« Back to terms and conditions
Terms of Service | Data Processing Agreement | Privacy Policy
User Policy | Developer Terms and Conditions
Last updated: 2025-02-03
Ungapped AB (556786-1264), hereinafter Ungapped, and Ungapped’s customer, hereinafter the Customer, have entered into an agreement regarding digital marketing services (the “Agreement”). The Agreement means that Ungapped will process personal information on Customer’s behalf. According to the rules in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, etc. (GDPR), such processing between the parties shall be regulated by agreement or similar. This Data Processing Agreement (the “DPA Agreement”) therefore supplements the Agreement with respect to the processing of personal data. What is set forth in this DPA shall prevail over the Agreement and its appendices unless otherwise expressly stated below. The DPA Agreement replaces any previous Data Processing Agreements or other agreements on the Processing of Personal Data between the parties.
The DPA agreement shall have the same definitions as can be found in the version of the GDPR in force at any given time. This means, for example, that the Customer is the Data Controller and Ungapped is the Data Processor in relation to the Customer.
Ungapped processes personal data from three different sources:
Ungapped stores the above data until the Customer or natural person deletes the data. It is up to the Customer to be responsible for ensuring that data is not stored for longer than can be considered permitted under the GDPR.
The Data Processor shall only process Personal Data in accordance with this DPA Agreement, the Agreement and its appendices, applicable law, the Supervisory Authority’s regulations and the Data Controller’s current and documented instructions from time to time. The Data Processor shall, in each Processing of Personal Data, ensure that, taking into account the nature of the Personal Data, appropriate technical and organisational measures are taken in such a way that the requirements of Applicable Law/Regulation are complied with and that the Data Subject’s rights are protected. The Data Processor shall not Process Personal Data for its own or any other purposes than those for which the Data Processor has been engaged by the Data Controller.The Data Processor shall, taking into account the latest developments, implementation costs and the nature, scope, context and purpose of the Processing, as well as the risks associated with the Processing, take appropriate technical and organisational measures to ensure an appropriate level of security, as stipulated in the Applicable law/regulation. The controller has the right, if necessary and with reasonable notice, to supplement this section with special instructions. The personal data must be protected against destruction, alteration, unauthorized dissemination and unauthorized access. The Personal Data shall also be protected against any other kind of unlawful Processing.The Data Processor shall take measures to ensure that all persons working under its direction comply with what is stated in this DPA Agreement and at any given time applicable instructions from the Data Controller, and that they are kept informed of the content of the Applicable Law/Regulation. The Data Processor shall limit access to the Personal Data to such persons who work under its direction and who need the Personal Data to perform their duties for the performance of agreements entered into between the Data Processor and the Data Controller. The Data Processor shall ensure that the persons who have access to the Personal Data are covered by confidentiality as set out in section 9 and that they are informed of how they may process the Personal Data.The Data Processor shall have an access control system that prevents unauthorized Processing of Personal Data or unauthorized access to Personal Data.The Data Processor shall provide and implement technical and practical solutions to investigate suspicions that someone in the event of unauthorized Processing, unauthorized access, destruction or alteration of Personal Data, as well as attempts to do so, or in the event of suspicion of other circumstances in connection with the Processing that may be of importance to the Data Controller, the Data Processor shall immediately notify the Data Controller in writing of the event and take measures to prevent similar incidents from occurring again. In the event of a Personal Data Breach, the Data Processor shall provide the following information to the Data Controller:
The information must be provided without undue delay. The Data Processor shall also otherwise and appropriately assist the Data Controller so that the Data Controller is able to meet the requirements under Applicable Law/Regulation that are imposed on a Data Controller in the event of Personal Data Breaches. In such a case, the Data Processor shall follow the instructions. The controller has the right to verify with reasonable notice that the technical and organisational security measures are actually taken during the performance of the DPA agreement. If the Data Processor does not have instructions from the Data Controller that the Data Processor deems necessary to carry out the Processing of Personal Data, or considers that the Data Controller’s instructions are wholly or partly in conflict with the statutes, regulations and recommendations that the Data Processor must comply with according to the DPA Agreement, the Data Processor shall without delay notify the Data Controller of its position and await the instructions that the Data Processor The controller assesses the required. The Data Processor shall, upon request, assist the Data Controller in impact assessments in accordance with Applicable Law/Regulation and prior to any consultations with the Supervisory Authority.The Data Processor shall document in writing the measures taken to fulfil its obligations under this section and shall, upon request, provide the Data Controller without delay with copies of this documentation. The Data Processor may not transfer Personal Data to Third Countries, or make Personal Data available to Third Countries, unless permitted as set out in section 7.The Data Processor may not transfer Personal Data to Third Parties, or make Personal Data available to Third Parties, unless permitted as set out in sections 5 and 6 below. The Data Processor shall not transfer any of its rights or obligations under this DPA to Third Parties unless permitted under Section 5.The Data Processor shall maintain a written record regarding all Processing of Personal Data in the manner set out in the GDPR.
The Data Processor shall correct, block, delete, amend or delete Personal Data in accordance with the Data Controller’s instructions. If, for example, the Data Controller has notified that Personal Data is to be deleted, such deletion shall take place no later than 30 days thereafter, unless the Data Controller notifies otherwise. The Data Processor shall, promptly and at the request of the Data Controller, assist the Data Controller in fulfilling the Data Controller’s obligations under Applicable Law/Regulation in relation to Data Subjects, such as providing information about which Personal Data the Data Processor processes in relation to Data Subjects or electronically transferring the Data Subject’s Personal Data to the Data Controller or to another Data Controller that The controller directs. If the Data Processor considers that the Data Controller’s instructions are in conflict with the Applicable Law/Regulation, the Data Processor shall promptly notify the Data Controller thereof. However, the Data Processor does not have the right to cancel the assignment for this reason. The Data Controller has the right, upon request, to access all relevant information and documentation regarding the measures taken by the Data Processor to meet the requirements imposed on the Data Processor under Applicable Law/Regulation.
The Data Processor may in turn engage a Data Processor (“Sub-Processor”) if the following conditions are met:
The Data Processor shall ensure that the Data Controller is aware at all times of which Sub-Processors are processing Personal Data.The Data Processor may not engage Sub-Processors if this means that Personal Data will be transferred to a Third Country unless the provisions of section 7 are met. Sub-processors used and with whom Ungapped has entered into a DPA agreement:
If the Data Subject, Supervisory Authority, other supervisory authority or other Third Party requests information from the Data Processor regarding the Processing of Personal Data, the Data Processor shall refer to the Data Controller.The Data Processor may not disclose Personal Data or other information about the Processing of Personal Data without the prior written consent of the Data Controller. The Data Processor shall assist the Data Controller in the event that a Data Subject requests access to information that is registered about him or her in the form of Personal Data or requests correction of such information. The Data Processor shall without delay notify the Data Controller in writing of any contacts from the Supervisory Authority or other supervisory authority that concern or may be of importance to the Processing of Personal Data. The Data Processor is not entitled to represent the Data Controller or act on behalf of the Data Controller vis-à-vis the Supervisory Authority or other supervisory authority that concerns or may be of importance to the Processing of Personal Data. In the event that the Data Processor is compelled by law or an order by public authority to disclose Personal Data, the Data Controller shall be informed as soon as possible of what data may be disclosed.
The Data Processor is not entitled to transfer Personal Data to Third Countries, unless the Data Controller has approved such transfer in writing in advance or one of the following conditions are met:
In the event that Personal Data is transferred to a Third Country, the Data Processor shall at all times be able to present documentation proving that the provisions of this section 7 are met.
The Data Controller has the right to follow up that the Data Processor lives up to the Data Controller’s requirements for the Processing. In such follow-up, the Data Processor shall assist the Data Controller or the person performing the audit with documentation, access to premises, IT systems and other assets necessary to be able to follow up the Data Processor’s compliance with this DPA Agreement. The Data Processor shall also ensure the Data Controller corresponding rights in relation to the Sub-Processors engaged. The Data Processor has the right to offer alternative methods of follow-up, such as auditing by an independent Third Party. In such a case, the controller shall have the right, but not be obligated to, apply this alternative approach to follow-up. The Data Processor shall also provide the opportunity for the Supervisory Authority, or other authority that concerns or may be of importance to the Processing of Personal Data, to carry out on-site supervision.
The Data Processor and the persons working under its direction must observe confidentiality when Processing Personal Data. This means that Personal Data may not be disclosed to third parties without authorisation. The Data Processor undertakes to ensure that the person(s) working under the direction of the Data Processor and who will process Personal Data comply with and comply with the Data Processor’s duty of secrecy pursuant to this Section 9.Personal data, information, instructions, system solutions, descriptions or other documents that the Data Processor obtains through the exchange of information under this DPA or any other agreement between the parties may not be used or disclosed to the Data Processor. other purpose than stated in this DPA or any other agreement between the parties, whether directly or indirectly, unless the Data Controller has consented to this in advance in writing. The duty of confidentiality does not apply to information that a party can show was publicly known or that has come to the party’s attention from a third party without a breach of this DPA Agreement.The Data Processor may disclose Personal Data without this entailing an action in violation of this DPA Agreement if the Data Processor has an obligation to disclose Personal Data by law or government order. In such a case, it is the responsibility of the Data Processor to immediately notify the Data Controller in writing of this and request that the requested Personal Data is covered by confidentiality at the time of disclosure. The duty of confidentiality also applies after this DPA agreement has ended.
The Data Processor is, in addition to the remuneration set out in the Agreement, not entitled to additional compensation for the Processing of Personal Data under this DPA Agreement.
The Data Processor undertakes to indemnify the Data Controller in the event that the Data Controller is obliged to pay damages to the Data Subjects under Applicable Law/Regulation if the Processing of Personal Data on which the compensation is based has been carried out by the Data Processor in violation of applicable law and with this DPA Agreement.The Data Processor also undertakes to indemnify the Data Controller in the event that the Data Controller suffer direct damage as a result of the Data Processor’s processing of Personal Data and this processing has taken place in violation of this DPA Agreement/written instructions from the Data Controller. This means that administrative fines imposed on the Data Controller as a result of the Data Processor processing Personal Data in violation of this DPA Agreement and applicable law are considered to constitute direct damage to the Data Controller.The Data Processor is responsible as on its own account and in full towards the Data Controller for each Sub-Processor’s Processing of Personal Data as a result of this DPA Agreement.
This DPA Agreement applies between the parties for as long as the Data Processor processes Personal Data for which the Data Controller is the Data Controller and as long as the Agreement is in force. Upon termination of the DPA Agreement, the Data Processor shall ensure that all Personal Data is handed over to the Data Controller in such customary format as the Data Controller defines. The Data Processor undertakes to delete all Personal Data processed under this DPA within 180 days from the termination of the DPA Agreement. However, deletion shall not take place until the Data Processor has informed the Data Controller in writing that deletion will take place and has provided Personal Data in accordance with the Data Controller’s instructions. When deletion has taken place, the Data Processor shall certify to the Data Controller in writing that this has taken place. If the Agreement is terminated and a new such agreement is entered into without a new data processing agreement being concluded, this DPA agreement also applies to the new agreement. If no new agreement is made, this DPA Agreement will terminate at the same time as the Agreement, with the exception of the provisions governing liability and any remaining rights and obligations after the termination of the DPA Agreement. Amendments and additions to this DPA must, in order to be valid, be made in writing and signed by both parties. Such amendments and additions to the DPA will enter into force 30 days after the signature by both parties, unless otherwise agreed. This clause 12 does not prevent the Data Controller from amending or issuing further instructions as set out in this DPA.
For this DPA agreement, Swedish law applies. Any dispute arising out of this DPA shall be finally settled in accordance with what is set forth in the Agreement.
Ungapped is a complete platform for growing businesses with tools for email marketing, surveys, invitations, signup forms and text messages. In addition to our platform, we also offer consulting services to help you create exceptional customer experiences.
Copyright © Ungapped 2022, which is part of Liana Technologies, part of the Finnish listed company Ilkka-Yhtymä Group.
Götgatan 22 A, 11846 Stockholm, Sweden, Sitemap, Cookies