Data Processing Agreement (DPA)
This data processing agreement ("DPA") forms an integral part of the Geogiraph Subscription Agreement ("the Main Agreement") between the company purchasing the Service ("Data Controller", hereinafter "the Customer") and The Insiders Hub AB, corporate registration number 559525-3377 ("Data Processor", hereinafter "the Provider").
1. Introduction and Purpose
This DPA regulates the Provider's processing of personal data on behalf of the Customer in connection with the provision of the Geogiraph Service. Both parties undertake to comply with the data protection legislation applicable at any given time, including Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR").
2. Allocation of Roles and Instructions
2.1 The Customer is the data controller for the personal data processed in the Service and has full responsibility for ensuring that a legal basis exists for the processing.
2.2 The Provider is the data processor and may only process the personal data for the purpose of delivering the Service and in accordance with the Customer's documented instructions, which are set forth in the Main Agreement, this DPA, and the technical settings configured by the Customer within the Service.
2.3 If the Provider considers that an instruction violates the GDPR or other applicable data protection legislation, the Provider shall immediately inform the Customer thereof.
3. Confidentiality
The Provider shall ensure that all persons (employees and sub-contractors) authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security Measures
The Provider shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, as well as against loss, destruction, or damage. The level of security shall be adapted to technological developments and the risks associated with the processing.
5. Sub-processors
5.1 The Customer grants the Provider a general prior authorization to engage sub-processors to fulfill its obligations under the Main Agreement.
5.2 An up-to-date list of approved sub-processors is available on the Provider's website at https://geogiraph.com/legal/sup-processors.
5.3 The Provider shall inform the Customer (via email and/or website update) at least thirty (30) days before a new sub-processor is engaged or replaced. The Customer has the right to object to such changes within fourteen (14) days of receiving the notice, provided and on the condition that the objection is based on objective, documented, and legitimate data protection grounds.
In the event of such an objection, the Provider shall, at its sole discretion, be given the opportunity within thirty (30) days to either (i) take measures to remedy the grounds for the objection, (ii) offer an alternative solution where the sub-processor in question is not used for the Customer's data, or (iii) refrain from changing the sub-processor. If the parties, in consultation, cannot agree on a solution within this period, and it is not commercially or technically reasonable for the Provider to deliver the Service without the new sub-processor, the Provider has the right to terminate the Main Agreement with thirty (30) days' notice. In such case, the Customer is obliged to pay for the Service up to the date of termination, and is not entitled to a refund of fees already paid for the remaining contract period.
5.4 The Provider remains fully liable to the Customer for the performance of the sub-processor's obligations.
6. Geographical Transfer of Data
6.1 All storage and primary processing of the Customer's personal data and communication shall take place within the EU/EEA.
6.2 Measurements and anonymized data that do not contain personal data (with the exception of the Customer's company name) may be processed outside the EU/EEA. Since the company names of legal entities do not constitute personal data under the GDPR, such processing is not subject to the rules on third-country transfers.
7. AI Models and Product Improvement
7.1 The Provider exclusively uses enterprise-grade AI engines ("Enterprise grade AI") for the delivery of the Service. These engines are configured so that the Customer's data is not used by external third-party providers to train or improve their public models.
7.2 The Customer instructs and grants the Provider the right, to the extent the Provider chooses to do so, to anonymize personal data before the data may be aggregated to improve the Provider's own underlying algorithms, models, and services. Since anonymized data does not constitute personal data, such processing is not covered by the GDPR. The Provider does not currently use personal data for such training; this clause regulates a future possibility.
8. Cooperation and Data Subject Rights
The Provider shall, to the extent technically possible and taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in responding to requests from data subjects exercising their rights under the GDPR (e.g., right of access or erasure).
9. Personal Data Breaches
In the event of a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data processed on behalf of the Customer ("Personal Data Breach"), the Provider shall notify the Customer without undue delay after becoming aware of the incident.
10. Audit
The Provider shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. The Customer shall bear all costs associated with such an audit. Audits (on-site inspections) may occur at most once per year, must be notified at least 30 days in advance, must take place during ordinary working hours, and must not disrupt the Provider's daily operations or expose other customers' data.
11. Term and Erasure of Data
11.1 This DPA applies for as long as the Provider processes personal data on behalf of the Customer under the Main Agreement.
11.2 Upon termination of the Main Agreement, the Provider shall, at the choice of the Customer, delete or return all personal data to the Customer, unless applicable law requires continued storage of the personal data.
Appendix A — Specification of the Processing
This appendix constitutes the instruction for the processing of personal data.
| Section | Description |
|---|---|
| Purpose of the processing | Geogiraph is an automated infrastructure service that, on behalf of the Customer, builds and publishes a structured, machine-readable digital foundation about the Customer, aimed at mirroring reality so that AI services (such as ChatGPT) reflect an accurate picture of the Customer's business, as well as measuring the outcome of this. The Service creates the conditions for AI engines to reflect reality as it is instead of guessing, but the Provider does not control and cannot guarantee how external AI models choose to retrieve, prioritize, or reproduce information. |
| Categories of data subjects | |
| Types of personal data | Name, professional role/title, company addresses, work email, phone number, location, competencies/work history, and personal identity number (personnummer – only in cases where the Customer is a sole proprietorship and the corporate registration number is identical to the personal identity number). |
| Sensitive data | The Service is not intended for the systematic processing of sensitive personal data (under Article 9 of the GDPR). The Customer is responsible for avoiding the upload of such data as far as possible. To the extent that sensitive data nevertheless appears as unstructured data, the Provider's processing constitutes passive storage only, on the Customer's instruction. |
| Duration of the processing | Continuous throughout the Contract Period of the Main Agreement. |
