InsightAlignAboutStart the interview →

Data Processing Agreement

Inflect — Edström Business AB

Last updated: 24 February 2026 Version: 1.0.0

Related policies: Terms of Service · Privacy Policy · Cookie Policy

THIS DATA PROCESSING AGREEMENT (this "DPA") is entered into between:

(1) Edström Business AB, registration number 559101-7750, Edinsvägen 2, 131 45 Nacka, Sweden ("Inflect") ("Data Processor"); and

(2) The Customer using Inflect's AI-powered interview services via the web platform at inflect.se ("Data Controller").

Hereinafter each referred to individually as a "Party" and jointly as the "Parties".

This DPA includes the following appendices:

1. Background

1.1 The Parties have entered into an agreement regarding the Data Processor's provision of AI-powered interview services to the Data Controller (the "Main Agreement"). The services provided under the Main Agreement will result in the Data Processor processing personal data on behalf of the Data Controller.

1.2 This DPA regulates the Data Controller's rights and obligations in its capacity as data controller, and the Data Processor's rights and obligations in its capacity as data processor when the Data Processor processes personal data on behalf of the Data Controller.

1.3 This DPA shall be considered an integral part of the Main Agreement. If the provisions of the Main Agreement and this DPA are incompatible, the provisions of this DPA shall apply and take precedence.

2. Definitions

2.1 Unless otherwise provided in this DPA, terms used in this DPA shall be interpreted in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR).

2.2 Definitions used in this DPA but not defined herein shall be interpreted in accordance with the Main Agreement.

3. Processing of Personal Data

3.1 The Data Processor undertakes to process personal data only in accordance with documented instructions from the Data Controller, unless otherwise required by applicable data protection legislation. The Data Controller's instructions regarding the subject matter, duration, nature and purpose of the processing, the type of personal data, and categories of data subjects are set out in this DPA and in Appendix 1.

3.2 The Data Controller confirms that the Data Processor's obligations under this DPA, including Appendix 1, constitute the complete instructions to be followed by the Data Processor.

3.3 Changes to the Data Controller's instructions shall be negotiated separately and documented in writing, signed by both Parties, to be effective.

3.4 The Data Processor shall without undue delay inform the Data Controller if it considers that an instruction from the Data Controller violates applicable data protection legislation.

3.5 The Data Processor shall, to the extent required by applicable data protection legislation and in accordance with the Data Controller's written instructions, assist the Data Controller in fulfilling its obligations.

3.6 Each Party shall ensure that the other Party has the right to process contact details and other personal data of the first Party's employees to the extent necessary for the provision of services under the Main Agreement.

3.7 The Data Processor shall have the right to anonymise and use personal data and other information to analyse, evaluate, modify, improve, and/or otherwise develop the Services or new products and services.

4. Sub-Processors and Third-Country Transfers

4.1 The Data Controller consents to the Data Processor engaging sub-processors within and outside the EU/EEA. The Data Processor shall ensure that sub-processors are bound by written agreements imposing materially equivalent data protection obligations as those applicable under this DPA.

4.2 If the Data Processor intends to engage a new or replace an existing sub-processor, the Data Processor shall notify the Data Controller in advance and provide an opportunity to raise objections in writing without undue delay.

4.3 The Data Controller consents to the Data Processor transferring personal data outside the EU/EEA, provided the Data Processor ensures that there is a lawful basis for the transfer under applicable data protection legislation and that appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses. The Data Controller authorises the Data Processor to enter into such Standard Contractual Clauses on the Data Controller's behalf with sub-processors.

5. Data Security and Confidentiality

5.1 The Data Processor shall implement the technical and organisational measures set out in Appendix 2 to ensure the protection of personal data.

5.2 The Data Processor is obligated to fulfil its legal obligations regarding information security and shall implement appropriate technical and organisational measures to protect the personal data processed.

5.3 The Data Processor shall ensure that only personnel who need access to personal data in order to fulfil the Data Processor's obligations are granted access to such data, and that such personnel are subject to an appropriate confidentiality obligation.

6. Disclosure of Personal Data and Contacts with Authorities

6.1 The Data Processor undertakes not to, without prior written consent from the Data Controller, disclose personal data to third parties, unless otherwise required by Swedish or European law, authority decision, or court order.

6.2 If a data subject requests information from the Data Processor about the processing of personal data covered by this DPA, the Data Processor shall without undue delay refer such request to the Data Controller.

6.3 If a competent authority requests information from the Data Processor about the processing of personal data covered by this DPA, the Data Processor shall without undue delay inform the Data Controller of this, unless otherwise required by law.

7. Personal Data Incidents

7.1 The Data Processor shall without undue delay, after becoming aware of a personal data breach, notify the Data Controller.

7.2 The Data Processor shall assist the Data Controller with the information reasonably required to fulfil the Data Controller's obligation to report personal data breaches.

7.3 To the extent it is not possible to provide all necessary information simultaneously, the information may be provided in stages without undue further delay.

8. Audit

8.1 The Data Controller shall have the right to take necessary measures to ensure that the Data Processor can fulfil and is fulfilling its obligations under this DPA.

8.2 The Data Processor undertakes to provide the Data Controller with all information required to demonstrate compliance, and to enable and contribute to audits, including on-site inspections, provided that those conducting the audit enter into appropriate confidentiality agreements.

9. Remuneration

The Data Processor is entitled to remuneration in accordance with its current price list for work performed in connection with the Data Processor's obligations under sections 3.5, 6, 7.2, 8, and 12 of this DPA.

10. Limitation of Liability

10.1 The limitations of liability set out in Inflect's Terms of Service shall apply to the Data Processor's liability under this DPA. In the absence of applicable limitations, the Parties' liability under this DPA shall be limited to direct damages, nominally capped at the remuneration paid under the Main Agreement for the 12 months preceding the damage (or the average monthly remuneration multiplied by 12 if the Agreement has been in force for less than 12 months).

10.2 Subject to section 10.1, the Data Processor shall indemnify the Data Controller from costs, losses, and damages incurred as a result of the Data Processor acting in breach of this DPA or applicable data protection legislation.

10.3 The Data Processor shall not be liable where it has acted in accordance with the Data Controller's instructions. The Data Controller shall indemnify the Data Processor from costs, losses, and damages resulting from the Data Processor acting according to the Data Controller's instructions.

11. Term

The provisions of this DPA shall remain in force for as long as the Data Processor processes personal data for which the Data Controller is the data controller.

12. Measures upon Termination of Data Processing

12.1 Upon termination of this DPA, the Data Processor shall, without undue delay and in accordance with the Data Controller's written instructions, delete or return all personal data processed under the DPA, no later than thirty (30) days after receiving the Data Controller's instructions, unless storage is required by applicable law.

12.2 Upon request by the Data Controller, the Data Processor shall confirm the measures taken in respect of the personal data.

13. Amendments

Amendments to and additions to this DPA shall, to be binding, be made in writing and signed by the Parties.

14. Applicable Law and Dispute Resolution

14.1 This DPA shall be interpreted and applied in accordance with Swedish law.

14.2 Disputes arising from this DPA shall be finally resolved in accordance with the dispute resolution provisions of the Main Agreement.

Appendix 1 — Specification of Personal Data Processing

Subject matter of the processing The Data Processor provides an AI-powered interview service through which the Data Controller's customers and representatives participate in structured interviews designed to collect information about the organisation, its market, and its customers.

Duration of the processing The processing takes place for as long as the Main Agreement is in force, and for any additional retention period required by applicable law.

Nature and purpose of the processing Collection, storage, and processing of personal data for the purpose of conducting AI-powered interviews and producing structured summaries for review by the Data Controller (Inflect's client team).

Type of personal data

  • Name
  • Email address
  • Phone number
  • Company name
  • Interview content (unstructured information provided by the data subject during the interview session)
  • Technical data (IP address, browser data, session metadata)

Categories of data subjects Individuals who participate in the interview service, including the Data Controller's customers, prospects, and representatives.

Appendix 2 — Technical and Organisational Measures

The Data Processor shall implement and maintain the following technical and organisational measures to ensure a level of security appropriate to the risk:

Confidentiality

  • Access control: access to personal data is restricted to authorised personnel on a need-to-know basis.
  • Encryption: data is encrypted in transit using TLS and at rest using industry-standard encryption.
  • Pseudonymisation: where appropriate, personal data is pseudonymised.

Integrity

  • Logging: access to and changes in personal data systems are logged and monitored.
  • Separation: personal data is logically separated from other data to prevent unauthorised access.

Availability

  • Redundancy: systems include appropriate redundancy to ensure continued availability.
  • Backup: regular backups of personal data are performed and tested.

Resilience

  • Security testing: regular security assessments are performed.
  • Incident management: documented procedures for handling personal data breaches are maintained.

Supplier Management

  • Sub-processors: all sub-processors are subject to data protection agreements with materially equivalent obligations.