Data Processing Agreement

This Data Processing Agreement (this “DPA”) has been entered into by Billogram AB, company ID no. 556801-7155 (the “Processor” or “Billogram”) and the customer that is a party to the Service Agreement (the “Controller” or “Customer”).

The Processor and the Controller are jointly referred to as the “Parties” and each individually as a “Party”.

This DPA governs the rights and obligations with respect to the Processing of Personal Data in connection with the use of the Processor’s Service.

This DPA constitutes the entire agreement and understanding of the Parties hereto with respect to the subject matter hereof and supersedes all prior agreements and understandings, whether written or oral, relating to such subject matter.

1. DEFINITIONS

To the extent that Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter referred to as the General Data Protection Regulation (“GDPR”), contains terms similar to those used in this DPA, such terms shall have the same meaning as in the GDPR. In addition to the terms defined elsewhere in this DPA, the following terms shall have the meaning specified below.

Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Customer Data: Personal Data relating to the Customer's customers.

Data Protection Laws: All privacy and Personal Data legislation, along with any other legislation (including regulations and directives) applicable to the Processing carried out in accordance with this DPA, including national as well as EU legislation, in particular the GDPR.

Data Subject: A natural person whose Personal Data is Processed.

Instructions: The written instructions that more specifically define the object, duration, type and purpose of Processing of Personal Data, as well as the categories of Data Subjects and special requirements that apply to the Processing, as set out in Appendix 1 attached hereto.

Personal Data: Any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Service: Billogram’s service as defined in the Service Agreement.

Service Agreement: The agreement between the Parties governing the Service.

Subprocessor: A natural or legal person, public authority, agency or other body which, in the capacity of subcontractor to the Processor, Processes Personal Data on behalf of the Controller.

Third Country: A country that is not a member of the European Union (EU) or the European Economic Area (EEA).

2. BACKGROUND AND PURPOSE

  1. The Parties have entered into the Service Agreement. 

  2. The Processor’s obligations under the Service Agreement include to Process Personal Data as a Processor engaged by the Controller.

  3. The Parties have entered into this DPA to ensure that the Processor’s Processing of Personal Data will be in accordance with the Data Protection Laws. 

  4. The aim of this DPA is to meet the current requirements for an agreement between the Controller and Processor in accordance with Article 28 GDPR and to safeguard the freedoms and rights of the Data Subject in accordance with the Data Protection Laws.

  5. Through this DPA, the Instructions and a list of Subprocessors (whereby the Instructions and the list of Subprocessors shall be deemed included in this DPA), the Controller regulates Processor’s Processing of Personal Data on behalf of the Controller. 

  6. In the event of a conflict between this DPA and the Service Agreement, this DPA will prevail.

  7. Any reference in this DPA to national or union legislation refers to the provisions applicable at any given time. 

3. PROCESSING OF PERSONAL DATA AND SPECIFICATION

  1. The Controller hereby appoints the Processor to carry out Processing on behalf of the Controller, pursuant to the provisions of this DPA, for the purpose of delivering the Service according to the Service Agreement. 

  2. The Processor undertakes to Process Personal Data in compliance with this DPA as well as its own obligations under the Data Protection Laws.

  3. The Processor furthermore undertakes to only Process Personal Data in accordance with the documented Instructions from the Controller, unless otherwise provided by the Data Protection Laws. 

  4. The Controller’s initial Instructions to the Processor are set forth in this DPA and in Appendix 1 to this DPA. The Controller is responsible for ensuring that the Instructions are compliant with the Controller’s obligations under the Data Protection Laws.

  5. The Controller confirms that the obligations of the Processor set out in this DPA, including the Instructions, constitute the full and complete Instructions to be followed by the Processor. Any changes to the Controller’s Instructions shall be documented in writing in Appendix 1 to this DPA and duly signed by both Parties.

  6. The Controller undertakes to inform the Processor without undue delay of any changes in the Processing that may affect the Processor’s obligations pursuant to the Data Protection Laws.

  7. The Processor shall, to the extent required under the Data Protection Laws and in accordance with the Controller’s Instructions in each case, assist the Controller in fulfilling its legal obligations under the Data Protection Laws.

  8. The Controller is responsible for informing Data Subjects of the Processing and to safeguard the rights of Data Subjects in accordance with the Data Protection Laws, as well as to take every other measure required of the Controller pursuant to the Data Protection Laws.

  9. If the Processor finds the Instructions to be unclear, in violation of the Data Protection Laws, or deficient, and the Processor is of the opinion that new or supplementary Instructions are necessary in order to fulfil its obligations under this DPA and the Data Protection Laws, the Processor shall inform the Controller of this without delay. 

  10. In the event the Controller provides the Processor with new or amended Instructions, the Processor shall within a reasonable time inform the Controller whether the implementation of the new Instructions will entail any changed costs for the Processor. 

4. SECURITY MEASURES

  1. The Processor shall, for as long as this DPA is in effect, maintain appropriate technical and organisational security measures in accordance with what is required by the Data Protection Laws in order to prevent Personal Data Breaches and ensure that the rights of the Data Subjects are protected. 

  2. Upon the effective date of this DPA, the Processor shall apply the technical and organisational measures set out in the Instructions. The Processor undertakes not to substantially change these or otherwise change the security measures in a way that results in a lower level of information security than the one intended in Section 4.1 or the Instructions, without the prior written consent of the Controller.

  3. The Processor shall continuously ensure that the technical and organisational security measures relating to the Processing maintain an appropriate level of confidentiality, integrity, availability and resilience. 

  4. Any future or modified requirements for protective measures coming from the Controller once the Parties have entered into this DPA shall be considered as new Instructions. 

5. REQUEST FOR INFORMATION AND DISCLOSURE OF PERSONAL DATA

  1. The Processor undertakes not to, without the Controller’s prior written consent, disclose or otherwise make Personal Data Processed under this DPA available to any third party, unless otherwise provided by Swedish or European law, judicial or administrative decisions. Notwithstanding the foregoing, the Processor has the right to (i) make Personal Data available to Subprocessors engaged in accordance with Section 9, and (ii) without the prior approval from the Controller, disclose Personal Data to third party recipients who are or provide clearing systems, banks and/or payment system providers, to the extent necessary to make payments in accordance with the Service Agreement. Such third-party recipients of Personal Data are Controllers for the Personal Data thus received.

  2. The Processor shall take all reasonable steps (i) to maintain the confidentiality of the Personal Data, (ii) to ensure that only such staff and other representatives of the Processor who require access to Personal Data in order to fulfil the Processor’s obligations under this DPA and the Service Agreement have access to the Personal Data, (iii) to ensure the reliability of such staff and other representatives of the Processor and (iv) to ensure that all such staff and representatives are bound by confidentiality obligations under law or contract with respect to the Personal Data and are aware of the implications of such confidentiality obligations.

  3. If Data Subjects request information from the Processor regarding the Processing of Personal Data, the Processor shall refer such request to the Controller without undue delay. 

  4. The Processor shall through appropriate technical and organisational measures, to the extent possible and with due regard to the nature of the Processing, assist the Controller in fulfilling the Controller’s obligations to comply with the Data Subjects’ requests for exercising their rights under the GDPR (such as rectification, deletion, restriction, data portability and request of access) in accordance with Section 7 below.

  5. The Processor shall assist the Controller in fulfilling the Controller’s obligation to carry out data protection impact assessments for Processing under this DPA when such Processing is likely to result in a high risk to the rights and freedoms of individuals.

  6. If competent authorities request information from the Processor regarding the Processing of Personal Data pursuant to this DPA or the Service Agreement, the Processor shall refer such request to the Controller without undue delay. The Processor may not in any way act on behalf of, or as a representative of, the Controller and may not, without prior instructions from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party, unless otherwise provided by Swedish or European law, judicial or administrative decisions. The Processor shall assist the Controller by providing the Controller with the information, assistance and resources that may be reasonably required to fulfil the Controller’s obligation to provide information and documentation to the competent authorities for prior consultation. 

  7. In the event the Processor, according to applicable Swedish or European laws and regulations, is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor shall be obliged to inform the Controller thereof without undue delay, unless otherwise provided by Swedish or European law, judicial or administrative decisions, and request confidentiality in conjunction with the disclosure of the requested information.

6. AUDITS

  1. At the request of the Controller, the Processor shall without undue delay provide information regarding the technical and organisational security measures used to ensure that the Processing complies with the requirements of this DPA and the Data Protection Laws and allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller, provided that persons performing the audits enter into appropriate confidentiality agreements with the Processor.

  2. Such audits shall be subject to at least ten (10) business days’ written notice and may be carried out once per calendar year, unless the Controller reasonably considers an additional audit necessary because of genuine concerns as to the Processor’s compliance with this DPA or in the event of a security breach that reasonably would raise such concerns. In the event of a request for an additional audit, the Controller will communicate its reasons for the request, concerns and other relevant information when giving notice about the additional audit to the Processor.

  3. Any information regarding other customers of the Processor that may be considered a trade secret or that otherwise is subject to confidentiality by law or agreement, will be excluded from the audit and the Controller will have no right to access, audit or inspect such information.

  4. Information that the Controller or another auditor mandated by the Controller collects during its audit under this DPA must be deleted by the Controller as soon as it is no longer necessary for the purpose of the audit and the Controller shall confirm that this has been done in writing to the Processor.

  5. Audits shall be performed during normal business hours in a manner to minimise disruption to Processor’s business, and the Controller shall promptly provide the Processor with a copy of the results of the audit. 

  6. Despite any other provision under this DPA, the Processor is under no obligation to provide or allow audit access to a third party auditor that is a competitor of the Processor.

  7. The Processor shall enable the supervisory authority, or other government agency with legal authority, to conduct audits at the authority’s request and pursuant to Data Protection Laws at any given time, even if such an audit would otherwise violate the provisions of this DPA. In the context of facilitating audits under this Section 6.7, the Processor shall be exempt from penalties and/or sanctions arising from breaches of this DPA. 

7. HANDLING OF CORRECTIONS, DELETIONS, ETC. 

  1. In the event that the Controller has requested a correction or deletion as a result of incorrect Processing by the Processor or as a result of a request from a Data Subject, the Processor shall take appropriate measures, without undue delay but in any event no later than thirty (30) calendar days from the date on which the Processor received the required information from the Controller. When the Controller has requested deletion, the Processor may only perform Processing of the Personal Data in question as part of the correction or deletion process or as required by Data Protection Laws or other applicable laws.

8. PERSONAL DATA BREACHES

  1. The Processor shall have the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident as provided for in Article 32(1)(c) of GDPR.

  2. The Processor undertakes to assist the Controller in fulfilling its obligations in the event of a Personal Data Breach involving the Processing. At the request of the Controller, the Processor shall also assist in investigating suspicions of unauthorised Processing of and/or access to Personal Data. 

  3. If the Processor becomes aware of a Personal Data Breach, the Processor shall, without undue delay, notify the Controller thereof in writing. The Processor shall, subject to the information available to the Processor, provide the Controller with a written description of the Personal Data Breach. 

  4. A notification pursuant to Section 8.3 shall include all information which may be reasonably required by the Controller to fulfil its obligations under the Data Protection Laws. Such information includes e.g., a description of: 

     (a) the nature of the Personal Data Breach, categories of and the approximate number of Data Subjects affected, categories of and the approximate number of Personal Data included;

     (b) likely consequences as a result of the Personal Data Breach; and

     (c) the measures taken to rectify the Personal Data Breach or to mitigate its potential adverse effects. 

  5. If it is not possible for the Processor to provide all the required information at the same time as the Personal Data Breach notification, the description may be provided in stages without undue additional delay.

  6. To the extent a Personal Data Breach has occurred due to the Controller’s act or omission, or otherwise as a consequence of any circumstances on the Controller’s side in relation to which the Processor has no involvement or responsibility, then any assistance by the Processor requested by the Controller will be charged by the Processor on a time and material basis. 

  7. The Controller shall compensate the Processor for any direct costs that the Processor incurs under this Section 8 as a result of the Controller not complying with Data Protection Laws or this DPA. 

9. SUBPROCESSOR

  1. The Processor may only engage those Subprocessors listed in Appendix 2 to perform its undertakings under this DPA. All engagements of a Subprocessor for the purpose of this DPA are subject to the Subprocessor agreeing in writing to data protection obligations equivalent to those imposed on the Processor under this DPA. 

  2. When the Processor intends to engage a new Subprocessor or replace an existing one, the Processor shall verify the Subprocessor’s capacity and ability to meet its obligations in accordance with the Data Protection Laws. 

  3. The Controller may object to new Subprocessors, provided that the Controller has an objectively justified reason not to approve the new Subprocessor and that the Controller objects to the engagement of such Subprocessor within fourteen (14) calendar days after the Processor’s notice of the intention to engage the Subprocessor. If the Controller does not object in writing within the stipulated time, the Controller will be deemed to have approved the Subprocessor. If the Controller reasonably objects to a new Subprocessor, the Controller may terminate this DPA and the Service Agreement in writing with thirty (30) calendar days’ notice without any termination cost. 

  4. The Processor is responsible in relation to the Controller for any Processing carried out by a Subprocessor as if it was the Processor’s own Processing. 

  5. When the Processor stops using a Subprocessor, the Processor shall notify the Controller in writing thereof. 

  6. At the Controller’s request, the Processor shall provide a copy of the agreement governing the Subprocessor’s Processing of Personal Data.

10. LOCALISATION AND TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY 

  1. The Processor shall ensure that the Personal Data will primarily be Processed within the EU/EEA by a natural or legal person who is established in the EU/EEA and that any transfer of Personal Data to a Third Country for Processing (e.g. for service, support, maintenance, development, operations or other similar handling) will be carried out only if such transfer complies with the Data Protection Laws and fulfils the requirements for the Processing set out in this DPA and the Instructions, including but not limited to, ensuring that:

     (a) the EU Commission has determined that the level of protection is adequate in the Third Country where the Personal Data is Processed, in accordance with a granted adequacy decision; or 

     (b) the transfer is made to a recipient in a Third Country where the recipient is subject to an adequacy decision regarding specific data protection frameworks issued by the EU Commission (such as the Data Privacy Framework); or

     (c) the transfer is covered by the EU Commission's Standard Contractual Clauses (SCCs) for data transfer to Third Countries, as applicable at any given time; or 

     (d) the transfer is covered by Binding Corporate Rules approved by a competent supervisory authority; or

     (e) the transfer is made in accordance with the derogations for specific situations outlined in Article 49 of the GDPR; and

     (f) the Processor, prior to the transfer, has taken the additional safeguards that may be required under applicable Data Protection Laws. 

  2. The Processor shall ensure that none of the provisions in the Standard Contractual Clauses or the Binding Corporate Rules are in conflict with this DPA, including the Instructions.

11. COMPENSATION

  1. The Processor shall be entitled to compensation on a time and material basis, applying the Processor’s Service Fees applicable at the time, for work performed under Sections 3.10, 4.4, 6 and 8.6 of this DPA. In addition, any third party costs or expenses incurred by the Processor in connection with such work shall be reimbursed in full by the Controller.

  2. The Processor is not entitled to any other compensation for Processing of Personal Data under this DPA than as set out above.

12. LIABILITY FOR DAMAGES IN CONNECTION WITH THE PROCESSING

  1. In the event that compensation for damages in relation to Processing is due and owed to the Data Subject, through a legally binding judgement or settlement, due to a violation of this DPA and/or applicable provision of the Data Protection Laws, Article 82 of GDPR will apply.

  2. Fines in accordance with Article 83 of the GDPR or Chapter 6 of the Data Protection Act (2018:218) shall be paid by the Party to this DPA on which such a fine has been imposed.

  3. Subject to what has been set out in 12.1 and 12.2 above and the limitation of liability set out in the Service Agreement, the Controller shall be liable for any damages, costs or losses that are incurred by the Processor or for which the Processor may become liable due to any failure by the Controller to comply with the obligations under this DPA and the Processor shall be liable for any damages, costs or losses that are incurred by the Controller or for which the Controller may become liable due to any failure by the Processor to comply with the obligations under this DPA.

  4. For the avoidance of doubt, nothing in this DPA shall restrict or limit the Parties’ general obligation at law to mitigate any loss they may suffer or incur as a result of an event that may give rise to a claim under this DPA.

  5. For the avoidance of doubt and notwithstanding any of the provisions of the Service Agreement, Sections 12.1 and 12.2 of this DPA take precedence over other rules regarding the allocation of liability between the Parties of claims regarding the Processing.

13. GOVERNING LAW AND DISPUTE RESOLUTION

  1. What is stipulated in the Service Agreement applies to dispute settlement and choice of law.

14. CONCLUSION, TERM AND TERMINATION OF THE DPA 

  1. This DPA shall enter into force from the time this DPA has been signed by both Parties and shall remain in force until it is terminated in accordance with this Section 14. 

  2. This DPA shall terminate at the later of (i) the date on which the Service Agreement expires; and (ii) the date on which the Processor ceases Processing Personal Data on behalf of the Controller.

  3. Notwithstanding the above, Section 5.2 and 12 of this DPA shall remain in effect even if the DPA otherwise ceases to apply. 

15. AMENDMENTS

  1. The Controller has the right to change the Instructions set out in Appendix 1 and the content of this DPA to the extent necessary to comply with the Data Protection Laws. Such amendments shall enter into force no later than thirty (30) calendar days after the Controller has notified the Processor in writing of the changes. The Processor is entitled to compensation for actual and substantiated additional costs resulting from changes communicated by the Controller in accordance with this Section 15.1.

  2. Any amendments to this DPA must be made in writing and signed by both Parties. 

  3. If either Party becomes aware that the other Party is acting in violation of this DPA, the violating Party shall be informed thereof without delay of the actions in question. The informing Party shall be entitled to suspend the performance of its obligations pursuant to this DPA until such time as the violating Party has declared that the actions have ceased, and the explanation has been accepted by the Party that made the complaint.

16. MEASURES IN THE EVENT OF TERMINATION OF THE DPA 

  1. Upon notice of termination or termination of this DPA, the Controller will, at the choice of the Controller and without undue delay, request that the Processor delete or return all Personal Data to the Controller, unless applicable law requires further Processing. Until the Personal Data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.

  2. Transfers and/or deletions pursuant to Section 16.1 shall be carried out by the Processor no later than thirty (30) calendar days from the date on which the notice of termination of the DPA has been received by the Processor, unless otherwise agreed by the Parties. 

17. NOTIFICATIONS

  1. All notices shall be in writing and made in Swedish or English and sent by e-mail, (i) as regards the Controller, to the e-mail address provided by the Customer in connection with registration of the user account or the e-mail address specified by the Customer at a later time and, (ii) as regards the Processor, to the e-mail address legal@billogram.com. Notices sent in the prescribed manner shall be deemed to have been received by the other Party no later than the next business day.

APPENDIX 2: AUTHORISED SUBPROCESSORS 

(As applicable depending on the Service)

Company name | Company ID | Service | Data Location
Amazon Web Services EMEA SARL | B186284 | Infrastructure and cloud storage | EU/EEA
Zendesk, Inc. | 519184 | Customer support | EU/EEA
Tietoevry AB | 559435-9001 | Invoice distribution (Letter, EDI, digital mailbox) | EU/EEA
46Elks AB | 556838-8184 | Invoice distribution (SMS) | EU/EEA
Tink AB | 556898-2192 | Account information services | EU/EEA
Sendsafely Inc. | 83-3167288 | Communication service | EU/EEA
Stripe Payments Europe Ltd | 513174 | Card payments | USA

APPENDIX 1: CONTACT INFORMATION AND INSTRUCTIONS

  1. CONTACT INFORMATION

The Processor’s contact details:

Billogram AB
Klara Södra Kyrkogata 1
111 52 Stockholm

Contact e-mail: legal@billogram.com

2. PERSONAL DATA PROCESSING INSTRUCTIONS

2.1. Subject for Processing 

The subject for Processing is such Processing as is necessary to enable the Processor to provide the Service and otherwise fulfil its obligations under, and take those measures set forth in, the Service Agreement. 

2.2. Purpose 

The purpose of the Processing is the issuance and distribution of invoices to the Controller’s customers, including such processing as is necessary for payment handling and accounts ledger management. 

2.3. Processing activities (Nature of Processing) 

The Processor’s Processing of Personal Data on behalf of the Controller primarily concerns the following processing activities: 

  • invoice production and distribution

  • accounts ledger and invoice payments operations 

  • direct debit mandates administration

  • communication with end customers through the provision of communication module and sales and offer module 

  • end customer support 

  • compiling statistics and executing analysis

  • [optimization of configurations and workflows in the Service based on the Controller’s business and end customer types, including profiling where applicable]

  • ensuring functionality and preventing misuse of the Service

  • ensuring compliance with applicable laws and regulations. 

2.4. Categories of Data Subjects

Categories of Data Subjects are the Controller’s customers. 

2.5. Categories of Personal Data

  • Identification data

  • Contact details

  • Billing and payment information

  • Bank details

  • Case details

  • Communication information

  • Consent details

  • Information generated by use of the Service 

Billogram may also Process Personal Data related to the Controller’s relationship with its customers, such as information regarding churn, for the purpose of compiling statistics on the Controller’s behalf.

Special categories of Personal Data as defined in Article 9 of the GDPR, such as information revealing trade union membership or data concerning health, may be Processed depending on the content of the invoice specified by the Controller. 

2.6. Duration of the Processing 

The duration of Processing is limited to the period of time necessary to provide the Service under the Service Agreement, which for bookkeeping documents shall be in accordance with national bookkeeping regulations and for all other information for as long as required with regards to the purpose for which the Personal Data is Processed, unless otherwise set forth in Data Protection Laws.

3. TECHNICAL AND ORGANISATIONAL MEASURES

Billogram implements appropriate technical and organisational measures which are designed to meet the data protection principles in an effective manner and ensures that appropriate safeguards are integrated into the Personal Data Processing to meet the requirements of the GDPR and to protect the rights of Data Subjects as described below. Further information about technical and organisational measures is available upon request.

Data protection risk assessment

Billogram executes and documents a risk assessment to decide which data security measures shall be implemented. The aim is to define the appropriate level of data security measures for each part of the Service. In all cases, Billogram has implemented at least the security measures described in the chapter “Security of Personal Data” below.

Security measures

Billogram has implemented an Information Security Management System (ISMS) in line with the ISO 27001 standard. Security and privacy policies and instructions have been created and established throughout the Billogram organisation as part of the ISMS, and are available to customers on request. The policies are supported by a wide range of mandatory rules on different aspects of data protection and information security to ensure compliance with Data Protection Laws and this DPA. These internal documents include e.g. processes for Personal Data Breach management and Data Subject requests. The documents are subject to regular internal review and approval processes.

Security of Personal Data

Billogram has implemented the following measures based on requirements set out in “Security of Processing” (Article 32 of the GDPR):

a) The pseudonymisation and encryption of Personal Data;

  • Billogram utilises encryption and/or pseudonymisation in its operations to mitigate data protection risks where appropriate. Encryption and pseudonymisation techniques may vary between Services according to the Service requirements and the data protection risk assessment. Details of the measures used are available upon request.

b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • Protection of the Personal Data requires implementation of multiple security controls, which is covered by the ISMS. Standardised processes help to secure quality of the Service and to safeguard Personal Data Processing.

  • Access to the Billogram IT environment is controlled. To access Billogram systems an employee must have a valid reason, and access to the customer interface is only approved through a process agreed on jointly with the customer. Connections to the Billogram IT environment are logged to provide audit trails of administrative operations in the systems. At a minimum, all access to the Billogram IT environment and services requires a secured channel and strong authentication. Other security controls are applied if required by the data protection risk assessment.

  • Unauthorised persons are prevented from gaining physical access to Data Processing facilities. Physical and environmental controls are utilised to protect Personal Data against accidental and unlawful destruction.

  • Billogram ensures adequate protection of administrative connections, third party access and file transfers which are deployed within Billogram’s infrastructure.

  • Security measures have been implemented to protect the system landscape from security threats.

  • Billogram plans, executes and controls customer business related operations. The organisational structure assigns roles and responsibilities to provide for adequate staffing and efficiency of operative capabilities. Billogram management establishes authority and appropriate lines of reporting for key personnel. As a part of the hiring process background checks are conducted based on the employee's position and level of access to Billogram processing facilities and systems.

  • Billogram maintains and controls the execution of the Billogram information security policy, provides regular security training to employees and performs application security reviews. These reviews assess the confidentiality, integrity and availability of data, as well as conformance to the information security policy.

c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

  • Billogram has backup processes and strategies which ensure rapid restoration of business critical systems as and when necessary. 

  • Billogram has defined and implemented business continuity and disaster recovery plans for the infrastructure supporting Billogram’s Service delivery to customers. These plans are updated and tested on a regular basis. 

d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;

  • Billogram’s emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the Personal Data Processing. 

  • Billogram conducts internal security testing and vulnerability scanning. For those parts of the IT environment where the risk is assessed to be high, Billogram also utilises external security testing services, including penetration testing.