Last updated 21 April 2023


Data Processing Agreement

This Data Processing Agreement (the “DPA”) is entered into between:

(1) Customer (“Controller”); and 

(2) AB, reg. no. 556914-4156, a company organized under the laws of Sweden (“Processor” or “Pickit”).  

Each of Controller and Processor are referred to as a “Party” and jointly as the “Parties”.

1. Background

  • 1.1 The Parties have entered into an enterprise agreement (the “Agreement”), where Controller has contracted Processor in order to use the Pickit Business service, in its business operations which forms the subject matter of the processing of personal data under this Agreement.
  • 1.2 Terms such as “personal data”, “processing” and “data subject” and other expressions not defined in this DPA shall have the same meaning as set out in in the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), as may be amended, updated, replaced or superseded from time to time, if not expressly stated otherwise.
  • 1.3 Pickit’s service, is a SaaS solution providing content (images) in MS Office 365 through an Add-in (the (the “Pickit Business Service”), rendering Controller the data controller, whilst Pickit qualifies as data processor under the applicable data protection laws. In light of the above, Processor and Controller have agreed on the following terms and conditions set out in this DPA (including the Schedules) concerning the Processing of personal data under this DPA.
  • 1.4 This DPA shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof. In case of conflict between the Agreement and the DPA including the Schedules, this DPA shall take precedence.

2. Processor’s obligations

  • 2.1 Processor shall to the extent any personal data is processed by Processor on behalf of Controller under the Agreement:
    • (i) only process personal data in accordance with Controller’s documented instructions specified in Schedule 1 of this DPA, unless when required to do so under applicable European Union (“EU”) or Member State law to which the Processor is subject. Processor shall in such case inform Controller of such legal obligation unless prohibited by law. Processor shall immediately inform Controller if the Controller’s documented instructions, in the Processor’s opinion, are infringing applicable laws, rules and regulations. Such information shall not be considered as legal advice provided by Processor; 
    • (ii) ensure that the employees/agents/sub-contractors or other third parties that are authorized to process personal data are subject to an obligation of confidentiality with regards to the personal data. Processor is only allowed to disclose personal data to third parties if Controller has given its written consent or if it is required by applicable law;
    • (iii) implement appropriate technical and organizational measures required pursuant to Article 32 of the GDPR; 
    • (iv) hereby be given a general authorization to engage other processors (“Sub-processors”) for the processing of personal data on behalf of Controller. Where Processor engages a Sub-processor under this clause, Processor undertakes to ensure that the contract entered into between Processor and any Sub-processor shall impose, as a minimum, data protection obligations not less stringent than those set out in this DPA. Processor shall notify Controller of any intended changes concerning the addition or replacement of Sub-processors, to which the Controller may object. If Controller has made no such objection within ten (10) days from the date of receipt of the notification, Controller is assumed to have made no objection; 
    • (v) have the right to cure an objection from Controller as described in  (iv) above, at Processors sole discretion. If no corrective option is reasonably available and the objection has not been cured within thirty (30) days after receiving the objection, either Party may terminate the affected Pickit Business Service or the Agreement with reasonable written notice;
    • (vi) be allowed to transfer personal data to third countries outside the EU or European Economic Area (“EEA”) is in accordance with Controller’s documented instructions.  When personal data is transferred to a country that does not ensure an adequate level of data protection, the Processor ensures that the transfer is subject to adequate safeguards as stated in Chapter V GDPR is in place. Processor is hereby given clear mandate, on behalf of the Controller, enter into: 2010/87/EU: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) or decisions and clauses that may replace or amend these;
    • (vii) taking into account the nature of the processing and the information available for the Processor, at Controller’s cost, assist the Controller in its obligation to respond to requests from data subjects pursuant to chapter III in the GDPR by implementing appropriate technical and organizational measures, insofar as this is possible;
    • (viii) taking into account the nature of processing and the information available to the Processor, at Controller’s cost, assist the Controller to fulfil its obligations pursuant to Articles 32 to 36 in the GDPR;
    • (ix) on termination or expiration of the Agreement or on instruction from Controller, upon written request and at Controller’s choice, return or delete all personal data processed under the Agreement at Controller’s cost, unless Processor is required to retain the personal data by applicable laws, rules and regulations. Controller must make such written request fourteen (14) days from the Agreement’s termination or expiration; and
    • (x) upon Controller’ request and at the cost of Controller, make available all information necessary to demonstrate Processor's compliance with the obligations laid down in Article 28 in the GDPR and in this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller and accepted by Processor. Processor shall not unreasonably withhold its acceptance. The audit shall be carried out maximum once (1) per calendar year, and a written notice shall be sent to the Processor with a notice period of at least sixty (60) days, before the audit commences. The audit shall be conducted during Processor’s normal working hours without disturbance to the normal operations of Processor.

3. Limitation of liability and Indemnification

  • 3.1 The Processor’s aggregate liability for breach of personal data obligations set forth in the Agreement, DPA or applicable data protection law shall be governed by the limitation of liability in the Agreement. This includes, for example, claims from data subjects and administrative penalties or fines imposed on the Processor by relevant courts or data protections authorities. 
  • 3.2 Notwithstanding what is stated in the Agreement, DPA or applicable data protections law the Controller shall hold harmless the Processor from all liability, if such liability arises as a result of the Controller’s breach of the Agreement, DPA or applicable data protection law or if the Controller’s instructions is in breach of the Agreement, DPA or applicable data protection law. 

4. Governing Law and Disputes

  • 4.1 This DPA shall be governed in accordance with the laws of Sweden, with the exclusion of its conflict of laws rules.
  • 4.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The place of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless otherwise agreed.
  • 4.3 The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators. 
  • 4.4 The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way his rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority or similar.



Schedule 1 – Controller’s instructions 

The following are instructions from the Controller to the Processor for the processing of personal data which covers this DPA. 



Collecting, registering and storing


• username

• password

• email address

• company postal & invoicing address

• invoicing e-mail

• postal code

• country




Image Bank Owner

Image Bank Admin

Image Bank Users


Within the Pickit Business service, personal data is being registered and stored for each user in order to secure eligibility rules per user managed by the customers Office 365 admin.



The data privacy officer can be reached at


Schedule 2 – sub-processors


Sub-processors Third country Security measures
Application Insights Ireland GDPR
Fortnox Sweden GDPR
Sendgrid (System email sendouts) USA SCC

Hubspot (Customer support & information)




Schedule 3 technical and organisational measures


Physical security

The premises used by Processor shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. Processor shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.


Organisational security measures

Processor should possess an updated and implemented security policy which states for example the manner in which the personal data shall be processed, to whom Processor’s personnel shall turn in the event of a burglary or other incident, which personnel are authorized as regards which type of information, back-up procedures, contingency plans, etc.


Technical security measures

Processor should create a safe IT-environment, which includes, but is not limited to (i) necessary safety routines for avoiding virus attacks or other threats that could be harmful to the IT-environment; (ii) an encryption system and/or other security measures with the purpose of avoiding tapping or revealing signals; (iii) necessary security routines for IT-equipment; (iv) a control system based on user authorization, which enables identification of user identity (through the usage of passwords or such) and prevents unauthorized use of or access to the processed personal data; (v) storage of processing history (log data), which shall be sorted out in accordance with Controller’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be sorted out in accordance with Controller’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained personal data that no longer is used.