Data Processing Agreement

1. Parties and applicability

This Data Processing Agreement (“DPA”, also referred to in Swedish as “PUBA”) constitutes a schedule to and an integral part of the agreement governing the Customer’s use of Talentwise’s services (the “Main Agreement”). This DPA applies solely to the processing of personal data where Talentwise acts as a data processor in accordance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”).

• Data Controller (the “Customer”) refers to the legal entity that has entered into the Main Agreement.
• Data Processor (“Talentwise”) refers to Talentwise AB, reg. no. 556956-0351.

Processing carried out within the scope of Talentwise’s publishing licence (utgivningsbevis) pursuant to the Swedish Freedom of Expression Act (Yttrandefrihetsgrundlagen, YGL) does not fall within the scope of the GDPR and is therefore not governed by this DPA.

2. Nature, purpose, and scope of the processing

2.1. Talentwise processes personal data in order to provide the services ordered by the Customer under the Main Agreement and the applicable Service Agreement(s).

2.2. The processing may include storage, structuring, access control, technical provision, support, and other necessary operational activities.

2.3. The categories of personal data and data subjects are set out in the applicable Service Agreement(s) or in the Customer’s instructions.

2.4. The processing shall be carried out for the duration of the Agreement and for the retention periods specified in the applicable Service Agreement(s) or in the Customer’s instructions.

2.5. Detailed processing instructions for each service are set out in Schedule 2.1 to this DPA.

8. Security

8.1. Talentwise applies appropriate technical and organisational security measures in accordance with Article 32 of the GDPR in order to protect personal data. Such security measures include, inter alia:

• Encryption: all identifying information is stored in encrypted form using modern encryption technology (e.g. AES-based encryption), and communications are protected using TLS.
• Access control: role-based and permission-based access control, multi-factor authentication (MFA) for administrative access, and logging of access events.
• Logging: system logs and security logs are maintained and monitored in order to detect anomalous behaviour.
• Backup and recovery: backups are performed on a regular basis and retained for a limited period to enable recovery in the event of an incident.
• Redundancy: the operating environment uses redundant components (including network, power supply, and cooling) to ensure high availability.
• Incident management: established processes are in place to detect, manage, and report security incidents.
• Training: personnel receive regular training in information security and data protection.

12. Governing law and disputes

12.1. In the event of any conflict between this DPA and the General Terms and Conditions, this DPA shall prevail with respect to matters relating to the processing of personal data.

12.2. Provisions regarding governing law and dispute resolution shall be governed by and follow the Main Agreement.