DATA PROCESSING ADDENDUM

Updated: 2024-09-17

GENERAL

This Data Processing Addendum (the "DPA") forms part of the underlying agreement (the "Agreement"), inclusive of the terms and conditions ("Terms") and any associated amendments, statements of work or orders which are applicable to all Services provided by Ludo Technologies AB (company registration number 559371-1061) ("Ludo Technologies", "us", "our", "we", "Company" or "Processor") to our customer ("you", "Customer" or "Controller"). When we refer to the "parties" we mean you and us together.

The DPA sets forth Customer's instructions for the Processing of Personal Data in connection with the Services provided under the Agreement and the rights and obligations of both Parties. In the event of any conflicts between this DPA and any other terms in the Agreement, this DPA will govern to the extent of the conflict.

The DPA is binding upon acceptance of the Terms of the Agreement by the Customer, by the creation of an Account by the Customer, by the creation of an Account by a site visitor (also a Customer or "User") and/or by the use of the Services by the Customer.

DEFINITIONS AND INTERPRETATION

Capitalized Terms used in the DPA shall have the meanings ascribed to them below and/or in the Agreement.

"Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Sensitive/Special Category Data," "Supervisory Authority," and "Personal Data Breach" shall have the same meaning as in the Data Protection Law;

"Customer Personal Data" means data shared by the Customer which, as part of the Services, the Company Processes on behalf of the Customer, and which may include Personal Data of Authorized Persons as referred to in the Terms;

"Data Privacy Law" means all worldwide data protection and privacy laws and regulations applicable to the Customer Personal Data being Processed, and may include without limitation, where applicable: (a) the GDPR; (b) the UK GDPR and the Data Protection Act of 2018 (UK); (c) the Federal Data Protection Act of 19 June 1992 (Switzerland); and/or (d) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA");

"GDPR" means the EU General Data Protection Regulation 2016/679;

"Privacy Policy" means the Company's Privacy Policy (www.ludoo.app/legal/privacy-policy) which describes how the Company processes the Customer's personal data as a Controller;

"SCCs" means (i) where the GDPR applies, the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of Personal Data from the EEA to non-EEA countries that do not provide an adequate level of data protection, as currently set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, and (ii) where the UK GDPR applies, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO ("UK SCC").

PROCESSING OF CUSTOMER PERSONAL DATA

Roles of the Parties

The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer will be the Controller and Company will be the Processor.

For situations where the Company will be Controller of the Personal Data, please refer to the Privacy Policy.

The Parties agree to comply with their respective obligations under applicable Data Privacy Law with respect to any Customer Personal Data Processed under this DPA.

Customer Obligations

Customer shall comply with all applicable Data Privacy Laws in providing Personal Data to Company in connection with the Services. Customer represents and warrants that: (a) the Data Privacy Laws applicable to Customer and Customer Personal Data do not prevent Company from fulfilling the instructions received from Customer and performing Company's obligations under this DPA; (b) all Personal Data was collected and shared by Customer in compliance with all applicable Data Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from Data Subjects; and (c) Customer has a lawful basis for disclosing the Personal Data to Company and instructing Company to process the Personal Data as set out in this DPA. Customer shall notify Company without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Data Privacy Laws, in which case, Company shall not be required to continue processing such Personal Data.

If Customer opts in/agrees to/subscribes to any marketing material or newsletters as per the Privacy Policy, they agree that by doing so they give access to such marketing materials and newsletters to any Authorized Persons as shared users of an Account. The Customer agrees they are responsible for informing the Authorized Persons that the Customer has agreed to the receipt of such marketing material and newsletters by the Account and its Authorized Users. Customer may opt out/unsubscribe as per the Privacy Policy.

Company may use Customer and Authorized Person training and usage data for the improvement of the Services. Customer agrees and accepts the usage of such data by the Company also on behalf of the Authorized Persons to the extent any such training or usage data may constitute Personal Data. Customer is the Controller of Authorized Persons' Personal Data.

Company Obligations

When the Company acts as Processor of the Customer Personal Data, Company will only Process the Customer Personal Data on behalf of the Customer for the purposes of offering the Services under the Agreement, in accordance with applicable Data Privacy Law, this DPA and Controller's instructions, and solely for purposes stated below in the section Details of Processing. For all other instances where the Company will Process Customer Personal Data in order to offer the Services under the Agreement, it will do so as Controller as further specified in the Privacy Policy.

The Processor shall promptly notify the Controller if it determines that the Controller's instructions, or Processing on behalf of the Customer, will infringe Data Privacy Law(s), and in such event the Processor shall not be obligated to undertake such Processing until such time as the Controller has updated its instructions and the Processor has determined that the instance of non-compliance has been resolved.

The Processor shall maintain a record of all Processing activities carried out on behalf of the Controller which is available upon request.

DETAILS OF PROCESSING

Duration

The duration of Processing is the term of the Agreement and any period after the termination or expiry of the Agreement during which the Processor may be required to process Personal Data in accordance with the Agreement.

Purpose

Processor will process Personal Data as necessary to perform the Services and obligations pursuant to the Agreement, as further instructed by the Controller.

Customer instructs Company to Process Customer Personal Data for the following purposes: (a) to provide Services to Customer in accordance with the Agreement; (b) Processing of Users'/Customer's/Authorized Persons' e-mail addresses to provide log-in credentials; (c) Processing of Users'/Authorized Persons'/Customer's log-in credentials and IP address for authentication purposes and to provide access to the Subscription Services in accordance with the Agreement; (d) Processing of contact information and IP address to provide Support; and (e) hosting and storage of Customer Data that contains Customer Personal Data.

Nature of Processing

The provision of the Services as described in the Agreement and, more broadly, to collect, record, organize, store, adapt, alter, retrieve, redact, consult, use, align or combine, block, erase or destroy, disclose by transmission, disseminate or otherwise make available Customer Personal Data as described herein, as necessary for offering the Services.

The Processor Processes Personal Data on behalf of and on the instructions of the Controller, whereby, through the sales and service training platform the Processor offers, the Controller can share specific personal data of its Authorized Persons. The Processor can then in turn follow up and make available to the Controller data analysis based on the engagement and training of said Authorized Persons in the platform.

Types of Personal Data

The different types of Personal Data Processed are: name, email, store location and IP address.

There are no Special Categories of data or Sensitive Personal Data being Processed and at no time will the Processor receive any Sensitive Personal Data from the Controller under this Agreement.

Categories of Data Subjects

Customer and any Authorized Persons using an Account, as decided by Customer.

Location of Processing

EU, unless otherwise stated in the Sub-processor List.

Approved Sub-processors

As per the Sub-processor List at www.ludoo.app/legal/subprocessors.

SUB-PROCESSING

General Authorization

(a) provide 30 days' prior notice to Controller in the event of the engagement of any new or replacement Sub-processor, including updating the Sub-processor List. This notice will be given by way of email to Customer;

(b) impose substantially the same data protection terms on any Sub-processor it engages as contained in this DPA (including data transfer provisions, where applicable);

(c) remain fully liable for any breach of this DPA caused by an act, error, or omission of such Sub-processor; and

(d) sign SCCs with these Sub-processors where necessary in order to comply with Data Privacy Law, as further explained in the Section "International Restricted Transfers" below.

Rejection of a new Sub-processor

Controller may object to Processor's appointment of any new or replacement Sub-processor promptly in writing within thirty (30) days after receipt of notice of a change of Sub-processor. In such case, the parties shall discuss Controller's concerns in good faith with a view to achieving a reasonable resolution. If the parties cannot reach such resolution, Processor shall either not appoint the disputed Sub-processor, or permit Controller to suspend or terminate the Agreement with pro-rated refund of any prepaid fees.

DATA SUBJECT RIGHTS AND REQUESTS

Requests

Processor shall reasonably cooperate with Controller to enable Controller to respond to any requests, complaints, or other communications from Data Subjects and regulatory or judicial bodies relating to the processing of Personal Data, including requests from Data Subjects seeking to exercise their rights under Data Privacy Law(s). If any such request, complaint or communication is made directly to Processor, Processor shall pass this on to Controller and shall not respond to such communication without Controller's express authorization (unless required to do so to comply with Data Privacy Law).

DPIA

The Processor shall respond to questions relating to Data Protection Impact Assessments ("DPIA") applicable to the processing of personal data under this DPA without undue delay. Processor will assist Controller to conduct a DPIA, where required, and consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to Data Subjects.

Notification

To the extent permitted under applicable law, Processor will inform Controller without undue delay should the Personal Data under this DPA become subject to an authority, supervisory authority or regulator request for seizure or disclosure. Processor shall take commercially reasonable steps to minimize the scope of the request and limit the access of data to the authority or regulator, including but not limited to technical measures, encryption, movement of data to a jurisdiction not within scope of the request, and/or challenging the request.

SECURITY AND INCIDENT MANAGEMENT

Confidentiality

Processor will ensure that any personnel tasked with the processing of Personal Data are subject to an appropriate duty of confidentiality. For the avoidance of doubt, this DPA and its contents, as well as all Personal Data Processed, are confidential information and must be kept confidential and bound by any confidentiality obligations in the Agreement.

TOMS

The Processor represents and warrants that it has implemented and maintains a written comprehensive information security program containing appropriate administrative, technical, physical, and organizational measures and safeguards for the protection of Personal Data in line with the requirements of Data Privacy Law. The Processor further represents and warrants that such measures provide a level of security that is appropriate, considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the likelihood and severity of risks to the rights and freedoms of the Data Subjects. The Processor shall upon request provide Controller with an overview of all such measures. As appropriate, the measures will amongst other things include:

a) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing;

b) the pseudonymization and encryption of Personal Data;

c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

d) the ability to ensure confidentiality, integrity, availability and resilience of processing systems and services.

Processor will implement and maintain reasonable and appropriate technical and organizational security measures ("TOMs") to protect Personal Data from Data Breach in accordance with the security standards stated below.

a) All storage of personal data is encrypted with industry-leading encryption methods and requires a 2FA log-in to access. All data is stored on databases within the EU, encrypted at rest with AES-256 encryption and protected by TLS/HTTPS during transfer. All transfers to third countries are in full compliance with the Standard Contractual Clauses.

b) Mandatory internal governing documents, such as the Processor's data protection policy, are a part of onboarding and the code of conduct for all employees, partners, and consultants working with the Processor. The policies are updated and evaluated every 6 months to assure compliance with current practices, laws and regulations.

c) All code and generated data are backed up, with encryption, to ensure a secure usage of the platform, and allow for access to personal data in a timely manner in case of a physical or technical incident.

d) User login to the platform is handled with a password-less setup utilizing email access for extra security.

e) All computers used by the processor's employees, partners or consultants are encrypted and allow for remote wipe in case of theft.

f) Admin access to the Processor's internal systems and those of its sub-processors is granted on a need-to-use basis, and revoked the same day access is no longer needed by an employee, partner or consultant.

g) All partners, employees and consultants have been briefed on the Processor's data protection policy and DPAs and confidentiality agreements are signed with every consultant.

h) The Processor only stores and processes the least possible amount of personal data needed, such as names of employees and emails for their place of work, and personal emails for the managers and admins. All of the information is provided by the Controller, and the Controller dictates which individuals are to access the system and have their training engagement processed. The Controller has access to add and remove users and amend details as it sees fit.

i) The Controller, or the data subjects, may contact the Processor, using the contact information stipulated in this agreement, at any time with an inquiry to assert their rights under the applicable data protection laws, including, but not limited to, deletion, to which the Processor will respond in a timely manner.

Breach Notification

The Processor will promptly investigate any suspected data breach or security incident and in the event of a data breach or security incident, the Processor will inform the Controller without undue delay.

Processor shall, to the extent possible, provide timely information and cooperation to Controller to allow Controller to fulfil its Data Breach reporting obligations under Data Privacy Law and shall take commercially reasonable steps available to the Processor which may remedy or mitigate the effects of the Data Breach.

Audits

Upon reasonable notice from the Controller, once per 12 months, the Processor will make available to the Controller all documentation, certifications and information required to prove its compliance with this DPA. If this is not sufficient to prove compliance, the Controller will be permitted to audit the Processor. Any audit will be carried out at the full expense of the Controller. Should any audit (or any other circumstance) reveal Processor's non-compliance with this DPA, the Processor shall immediately at its own expense rectify such non-compliance. Any audit shall be: (i) carried out in a manner that prevents unnecessary disruption to Processor's operations; (ii) conducted during Processor's regular business hours; and (iii) subject to reasonable confidentiality procedures.

INTERNATIONAL RESTRICTED TRANSFERS

Limitations

Processor may not transfer or otherwise Process Personal Data in a location not listed in the Section "Location of Processing" above, unless and until Controller has confirmed its lawfulness.

SCCs

If Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred to a country that has not been found to provide an adequate level of protection under Data Privacy Law, the parties agree that the terms of the transfer shall be governed by the SCCs, Module 2 for Controller-to-Processor transfers and Module 3 for Processor-to-Processor transfers, which are incorporated herein by reference.

The parties agree that: (i) the particulars, including those relating to security and technical organizational standards, Sub-processors, parties involved, purpose of Processing, nature, location and category of Personal Data and Data Subjects in the SCCs (and the UK Addendum), will mirror those stipulated in this DPA; (ii) Clause 9 of the SCCs will follow Option 1 and coincide with this DPA; (iii) the optional sections in Clauses 7 and 11 of the SCCs are accepted; (iv) the Swedish Authority for Privacy Protection shall be the competent Supervisory Authority pursuant to Clause 13 of the SCCs; (v) Clause 17 of the SCCs will be Option 1; and (vi) Sweden shall be the member state for the purposes of Clause 17 and Clause 18(b) of the SCCs, coinciding with this DPA.

GENERAL

Deletion and return

Upon Controller's request, or upon termination or expiry of the Agreement or this DPA, Processor shall destroy or return to Controller all the Personal Data requested by Controller (including those processed by Sub-processors) unless Processor is required by any applicable law to retain some or all the Personal Data. Processor will confirm in writing that the destruction/deletion has taken place.

Upon termination or expiry of the DPA or the Agreement, the Controller will inform the Processor within 30 days of such expiration or termination if the Controller will require the personal data to be returned or destroyed. A return of personal data will be made in a readable and convenient format to the Processor. If the Controller requests a different format, the Processor will comply at the Controller's expense.

Deletion of Personal Data will happen within the legal parameters specified in applicable Data Privacy Law.

California Consumer Privacy Act (CCPA)

To the extent the CCPA applies to the Processing of Personal Data, the Processor understands and agrees that it is a Service Provider and Controller is a Business (as each term is defined in the CCPA). Processor shall not Sell (as defined in the CCPA) Personal Data.

Validity

In no event does this DPA restrict or limit the rights of any Data Subject or of any competent supervisory authority and this DPA is valid for as long as the Processor (or any Sub-processor) Processes Personal Data on behalf of the Controller.

This DPA is valid for as long as the Processor processes personal data on behalf of the Controller.

In the event of the Processor being obligated under applicable law to process personal data under this DPA after the expiration or termination of the DPA or the Agreement, it will continue to do so as the controller of the applicable personal data.

If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

Material Breach

A material breach entitles the innocent party to terminate the Agreement. Any breach which cannot be cured within 30 days of notification of breach will also constitute a material breach.

Liability

In the event one party suffers loss (including but not limited to administrative fines, Data Subject compensation claims and reasonable legal fees) due to the violation of this DPA by the other party, the violating party will indemnify the innocent party for any such loss.

Article 82 of the GDPR shall apply with regards to the Parties' divided and shared responsibility for liability towards any data subject who has suffered any damage or been awarded any compensation as a result of an infringement of the GDPR and this DPA.

Amendment

This DPA may be modified by the Company if such amendment is required in order to stay compliant due to a change in Data Privacy Law. In such an event, the Company will inform the Customer of any such amendments made.

For all other purposes of modification to the DPA, any amendments can only be made upon mutual agreement of the Parties.

Governing Law

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Privacy Law(s) or the SCCs.