
Data Processing Agreement

Updated 2024-05-28

Table of Contents

1 Introduction

2 Agreements Documents

3 Processing of Personal Data

4 Security Measures

5 Transfer Outside of the EU/EEA

6 Use of Sub-Processors

7 Duties of Processor

8 Personal Data Breach

9 Confidentiality

10 Remuneration

11 Liability

12 Term and Termination

13 Return and Destruction of Personal Data

14 Governing Law and Dispute Resolution


Appendix I – List of Parties and Description of Processing

Appendix II - Technical and Organisational Measures

Appendix III – List of Sub-Processor

This data processing agreement ("DPA") forms part of the Agreement between 360Player AB ("Processor"), as data processor, and the customer that is party to the Agreement ("Controller"), as data controller. If there is any conflict between this DPA and the Agreement, this DPA shall prevail in relation to the processing of personal data.

Controller and Processor are jointly referred to as the “Parties” and each of them as a “Party”.

1 - Introduction

1.1 In order to perform its obligations under the Agreement, Processor will process personal data on behalf of Controller. This DPA is an appendix to the Agreement and regulates processing of personal data in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”) and any national or European Union law as applicable from time to time (“Applicable Data Protection Legislation”).

1.2 In the event of any conflict or inconsistency between the Agreement and this DPA related to the processing of personal data, the provisions of the DPA shall prevail.

2 - Agreements Documents

2.1 The following appendices are hereby incorporated by reference into this DPA:

Appendix I – Description of Processing

Appendix II – Technical and Organisational Measures

Appendix III – List of Sub-Processors

3 - Processing of Personal Data

3.1 The subject-matter, duration, nature and purpose of the processing are set out in Appendix I (Description of Processing).

3.2 Controller is responsible to ensure that the processing is carried out in accordance with Applicable Data Protection Legislation and for providing Processor with accurate and sufficient instructions.

3.3 Processor undertakes to process personal data only in accordance with the instructions under this DPA, the Agreement and documented instructions given by Controller from time to time, unless the processing is required by Applicable Data Protection Legislation. In such case, Processor shall inform Controller of the processing and the legal requirements on which the processing is based, prior to processing the personal data, unless providing such information is prohibited under Applicable Data Protection Legislation.

3.4 Processor shall promptly inform Controller if:

(i) Processor is unable to fulfil its obligations under the DPA;

(ii) Processor deems that the instructions provided by Controller infringe Applicable Data Protection Legislation; or

(iii) Processor deems that the instructions provided by Controller are inadequate or incorrect.

In such case Controller shall adjust its instructions.

4 - Security Measures

4.1 The Parties shall take appropriate technical and organisational security measures necessary to ensure a level of security appropriate to the risks presented when processing personal data, and when necessary implement and maintain the technical and organisational security measures set out in Article 32 GDPR.

4.2 The technical and organisational security measures agreed upon between the Parties are set out in Appendix II (Technical and Organisational Measures). Controller shall ensure that such measures comply with the provisions of Applicable Data Protection Legislation.

5 - Transfer Outside of the EU/EEA

5.1 Processor may at times transfer personal data to a country outside the EU/EEA in accordance with instructions provided by Controller, as further set out in the appendices to this DPA as updated from time to time. If personal data is transferred to a country outside the EU/EEA, the Parties shall ensure that the transfer is subject to an adequate transfer mechanism in accordance with Chapter V of the GDPR, for example by executing the applicable module of EU Commission’s approved Standard Contractual Clauses or binding corporate rules. To the extent necessary to ensure an adequate protection of personal data, the Parties shall agree upon additional safeguards in Appendix III (List of Sub-Processor).

6 - Use of Sub-Processors

6.1 Processor hereby obtains a general written authorisation from Controller to use sub-processors to process personal data on behalf of Controller. The list of sub-processors authorised by Controller for the processing of personal data upon the effective date of this DPA is set out in Appendix III (List of Sub-Processor). Processor shall inform Controller in writing of the addition or replacement of sub-processors at least 30 days before the change takes place, in order to give the Controller opportunity to object to the change.

6.2 Controller shall have the right to object in writing within 20 days of Processor informing the Controller of the change. Controller may object to the use of a sub-processor only if there is reason to believe that the sub-processor does not comply with the requirements of the Applicable Data Protection Legislation and state the reasons for the objection. Processor shall provide Controller with the information necessary for Controller to exercise its right to object.

6.3 Processor shall ensure that a written agreement imposes on sub-processors at least equivalent obligations in relation to the processing of personal data as those imposed on Processor under this DPA. Processor shall be fully liable to Controller for the performance by the sub-processor of its obligations, as for its own under this DPA.

7 - Duties of Processor

7.1 Processor shall, upon Controller’s reasonable request, assist Controller as far as reasonably possible and with regard to the nature of the processing, in fulfilling its obligations to respond to requests from data subjects to exercise their rights under the Applicable Data Protection Legislation. Processor shall notify Controller within 30 days if Processor receives any requests from data subjects. Processor may not respond to any requests without Controller’s specific prior written instruction to do so.

7.2 Processor shall, to the extent possible, taking into account the nature of processing and the information available to Processor, assist Controller in fulfilling Controller’s obligations under Articles 32–36 GDPR.

7.3 Processor shall, upon Controller’s reasonable request, provide Controller with the information necessary to demonstrate compliance with the obligations of the DPA.

7.4 In the event that Processor, according to Applicable Data Protection Legislation, is required to disclose personal data that Processor processes on behalf of Controller to supervisory authorities, Processor shall inform Controller thereof and request confidentiality in connection with the disclosure of the requested information.

7.5 Upon the reasonable request made by Controller or by an external auditor appointed by Controller, Processor shall allow an audit for the purpose of verifying that the processing of personal data by the Processor is carried out in accordance with the Applicable Data Protection Legislation and this DPA. Any third-party auditor is at the expense of the Controller.

8 - Personal Data Breach

8.1 Processor shall notify Controller in writing without undue delay after becoming aware of a personal data breach in relation to personal data processed by Processor on behalf of Controller. Processor shall, to the extent such breach has taken place at Processor, provide Controller with a description of the breach, its nature, its likely consequences and information on the measures taken or proposed to be taken to remedy and mitigate the consequences of the breach.

8.2 If Controller notifies a breach to the supervisory authority, Processor shall upon Controller’s reasonable request assist Controller and provide the requested information.

9 - Confidentiality

9.1 Processor undertakes not to disclose or otherwise make personal data processed under this DPA available to any third party without Controller's prior written consent, except for sub-processors engaged in accordance with this DPA.

9.2 Processor shall ensure that only staff and other representatives that require access to personal data have access to such information. Processor shall ensure that such persons are bound by confidentiality undertakings or subject to a statutory obligation of confidentiality.

9.3 Processor undertakes to ensure that confidentiality agreements are in place with any sub-processors engaged under this DPA.

10 - Remuneration

10.1 Processor is entitled to reasonable remuneration for costs and work incurred by Processor as a result of its obligations as specified below:

(i) Controller adjusts its instructions under section 3.1 above.

(ii) Controller adjusts its instructions under section 4.2 above.

(iii) Processor assists Controller in an audit in accordance with section 7.5 above.

11 - Liability

11.1 The Parties acknowledge that they each respectively are liable, accountable and responsible in their respective roles as Controller and Processor under the requirements set forth in the GDPR and this DPA. Any administrative fines, fees or sanctions imposed by the supervisory authority and/or compensation to data subjects shall be subject to the liability provisions set out in Articles 82–84 GDPR. If a Party processes personal data in violation of this DPA or Applicable Data Protection Legislation, the Party shall compensate the other party for direct damages suffered due to such wrongful processing and/or violation of this DPA in accordance with the limitations of liability set out in the Agreement.

12 - Term and Termination

12.1 This DPA enters into force when the Agreement is signed by both Parties and remains in force thereafter for as long as Processor processes personal data on behalf of Controller.

12.2 Processor has the right to terminate the DPA immediately by written notice to Controller if instructions given by Controller infringe Applicable Data Protection Legislation and Controller, after being notified of such circumstances, subsequently insists on applying such instructions.

13 - Return and Destruction of Personal Data

13.1 Upon termination or expiry of this DPA, Processor shall without undue delay stop processing personal data and at Controller’s written request delete all personal data of the Controller and delete any remaining copies, unless required by Applicable Data Protection Legislation.

14 - Governing Law and Dispute Resolution

14.1 The DPA shall be governed by Swedish law, excluding applicable conflicts of law rules.

14.2 Any dispute arising out of or in connection with the DPA shall be finally settled in accordance with the dispute resolution provision set out in the Agreement.

Appendix I – Description of Processing

1 Introduction

Appendix I (Description of Processing) describes the processing of personal data under the DPA.

2 Description of Processing

For Controllers with local privacy policy legislation, it is vital for Controller to understand which data has special classification in local privacy law. Minimizing sensitive data collection is recommended and 360Player will always have users consent to user terms and privacy policy.

Categories of data subjects

The following categories of data subjects will be included in the processing:

Controller’s employees/staff

Controller’s members and legal guardian/s of members

Categories of personal data that controller will process

The following personal data will be processed:


Date of birth


Phone number


Special categories of personal data that controllers may process

The following special categories of personal data will be included in the processing:

☐ Genetic data

Biometric data

Data concerning health

Other data controller needs to collect (custom data fields)

Nature and purpose of the processing

Processor processes personal data for the following purposes:

The personal data will be processed for controller to be able to use the system according to the purpose of the platform.

Duration of processing

Personal data will be processed in accordance with the following:

The duration of the processing corresponds to the duration of the Agreement or until controller removes data. Thereafter, the personal data will be processed for as long as required by Applicable Data Protection Legislation.

Appendix II - Technical and Organisational Measures

1 Introduction

Appendix II (Technical and Organisational Measures) specifies the technical and organisational measures taken to ensure a high level of security for the processing of personal data.

2 List of Technical and Organisational Measures

The following security measures have been explicitly agreed between the Parties:

  • 360Player is hosted at Microsoft Azure with the highest security protocol and two-factor authentication.
  • Traffic within the app uses SSL (TLS 1.2) encryption.
  • 360Player staff members are under confidentiality agreements and have restricted access to controller’s data.
  • Organization users can be structured to get limited access to data within the platform.
  • 360Player supports Single Sign On (SSO) and Directory sync for user lifecycle and provisioning.
  • 360Player and its services are fully compliant with GDPR and take measures quarterly to audit compliance.
  • Protocols are in place for reporting user generated content.
  • Audit trails exist on the account and user level.
  • Monitoring chats where minors are involved is possible.
  • SLA available upon request.

Appendix III – List of Sub-Processor

1 Introduction

Appendix III (List of Sub-Processor) sets out the sub-processors of Processor approved by Controller. SCC stands for “Standard Contractual Clauses” and means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR.

2 List of Sub-Processors

Controller has approved the sub-processors listed in the table below upon the effective date of the DPA. The table is updated from time to time:

Location of the processing (country)
Description of processing
Categories of personal data.
Transfer mechanism (for transfer outside of EU/EEA)
Transactional emails
Email, name
Customer support
Website hosting
Attn: Data Protection, One Microsoft Place South County Business Park, Leopardstown. Dublin 18, D18 P521, Ireland
Cloud storage and hosting
WorkOS
EU, USA
Attn: Data Protection Officer, 4th Floor, 8 Bloomsbury Street, London, WC1B 3QD, United Kingdom
Payment provider
Name, email, products
Raintank Inc dba. Grafana Labs, 165 Broadway, 23rd Floor, New York, NY, 10006, United States of America
Metrics and analytics
Holid AB, United Spaces, Götgatan 22A, 118 46, Stockholm, Sweden
Gender, age, family
Sinch, Mailjet
Parish HQ, 4 rue Jules Lefebvre, 75009 Paris, France
Germany and Belgium
Name, email
Mixpanel Inc, One Front Street, 28th Floor, San Francisco, CA 94111
Metrics and analytics