Skillhabit Data Processing Agreement
1. Background
1.1
This Data Processing Agreement ("DPA") forms part of the agreement between TicTac Learn AB ("Processor") and the client identified in that agreement ("Controller") regarding the Processor's provision of the Skillhabit service (the "Main Agreement").
1.2
Under the Main Agreement, the Processor provides the cloud-based learning platform Skillhabit ("Skillhabit") and processes Personal Data on behalf of the Controller in connection with the Controller's use of Skillhabit (the "Processing"). The Controller and the Processor are each a "Party" and together the "Parties".
1.3
The purpose of this DPA is to ensure that the Processing takes place in accordance with Data Protection Laws and Regulations, the Controller's instructions and what has otherwise been agreed between the Parties. This DPA shall be considered to be an integral part of the Main Agreement.
1.4
In the event of conflicts between the provisions of this DPA and the Main Agreement, this DPA shall prevail.
2. Applicable law and definitions
2.1
Data Protection Laws and Regulations shall apply to the Processing.
2.2
"Data Protection Laws and Regulations" means all applicable laws, regulations and rules applicable to the processing of personal data, including but not limited to the EU General Data Protection Regulation 2016/679/EC and any amendments to, additions to or regulations replacing such laws, regulations and rules.
2.3
Unless otherwise stated in this DPA, concepts used in this DPA shall have the meaning given to them in Data Protection Laws and Regulations.
2.4
In addition to the concepts defined in Data Protection Laws and Regulations, the following terms have the meanings given below: "Sub-Processor" means any third party engaged by the Processor to process personal data on behalf of the Controller under this DPA, as set out in Section 6 and Annex B; "Personal Data Breach" has the meaning given in Article 4(12) GDPR; "Services" means the services described in the Main Agreement; and "Sub-Processing Agreement" means the written data protection agreement between the Processor and a Sub-Processor under Section 6.3.
3. Responsibilities of the Controller
3.1
In relation to the Data Subjects, the Controller is responsible for ensuring that the Processing has a lawful basis and otherwise meets the requirements of Data Protection Laws and Regulations.
3.2
The Controller confirms that the Processing is consistent with the purposes for which the Personal Data covered by the Processing has been collected.
3.3
It is the responsibility of the Controller to ensure that the Processor is informed at any given time of the Controller's current instructions, such as those in Annex A and other written instructions from the Controller regarding the Processing. In the event that the Controller gives new instructions regarding the Processing that deviate from those resulting from the Services under the Main Agreement, and these instructions require more from the Processor and go beyond what is prescribed by the Data Protection Laws and Regulations or official guidance issued by the European Data Protection Board or the competent supervisory authority for the Processing, the Processor shall consider, but is under no obligation to accept, such instructions. If such additional instructions significantly change the scope of the services performed by the Processor under the Main Agreement, the matter shall primarily be dealt with under the Main Agreement.
3.4
All instructions from the Controller must be written or otherwise documented.
4. Responsibilities of the Processor
4.1
The Processor shall process Personal Data only on the Controller's documented instructions, as set out in this DPA, Annex A, the Main Agreement and any other written instructions agreed between the Parties, to the extent necessary to provide the Services and any additional services ordered by the Controller.
4.2
The Processor shall implement new or amended documented instructions from the Controller within a reasonable time to the extent they are required for the Processing under the Main Agreement and are technically feasible. To the extent such instructions require additional work, changes to the Services or measures not already included in the Main Agreement, this DPA or the standard functionality of Skillhabit, the Processor may charge its then-current professional services rates.
4.3
The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality and process Personal Data only as necessary to perform their duties in accordance with this DPA and the Controller's documented instructions.
4.4
Taking into account the nature of the Processing, the Processor shall make available appropriate technical and organizational measures to assist the Controller in fulfilling the Controller's obligations to respond to requests from Data Subjects. Where Skillhabit includes self-service or administrative functionality enabling the Controller to take the relevant measures itself, the Controller's use of that functionality satisfies the Processor's obligations under this Section 4.4 in respect of such measures.
4.5
The Processor shall notify the Controller of a Personal Data Breach without undue delay and in any event within forty-eight (48) hours after becoming aware that the breach involves Personal Data processed under this DPA. The Processor shall provide the Controller with such information and reasonable assistance as the Controller reasonably requires to comply with its obligations in relation to the Personal Data Breach under Data Protection Laws and Regulations.
4.6
Taking into account the nature of the Processing and the information available to the Processor, the Processor shall make available such assistance as is required under Data Protection Laws and Regulations in connection with data protection impact assessments, prior consultations with competent supervisory authorities and the Controller's handling of Personal Data Breaches. Where such assistance is available through self-service or administrative functionality in Skillhabit, the Controller's use of that functionality satisfies the Processor's obligations under this Section 4.6 in respect of the assistance so provided.
4.7
Any assistance requested by the Controller under Sections 4.4 or 4.6 that is not available through the self-service or administrative functionality of Skillhabit, including manual handling, custom reporting, bespoke exports, configuration support or other work performed by the Processor's personnel, shall be subject to remuneration at the Processor's then-current professional services rates, unless expressly included in the Main Agreement.
4.8
The Processor shall inform the Controller without undue delay if, in the Processor's opinion, an instruction from the Controller infringes Data Protection Laws and Regulations. Pending resolution, the Processor may suspend performance of the instruction to the extent reasonably necessary to avoid such infringement. The Processor shall promptly inform the Controller of any such suspension.
5. Transfer of personal data
5.1 Transfer to non-EU/EEA countries
5.1.1
The Processor may transfer Personal Data to a location outside the EU/EEA where a valid transfer mechanism under Chapter V GDPR is in place. Valid transfer mechanisms include an adequacy decision under Article 45 GDPR, Standard Contractual Clauses adopted under Article 46(2), the EU-US Data Privacy Framework (where the recipient is certified), Binding Corporate Rules approved under Article 47 or another mechanism expressly permitted by GDPR.
5.1.2
The Processor shall identify in Annex B which Sub-Processors process Personal Data outside the EU/EEA and the transfer mechanism relied on. Where Standard Contractual Clauses are used, the Processor shall enter into the appropriate Module (in particular Module 2 or Module 3) with the relevant Sub-Processor and shall make a copy available to the Controller on reasonable request.
5.1.3
The Controller is deemed to have authorized the transfer mechanisms identified in Annex B in force at the time of acceptance of this DPA. Changes are subject to Section 6.
5.2 Transfer to third parties
5.2.1
The Processor may not disclose any Personal Data to third parties without the prior written consent of the Controller unless disclosure is required by applicable law or a decision of a court or authority. However, the Processor always has the right to disclose Personal Data to Sub-Processors in accordance with Section 6 (Hiring of Sub-Processors) below.
5.2.2
If the Processor is ordered by a court or authority to disclose Personal Data or take other action as a result of the Processing, the Processor is entitled to reasonable compensation for the work done. The Processor is also entitled to fair remuneration for the disclosure of Personal Data to other than Controller and for measures in connection with such disclosure.
6. Hiring of Sub-Processors
6.1
The Controller acknowledges and agrees that the Processor will engage subcontractors for the performance of the Processing ("Sub-Processor"). The transfer of Personal Data to the Sub-Processor is at the Processor's risk and does not entail any changes in the division of responsibilities that applies between the Processor and the Controller.
6.2
The Processor maintains an up-to-date list of Sub-Processors in Annex B (the "Sub-Processor List"). The Controller is deemed to have given general authorization to the Processor's engagement of the Sub-Processors on the Sub-Processor List at the date of execution of this DPA.
6.2.1
The Processor shall notify the Controller of any intended addition or replacement of a Sub-Processor by updating the Sub-Processor List in Annex B and sending an email notification to the Controller's nominated address. Notification will be made no less than thirty (30) days before the intended change takes effect.
6.2.2
The Controller may object to a proposed addition or replacement of a Sub-Processor within thirty (30) days of notification, on reasonable grounds relating to data protection compliance. If the Controller does not object within this period, the change is deemed approved.
6.2.3
If the Controller objects on reasonable grounds, the Parties shall discuss in good faith with a view to resolving the objection. If the Parties cannot resolve the objection within a further thirty (30) days, the Controller may terminate the affected Service under the Main Agreement with effect from the date the Sub-Processor would otherwise be engaged. No other termination right arises under this Section 6.2.
6.3
When the Processor engages a Sub-Processor for the performance of the Processing, the Processor shall enter into a written sub-processing agreement imposing on the Sub-Processor data protection obligations substantially equivalent to those in this DPA, including obligations relating to security measures under Section 7, confidentiality under Section 8, audit cooperation under Section 9 and (where applicable) international transfers under Section 5. The Processor remains liable to the Controller for the performance of its Sub-Processors.
7. Technical and organizational security measures
7.1
The Processor shall take the technical and organizational measures required by Data Protection Laws and Regulations to ensure a level of security appropriate to the risk, in particular in relation to risks of unauthorized access to, destruction of and alteration of the Personal Data covered by the Processing. The Processor decides how such measures are to be implemented in order to achieve the required level of protection. The technical and organizational measures implemented by the Processor are described at a functional level in Annex C. The Processor maintains ISO/IEC 27001 certification covering the Skillhabit Services and may rely on that certification as evidence of compliance with this Section 7.1. The Processor may update Annex C from time to time, provided the overall level of protection is not materially reduced.
7.2
Where new or amended legal requirements impose additional technical or organizational measures on the Processor, the Processor shall implement those measures as required by law. Where the Controller requests technical or organizational measures beyond those described in Annex C, the Parties shall discuss implementation and the Controller shall pay the Processor's reasonable costs of implementing such Controller-specific measures.
8. Confidentiality
8.1
The Processor undertakes not to disclose to third parties information received by the Processor as a data processor from the Controller or information otherwise processed by the Processor as a data processor for the Controller. The Processor undertakes to ensure that the persons working under its direction have undertaken to observe confidentiality in accordance with this Section 8 (Confidentiality). However, the confidentiality commitments shall not apply to information that:
i) is publicly known or comes to public knowledge other than through a violation of this DPA;
ii) the Processor can demonstrate was in its possession before the Processor received the information from the Controller in connection with this DPA;
iii) the Processor rightfully receives from third parties outside this contractual relationship without restriction; or
iv) a Party is legally obliged to provide due to mandatory legislation, court orders or decisions of another authority, provided that the disclosing Party gives the other Party prompt written notice (where legally permissible) before disclosure and cooperates in any lawful attempt to limit the scope of the disclosure.
9. Audits
9.1
The Processor shall make available to the Controller the information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA. The Processor shall satisfy this obligation primarily through its ISO 27001 certification, the documentation described in Annex C, reasonable written responses to the Controller's information requests and audits conducted under this Section 9.
9.2
The Controller may audit the Processor's compliance with this DPA in the following order:
(a) First tier: on request and without charge, the Processor shall provide (i) its current ISO 27001 certificate and statement of applicability, (ii) summary information regarding penetration testing and vulnerability management and (iii) reasonable written responses to the Controller's data protection questionnaires, no more than once per calendar year, except in the event of a Personal Data Breach affecting the Controller.
(b) Second tier: if the information provided under paragraph (a) does not reasonably address the Controller's documented data protection concerns, the Controller may, on at least thirty (30) days' written notice, carry out a remote or on-site audit itself or through an independent third-party auditor appointed by the Controller (the "Auditor"). Any such audit shall be at the Controller's cost, during normal business hours, no more than once per calendar year, except following a Personal Data Breach directly affecting the Controller and shall be limited to the specific concerns notified by the Controller in writing.
9.3
When appointing an Auditor, the Controller shall ensure that the Auditor is independent, suitably qualified, not a competitor of the Processor and bound by confidentiality obligations no less protective than those set out in this DPA. The Processor's approval of the Auditor shall not be unreasonably withheld or delayed.
9.4
The Processor shall provide the Controller or the Auditor with reasonable access to the documentation, personnel and systems information necessary to demonstrate compliance with this DPA and shall provide reasonable cooperation in connection with any audit conducted under this Section 9. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's business operations.
9.5
If an on-site audit is required, the Processor shall provide access only to those premises and areas relevant to the agreed audit scope. The Controller and the Auditor shall comply with the Processor's reasonable security, confidentiality, health and safety, and workplace rules, and shall not access information relating to other customers or Personal Data not processed under this DPA.
10. Damages and liability towards third parties
10.1
Each Party undertakes to indemnify the other Party in the event that the other Party suffers damage as a result of the first-mentioned Party's processing of Personal Data in violation of Data Protection Laws and Regulations or this DPA. Such damage may include, but is not limited to, the obligation to pay damages to a Data Subject or to pay administrative fines decided by the competent supervisory authority.
10.2
A Party shall not be liable to pay compensation for indirect damages such as loss of profit under this DPA.
10.3
Each Party's aggregate liability under this DPA, together with any liability under the Main Agreement, is subject to the limitation of liability set out in the Main Agreement. Where the Main Agreement does not contain an enforceable limitation of liability, each Party's aggregate liability under this DPA shall not exceed the fees paid by the Controller to the Processor under the Main Agreement in the twelve (12) months preceding the event giving rise to the claim. For the avoidance of doubt, this limitation does not affect either Party's direct statutory liability to Data Subjects under Article 82 GDPR.
10.4
Nothing in this Section 10 (including the limitations in Section 10.3) shall limit or exclude either Party's liability for (i) intent or gross negligence; (ii) injury to life, body or health; (iii) fraud or malicious concealment; (iv) liability under mandatory product liability legislation; or (v) any other liability that cannot be limited or excluded under applicable mandatory law.
11. Period and measures upon termination of the agreement
11.1
This DPA applies from the time both Parties have signed it and for as long as the Processor processes Personal Data on behalf of the Controller. Provisions for termination can be found in the Main Agreement.
11.2
On termination of the Main Agreement, the Processor shall, at the Controller's written election, make the Personal Data available to the Controller for retrieval and/or delete the Personal Data. The Controller shall notify the Processor of its election no later than thirty (30) days after termination. If the Controller does not notify the Processor within that period, the Processor shall delete the Personal Data after expiry of the 30-day period. Personal Data retained in encrypted automated backup archives shall be overwritten in the ordinary course of the Processor's backup cycle and in any event within ninety (90) days after termination. The Processor shall, on request, confirm completion of deletion in writing.
11.3
Any new commercial agreement between the Parties that involves the processing of Personal Data must be accompanied by a current Data Processing Agreement. The current published version of this DPA at the time of execution of the new commercial agreement shall apply unless the Parties agree otherwise.
12. Governing law and dispute resolution
12.1
This DPA shall be governed by and construed in accordance with the laws of Sweden, without regard to its conflict of laws principles.
12.2
Any dispute, controversy or claim arising out of or in connection with this DPA or the breach, termination or invalidity of this DPA, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The place of arbitration shall be Malmö, Sweden. The language of the arbitration shall be English.
12.3
Nothing in this Section 12 limits a Data Subject's statutory rights under Data Protection Laws and Regulations, including the right to lodge a complaint with a supervisory authority or to seek a judicial remedy under Articles 77 to 79 GDPR.
Annexes
ANNEX A
Instructions for carrying out the Processing
Subject matter
Provision of the Skillhabit cloud-based learning platform to the Controller, including user account management, content delivery, learning activity tracking and reporting.
Nature of the Processing
Hosting, storing, accessing, displaying, organizing, transmitting and (on Controller instruction) deleting Personal Data uploaded to or generated through the Skillhabit platform.
Purpose of the Processing
To provide the Services under the Main Agreement, namely to enable the Controller to distribute digital learning and follow up on learning activity.
Duration of the Processing
From acceptance of this DPA until termination of the Main Agreement, with deletion or return as set out in Section 11.2.
Categories of Data Subjects
Internal users (the Controller's employees and contractors who use the platform), external users (third parties to whom the Controller grants access for learning purposes) and administrators designated by the Controller.
Categories of Personal Data
(a) Account and identification data: name, work email address, employer, role and optionally national identification number (where the Controller chooses to use it as a user identifier).
(b) Profile data: contact information, language preference, learning team or group assignment.
(c) Learning activity data: course enrolments, learning progress, completion status, quiz and assessment scores, learning-path activity, engagement metrics, certificates earned.
(d) Technical data: device and browser information, IP address (for access logging and security), session identifiers.
(e) Communication data: messages sent through in-platform messaging features (if used).
(f) Any other Personal Data uploaded by the Controller or its users into the Skillhabit platform, including any optional fields configured by the Controller.
Special categories of Personal Data
The Skillhabit platform is not designed to process special categories of Personal Data under Article 9 GDPR. The Controller shall not upload such data unless it has separately confirmed with the Processor the technical and contractual conditions for doing so.
Retention
Personal Data is retained for the duration of the Main Agreement and deleted in accordance with Section 11.2. Specific retention rules for in-platform features (for example, training records retained for compliance purposes) are configurable by the Controller within the platform.
Contact information to the Processor's representative
Email: gdpr@tictac.se
Phone number: +46 40 631 88 30
ANNEX B
Approved Sub-Processors
The Sub-Processor List in force at the date of execution of this DPA is set out below and contains, for each Sub-Processor: legal entity name, address, the processing activity performed, whether the Sub-Processor transfers Personal Data outside the EU/EEA and, for any Sub-Processor that does, the transfer mechanism relied on. The Processor will keep this list up to date and will notify the Controller of any addition or replacement of a Sub-Processor in accordance with Section 6.2.
Sub-Processors (legal entities)
Skillhabit AB
Address: Dockplatsen 1, 211 19 Malmö, Sweden
Processing activity: Development, maintenance and technical support of the learning platform.
Transfer outside the EU/EEA: No
GleSYS AB
Address: Box 134, 311 22 Falkenberg, Sweden
Processing activity: Data storage, server hosting and DNS services.
Transfer outside the EU/EEA: No
BACTO NET (Stackhero)
Address: 1 rue de Stockholm, 75008 Paris, France
Processing activity: Logging and event queue system. Logs may contain limited data (IP/email) for up to 30 days.
Transfer outside the EU/EEA: No
AppSignal B.V.
Address: P.O. Box 10212, 1001 EE Amsterdam, Netherlands
Processing activity: Front-end error detection and temporary URL-based debugging.
Transfer outside the EU/EEA: No
Simple Analytics B.V.
Address: Jacob van Lennepstraat 78 H, 1053 HM Amsterdam, Netherlands
Processing activity: Privacy-first analytics. Tracks views and sessions without PII.
Transfer outside the EU/EEA: No
Rapidmail GmbH
Address: Wentzingerstraße 21, 79106 Freiburg, Germany
Processing activity: Legacy email provider. Stores sent emails for one year for traceability.
Transfer outside the EU/EEA: No
BunnyWay d.o.o.
Address: Cesta Komandanta Staneta 4A, 1215 Medvode, Slovenia
Processing activity: CDN, website assets and video storage.
Transfer outside the EU/EEA: No
OpenAI Ireland Ltd
Address: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, Ireland
Processing activity: AI services for processing user-submitted content and course context.
Transfer outside the EU/EEA: Yes
Transfer mechanism: EU Standard Contractual Clauses (SCCs), Commission Decision (EU) 2021/914 of 4 June 2021.
Lettermint B.V.
Address: Willemsvaart 16B, Unit 1.08, 8019 AB Zwolle, Netherlands
Processing activity: Email service provider. Stores sent emails for one year for traceability.
Transfer outside the EU/EEA: No
Bouncer Sp. z o.o.
Address: ul. Cypriana Kamila Norwida 24/1, 50-374 Wrocław, Poland
Processing activity: Email verification and bounce rate protection.
Transfer outside the EU/EEA: No
ANNEX C
Technical and organizational security measures
This Annex describes at a functional level the technical and organizational measures the Processor implements to protect Personal Data processed under this DPA. The Processor maintains ISO/IEC 27001 certification covering the Skillhabit Services and may rely on that certification as evidence of compliance with this Annex. The Processor may update this Annex from time to time, provided the overall level of protection is not materially reduced.
1. Encryption
Personal Data is encrypted in transit using industry-standard protocols (TLS 1.2 or higher) and at rest using strong cryptographic algorithms appropriate to the data category. Video files served through the Processor's content delivery network Sub-Processor (identified in Annex B) are stored without at-rest encryption, consistent with industry practice for video content delivery; that Sub-Processor maintains ISO/IEC 27001 certification.
2. Access control and authentication
Access to Personal Data is restricted on a need-to-know basis. The Processor enforces role-based access control, strong authentication for administrative accounts (including multi-factor authentication where appropriate) and individual user accountability.
3. Network security
The Processor implements perimeter defences (firewalls, intrusion detection), network segmentation between environments and protection against denial-of-service attacks.
4. System hardening and vulnerability management
Servers and applications are configured according to documented hardening standards. The Processor performs regular vulnerability scanning, applies security patches in a risk-prioritized manner and conducts periodic penetration testing of the Skillhabit Services.
5. Backup and disaster recovery
The Processor performs regular backups of Personal Data, stores backups in geographically separated locations, encrypts backups at rest and tests recovery procedures.
6. Logging and monitoring
Security-relevant events are logged, retained for a defined period and monitored for indicators of compromise. The Processor maintains incident detection capabilities sufficient to identify Personal Data Breaches and to support notification within the timelines specified in Section 4.5.
7. Incident management
The Processor maintains a documented incident response procedure covering identification, containment, eradication, recovery, notification and post-incident review.
8. Personnel screening and training
Personnel with access to Personal Data are bound by confidentiality obligations and receive periodic data protection and information security training.
9. Secure software development
The Processor follows a documented secure software development lifecycle, including code review, dependency management and pre-release security testing.
10. Data segregation
Personal Data of each Controller is logically segregated from that of other Controllers within the Skillhabit Services.