Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between DTF Gang Sheet Builder (“Processor,” “we,” “our,” or “us”) and you (“Controller,” “Customer,” “you,” or “your”) regarding the processing of Personal Data in connection with our SaaS platform services.

This DPA complies with the EU General Data Protection Regulation (GDPR) and supplements our Privacy Policy. Where this DPA conflicts with other agreements, this DPA takes precedence regarding data processing matters.

Definitions

For the purposes of this DPA:

• “Controller” means you, the customer, who determines the purposes and means of processing Personal Data
• “Processor” means us, DTF Gang Sheet Builder, who processes Personal Data on behalf of the Controller
• “Personal Data” means any information relating to an identified or identifiable natural person
• “Processing” means any operation performed on Personal Data, including collection, storage, use, or deletion
• “Data Subject” means the individual to whom Personal Data relates
• “GDPR” means EU General Data Protection Regulation (EU) 2016/679
• “Supervisory Authority” means the relevant data protection authority

Scope and Application

When This DPA Applies

This DPA applies when:

• You use our Service to process Personal Data of your customers, employees, or other individuals
• We process Personal Data on your behalf as part of providing our Service
• The processing falls under GDPR jurisdiction

Data Processing Activities

We process Personal Data in the following contexts:

• Account Management: User account creation, authentication, and management
• Service Provision: Providing access to our gang sheet design platform
• Design Processing: Temporary processing of uploaded design files (not stored)
• Support Services: Providing customer support and technical assistance
• Billing Operations: Processing subscription payments and billing information

Categories of Personal Data

Data We May Process on Your Behalf

• Account Information: Names, email addresses, company details
• Authentication Data: Login credentials, session information
• Usage Data: Platform usage statistics, feature utilization
• Support Data: Communications and support ticket information
• Billing Data: Payment information, subscription details

Design File Data

• Temporary Processing: Design files uploaded for gang sheet creation
• No Storage: Files are processed but not permanently stored on our systems
• Automatic Deletion: Files removed from temporary processing within 24 hours

Categories of Data Subjects

Data Subjects whose Personal Data we may process include:

• Your employees and team members using the Service
• Your customers whose designs you process using our platform
• Your business contacts and authorized users
• Individuals who contact us for support on your behalf

Processing Instructions

Lawful Processing

We will only process Personal Data:

• According to your documented instructions as Controller
• As necessary to provide the contracted Service
• As required by applicable law (with notification to you where possible)
• With your explicit written consent for any additional processing

Processing Limitations

We will not:

• Process Personal Data for our own commercial purposes
• Share Personal Data with third parties without your authorization
• Transfer Personal Data outside the EU/EEA without appropriate safeguards
• Retain Personal Data longer than necessary for service provision

Technical and Organizational Measures

Security Measures

We implement appropriate technical and organizational measures including:

Technical Safeguards:

• Encryption of Personal Data in transit and at rest
• Secure authentication and access controls
• Regular security updates and vulnerability assessments
• Secure hosting infrastructure with reputable providers
• Automated backup systems with encryption

Organizational Safeguards:

• Staff training on data protection requirements
• Access controls limiting data access to authorized personnel
• Confidentiality agreements with all staff handling Personal Data
• Regular review and update of security policies
• Incident response procedures for data breaches

Data Minimization

• We only process Personal Data necessary for service provision
• Data collection is limited to what is required for platform functionality
• Regular review of data processing activities to ensure necessity

Sub-Processors

Current Sub-Processors

We may engage the following categories of sub-processors:

• Cloud Hosting Providers: For secure infrastructure and data storage
• Payment Processors: For handling subscription billing and payments
• Email Service Providers: For sending service-related communications
• Analytics Providers: For platform performance and usage analysis (anonymized where possible)

Sub-Processor Obligations

All sub-processors:

• Are bound by data protection obligations equivalent to this DPA
• Implement appropriate technical and organizational measures
• Are regularly audited for compliance with data protection requirements
• Must notify us immediately of any data protection issues

Changes to Sub-Processors

• We will provide 30 days’ notice before adding new sub-processors
• You may object to new sub-processors with legitimate data protection concerns
• Current sub-processor list available upon request

Data Subject Rights

Facilitating Rights Requests

We will assist you in fulfilling Data Subject rights requests including:

• Right of Access: Providing access to Personal Data we process
• Right to Rectification: Correcting inaccurate Personal Data
• Right to Erasure: Deleting Personal Data when legally required
• Right to Restriction: Limiting processing in certain circumstances
• Right to Data Portability: Providing data in machine-readable format
• Right to Object: Stopping processing for legitimate interests

Support for Rights Requests

• We will respond to your requests within 72 hours
• Technical assistance provided for data export and deletion
• Documentation of processing activities available upon request

Data Breach Notification

Breach Response Procedure

In case of a Personal Data breach:

1. Immediate Assessment: We assess the nature and scope of the breach
2. Notification to You: Within 72 hours of becoming aware of the breach
3. Containment Measures: Immediate steps to contain and remedy the breach
4. Documentation: Full documentation of the incident and response measures
5. Regulatory Support: Assistance with any required regulatory notifications

Breach Information Provided

Our breach notification will include:

• Nature of the breach and categories of data affected
• Number of Data Subjects and Personal Data records affected
• Likely consequences of the breach
• Measures taken to address the breach and mitigate harm
• Contact information for further information

International Data Transfers

EU/EEA Processing

• Primary data processing occurs within the EU/EEA
• We use hosting providers located within the EU/EEA where possible
• Sub-processors selected with preference for EU/EEA locations

Transfers Outside EU/EEA

If data transfer outside EU/EEA becomes necessary:

• Appropriate safeguards will be implemented (Standard Contractual Clauses, etc.)
• You will be notified in advance of any planned transfers
• Transfer impact assessments conducted where required
• Additional security measures implemented for international transfers

Data Retention and Deletion

Retention Periods

• Account Data: Retained while subscription is active plus 90 days
• Design Files: Not permanently stored; deleted within 24 hours of processing
• Usage Data: Aggregated and anonymized after 12 months
• Support Data: Retained for 2 years for service improvement

Data Deletion

Upon termination of service or your request:

• Complete deletion of Personal Data within 30 days
• Secure deletion methods ensuring data cannot be recovered
• Certificate of deletion provided upon request
• Backup data securely deleted according to retention schedules

Audit Rights

Your Audit Rights

You have the right to:

• Request information about our data processing activities
• Receive copies of relevant certifications and audit reports
• Conduct audits of our data processing (with reasonable notice)
• Review our compliance with this DPA

Audit Process

• Audit requests should be made with 30 days’ advance notice
• Audits conducted during business hours with minimal service disruption
• Third-party auditors must sign confidentiality agreements
• Audit costs borne by the requesting party unless non-compliance is found

Liability and Indemnification

Liability Limitations

• Our liability is limited to direct damages caused by our breach of this DPA
• Liability caps as specified in our main Terms of Service apply
• We are not liable for your failure to comply with Controller obligations

Indemnification

You agree to indemnify us against claims arising from:

• Your violation of data protection laws as Controller
• Your instructions that violate applicable data protection law
• Your failure to obtain necessary consents for data processing

Termination

Effect of Termination

Upon termination of this DPA:

• We will cease processing Personal Data except as required by law
• Personal Data will be deleted or returned as per your instructions
• Sub-processors will be notified of termination requirements
• This DPA remains in effect until all Personal Data is deleted or returned

Contact Information

Data Protection Officer
DTF Gang Sheet Builder

• Email: hello@dtfgangsheetbuilder.com
• Subject Line: “DPA Inquiry” or “Data Protection Matter”
• Address: Mariebergsgatan 12 A, 731 34 Köping, Sweden

Supervisory Authority (Sweden): Integritetsskyddsmyndigheten (IMY)

• Website: https://www.imy.se/
• Email: imy@imy.se

Changes to This DPA

We may update this DPA to reflect:

• Changes in data protection laws
• Changes in our data processing activities
• Improvements to our security measures

Material changes will be communicated with 30 days’ advance notice via email and platform notifications.

This Data Processing Agreement is effective as of the date listed above and forms an integral part of our service agreement. This DPA complies with GDPR and Swedish data protection requirements.