Legal · DPA
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the PowersportOS Terms of Service (the "Terms") between Umbr AB, a Swedish limited company (org. number 559512-5252, VAT SE559512525201), having its registered office in Sweden ("Processor", "Umbr", "we"), and the customer identified in the relevant order form, signup, or account record ("Controller", "Customer", "you"). The Processor and the Controller are each a "Party" and together the "Parties".
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Service. In the event of a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA prevails.
1. Definitions
Capitalised terms not defined in this DPA have the meaning given to them in the Terms or, if not defined there, in the GDPR.
- "GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation), as amended or replaced from time to time, and any national implementing legislation, including the Swedish Data Protection Act (lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning).
- "Personal Data" has the meaning given in GDPR Article 4(1) and refers, in this DPA, to such data processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" has the meaning given in GDPR Article 4(2).
- "Data Subject" has the meaning given in GDPR Article 4(1).
- "Personal Data Breach" has the meaning given in GDPR Article 4(12).
- "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced.
- "Service" has the meaning given in the Terms.
2. Subject matter, nature, purpose, and duration
2.1 Subject matter
The subject matter of the Processing is the provision of the PowersportOS platform and related services to the Controller, as described in the Terms and in the Service documentation at powersportos.com/docs.
2.2 Nature and purpose
The Processor processes Personal Data on behalf of the Controller solely for the purposes of (a) providing, operating, securing, and supporting the Service, (b) complying with the Controller's documented written instructions, and (c) complying with legal obligations to which the Processor is subject.
2.3 Duration
This DPA applies for the duration of the Terms and continues to apply to the extent the Processor retains any Personal Data after termination, in accordance with Section 10 below.
2.4 Details
The categories of Data Subjects, the types of Personal Data, the Processing operations, and the applicable retention periods are set out in Annex 1 (Details of Processing).
3. Roles of the Parties
The Controller is the controller, and the Processor is the processor, of Personal Data processed in connection with the Service. With respect to Personal Data for which the Processor determines the purposes and means of Processing (for example, account credentials for the Processor's own administrative users, billing and accounting records, and aggregated platform telemetry), the Processor acts as an independent controller, and such Processing is governed by the Privacy Policy and not by this DPA.
4. Processor obligations
The Processor shall:
- (a) process Personal Data only on documented written instructions from the Controller, including with respect to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject (in which case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest);
- (b) treat the Terms, this DPA, and Customer onboarding configuration as the Controller's standing written instructions for Processing under the Service;
- (c) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (d) take all measures required pursuant to GDPR Article 32 (see Section 5 below);
- (e) respect the conditions for engaging Subprocessors (see Section 6 below);
- (f) taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to Data Subject requests (see Section 7 below);
- (g) assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of Processing and the information available to the Processor;
- (h) at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies, unless Union or Member State law requires storage of the Personal Data; and
- (i) make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and allow for and contribute to audits, including inspections, as set out in Section 9 below.
If, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable data-protection law, the Processor shall immediately inform the Controller and may suspend the relevant Processing until the instruction is confirmed or amended.
5. Security of Processing
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. The measures currently in place are described in Annex 2 (Technical and Organisational Measures) and at powersportos.com/docs/security-posture. The Processor may update these measures from time to time, provided the overall level of protection is not materially reduced.
6. Subprocessors
6.1 General authorisation
The Controller grants the Processor general written authorisation to engage Subprocessors for the Processing of Personal Data in connection with the Service. A current list of Subprocessors is set out in Annex 3 (Subprocessors) and, in updated form, at powersportos.com/privacy.
6.2 Notice of changes
The Processor shall inform the Controller of any intended addition or replacement of a Subprocessor at least thirty (30) days in advance, by updating Annex 3 and, where the Controller has subscribed to such notifications, by email.
6.3 Right to object
The Controller may object to a new Subprocessor on reasonable grounds related to data protection by notifying the Processor in writing within the notice period referred to in Section 6.2. The Parties shall in good faith seek a resolution. If no resolution is reached within thirty (30) days of the objection, the Controller may, as its sole and exclusive remedy, terminate the affected portion of the Service with a pro-rata refund of any prepaid fees for the unused remainder of the term.
6.4 Flow-down
The Processor shall impose on each Subprocessor data-protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing meets the requirements of the GDPR.
6.5 Liability
The Processor remains fully liable to the Controller for the performance of any Subprocessor's obligations.
7. Data Subject requests
The Service provides functionality enabling the Controller to access, rectify, erase, restrict, and export Personal Data, which the Controller may use to respond to Data Subject requests in the first instance.
If a Data Subject contacts the Processor directly with a request relating to Personal Data processed on behalf of the Controller, the Processor shall (a) not respond to the request other than to acknowledge receipt and direct the Data Subject to the Controller, unless instructed otherwise by the Controller in writing, and (b) promptly notify the Controller of the request.
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to Data Subject requests at no additional charge, unless the requests are manifestly unfounded or excessive (in which case the Processor may charge a reasonable fee or refuse to act).
8. Personal Data Breach
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. The notification shall include, to the extent then known:
- the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its possible adverse effects; and
- the contact details of a point of contact where more information can be obtained.
Where it is not possible to provide all of the above at the same time, the information may be provided in phases without further undue delay.
The Processor's notification of, or response to, a Personal Data Breach under this Section is not an acknowledgement of fault or liability.
9. Audits
The Controller has the right, upon at least thirty (30) days' prior written notice and not more than once per twelve (12) months (except where required by a supervisory authority or following a Personal Data Breach), to audit the Processor's compliance with this DPA. Audits shall:
- be conducted during normal business hours, in a manner that does not unreasonably disrupt the Processor's operations;
- be carried out by the Controller or by an independent third-party auditor mutually agreed by the Parties and bound by appropriate confidentiality obligations (an auditor that is a competitor of the Processor is not acceptable);
- be at the Controller's expense, except where the audit reveals a material breach of this DPA by the Processor (in which case the Processor shall bear the reasonable costs of the audit);
- not include access to data of, or systems used by, other customers of the Processor.
The Processor may satisfy its obligations under this Section by providing the Controller with a copy of any current third-party audit report (for example, ISO 27001, SOC 2, or equivalent) covering the relevant scope, where such report is available.
10. Return and deletion of Personal Data
Upon termination or expiration of the Terms, and at the Controller's choice, the Processor shall delete or return all Personal Data to the Controller, and delete existing copies, in accordance with the timelines set out in the Terms (currently: thirty (30) days for export-on-request, ninety (90) days for permanent deletion from primary storage, and removal from backups within the regular backup-rotation window).
The Processor may retain Personal Data to the extent and for the period required by Union or Member State law, including for accounting purposes under the Swedish Bookkeeping Act (Bokföringslagen (1999:1078)). Personal Data so retained shall continue to be protected in accordance with this DPA and shall be processed only for the legal purpose justifying its retention.
11. International transfers
The Processor primarily processes Personal Data within the European Economic Area (EEA). Where the Processor or a Subprocessor processes Personal Data outside the EEA, the Processor shall ensure that the transfer is subject to an appropriate transfer mechanism under Chapter V of the GDPR, including:
- an adequacy decision under GDPR Article 45;
- the Standard Contractual Clauses (Modules 2 (Controller-to-Processor) or 3 (Processor-to-Processor), as applicable), the terms of which are incorporated into this DPA by reference where required; or
- another lawful transfer mechanism as set out in GDPR Articles 46 to 49.
The current Subprocessors and the applicable transfer mechanisms are set out in Annex 3 (Subprocessors).
12. Liability
The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms. Nothing in this DPA limits or excludes either Party's liability where such limitation or exclusion is not permitted by applicable law, including liability for breach of GDPR resulting in administrative fines under GDPR Article 83.
13. Governing law and jurisdiction
This DPA is governed by the laws of Sweden, without regard to its conflict-of-laws principles. Any dispute arising out of or in connection with this DPA shall be settled in accordance with the dispute-resolution provisions of the Terms.
14. Order of precedence
In the event of any inconsistency or conflict between the documents governing the relationship between the Parties, the order of precedence (highest to lowest) shall be:
- The Standard Contractual Clauses, where applicable;
- This DPA;
- The Terms;
- The Privacy Policy;
- Any signed order form or quote.
15. Changes to this DPA
The Processor may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or the operation of the Service, provided that no such update materially reduces the level of protection of Personal Data. The Processor shall give the Controller at least thirty (30) days' notice of any material change before it takes effect.
16. Entry into force and signature
This DPA is incorporated into the Terms by reference and is binding on both Parties from the date the Controller accepts the Terms or otherwise begins using the Service. No separate signature is required, but the Controller may request a counter-signed copy by writing to info@powersportos.com.
Annex 1: Details of Processing
A. Categories of Data Subjects
- The Controller's employees, contractors, and authorised users who access the Service (tenant users and administrators).
- The Controller's business contacts, including dealer and reseller personnel listed in the Controller's tenant.
- End customers of the Controller's webshops or storefronts who interact with PowersportOS storefront widgets (such as YMM search, dealer map, store locator, or reseller stock locator).
B. Categories of Personal Data
- Tenant user data: full name, email address, hashed password, role, tenant association, account-creation and last-login timestamps, IP address and user-agent at sign-in.
- Business-contact data: names, business email addresses, telephone numbers, postal addresses, and roles associated with dealer or reseller locations entered into the Controller's tenant.
- End-customer widget data: IP address, approximate location (where shared by the end customer for "find a store near me" functionality), search terms, vehicle selections, requested part numbers, and timestamps.
- Technical data: server-side request logs, error and exception traces (pseudonymous), and session-cookie identifiers.
The Service is not intended for, and the Controller shall not upload, special categories of Personal Data within the meaning of GDPR Article 9, nor Personal Data relating to criminal convictions and offences within the meaning of GDPR Article 10.
C. Nature and purpose of Processing
Hosting, storing, transmitting, indexing, searching, displaying, and otherwise making available Personal Data uploaded by the Controller or generated through the Controller's use of the Service, for the purpose of operating the PowersportOS platform on behalf of the Controller, including:
- delivering the customer portal, admin interface, public APIs, PowersportOS Shopify Theme, and embeddable storefront widgets;
- authenticating users and enforcing access controls;
- responding to queries from the Controller's end customers via the storefront widgets;
- monitoring, debugging, securing, and improving the Service;
- providing support to the Controller.
D. Duration of Processing
For the duration of the Terms, plus any retention periods specified in the Terms, this DPA, or applicable law.
E. Frequency of Processing
Continuous, for as long as the Controller uses the Service.
Annex 2: Technical and Organisational Measures
The Processor implements the following technical and organisational measures, as further described at powersportos.com/docs/security-posture. The Processor may update these measures from time to time, provided the overall level of protection is not materially reduced.
A. Confidentiality
- Access control: role-based access control (RBAC) within the Service; tenant isolation enforced at the application and database layer; principle of least privilege applied to internal personnel; multi-factor authentication available self-service for all customer-portal and administrative accounts to production systems, and enabled on Processor staff accounts with production access.
- Authentication: passwords are hashed using industry-standard algorithms; session tokens are issued by a hardened authentication library (Better Auth) and transmitted only over TLS.
- Confidentiality undertakings: all personnel and contractors with access to Personal Data are bound by written confidentiality obligations.
B. Integrity
- Transport encryption: TLS 1.2 or higher for all traffic between clients and the Service, and between the Service and Subprocessors.
- Audit logging: append-only audit log of mutation events within the Service, retained for the duration of the tenant relationship.
- Change management: code changes are reviewed before deployment; production deployments are logged and reversible.
C. Availability and resilience
- Hosting: redundant infrastructure in EU data centres operated by Hetzner Online GmbH (primary region: Finland).
- Backups: automated daily backups; backup rotation window of thirty (30) days.
- Monitoring: continuous monitoring of system health, error rates, and security events; on-call alerting for production incidents.
D. Procedures for testing, assessing, and evaluating effectiveness
- Security review: periodic internal review of access controls, dependency vulnerabilities, and incident-response procedures.
- Patching: operating-system and dependency patches applied on a regular cadence and immediately for critical vulnerabilities.
E. Personal Data Breach response
- Documented incident-response procedure, including triage, containment, notification to affected Controllers within seventy-two (72) hours, and post-incident review.
F. Data minimisation and storage limitation
- The Service is designed to collect only the Personal Data necessary for the operation described in Annex 1.
- Retention periods are defined in the Terms, the Privacy Policy, and this DPA.
Annex 3: Subprocessors
The following Subprocessors are authorised by the Controller as of the effective date of this DPA. The current list is also published at powersportos.com/privacy.
| Subprocessor | Purpose | Location | Transfer mechanism | Personal data processed |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting, storage, backups | Germany / Finland (EU/EEA) | Within EEA, no transfer mechanism required | Yes |
| Resend, Inc. | Transactional email (account, password reset, contact form, notifications) | United States | Standard Contractual Clauses (Module 3) | Yes |
| Functional Software, Inc. (Sentry) | Error tracking and exception monitoring (pseudonymous) | United States | Standard Contractual Clauses (Module 3) | Limited (pseudonymous traces) |
| Mapbox, Inc. | Geographic map rendering on tenant-installed dealer-map widgets, using each tenant's own Mapbox token | United States | Standard Contractual Clauses (Module 3); each tenant's Mapbox account governs its own relationship with Mapbox | Yes |
| Labelary Inc. | Server-side rendering of label-printing ZPL strings (SKU, brand, part name) into preview images and PDF for the Customer's own use | United States | Standard Contractual Clauses (Module 3) | None (label payloads contain no personal data) |