Data Processing Agreement

DPA last updated: 2025-12-19

Sub-processors updated: 2025-12-02

GDPR & AI Compliant

This Data Processing Agreement (“DPA”) forms part of the Main Agreement regarding the subscription to the service Nestic ("Service") entered into by and between:

  1. The Customer (acting as “Controller”); and

  2. Future Memories AB, Reg. No. 556956-8008, Hossabergsvägen 64, 433 52 Öjersjö, Sweden (acting as “Processor”).

(Collectively the “Parties”).

1. BACKGROUND AND SCOPE

1.1 This DPA sets out the terms, requirements, and conditions on which the Processor will process Personal Data on behalf of the Controller when providing the Service. 

1.2 Both Parties confirm that this DPA represents the specific instructions of the Controller to the Processor.

2. PROCESSING OF PERSONAL DATA

2.1 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller. The Main Agreement and the use of the Service’s settings and features constitute such instructions. 

2.2 Compliance
The Processor shall comply with applicable Data Protection Laws (including the GDPR). The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR. 

2.3 Confidentiality
The Processor ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3. SECURITY MEASURES

3.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including protection against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure/access.

4. SUB-PROCESSORS

4.1 General Authorization
The Controller grants the Processor a general written authorization to engage sub-processors to perform specific processing activities (e.g., hosting, storage, AI analysis). 

4.2 Approved Sub-processors
The sub-processors listed in Appendix 1 are approved by the Controller upon signing this DPA. 

4.3 Updates
A current list of sub-processors is maintained in Appendix 1. The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors (e.g., via email or in-app notification) at least thirty (30) days in advance. 

4.4 Objections
The Controller may object to a new sub-processor on reasonable grounds relating to data protection. If the Parties cannot resolve the objection, the Processor may terminate the affected part of the Service or the Controller may terminate the Main Agreement. 

4.5 Liability
The Processor remains fully liable to the Controller for the performance of the sub-processor’s obligations.

5. INTERNATIONAL TRANSFERS

5.1 Location
Personal Data is primarily processed within the EU/EEA.

5.2 Transfers
The Controller acknowledges and agrees that specific processing activities (AI analysis by OpenAI, L.L.C.) involve the transfer of Personal Data to the USA. The Processor ensures that such transfers are lawful by verifying that the sub-processor is certified under the EU-U.S. Data Privacy Framework or by entering into EU Standard Contractual Clauses (SCCs).

6. DATA SUBJECT RIGHTS AND ASSISTANCE

6.1 The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject's rights (e.g., access, rectification, erasure). 

6.2 The Processor shall assist the Controller in ensuring compliance with obligations regarding security of processing, breach notifications, and data protection impact assessments (DPIAs), considering the nature of processing and the information available to the Processor.

7. PERSONAL DATA BREACH

7.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach. 

7.2 The notification shall describe the nature of the breach, likely consequences, and measures taken or proposed to address the breach.

8. AUDIT

8.1 Security Reports
Upon request, the Processor shall provide the Controller with its most recent security reports (e.g., summary of penetration tests or internal security reviews) to demonstrate compliance with this DPA. The Controller agrees to review these reports prior to requesting any on-site audit. 

8.2 Third-Party Audit
If the Controller reasonably concludes that the reports provided in Section 8.1 are insufficient to demonstrate compliance, the Controller may mandate an audit. Such audit shall be carried out by an independent third-party auditor mutually agreed upon by the Parties (not to be unreasonably withheld). 

8.3 Restrictions
Audits shall be conducted during normal business hours, with at least 30 days' prior written notice, and without disrupting the Processor’s business operations. The auditor shall not have access to the Processor’s proprietary information, source code, or any data related to other customers. The auditor shall be bound by a strict non-disclosure agreement (NDA). 

8.4 Costs
The Controller shall bear all costs arising from the audit, including the auditor's fees and compensating the Processor for time spent assisting with the audit at the Processor’s then-current professional services rates.

9. LIABILITY

9.1 Limitation
The Processor’s liability towards the Controller for any breach of this DPA (including fines or damages paid to third parties) shall be subject to the exclusions and limitations of liability set forth in the Main Agreement.

9.2 Indirect Damages
Under no circumstances shall the Processor be liable for indirect or consequential damages (such as loss of profit or data).

10. TERM AND TERMINATION

10.1 This DPA is valid for as long as the Processor processes Personal Data on behalf of the Controller. 

10.2 Upon termination of the Service, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, unless EU or Member State law requires storage of the Personal Data.

11. MISCELLANEOUS

11.1 Assignment
Any assignment or transfer of this DPA shall be governed by the assignment provisions of the Main Agreement. 

11.2 Conflict
In the event of any conflict between this DPA and the Main Agreement regarding data protection, this DPA shall prevail. Regarding other matters (e.g. liability), the Main Agreement shall prevail.

11.3 Governing Law and Disputes
This DPA shall be governed by the laws and dispute resolution forums stipulated in the Main Agreement.

APPENDIX 1 – DETAILS OF PROCESSING

1. Subject matter and duration
The provision of the Nestic service (digital cleaning inspections and AI analysis) under the Main Agreement. Duration corresponds to the subscription term.

2. Nature and Purpose
To facilitate cleaning inspections, document apartment conditions using photos, and utilize AI to assess cleaning quality.

3. Categories of Data Subjects

  • Tenants: Individuals using Nestic to document their home cleaning.

  • Customer Personnel: Employees using the administration interface.

4. Types of Personal Data

  • Contact details: E-mail addresses.

  • Property data: Apartment images, Object numbers/addresses.

  • Technical data: User roles, logs, authentication data.

5. Approved Sub-processors

  • Sub-processor: Firebase (firebase.google.com)
    Function / Purpose: Cloud infrastructure, database (Firestore), and authentication.
    Location: EU/EEA
    DPA: https://firebase.google.com/terms/data-processing-terms

  • Sub-processor: Vercel (vercel.com)
    Function / Purpose: Hosting of web interface.
    Location: EU/EEA
    DPA: https://vercel.com/legal/dpa

  • Sub-processor: Tally (tally.so)
    Function / Purpose: Web form service for collecting initial tenant data.
    Location: EU/EEA
    DPA: https://tally.so/help/data-processing-agreement

  • Sub-processor: OpenAI (openai.com)
    Function / Purpose: AI service for photo analysis. By default, abuse monitoring logs may contain customer content and are retained for up to 30 days.
    Location: USA
    Note on International Transfers: Where personal data originating from the EU/EEA is processed outside the EU/EEA (including by OpenAI affiliates in the USA), Future Memories AB ensures the transfer is governed by SCCs or an applicable adequacy decision under GDPR, as set out in OpenAI’s DPA.
    DPA: https://openai.com/policies/data-processing-addendum/