Legal

Data Processing Agreement

Last updated: December 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Quantaprice AB ("Processor") and the customer ("Controller").

1. Purpose

The Controller uses the Quantaprice service under the Terms of Service. In doing so, Quantaprice may process personal data on behalf of the Controller.

This DPA governs such processing in accordance with the GDPR (EU) 2016/679.

2. Roles

  • Controller: The Customer
  • Processor: Quantaprice AB

The Controller determines the purposes and means of processing.

Quantaprice processes personal data solely on documented instructions from the Controller.

3. Categories of Data and Data Subjects

Processing may include:

  • Data subjects: Customer employees, users, or business contacts
  • Personal data: Names, email addresses, identifiers, and other data submitted to the Service

Quantaprice does not require or intend to process special categories of personal data.

4. Processing Activities

Personal data may be processed for the purpose of:

  • Providing and operating the Service
  • Troubleshooting, maintenance, and support
  • Security and abuse prevention

5. Confidentiality

Quantaprice ensures that persons authorized to process personal data are bound by confidentiality obligations.

6. Security Measures

Quantaprice implements appropriate technical and organizational measures to protect personal data, taking into account:

  • The state of the art
  • The nature of the data
  • The risks involved

No specific security measures are guaranteed beyond what is required by applicable law.

7. Sub-processors

Quantaprice may use sub-processors (e.g. infrastructure or hosting providers).

The Controller provides general authorization for such sub-processors.

8. Data Subject Rights

Quantaprice will reasonably assist the Controller in fulfilling data subject requests, to the extent required by law and technically feasible.

9. Data Breach Notification

Quantaprice will notify the Controller without undue delay after becoming aware of a personal data breach, where required by law.

10. Data Deletion

Upon termination of the Service, personal data will be deleted or returned in accordance with the Terms of Service, unless retention is required by law.

11. Governing Law

This DPA is governed by Swedish law and applicable European Union law, without regard to conflict-of-laws principles.

Any disputes shall be subject to the exclusive jurisdiction of the courts of Sweden.