Data Processing Agreement
Effective November 2025
This Data Processing Agreement (“Agreement”) forms part of the Contract for services (“Principal Agreement”) under the In Parallel Terms and Conditions and is formed between the Company using In Parallel’s services (the “Company”) and In Parallel (the “Data Processor”) (together as the “Parties”).
This Agreement is complementary to our Privacy Policy, which serves as the primary reference for our data protection practices and measures.
The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and in line with the General Data Protection Regulation.
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.1.10 “Company Data Subjects” means natural persons whose Personal Data is included in Company Personal Data and comprises (a) the Company’s employees and contractors; and (b) natural persons who appear in or are discussed in Company communications or Customer Content (e.g., meeting participants, third-party contacts).
1.1.11 “Controller Instructions” means documented instructions by Company to Processor, including written or electronic configuration choices and access tokens/connector settings, together with any lawful basis and notices relied upon by Company for supplying Company Personal Data to Processor.
1.1.13 “Customer Content” means all data, information, documents, communications, and materials provided, submitted, or made available by the Company to the Processor in connection with the use of the Services, including but not limited to text, images, audio, video, files, messages, and metadata.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Special Category Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
Processor shall:
2.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.2 and not process Company Personal Data other than on Controller’s documented instructions in section 2.
Controller instructs Processor to process Company Personal Data to:
2.3 provide the requested services and related technical support;
2.4 fulfil legal obligations or resolve disputes;
2.5 exercise any internal task aimed to optimise the security, privacy, confidentiality and functionalities of the Services;
2.6 exercise internal reporting, financial reporting and other similar internal tasks.
2.7 Controller obligations and warranties
The Company warrants and agrees that:
a) it has lawfully collected, and has a lawful basis (or necessary authorisation) for the transfer and processing, of all Company Personal Data disclosed to the Processor and that it will provide any notices or obtain any consents required by Data Protection Laws prior to such disclosure;
b) it will supply and maintain valid access credentials, API tokens and permissions required to access data sources (e.g. Slack, Jira), and will immediately revoke such credentials where no longer authorised;
c) it shall apply reasonable pre-ingestion filtering and configuration (including filtering of private, special-category or irrelevant Personal Data) to the extent its tooling permits, and shall not supply to Processor any Special Category Personal Data unless expressly agreed in writing;
d) it is responsible for identifying which individuals constitute Company Data Subjects and for configuring retention, capture and recording settings (including meeting recording consent) in its account/admin panel; and
e) it shall indemnify and hold Processor harmless from all Claims and liabilities arising from Controller’s failure to comply with subsections (a)–(d), including any regulatory fines, penalties or data subject claims resulting from unlawful collection, inadequate notices or missing consents.
2.8 Model Training Prohibition
Processor shall not use Company Personal Data or Customer Content to train machine learning models, except for the benefit of the Company where Company has expressly opted in via the Admin Console or a written addendum. Processor may use anonymized information and customer feedback to improve its services.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
In accordance with Article 32 (1) of the GDPR, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures shall be designed to protect the rights and freedoms of natural persons, considering the risks of varying likelihood and severity, including the risk of a Personal Data Breach.
Measures include but are not limited to: the training of personnel, encryption at rest and in-transit where feasible, strict access controls, multi-factor authentication, logging & monitoring, the presence of a Data Protection Officer, regular security audits, and adherence to ISO 27001.
5. Subprocessing
Subject to this Agreement, the Company grants general authorization to the Processor to engage Subprocessors and disclose or transfer Company Personal Data to them. The Company acknowledges and approves the list of Subprocessors outlined in the Processor’s Privacy Policy, understanding that this list may be updated by the Processor regularly, in which case the Company shall be informed by the Processor according to the Privacy Policy notification process no less than thirty (30) days prior to such change. If Company reasonably objects, they shall do so within fourteen (14) days. If an objection is unresolved within 30 days, Company may terminate the affected service(s) and receive a pro-rata refund of prepaid, unused fees.
Processor ensures that Subprocessors are subject to an agreement with Processor no less restrictive and protective than the present Agreement with respect to the protection of Company Personal Data to the extent applicable to the nature of the services provided by the Subprocessor.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws. Where possible, the Company shall answer Data Subject rights requests itself.
6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
The Processor shall manage any Personal Data Breach in compliance with applicable Data Protection Laws and its internal Personal Data Breach procedures. In the event of a Personal Data Breach affecting Company Personal Data, the Processor shall notify the Company without undue delay, providing sufficient information to enable the Company to fulfill its obligations under Data Protection Laws, including informing Data Subjects as necessary. In such cases, Processor shall provide Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Processor shall co-operate with Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Each party shall bear the costs of the investigation, remediation, mitigation, and other related costs to the extent a Data Breach is caused by such party. With the limitation that the aggregate liability of each Party shall not exceed 12 months of fees paid or payable in the 12 months prior to the event; provided that liability for data protection breaches, confidentiality breaches, and IP infringement shall be capped at 2× such amount. Nothing limits liability for death, fraud, or willful misconduct.
Each party shall bear the costs of any fines, penalties, damages, or other related amounts imposed by an authorized regulatory body, governmental agency, or court of competent jurisdiction to the extent arising from such party’s breach of its obligations under this Agreement.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors. For assistance beyond normal operational support, a reasonable fee relative to the costs incurred by the Processor may be charged.
9. Deletion or return of Company Personal Data
Upon cessation of any Service that involves Processing of Company Personal Data, the Processor shall, at the Company’s choice, delete or return all Company Personal Data, to the extent permitted by applicable law and in accordance with the Processor’s Terms and Conditions and Privacy Policy. The Company shall have sixty (60) days from the cessation of Services to export or receive all Company Personal Data in a common, machine-readable format. The Processor shall not delete Company Personal Data during this 60-day export window. Afterward, the Processor shall delete any remaining Company Personal Data unless retention is required by Union or Member State law. For clarity, the Processor may retain anonymized or aggregated data that is not reasonably capable of re-identifying any individual.
10. Audit rights
Subject to this section, Processor shall make available to Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
Company shall not exercise its audit rights more than once per calendar year except following a Personal Data Breach or an instruction by a regulatory authority. Company shall give Processor at least sixty (60) days prior written notice of its intention to audit Processor pursuant to this Agreement. Audit shall be conducted during Processor’s business hours, shall not disrupt Processor’s operations and shall ensure the protection of the Company’s, Processor’s and other Data Subjects’ Personal Data. Processor and Company shall mutually agree in advance on the date, scope, duration and security and confidentiality controls applicable to the audit. Company acknowledges that the signing of a non-disclosure agreement may be required by the Controller prior to the conduction of the audit. Such audits will be at the expense of the Company, including reasonable expenses incurred by the Processor as part of its cooperation. Where possible, Processor may satisfy audit rights by providing SOC2 Type II or ISO 27001 reports, pentest summaries, and security questionnaire responses.
Information and audit rights of Company only arise under section 10 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1. The Parties shall, where possible, limit transfers of Company Personal Data to countries within the European Economic Area (EEA) or to countries subject to an adequacy decision adopted by the European Commission.
11.2. Where Company Personal Data is to be transferred to a country outside the EEA that is not the subject of an adequacy decision, the Parties shall ensure that such transfers are effected only on the basis of appropriate safeguards as provided under Data Protection Laws. Unless otherwise agreed, the Parties shall rely on the EU Commission’s Standard Contractual Clauses (“SCCs”) in the version in force at the time of transfer or on another transfer mechanism permitted by Data Protection Laws (including an applicable adequacy decision such as the EU-US Data Privacy Framework), provided that the Parties first assess and implement any supplementary technical, contractual or organisational measures necessary to ensure an essentially equivalent level of protection.
11.3. Prior to any transfer to a third country that is not covered by an adequacy decision, Processor shall (a) perform a Transfer Impact Assessment (TIA) consistent with EDPB guidance, (b) provide such TIA and any proposed supplementary measures to Company on request, and (c) not proceed with the transfer if Company reasonably objects. Processor shall also implement the SCCs (where used) and flow down equivalent obligations to any Subprocessor engaged in such transfers.
11.4. Processor shall upon Company’s request provide reasonable evidence of compliance with this Section.
12. General Terms
12.1 Confidentiality
Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices
Controller shall be notified by email sent to the address related to its use of the services under the Principal Agreement. Processor shall be notified by email sent to the address: privacy@in-parallel.com
12.3 Data Protection Officer
Processor has appointed a Data Protection Officer (DPO) responsible for privacy governance and regulatory liaison. Processor represents that the DPO has demonstrable expertise in data protection law and practices appropriate to the processing activities under this Agreement.
The DPO shall be available via info@in-parallel.com and Company shall be notified of any changes in the appointment of the DPO.
12.4 Requests from authorities
Processor shall notify Company of any legally binding request for disclosure by a governmental authority where legally possible, challenge overbroad requests, and disclose only the minimum required.
12.5 Severability
If any provision of this Agreement is held to be invalid, illegal, or unenforceable under applicable law, such provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable. If such modification is not possible, the provision shall be deemed severed from this Agreement. The remainder of the Agreement shall remain in full force and effect.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of Finland.
13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Helsinki.
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices
Controller shall be notified by email sent to the address related to its use of the services under the Principal Agreement. Processor shall be notified by email sent to the address: privacy@in-parallel.com
12.3 Data Protection Officer
Processor has appointed a Data Protection Officer (DPO) responsible for privacy governance and regulatory liaison. Processor represents that the DPO has demonstrable expertise in data protection law and practices appropriate to the processing activities under this Agreement.
The DPO shall be available via info@in-parallel.com and Company shall be notified of any changes in the appointment of the DPO.
12.4 Requests from authorities
Processor shall notify Company of any legally binding request for disclosure by a governmental authority where legally possible, challenge overbroad requests, and disclose only the minimum required.
12.5 Severability
If any provision of this Agreement is held to be invalid, illegal, or unenforceable under applicable law, such provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable. If such modification is not possible, the provision shall be deemed severed from this Agreement. The remainder of the Agreement shall remain in full force and effect.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of Finland.
13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Helsinki.
Email: info@in-parallel.com