Appendix D - Data Processing Agreement (DPA)

Last updated: Dec 18th, 2020

This Data Processing Agreement (“DPA”) is entered into between Membrain and Customer.

1. Background

1.1 This DPA constitutes an integral part of the Membrain License Agreement (the "Agreement") between Membrain and the Customer. The Agreement is either the SaaS agreement entered into between the Customer and Membrain or the Terms of Service, if the Customer entered into the Agreement through an online procedure.

1.2 Upon completion of the Agreement, Membrain will process Personal Data on behalf of the Customer, as a Processor. The Customer is the Controller for the processing of the Personal Data.

1.3 If the Customer is joint Controller with another party for the relevant Personal Data, the Customer shall inform Membrain accordingly.

1.4 The purpose of this Agreement is to ensure that Processing is carried out in accordance with the applicable requirements for data processing and obligations under Data Protection Rules and to ensure adequate protection of personal integrity and fundamental rights of individuals during the transfer of Personal Data from the Customer to Membrain within the framework of the Services that Membrain performs under the Agreement.

2. Definitions

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data Protection Rules” means the laws and regulations applicable from time to time in respect of Processing of Personal Data, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), the Supervisory Authority’s binding decisions, regulations and recommendations, and supplementary local adaptations and regulations in respect of data protection;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;

“Sub Processor” means the natural or legal person who processes Personal Data as a Sub Processor on behalf of Membrain;

“Data Subject” means the natural person to whom the Personal Data relates;

“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR. The Supervisory Authority in Sweden is the Swedish Data Protection Authority.

2.1 Unless otherwise stated, any other capitalized term or concept used in this DPA (except in some cases as part of a heading) shall have the meaning established in the Data Protection Rules and otherwise in the Agreement, unless the circumstances obviously require another interpretation.

3. Responsibilities and instructions

3.1 The Personal Data Processed by Membrain on behalf of the Customer is primarily Personal Data relating to names, titles and contact details, see further in Appendix DPA1.

3.2 The Customer is Controller for all the Personal Data that Membrain Processes on behalf of the Customer under the Agreement. The Customer is therefore responsible for complying with Data Protection Rules. The Customer undertakes to inform Membrain of the Data Protection Rules that are relevant to carrying out the Processing under this Agreement. In addition to the requirements that apply directly to a Processor in accordance with Data Protection Rules, Membrain shall be obliged to comply with other applicable requirements according to Data Protection Rules and recommendations from the Supervisory Authority which Membrain has been informed of by the Customer. The Customer shall also continuously inform Membrain of actions taken by third parties, including the Supervisory Authority and Data Subjects, as a result of the Processing.

3.3 Membrain and any person acting under the authority of Membrain who has access to Personal Data shall not Process those data for any purposes other than in accordance with the Customer’s written instructions or according to Data Protection Rules. The instructions that apply to this DPA are set out in Appendix DPA1. In addition to the instructions set out in Appendix DPA1, this DPA and the Agreement constitute the Customer’s instructions to Membrain regarding the Processing of Personal Data. The Customer shall immediately inform Membrain of any changes that affect Membrain’s obligations under this DPA.

3.4 Personal Data under this DPA may also be Processed if such Processing is required by Union law or under the national law of a Member State to which Membrain or the Sub Processor is subject. If such Processing is required, Membrain or the Sub Processor shall inform the Customer of the legal requirement before the Processing, unless that law prohibits such information on grounds of public interest.

3.5 The Customer may not use Membrain’s services to process data that constitute any of the special categories of Personal Data or data relating to criminal convictions and offences under the GDPR or other Personal Data which is considered to be sensitive Personal Data under national law unless Membrain has given written consent in advance to such Processing.

3.6 Under the Agreement, Membrain will Process Personal Data regarding the Customer's employees or other persons who will use the Service ("User"). This Personal Data may include, for example, contact information, authorization and other information which are relevant for Membrain under the Agreement. The purpose for this Processing is to carry out the Parties' respective obligations and cooperation under the Agreement and for the administration of the contractual relationship and security. The Processing can also be carried out for other purposes if instructed by the Customer.

3.7 The Customer undertakes to take all necessary steps to inform affected persons of Membrain’s Processing as per section 3.6. The Customer shall provide the Users with information about Membrain’s Privacy Policy (https://www.membrain.com/privacy-policy). At the request of Membrain, the Customer shall be able to prove that such information has been provided to the Users. In so far as the Users object or express concerns to the Customer regarding Membrain’s Processing, the Customer shall immediately inform Membrain.

3.8 Notwithstanding the foregoing, Membrain has the right to store, process and use data derived from the Customer in an aggregated or anonymized format, for example in reports used for analysis, market communications, marketing materials etc.

4. Security

4.1 Membrain shall implement technical and organizational measures, as required by the Data Protection Rules, in order to ensure a level of security that is appropriate with regards to the risk and to protect Personal Data being Processed from accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of, or access to, the Personal Data being Processed.

4.2 Membrain shall assist the Customer in ensuring that the obligations under Articles 32-36 of the GDPR are fulfilled, taking into consideration the type of Processing and the information available to Membrain.

4.3 Membrain shall notify the Customer without undue delay after becoming aware of a Personal Data breach.

5. Disclosure of Personal Data and Information

5.1 In the event that Membrain receives a request from the Data Subject, Supervisory Authority or other third party to obtain information regarding Personal Data which Membrain Processes on behalf of the Customer, Membrain shall without delay forward the request to the Customer. Membrain and any person acting under the authority of Membrain, may not disclose Personal Data or other information about the Processing of Personal Data without explicit instructions from the Customer unless such disclosure is required according to applicable Data Protection Rules.

5.2 Membrain shall assist the Customer in complying with its obligation to respond to requests regarding a Data Subject’s rights of access, rectification and erasure, by taking appropriate technical and organizational measures, taking into account the nature of the Processing, and shall assist in disclosing Personal Data when required by applicable national law.

6. Contact with Supervisory Authority

6.1 Membrain shall inform the Customer of any contacts from the Supervisory Authority concerning the Processing of Personal Data under this DPA. Membrain is not entitled to represent the Customer or act on behalf of the Customer in relation to the Supervisory Authority if not required by Data Protection Rules.

7. Sub Processors

7.1 Personal Data may be Processed by a Sub Processor provided that Membrain enters into a written agreement with the Sub Processor which imposes on it the same obligations when Processing Personal Data as set out in this DPA.

7.2 Membrain undertakes to inform the Customer of any plans to retain new Sub Processors or to replace Sub Processors. The Customer is entitled to object to such changes. Such objection may relate only to objective grounds linked to the fulfilment of technical and organizational security requirements when Processing Personal Data under the DPA. If there are legitimate objections to the use of a Sub Processor and the objection has unreasonable consequences for Membrain, Membrain has the right to terminate the Agreement and/or this DPA in whole or in part with a thirty (30) days’ notice period. If Membrain hires a Sub Processor in spite of the Customer’s legitimate objection, Membrain can also agree to release the Customer from the DPA if the use of the Sub Processor can be shown to have unreasonable consequences for the Customer.

7.3 Membrain is responsible for ensuring that the requirements for the use of Sub Processors under Data Protection Rules are considered and to ensure that such Sub Processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a way that the Processing meets the requirements of Data Protection Rules.

7.4 Membrain shall provide the Customer with a correct and up-to-date list of the Sub Processors assigned for the Processing of Personal Data under this DPA, along with Contact Information and the geographic location for the Processing. This list is available for the Customer at www.membrain.com/legal/subprocessors. Membrain undertakes to notify the Customer at any update of the list of Sub Processors and ensure that it is always correct.

7.5 If a Sub Processor fails to fulfil the obligations under the Agreement, this DPA and/or according to Data Protection Rules, Membrain shall be responsible for performing the Sub Processor’s obligations in relation to the Customer.

8. Audits

8.1 Membrain shall provide the Customer with all information required to comply with the obligations according to this DPA and Data Protection Rules within reasonable time after such request has been made by the Customer to Membrain.

8.2 Membrain shall enable and contribute to audits, including inspections carried out by the Customer or by another independent auditor selected by the Customer, and which Membrain may reasonably accept. The auditor is required to sign sufficient confidentiality agreements provided by Membrain prior to audits. The Customer has the right to perform one audit per year without cost. If the Customer would like to carry out additional audits the Customer must compensate Membrain for all costs associated with the audit/audits.

8.3 With regard to the obligations stated in section 8 of this DPA, Membrain shall immediately inform the Customer if Membrain considers an instruction to be in violation of Data Protection Rules.

9. Transfers of Personal Data outside the EU/EEA

9.1 In the event that Membrain and/or the Sub Processor transfer Personal Data to a location outside of the EU/EEA, Membrain and/or the Sub Processors shall ensure that such transfer complies with applicable Data Protection Rules.

10. Confidentiality

10.1 Membrain shall, where applicable, comply with national legislation applicable to classified or confidential information. Membrain undertakes to ensure that personnel authorized to process Personal Data under this DPA have undertaken to observe confidentiality for the Processing or are subject to applicable statutory duty of confidentiality.

10.2 Section 10.1 above does not apply to information requested by the Supervisory Authority in accordance with Data Protection Rules or other statutory obligation.

10.3 The confidentiality obligation also applies after the Agreement and/or the DPA has ceased to apply.

11. Data portability

11.1 Membrain shall ensure that the Customer is able to fulfill any obligation regarding Data Portability relating to Personal Data which Membrain Processes on behalf of the Customer.

12. Compensation

12.1 In the event that the obligations imposed on Membrain in accordance with Sections 5, 8, 9 and 11 result in extensive work for Membrain, Membrain shall be entitled to reasonable compensation from the Customer.

12.2 In the event that the Customer submits a legitimate objection to a new Sub Processor pursuant to Section 7 and Membrain does not agree to replace the Sub Processor, Membrain shall be entitled to additional compensation from the Customer for the costs incurred by Membrain due to the fact that the Sub Processor cannot be used.

12.3 Membrain shall be entitled to reasonable compensation for all work and all costs that arise due to the Customer’s Instructions for Processing if these exceed the features and level of security of the services that Membrain normally provides to its Customers, or require Membrain to make special adjustments on behalf of the Customer.

13. Liability

13.1 If Membrain, any person acting under the authority of Membrain or a Sub Processor Processes Personal Data in violation of this DPA or the Instructions for Data Processing provided by the Customer, Membrain shall, subject to the limitation of liability arising from the Agreement, compensate the Customer for the direct damage suffered by the Customer due to the wrongful Processing. Regardless of the limitation of liability in this Agreement, Membrain’s liability under paragraph 13.1 shall always be limited to an amount equivalent to the fees paid by the Customer to Membrain under the Agreement for a period of twelve (12) months before the damage occurred. In the event that the Agreement has not been valid during a full contract year, such amount shall be calculated on the fees that the Customer is expected to pay during a contract year under the Membrain License Agreement.

13.2 During the term of this DPA and thereafter, the Customer shall indemnify and hold Membrain harmless from any direct damage, including claims from Data Subjects and third parties, which Membrain has suffered due to unclear, inadequate or unlawful instructions from the Customer, or otherwise, depending on the circumstances deriving from the Customer.

13.3 Membrain’s obligation to pay damages, laid down in section 13.1 above, only applies provided that i) the Customer without undue delay informs Membrain in writing of any claims against the Customer; and ii) the Customer allows Membrain to control the defense of the claim and to make independent decisions regarding settlement.

14. Term and Termination

14.1 This DPA enters into force when duly signed by both Parties either separately as an amendment to the Agreement or as a part of the Agreement and remains in force as long as Membrain Processes Personal Data on behalf of the Customer.

14.2 Upon termination of the Agreement or this DPA (depending on which occurs first), Membrain shall in accordance with the Customer’s instructions delete or return all Personal Data to the Customer and make sure that all Sub Processors do the same.

14.3 If the Customer has not requested that the Personal Data should be returned, Membrain shall delete the data within 90 days after the termination of the DPA or the Membrain License Agreement. Membrain shall delete any existing copies unless the storage of Personal Data is required by Union law or the national law of the Member State.

15. Changes and additions

15.1 If the Data Protection Rules are changed during the term of this DPA, or if the Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Rules that result in this DPA no longer meeting the requirements for a DPA, the Parties shall make the necessary changes to this DPA in order to meet such new or additional requirements. Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of change to the other Party, or otherwise no later than prescribed by the Data Protection Rules, guidelines, decisions or regulations of the Supervisory Authority.

15.2 Other changes and additions to this DPA, in order to be binding, must be made in writing and duly signed by both Parties.

16. Miscellaneous

16.1 This DPA supersedes and replaces all prior DPAs between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless of what is otherwise stated in the Agreement.

16.2 This DPA shall be governed by the same law and subject to the same forum as the Agreement.

16.3 In addition, the terms of the Agreement shall also apply to Membrain's Processing of Personal Data and the obligations under this DPA. However, in the event of contradictions between the provisions of the Agreement and this DPA, the provisions of the DPA will supersede regarding all Processing of Personal Data. The provisions of the Agreement may not restrict or modify any of the obligations of this DPA.

16.4 This DPA shall be governed by the same law and be subject to the same forum as stated in the Agreement.

Appendix DPA1 – Data Processing Instructions

In these data processing instructions, all capitalised words shall have the same meaning as defined in the DPA, unless otherwise is expressly stated.

Purposes

All purposes for which the Personal Data will be Processed by Membrain as the Customer’s data Processor

Membrain processes Personal Data for the purpose of fulfilling the service under the Agreement. Personal Data may also be Processed for IT-support and related services.

Categories of data

Personal Data that will be Processed by Membrain as data Processor


Membrain processes the following categories of Personal Data:

- Information and data transferred by the Customer to Membrain when using Membrain’s services,

- user data and information related to the use of Membrain's services,

- other information relevant to IT-support and related services.

Without any customizations by the Customer, this Personal Data is restricted to basic information such as names, titles and contact details such as professional phone numbers and email addresses.

Membrain does not Process sensitive Personal Data; the Customer is responsible for ensuring that sensitive Personal Data is not transferred to Membrain’s services unless Membrain has provided the Customer with written consent in advance to such Processing.

Categories of Data Subjects

Categories of Data Subjects whose Personal Data will be Processed by Membrain as data Processor


Membrain processes Personal Data relating to the following categories of Data Subjects:

- registered users, and

- Data Subjects whose Personal Data the Customer transfers to Membrain through the use of any of Membrain’s services.

Processing operations

Processing activities to be conducted by Membrain as Processor

Membrain stores data on behalf of the Customer. Membrain does not actively manipulate this data without explicit requests and permission by the Customer. The Customer can actively restrict access to the data (including Personal Data) they save in Membrain from Membrain personnel.

Location of processing operations

Locations where the Personal Data will be Processed by Membrain.

The main data center is located in Solna, Sweden. The second data center, which is located in Stockholm, Sweden, is mainly used as a backup data center. No Personal Data stored in Membrain is Processed outside of the EU. Additional technical information can be found in our IT guidelines.

Retention requirements

Retention time of Personal Data stored by Membrain

Personal Data must be deleted at the Customer’s request and according to the Customer’s instructions. To provide access to Membrain, a very small set of core data is needed as credentials: name and email address.

Membrain has a retention period of 90 days after the termination of the Membrain License Agreement or DPA. Membrain will retain the Personal Data for at least 45 days after the cancellation to help with potential migration issues, unless the Customer requests the deletion of this data before that time.


Information security measures

Access control

Only trusted Membrain employees have access to Customers’ Personal Data, and they can only access it using a proprietary two-factor authentication method. One factor is a personal login with a secure password; the other is a personal key generated for each login, and this key is only valid for 15 minutes.

The data centers are locked and under constant surveillance and can only be accessed by authorized personnel. Monitored closed-circuit television systems and security teams protect our data centers around the clock, while pass-card access provides further security.

Back-up

All Membrain databases are stored on hot-swappable RAID systems. Membrain exclusively uses SSDs on application servers for best reliability and performance. Membrain automatically creates a full database backup every hour; backups are initially made to a separate disk array on the server itself. Local backup files are stored for every hour during the last 24-hour period, every 4 hours for the last 48 hours, and every day for the last 7 days. Backup files further back can be found on the secondary-level backup. Backup files are transferred immediately after creation to a redundant disk array on a separate machine in the same location.

Backup files are then further replicated to an additional physical location. Every backup file is automatically verified for consistency by automated tools. Additionally, spot checks are performed manually on backups at regular intervals to further ensure validity.
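As an added illustration, not part of the DPA or of Membrain’s own tooling, the following code models the local backup rotation described above (hourly for 24 hours, every 4 hours for 48 hours, daily for 7 days) and checks whether a given set of backup timestamps actually satisfies that schedule; the timestamps in the demo are constructed sample values.

```python
from datetime import datetime, timedelta

# Retention tiers from the DPA's Back-up section: (window length, spacing).
# Hourly for the last 24 h, every 4 h for the last 48 h, daily for 7 days.
TIERS = [
    (timedelta(hours=24), timedelta(hours=1)),
    (timedelta(hours=48), timedelta(hours=4)),
    (timedelta(days=7), timedelta(days=1)),
]


def select_retained(backups, now, tiers=TIERS):
    """Return the sorted subset of backup timestamps the schedule keeps.

    Each tier's window [now - length, now] is cut into slots of width
    `spacing`, counted back from `now`; the newest backup in each slot is
    kept. The union over all tiers is the local retention set; anything
    not in it is eligible for pruning (the DPA says older backups live on
    the secondary-level backup).
    """
    keep = set()
    for length, spacing in tiers:
        newest_in_slot = {}
        for ts in backups:
            age = now - ts
            if age < timedelta(0) or age >= length:
                continue  # future-dated or outside this tier's window
            slot = age // spacing  # integer slot index, 0 = most recent
            if slot not in newest_in_slot or ts > newest_in_slot[slot]:
                newest_in_slot[slot] = ts
        keep.update(newest_in_slot.values())
    return sorted(keep)


def coverage_gaps(backups, now, tiers=TIERS):
    """Return (tier_index, slot_start, slot_end) for every slot that holds
    no backup, i.e. every point where the stated schedule is not met.
    An empty list means the on-disk set satisfies the policy."""
    gaps = []
    for i, (length, spacing) in enumerate(tiers):
        for slot in range(length // spacing):
            end = now - slot * spacing
            start = end - spacing
            if not any(start < ts <= end for ts in backups):
                gaps.append((i, start, end))
    return gaps


if __name__ == "__main__":
    # Constructed sample: hourly backups for a full week, one hour missing.
    now = datetime(2020, 12, 18, 12, 0)
    backups = [now - timedelta(hours=h) for h in range(7 * 24) if h != 5]
    print(len(select_retained(backups, now)), "files retained locally")
    for tier, start, end in coverage_gaps(backups, now):
        print(f"gap in tier {tier}: no backup in ({start}, {end}]")
```

Running `coverage_gaps` against the real backup directory's timestamps is a cheap way to verify that the retention actually in place matches what this appendix promises.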

Logging of access to data


All actions taken by Membrain employees in a Customer’s Membrain environment are logged and can be easily monitored and reverted.

Authorisation and permissions

Membrain employee access to a Customer’s environment requires two-factor authentication: an active, password-protected Membrain Team Account as well as a unique key tied to the individual and valid for only a few minutes.

Customers can easily disable and enable this access to have full control over when and how Membrain can have access to this data.

As per Membrain policy, Membrain employees will ask Customers for specific access to resolve support issues or offer proactive support. The Customer can at any time revoke this permission.

Encryption and safety of data communication


Data is encrypted in transport between client and server, where we employ industry-standard SSL encryption technology. The encryption keys are stored on the server and at the issuer.

The network and backbone environments are redundant and multi-homed, connected to multiple peering points and Tier 1 carriers using the provider’s own dark-fibre network and full-table BGP sessions. We are connected to three peering points and have 180 peers in total, including companies like Google, AT&T, etc. NSC is ISO 9001 certified and a formal ISO 27001 certification is planned.