Data processing agreement

Schedule 2 to Terms and conditions for business users

Version 1.0
Applicable from 2024-08-25

Capitalised words and terms not defined in this data processing agreement (this “DPA”) have the meaning ascribed to them in KnownID’s general terms and conditions for business users (the “Terms and Conditions”).

  1. Introduction

    1. KnownID AB, Reg. No. 559432-3924 (“KnownID”) provides a platform for sharing and managing KYC information and documentation (the “Platform”), where companies, organisations and others who have created a business account (a “Business User”) are given the right to use certain digital services and features related to KYC (the “Services”).

    2. In order to provide the Services to the Business User, KnownID will process personal data and other information on behalf of the Business User. For that reason, the Parties have agreed to regulate the conditions for KnownID’s processing of, and access to, personal data on behalf of the Business User in this DPA.

    3. This DPA consists of this document and the attached instruction (the “Instruction”). In the event of any contradiction between this document and the Instruction, this document prevails, unless otherwise specified or unless circumstances clearly dictate otherwise.

    4. For the purpose of this DPA, the terms “controller”, “processor”, “data subject”, “personal data”, “process” and “personal data breach” have the same meaning as set out in the EU General Data Protection Regulation (the “GDPR”).

  2. Generally regarding the processing

    1. The Business User is the controller of the personal data processed in connection with the Business User’s use of the Services. KnownID is to be considered a processor to the Business User for the processing of personal data carried out by KnownID on behalf of the Business User.

    2. The Business User authorises KnownID to transfer any personal data to third parties as necessary to fulfil the Services, fulfil the purpose of this DPA, including the Instruction, and/or to fulfil a legal obligation. This includes, but is not limited to, transferring the personal data to suppliers, partners and authorities.

    3. KnownID may only process personal data based on the Business User’s documented instructions as set out herein and in accordance with applicable law. If KnownID finds that instructions necessary to carry out the assignment are missing, or that instructions given by the Business User are contrary to applicable law, KnownID must notify the Business User without undue delay. In addition, KnownID is not obliged to follow instructions which, in the opinion of KnownID, are contrary to applicable law. In such event, KnownID may take any actions that it deems necessary to comply with applicable law.

    4. KnownID may process certain relevant information for its own purposes in its role as data controller (such as e.g. invoicing information). KnownID must provide information about such processing in its privacy notice as applicable from time to time.

  3. Agreement term and actions upon termination

    1. This DPA is valid as from execution and remains in force for as long as KnownID or any sub-processor retained by KnownID processes personal data on behalf of the Business User within the scope of the undertakings arising from this DPA.

    2. KnownID undertakes to erase all personal data related to the Business User sixty (60) days after the provision of processing services has ended (i.e. upon closure of the Business User’s Business Account (as defined in the Terms and Conditions)), unless storage of the personal data is required by applicable law or KnownID has its own legal basis to process the relevant personal data.

  4. Confidentiality

    1. KnownID must ensure that its employees and all other persons for whom KnownID is responsible and who are authorised to process personal data covered by this DPA undertake to observe confidentiality or are subject to a relevant and appropriate statutory duty of confidentiality.

  5. Security

    1. KnownID must take all necessary security measures required in accordance with Article 32 of the GDPR and this DPA.

    2. In assessing the appropriate level of security in accordance with the clause above, particular account must be taken of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss or alteration, or from unauthorised disclosure of, or access to, the personal data transmitted, stored, or otherwise processed.

    3. Taking into account the type of the processing and the information in possession of KnownID, KnownID undertakes to assist the Business User in ensuring that the Business User’s obligations regarding security can be fulfilled in the manner which follows from Article 32 of the GDPR.

  6. Personal data breach

    1. KnownID must notify the Business User without undue delay after becoming aware of a personal data breach related to the Business User.

    2. A notification according to section 6.1 must contain information regarding:

      1. the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

      2. the name and contact details of a contact person from whom more information can be obtained;

      3. the likely consequences of the personal data breach; and

      4. the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.

    3. Where, and in so far as, it is not possible to provide the information according to section 6.2 at the same time, the information may be provided in phases without undue further delay.

    4. Taking into account the type of processing and the information available to KnownID, KnownID undertakes to assist the Business User to a reasonable extent in ensuring that the obligations in connection with any personal data breach can be fulfilled in the manner which follows from Articles 33–34 of the GDPR as well as the performance of a data protection impact assessment and/or prior consultation with a supervisory authority in accordance with Articles 35 and 36 of the GDPR.

  7. Sub-processors

    1. The Business User has approved the sub-processors retained by KnownID at the date hereof and which are set out in the Instruction.

    2. KnownID undertakes to inform the Business User of any plan to retain a new sub-processor and/or replace existing sub-processors with a minimum of thirty (30) days’ prior notice, unless a shorter notice is agreed by the Business User. If the Business User does not object during the notice period, the Business User is deemed to have accepted the prospective sub-processor(s). If the Business User objects to a prospective sub-processor, the Parties agree to cooperate to find an appropriate solution. The Business User has the right to immediately terminate this DPA (and thereby close its Business Account) if an appropriate solution cannot be found.

    3. KnownID must ensure that each sub-processor enters into a written data processing agreement (no less protective than this DPA) before such sub-processor commences work that has a connection to the Business User. KnownID remains responsible to the Business User for the sub-processor’s fulfilment of its obligations under this DPA.

    4. KnownID may transfer, store, transmit, or otherwise process personal data on behalf of the Business User outside the EU/EEA, provided KnownID, before transfer to a third country commences, complies with the requirements and measures that follow from the GDPR or other applicable law with regard to third country transfers. KnownID undertakes, where applicable, to enter into the EU Commission’s Standard Contractual Clauses (SCC) or equivalent transfer mechanism with sub-processors whose operations are outside the EU/EEA.

  8. Request for information

    1. If a data subject or other third party requests information from KnownID regarding processing of personal data carried out on behalf of the Business User, KnownID must refer such data subject or other third party to the Business User.

    2. If a public authority requests information from KnownID regarding processing of personal data carried out on behalf of the Business User, KnownID must notify the Business User without undue delay, unless prohibited by law, and, in consultation with the Business User, agree on an appropriate course of action. KnownID does not have the right to represent the Business User or act on its behalf vis-à-vis the public authority.

    3. Taking into account the nature of the processing, KnownID must, through appropriate technical and organisational measures, assist the Business User, to the extent possible, so that the Business User can fulfil its obligation to respond to requests regarding exercise of the rights of the data subject in accordance with Chapter III of the GDPR.

  9. Right to transparency

    1. KnownID must provide the Business User with access to all information reasonably required to demonstrate that the obligations which follow from Article 28 of the GDPR have been fulfilled, and to a reasonable extent make possible and contribute to audits, including inspections, conducted by the Business User or by other auditor authorised by the Business User. Unless otherwise agreed in writing, each Party bears its own costs for the audit or inspection according to this clause 9.

    2. The Business User is responsible for ensuring that personnel and others retained by the Business User to conduct an audit or inspection in accordance with section 9.1 above have entered into a customary confidentiality undertaking that prevents the dissemination of data covered by the audit/inspection.

    3. The Business User must give KnownID thirty (30) days’ prior written notice of an audit or inspection. The audit or inspection must be carried out in a way which entails the least possible impact on KnownID’s operations. The audit or inspection must also comply with any security measures specified by KnownID, provided that those measures do not prevent or significantly complicate the audit or inspection.

  10. Additions and changes

    1. The Business User may add to and/or change the Instruction from time to time by giving thirty (30) days’ prior written notice to KnownID. If KnownID cannot reasonably fulfil such changed instructions (as decided by KnownID), KnownID may terminate this DPA (and thereby close the Business User’s Business Account) on the last day of the notice period.

    2. KnownID may add to and/or change this DPA in a manner decided by KnownID no later than thirty (30) days before such addition or change takes effect. If the Business User objects to such change and/or addition during the notice period, and the Business User has:

      1. a Full Business Account (as defined in the Terms and Conditions), KnownID may choose to apply the previous DPA for the remainder of the agreement term as set out in the Service Agreement. If KnownID applies the changed DPA, the Business User may terminate this DPA (and thereby close its Full Business Account) on the last day of the notice period.

      2. a Limited Business Account (as defined in the Terms and Conditions), the Business User may terminate this DPA and close its Limited Business Account on the last day of the notice period.


    3. In addition, KnownID may, with immediate effect and without prior notice, make such changes to this DPA that (i) are required by law, regulation or decision of a competent authority (unless the change is less favourable to the Business User, in which case KnownID will provide a notice or a notification within the Platform); and/or (ii) neither reduce the Business User’s rights nor increase the Business User’s responsibilities.

  11. Notices

    1. Any notices and other communications from the Business User to KnownID under this DPA must be made in writing via e-mail, in the Swedish or English language, to privacy@knownid.io. Any notices and other communication from KnownID to the Business User must be made in writing via email to the contact person set out in the Service Agreement, or as specified within the Platform. A notice is deemed to have been received by a Party on the day of delivery. Each Party is responsible for keeping their contact information up to date.

  12. Liability

    1. A Party’s liability to compensate for damage/loss that it, or another party for which it is liable, has caused to the other Party in connection with processing of personal data, or in the event of actions in breach of this DPA, is covered by the limitation of liability in clause 9 (Limitation of liability) in the Terms and Conditions.

    2. Any penalty fees according to Article 83 of the GDPR, or Chapter 6 Section 2 of the Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218) must be borne by the Party which was imposed such fee by a supervisory authority.

    3. A Party must inform the other Party immediately if it becomes aware of any impropriety that could lead to damage/loss of the other Party. In such event, the Parties agree to cooperate and work proactively together to prevent and/or minimize such damage/loss.

  13. Governing law and jurisdiction

    1. This DPA is governed by the substantive law of Sweden. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration as set out in the Terms and Conditions.

  Instruction

  1. The Platform

    Subject and purpose of KnownID’s processing of personal data on behalf of the Business User:
    Provide a platform for sharing and managing KYC information and documentation.

    Categories of personal data KnownID may process on behalf of the Business User:
    • Name
    • Address
    • E-mail address
    • Telephone number
    • Personal identity number
    • Place of birth
    • Date of birth
    • Nationality
    • PEP status
    • Tax residency
    • Identity verification data
    • Other information as provided by the Business User

    Categories of sensitive personal data KnownID may process on behalf of the Business User:
    • Political opinions (deriving from PEP screening)

    Categories of data subjects whose personal data KnownID may process on behalf of the Business User:
    • The owners, directors, employees, consultants and other key persons of the Business User
    • The owners, directors, employees, consultants and other key persons of any of the Business User’s counterparties

  2. Sub-processors

    Each sub-processor is listed with name of service provider, agreement date, service description and geographic processing of data.

    Twilio
    Agreement date: 7 June 2023
    Service description: Email automation
    Geographic processing of data: Server location: USA. See https://www.twilio.com/en-us/legal/sub-processors for information on sub-processors. Part of the EU-U.S. Data Privacy Framework; see https://www.dataprivacyframework.gov/list for more information.

    Criipto
    Agreement date: 4 July 2024
    Service description: Digital ID verification (eID)
    Geographic processing of data: Server location: EU

    ComplyAdvantage
    Agreement date: 15 June 2023
    Geographic processing of data: Server location: Ireland. See https://complyadvantage.com/sub-processors-list/ for information on sub-processors.

    DigitalOcean
    Agreement date: 20 June 2023
    Service description: Cloud services and data storage
    Geographic processing of data: Server location: Germany. See www.digitalocean.com/trust/subprocessors for information on sub-processors.

    MongoDB
    Agreement date: 27 July 2023
    Service description: Cloud services and data storage
    Geographic processing of data: Server location: Ireland