Skip to main content

Data Processing Agreement

Data Processing Addendum under GDPR

Last updated: February 2, 2026

This Data Processing Agreement ("DPA") is part of your service agreement with Tom Isgren / Bright Interaction ("Processor", "we", "us"). This DPA is incorporated into and governed by your signed proposal or service agreement with Bright Interaction.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data (the Client).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (Tom Isgren / Bright Interaction).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Scope and Purpose of Processing

We process Personal Data only as needed to provide the services, which may include:

  • Workflow automation and process optimization
  • System integration and API development
  • Cloud infrastructure management and hosting
  • Database design, development, and maintenance
  • Custom software development
  • Technical support and maintenance services

3. Categories of Personal Data

Depending on the services provided, the following categories of Personal Data may be processed:

  • Contact information (names, email addresses, phone numbers, addresses)
  • Professional information (job titles, company names, business contact details)
  • Account credentials and authentication data
  • Usage data and system logs
  • Any other Personal Data the Controller includes in systems we manage

The specific categories of data processed will be defined in your service agreement or project scope.

4. Categories of Data Subjects

Data Subjects may include:

  • The Controller's employees and contractors
  • The Controller's customers and clients
  • The Controller's business partners and vendors
  • End users of the Controller's products or services
  • Any other individuals whose data is stored in systems we manage

5. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures as described in Section 8
  • Respect the conditions for engaging Sub-processors as described in Section 7
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, impact assessments)
  • Delete or return all Personal Data upon termination of services, unless retention is required by law
  • Make available all information necessary to demonstrate compliance and allow for audits

6. Controller Obligations

The Controller agrees to:

  • Ensure that the processing of Personal Data is lawful and that appropriate legal bases exist
  • Provide documented instructions regarding the processing of Personal Data
  • Ensure that Data Subjects have been informed of the processing in accordance with GDPR
  • Respond to Data Subject requests in a timely manner
  • Notify the Processor promptly of any changes to applicable data protection laws
  • Conduct data protection impact assessments where required

7. Sub-processors

The Controller grants general authorization for the Processor to engage Sub-processors, subject to the following conditions:

  • The Processor will maintain a current list of Sub-processors
  • The Processor will inform the Controller of any intended changes to Sub-processors with reasonable notice
  • The Controller may object to any new Sub-processor within 14 days of notification
  • All Sub-processors will be bound by data protection obligations equivalent to those in this DPA
  • The Processor remains fully liable for the performance of its Sub-processors

Current Sub-processors:

Provider Purpose Location
Hetzner Online GmbH Cloud infrastructure hosting Germany (EU)
Cloudflare, Inc. CDN, DNS, security services EU data centers (with SCCs)
Stripe, Inc. Payment processing EU/US (with SCCs)
Documenso, Inc. E-signature services EU (self-hosted)

This list was last updated on February 2, 2026. Contact us for the most current version.

8. Security Measures

We use these technical and organizational measures:

Technical Measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for all system access
  • Regular security updates and vulnerability patching
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems
  • Regular automated backups with encrypted storage
  • Secure development practices and code review

Organizational Measures:

  • Access control based on least privilege principle
  • Confidentiality agreements with all personnel
  • Regular security awareness training
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security assessments and audits

9. Data Subject Rights

The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access - providing copies of Personal Data
  • Right to rectification - correcting inaccurate data
  • Right to erasure - deleting data ("right to be forgotten")
  • Right to restriction - limiting processing
  • Right to data portability - providing data in a structured format
  • Right to object - ceasing certain processing activities

The Processor will notify the Controller promptly (within 48 hours) upon receiving any request directly from a Data Subject.

10. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay, and no later than 24 hours after becoming aware of the breach
  • Provide all information necessary for the Controller to fulfill its breach notification obligations under GDPR Article 33
  • Cooperate with the Controller in investigating and remediating the breach
  • Document all breaches, including facts, effects, and remedial actions taken

Breach notification will include:

  • Nature of the breach including categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

11. International Data Transfers

The Processor primarily processes data within the European Economic Area (EEA). When transfers outside the EEA are necessary:

  • Transfers will only occur to countries with an EU adequacy decision, or
  • Appropriate safeguards will be implemented, including Standard Contractual Clauses (SCCs)
  • The Controller will be informed of the destination country and safeguards in place
  • Additional measures will be implemented where required by the Schrems II decision

12. Audits and Inspections

The Processor will:

  • Make available all information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
  • Provide reasonable notice requirements for on-site audits (minimum 30 days)
  • Audits shall be conducted during regular business hours with minimal disruption
  • Costs of audits initiated by the Controller shall be borne by the Controller, unless the audit reveals material non-compliance

13. Data Retention and Deletion

Upon termination of services or upon the Controller's request:

  • The Processor will return all Personal Data to the Controller in a commonly used format, or
  • Delete all Personal Data and certify such deletion in writing
  • Deletion will be completed within 30 days of termination, unless longer retention is required by law
  • Any legally required retention will be documented and the Controller will be informed

14. Duration and Termination

This DPA starts when you sign a proposal or service agreement. It lasts as long as we process Personal Data for you. After the main agreement ends, this DPA still applies until all Personal Data is returned or deleted.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of Sweden and the GDPR. Disputes will be resolved in the courts of Malmö, Sweden, unless otherwise agreed in writing.

16. Contact Information

For any questions regarding this DPA or data protection matters:

Tom Isgren / Bright Interaction

Data Protection Contact

Nobelvägen 3c

214 29 Malmö, Sweden

Org.nr: 199302152351

Email: Contact

Phone: +46 76 297 80 35

Back to Home Terms of Service Privacy Policy