Zensli Data Processing Agreement (DPA)

Introduction

This Data Processing Agreement (DPA) governs how PKGruppen AB processes personal data on behalf of our Customers when providing the Zensli service.

Definitions

  • “Customer” refers to the organisation using the Zensli Service.
  • “We” or “PKGruppen AB” refers to PKGruppen AB, a Swedish company (Reg. No. SE559008922201).
  • “Service” means the Zensli service provided by PKGruppen AB to analyse the online behaviour of the Customer’s website visitors or app users.
  • “Data Protection Legislation” means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and all other applicable laws relating to the processing of personal data and privacy.
  • “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Appropriate Technical and Organisational Measures” shall be interpreted in accordance with the Data Protection Legislation.

The parties agree that the Customer is the Data Controller, and PKGruppen AB is the Data Processor for personal data processed in providing the Service.

Nature and Purpose of Processing

The purpose of processing personal data is the statistical evaluation and analysis of performance and usage behaviour of individuals on the Customer’s websites or apps. This processing is done in an anonymous or pseudonymised manner. PKGruppen AB does not pursue its own purposes with this data processing.

Categories of Personal Data Processed

Depending on how the Customer configures the Service, the following types of personal data may be processed:

  • IP address (anonymised by default)
  • Geographic data (city, region, country, approximate latitude/longitude)
  • Browser, device type, operating system, and user agent
  • Date, time, and time zone
  • Pages and screens visited (URLs and titles)
  • Referrer URL
  • Marketing campaign URL parameters
  • Files downloaded and external links clicked
  • Screen resolution
  • Session recordings (HTML pages, mouse movements, clicks, scrolls, and keypresses)
  • Internal search terms
  • Custom dimensions, variables, events, and content
  • JavaScript errors
  • User ID
  • E-commerce data (order ID, date, abandoned carts)
  • Media titles and URLs
  • A/B test participation

The data subjects affected by this processing are end-users of the Customer’s websites and apps.

Obligations of PKGruppen AB (Data Processor)

  • Processing Instructions: PKGruppen AB will process personal data only in accordance with the Customer’s instructions, as configured through the Service settings.
  • Confidentiality: PKGruppen AB guarantees the confidentiality of processed personal data.
  • Compliance with Laws: PKGruppen AB will notify the Customer without undue delay if it believes an instruction violates Data Protection Legislation.
  • Data Subject Requests: If a data subject contacts PKGruppen AB directly, the request will be forwarded to the Customer without delay. PKGruppen AB will not act on such requests without the Customer’s documented instructions, unless required by law.
  • International Transfers: Any transfer of personal data outside the EU/EEA requires the Customer’s prior consent and compliance with GDPR Article 44.
  • Employee Training: PKGruppen AB ensures that employees handling personal data are informed of its confidential nature and comply with this DPA.
  • Subprocessors: PKGruppen AB may engage subprocessors, provided they comply with terms substantially similar to this DPA. The Customer will be notified of any changes to the subprocessor list and may object within 30 days.
  • Incident Notification: PKGruppen AB will notify the Customer without undue delay of any data breach, providing details and mitigation measures.
  • Assistance: PKGruppen AB will assist the Customer in complying with GDPR obligations, including data breach reporting, impact assessments, and prior consultations.

Customer Obligations

  • Legal Basis: The Customer warrants that it has the legal right to provide personal data to PKGruppen AB for processing, including obtaining necessary consents.
  • Compliance: The Customer shall comply with Data Protection Legislation at all times.

Technical and Organisational Measures

PKGruppen AB implements measures to ensure data security in accordance with GDPR Articles 28(3)(c), 32, and 5(1)-(2). These measures include:

  • Access Control: Restricting access to authorised personnel only.
  • Encryption: Encrypting data in transit (HTTPS) and at rest.
  • Incident Detection and Response: Logging system activities and responding to security incidents.
  • Availability and Redundancy: Ensuring fault tolerance and data backups.

Detailed measures are documented in Appendix 1.

Liability and Indemnity

Each party indemnifies the other against claims, losses, or damages arising from a breach of this DPA.

Duration and Termination

This DPA takes effect upon the Customer’s acceptance and continues until terminated in accordance with the Zensli Terms of Service. Upon termination, PKGruppen AB will delete the Customer’s data within 30 days, in line with its retention policy.

Appendix 1 – Technical and Organisational Measures

PKGruppen AB implements the following measures:

  • Access Control:
    • Authentication and authorisation mechanisms.
    • Restricted access to production environments.
    • Employee training on data security.
  • Transmission Control:
    • HTTPS encryption for data in transit.
    • Disk encryption for data at rest.
  • Incident Detection and Response:
    • Logging and monitoring system activities.
    • Incident response and tracking.
  • Availability Control:
    • Redundant systems and backups.
    • Regular testing of failover mechanisms.

Privacy Policy

For more information, please refer to the Zensli Privacy Policy available on our website.

By accepting this DPA, you confirm that you have the authority to bind the Customer and agree to its terms. If you do not have this authority, please do not accept this DPA.