Data Processing Agreement

Last updated: 2026-03-18

The Swedish version of this document is the legally binding version. This English translation is provided for convenience only.

This Data Processing Agreement ("DPA") forms part of the agreement between Svenska Moln AB ("Processor", "Frostmoln") and the customer ("Controller", "you") for the provision of cloud infrastructure services. This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) and complies with Swedish data protection legislation.

1. Scope and Duration

This DPA applies to all processing of personal data that Frostmoln carries out on behalf of the Controller in connection with the provision of cloud infrastructure services under the Terms of Service. The duration of processing corresponds to the duration of the service agreement. Upon termination of the service agreement, the provisions regarding return and deletion of data in Section 11 shall apply.

2. Details of Processing

Subject matter: Hosting and processing of Customer Data on Frostmoln’s cloud infrastructure.

Nature and purpose: Storage, computation, networking, database management, and related infrastructure operations as instructed by the Controller through the use of the Services.

Types of personal data: Determined by the Controller. May include any type of personal data that the Controller chooses to store or process using the Services, including but not limited to names, contact information, financial data, health data, or other special categories of data.

Categories of data subjects: Determined by the Controller. May include the Controller’s customers, employees, contractors, suppliers, end users, or any other individuals whose data the Controller processes.

Processing activities: Storage, retrieval, backup, replication, encryption, transmission, and deletion of data as part of the infrastructure services.

3. Controller’s Obligations

The Controller shall:

• Ensure that there is a valid legal basis for the processing of personal data under the GDPR
• Provide documented instructions to the Processor regarding the processing of personal data
• Ensure that data subjects have been informed about the processing in accordance with Articles 13 and 14 of the GDPR
• Be responsible for the accuracy, quality, and legality of the personal data provided to the Processor
• Carry out data protection impact assessments (DPIAs) where required under Article 35 of the GDPR

4. Processor’s Obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller, unless required to do so by EU or Swedish law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law)
• Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement appropriate technical and organisational security measures as described in Section 7
• Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller, as described in Section 5
• Assist the Controller in fulfilling its obligations regarding data subject requests, as described in Section 9
• Assist the Controller in ensuring compliance with the obligations under Articles 32–36 of the GDPR, taking into account the nature of processing and the information available to the Processor
• At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Swedish law requires further storage
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, as described in Section 10

5. Sub-processors

The Controller grants general authorisation for the Processor to engage sub-processors, subject to the conditions set out in this section. The Processor shall maintain a current list of sub-processors, which is available upon request. As of the effective date of this DPA, the following sub-processors are engaged:

• Swedbank Pay (payment processing) — EU/EEA data processing, Swedish/EU-based provider (part of Swedbank group)
• Colocation datacenter provider (physical hosting) — EU/EEA location, no access to Customer Data

The Processor shall notify the Controller in writing at least 30 days before adding or replacing a sub-processor, providing the name, location, and description of processing activities. The Controller may object to a new sub-processor on reasonable grounds related to data protection within 30 days of notification. If the Controller objects and the parties cannot reach a resolution, the Controller may terminate the affected Services without penalty. The Processor shall impose data protection obligations equivalent to those set out in this DPA on each sub-processor by way of a contract.

6. International Data Transfers

All processing of personal data under this DPA takes place exclusively within the EU/EEA. The Processor shall not transfer personal data to a country outside the EU/EEA without the prior written consent of the Controller and only if appropriate safeguards are in place in accordance with Chapter V of the GDPR (such as Standard Contractual Clauses or an adequacy decision by the European Commission).

7. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

• Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
• Access control and authentication (multi-factor authentication, role-based access control)
• Network security (firewalls, intrusion detection/prevention systems, DDoS protection)
• Physical security of datacenters (access controls, surveillance, environmental controls)
• Regular security testing and vulnerability assessments
• Employee security awareness training
• Logging and monitoring of access to systems processing personal data
• Backup and disaster recovery procedures
• Incident response procedures

The Processor shall regularly evaluate and, where necessary, update these measures to maintain the appropriate level of security.

8. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting the Controller’s personal data. The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
• The name and contact details of the Processor’s contact point for further information
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Controller remains responsible for notifying the supervisory authority (IMY) and affected data subjects as required under Articles 33 and 34 of the GDPR.

9. Data Subject Requests

The Processor shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under the GDPR (access, rectification, erasure, restriction, portability, or objection). The Processor shall assist the Controller in fulfilling its obligation to respond to such requests, taking into account the nature of the processing. This assistance includes providing the Controller with the technical capability to retrieve, correct, or delete personal data stored in the Services. The Processor shall not respond directly to a data subject request unless instructed to do so by the Controller or required by applicable law.

10. Audit Rights

The Controller has the right to audit the Processor’s compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor appointed by the Controller, subject to reasonable confidentiality obligations. Audits shall be conducted with reasonable prior notice (at least 30 days, except in the case of a suspected data breach) and shall be carried out during normal business hours in a manner that minimises disruption to the Processor’s operations. The Processor shall make available all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and shall contribute to audits and inspections. The Processor may satisfy audit requirements by providing current third-party audit reports (e.g., SOC 2, ISO 27001 certifications) where they cover the relevant processing activities.

11. Data Return and Deletion

Upon termination of the service agreement, the Processor shall, at the Controller’s choice:

• Return all personal data to the Controller in a structured, commonly used, and machine-readable format; or
• Delete all personal data and certify such deletion in writing

The Controller has 30 days after termination to request return of data. After this period, the Processor shall delete all personal data unless EU or Swedish law requires further storage. Deletion includes all copies, backups, and replicas, and shall be completed within 30 days of the deletion request or the end of the retention period.

12. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service, except where such limitations are not permitted under the GDPR. Each party shall be liable for damage caused by processing that infringes the GDPR in accordance with Article 82 of the GDPR. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under the GDPR, or where it has acted outside or contrary to the Controller’s lawful instructions.

13. Contact

For questions about this Data Processing Agreement, please contact:

Svenska Moln AB
Email: dpa@frostmoln.se
Box 10074
434 21 Kungsbacka
Sweden