data Processor shall, to the extent possible, assist the Data Controller in ensuring compliance with:
    • the obligation to provide information when collecting personal data from the data subject
    • the obligation to provide information if the personal data is not collected from the data subject
    • the right of access
    • the right to rectification
    • the right to erasure (“the right to be forgotten”)
    • the right to restrict processing
    • the obligation to notify regarding rectification or erasure of personal data or restriction of processing
    • the right to data portability
    • the right to object
    • the right not to be subject to a decision based solely on automated processing, including profiling
  3. In addition to the Data Processor’s obligation to assist the Data Controller under section 6.3, the Data Processor also assists the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, with:
    • the Data Controller’s obligation to notify the Data Protection Authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless it is unlikely that the breach results in a risk to the rights and freedoms of natural persons.
    • the Data Controller’s obligation to notify the data subject of a personal data breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons.
    • the Data Controller’s obligation to conduct an analysis of the intended processing activities’ impact on the protection of personal data (a data protection impact assessment) before processing.
    • the Data Controller’s obligation to consult the Data Protection Authority before processing, where a data protection impact assessment shows that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.

9. Notification of personal data breach

  1. The Data Processor will notify the Data Controller without undue delay after becoming aware of a personal data breach.
  2. The Data Processor’s notification to the Data Controller must, if possible, occur no later than 72 hours after becoming aware of the breach, allowing the Data Controller to comply with their obligation to notify the competent supervisory authority in accordance with Article 33 of the GDPR.
  3. In line with section 9.2, the Data Processor will assist the Data Controller in notifying the breach to the competent supervisory authority. This means that the Data Processor will assist in providing the following information, as required by Article 33(3), in the Data Controller’s notification of the breach to the supervisory authority:
    • The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
    • The likely consequences of the personal data breach.
    • The measures taken or proposed by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

10. Deletion and return of data

  1. In the System, the Data Processor stores the personal data processed according to the Data Controller’s instructions for as long as the Subscription is active and for up to 6 months after its termination, unless longer storage is necessary due to claims or disputes. This retention serves logging and troubleshooting. Likewise, support case records are stored during the agreement period and for up to 12 months after the termination of the Subscription.
  2. Invoices and accounting material for the Data Controller are stored for 5 years from the end of the financial year in accordance with accounting legislation.
  3. Upon termination of the Subscription, the Data Processor is obligated to delete all of the Data Controller’s personal data within 6 months, except for data subject to the retention periods in sections 10.1 and 10.2, which is deleted when those periods expire, unless EU law or the national law of a Member State requires the retention of personal data.
  4. The Data Processor undertakes to process the personal data only for the purpose(s), for the period, and under the conditions prescribed by this Data Processing Agreement.

11. Audit, including inspections

  1. The Data Processor will provide all information necessary to demonstrate compliance with Article 28 of the GDPR and this Data Processing Agreement and will allow and contribute to audits, including inspections, carried out by the Data Controller or another auditor authorized by the Data Controller.
  2. The Data Controller will bear any costs related to audits and/or physical inspections. However, the Data Processor is obligated to allocate the necessary resources (mainly time) required for the Data Controller to perform their audit and/or inspection.
  3. The Data Processor is obligated to grant supervisory authorities that, under applicable law, are entitled to access the facilities of the Data Controller or the Data Processor, or representatives acting on behalf of such a supervisory authority, access to the Data Processor’s physical facilities upon presentation of appropriate identification.

12. Parties' agreement on other matters

  1. The Parties may enter into additional agreements regarding the Subscription, such as provisions on liability, as long as such supplementary provisions do not conflict with the Data Processing Agreement or limit the fundamental rights and freedoms of the data subject as outlined in the GDPR.

13. Commencement and termination

  1. This Data Processing Agreement enters into force simultaneously with the Subscription. The Data Processing Agreement remains in effect as long as the Subscription is valid. During this period, the Data Processing Agreement cannot be terminated unless other provisions regulating the provision of the service concerning the processing of personal data are agreed upon between the Parties.
  2. Either party may request that the Data Processing Agreement be renegotiated if changes in the law or deficiencies in the agreement give cause for such renegotiation.
  3. If the Subscription is terminated and the personal data have been deleted or returned to the Data Controller in accordance with section 10, the Data Processing Agreement will automatically be terminated, as no further instructions concerning the processing of personal data will exist from the Data Controller.