Data Processing Addendum

A Data Processing Addendum is a contract between data controllers and data processors and protects the user’s data in compliance with the GDPR or any other Privacy Laws.

The Customer agreeing to these terms (“Customer”) and Invajo AB, org. nr. 556984-0829, address Grev Turegatan 30, 114 38 Stockholm (“Invajo”) have entered into one or more Agreement(s) about the Invajo System (“The Service”) (each, as amended from time to time, (“Main Agreement(s)”).

This Data Processing addendum to the Main Agreement(s) including its appendices (the “Data Processing Addendum”) will, as from the Addendum Effective Date (as defined below), be effective and replace any previously applicable data processing agreement(s).

1. Background

  1. The Personal Data Act (1998:204), (Sw: Personuppgiftslagen), hereinafter “PUL”) and the General Data Protection Regulation 2016/679 (hereinafter “GDPR”), require a written agreement when data processors are to process Personal Data on behalf of a data controller. This Data Processing Addendum thus has the purpose of meeting the requirements pursuant to Section 30, second paragraph under PUL and the requirements pursuant to Articles 28-29 under GDPR on data processor agreements between a contractor and a processor. The Data Processing Addendum applies to all Personal Data processing performed by the Processor on behalf of the Controller.
  2. The Main Agreement is the agreement that governs what the Processor shall be responsible for and what duties the Processor should perform on behalf of the Controller. This Data Processing Addendum constitutes a supplementary agreement to the Main Agreement.
  3. In case of a conflict between the Main Agreement and the Data Processing Addendum, regarding the processing of Personal Data, the provisions of this Addendum shall prevail.

2. Definitions

The following terms are based on definitions under Article 4 GDPR.

  • Addendum Effective Date means, as applicable: (a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement prior to or on such date; or (b) the date on which Customer clicked to accept or the parties otherwise agreed to this Data Processing Amendment in respect of the applicable Agreement, if such date is after 25 May 2018.
  • Agreement, refers to the service and/or product agreement(s) between the Customer and Invajo.
  • Applicable data protection legislation, refers to Directive 95/46/EC of the European Parliament and of the Council, incorporated in Swedish law by the PUL, the Personal Data Ordinance (1998:1191), (Sw: Personuppgiftsförordning), and the GDPR with its implementing regulations. In the event of a conflict between the above-mentioned regulations, GDPR shall take precedence from 25 May 2018.
  • Controller, refers to the one which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • Data Subject, see the definition of Personal Data below.
  • Personal Data, refers to any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal Data breach, refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.  
  • Processing, refers to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Processor, refers to the one which processes Personal Data on behalf of the Controller.
  • Special categories of Personal Data (sensitive data), refers to Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
  • Standard data protection clauses, refers to the model clauses adopted by the European Commission or adopted by a supervisory authority and approved by the Commission (Article 46 c) – d) GDPR.
  • Supervisory Authority, refers to an independent public authority. At the time of signing this Data Protection Addendum, the Swedish supervisory authority is the Data Protection Authority.
  • Sub Processor, refers to the subcontractor employed by the Processor or by one of the Processor’s sub processors, which processes Personal Data on behalf of the Controller in accordance with the Controllers instructions, terms and the terms of a written sub-processor agreement.
  • Technical and Organisational Measures, refers to actions designed to protect Personal Data against accidental or illegal expulsion, accidental loss or change, unauthorized disclosure or unauthorized access, especially when the processing involves the transmission of data over a network and against any other form of illegal treatment.

3. Controller's obligations

  1. The Controller shall ensure that the Personal Data is only processed in accordance with applicable data protection legislation and other relevant laws.
  2. The Controller shall only provide the Processor with the necessary Personal Data for the purpose of the processing.
  3. The Controller is responsible for providing the Processor, without undue delay, with documents containing information regarding the purpose, nature, extent and duration of the processing, the categories of Data Subjects and other relevant instructions in order for the Processor to be able to fulfil its obligations under this Data Processing Addendum and applicable data protection legislation.
  4. The Controller is responsible for not providing the Processor with instructions that would entail unlawful processing and for ensuring that Personal Data is not processed for the purpose of promoting illegal activities. The Parties also agree that the Processor shall be held indemnified in the event such unlawful information is processed.
  5. The Controller shall, without undue delay, inform the Processor of changes in the processing that affects the Processor’s obligations. This includes changes resulting from third party actions as a result of the processing, such as by the Supervisory Authority or by the Data Subject.

4. Data processing

  1. Unless the Processor is required by law to process Personal Data for other purposes or means, the Processor may only process Personal Data in accordance with this Data Processing Addendum, applicable data protection legislation and the documented instructions of the Controller.
  2. The Processor may only process the Personal Data as instructed in Appendix 1 – Specification on the Processing of Personal Data.
  3. The Processor processes Personal Data as long as is necessary considering the purpose of the processing. The Processor shall enable the Controller to delete Personal Data at the end of the current term of the Main Agreement and the Processor shall delete Personal Data (including copies) on the Controllers instructions in accordance with applicable data protection legislation. The Processor shall without undue delay follow these instructions from the Controller.
  4. The Processor shall take steps to ensure that any person who performs work under the supervision of the Processor and who has access to the Personal Data, only processes the Personal Data in accordance with the Controller’s instructions, unless otherwise required by Union law or member states’ national law.
  5. Access to the Personal Data shall be restricted to persons who need it in order to perform their obligations.
  6. The Processor shall, at no additional cost for the Controller, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia as appropriate:

    A. The pseudonymization and encryption of Personal Data,
    B. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services,
    C. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident,
    D. a process for regularly testing, assessing and evaluating the effectiveness of the Technical and Organizational Measures for ensuring the security of the Processing.
  7. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
  8. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes on applicable data protection legislation. The Processor understands that the Processor is not required to provide legal advice to the Controller regarding the responsibilities of the Controller.
  9. In the event of a Personal Data Incident, or a high risk thereof, the Processor shall immediately inform the Controller, and provide the Controller with all necessary and accessible information that the Controller requires in order to take appropriate measures as well as in order to fulfil his obligations regarding the notification of Personal Data Incidents to the Supervisory Authority. The Processor shall instruct and coordinate any of its sub-processors in according to the Controller’s instructions at its owns cost.
  10. The Processor shall, without undue delay and no later than fifteen (15) business days after the request of the Controller, provide access to the Personal Data it has in its possession and make requested rectifications, erasures, restrictions or transfers of the Personal Data. Necessary measures to prevent recovery of Personal Data shall be taken after the Controller or the Processor has deleted Personal Data.
  11. The Processor shall keep a record of all Personal Data processing performed on behalf of the Controller and shall provide a readable transcript of the record upon the Controller’s or competent Supervisory Authority´s request.

    The record shall at least contain the following information:

    A. the name and contact details of the Controller and, where applicable, the joint controller, the Controller's representative and the data protection officer;
    B. the purposes of the Processing;
    C. a description of the categories of Data Subjects and the categories of Personal Data;
    D. the categories of recipients to whom the Personal Data have been or will be disclosed to;
    E. where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49:1 GDPR, the documentation of suitable safeguards;
    F. where possible, the envisaged time limits for erasure of the different categories of Personal Data;
    G. where possible, a general description of the technical and organizational security measures taken.

5. Purpose of processing

  1. The purpose of the processing are set out in Appendix 1 – Specification on the Processing of Personal Data.

6. Transfer of personal data

  1. With respect to Personal Data that originates from Controllers established in the European Union and is Processed by Processor outside of the European Union, Processor shall ensure that it has taken appropriate steps to ensure Personal Data is Processed in accordance with applicable data protection laws. Controller shall execute such further documents and do any and all such further things as may be necessary to ensure that any international transfers and subsequent Processing of Personal Data by Processor, Processor’s affiliates or their Sub-processors is in compliance with applicable data protection laws.
  2. In cases where the Processor transfer Personal Data to a country outside the European Economic Area ("EEA") and which the European Commission does not consider meets an adequate level of protection in relation to applicable data protection rules, the Parties shall conclude an additional agreement based on Standard Data Protection Clauses which the Processor is mandated to sign on behalf of Controller. Where applicable, the Processor shall, upon request, provide the Controller with a signed copy of such a supplementary agreement as referred to above.

7. Data subject's rights

  1. The Processor will provide the Controller with electronic access to its technical environment which holds Personal Data to allow the Controller to fulfil its obligations to the Data Subject, such as the Data Subject’s right to information, access, data portability, objection (including objection to automated decision making), erasure, rectification, restriction of processing. If such electronic access is not feasible or practical, the Processor shall instead, to the extent permitted by applicable law, follow the Controller’s documented instructions to fulfil the responsibilities of the Controller under this paragraph.
  2. The Processor shall forward to the Controller all requests from a Data Subject to erase, rectify or block Personal Data, or any other requests relating to Personal Data processed under this Data Processing Addendum.

8. Sub processor

  1. Processor may engage third party sub-processors to assist in the provision of Services, and Controller authorizes Processor to sub-contract Processing of Personal Data under this Data Processing Agreement to a third party provided that Processor shall be responsible for compliance by such Sub-processors with data protection obligations which are no less onerous than the data protection obligations of Processor contained within this Data Processing Agreement.
  2. Upon Controller’s written request, Processor shall make available to Controller a current list of key sub-processors engaged by Processor to process Personal Data in connection with the provision of the Services.
  3. Controller may choose to “opt-in” to receiving email notifications of any proposed changes to key sub-processors engaged by Processor by sending an email to privacy@invajo.com requesting the opt-in. If Controller has a reasonable basis to object to Processor’s use of a new Sub-processor, Subscriber may terminate the Main Agreement and this Data Processing Agreement by providing written notice to Processor.
  4. For the avoidance of doubt, no refund will be due from Processor in the event of termination by Subscriber pursuant to Section 8.
  5. The Controller has the right to request, and receive, a copy of the agreements between the Processor and its Sub Processors. If an agreement contains confidential information, the Processor shall provide the Controller with a version where confidential information is masked.

9. The processor's obligations

  1. The Processor agrees to comply with applicable privacy laws and regulations. In the event that a Data Subject, Supervisory Authority or other third party requests information from the Processor regarding the Processing of Personal Data, the Processor shall refer them to the Controller. The Processor may only disclose Personal Data, or other information about the processing of Personal Data, on the explicit instruction from the Controller or as a result of mandatory national or union law.
  2. The Processor is not entitled to represent the Controller or act on behalf of the Controller to Data Subject, Supervisory Authority or other third party.
  3. The Processor is liable for damages that occur for the Controller as a result of this Data Processing Addendum from: (i) breach of, at any point in time, applicable Personal Data law, by the Processor’s own conduct or failure to act; (ii) negligence; and/or (iii) Processing of Personal Data which goes beyond the Controller’s instructions.
  4. The total liability of the Processor for damages under this Data Processing Addendum is limited, unless the Processor has demonstrated intent or gross negligence, to a sum amounting to the annual fee for the Service, which is delivered on behalf of the Controller under the Main Agreement.

10. Controller's instructions

  1. During the terms of this Data Processing Addendum, the Controller may provide instructions to the Processor for the Processing of Personal Data in addition to what is specified in this Data Processing Addendum. The Processor will follow all such instructions in accordance with section ‎4.
  2. If an action requested by the Controller does not appear in the Main Agreement or this Data Processing Addendum (hereinafter "Additional Instructions"), the Processor is entitled to compensation from the Controller to follow his or her written instructions. Cost of Additional Instruction shall be approved by the Controller in advance.
  3. If the costs of meeting the Controller’s Additional instruction are unreasonable and disproportionate in relation to the service charge for the service under the Parties' Main Agreement, the Processor is entitled to terminate the Main Agreement and this Data Processing Addendum with thirty (30) days of notice.

11. Confidentiality

  1. The Processor agrees to not disclose or transfer any information regarding the processing of the Personal Data or any other information received under this Data Processing Addendum to any third party. The obligations stated in this section does not apply to: (i) information which a Party can show was known to the public at the time of reception; or (ii) information that a Party is issued to submit to an authority based on national or Union law.
  2. The Parties shall disclose Confidential information only to employees or subcontract personnel who need to know the Confidential information for their work in relation to the carrying out of the Main Agreement and/or this Data Processing Addendum.
  3. The Processor shall ensure that persons authorized to process Personal Data (employees, Sub Processor, consultants, or others) have undertaken to obey confidentiality or that they are subject to an appropriate statutory duty of confidentiality. The non-disclosure agreement with Sub Processors shall be displayed upon request from the Controller.
  4. The confidentiality obligation in this section 11 shall survive the Agreement.

12. Audit capability

  1. At the request of the Controller, the Processor shall provide the Controller with all information required to demonstrate that the Processor has fulfilled its obligations under this Data Processing Addendum, including a certificate of compliance with IT security requirements applicable to the services. The Controller may, by itself or by third party appointed by the Controller, review the Processor’s compliance to the terms of this Data Processing Addendum and the Main Agreement up to once a year. The Controller may carry out more frequent audits to the extent that there are special circumstances causing further control or if required by law. If a third party is to perform the audit, it must enter into a confidentiality agreement with the Processor before the audit is performed.
  2. In order to request an audit, the Controller must submit an audit plan at least two weeks before the proposed date of audit to the Processor, which describes the purpose of the audit, start date and expected extent and duration. The Processor shall review the audit plan and provide comments to the Controller in the event of any problems (for example, request for information that may endanger the Processor’s security, privacy or employment policies). The Controller will provide the Processor with a copy of all audit reports generated in connection with auditing carried out in accordance with this section. The Controller may only use the audit reports in order to comply with applicable laws and/or confirm compliance with the obligations under this Data Processing Addendum and the Main Agreement. Audit reports shall be treated as confidential information for the Parties under the terms of this Data Processing Addendum.
  3. All audits are made at the expense of the Controller. A request for the Processor to assist in an audit is considered a request for a separate service if such audit assistance requires different or additional resources. Before leaving such audit assistance, the Processor must have the written consent of the Controller that the Controller agrees to pay any related charges for assistance provided.

13. Collaboration of the parties

  1. The Parties shall cooperate to achieve the purpose of this Data Processing Addendum. The Parties undertake to dedicate time and to provide the other Party with information on their development plans, strategies and cooperation to the extent necessary to achieve the purpose of this Data Processing Addendum.

14. General data protection regulation

  1. On 25th May 2018, the GDPR will enter into force and the obligations and rights deriving from the Act shall also apply to this Data Processing Addendum.
  2. The Processor is obliged to cooperate with the Supervisory Authority on its own and upon request in addition to the terms of this Data Processing Addendum.

15. Compensation

  1. Unless specifically mentioned in this Data Processing Addendum, each Party shall carry their own costs relating to the processing of Personal Data in accordance with this Data Processing Addendum.

16. Term

  1. This Data Processing Addendum enters into force when the Main Agreement has been signed upon authorized signature of both Parties, and shall remain in force as long as the Processor processes Personal Data on behalf of the Controller based on the Main Agreement.
  2. The following Sections shall remain in force after termination of this Data Processing Addendum: Section 9.4 (Processor’s Obligations), 11 (Confidentiality), Section 16 (Term), Section 17 (Obligations after Termination of Agreement) and Section 18 (Applicable Law And Disputes).

17. Obligations after termination of agreement

  1. The Parties agree that the Processor and any Sub Processors, after the termination of the Main Agreement and, depending on what the Controller decides, shall within 90 days either return all the transferred Personal Data and copies thereof to the Controller, or permanently destroy all Personal Data, and in writing to the Controller attest to the destruction of all Personal Data.
  2. If return or destruction of the Personal Data, as described above, is not technically possible, or if the Processor has legal obligation to preserve the data after the termination of the Main Agreement, the Processor will confirm that he will preserve the confidentiality of the Personal Data, that he will not further process the Personal Data and that, if it is technically possible without unreasonable costs, he will anonymize the Personal Data in ways that render it impossible to recreate, as long as it does not violate any applicable laws.

18. Applicable law and disputes

  1. The Agreement shall be governed and interpreted by Swedish laws, without reference to the choice of law and conflict of law provisions thereof.
  2. Any dispute, controversy or claim in connection with this Data Processing Addendum shall be solved by mediation between the Controller and the Processor. The Parties shall be represented by each Parties’ CEO or by another qualified and suitable representative as chosen by that Parties CEO.
  3. If one of the Parties objects to Mediation or if the Mediation is terminated, the dispute shall be finally resolved in accordance with the Main Agreement.
  4. Any and all information disclosed during or otherwise in connection with the dispute procedure including the content of the award constitutes confidential information.

This agreement is accepted by the Controller by electronic signature.

Appendix 1 - Specification of processing of personal data

1. Instructions

  • 1.1.Brief description of the Service and the purpose of the treatment

Enter all purposes for which personal data are to be processed by Invajo:

Invajo is a digital tool for event-planning with which Event Organizers (Customers) can invite potential Participants (end users) and/or accept their registration.

  1. Invajo Main Agreement – Invajo will process personal data to the extent it is required to provide the Service, as described in the Main Agreement, and to follow the Customer’s instructions, as provided in its use of the Service.
  2. Invajo Main Agreement – Invajo will process personal data to the extent it is required in order to provide the end users of the Service with adequate support functions.
  • 1.2.Categories of personal data

The personal data to be processed by Invajo:

The Customer decides, at its sole convenience, which categories of personal data Invajo is to process, which may include:

  • Address
  • Email address
  • Employer
  • Employment Title
  • Event location presence
  • Name
  • Phone number
  • Sex

The Customer decides, at its sole convenience, which categories of personal data Invajo is to process, which does not include:

  • Birthdate
  • Cookies
  • Device Information
  • Employment Identification number
  • IP-address
  • National Identification Number (Social Security Number)
  • Nationality
  • Passwords
  • Pictures
  • Passwords
  • Sound Recordings
  • System Usage Data (behavior)
  • System Usage Location Data
  • System Usage Timestamps
  • User ID
  • Vehicle Registration Number
  • Address
  • The Customer is also given the option to use a Supplementary Service for ticket-sales through its use of the Service, in which the following categories of personal data is processed from the relevant Customer’s account holder:

    - Birth date
    - Valid passport or driver’s license
    - OR other as specified: _______________

Specify the special categories of personal data to be processed by Invajo (if any):

Invajo does not process special categories of personal data as part of basic Service. Special categories of personal data are processed only on instruction of the Customer, in its sole convenience. And may include:

  • Health information (Allergies, Special Diets)
  • Biometrics
  • Passport Number
  • Political Views
  • Race or Ethnic origin
  • Religious views
  • Sexual Orientation or preference
  • Union Affiliation
  • OR other as specified: _________________
  • Customer should notify Invajo when asking Invajo to process special categories of data.
  • 1.3.Categories of registered data subjects

Specify which categories of registered data subjects of whom the Supplier will process personal data and its scope.

The Customer decides, at its sole convenience, which categories of registered data subjects will be subject to processing, which may include:

  • Event Organizers (System Users)
  • Event Visitors (Attendees)
  • System Users
  • 1.4.Processing activities (storage, administration, datasets that have been matched or combined, etc.)

Invajo is the provider of the Service and process personal information in accordance with the Customer’s instructions in the Main Agreement and this Specification, which may include the following activities:

  • Adaptation
  • Alignment
  • Alteration
  • Collection
  • Combination
  • Consultation (Troubleshooting, Support)
  • Destruction
  • Disclosure by Transmission
  • Erasure
  • Retrieval
  • Storage
  • Structuring
  • 1.5.Enter all countries where personal data may be stored and / or processed by the Supplier:

Personal data is processed by Invajo and it sub-processors in Sweden, The United Kingdom, The Netherlands, Germany and USA (optional).

  • 1.6.Use in order to improve the Service

The Supplier has the right to process personal data "For the purpose of developing and improving the Service", this shall be explicitly stated in the table below:

Personal data may be processed for the following activities for the purpose of developing and improving the Service (if any):

  • Adaptation
  • Alignment
  • Collection
  • Combination
  • Consultation (Troubleshooting, Support)
  • Destruction
  • Disclosure by Transmission
  • Erasure
  • Retrieval
  • Storage
  • Structuring

Specification of the categories of personal data that may not be used to improve services ordered by the Customer (e.g.: name, address):

  • Cookies
  • Device Information
  • Email Address
  • Employer
  • Employment Title
  • Event Location Presence
  • IP-address
  • Name
  • Nationality
  • Passwords
  • Phone number
  • Pictures
  • Phone number
  • System Usage Data (behavior)
  • System Usage Location Data
  • System Usage Timestamp
  • User ID

These personal data should be retrieved from the following treatments performed by the Supplier on behalf of the Customer (e.g.: backup, storage, troubleshooting)

  • Collection
  • Consultation (Troubleshooting, Support)
  • Storage

And may only be used by the Supplier for the purpose of improving and / or developing the following types of services or categories of services ordered by the Customer (e.g.: Supplier's error handling process):

  • Billing
  • Compliance
  • Consultation (Troubleshooting, Support)
  • Customer Satisfaction
  • Error handling
  • Statistics

2. Security

Enter all organizational and technical security measures that are to be implemented by Invajo, Customer has a right to request specific documentation by contacting Invajo at privacy@invajo.com:

  • Physical access control
  • System Access Control
  • Personal Data access Control
  • Transfer Access Control
  • Control of Entry of Personal Data
  • Control of Availability
  • Control of Separation
  • Storage Policy
  • Safety Policy

Invajo Keeps the following Policies for compliance:

  • Acceptable Use Policy
  • Backup and Retention Policy
  • Change Management Policy
  • Data Breach Response Policy
  • Data Classification Policy
  • Email and Electronic Use Policy
  • Information Security Policy
  • Privacy Policy
  • Logging, Monitoring and Audit Policy
  • Mobile Device Policy
  • Password Policy
  • Patch Management Policy
  • Risk Assessment Policy
  • Logical and Physical Separation of Production and Development areas
  • 2.1.Physical access control

Measures that prevent unauthorized persons access to IT systems where processing of personal data occurs:

Invajo uses Glesys as sub-processor for servers and data storage that store Customer collected Personal Data.
Glesys state-of-the-art data centers are equipped with physical protection, CCTV, alarms, access control systems, backup power, and redundant internet connections. Certified according to ISO 27001.

  • 2.2.System access control

Measures to prevent unauthorized use of IT systems:

Invajo has access to the Customer’s data through an Admin interface that implements:

  1. Different levels of access to the system for every user, controlled and approved by management and implemented in our employees’ admin interfaces.
  2. Secure passwords are registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Access to Customer’s data is based on the employee’s role and needs on a user level. This is achieved by logical safeguards in the system by which the user only has access to the data that is necessary in order to perform the work as required by their Role and as required in order to Deliver the Service as defined in the Main Agreement. When accessing Customers collected Personal Data full system logging demonstrating access to this data is applied, as well as all changes made to personal data, this information is available to the Customer, these logs will follow the Invajo’s Logging, Monitoring and Audit Policy and contain the following information:

  • What activity was performed?
  • Who or what performed the activity, including where or on what system the activity was performed from (subject)?
  • What the activity was performed on (object)?
  • When was the activity performed?
  • What tool(s) was the activity was performed with?
  • What was the status (such as success vs. failure), outcome, or result of the activity?

Invajo staff needs to actively log into Customers environment which is only done by request of the Customer and per their strict instructions.

Invajo’s IT-operations and IT-security departments have access to Customer collected Personal data in order to reliably deliver the service in accordance with the Main agreement and this agreement and to comply with policies and regulations. Access is implemented with:

  • Secure passwords and two-factor authentication and Secure passphrases through secure encrypted SSH tunnels. Registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Customer may give access to their own environment by “inviting” Users to their account, no access is given unless a System User account is created for this User. Access can be revoked at any time.

  • 2.3.Personal data access control

Measures to ensure that persons authorized to use the IT system only have access to personal data restricted to the person's established authority:

Invajo has access to the Customer’s data through an Admin interface that implements:

  1. Different levels of access to the system for every user, controlled and approved by management and implemented in our employees’ admin interfaces.
  2. Secure passwords are registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Access to Customer’s data is based on the employee’s role and needs on a user level. This is achieved by logical safeguards in the system by which the user only has access to the data that is necessary in order to perform the work as required by their Role and as required in order to Deliver the Service as defined in the Main Agreement. When accessing Customer collected Personal Data full system logging demonstrating access to this data is applied, as well as all changes made to personal data, this information is available to the Customer, these logs will follow the Invajo’s Logging, Monitoring and Audit Policy and contain the following information:

  • What activity was performed?
  • Who or what performed the activity, including where or on what system the activity was performed from (subject)?
  • What the activity was performed on (object)?
  • When was the activity performed?
  • What tool(s) was the activity was performed with?
  • What was the status (such as success vs. failure), outcome, or result of the activity?

Invajo staff needs to actively log into Customers environment which is only done by request of the Customer and per their strict instructions.

Invajo’s IT-operations and IT-security departments have access to Customer collected Personal data in order to reliably deliver the service in accordance with the Main agreement and this agreement and to comply with policies and regulations. Access is implemented with:

  • Secure passwords and two-factor authentication and Secure passphrases through secure encrypted SSH tunnels. Registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Customer may give access to their own environment by “inviting” Users to their account, no access is given unless a System User account is created for this User. Access can be revoked at any time.

  • 2.4.Transfer access control

Measures to ensure that personal data cannot be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without permission, and that recipients can be identified and verified when transfer of personal data is performed via electronic transmission:

All electronic transmissions are encrypted with SSL/TLS. No data is transferred unless the System User has logged into the Invajo system. All changes to personal data is logged as well as extractions from the system in machine readable formats as per defined in Invajo’s Logging, Monitoring an Audit policy.

  • 2.5.Control of entry of personal data

Measures to ensure that it is possible to review and determine retroactively whether personal data has been entered, changed or deleted in the IT system and who has performed the activity:

All additions, changes or erasures of personal data is logged and monitored as per Invajo’s Logging, Monitoring and Audit Policy and the log is provided to the Customer. The log
will contain the following information:

  • What activity was performed?
  • Who or what performed the activity, including where or on what system the activity was performed from (subject)?
  • What the activity was performed on (object)?
  • When was the activity performed?
  • What tool(s) was the activity was performed with?
  • What was the status (such as success vs. failure), outcome, or result of the activity?
  • 2.6.Control of availability

Measures to ensure that personal data are protected from accidental destruction or loss:

Backups of personal data is performed on a regular basis as per defined in Invajos Backup and Retention Policy.

  1. A full system backup will be performed weekly. Weekly backups will be saved for a full month.
  2. The last full backup of the month will be saved as a monthly backup. The other weekly backup media will be recycled by the backup system.
  3. Monthly backups will be saved for one year, at which time the media will be reused.
  4. Yearly backups will be retained for five years and will only be run once a year at a predetermined date and time.
  5. Differential or Incremental backups will be performed daily. Daily backups will be retained for two weeks. Daily backup media will be reused once this period ends.

Backups are saved as per defined above and verified (at least yearly) through the performance of a complete data restoration and by verifying the access and integrity of restored data. Backups are transmitted to a place separate from current data. Backups have the same safety levels as the original data. Invajo undertakes regular emergency planning to ensure that Invajo’s organization, personnel and systems are readily available for processing within a timeframe that corresponds to the agreed level of service.

  • 2.7.Control of separation

Measures to ensure that personal data collected for different purposes can be treated separately:

Personal data is categorized and stored after the purpose of the processing and logically separated by “Event”. Access to the different personal data is logically separated at a System User Account level. To access Customer collected Personal Data a User needs to actively log into that Customers environment. Access can be given to a System User Account to either the entire Customer environment or to specific “event”. Access can be revoked at any time.

  • 2.8.Storage Policy

Measures to ensure that personal data are deleted during and after the term of agreement when use is no longer necessary for the initial purpose:

Customers may specify the retention schedule for the data Invajo Processes on behalf of the Controller. If Controller fails to specify retention time Invajo will erase or anonymize Personal Data six (6) months after it is deemed as inactive and not longer necessary to provide the service unless hindered to do so by law or technical limitations.

  • 2.9.Safety Policy

Provide the Supplier's internal security policy that apply to personal data processing, alternatively refer to website or other accessible platform, where the policy is available:

Invajo’s applicable security policies are provided to the Customer upon request sent to privacy@invajo.com.

3. Pre-approved sub processors

A list of sub processors can be found on the sub processors page.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.