1. Background

The Controller is the data controller responsible for the personal data processed through the Swirl web platform. Swirl acts as a data processor on behalf of the Controller.

2. Definitions

2.1 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").

2.2 "Processing" means any operation or set of operations which is performed on Personal Data.

3. Data Processing

3.1 Subject Matter: Swirl will process Personal Data on behalf of the Controller for the purpose of hosting community spaces, memberships and courses on the Swirl platform.

3.2 Duration: The processing will commence by when creating an account on Swirl and will continue until the termination of the agreement between the Parties.

3.3 Nature of Processing: Swirl will process Personal Data as instructed by the Controller, in accordance with the terms of this DPA, and will not process the Personal Data for any other purpose.

3.4 Categories of Personal Data: The categories of Personal Data may include, but are not limited to, names, contact information, and any other information provided by the Controller for the purpose of hosting memberships and courses.

4. Controller's Obligations

The Controller warrants that it has the lawful right to instruct Swirl to process the Personal Data and that it will comply with all applicable data protection laws and regulations.

5. Swirl's Obligations

5.1 Confidentiality: Swirl will ensure that its personnel involved in the processing of Personal Data are bound by appropriate confidentiality obligations.

5.2 Security: Swirl will implement appropriate technical and organizational measures to ensure the security and confidentiality of the Personal Data.

5.3 Subprocessing: Swirl will not engage any subprocessor without the prior consent of the Controller. If the Controller provides such consent, Swirl will ensure that any subprocessor is bound by the same data protection obligations as set out in this DPA.

5.4 Data Subject Rights: Swirl will assist the Controller in fulfilling its obligations regarding Data Subject rights under applicable data protection laws.

6. Data Security Breach

In the event of a Personal Data breach, Swirl will notify the Controller without undue delay and provide reasonable assistance to the Controller in investigating and mitigating the breach.

7. Compliance with GDPR

Swirl confirms that it is processing Personal Data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council).

9. Termination

Upon termination of the agreement between the Parties, Swirl will, at the choice of the Controller, either return or delete all Personal Data processed on behalf of the Controller.

10. Governing Law

This DPA is governed by the laws of Sweden.