Data Processing Agreement
DPA last updated: 2026-01-28
Sub-processors updated: 2026-01-28
This Data Processing Agreement (“DPA”) forms part of the Main Agreement regarding the subscription to the service Inblick ("Service") entered into by and between:
The Customer (acting as “Controller”); and
Future Memories AB, Reg. No. 556956-8008, Hossabergsvägen 64, 433 52 Öjersjö, Sweden (acting as “Processor”).
(Collectively the “Parties”).
1. Definitions
Services: The AI-driven system "Inblick" provided by the Processor, including related support and maintenance, as described in the Main Agreement and as used and configured by the Controller.
Data Protection Legislation: Means the GDPR (EU 2016/679) and any applicable national data protection laws.
Personal Data: Any information relating to an identified or identifiable natural person processed within the Service.
Processing Instructions: Means the Controller’s documented instructions to the Processor, including instructions set out in separate agreements, appendices, order forms, statements of work, DPIA documentation, and instructions resulting from the Controller’s configuration and use of the Service, in each case to the extent they relate to the processing of Personal Data under this DPA.
2. Scope and Purpose
2.1 The Processor shall process Personal Data on behalf of the Controller to provide, manage, and develop the Service.
2.2 The purpose of the processing is to enable data-driven analysis, reporting, follow-up, and visualization of the Controller’s data in connection with the Controller’s operations, as determined by the Controller.
2.3 The categories of Personal Data, categories of Data Subjects, and the scope of processing are determined by the Controller through its use, configuration, and integrations of the Service and its documented instructions.
3. Processor’s Obligations
3.1 The Processor shall only process Personal Data in accordance with the Controller’s documented instructions and this DPA.
3.2 The Processor shall ensure that all persons authorized to process the Personal Data are bound by confidentiality obligations.
3.3 The Processor shall assist the Controller, taking into account the nature of the processing and the information available to the Processor, with the Controller’s obligations under Articles 32 to 36 of the GDPR, including handling requests from Data Subjects, security, personal data breaches, and, where applicable, data protection impact assessments.
3.4 Where the Parties have agreed on customer-specific Processing Instructions in a separate document, such document shall form an integral part of the documented instructions under this DPA and shall prevail in case of conflict with the general descriptions in this DPA.
3.5 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach and shall provide information reasonably required for the Controller to comply with its obligations under applicable Data Protection Legislation.
4. Controller’s Obligations
4.1 The Controller is responsible for ensuring a legal basis for the processing of Personal Data.
4.2 The Controller is responsible for providing correct and lawful instructions to the Processor.
4.3 The Controller is responsible for informing data subjects about the processing in accordance with applicable laws.
5. Security of Processing
5.1 The Processor shall implement appropriate technical and organizational measures to protect Personal Data.
5.2 The Processor shall implement appropriate technical and organizational measures, which may include pseudonymization, taking into account the nature of the processing, the Controller’s configuration and instructions, and the risk to the rights and freedoms of Data Subjects.
5.3 Access to Personal Data is restricted to authorized personnel based on role and necessity.
5.4 All access to Personal Data is automatically logged to ensure traceability.
5.5 The Processor uses industry-standard encryption in transit and at rest where appropriate.
6. Sub-processors
6.1 The Controller grants the Processor a general authorization to engage sub-processors to fulfill its obligations.
6.2 The sub-processors listed in Appendix 1 are approved by the Controller upon commencement of the Services. The Processor shall maintain an up-to-date list of approved sub-processors in Appendix 1 and make it available to the Controller.
6.3 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.
6.4 The Processor shall ensure that all sub-processors are bound by written agreements providing at least the same level of protection as this DPA.
6.5 If the Controller objects to a new sub-processor on reasonable data protection grounds within the notice period, the Parties shall discuss in good faith to address the objection. If no resolution is reached, the Controller may terminate the affected part of the Service.
7. Audits and Inspection
7.1 The Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA.
7.2 The Processor shall conduct an annual self-assessment of its security measures.
7.3 Physical audits by the Controller or a third party require 60 days’ prior notice and shall be conducted at the Controller’s expense, based on the Processor’s current hourly rates.
7.4 Any audit shall be conducted during normal business hours, subject to reasonable confidentiality obligations, and in a manner that does not unreasonably interfere with the Processor’s operations.
8. Liability and Limitation of Liability
8.1 The Parties' liability for damages is governed by Article 82 of the GDPR.
8.2 The Processor’s total aggregate liability for any and all claims, damages, or costs arising out of or in connection with this DPA shall be limited to an amount corresponding to the total license fees paid by the Controller to the Processor during the six (6) months preceding the event giving rise to the claim.
8.3 The limitation of liability in Section 8.2 shall not apply to liability arising from (i) willful misconduct or gross negligence, or (ii) breach of confidentiality obligations.
9. Term and Termination
9.1 This DPA is valid as long as the Agreement for the Services is in effect.
9.2 Upon termination, the Processor shall, at the Controller’s choice, delete or return all Personal Data within 30 days, unless storage is required by law.
9.3 Where the Controller requests return of Personal Data, the Processor shall provide it in a commonly used and machine-readable format, unless otherwise agreed.
10. Governing Law
10.1 This DPA shall be governed by and construed in accordance with the laws of Sweden.
10.2 Disputes shall be settled by Swedish courts.
APPENDIX 1: Approved Sub-processors
- Function / Purpose: Cloud infrastructure, storage, and handling of data.
  Location: EU/EEA (Sweden)
- Function / Purpose: Provides Google Cloud services in Europe.
  Location: EU/EEA (Finland)
- Function / Purpose: Cloud-based data integration. Data is stored within the EU/EEA.
  Location: EU/EEA (Denmark)
- Function / Purpose: Used for AI processing. Data is retained for up to 30 days.
  Location: USA (may process data within and outside the EU/EEA).
  Note on International Transfers: Data transfers to the U.S. are protected by the provider's certification under the EU-U.S. Data Privacy Framework and the use of SCCs including the UK Addendum.
- Function / Purpose: Used for AI processing. Data is retained for up to 30 days.
  Location: USA (may process data within and outside the EU/EEA).
  Note on International Transfers: Data transfers to the U.S. are protected by the provider's certification under the EU-U.S. Data Privacy Framework and SCCs including Swiss & UK Addendums.
- Function / Purpose: Used for AI processing. Data is retained for up to 30 days.
  Location: USA (may process data within and outside the EU/EEA).
  Note on International Transfers: Data transfers to the U.S. are protected by the provider's certification under the EU-U.S. Data Privacy Framework and SCCs including the UK Addendum.
- Function / Purpose: Cloud-based monitoring and log management. Data is stored for up to 30 days.
  Location: EU/EEA (Germany)
  Note on International Transfers: Data is hosted in the EU, with U.S.-based support. Transfers are governed by SCCs including UK and Swiss Addendums.
- Function / Purpose: Used for AI and model monitoring. Data is stored for 15 days.
  Location: EU/EEA (storage within the EEA on an EU-operated cloud instance).
  Note on International Transfers: While the service is EU-hosted, LangChain is a U.S. entity; therefore, transfers are governed by SCCs including the UK Addendum.