DATA PROCESSING AGREEMENT

Exelement and Customer have entered into an agreement regarding Exelement’s provision of a Managed Integration platform as a service (SyncCloud) and the implementation of Marketo (the “Agreement”), of which this data processing agreement (“DPA”) shall form an integral part.

The above parties are hereinafter each referred to as a “Party” and jointly as the “Parties”.

1. Background and Purpose

1.1 As part of the Agreement, Exelement will be processing personal data on behalf of Customer. Customer is the data controller (hereinafter the “Controller”) and Exelement is the data processor (hereinafter the “Processor”) in relation to the personal data processed under this DPA (the “Included Personal Data”). The Included Personal Data is described in Schedule 1 (Instruction).

1.2 This DPA governs the conditions for Processor’s processing of, and access to, Included Personal Data on behalf of Controller in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation (all together “Applicable Legislation”).

1.3 The DPA comprises this document and the appendices. In the event of any contradictions between this document, Schedule 1 or the Agreement, this document shall take precedence.

1.4 All terms defined in Article 4 of GDPR shall have the same meaning in the DPA, unless expressly stated otherwise.

2. Processor’s Obligations

2.1 Scope of processing. Processor shall only process Included Personal Data in accordance with the DPA, the Agreement (including applicable amendments), Applicable Legislation and Controller’s instructions, unless further processing is required under applicable EU or member state law which Processor is subject to. In such case Processor shall inform Controller of this legal obligation unless such disclosure is prohibited by law.

2.2 Sub-processors. Controller hereby gives Processor a general authorization to engage sub-processors to process Included Personal Data (“Sub-processors”). If Processor engages Sub-processors, Processor shall enter into a sub-processing agreement with the same obligations as in this DPA. The current Sub-processors are listed in Schedule 2. Processor shall notify Controller via e-mail of any intended addition or replacement of its Sub-processors at least 30 days prior to such change being implemented. If the Controller has not objected within 30 days from the notice, the Controller is assumed to have approved the engagement. Processor shall maintain an updated list of Sub-processors and submit a copy of the list to Controller upon request. In the event a Sub-processor fails to fulfil its obligations under the Sub-processor agreement, Processor shall bear full liability to Controller for the performance of the Sub-processors’ work, undertakings, and obligations.

2.3 Third country transfers. Processor may, by itself or through its Sub-processors, transfer Included Personal Data to third countries, provided that prior to commencing such transfer or provision of access, Processor or Sub-processor, as applicable, meets the requirements and undertakings which follow from the GDPR, which may include entering into EU Standard Contractual Clauses.

2.4 Security. Processor shall implement appropriate technical and organizational measures in accordance with Schedule 1 to protect Included Personal Data, in particular against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Included Personal Data transmitted, stored or otherwise processed, as required pursuant to Article 32 of the GDPR.

2.5 Assistance and personal data breach. Taking into account the nature of the processing, Processor shall reasonably assist the Controller, insofar as this is possible, in the fulfilment of the Controller's obligations to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. Processor shall also assist Controller to fulfil its obligations pursuant to Articles 32 to 36 of the GDPR, especially regarding security of processing and personal data breach. Processor shall notify Controller without undue delay and at the latest within 48 hours after Processor has learned of a personal data breach affecting the Included Personal Data. Such notification shall at least:

a) describe the nature of the incident, including, if possible, the categories and number of data subjects concerned and categories of Included Personal Data concerned;  

b) describe the likely consequences of the incident; and  

c) describe what actions have been taken, or which the Processor proposes to take, to correct the incident, including, where appropriate, measures to reduce any adverse effects.  

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

2.6 Return of information. Processor shall upon termination of the Agreement or upon notice from Controller, at Controller’s choice, return or delete all Included Personal Data processed under the DPA, unless Processor is required to retain the Included Personal Data pursuant to national law or EU law.  

2.7 Audits by Controller. The Controller, including any third-party auditor (not being a direct competitor of the Processor) acting on behalf of the Controller, shall have the right to, once per year, upon thirty (30) calendar days' prior written notice, audit all information necessary to demonstrate that Processor is fulfilling its obligations under the DPA and Applicable Legislation. Processor shall enable and assist in audits at Controller’s cost. However, should the audit reveal any deficiencies in the operations of Processor, the Processor shall reimburse Controller its costs related to the audit.

2.8 Inspection by supervisory authority. Processor shall enable inspections performed by authorised supervisory authorities to ensure a correct processing of Included Personal Data. Processor shall comply with any decisions submitted by a supervisory authority regarding the security measures required to meet the security requirements set out in the Applicable Legislation.  

3. Confidentiality

3.1 In addition to any confidentiality obligations provided for in the Agreement, Processor undertakes not to disclose Included Personal Data or other information on the processing of Included Personal Data to any third party without express instruction from Controller. The undertaking does not, however, apply to information which is disclosed to Sub-processors for the purpose of enabling these to fulfil their obligations under a Sub-processing agreement, information which is generally known (due to other reasons than a breach of the DPA or the Agreement), information which Processor is required to disclose under mandatory legislation or under a decision or ruling of a court of competent jurisdiction or another competent authority. In the latter case, Processor shall inform Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.  

3.2 Processor shall ensure that each Sub-processor, employee or third party that is given access to Included Personal Data is subject to at least the same obligation of confidentiality as set forth in this Section 3.  

3.3 The obligation of confidentiality pursuant to this Section 3 shall apply without limitation in time.

4. Compensation  

Processor shall be entitled to reasonable compensation for all work and all costs that arise due to Controller’s instructions for processing if these exceed the features and level of security based on the services that Processor normally provides to its customers, e.g. in the case that Processor’s system and/or services require special adjustments or development following special requests from Controller. Processor is not entitled to compensation for costs which arise based on compliance with requirements set out in the Applicable Legislation.

5. Term

The DPA shall remain in force for as long as Processor processes Included Personal Data on behalf of Controller.

6. Liability and indemnification

6.1 Each Party undertakes to keep the other Party harmless in the case where the other Party is obliged to pay damages to a data subject in accordance with GDPR if the processing of Included Personal Data that forms the basis for compensation for damages has been performed by the first Party in contravention of this DPA or the GDPR.

6.2 The Parties agree that each Party shall solely and to the full extent cover a possible administrative fine, that a Party is liable to pay due to breach of its obligations under the GDPR or according to Applicable Legislation regardless of the reason therefor. Thus, the paying Party has no right to demand the other Party to be liable for any part of or pay such administrative fine.

6.3 A Party shall not be obliged to pay compensation for indirect damages such as for example loss of profit. For the avoidance of doubt, any liability according to Section 6.1-6.2 in this DPA is considered direct damages.

6.4 With the exception of Section 6.1-6.3, the maximum amount of damages according to the DPA shall be limited to 100 % of the total fees paid by Controller to Processor under the Agreement for a period of twelve (12) months before the damage occurred.

7. Miscellaneous

7.1 This DPA shall supersede any prior agreements, arrangements and understandings between the Parties and constitutes the entire agreement between the Parties relating to the subject matter hereof.  

7.2 All changes and amendments to the DPA shall be made in writing.

7.3 The Controller shall not be entitled to assign its rights and/or obligations under the Agreement, in whole or in part, without the prior written consent of the Processor.  

7.4 This DPA shall be governed by the substantive law of Sweden. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English. The choice of arbitration does not prevent either Party from seeking injunctive relief with respect of a breach of this DPA in any appropriate jurisdiction.

Instructions

All processing of Included Personal Data by the Processor on behalf of Controller shall be done in accordance with this Instruction:

Nature and purpose of the processing

Processor will access and store Included Personal Data in order to provide the service and to fulfill its obligations under the Agreement.

Categories of Included Personal Data

- Contact information (name, email, phone number, address, company),
- Title
- Technical data (such as IP address)
- Any other personal data provided by the Controller to the Processor as part of the services provided under the Agreement.

Retention period or criteria for data retention

Processor may process and store Included Personal Data only for as long as necessary for the purpose of performing its obligations under the Agreement and to comply with mandatory legislation. Processor stores audit logs for 30 days, unless otherwise instructed by Controller in writing. Processor shall delete or return all Included Personal Data in accordance with Section 2.6 of the Agreement.

Additional security measures  

- Encryption: e.g. hard disk encryption or cloud solution with encryption
- Transmission control: e.g. SSL/TLS certificate for websites (https://) to transfer data within forms, or encryption procedures for data in transmission (e.g. AES-256)
- Storage: e.g. encryption of data at rest (e.g. TLS 1.3)
- Confidentiality: e.g. password policies
- Limited data retention: e.g. rules for anonymizing/deleting data after a certain period of time

Sub-processors

Sub-processor: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg
Purpose of the processing: Hosting platform
Country of processing and lawful ground for processing outside of EU/EEA: Data stored on servers in Germany (potential indirect transfer of data outside of the EU/EEA)

Sub-processor: Elastic.co GmbH, Wahlerstrasse 2, 40472 Duesseldorf
Purpose of the processing: To enhance scaling and data security in the cloud we use elastic.co.
Country of processing and lawful ground for processing outside of EU/EEA: The Netherlands

Sub-processor: Cyclr, 12-16 Addiscombe Rd, Croydon CR0 0XT
Purpose of the processing: Integration supporting platform
Country of processing and lawful ground for processing outside of EU/EEA: UK