Data Processing Agreement (DPA)

Between Customer (Data Controller) and Mochabug AB (Data Processor)

Effective Date: 2025-10-01
Last Updated: 2025-10-01


Parties

Data Controller (“Customer”, “you”):
The entity or individual that has entered into the Mochabug Terms of Service and uses the Service to process Personal Data.

Data Processor (“Mochabug”, “we”, “us”):
Mochabug AB
Organization Number: 559418-8640
Address: Roslagsgatan 4, 113 55 Stockholm, Sweden
Email: privacy@mochabug.com
Website: https://www.mochabug.com


1. Introduction and Scope

1.1 Purpose

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Customer and Mochabug. It governs the processing of Personal Data by Mochabug on behalf of Customer when using the Service.

1.2 Incorporation

This DPA is incorporated into and forms part of the Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to Personal Data processing.

1.3 Applicability

This DPA applies when Customer uses the Service to process Personal Data for which Customer is the Data Controller under the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1.4 Roles

  • Customer acts as the Data Controller and determines the purposes and means of processing Personal Data
  • Mochabug acts as the Data Processor and processes Personal Data only on documented instructions from Customer
  • Sub-processors are third-party service providers engaged by Mochabug to assist in providing the Service

2. Definitions

Personal Data – Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).

Processing – Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion, as defined in GDPR Article 4(2).

Data Subject – An identified or identifiable natural person whose Personal Data is processed.

Customer Data – All data, including Personal Data, that Customer submits, stores, sends, or receives via the Service.

Sub-processor – Any third party engaged by Mochabug to process Personal Data on behalf of Customer.

Data Protection Laws – All applicable laws and regulations relating to data protection and privacy, including GDPR, Swedish Data Protection Act (2018:218), and any successor legislation.

Standard Contractual Clauses (SCCs) – The standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as adopted by the European Commission.

Supervisory Authority – The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, “IMY”) or other relevant data protection authority.


3. Processing of Personal Data

3.1 Customer Instructions

Mochabug shall process Personal Data only on documented instructions from Customer, unless required to do so by EU or Member State law. The Service functionality and Customer’s use thereof constitute documented instructions.

Customer’s instructions include:

  • Configuration of workflows, automations, and integrations
  • API calls and commands issued through the Service
  • Settings and preferences within the Customer account
  • Support requests requiring access to Customer Data

3.2 Compliance with Instructions

If Mochabug believes an instruction violates GDPR or other Data Protection Laws, it will inform Customer immediately.

3.3 Prohibited Processing

Mochabug will not:

  • Sell or rent Customer’s Personal Data
  • Process Personal Data for its own purposes (except as permitted under Section 3.4)
  • Share Personal Data with third parties except as authorized by this DPA
  • Process Personal Data outside the scope of Customer’s instructions

3.4 Permitted Uses

Mochabug may process Personal Data to:

  • Provide, maintain, and support the Service
  • Prevent fraud, abuse, and security threats
  • Comply with legal obligations
  • Enforce the Terms of Service
  • Generate aggregated, anonymized statistics that do not identify individuals

4. Details of Processing

4.1 Subject Matter

The subject matter of processing is Customer’s use of Mochabug’s cloud-based automation and integration platform to create workflows, integrations, and automations.

4.2 Duration

Processing will continue for the duration of the Service subscription plus the retention period specified in Section 9 (Data Deletion).

4.3 Nature and Purpose

The nature and purpose of processing is to provide the Service functionalities including:

  • Workflow automation and orchestration
  • Data integration between third-party services
  • API processing and data transformation
  • Storage and retrieval of workflow configurations
  • Execution of scheduled and triggered automations

4.4 Types of Personal Data

The types of Personal Data processed depend on Customer’s use of the Service and may include:

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company names)
  • Identification data (user IDs, account numbers)
  • Transaction data (purchase records, payment information)
  • Communication data (emails, messages, support tickets)
  • Technical data (IP addresses, device information, logs)
  • Location data
  • Any other Personal Data Customer inputs or processes through the Service

4.5 Categories of Data Subjects

Data Subjects may include:

  • Customer’s employees, contractors, and representatives
  • Customer’s customers, clients, and users
  • Customer’s partners, vendors, and suppliers
  • Website visitors and leads
  • Any individuals whose data Customer processes through the Service

5. Customer Obligations

5.1 Lawful Processing

Customer warrants that:

  • It has a lawful basis under GDPR Article 6 for all processing instructions
  • It has obtained all necessary consents and provided required notices to Data Subjects
  • Its instructions comply with Data Protection Laws
  • It will not instruct Mochabug to process Personal Data unlawfully

5.2 Data Accuracy

Customer is responsible for:

  • Ensuring accuracy and quality of Personal Data
  • Maintaining appropriate records of processing activities
  • Implementing privacy by design and default principles
  • Responding to Data Subject requests within required timeframes

5.3 Sensitive Personal Data

Customer acknowledges that the Service is not designed for processing Special Categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions (Article 10) unless specifically agreed in writing with enhanced security measures.

If Customer processes such data without authorization, Customer assumes full liability.


6. Mochabug’s Obligations

6.1 Confidentiality

Mochabug shall:

  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Provide data protection training to relevant personnel
  • Limit access to Personal Data on a need-to-know basis

6.2 Security Measures

Mochabug implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex A (Security Measures).

6.3 Assistance with Data Subject Rights

Mochabug shall, to the extent possible and considering the nature of processing, assist Customer in responding to Data Subject requests to exercise their rights under GDPR Chapter III:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Assistance may include:

  • Providing technical means for Customer to access and retrieve Personal Data
  • Suspending or restricting processing upon Customer’s request
  • Deleting or returning Personal Data as instructed
  • Providing information about processing activities

Mochabug may charge reasonable fees for assistance requiring substantial effort beyond normal Service functionality.

6.4 Assistance with Compliance

Mochabug shall assist Customer in ensuring compliance with obligations under GDPR Articles 32-36, including:

  • Security of processing (Article 32)
  • Data breach notification (Article 33)
  • Data protection impact assessments (Article 35)
  • Prior consultation with supervisory authorities (Article 36)

Such assistance may be subject to additional fees for substantial effort.


7. Sub-processors

7.1 Authorization

Customer authorizes Mochabug to engage Sub-processors to perform processing activities. Current Sub-processors are listed in Annex B (Sub-processor List).

7.2 Sub-processor Requirements

Mochabug shall:

  • Conduct due diligence before engaging Sub-processors
  • Impose contractual obligations on Sub-processors equivalent to this DPA
  • Ensure Sub-processors implement appropriate security measures
  • Remain liable to Customer for Sub-processor performance

7.3 Notification of Changes

Mochabug shall inform Customer of any intended changes to Sub-processors (additions or replacements) at least 30 days in advance by:

  • Email to Customer’s registered address
  • Notification in the Customer account dashboard
  • Updating Annex B and posting at Subprocessors

7.4 Right to Object

Customer may object to a new or replacement Sub-processor on reasonable data protection grounds within 14 days of notification. If Customer objects:

  • Customer must notify Mochabug in writing with specific reasons
  • Parties will work together in good faith to find a solution
  • If no solution is found, Customer may terminate the affected Service without penalty

Failure to object within 14 days constitutes acceptance of the new Sub-processor.


8. International Data Transfers

8.1 Data Location

Mochabug primarily stores and processes Personal Data within the European Economic Area (EEA).

8.2 Transfers Outside EEA

Some Sub-processors may process data outside the EEA. For such transfers, Mochabug ensures adequate protection through:

a) Adequacy Decisions
Transfers to countries recognized by the European Commission as providing adequate protection (GDPR Article 45).

b) Standard Contractual Clauses (SCCs)
For transfers not covered by adequacy decisions, Mochabug implements the European Commission’s Standard Contractual Clauses (2021/914).

c) Supplementary Measures
Where required, Mochabug implements supplementary security measures including:

  • End-to-end encryption
  • Pseudonymization and data minimization
  • Contractual restrictions on data access
  • Regular security audits

8.3 Government Access Requests

If Mochabug receives a legally binding request from government authorities for access to Customer’s Personal Data, Mochabug will:

  • Notify Customer promptly unless legally prohibited
  • Challenge the request if appropriate
  • Provide minimum necessary data
  • Document all requests and responses

9. Data Deletion and Return

9.1 Deletion Upon Termination

Upon termination of the Service or upon Customer’s written request, Mochabug shall, at Customer’s choice:

  • Delete all Customer Personal Data, or
  • Return all Customer Personal Data to Customer in a portable format

Deletion or return shall occur within 30 days of termination or request.

9.2 Exceptions

Mochabug may retain Personal Data to the extent required by:

  • EU or Member State law (e.g., accounting, tax, or audit requirements)
  • Legitimate legal claims or dispute resolution
  • Backup retention policies (backups deleted within 90 days)

Retained data remains subject to this DPA and shall be deleted when the legal basis ceases.

9.3 Certification

Upon Customer’s request, Mochabug shall provide written certification of deletion.


10. Personal Data Breaches

10.1 Notification to Customer

Mochabug shall notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Customer’s Personal Data.

10.2 Breach Notification Content

The notification shall include, to the extent possible:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

10.3 Subsequent Information

If information cannot be provided simultaneously, Mochabug shall provide information in phases without undue further delay.

10.4 Cooperation

Mochabug shall reasonably cooperate with Customer’s investigation and provide assistance necessary for Customer to notify Supervisory Authorities and Data Subjects as required by GDPR Articles 33 and 34.

10.5 Documentation

Mochabug shall document all Personal Data Breaches, including facts, effects, and remedial actions, and make this documentation available to Customer and Supervisory Authorities upon request.


11. Audit and Inspection Rights

11.1 Audit Rights

Customer has the right to audit Mochabug’s compliance with this DPA. Mochabug shall make available to Customer all information necessary to demonstrate compliance with GDPR Article 28.

11.2 Documentation

Mochabug shall maintain and provide upon request:

  • Records of processing activities (GDPR Article 30(2))
  • Evidence of security measures implementation
  • Sub-processor agreements and compliance evidence
  • Data breach logs and responses
  • Training records for personnel

11.3 Third-Party Audits

Customer may appoint an independent third-party auditor (not a competitor) to conduct audits, subject to:

  • Reasonable advance notice (minimum 30 days)
  • Execution of confidentiality agreements
  • Limitation to business hours with minimal disruption
  • Reasonable frequency (maximum once per year, unless required by incident or Supervisory Authority)
  • Customer bearing audit costs

11.4 Alternative: Certifications

In lieu of on-site audits, Mochabug may provide:

  • ISO 27001 certification (if applicable)
  • SOC 2 Type II reports (if applicable)
  • Third-party security assessments
  • Compliance questionnaires (e.g., CAIQ, VSA)

12. Liability and Indemnification

12.1 GDPR Article 82 Liability

Each party shall be liable under GDPR Article 82 for damage caused by processing that violates GDPR, subject to the exemptions in Article 82(3).

12.2 Limitation of Liability

Except for liability under GDPR Article 82, liability is governed by the limitation of liability provisions in the Terms of Service.

12.3 Indemnification

Customer shall indemnify and hold harmless Mochabug from:

  • Claims arising from Customer’s violation of Data Protection Laws
  • Processing instructions that violate Data Protection Laws
  • Customer’s failure to obtain necessary consents or provide required notices
  • Customer’s processing of Special Categories of Personal Data without authorization

Mochabug shall indemnify and hold harmless Customer from:

  • Claims arising from Mochabug’s violation of this DPA
  • Processing Personal Data outside the scope of Customer’s instructions
  • Failure to implement appropriate security measures

13. Term and Termination

13.1 Term

This DPA takes effect on the Effective Date and continues for as long as Mochabug processes Personal Data on behalf of Customer.

13.2 Survival

Sections 9 (Data Deletion), 10 (Personal Data Breaches), 12 (Liability), and any other provisions necessary to enforce rights and obligations survive termination.

13.3 Termination Rights

Either party may terminate this DPA:

  • If the other party materially breaches this DPA and fails to cure within 30 days
  • As provided in the Terms of Service
  • Upon termination of the Service subscription

14. General Provisions

14.1 Entire Agreement

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding Personal Data processing.

14.2 Amendments

Mochabug may update this DPA to reflect changes in Data Protection Laws or processing practices. Material changes require 30 days’ advance notice. Continued use after changes constitutes acceptance.

14.3 Severability

If any provision is found invalid or unenforceable, the remainder of this DPA remains in effect.

14.4 Governing Law

This DPA is governed by the laws of Sweden, consistent with the Terms of Service.

14.5 Supervisory Authority

The competent Supervisory Authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), unless Customer is established in another EU/EEA country, in which case the supervisory authority of that country may also have jurisdiction.

14.6 Order of Precedence

In the event of conflict:

  1. This DPA
  2. Terms of Service
  3. Privacy Policy

15. Contact Information

For DPA-related inquiries:

Mochabug AB (Data Processor)
📧 privacy@mochabug.com
📧 dpo@mochabug.com
🏢 Roslagsgatan 4, 113 55 Stockholm, Sweden
🌐 https://www.mochabug.com/

Swedish Supervisory Authority:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
🌐 https://www.imy.se/
📧 imy@imy.se
📞 +46 8 657 61 00


ANNEX A: Technical and Organizational Security Measures

Mochabug implements the following security measures pursuant to GDPR Article 32:

A.1 Access Control

Physical Access Control:

  • Data centers operated by certified providers (AWS, Azure, Google Cloud)
  • 24/7 surveillance and monitoring
  • Biometric and badge access controls
  • Visitor logs and escort requirements

Logical Access Control:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) available
  • Strong password policies (minimum complexity requirements)
  • Automatic session timeout after inactivity
  • Access logging and monitoring

Authorization Control:

  • Principle of least privilege
  • Regular access reviews and revocation
  • Separation of duties for critical functions
  • Approval workflows for privileged access

A.2 Data Security

Encryption:

  • Data encrypted in transit using TLS 1.3 or higher
  • Data encrypted at rest using AES-256 encryption
  • Database encryption with encrypted backups
  • Secure key management with rotation policies

Pseudonymization and Anonymization:

  • Password hashing using bcrypt or stronger algorithms
  • API keys and tokens encrypted in storage
  • Aggregated analytics anonymized to prevent re-identification

Data Minimization:

  • Collection limited to necessary data for Service functionality
  • Automated deletion of unnecessary logs and temporary data
  • Regular data retention reviews

A.3 Availability and Resilience

Backup and Recovery:

  • Automated daily backups with encryption
  • Geographically distributed backup storage
  • Regular backup restoration testing
  • Documented disaster recovery procedures
  • Recovery Time Objective (RTO): 24 hours
  • Recovery Point Objective (RPO): 24 hours

System Availability:

  • 99.5% uptime commitment (per Terms of Service)
  • Load balancing and redundancy
  • Health monitoring and automated alerts
  • Incident response procedures

Business Continuity:

  • Documented business continuity plan
  • Annual testing of disaster recovery
  • Alternative processing facilities available

A.4 Network Security

Perimeter Security:

  • Web application firewall (WAF)
  • DDoS protection
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network segmentation and isolation

Vulnerability Management:

  • Regular security scanning and penetration testing
  • Patch management with timely updates
  • Security updates deployed within 30 days of release (critical: within 7 days)
  • Vulnerability disclosure program

API Security:

  • Rate limiting to prevent abuse
  • Input validation and sanitization
  • API authentication and authorization
  • Logging of API access

A.5 Application Security

Secure Development:

  • Security training for developers
  • Secure coding standards and code reviews
  • Static and dynamic application security testing (SAST/DAST)
  • Dependency vulnerability scanning

Change Management:

  • Controlled deployment processes
  • Testing in staging environments
  • Rollback procedures for failed deployments
  • Change logs and documentation

A.6 Personnel Security

Confidentiality:

  • All personnel sign confidentiality agreements
  • Background checks for employees with data access
  • Security awareness training (annual minimum)
  • Clear desk and screen policies

Access Termination:

  • Immediate access revocation upon employment termination
  • Asset return procedures
  • Exit interviews covering confidentiality obligations

A.7 Monitoring and Logging

Security Monitoring:

  • 24/7 security operations monitoring
  • Automated threat detection
  • Security information and event management (SIEM)
  • Anomaly detection and alerting

Audit Logging:

  • Comprehensive logging of system access and changes
  • Tamper-proof log storage
  • Log retention for 12 months minimum
  • Regular log review for security events

A.8 Incident Response

Incident Management:

  • Documented incident response plan
  • Incident response team with defined roles
  • Incident classification and escalation procedures
  • Post-incident reviews and lessons learned

Data Breach Response:

  • Breach detection and containment procedures
  • Notification processes per Section 10
  • Forensic investigation capabilities
  • Remediation and prevention measures

A.9 Vendor Management

Sub-processor Security:

  • Security assessments before engagement
  • Contractual security requirements
  • Regular vendor security reviews
  • Sub-processor incident notification requirements

A.10 Compliance and Testing

Certifications and Audits:

  • Annual security audits
  • Penetration testing (minimum annually)
  • Vulnerability assessments (quarterly)

Continuous Improvement:

  • Regular security measure reviews
  • Updates based on threat landscape
  • Incorporation of industry best practices
  • Measurement of security metrics and KPIs

ANNEX B: Sub-processor List

Mochabug engages the following Sub-processors to provide the Service:

B.1 Infrastructure Providers

Sub-processor               | Service Provided           | Data Processed     | Location | Safeguards
Google Cloud Platform (GCP) | Cloud hosting and storage  | All Customer Data  | EU       | DPA, SCCs if needed, ISO 27001

Note: Customer Data is stored in EU data centers. Data may transit through other regions for technical routing but remains encrypted.

B.2 Service Providers

Sub-processor | Service Provided             | Data Processed                 | Location | Safeguards
SendGrid      | Transactional email delivery | Email addresses, email content | EU       | DPA, SCCs, EU-US Data Privacy Framework

B.4 Changes to Sub-processors

Last Updated: 2025-10-01

This list is current as of the date shown. Changes are communicated per Section 7.3 (30-day advance notice).

View current Sub-processor list

Subscribe to notifications:
Email privacy@mochabug.com to receive automatic updates when Sub-processors change.

B.5 Data Center Locations

Primary data processing occurs in the EU.

Customers may request specific data residency requirements for Enterprise plans.


By using the Mochabug Service, Customer acknowledges and agrees to this Data Processing Agreement.

Document Version: 1.0
Last Updated: 2025-10-01
Effective Date: 2025-10-01


For questions about this DPA, contact privacy@mochabug.com