Legal
Data Processing Agreement
Last updated: 2026-05-11
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between the Bytesafe customer (the "Company") identified by the information provided upon account creation, and Bitfront AB, Swedish Registration number 559155-7912 (the "Data Processor"), with address Mellanvägen 5, 136 70 Vendelsö, Sweden (together the "Parties").
The Company acts as a Data Controller. The Company wishes to subcontract certain Services, which involve the processing of personal data, to the Data Processor. The Parties seek to implement a data processing agreement that complies with the requirements of Regulation (EU) 2016/679 (GDPR).
1. Definitions
"Company Personal Data" means any Personal Data processed by a Contracted Processor on behalf of the Company under the Principal Agreement. "Contracted Processor" means a Subprocessor. "Data Protection Laws" means EU Data Protection Laws and, where applicable, the data protection laws of any other relevant country. "EEA" means the European Economic Area. "GDPR" means EU General Data Protection Regulation 2016/679. "Services" means the Dependency Firewall SaaS that Bitfront AB provides. "Subprocessor" means any person appointed by the Processor to process Personal Data on behalf of the Company.
The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" have the same meaning as in the GDPR.
2. Processing of company personal data
The Processor shall comply with all applicable Data Protection Laws in the Processing of Company Personal Data, and shall not Process Company Personal Data other than on the Company's documented instructions. The Company instructs the Processor to process Company Personal Data as necessary to deliver the Services.
3. Processor personnel
The Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Company Personal Data. Access is strictly limited to those who need it to fulfill obligations under the Principal Agreement. All such individuals are subject to confidentiality undertakings or professional obligations of confidentiality.
4. Security
Taking into account the state of the art, implementation costs, and the nature, scope, and context of Processing, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures referred to in Article 32(1) of the GDPR.
5. Subprocessing
The Processor shall not appoint or disclose Company Personal Data to any Subprocessor unless authorized by the Company. For the current list of authorized subprocessors, see our Subprocessors page.
6. Data subject rights
The Processor shall assist the Company by implementing appropriate technical and organizational measures to fulfill the Company's obligations to respond to Data Subject rights requests under applicable Data Protection Laws.
The Processor shall promptly notify the Company of any Data Subject request received, and shall not respond to such requests except on the Company's documented instructions, or as required by applicable law.
7. Personal data breach
The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information for the Company to meet any reporting obligations under applicable Data Protection Laws.
The Processor shall cooperate with the Company to investigate, mitigate, and remediate any such breach.
8. Data protection impact assessments
The Processor shall provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities where the Company reasonably considers these required under Article 35 or 36 of the GDPR.
9. Deletion or return of data
Within 10 business days of the cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), the Processor shall delete all copies of that Company Personal Data, and provide written certification of compliance within 10 business days of the Cessation Date.
10. Audit rights
Upon request, the Processor shall make available all information necessary to demonstrate compliance with this Agreement, and shall allow for audits and inspections by the Company or an auditor mandated by the Company, to the extent required by applicable Data Protection Law.
11. Data transfers
The Processor may not transfer Company Personal Data to countries outside the EU/EEA without the prior written consent of the Company. Where transfers are required, the Parties shall rely on EU-approved Standard Contractual Clauses or other lawful transfer mechanisms.
12. Confidentiality
Each Party must keep this Agreement and information received about the other Party confidential, and may not use or disclose it without prior written consent, except where disclosure is required by law or where the information is already in the public domain.
13. Term
This Agreement remains in effect for as long as Bitfront AB carries out Personal Data processing operations on behalf of the Company, or until termination of the Dependency Firewall subscription and deletion of all Personal Data in accordance with Section 9.
14. Governing law
This Agreement is governed by the laws of Sweden. Disputes that cannot be resolved amicably will be settled by a Swedish court of general jurisdiction, with the Stockholm District Court as court of first instance.