Data Processing Agreement

📄

This DPA is available immediately — no request needed

Print or save as PDF using your browser's print function (Ctrl+P / Cmd+P). For a signed copy or custom annexes, contact privacy@supplira.io.

Contents

Parties
Definitions
Subject matter and duration
Nature and purpose of processing
Processor obligations
Sub-processors
Data subject rights
Security measures
Personal data breach notification
International transfers
Audit and inspection
Deletion and return
Liability
Governing law
Annex A — Processing details
Annex B — Security measures
Annex C — Sub-processors

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Processor

Supplira
Reg. no. 559458-4533
Sweden
Email: privacy@supplira.io

Data Controller

[Customer organisation name]
[Registration number]
[Address]
[Contact email]

Together referred to as the "Parties." The Controller is the entity that has subscribed to the Supplira service under the Terms of Service. This DPA forms part of and supplements the Terms of Service between the Parties.

2. Definitions

In this DPA, the following terms have the meanings set out below:

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
"Personal Data" has the meaning given in Article 4(1) GDPR.
"Processing" has the meaning given in Article 4(2) GDPR.
"Data Subject" has the meaning given in Article 4(1) GDPR.
"Sub-processor" means any processor engaged by Supplira who will process Personal Data on behalf of the Controller.
"Services" means the Supplira supplier risk management platform as described in the Terms of Service.
"Controller Data" means Personal Data submitted to or processed through the Services by or on behalf of the Controller.

3. Subject matter and duration

3.1 The subject matter of this DPA is the Processing of Controller Data by Supplira in connection with the provision of the Services.

3.2 The duration of the Processing corresponds to the duration of the Terms of Service, unless otherwise agreed in writing or required by applicable law.

4. Nature and purpose of processing

4.1 Supplira processes Controller Data to provide and operate the Services, which include:

Storing and managing supplier assessment data, findings, and risk records uploaded or created by the Controller
Sending assessment questionnaires and automated reminders to supplier contacts on behalf of the Controller
Processing supplier questionnaire responses submitted through the platform
Generating risk reports and executive summaries from Controller Data
Storing account and user data necessary to operate the Services

4.2 Supplira shall process Controller Data only in accordance with the Controller's documented instructions, which are set out in this DPA and the Terms of Service, unless required to do otherwise by applicable EU or member state law. In such cases, Supplira shall inform the Controller of that legal requirement before Processing, unless that law prohibits disclosure.

4.3 Supplira shall not use Controller Data for its own purposes, including for marketing, product development, or profiling of the Controller's suppliers or employees, unless this is expressly agreed in writing.

5. Processor obligations

5.1 Confidentiality. Supplira shall ensure that persons authorised to Process Controller Data are subject to appropriate obligations of confidentiality, whether under contract or by law.

5.2 Instructions. Supplira shall process Controller Data only on the Controller's documented instructions. Where Supplira believes an instruction would infringe the GDPR or other applicable data protection law, it shall promptly notify the Controller.

5.3 Assistance. Supplira shall assist the Controller, by appropriate technical and organisational measures and to the extent possible, in fulfilling the Controller's obligations to respond to requests by Data Subjects exercising their rights under Chapter III of the GDPR.

5.4 Compliance assistance. Taking into account the nature of Processing and the information available to Supplira, Supplira shall assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation).

6. Sub-processors

6.1 The Controller grants Supplira general authorisation to engage Sub-processors, subject to the conditions in this clause.

6.2 Supplira shall maintain an up-to-date list of Sub-processors, available at supplira.io/legal/subprocessors. Supplira shall notify the Controller of any intended addition or replacement of Sub-processors by updating this list and providing at least 30 days' prior notice where material changes are made.

6.3 The Controller may object to a new or replacement Sub-processor by notifying Supplira in writing within 14 days of notification. If the Controller raises a reasonable objection and the Parties cannot reach agreement, the Controller may terminate the relevant Services on written notice without penalty, subject to the terms of the Terms of Service.

6.4 Supplira shall impose on each Sub-processor data protection obligations equivalent to those set out in this DPA. Supplira shall remain fully liable to the Controller for the performance of the Sub-processor's obligations to the extent that Supplira has failed to fulfil those obligations.

7. Data subject rights

7.1 Supplira shall promptly notify the Controller if it receives a request from a Data Subject exercising rights under the GDPR (access, rectification, erasure, restriction, portability, objection). Supplira shall not respond to such requests on behalf of the Controller without the Controller's prior written authorisation, except where required by applicable law.

7.2 Supplira shall provide the Controller with reasonable technical assistance to enable the Controller to respond to Data Subject requests within the statutory timeframes.

8. Security measures

8.1 Supplira shall implement and maintain appropriate technical and organisational security measures to protect Controller Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures are described in Annex B to this DPA.

8.2 Supplira shall keep its security measures under review and may update them from time to time to reflect changes in technology, known threats, or applicable standards. Supplira shall not materially reduce the level of security provided without prior notice to the Controller.

9. Personal data breach notification

9.1 Supplira shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach involving Controller Data.

9.2 The notification shall include, to the extent available at the time:

A description of the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records affected
The likely consequences of the breach
The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects
Contact details for obtaining further information

9.3 Where Supplira cannot provide all information at the time of initial notification, it shall provide the information in phases without undue further delay.

10. International transfers

10.1 Supplira's primary application database is hosted in Sweden (AWS eu-north-1, within the European Economic Area). Some supporting services may involve transfers outside the EEA, in which case Supplira shall ensure an appropriate transfer mechanism is in place (Standard Contractual Clauses, adequacy decision, or equivalent), as detailed in Annex C.

10.2 Supplira shall not transfer Controller Data outside the EEA without appropriate safeguards and prior notification to the Controller where material changes to transfer practices are made.

11. Audit and inspection

11.1 Supplira shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations under this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller.

11.2 Any audit shall be carried out with reasonable prior written notice (at least 30 days unless a security incident requires otherwise), during normal business hours, with minimal disruption to Supplira's operations, and at the Controller's cost. Audits shall not occur more than once per calendar year unless required by a supervisory authority.

11.3 In lieu of a direct audit, Supplira may provide relevant certifications, security reports, or assessments from qualified third parties as evidence of compliance, where these are available and sufficient to address the Controller's audit objectives.

12. Deletion and return of data

12.1 Upon termination or expiry of the Terms of Service, or upon the Controller's written request, Supplira shall, at the Controller's choice, delete or return all Controller Data and delete all existing copies, unless applicable EU or member state law requires storage of the Personal Data.

12.2 Supplira shall confirm in writing to the Controller when deletion or return has been completed. Where deletion is technically infeasible (for example in backup systems), Supplira shall isolate the Controller Data from further Processing and delete it as soon as technically feasible.

13. Liability

13.1 Each Party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law.

13.2 Nothing in this DPA limits either Party's liability to Data Subjects or to supervisory authorities as required by the GDPR.

14. Governing law and jurisdiction

14.1 This DPA is governed by the laws of Sweden. The Parties submit to the exclusive jurisdiction of the courts of Sweden for any dispute arising under this DPA, unless the GDPR or applicable supervisory authority guidance requires otherwise.

14.2 This DPA shall not affect the rights of Data Subjects to bring claims before any competent supervisory authority or court in the EU.

Annex A — Details of processing

Subject matter: Supplier risk management — assessments, findings, risk scoring, and reporting.

Duration: For the term of the subscription agreement between the Parties.

Nature of processing: Storage, retrieval, transmission, analysis, and deletion of data submitted by the Controller in connection with the Services.

Purpose of processing: To provide the Supplira supplier risk management platform as described in the Terms of Service.

Types of personal data: The Controller determines the personal data submitted to the Services. This typically includes: names and business email addresses of supplier contacts and internal users; data submitted in supplier questionnaire responses; assessment and finding notes created by the Controller's users.

Categories of data subjects: The Controller's internal users (employees, contractors); the Controller's supplier contacts named in the platform; individuals who may be referenced in assessment responses or finding notes.

Special categories of data: The Services are not intended for the processing of special categories of personal data as defined in Article 9 GDPR. The Controller should not submit special category data to the Services without contacting Supplira to assess suitability.

Annex B — Technical and organisational security measures

Supplira implements the following measures to protect Controller Data:

Tenant isolation: PostgreSQL Row-Level Security (RLS) enforces account-scoped data isolation at the database layer. All runtime queries use a restricted database role subject to RLS policies.
Authentication: Passwords are stored using bcrypt hashing. Multi-factor authentication (TOTP) is supported for all user accounts. Login and MFA attempts are rate-limited.
Transport security: All data in transit is encrypted using TLS. HTTPS is enforced for all platform connections.
Encryption at rest: Data at rest is encrypted by the hosting provider (AWS) at the storage layer. MFA secrets are additionally encrypted at the application layer.
Access controls: Supplira staff access to production systems is restricted to authorised personnel. Platform administration is separated from customer account access.
Audit logging: Security-relevant events are recorded in an audit log accessible to account administrators.
Hosting: Primary application database hosted in Sweden (AWS eu-north-1). Supporting services may use approved sub-processors as listed in Annex C.
Vulnerability management: Supplira monitors dependencies for known vulnerabilities and applies security updates on a regular basis.
Incident response: Supplira maintains an internal process for identifying, assessing, and notifying customers of personal data breaches in accordance with this DPA.

Annex C — Approved sub-processors

The current list of approved sub-processors is maintained at supplira.io/legal/subprocessors. The Parties agree that this page constitutes notice of sub-processor usage for the purposes of this DPA.

Supplira will provide at least 30 days' advance notice of material changes to sub-processors via the subprocessors page and, where the Controller has enabled notifications, by email.

This DPA is provided as a standard agreement. For customers requiring a negotiated or countersigned DPA, contact privacy@supplira.io. By using the Services, the Controller agrees to be bound by this DPA as part of the Terms of Service.