About this Agreement
This Data Processing Agreement (DPA) applies when Webbfabriken AB processes personal data on your behalf in connection with delivery of services such as web hosting, operations, support, development, design, security services, backup or similar. This agreement is an integral part of our General Terms and Conditions.
Main Agreement
1. Parties and Roles
Data Controller (Customer):
The legal entity that has entered into an agreement with Webbfabriken for the delivery of services.
Data Processor:
Webbfabriken AB
Org.nr: 559274-4816
Tryffelslingan 12, 181 57 Lidingö
The customer is the data controller for personal data processed in the customer's systems and services. Webbfabriken AB is the data processor to the extent that we process personal data on the customer's behalf and according to the customer's instructions.
2. Scope and Annexes
This agreement is supplemented by:
- Annex A - Processing Description
- Annex B - Technical and Organizational Measures
- Annex C - Sub-processors
- Annex D - Incident Response
2.1 Order of Precedence
In case of conflict, the following order applies:
- This data processing agreement with annexes
- Special terms and SLA that explicitly refer to this agreement
- General Terms and Conditions
3. Subject, Duration, Nature and Purpose
The subject, duration, nature and purpose of the processing are specified in Annex A.
The agreement applies from the customer's order or when processing begins and remains in effect as long as Webbfabriken AB processes personal data on the customer's behalf.
4. Instructions
Webbfabriken AB processes personal data only according to documented instructions from the customer. Instructions can be given via email or other agreed contact channels.
If Webbfabriken AB determines that an instruction conflicts with data protection regulations, we will inform the customer without undue delay.
If Webbfabriken AB is obligated under EU law or Swedish law to process personal data in a manner other than according to the customer's instructions, we will inform the customer of this before processing begins, unless the law prohibits such information for important reasons of public interest.
5. Confidentiality and Access
Webbfabriken AB ensures that persons who have access to personal data are bound by confidentiality or equivalent confidentiality commitments.
Access is only given to authorized personnel and only when necessary to deliver, maintain, troubleshoot or secure the service.
6. Security
Webbfabriken AB implements appropriate technical and organizational measures to protect personal data. The measures are described in Annex B and may be updated as needed to maintain an appropriate level of protection.
As part of operations and security, Webbfabriken AB may use monitoring, logging, malware scanning and similar protective measures. This may mean that technical access to data may occur when necessary.
7. Sub-processors
The customer gives Webbfabriken AB general prior authorization to engage sub-processors to deliver the service. Sub-processors and categories of sub-processors are listed in Annex C.
Webbfabriken AB ensures that sub-processors are subject to data protection obligations that at least correspond to this agreement.
When adding or changing sub-processors, we will inform the customer in advance via email, normally at least 30 days before the change takes effect when practically possible. The customer may object with legitimate reasons within 14 days of the notification. If the parties cannot agree on a reasonable solution, either party may terminate the affected part of the service with immediate effect or according to the agreed notice period, without other consequences.
7.1 Third Country Transfers
If a sub-processor or supplier processes personal data outside the EU/EEA, we ensure that the transfer is carried out with appropriate safeguards according to applicable data protection regulations, such as the European Commission's Standard Contractual Clauses (SCC) or other approved mechanism.
8. Third-party Services
If the customer purchases or uses third-party services, the supplier's terms apply to that third-party service. Webbfabriken AB is not responsible for the supplier's own processing or delivery.
If Webbfabriken AB administers or supports third-party services for the customer, our processing takes place according to this processor agreement to the extent that we process personal data on the customer's behalf, for example via administrative access and support work.
9. Assistance to Customer
Webbfabriken AB shall, taking into account the nature of the service, assist the customer with reasonable help to respond to requests from data subjects and for the customer's compliance.
This includes, when relevant, reasonable assistance for the customer to fulfill obligations under GDPR Articles 32-36, taking into account the nature of the processing and the information available to us.
If the assistance requires extensive work beyond the agreed level, it may be charged according to the agreement.
10. Personal Data Incidents
Webbfabriken AB shall inform the customer without undue delay of a personal data incident concerning the customer's data.
Target Response Time:
The goal is that initial notification shall occur within 24 hours from the time we have confirmed the incident, when practically possible.
See Annex D for contact and information flow.
11. Return and Deletion
When processing ends, Webbfabriken AB shall, at the customer's choice and unless law requires otherwise, either delete the personal data or return it and then delete it.
Retention Period:
Unless otherwise agreed, we may delete data after 14 days from termination.
11.1 Backup for Web Hosting
When the customer uses web hosting, Webbfabriken AB may take backups as a protective measure for operations and security. Unless otherwise agreed:
- Backups are stored for up to 7 days.
- Backup is a protective measure and not a guarantee of full restoration in all situations.
- Restoration may require manual work and may be charged if not included in the agreed level.
11.2 Retention at Termination
When processing ends, customer data may be deleted after the retention period specified in the agreement or general terms. Backup copies may remain in rotating backup during the specified backup period even if the service has been terminated.
11.3 Accounting Data
Data that Webbfabriken AB needs to store as data controller for accounting and bookkeeping purposes is stored for 7 years, or the longer period required by law. This is not covered by processor processing in the customer's systems, but by Webbfabriken AB's own processing as data controller.
Work for export, migration or restoration may be charged if not included in the agreement.
12. Audit and Information
The customer may, upon request, receive reasonable information about compliance with this agreement.
Audits shall be planned in consultation and carried out in a manner that does not risk security or affect other customers.
13. Limitation of Liability
Liability and limitation of liability follow primarily the customer's agreement and general terms, to the extent permitted by law.
14. Contact
Data Protection Questions
Support & Incidents
Annexes
Annex A - Processing Description
1. Services and Scope
This agreement may apply to the following services:
- Web hosting and operations
- Support and troubleshooting
- Development and management
- Design and content management
- Security services and monitoring
- Backup and restoration
- Email and collaboration tools (e.g., Microsoft 365)
2. Duration of Processing
Processing takes place during the contract period and during any retention periods according to the agreement and general terms.
3. Nature and Purpose of Processing
Processing takes place to:
- Provide and administer the service
- Perform operations, maintenance and updates
- Troubleshoot, support and handle incidents
- Implement security measures such as logging, scanning and protection against malicious code
- Take backups and restore when necessary
- Perform migrations and handovers according to customer instructions
4. Categories of Data Subjects
Examples of data subjects whose data may be processed:
- Customer's employees and consultants
- Customer's customers and users
- Visitors to customer's website
- Recipients and senders in email
5. Categories of Personal Data
Examples of personal data that may be processed:
- Contact information (name, email, phone)
- Account information and user IDs
- IP addresses and log data
- Form data and messages
- Orders and customer history in customer's system
- Metadata in email and collaboration tools
Supplementary Text for Web Hosting and Server Operations
Webbfabriken AB provides platforms and operating environments, such as web hosting, virtual servers, databases and related services, where the customer can store data, publish content and operate their own applications.
This means that various categories of personal data may exist in the customer's environment, such as personal data about the customer's customers, users, partners and employees. Examples of data may include names, personal identification numbers, organization numbers, postal addresses, phone numbers, email addresses, IP addresses, login credentials, form data and other information necessary for the customer to deliver their services.
Webbfabriken AB does not normally actively process the customer's content. However, access to data may occur when necessary to deliver, administer, troubleshoot, security scan, backup, restore or otherwise maintain the service and security.
Webbfabriken AB is responsible for the overall security of the platform and infrastructure we deliver, such as operational management, basic protection, monitoring, logging and security measures.
The customer is responsible for ensuring that the security in the customer's applications, accounts, permissions, content and configurations is sufficient for the personal data the customer chooses to process, including only processing necessary personal data and using appropriate protective measures in their systems.
6. Special Categories of Personal Data
As a general rule, special categories of personal data (sensitive data) should not be processed in our services without written agreement and special protective measures.
7. Customer Instructions and Access
The customer instructs Webbfabriken AB via email and agreed contact channels. Webbfabriken AB may have technical access to data when necessary for operations, support and security according to the agreement.
8. Processing Location
Processing takes place on Webbfabriken AB's own servers in Sweden, unless otherwise stated in the agreement or unless the customer chooses services that involve processing elsewhere.
Annex B - Technical and Organizational Measures
1. Access Control
- Access is only given to authorized personnel.
- The principle of least privilege is applied.
- Administrative access is protected with strong authentication where practically possible.
- Accounts and permissions are reviewed as needed.
2. Logging and Traceability
- Relevant system events may be logged for operations and security.
- IP addresses and network events may be logged in firewalls and services as part of normal operations.
- Logs are used for troubleshooting, incident handling and security work.
- Logs are stored for a reasonable time based on purpose and risk.
3. Protection Against Malicious Code and Intrusion
- Malware scanning and protective measures may run on servers and file systems.
- Monitoring and alarms may be used to detect abnormal behavior.
- Blocking and isolation may be performed in case of risk of spread or damage.
4. Patching and Vulnerability Management
- Operating systems and central components are updated within reasonable time based on risk and impact.
- Vulnerabilities may be handled through updates, mitigation or configuration changes.
5. Backup and Restoration
- Backup may be performed according to agreed scope.
- Restoration is tested when reasonable and according to agreed level.
- Backup is a protective measure and not a guarantee of full restoration in all situations unless otherwise agreed.
6. Encryption and Communication
- Encrypted communication is used where reasonable, such as TLS for web and administrative interfaces.
- Encryption at rest may be used when practically possible and relevant.
7. Segmentation and Infrastructure Protection
- Firewalls and network rules are used to limit access.
- Services are only exposed when necessary.
- Restrictions may be imposed in case of abuse or security risk.
8. Personnel Security and Procedures
- Personnel are subject to confidentiality commitments.
- Procedures exist for incident handling and escalation.
- Procedures exist for change management when relevant.
9. Physical Security
Servers and infrastructure are protected with physical measures through data centers and premises, where relevant.
10. Changes
Security measures may be updated over time to maintain an appropriate level of protection and meet new threats.
Annex C - Sub-processors
1. Principle
Webbfabriken AB may engage sub-processors to deliver services. Sub-processors shall be subject to data protection terms that at least correspond to this processor agreement.
2. List of Sub-processors
Current sub-processors and categories:
| Category | Provider | Country |
|---|---|---|
| Storage and backup (when purchased by customer) | Storegate / CrashPlan | EU/EEA and third countries per supplier terms |
This list is updated as needed. Contact us for the latest version.
3. Third-Party Services We Administer
For certain services, the customer is the contracting party with the supplier, but Webbfabriken AB has administrative access to manage the service on the customer's behalf.
Microsoft 365 (Customer's Tenant)
The customer is the contracting party for Microsoft 365 and Microsoft processes personal data according to Microsoft's terms and data protection terms. Webbfabriken AB may have administrative access to manage licenses, users, settings and troubleshooting. We do not read the customer's email content as a matter of routine. Access to content can only occur if needed for support or incident handling and then according to the customer's instructions.
4. Customer's Own Suppliers
Certain suppliers are used directly by the customer, where the customer is the contracting party, such as domain registrars and DNS providers that the customer chooses. These are not Webbfabriken AB's sub-processors. If Webbfabriken AB assists with administration, this is done on the customer's instruction.
5. Changes
When adding or changing sub-processors, we will inform the customer in advance via email, normally at least 30 days before the change takes effect when practically possible. The customer may object with legitimate reasons within 14 days of the notification. If the parties cannot agree on a reasonable solution, either party may terminate the affected part of the service with immediate effect or according to the agreed notice period, without other consequences.
Annex D - Incident Response
1. Contact Channels
customersupport@webbfabriken.com
info@webbfabriken.com
The customer should designate a contact person for incidents (name, email, phone).
2. What Counts as a Personal Data Incident
A personal data incident is a security event that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data.
3. Notification and Initial Information
Webbfabriken AB informs the customer without undue delay when we have confirmed that an incident concerns the customer's personal data. Initial notification may contain preliminary information and be supplemented later.
Initial notification normally contains:
- What happened and when it was discovered
- Which systems are affected
- Assessed impact and risk level
- Actions already taken
- Recommended actions for the customer
- Next update time
4. Cooperation and Logs
The parties cooperate promptly to limit the damage. Webbfabriken AB may share relevant logs and technical findings to the extent possible and without risking other customers' security.
5. Communication and Reporting
The customer is responsible for assessing whether the incident should be reported to the supervisory authority or data subjects, unless otherwise agreed. Webbfabriken AB may assist with documentation according to the agreed level.