Data Processing Agreement

Between Stagecast AB and the Customer, pursuant to Art. 28 GDPR

1. Subject of the Agreement

In the course of the fulfillment of the contract between Stagecast AB, Rålambsvägen 17, 112 59 Stockholm (the “Processor”) and the customer (the “Customer”, together with the Processor the “Parties”) regarding the provision of the Processor’s software to the Customer (the “Contract”), it is possible that the Processor deals with personal data pursuant to Art. 4 no. 1 General Data Protection Regulation (“GDPR”), i.e. any information relating to an identified or identifiable natural person (e.g. names, addresses or phone numbers of persons who are the Customer’s customers), with regard to which the Customer acts as a controller pursuant to data protection law (the “Customer Data”).

This agreement (the “Agreement”) specifies the data protection obligations and rights of the Parties in connection with the Processor’s use of Customer Data to render the services under the Contract.

2. Scope of the Processing

The Processor shall process the Customer Data on behalf and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR. The Customer remains the controller pursuant to Art. 28 GDPR.

The processing of Customer Data by the Processor occurs in the manner and the scope and for the purpose determined in Annex 1 to this Agreement; the processing relates to the types of personal data and categories of data subjects specified therein. The duration of processing corresponds to the term of the Contract.

The Processor reserves the right to anonymize or aggregate the Customer Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of:

  • Needs-based designing and machine-learning;
  • Developing and optimizing services; and
  • Rendering of the services agreed as per the Contract.

The Parties agree that anonymized and aggregated Customer Data are not considered Customer Data for the purposes of this Agreement.

The Processor may process and use the Customer Data for the Processor’s own purposes as controller to the extent legally permitted by data protection law, if permitted by a statutory permission or consent by the data subject. This Agreement does not apply to such data processing.

The processing of Customer Data shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Processor is nevertheless permitted to process Customer Data outside the EEA if:

  • The Processor informs the Customer in advance about the place of data processing; and
  • The requirements of Art. 44 to 48 GDPR are fulfilled, or an exception according to Art. 49 GDPR applies.

3. Right of the Customer to Issue Instructions

The Processor processes the Customer Data in accordance with the instructions of the Customer, unless the Processor is legally required to do otherwise. In the latter case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The instructions of the Customer are in principle conclusively stipulated and documented in the provisions of this Agreement. Individual instructions which deviate from the stipulations of this Agreement or which impose additional requirements shall require the Processor’s consent.

If the Processor is of the opinion that an instruction infringes this Agreement or applicable data protection law, the Processor is entitled to suspend the execution of the instruction until the Customer confirms it. The Parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Customer.

4. Legal Responsibility of the Customer

The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Customer Data in accordance with this Agreement, the Customer shall indemnify the Processor from all such claims upon first request.

The Customer is responsible for:

  • Providing the Processor with Customer Data in time for the rendering of services;
  • The quality of the Customer Data; and
  • Informing the Processor immediately and completely if errors or irregularities with regard to data protection provisions or instructions are found.

Upon request, the Customer shall provide the Processor with the information specified in Art. 30 para. 2 GDPR, insofar as it is not already available to the Processor. If the Processor is required to provide information to a governmental body on the processing of Customer Data, the Customer is obliged to assist the Processor at first request.

5. Requirements for Personnel and Systems

The Processor shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.

6. Security of Processing

The Processor takes necessary appropriate technical and organizational measures according to Art. 32 GDPR, taking into account:

  • The state of the art and implementation costs;
  • The nature, scope, circumstances and purposes of the Customer Data; and
  • The different likelihood and severity of the risk to the rights and freedoms of data subjects.

The implemented technical and organizational measures are listed in Annex 2. The Processor shall have the right to modify these measures during the term of this Agreement, as long as they continue to comply with statutory requirements.

7. Engagement of Further Processors

The Customer grants the Processor the general authorization to engage further processors with regard to the processing of Customer Data. Further processors engaged at the time of conclusion of this Agreement are listed in Annex 3.

No authorization is required for contractual relationships with service providers concerned with examination or maintenance of data processing procedures or systems, as long as the Processor takes reasonable steps to protect the confidentiality of the Customer Data.

Customers may subscribe to subprocessor change notifications by contacting support@stagecast.io. Notifications will occur no later than 14 days prior to any changes. If no objection is raised within 14 days, the right to object lapses. If the Customer objects, the Processor is entitled to terminate the Contract and this Agreement with a notice period of three months until the end of a month.

The agreement between the Processor and any further processor must impose the same obligations on the further processor as those incumbent upon the Processor under this Agreement.

8. Data Subjects’ Rights

The Processor shall support the Customer within reason in fulfilling the Customer’s obligation to respond to requests for exercising data subjects’ rights. Specifically, the Processor will:

  • Forward any requests from data subjects submitted directly to the Processor to the Customer in a timely manner;
  • Inform the Customer of stored Customer Data, recipients of Customer Data, and the purpose of storage, where this information is unavailable to the Customer;
  • Enable the Customer to correct, delete or restrict the further processing of Customer Data, or carry out these actions itself at the instruction of the Customer; and
  • Support the Customer in handing over Customer Data in a structured, commonly used and machine-readable format where a right of data portability exists pursuant to Art. 20 GDPR.

In cases where the Processor carries out such actions itself, the Processor shall be reimbursed for the expenses and costs incurred.

9. Notification and Support Obligations of the Processor

Insofar as the Customer is subject to a statutory notification obligation due to a breach of security regarding Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall:

  • Inform the Customer in a timely manner of any reportable events in the Processor’s area of responsibility; and
  • Assist the Customer in fulfilling the notification obligations to the extent reasonable and necessary.

The Processor shall also assist the Customer with data protection impact assessments and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR. In all such cases, the Processor shall be reimbursed for the expenses and costs incurred.

10. Deletion and Return of Customer Data

Upon termination of this Agreement, the Processor shall, at the discretion of the Customer:

  • Either delete or return the Customer Data; and
  • Delete existing copies thereof;

unless the Processor is obligated by law to further store the Customer Data. The Processor may retain documentation which serves as evidence of the orderly and accurate processing of Customer Data after termination of this Agreement.

11. Evidence and Audits

The Processor shall provide the Customer, at the Customer’s request, with all information required to prove compliance with its obligations under this Agreement. The Customer shall be entitled to audit the Processor with regard to compliance, subject to the following conditions:

  • Inspections must take place within usual business hours (Mondays to Fridays, 10 am to 6 pm);
  • The Customer must provide timely advance notification of at least two weeks;
  • Inspections must not disrupt the course of business and must be conducted under strict secrecy of the Processor’s business and trade secrets;
  • The Customer may carry out no more than one audit per calendar year; and
  • The Customer may not commission any of the Processor’s competitors to carry out the audit.

The Customer is not entitled to access data or information about the Processor’s other customers, cost information, quality control reports, or any other confidential data not directly relevant to the agreed audit purposes.

At the discretion of the Processor, proof of compliance may alternatively be provided by submitting a current opinion or report from an independent authority or a suitable certification by an IT security or data protection audit (the “Audit Report”).

12. Contract Term and Termination

The term and termination of this Agreement shall be governed by the term and termination provisions of the Contract. A termination of the Contract automatically results in a cancellation of this Agreement. An isolated termination of this Agreement is excluded.

13. Liability

The Processor’s liability under this Agreement shall be governed by the disclaimers and limitations of liability provided for in the Contract. As far as third parties assert claims against the Processor caused by the Customer’s culpable breach of this Agreement, the Customer shall upon first request indemnify and hold the Processor harmless from these claims.

The Customer undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Customer’s part of responsibility for the infringement sanctioned by the fine.

14. Final Provisions

In case individual provisions of this Agreement are or become ineffective, the remaining provisions shall remain unaffected. The Parties undertake to replace any ineffective provision with a legally permissible provision which comes closest to its purpose and satisfies the requirements of Art. 28 GDPR.

In case of conflicts between this Agreement and other arrangements of the Parties, in particular the Contract, the provisions of this Agreement shall prevail.

Annex 1 – Scope of Data Processing

1. Purpose and Extent of Data Processing

Provision of the Stagecast software as a web application which functions as a platform for creating, collaborating, and distributing audience interactions (so-called “activities” or “activations”); fulfilment of the Processor’s obligations under the Contract.

2. Types of Personal Data

  • Contact data
  • Usage data
  • Any data filled in by the Customer in the Software
  • Employee Data; Customer Data; Supplier Data
  • User-generated Data
  • User data (e.g. email address, name, nationality, birthdate, telephone numbers, addresses)
  • Profile data, usernames, passwords
  • Log files

3. Categories of Data Subjects

  • Users of the Stagecast software
  • Possibly other data subjects mentioned or included in data filled in by the Customer in the Software

Annex 2 – Technical and Organizational Measures (Art. 32 GDPR)

According to Art. 32 GDPR, controller and processor of personal data must take technical and organizational measures (TOM) to ensure that security and protection requirements of data protection are met. Technical measures are physically implementable protections (hardware, software, physical security); organizational measures are implemented through instructions, procedures and processes.

1. Encryption (Art. 32 (1) a) GDPR)

Cryptographic measures to ensure that information is encrypted when transferred and can only be made readable using the correct encryption key.

  • Technical: Encryption of the company website (“data in motion”)
  • Organisational: Encryption policy covering data in motion

2. Confidentiality – Physical Access Control (Art. 32 (1) b) GDPR)

Measures to prevent unauthorised persons from gaining access to data processing systems with which personal data is processed or used.

  • Technical: Security of buildings, windows and doors with an alarm system
  • Organisational: Digital key management system

3. Confidentiality – Data Access Control (Art. 32 (1) b) GDPR)

Measures to prevent data processing systems from being used without authorisation.

  • Technical: Customer authentication with username/password upon sign-up and log-in; email verification upon customer sign-up and participant sign-in
  • Organisational: Allocation of user rights; defining user profiles; assigning passwords and user profiles to IT systems

4. Confidentiality – Data Usage Control (Art. 32 (1) b) GDPR)

Measures to ensure that persons entitled to use a data processing system have access only to data to which they are entitled, and that personal data cannot be read, copied, altered or removed without authorisation.

  • Technical: Use of document shredders or appropriate service providers; physical deletion of data mediums before reuse
  • Organisational: Authorisation concept with differentiated rights for read, edit and delete; password procedures including special characters, minimum length and mandatory changes; assignment of rights by system administrator

5. Confidentiality – Transmission Control (Art. 32 (1) b) GDPR)

Measures to ensure that personal data cannot be read, copied, altered or removed during electronic transmission or transport, and that transfers can be checked and traced.

  • Technical: Documentation of all interfaces
  • Organisational: Documentation of recipients of data and planned erasure time limits

6. Confidentiality – Separation Control (Art. 32 (1) b) GDPR)

Measures to ensure that data collected for different purposes can be processed separately.

  • Technical: Segregation of functions (production/testing); separation of data so that no customer can access another’s data
  • Organisational: Logical client separation

7. Integrity – Input Control (Art. 32 (1) b) GDPR)

Full documentation of data management and maintenance to ensure ongoing integrity, including subsequent checking of whether data has been entered, changed or removed, and by whom.

  • Technical: No local admin privileges
  • Organisational: Assignment of authorisations for input, alteration and erasure based on an authorisation concept

8. Availability – Availability Control (Art. 32 (1) b) GDPR)

Measures to ensure that personal data is protected from accidental destruction or loss.

  • Technical: Air conditioning in server rooms; fire extinguishers; fire and smoke detection systems; uninterruptible power supply (UPS); alarm during unauthorized entry into server room
  • Organisational: Remote data backup in secure outsourced locations; emergency plan and disaster recovery plan

9. Availability – Job Control (Art. 32 (1) b) GDPR)

Measures to ensure that, in the case of commissioned processing of personal data, the data is processed only in accordance with the instructions of the Controller.

  • Technical: Selection of the Processor with consideration of due-diligence aspects (in particular data security)
  • Organisational:
    • Written instructions to the Processor (e.g. Data Processing Agreement) as defined in Art. 28 (2) GDPR
    • Processor has appointed a Data Protection Officer
    • Efficient rights of control agreed with the Processor
    • Employees placed under obligation of data confidentiality (Art. 28 (3) b) GDPR)
    • Assurance of deletion of data at end of services; continuous control of the Processor and its activities
    • Use of Subcontractors requires the Controller’s consent and prior verification of security measures

10. Resilience (Art. 32 (1) b) GDPR)

Measures to ensure the resilience of systems and services so that high peak loads and continuous loads can be handled.

  • Technical: Testing of storage, access and line capacities

11. Restoration of Availability (Art. 32 (1) c) GDPR)

Measures to ensure that availability of and access to data can be restored in a timely manner in the event of a physical or technical incident.

  • Technical: Scalable Kubernetes backend technology; Cloud Service; Backup concept; Testing of data restoration

12. Data Protection Management (Art. 32 (1) d) GDPR)

Measures to ensure a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

  • Organisational: Reviews by the Data Protection Officer and IT audits

Annex 3 – Further Processors (Sub-processors)

1. Amazon Web Services Inc.

410 Terry Avenue North, Seattle, WA 98109-5210, USA
Processing: Secure cloud service platform for database storage

2. GitHub, Inc.

88 Colin P Kelly Junior Street, San Francisco, CA 94107, USA
Processing: Application connection software

3. Alphabet Inc. (Google)

Googleplex, Mountain View, California, USA
Processing: User and website analytics software

4. Stripe Inc.

510 Townsend Street, San Francisco, CA 94103, USA
Processing: Online payment processing provider

5. Webflow Inc.

398 11th St., Floor 2, San Francisco, CA 94103, USA
Processing: Website hosting & publishing software