Data Processing Agreement
Introduction
The following Data Processing Agreement is a complement to the Agreement (Schedule One and the T&Cs) for the Deal Orchestration Factory by Megadeals.
When signing the DPA section in Schedule One, the customer is presented with a link to this page.
This Data Processing Agreement ("DPA") is entered into by and between the parties and constitutes an integral part of the Megadeals Agreement (Schedule One and the Terms and Conditions). It is incorporated therein by reference. All definitions have the same meaning as in the Agreement, Schedule One and T&Cs, unless they are specifically defined herein. In the event of any discrepancy between this DPA and other agreements or documents, the terms of this DPA shall take precedence.
1. Definitions
In addition to capitalised terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
1.1. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" for purposes of this definition means direct or indirect ownership or control of 75% or more of the subject entity.
1.2. The terms "Commission", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Special Categories of Data", "Process/Processing", "Controller", "Processor", and "Supervisory Authority" shall have the same meanings given to them in the GDPR (or where the same or similar terms are used under another applicable Data Protection Law, the meanings given to such terms under such Data Protection Law).
1.3. "Client's Personal Data" means any Personal Data processed by the Vendor on behalf of the Client pursuant to or in connection with the Vendor's Services.
1.4. "Sensitive Personal Data" is a subset of Personal Data, which due to its nature has been classified by applicable law. Sensitive Personal Data consists of, in particular:
- 1.4.1. All government-issued identification documents and numbers;
- 1.4.2. All financial information, including any consumer or spending habits, and any account numbers (bank and non-bank financial services account numbers, credit/debit card numbers, and other information if that information would permit access to a financial account);
- 1.4.3. Any Personal Data pertaining to the categories specified in Articles 9–10 of the GDPR;
- 1.4.4. All employee, employment candidate and payroll information and data; and
- 1.4.5. Any other Personal Data designated by the Client as Sensitive Personal Data.
1.5. "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State, and as amended, replaced, or supplemented, including its replacement by GDPR.
1.6. "GDPR" means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements, or supplements.
1.7. "Standard Contractual Clauses" mean the Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.8. "Sub Processor" means any third party engaged directly by the Vendor to process any of the Client's Personal Data pursuant to or in connection with the Vendor's Services. The term shall not include employees or contractors of the Vendor.
1.9. "Client" means the Client (as specified in the Schedule One and/or the Terms and Conditions), and any of its Affiliates.
1.10. "Vendor's Services" means any services provided by the Vendor to the Client, including any software or platform services, pursuant to the Agreement, Purchase Order, license, subscription, or other legal instruments.
2. Scope of Processing
2.1. The Vendor shall process the Client's Personal Data as described herein. The Vendor shall process the Client's Personal Data as a data Processor acting on behalf of the Client, who is the Controller of such Personal Data.
2.2. The Client hereby instructs the Vendor to process the Client's Personal Data exclusively for the limited purposes of providing the Vendor's Services to the Client. Under no circumstances shall the Vendor process any of the Client's Personal Data for its own purposes, thereby becoming a data Controller of such Personal Data.
2.3. The Vendor shall only process the Client's Personal Data in accordance with:
- (i) the terms of this DPA,
- (ii) the terms of the existing agreement between the Parties,
- (iii) the Client's documented instructions, except where processing is required by applicable laws, and
- (iv) all applicable laws and regulations.
2.4. If the Vendor determines that a Client's instruction would contravene applicable laws, the Vendor shall immediately cease the relevant processing activities and notify the Client of the conflict. The Vendor will not resume the processing unless lawful instructions are provided by the Client or unless required by applicable law.
2.5. If the Vendor determines that it can no longer meet its obligations under this DPA, it shall notify the Client promptly. Upon such notification, the Parties agree to enter into good-faith negotiations to remedy or adjust the terms of the data processing to ensure compliance with applicable law. If the Parties are unable to reach a mutually acceptable solution within 30 days, the Client may terminate the relevant agreement(s) without penalty.
3. Subprocessing
3.1. The Vendor shall not engage any subprocessors to process the Client's Personal Data without prior consent from the Client for each such engagement.
- 3.1.1. The Vendor shall notify the Client of the name and role of any subprocessors engaged to process the Client's Personal Data. The Client may retrieve additional information directly from the subprocessor's publicly available documentation or by request to the Vendor.
- 3.1.2. The Vendor shall ensure that the agreement between the Vendor and the subprocessor is governed by a binding contract that requires the subprocessor to process the Client's Personal Data in accordance with this DPA or standards that are at least as stringent as those of this DPA.
- 3.1.3. The Client has the right to object to the use of the proposed subprocessor on privacy or security grounds within 10 days of receiving the notice. If no objections are raised within this timeframe, consent shall be deemed granted.
4. Data Transfers
4.1. Except where the Processing is carried out by approved Sub Processors, the Vendor may not, without the Client's prior written consent, transfer or permit the transfer of the Client's Personal Data to any territory which is (i) outside the EEA and (ii) not recognized by the European Commission as providing an adequate level of data protection. Where the Client has permitted such a transfer, the Vendor or the Vendor's Sub Processors must ensure that there is a legal basis for the transfer, e.g. Standard Contractual Clauses or binding corporate rules.
4.2. By way of this DPA, the Client consents to the transfer of the Client's Personal Data to the Vendor and each of the Sub Processors listed in Annex III – List of Sub-Processors. Any transfer made under this DPA out of the EEA shall be governed by Standard Contractual Clauses, which shall be deemed incorporated by reference as an integral part of this DPA.
5. Vendor's Personnel
5.1. The Vendor shall conduct an appropriate background investigation of all employees or contractors of the Vendor (the "Vendor Personnel") who may have access to the Client's Personal Data, prior to allowing them such access. If the background investigation reveals that a member of the Vendor Personnel is not suited to access the Client's Personal Data, the Vendor shall not provide that person with access to the Client's Personal Data.
5.2. The Vendor shall ensure that all Vendor Personnel:
- (i) have such access only as necessary for the purposes of providing the Vendor's Services and complying with applicable laws;
- (ii) are contractually bound to confidentiality requirements no less onerous than those of this DPA; and
- (iii) are provided with appropriate privacy and security training.
5.3. Upon request, the Vendor shall provide to the Client a list of all individual employees and contractors (including former individual employees and contractors) who have (or have had) access to the Personal Data.
6. Security
6.1. The Vendor shall assess and implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of the Client's Personal Data including:
- 6.1.1. The pseudonymization and/or encryption of Personal Data, which in the case of any Sensitive Personal Data, shall be transmitted only via secured encrypted channels and in encrypted form;
- 6.1.2. The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
- 6.1.3. The ability to restore the availability and access to the Client's Personal Data in a timely manner in the event of a physical or technical incident; and
- 6.1.4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
6.2. In assessing the appropriate level of technical and organizational measures, the Vendor shall take into account the risks that are presented by the Processing including the risks of Personal Data Breach, accidental or unlawful loss, destruction, alteration, unauthorized disclosure of or access to the Client's Personal Data.
6.3. The Vendor shall keep records of its processing activities performed on behalf of the Client, which shall include at least:
- 6.3.1. The details of the Vendor as Personal Data Processor, any representatives, Sub Processors, data protection officers and the Vendor Personnel having access to the Client's Personal Data;
- 6.3.2. The categories of Processing activities performed;
- 6.3.3. Information regarding cross-border data transfers, if any; and
- 6.3.4. Description of the technical and organizational security measures implemented in respect of the processed Personal Data.
7. Data Subject Rights
7.1. The Vendor shall reasonably assist the Client in responding to requests to exercise Data Subject rights under applicable laws, including EU Data Protection Laws.
7.2. The Vendor shall:
- 7.2.1. Promptly notify the Client if it receives a request from a Data Subject under EU Data Protection Laws in respect of the Client's Personal Data; and
- 7.2.2. Ensure that it does not respond to that request except on the documented instructions of the Client or as strictly required by applicable laws to which the Vendor is subject.
8. Legal Disclosure; Personal Data Breach
8.1. The Vendor shall notify the Client without undue delay and, where feasible, no later than 72 hours after becoming aware of a Personal Data Breach, in accordance with GDPR requirements.
- 8.1.1. The Vendor shall notify the Client of any legally binding request for disclosure of the Client's Personal Data by a law enforcement authority unless prohibited by law, such as under criminal law to preserve confidentiality.
- 8.1.2. The Vendor shall notify the Client of any actual or suspected Personal Data Breach affecting the Client's Personal Data. The Vendor shall provide sufficient information to enable the Client to fulfill reporting obligations to Data Subjects or Supervisory Authorities, including details required by Article 33(3) of the GDPR. The Vendor shall not make public statements or disclosures about a Personal Data Breach without the Client's prior written consent unless required by law.
8.2. The Vendor shall investigate any suspected or actual Personal Data Breach and take necessary actions to prevent further breaches. The Vendor shall cooperate with the Client and follow steps directed by the Client to assist in investigation, mitigation, and remediation.
8.3. The Vendor shall ensure that all Vendor Personnel are informed of the confidential nature of the Client's Personal Data, maintain its confidentiality, receive appropriate training, and understand their obligations under this DPA.
9. Deletion or Return of Client's Personal Data
9.1. Upon expiration or termination of the provision of the Vendor's Services, the Vendor shall, within 90 days, delete or return all copies of the Client's Personal Data, at the Client's choice, except as required to be retained in accordance with applicable law or as technically necessary within a reasonable time frame.
10. Provision of Information
10.1. The Vendor shall provide assistance to the Client with any data protection impact assessments, prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Client reasonably considers to be required under applicable laws. The scope of such assistance shall be limited to the Processing of the Client's Personal Data by the Vendor.
11. Miscellaneous
11.1. Severance. Should any provision of this DPA be determined invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
11.2. Notice. All notices required under this DPA shall be sent to the Client by post and email to the address specified in Schedule One. Notices to the Vendor shall be sent to: Megadeals (address specified in Schedule One), and by email to: hello@megadeals.com
11.3. Order of Precedence. In the event of any conflict between the terms of this DPA and other documents binding on Parties, the terms of these documents will be interpreted according to the following order of precedence: (i) this DPA; and (ii) terms of the Agreement, orders, license, or subscription, pursuant to which the Vendor's Services are provided.
11.4. Governing Law and Jurisdiction. This DPA is governed by the laws of Sweden. Any dispute arising from this DPA shall be resolved by the courts of Sweden, in accordance with the terms set forth in the Agreement (Schedule One and Terms and Conditions).
11.5. Duration and Termination. The duration of this DPA shall correspond to the Client's use of the Vendor's Services.
Annex I – Description of Transfer
Categories of data subjects whose personal data is transferred
Audience selected and specified by the Data Controller, who are subject to targeted advertising campaigns run by the Data Processor for the benefit and on behalf of the Data Controller.
Categories of personal data transferred
First and last name, company name, title, business email address and phone number, and any other data uploaded by Data Controller.
Sensitive data transferred (if applicable)
Not applicable.
The frequency of the transfer
Episodically, as needed.
Nature of the processing
Collection, recording, organisation, structuring, storage, retrieval, and erasure.
Purpose(s) of the data transfer and further processing
Running advertising campaigns targeted to specific people according to data provided by Data Controller.
The period for which the personal data will be retained
Personal data will not be retained for longer than is necessary for the purposes for which it was collected. For data processed in connection with active campaigns, necessity is determined by reference to the duration of the campaign and any reasonable follow-up period required to measure outcomes. Data that is no longer necessary for these purposes will be deleted promptly, and in any case within 30 days of the point at which necessity ceases. Upon a valid erasure request from a Data Subject or the Data Controller, all relevant personal data will be deleted within 30 days of the request. Upon expiration or termination of the Agreement, all personal data will be deleted or returned in accordance with Section 9.1 of this DPA.
For transfers to (sub-)processors
Running advertising campaigns targeted to specific people on a particular social media platform; retrieval and erasure. The data is transferred in hashed (pseudonymised) format and will be deleted promptly after the match process is complete. Hashing does not render the data anonymous: a party that already holds an identifier (such as an email address) can recompute its hash and link the record back to the individual, so hashed identifiers remain Personal Data and are handled as such.
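The following is an added example, not code from Megadeals or from any of the advertising platforms, illustrating the hashed-matching step described above. It normalises the Annex I contact fields (name, business email, phone) before hashing, which is what makes the hash comparable across parties, and then shows why such hashes are pseudonymous rather than anonymous: anyone holding a candidate list of addresses recomputes the hashes and recovers the identities. The normalisation rules (trim, lowercase, NFC; digits-only E.164-style phone with a default country code of 46) are assumptions for the example; each platform publishes its own matching rules, and the sample contacts are constructed.

```python
import hashlib
import unicodedata

# Constructed sample contacts in the shape of the Annex I categories (not real people).
CONTACTS = [
    {"name": "Anna Example", "email": "  Anna.Example@Example.com ", "phone": "+46 70-123 45 67"},
    {"name": "Bo Sample", "email": "bo@example.org", "phone": "070 765 43 21"},
]


def normalise_email(email: str) -> str:
    """Assumed normalisation: trim whitespace, lowercase, Unicode NFC.
    Without a shared normalisation, two parties hash 'Anna@x.com' and 'anna@x.com'
    to different values and the match silently fails."""
    return unicodedata.normalize("NFC", email.strip().lower())


def normalise_phone(phone: str, default_cc: str = "46") -> str:
    """Assumed E.164-style normalisation: digits only; a leading national zero is
    replaced by the default country code; numbers already prefixed with '+' keep their digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if phone.strip().startswith("+"):
        return digits
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return digits


def sha256_hex(value: str) -> str:
    """SHA-256 of the UTF-8 encoding, hex-encoded. This is a hash (pseudonymisation),
    not encryption: there is no key and nothing to decrypt."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_match_record(contact: dict) -> dict:
    """The record that would be uploaded for matching: only hashed identifiers leave the Processor."""
    return {
        "em": sha256_hex(normalise_email(contact["email"])),
        "ph": sha256_hex(normalise_phone(contact["phone"])),
    }


def recover_emails(hashes: list, candidate_emails: list) -> dict:
    """Demonstrates reversibility against a candidate list: whoever holds the plaintext
    addresses (a CRM export, the platform's own user base) rebuilds the mapping."""
    table = {sha256_hex(normalise_email(e)): e for e in candidate_emails}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    records = [build_match_record(c) for c in CONTACTS]
    for r in records:
        print(r)
    # A holder of a candidate address list links the hashes straight back to people.
    print(recover_emails([r["em"] for r in records], ["anna.example@example.com", "nobody@example.net"]))
```

Because of the recovery shown by `recover_emails`, the deletion promised above (hashes removed promptly after the match) is the control that actually limits exposure; the hashing alone only narrows who can re-identify the records, it does not prevent it.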
Annex II – Technical and Organisational Measures
Description of the technical and organisational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- Access Control (Physical): Measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are processed, including establishing security areas, restriction of access paths, establishing access authorizations for employees and third parties, and door locking (electric door openers etc.).
- Access Control (Logical): Measures to prevent data processing systems from being used by unauthorized persons including user identification and authentication procedures, ID/password security procedures, and encryption of archived data media.
- Authorization Controls: Measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including internal policies and procedures, control authorization schemes, differentiated access rights (profiles, roles, transactions and objects), monitoring and logging of accesses, and disciplinary action against employees who access personal data without authorization.
- Transmission Security: Measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that it can be verified to which companies or other legal entities Personal Data are disclosed, including encryption, logging, and transport security. Personal Data is encrypted at rest and is transferred via HTTPS with TLS 1.3. SHA-256 is a hash function rather than an encryption algorithm; it is the kind of mechanism used to hash identifiers before matching (Annex I), not to encrypt stored data.
- Audit Logging: Measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems, including logging and reporting systems, audit trails and documentation.
- Availability Controls: Measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) including backup procedures, uninterruptible power supply (UPS), remote storage, anti-virus/firewall systems, and disaster recovery plan.
- Data Separation: Measures to ensure that Personal Data collected for different purposes can be processed separately, including separation of databases, limitation of use, and segregation of functions (production/testing).
Annex III – List of Sub-Processors
The Data Controller has authorised the use of the following sub-processors:
(i) Influ2 Inc. Address: 1250 Borregas Avenue #44, Sunnyvale, CA 94089, USA Contact: privacy@influ2.com Description: Processing the Data Controller's personal data to launch ad campaigns targeted to specific prospects and track advertisement effectiveness. Ad campaigns may be launched via the following sub-processors:
- Meta Platforms, Inc. – 1 Hacker Way, Menlo Park, CA 94025, USA – Matching of hashed personal data with Meta data to target users on facebook.com and instagram.com
- LinkedIn Corp. – 1000 West Maude Avenue, Sunnyvale, CA 94085, USA – Matching of hashed personal data to target users on linkedin.com
- Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA – Matching hashed data for targeted advertising across Google platforms
- Oath Inc. (Yahoo Ad Network) – 770 Broadway, New York, NY 10003, USA – Matching hashed personal data for advertising on yahoo.com
- Amazon.com Services LLC / Amazon.com, Inc. – 410 Terry Ave N, Seattle, WA 98109, USA – Matching hashed personal data for advertising across the Amazon Network
(ii) Meta Platforms, Inc. Address: 1 Hacker Way, Menlo Park, CA 94025, USA Description: Run advertising campaigns targeted at users of facebook.com and instagram.com
(iii) LinkedIn Corp. Address: 1000 West Maude Avenue, Sunnyvale, CA 94085, USA Description: Run advertising campaigns targeted to users of linkedin.com
(iv) NextRoll, Inc. Address: 1 Burlington Plaza, Burlington Road, Dublin 4, Ireland Description: Run advertising campaigns targeted to users on the Adroll, NextRoll, and RollWorks networks
(v) Dealfront Group GmbH Address: Am Sandtorkai 73, 20457 Hamburg, Germany Contact: privacy@dealfront.com / dpo@dealfront.com Description: Provides B2B lead generation and sales intelligence to support identification and engagement of potential prospects
(vi) InZynk AB Address: Kungsgatan 32, 111 35 Stockholm, Sweden Contact: info@inzynk.com / +46 73 975 56 86 Description: Optimises digital marketing campaigns using data analysis to refine targeting and improve outreach
(vii) Adform A/S Address: Silkegade 3B, ST. & 1., 1113 Copenhagen, Denmark Contact: support@adform.com Description: Enables targeted advertising, real-time bidding, and analytics across digital platforms
(viii) Google LLC Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Contact: dpo-google@google.com Description:
- Runs targeted ad campaigns via Google Ads, including conversion tracking and performance analytics
- Google Tag Manager facilitates tag and script management for analytics and marketing
(ix) ZenLeads Inc. d/b/a Apollo.io Address: 440 N Barranca Ave #4750, Covina, CA 91723-1722, USA Contact: privacy@apollo.io Description: Provides sales and marketing intelligence, including lead generation, enrichment, and contact data enhancement
(x) Amazon Web Services, Inc. (AWS) Address: 410 Terry Ave N, Seattle, WA 98109-5210, USA Contact: aws-privacy@amazon.com Description: Provides cloud hosting and infrastructure, supporting secure and scalable processing of personal data in compliance with SCCs and industry standards
We may make updates to these Terms from time to time by posting a new version to the Site, whereupon such changes will become effective.
Contact Information
For any questions or enquiries, please contact us using the details below:
Email: david@njord.io
Phone: +46 73 359 56 55
Company Information: Megadeals International AB, reg. no 559220-2120