Data Processing Agreement
Last updated: June 15, 2026
Megadeals International AB / Njord
Introduction
The following Data Processing Agreement is a complement to theAgreement (Schedule One and the T&Cs) for the Deal Orchestration Factory byMegadeals.
By signing the DPA section in Schedule One the customer has beenpresented with a link to this website.
This Data Processing Agreement ("DPA") is entered intoby and between the parties and constitutes an integral part of the MegadealsAgreement; Schedule One and the Terms and Conditions. It is incorporatedtherein by reference. All the definitions have the same meaning as they areused in the Agreement, Schedule One and T&Cs, unless they are speciallydefined hereby. In the event of any discrepancies between this DPA and otheragreements or documents, the terms of this DPA shall take precedence.
1. Definitions
In addition to capitalised terms defined elsewhere in this DPA,the following terms shall have the meanings set forth opposite each one ofthem:
1.1. "Affiliate": means any entity that directly orindirectly controls, is controlled by, or is under common control with thesubject entity. "Control" for purposes of this definition meansdirect or indirect ownership or control of 75%.
1.2.: The terms "Commission", "Data Subject","Member State", "Personal Data", "Personal DataBreach", "Special Categories of Data","Process/Processing", "Controller", "Processor",and "Supervisory Authority" shall have the same meanings given tothem in the GDPR (or where the same or similar terms are used under anotherapplicable Data Protection Law, the meanings given to such terms under suchData Protection Law).
1.3. "Client's Personal Data": means any Personal Dataprocessed by the Vendor on behalf of the Client pursuant to or in connectionwith the Vendor's Services.
1.4. "Sensitive Personal Data": is a subset of PersonalData, which, due to its nature, has been classified by applicable law.Sensitive Personal Data consists of, in particular: (i) all government-issuedidentification documents and numbers; (ii) all financial information, includingany consumer or spending habits, and any account numbers; (iii) any PersonalData pertaining to the categories specified in Articles 9 to 10 of the GDPR;(iv) all employee, employment candidate and payroll information; and (v) anyother Personal Data designated by the Client as Sensitive Personal Data.
1.5. "EU Data Protection Laws": means EU Directive95/46/EC, as transposed into domestic legislation of each Member State, and asamended, replaced, or supplemented, including its replacement by GDPR.
1.6. "GDPR": means EU General Data Protection Regulation2016/679 and any subsequent amendments, replacements, or supplements.
1.7. "Standard Contractual Clauses": mean the Annex to theCommission Implementing Decision on standard contractual clauses for thetransfer of personal data to third countries pursuant to Regulation (EU)2016/679.
1.8. "Sub Processor": means any third party engaged directly bythe Vendor to process any of the Client's Personal Data pursuant to or inconnection with the Vendor's Services. The term shall not include employees orcontractors of the Vendor.
1.9. "Client": means the Client (as specified in the Schedule Oneand/or the Terms and Conditions), and any of its Affiliates.
MegadealsInternational AB | c/o Njord, Mäster Samuelsgatan 42 | 111 57 Stockholm |Sweden Page 1
1.10. "Vendor's Services": means any servicesprovided by the Vendor to the Client, including any software or platformservices, pursuant to the Agreement, Purchase Order, license, subscription, orother legal instruments.
2. Scope of Processing
2.1. The Vendor shall process the Client's Personal Data as describedherein. The Vendor shall process the Client's Personal Data as a data Processoracting on behalf of the Client, who is the Controller of such Personal Data.
2.2. The Client hereby instructs the Vendor to process the Client'sPersonal Data exclusively for the limited purposes of providing the Vendor'sServices to the Client. Under no circumstances shall the Vendor process any ofthe Client's Personal Data for its own purposes, thereby becoming a dataController of such Personal Data.
2.3. The Vendor shall only process the Client's Personal Data inaccordance with: (i) the terms of this DPA; (ii) the terms of the existingagreement between the Parties; (iii) the Client's documented instructions,except where processing is required by applicable laws; and (iv) all applicablelaws and regulations.
2.4. If the Vendor determines that a Client's instruction wouldcontravene applicable laws, the Vendor shall immediately cease the relevantprocessing activities and notify the Client of the conflict. The Vendor willnot resume the processing unless lawful instructions are provided by the Clientor unless required by applicable law.
2.5. If the Vendor determines that it can no longer meet itsobligations under this DPA, it shall notify the Client promptly. Upon suchnotification, the Parties agree to enter into good-faith negotiations to remedyor adjust the terms of the data processing to ensure compliance with applicablelaw. If the Parties are unable to reach a mutually acceptable solution within30 days, the Client may terminate the relevant agreement(s) without penalty.
3. Subprocessing
3.1. The Vendor shall not engage any subprocessors to process theClient's Personal Data without prior consent from the Client for each suchengagement.
3.1.1. The Vendor shall notify the Client of the name and role of anysubprocessors engaged to process the Client's Personal Data. The Client mayretrieve additional information directly from the subprocessor's publiclyavailable documentation or by request to the Vendor.
3.1.2. The Vendor shall ensure that the agreement between the Vendor andthe subprocessor is governed by a binding contract that requires thesubprocessor to process the Client's Personal Data in accordance with this DPAor standards that are at least as stringent as those of this DPA.
3.1.3. The Client has the right to object to the use of the proposedsubprocessor on privacy or security grounds within 10 days of receiving thenotice. If no objections are raised within this timeframe, consent shall bedeemed granted.
4. Data Transfers
4.1. Except in cases where thePersonal Data Processing is carried out by the approved sub-processors, withoutthe Client's prior written consent, the Vendor may not transfer or permit thetransfer of the Client's Personal Data to any territory which is (i) outsidethe EEA and (ii) not recognized by the European Commission as providing anadequate level of data protection. Where the Client has permitted such atransfer, the Vendor or the Vendor's Sub Processors must ensure that there is alegal basis for the transfer of said data, e.g. Standard Contractual Clauses orbinding corporate rules.
4.2. By way of this DPA, the Client consents to the transfer of theClient's Personal Data to the Vendor and each of the Sub Processors listed inAnnex III, List of Sub-Processors. Any transfer
MegadealsInternational AB | c/o Njord, Mäster Samuelsgatan 42 | 111 57 Stockholm |Sweden Page 2
made under this DPA out of the EEA shall be governed by StandardContractual Clauses, which shall be deemed incorporated by reference as anintegral part of this DPA. Where a transfer presents an elevated risk, theVendor maintains a Transfer Impact Assessment (TIA) documenting thesupplementary measures relied upon (see Annex III).
5. Vendor's Personnel
5.1. The Vendor shall conduct an appropriate background investigationof all employees or contractors (the "Vendor's Personnel") of theVendor who may have access to the Client's Personal Data, prior to allowingthem such access. If the background investigation reveals that the Vendor'sPersonnel are not suited to access the Client's Personal Data, then the Vendorshall not provide the Vendor Personnel with access to the Client's PersonalData.
5.2. The Vendor shall ensure that all the Vendor Personnel: (i) hassuch access only as necessary for the purposes of providing the Client Servicesand complying with applicable laws; (ii) is contractually bound toconfidentiality requirements no less onerous than this DPA; and (iii) isprovided with appropriate privacy and security training.
5.3. Upon request, the Vendor shall provide to the Client a list of allindividual employees and contractors (including former individual employees andcontractors) who have (or have had) access to the Personal Data.
6. Security
6.1. The Vendor shall assess and implement appropriate technical andorganizational measures to ensure a level of security appropriate to the riskpresented by the processing of the Client's Personal Data including: (i) thepseudonymization and/or encryption of Personal Data, which in the case of anySensitive Personal Data, shall be transmitted only via secured encryptedchannels and in encrypted form; (ii) the ability to ensure the on-goingconfidentiality, integrity, availability and resilience of processing systemsand services; (iii) the ability to restore the availability and access to theClient's Personal Data in a timely manner in the event of a physical ortechnical incident; and (iv) a process for regularly testing, assessing andevaluating the effectiveness of technical and organizational measures forensuring the security of the Processing.
6.2. In assessing the appropriate level of technical and organizationalmeasures, the Vendor shall take into account the risks that are presented bythe Processing including the risks of Personal Data Breach, accidental orunlawful loss, destruction, alteration, unauthorized disclosure of or access tothe Client's Personal Data.
6.3. The Vendor shall keep records of its processing activitiesperformed on behalf of the Client, which shall include at least: (i) thedetails of the Vendor as Personal Data Processor, any representatives, SubProcessors, data protection officers and the Vendor Personnel having access tothe Client's Personal Data; (ii) the categories of Processing activitiesperformed; (iii) information regarding cross-border data transfers, if any; and(iv) a description of the technical and organizational security measures implementedin respect of the processed Personal Data.
7. Data Subject Rights
7.1. The Vendor shallreasonably assist the Client in responding to requests to exercise Data Subjectrights under applicable laws, including EU Data Protection Laws.
7.2. The Vendor shall: (i) promptly notify the Client if it receives arequest from a Data Subject under EU Data Protection Laws in respect of theClient's Personal Data; and (ii) ensure that it does not respond to thatrequest except on the documented instructions of the Client or as strictlyrequired by applicable laws to which the Vendor is subject.
8. Legal Disclosure; Personal Data Breach
MegadealsInternational AB | c/o Njord, Mäster Samuelsgatan 42 | 111 57 Stockholm |Sweden Page 3
8.1. The Vendor shall notify the Client without undue delay and, wherefeasible, no later than 72 hours after becoming aware of a Personal DataBreach, in accordance with GDPR requirements.
8.1.1. The Vendor shall notify the Client of any legally binding requestfor disclosure of the Client's Personal Data by a law enforcement authorityunless prohibited by law, such as under criminal law to preserveconfidentiality.
8.1.2. The Vendor shall notify the Client of any actual or suspectedPersonal Data Breach affecting the Client's Personal Data. The Vendor shallprovide sufficient information to enable the Client to fulfill reportingobligations to Data Subjects or Supervisory Authorities, including detailsrequired by Article 33(3) of the GDPR. The Vendor shall not make publicstatements or disclosures about a Personal Data Breach without the Client'sprior written consent unless required by law.
8.2. The Vendor shall investigate any suspected or actual Personal DataBreach and take necessary actions to prevent further breaches. The Vendor shallcooperate with the Client and follow steps directed by the Client to assist ininvestigation, mitigation, and remediation.
8.3. The Vendor shall ensure that all Vendor Personnel are informed ofthe confidential nature of the Client's Personal Data, maintain itsconfidentiality, receive appropriate training, and understand their obligationsunder this DPA.
9. Deletion or Return ofClient's Personal Data
9.1. Upon expiration or termination of the provision of the Vendor'sServices, the Vendor shall, within 90 days, delete or return all copies of theClient's Personal Data, at the Client's choice, except as required to beretained in accordance with applicable law or as technically necessary within areasonable time frame.
For theavoidance of doubt: the 90-day window in Section 9.1 governs the administrativeprocess of deletion or return following termination. It does not affect thenecessity-based deletion obligations set out in Annex I, which apply during theterm of the Agreement and require deletion within 30 days of the point at whichnecessity ceases. Deletion or return of the Client's Personal Data under thisSection 9 is required at the Client's choice in accordance with Article28(3)(g) GDPR, regardless of any payment dispute, and is not contingent onpayment of any outstanding fees.
10. Provision ofInformation
10.1. The Vendor shall provide assistance to the Client with any dataprotection impact assessments, prior consultations with Supervisory Authoritiesor other competent data privacy authorities, which the Client reasonablyconsiders to be required under applicable laws. The scope of such assistanceshall be limited to the Processing of the Client's Personal Data by the Vendor.
11. Miscellaneous
11.1. Severance. Should any provision of this DPA be determinedinvalid or unenforceable, then the remainder of this DPA shall remain valid andin force. The invalid or unenforceable provision shall either be (i) amended asnecessary to ensure its validity and enforceability, while preserving theParties' intentions as closely as possible or, if this is not possible, (ii)construed in a manner as if the invalid or unenforceable part had never beencontained therein.
11.2. Notice. All notices required under this DPA shall be sent to theClient by post and email to the address specified in Schedule One. Notices tothe Vendor shall be sent to: Megadeals International AB (trading as Njord), c/oNjord, Mäster Samuelsgatan 42, 111 57 Stockholm, Sweden, and by email to:privacy@njord.io
11.3. Order of Precedence. In the event of any conflict between the terms ofthis DPA and other documents binding on Parties, the terms of these documentswill be interpreted according to the following order of precedence: (i) thisDPA; and (ii) terms of the Agreement, orders, license, or subscription,pursuant to which the Vendor's Services are provided.
MegadealsInternational AB | c/o Njord, Mäster Samuelsgatan 42 | 111 57 Stockholm |Sweden Page 4
11.4. Governing Law and Jurisdiction. This DPA is governed bythe laws of Sweden. Any dispute arising from this DPA shall be resolved by thecourts of Sweden, in accordance with the terms set forth in the Agreement(Schedule One and Terms and Conditions).
11.5. Duration and Termination. The duration of this DPA shall correspondto the Client's use of the Vendor's Services.
ANNEX I: DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:Audience selected and specified by Data Controller, who are subject to targetedadvertising campaigns running by Data Processor to the benefit and on behalf ofData Controller.
Categories of personal data transferred: First and last name,company name, title, business email address, and any other data uploaded byData Controller.
Sensitive data transferred (ifapplicable): Not applicable.
The frequency of the transfer:Episodically, as needed.
Nature of the processing: Collection, recording, organisation,structuring, storage, retrieval, and erasure.
Purpose(s) of the data transfer and further processing: Runningadvertising campaigns targeted to specific people according to data provided byData Controller.
The period for which the personal data will be retained: Personaldata will not be retained for longer than is necessary for the purposes forwhich it was collected. For data processed in connection with active campaigns,necessity is determined by reference to the duration of the campaign and anyreasonable follow-up period required to measure outcomes. Data that is nolonger necessary for these purposes will be deleted promptly, and in any casewithin 30 days of the point at which necessity ceases. Upon a valid erasurerequest from a Data Subject or the Data Controller, all relevant personal datawill be deleted within 30 days of the request. Upon expiration or terminationof the Agreement, all personal data will be deleted or returned in accordancewith Section 9.1 of this DPA.
For transfers to (sub-)processors: Running advertising campaignstargeted to specific people on a particular social media platform; retrievaland erasure. Audience identifiers are transferred in hashed (irreversiblypseudonymised via SHA-256) format and are deleted promptly after the matchprocess is complete.
ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organisational measuresimplemented by the data importer(s) to ensure an appropriate level of security,taking into account the nature, scope, context and purpose of the processing,and the risks for the rights and freedoms of natural persons.
Access Control (Physical)
Measures to prevent unauthorized persons from gaining access tothe data processing systems available in premises and facilities (includingdatabases, application servers and related hardware), where Personal Data areprocessed, including establishing security areas, restriction of access paths,establishing access authorizations for employees and third parties, and doorlocking (electric door openers etc.).
Access Control (Logical)
Measures to prevent data processing systems from being used byunauthorized persons, including user identification and authenticationprocedures, OIDC-based authentication with access and refresh tokens,role-based access control (RBAC), multi-factor authentication (MFA) forprivileged/administrative accounts, and encryption of archived data media.
MegadealsInternational AB | c/o Njord, Mäster Samuelsgatan 42 | 111 57 Stockholm |Sweden Page 5
Authorization Controls
Measures to ensure that persons entitled to use a data processingsystem gain access only to such Personal Data in accordance with their accessrights, and that Personal Data cannot be read, copied, modified or deletedwithout authorization, including internal policies and procedures, controlauthorization schemes, differentiated access rights (profiles, roles,transactions and objects), monitoring and logging of accesses, and disciplinaryaction against employees who access personal data without authorization.
Encryption
Personal Data at rest is encrypted using AES-256 (symmetricencryption), meeting the requirements of NIST SP 800-57 Part 1 (Table 2) forsymmetric encryption strength. Encryption keys are managed through AWS KMS withstrict IAM-based access controls. Data in transit is encrypted using TLS 1.2 asa minimum, with TLS 1.3 preferred and deployed across all Vendor-controlledendpoints; deprecated protocols (SSL, TLS 1.0/1.1) and deprecated cipher suitesare disabled. SHA-256 is used separately as an irreversible one-way hashfunction for the pseudonymisation of audience identifiers prior to transfer toadvertising platforms for match-based targeting, and is not used as anencryption mechanism.
Transmission Security
Measures to ensure that Personal Data cannot be read, copied,modified or deleted without authorization during electronic transmission,transport or storage on storage media, and that it can be verified to whichcompanies or other legal entities Personal Data are disclosed, includingencryption, logging, and transport security. All external connections use HTTPSwith TLS 1.2 or higher (TLS 1.3 preferred). Certificates are issued by trustedCertificate Authorities.
Audit Logging
Measures to monitor whether data have been entered, changed orremoved (deleted), and by whom, from data processing systems, including loggingand reporting systems, audit trails and documentation. Centralised logging isin place via AWS CloudTrail, CloudWatch and ELK, with retention configured to aminimum of 6 months and integrity protection through AWS-managed services.
Availability Controls
Measures to ensure that Personal Data are protected againstaccidental destruction or loss (physical/logical) including backup procedures,AWS multi-AZ high availability, geo-redundant storage across EU regions,anti-malware/firewall systems, and documented Business Continuity and DisasterRecovery Plans (RTO 4 to 6 hours; RPO 1 hour; backup integrity testedquarterly).
Data Separation
Measures to ensure that Personal Data collected for differentpurposes can be processed separately, including logical separation ofdatabases, VPC architecture with private subnets and security groups,limitation of use, and segregation of functions (production/testing). Customerdata is never used in non-production environments.
ANNEX III: LIST OF SUB-PROCESSORS
The Data Controller has been authorised to use the followingsub-processors. The transfer mechanism column records the Chapter V safeguardrelied upon for each sub-processor.
Sub-processor: Influ2 Inc.
Email: privacy@influ2.com
Location: USA
Description: Launches ad campaigns targeted to specific prospects and tracks advertisement effectiveness across LinkedIn, Meta (Facebook, Instagram), Google (Google Ads, DV360), Microsoft (Bing Ads), Amazon Ads, and Taboola.
Transfer mechanism and safeguards: Third country (USA). SCCs Module Three, executed 10 June 2026; TIA on file (v1.1, 10 June 2026). Not DPF-certified; ISO 27001 certified, ISO 27701 expected Aug 2026.
Sub-processor: Meta Platforms, Inc.
Location: USA
Description: Run advertising campaigns targeted at users of facebook.com and instagram.com via matching of hashed personal data.
Transfer mechanism and safeguards: Third country (USA). SCCs incorporated under Section 4.2.
Sub-processor: LinkedIn Corp.
Location: USA
Description: Run advertising campaigns targeted to users of linkedin.com via matching of hashed personal data.
Transfer mechanism and safeguards: Third country (USA). SCCs incorporated under Section 4.2.
Sub-processor: NextRoll, Inc.
Location: Ireland
Description: Run advertising campaigns targeted to users on the Adroll, NextRoll, and RollWorks networks.
Transfer mechanism and safeguards: Within EEA (Ireland). No Chapter V transfer.
Sub-processor: Dealfront Group GmbH
Email: privacy@dealfront.com
Location: Germany
Description: Provides B2B lead generation and sales intelligence to support identification and engagement of potential prospects.
Transfer mechanism and safeguards: Within EEA (Germany). No Chapter V transfer.
Sub-processor: InZynk AB
Email: info@inzynk.com
Location: Sweden
Description: Optimises digital marketing campaigns using data analysis to refine targeting and improve outreach.
Transfer mechanism and safeguards: Within EEA (Sweden). No Chapter V transfer.
Sub-processor: Adform A/S
Email: support@adform.com
Location: Denmark
Description: Enables targeted advertising, real-time bidding, and analytics across digital platforms.
Transfer mechanism and safeguards: Within EEA (Denmark). No Chapter V transfer.
Sub-processor: Google LLC
Email: dpo-google@google.com
Location: USA
Description: Runs targeted ad campaigns via Google Ads (conversion tracking and analytics) and manages tags via Google Tag Manager.
Transfer mechanism and safeguards: Third country (USA). SCCs incorporated under Section 4.2.
Sub-processor: ZenLeads Inc. d/b/a Apollo.io
Email: privacy@apollo.io
Location: USA
Description: Provides sales and marketing intelligence, including lead generation, enrichment, and contact data enhancement.
Transfer mechanism and safeguards: Third country (USA). SCCs incorporated under Section 4.2.
Sub-processor: Amazon Web Services (AWS)
Email: aws-privacy@amazon.com
Location: USA / EU regions
Description: Provides cloud hosting and infrastructure, supporting secure and scalable processing of personal data.
Transfer mechanism and safeguards: Hosting in AWS EU regions; SCCs incorporated under Section 4.2 for any out-of-EEA transfer.
Sub-processor: Microsoft Online, Inc. (Microsoft Advertising / Bing Ads)
Email: msdpo@microsoft.com
Location: USA
Description: Run advertising campaigns targeted to users on the Microsoft Advertising network (Bing Search, Microsoft Audience Network) via matching of hashed personal data.
Transfer mechanism and safeguards: Third country (USA). SCCs incorporated under Section 4.2.
Sub-processor: Amazon.com Services LLC (Amazon Ads)
Email: amazon-ads-privacy@ama zon.com
Location: USA
Description: Run advertising campaigns targeted to users on the Amazon Ads network via matching of hashed personal data.
Transfer mechanism and safeguards: Third country (USA). SCCs incorporated under Section 4.2.
Sub-processor: Taboola, Inc.
Email: privacy@taboola.com
Location: USA
Description: Run native and content advertising campaigns across the Taboola publisher network via matching of hashed personal data.
Transfer mechanism and safeguards: Third country (USA). SCCs incorporated under Section 4.2.
Standard Contractual Clauses are incorporated by reference underSection 4.2 of this DPA and constitute the Vendor's primary transfer mechanismfor all transfers outside the EEA. Where a sub-processor has self-certifiedunder the EU-U.S. Data Privacy Framework, that certification provides anadditional adequacy basis. A Transfer Impact Assessment is maintained fortransfers presenting elevated risk (for example, Influ2 Inc.) and is availableto the Client on request.
Contact Information
For any questions or enquiries,please contact us using the details below:
Email:david@njord.ioor privacy@njord.io (privacy and DPA matters)and david@njord.io (commercial and compliance lead)
Phone: +46 73 359 56 55
Company: Megadeals International AB(trading as Njord), reg. no 559220-2120
Address: c/o Njord, Mäster Samuelsgatan 42,111 57 Stockholm, Sweden