Data Processing Agreement
Last updated: March 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") governs the processing of personal data by POISE AB ("Processor") on behalf of the client ("Controller") in connection with the services provided under the service agreement.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- GDPR: Regulation (EU) 2016/679
3. Processing Details
- Subject matter: Cybersecurity monitoring and management services
- Duration: Duration of the service agreement
- Nature: Collection, storage, analysis, and reporting of security events
- Types of data: Email metadata, login events, security alerts, audit logs
- Data subjects: Client employees and authorised users
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Assist the Controller with data subject rights requests
- Assist with Data Protection Impact Assessments where required
- Notify the Controller without undue delay of any personal data breach
- Delete or return all personal data upon termination (within 30 days)
- Make available all information necessary to demonstrate compliance
5. Security Measures
- Encryption of data in transit (TLS 1.2+) and at rest
- Regular security updates and patching
- Role-based access control with multi-factor authentication
- Network isolation and firewall protection
- Daily backups with encrypted storage
- Regular security assessments
6. Sub-processing
The Processor shall not engage another processor without prior written authorisation from the Controller. All sub-processors must be located within the EU/EEA and bound by equivalent data protection obligations. The Processor remains liable for the acts of its sub-processors.
7. Data Transfers
No personal data shall be transferred outside the EU/EEA. All processing occurs within EU-based infrastructure.
8. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice and during normal business hours.
9. Data Return and Deletion
Upon termination of the service agreement, the Processor shall, at the Controller's choice, return or delete all personal data within 30 days, and certify deletion in writing.
10. Governing Law
This DPA is governed by Swedish law and the GDPR.
11. Contact
POISE AB
Brunnsgatan 9, 172 68 Sundbyberg, Sweden
Email: info@poise.se