Template, to be reviewed by a qualified lawyer before publication. Placeholders in [square brackets] must be filled in.

Data Processing Agreement (DPA)

Template, review by qualified counsel before use. This DPA applies where a business customer is the controller of personal data and Partsnord Europe AB acts as processor. Replace every [bracketed] placeholder. *Last updated: [date].*

This Data Processing Agreement forms part of the agreement between the Customer (the "Controller") and Partsnord Europe AB, Torshamnsgatan 27, SE-164 40 Kista, Sweden ([org.nr 559XXX-XXXX]) (the "Processor") for the water-leak alarm notification service (the "Service"). It governs the Processor's processing of personal data on the Controller's behalf under GDPR Article 28.

1. Subject matter and roles

The Processor processes personal data only to provide the Service. The Controller determines the purposes and means of processing the recipient and related personal data it enters into the Service.

2. Duration

This DPA applies for as long as the Processor processes personal data on the Controller's behalf under the main agreement.

3. Processor obligations

The Processor shall:

  1. process personal data only on the Controller's documented instructions (including this DPA and use of the Service), unless required otherwise by EU or Member State law (in which case it will inform the Controller, where permitted);
  2. ensure persons authorised to process the data are bound by confidentiality;
  3. implement the technical and organisational measures in Annex 2;
  4. respect the conditions in clause 5 for engaging sub-processors;
  5. assist the Controller, taking into account the nature of processing, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection);
  6. assist the Controller with security, breach notification, data protection impact assessments and prior consultation (Arts. 32–36);
  7. at the Controller's choice, delete or return all personal data at the end of the services and delete existing copies, unless storage is required by law;
  8. make available information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, under clause 7.

4. Personal data breach

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and provide the information the Controller reasonably needs to meet its own notification duties.

5. Sub-processors

The Controller grants general authorisation for the Processor to engage the sub-processors listed in Annex 3. The Processor will impose data-protection obligations equivalent to this DPA on each sub-processor and remains liable for their performance. The Processor will inform the Controller of intended changes to sub-processors and give the Controller the opportunity to object.

6. International transfers

The Processor will not transfer personal data outside the EU/EEA except under an adequacy decision or the EU Standard Contractual Clauses with supplementary measures, as appropriate.

7. Audits

The Processor will make available the information necessary to demonstrate compliance with Article 28, including its ISO/IEC 27001:2022 certification and relevant reports, and will allow audits at reasonable intervals and notice, subject to confidentiality and minimising disruption.

8. Liability and order of precedence

Liability is governed by the main agreement. In case of conflict on data protection matters, this DPA prevails over the main agreement.

---

Annex 1. Details of processing

  • Subject matter: delivery of water-leak alarm notifications.
  • Nature and purpose: receiving valve-status data and sending SMS/email notifications to the Controller's designated recipients; storing related logs.
  • Duration: the term of the main agreement.
  • Categories of data subjects: the Controller's designated alarm recipients (e.g. caretakers, property staff, residents) and the Controller's users.
  • Categories of personal data: name, mobile phone number, email address, role, and notification/event logs. No special categories are intended.

Annex 2. Technical and organisational measures (TOMs)

Governed by the Processor's ISO/IEC 27001:2022 ISMS, including: role-based access control and tenant isolation via row-level security; encryption in transit (TLS); secrets stored in a managed vault; least-privilege service keys; append-only audit logging; backup and recovery; vulnerability management and a documented incident-response process; staff confidentiality and security training.

Annex 3. Approved sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, serverless functions | [EU] |
| Twilio | SMS delivery | [region] |
| Resend | Email delivery | [region] |
| [Hosting provider] | Website hosting | [region] |