This Data Processing Agreement (the “DPA”) is hereby entered between Mesh Nordic* and the Customer. Mesh Nordic and the Customer may hereinafter jointly be referred to as “Parties” or individually as a “Party”.
This DPA was established by us on Nov 21, 2024.
1. In order to fulfil the Agreement, Mesh Nordic will process personal data for which the Customer is the customer, in the capacity of the Customer’s processor.
2. Exceptions apply in the event that the Customer acts as processor of personal data on behalf of a third-party controller, in which case Mesh Nordic is a sub-processor.
3. This DPA forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.
4. Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the GDPR and in accordance with the Agreement, unless otherwise clearly indicated by the circumstances. The terms “processing” and “personal data” refer exclusively to such processing and such personal data that Mesh Nordic processes on behalf of the Customer in accordance with this DPA.
1. The type of personal data and categories of data subjects processed by Mesh Nordic under this DPA and the purpose, nature, duration and objects of this processing, are described in the instructions on processing of personal data in Appendix A. The Customer shall ensure that Mesh Nordic is not able to process additional categories of personal data or personal data in relation to other data subjects than those specified in Appendix A.
2. The Customer is responsible for complying with the GDPR and a supervisory authority's binding decisions, recommendations and guidelines, practices in the field of data protection, supplementary local adaptation and legislation as well as sector-specific legislation in relation to data protection (the “Data Protection Rules”). The Customer shall in particular:
(a) be contact person towards data subjects and i.e. respond to their inquiries regarding the processing of personal data;
(b) ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 13 and 14 in the GDPR and maintain a record of processing activities under its responsibility;
(c) provide Mesh Nordic with documented instructions for Mesh Nordic’s processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;
(d) immediately inform Mesh Nordic of changes that affect Mesh Nordic’s obligations under this DPA;
(e) immediately inform Mesh Nordic if a third party takes action or lodges a claim against the Customer as a result of Mesh Nordic’s processing under this DPA; and
(f) immediately inform Mesh Nordic if anyone else is the Customer or joint controller with the Customer of the relevant personal data.
3. When processing personal data, Mesh Nordic shall:
(a) only process personal data in accordance with the Customer’s documented instructions, which at the time of the Parties entering into this DPA are set out in Appendix A, including transfers to a third country or an international organisation, unless required to do so by Union or Member State law to which Mesh Nordic, or a party that processes personal data as sub-processor to Mesh Nordic (“Sub-processor”), is subject. In such a case, Mesh Nordic or the Sub-processor shall inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest;
(b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) maintain an adequate level of security for the personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in section 3 below;
(d) respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a Sub-processor;
(e) taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(f) assist the Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Mesh Nordic;
(g) at the choice of the Customer, delete or return all the personal data to the Customer after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and
(h) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor agreed upon by the Parties.
4. Mesh Nordic shall notify the Customer without undue delay, if, in Mesh Nordic’s view, an instruction infringes the GDPR. In addition, Mesh Nordic is to immediately inform the Customer of any changes affecting Mesh Nordic’s obligations pursuant to this DPA. Mesh Nordic may not take any action which may result in that the Customer can be deemed to be in violation of the GDPR.
1. Mesh Nordic shall implement technical and organisational security measures in order to protect the personal data against destruction, alteration, unauthorised disclosure and unauthorised access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Mesh Nordic may amend its technical and organisational measures.
2. Mesh Nordic shall notify the Customer of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that Mesh Nordic has committed any wrongful act or omission, or that Mesh Nordic shall become liable for the personal data breach.
3. If the Customer during the term of this DPA requires that Mesh Nordic takes additional security measures, Mesh Nordic shall as far as possible meet such requirements provided that the Customer pays and takes responsibility for any and all costs associated with such additional measures.
1. In addition to what follows from the Agreement in other parts, Mesh Nordic shall not without the Customer's prior written consent, disclose or otherwise make available personal data to any third party, except (i) to the Sub-processors that have been engaged in accordance with this DPA, or (ii) if the data is ordered to be shared with the supervisory authority or should be disclosed according to the GDPR or another statutory obligation.
2. Mesh Nordic undertakes to ensure that persons authorized to process the personal data have committed themselves to confidentiality for such processing or are under an appropriate statutory obligation of confidentiality.
1. If Mesh Nordic receives a request from a data subject, supervisory authority or any other third party regarding obtaining access to personal data that Mesh Nordic processes on behalf of the Customer, Mesh Nordic shall immediately forward the request to the Customer. Mesh Nordic, or persons under Mesh Nordic's supervision, shall not disclose personal data or any other information related to the processing of the personal data without explicit, documented instruction from the Customer, unless Mesh Nordic is required to do so subject to the GDPR. In the event that Mesh Nordic is required to disclose personal data subject to the GDPR, Mesh Nordic shall take all actions to request confidentiality in connection with the requested information and immediately inform the Customer of the disclosure, in so far as Mesh Nordic is not prevented from doing so under the GDPR.
2. Mesh Nordic shall without undue delay inform the Customer of any contacts from the supervisory authority regarding the processing of personal data and provide the Customer, to the extent permitted by law, with all information relevant in this regard. Mesh Nordic is not entitled to represent or act on the Customer’s behalf in relation to the supervisory authority.
1. The Customer hereby grants Mesh Nordic a general authorisation to engage Sub-processors. Sub-processors are listed in the list of sub-contractors in Appendix B. Mesh Nordic shall enter into a data processor agreement with each Sub-processor, according to which the same data protection obligations as set out in this DPA are imposed upon the Sub-processor.
2. Mesh Nordic shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after Mesh Nordic has informed the Customer about the intended changes. If the Customer objects to Mesh Nordic engaging a Sub-processor and the Parties are unable to agree within a reasonable time, Mesh Nordic shall have the right to terminate the DPA and/or relevant parts of the Agreement in whole or in part with thirty (30) days' notice. If Mesh Nordic would choose to adapt to such objection from the Customer, Mesh Nordic shall be entitled to reasonable compensation from the Customer for the costs that Mesh Nordic incurs as a result of the adaptation.
3. Upon the Customer’s request, Mesh Nordic shall provide the Customer with a correct and up-to-date list containing the Sub-processors that have been engaged in the processing of personal data, the Sub-processors’ contact information, the geographic location of the Sub-processor’s processing and which processing of personal data each Sub-processor performs.
4. Mesh Nordic is liable towards the Customer for a Sub-processor’s performance of its obligations in relation to the Customer.
If Mesh Nordic and/or Sub-processors transfers personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR and related data protection legislation. Mesh Nordic shall keep the Customer informed about the legal grounds for the transfer.
Mesh Nordic is not entitled to any additional compensation for the processing of personal data in accordance with this DPA. However, Mesh Nordic is entitled to compensation in accordance with the Agreement for any work performed by Mesh Nordic's personnel in accordance with this DPA.
1. The Customer shall indemnify Mesh Nordic for all claims directed against Mesh Nordic due to Mesh Nordic’s or Sub-processor’s processing of personal data on behalf of the Customer, as well as for all costs and other direct damages - including any administrative fines - that Mesh Nordic is caused by breach of the Data Protection Rules. The Customer’s indemnification obligation according to the foregoing, applies when the breach is due to unclear, incomplete or illicit instructions from the Customer, insufficient information from the Customer about which categories of data are processed or otherwise depending on the circumstances on the Customer's side. The Customer can avoid its responsibility only if the Customer can demonstrate that the Customer is in no way responsible for the event, action or omission that caused Mesh Nordic the claim, cost or damage. In these cases, section 9.2 shall apply.
2. If Mesh Nordic, a person working under Mesh Nordic's management or a Sub-processor engaged by Mesh Nordic processes personal data in breach of this DPA or the documented instructions provided by the Customer, Mesh Nordic shall, taking into account the limitations of liability resulting from other parts of the Agreement, compensate the Customer for the direct damage which the Customer is caused due to the incorrect processing. Mesh Nordic's compensation obligations regarding claims and damages according to this section 9.2 apply only on the condition that i) the Customer notifies Mesh Nordic in writing without undue delay of the direct damage caused to the Customer or of the claim made against the Customer; and ii) the Customer allows Mesh Nordic to control the defence of the claim and alone decide on any settlement.
3. Notwithstanding what is stated above in this section 9 or other parts of the Agreement, the liability of each Party is limited to the amount that the Customer has paid Mesh Nordic during the last twelve (12) months preceding the time of the damage and under no circumstances shall a Party be liable for any loss of profits or other indirect damage caused to the other Party, unless such damage is the result of intent or gross negligence.
4. Except for as stated in section 9.1, each Party shall be fully and solely responsible for any damages and administrative fines imposed to it under articles 82 and/or 83 of the GDPR.
1. This DPA is valid from the time the Agreement is entered into.
2. Upon termination of the Agreement without undue delay, Mesh Nordic shall either delete or return all personal data, in accordance with the Customer’s instructions to Mesh Nordic and ensure that each Sub-processor does the same. If the Customer does not inform Mesh Nordic that the personal data shall be returned, Mesh Nordic shall promptly delete the information, including any existing copies, unless the Customer’s in time given instructions result in taking another action, and in any case so that the data in question is not available and cannot be retrieved at Mesh Nordic. Mesh Nordic shall ensure this no later than thirty (30) days after the processing discontinues. Upon the Customer's request, Mesh Nordic shall confirm in writing that deletion has occurred and provide a written description of the measures taken in this regard.
3. This DPA remains in force as long as Mesh Nordic processes personal data on behalf of the Customer, including by deletion or returning of personal data according to section 10.2 above. This DPA shall thereafter cease to apply.
4. Sections that by their nature shall continue to apply even after this DPA has been terminated, e.g. sections 4 and 9.
1. If existing Data Protection Rules are changed so that this DPA does not meet the requirements for a data processing agreement pursuant to the GDPR, the Parties shall be entitled to request changes to this DPA in order to meet such new, changed or clarified requirements.
2. Mesh Nordic is at any time entitled to notify the Customer of a new or amended version of the DPA.
3. Changes in accordance with section 11.1 or 11.2 above shall enter into effect no later than thirty (30) days after the Party’s amendment notification, unless the other Party has objected to such proposed change or new version of the DPA. If a Party makes such an objection and the Parties are unable to agree within a reasonable time, Mesh Nordic shall have the right to terminate the DPA and/or other relevant parts of the Agreement in whole or in part with thirty (30) days' notice.
4. If Mesh Nordic would choose to adapt to the Customer’s objection, Mesh Nordic shall be entitled to reasonable compensation from the Customer for the costs that Mesh Nordic incurs as a result of such adaptation.
1. When a company in the same group as the Customer is the Customer of personal data processed by Mesh Nordic under this DPA, the obligations that Mesh Nordic has towards the Customer under this DPA shall apply towards such company that is the Customer, insofar as is necessary in order to comply with existing Data Protection Rules.
2. In the event of deviating provisions between other parts of the Agreement and this DPA, the provisions of this DPA shall prevail with regard to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA to the extent that this would result in that the Customer would not fulfil the GDPR.
3. This DPA supersedes and replaces all data processing agreements between the Parties potentially existing prior to this DPA.
4. If a Party assigns the Agreement (according to the terms of the Agreement), this DPA shall also be deemed assigned to the assignee of the Agreement. However, this DPA may still apply between the original Parties. No Party shall assign this DPA separately from the Agreement.
Purposes
Mesh Nordic only processes personal data under the DPA for the purpose of providing any and all services provided by Mesh Nordic as well as fulfilling its obligations under the Agreement in relation to providing the services, i.e.
• Information about historical orders/purchases that have been made.
Types of personal data
Personal data that is part of historical orders/purchases that have been made.
Categories of data subjects
End-customers that have placed an order/made a purchase from the Customer that's stored in their online store.
Retention time
60 days.
Processing operations
All end-customers' personal data is anonymized before it is processed. We are only interested in the order patterns of the end-customers to learn from and to make recommendations to the end-customers.
Information security measures:
The information security measures that Mesh Nordic takes at the time of conclusion of this DPA are listed in the Mesh Nordic data processing policy here.
The Sub-processors that are engaged by Mesh Nordic to perform parts of the processing assignment at the time of the conclusion of the DPA are listed on Mesh Nordic’s website here.