
OKRnest Data Processing Agreement (DPA)

Version 1.0 Last updated: April 29, 2026

1. Introduction and Scope

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Service (the “Terms”) between Bantero AB, a Swedish limited liability company with registration number 556943-5273 and registered address Långholmsgatan 16, 117 33 Stockholm, Sweden (“Bantero”, “Processor”, “we”, “us”), and the legal entity that has accepted the Terms (“Customer”, “Controller”, “you”).

This DPA applies to the extent that Bantero processes Personal Data on behalf of the Customer in the course of providing the OKRnest service (the “Service”) as described in the Terms. It is entered into pursuant to Article 28 of the GDPR.

This DPA is designed to ensure compliance with:

  • The EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”);
  • The UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 (“UK GDPR”); and
  • The Swiss Federal Act on Data Protection (as revised 1 September 2023, “nFADP”; referred to in this DPA as “Swiss DPA”),

collectively referred to as “Applicable Data Protection Law”.

Where there is a conflict between this DPA and the Terms, this DPA prevails with respect to the processing of Personal Data.

2. Definitions

Capitalised terms not defined in this DPA have the meanings given to them in the Terms.

“Applicable Data Protection Law” means the GDPR, UK GDPR, Swiss DPA, and any other data protection legislation applicable to the processing of Personal Data under this DPA.

“Customer Data” has the meaning given in the Terms.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Personal Data” means any information relating to a Data Subject that is processed by Bantero as Processor on behalf of the Customer in connection with the Service. For the avoidance of doubt, personal data that Bantero processes as an independent controller (as described in Section 3.1) is not Personal Data for the purposes of this DPA.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Bantero.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means (and “process”, “processes”, and “processed” shall be construed accordingly).

“Sub-processor” means any third party engaged by Bantero to process Personal Data on behalf of the Customer.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time.

“Technical and Organisational Measures” or “TOMs” means the technical and organisational security measures implemented by Bantero as described in the separate TOMs document referenced in Section 5.

3. Roles and Responsibilities

3.1 Controller and Processor

For the purposes of Applicable Data Protection Law, the Customer is the Controller and Bantero is the Processor with respect to the processing of Personal Data described in this DPA. The details of the processing — including the subject matter, duration, nature and purpose, types of Personal Data, and categories of Data Subjects — are set out in Annex 1.

Bantero also processes certain personal data as an independent controller in connection with the Service — specifically, the Owner’s account data (name, email, role), profile data (job title, department, profile picture), usage and log data (IP address, login timestamps, feature usage, device and browser information), and billing data (billing address, VAT number, payment information). The Owner enters into a direct contractual relationship with Bantero, and Bantero independently determines the purposes of processing the Owner’s data for account management, billing, support, and relationship management. Such processing is not governed by this DPA but by the Privacy Policy.

By contrast, Admins and Users are provisioned by the Customer organisation. The Customer determines the purposes of processing their personal data through the Service. Bantero processes Admin and User data solely on the Customer’s documented instructions to provide the Service, and this processing falls within the scope of this DPA.

3.2 Customer obligations

The Customer shall:

  1. comply with its obligations as Controller under Applicable Data Protection Law, including ensuring it has a valid legal basis for providing Personal Data to Bantero;

  2. ensure that it has provided adequate notice to, and where required obtained necessary consents from, Data Subjects regarding the processing described in this DPA;

  3. ensure that its instructions to Bantero comply with Applicable Data Protection Law;

  4. be responsible for the accuracy, quality, and lawfulness of Customer Data and the means by which it was obtained; and

  5. not submit special categories of personal data (as defined in Article 9 GDPR) or data relating to criminal convictions and offences to the Service, unless expressly agreed in writing.

3.3 Bantero obligations

Bantero shall process Personal Data only on documented instructions from the Customer, unless required to do so by EU or Member State law to which Bantero is subject (in which case Bantero shall inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest).

If Bantero believes that an instruction from the Customer infringes Applicable Data Protection Law, Bantero shall immediately notify the Customer and may suspend the relevant processing until the Customer has provided revised instructions or confirmed the original instruction in writing.

The Customer’s instructions are documented in this DPA and the Terms. The Customer may issue additional reasonable instructions consistent with the Terms, provided that any instruction that falls outside the scope of the Terms shall require a separate written agreement and may be subject to additional fees.

3.4 Government and law enforcement requests

If Bantero receives a request from a government authority or law enforcement agency for access to Personal Data processed on behalf of the Customer, Bantero shall (a) promptly notify the Customer of the request, unless legally prohibited from doing so; (b) inform the requesting authority that the data is processed on behalf of the Customer and redirect the request to the Customer where possible; and (c) not disclose Personal Data in response to such a request unless required by applicable law. If disclosure is legally required, Bantero shall disclose only the minimum amount of Personal Data necessary to comply.

4. Confidentiality

Bantero shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Bantero shall limit access to Personal Data to those personnel who need access in order to perform obligations under the Terms and this DPA.

5. Security

5.1 Technical and organisational measures

In accordance with Article 32 GDPR, Bantero shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The specific measures are described in the separate Technical and Organisational Measures (TOMs) document, available at Technical and Organisational Measures and updated from time to time. Bantero will not materially reduce the overall level of security during the term of this DPA.

5.2 Access to Customer Data

In the course of providing, securing, and supporting the Service — including customer support, troubleshooting, and customer success activities — authorised Bantero personnel may access Customer accounts and Customer Data. Such access is limited to authorised personnel, is purpose-limited to providing the Service, and is subject to the safeguards set out in the Technical and Organisational Measures (TOMs).

5.3 Data hosting

Bantero stores Customer Data within the European Union (currently AWS Frankfurt, eu-central-1) and endeavours to select Sub-processors that process Personal Data within the EU/EEA. Where a Sub-processor processes Personal Data outside the EU/EEA, Bantero shall ensure that appropriate safeguards are in place in accordance with Section 9. The current processing locations of each Sub-processor are set out in the Sub-processor List. Bantero will not relocate the primary data storage region without prior written notice to the Customer.

6. Personal Data Breach

This Section sets out the parties’ obligations in respect of Personal Data Breaches, in support of the Customer’s obligations under Articles 33 and 34 GDPR.

6.1 Notification

Bantero shall notify the Customer of a confirmed Personal Data Breach without undue delay and in any event no later than forty-eight (48) hours after becoming aware of it. Notification shall be sent to the Customer’s designated contact or, in the absence of a designated contact, to the account Owner’s email address on file.

6.2 Content of notification

The notification shall include, to the extent reasonably available at the time:

  1. a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;

  2. the likely consequences of the breach;

  3. a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects; and

  4. the name and contact details of Bantero’s contact point for further information.

6.3 Ongoing cooperation

Where it is not possible to provide all information at the time of notification, information may be provided in phases without further undue delay. Bantero shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

6.4 Costs

Each party shall bear its own costs associated with complying with its obligations under this Section 6 and under Applicable Data Protection Law in relation to a Personal Data Breach.

6.5 No assessment by Bantero

Bantero’s notification of a Personal Data Breach shall not be construed as an acknowledgement of fault or liability. The Customer retains the sole responsibility for assessing whether the breach triggers notification obligations to supervisory authorities or Data Subjects under Applicable Data Protection Law.

7. Sub-processors

7.1 General authorisation

The Customer provides a general authorisation for Bantero to engage Sub-processors to process Personal Data on behalf of the Customer. The current list of Sub-processors is available at Sub-processor List (the “Sub-processor List”).

7.2 Obligations on Sub-processors

Bantero shall:

  1. enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA;

  2. remain fully liable to the Customer for the performance of each Sub-processor’s obligations; and

  3. conduct appropriate due diligence on Sub-processors before engagement.

7.3 Changes to Sub-processors

Bantero shall notify the Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days before the new Sub-processor begins processing Personal Data, by updating the Sub-processor List. For Paid Plan customers, Bantero will additionally send notice to the account Owner’s email address (or an alternative notification mechanism made available in the Service). Free Plan customers are responsible for periodically reviewing the Sub-processor List at Sub-processor List to stay informed of any changes. Bantero will include the effective date of each change on the Sub-processor List.

7.4 Objection right

If the Customer has a reasonable, documented objection to a new Sub-processor based on data protection grounds, the Customer shall notify Bantero in writing within the 30-day notice period. The parties shall discuss the objection in good faith with the aim of achieving a commercially reasonable resolution, which may include:

  1. Bantero making available a change in the Service that avoids the use of the objected-to Sub-processor;

  2. Bantero taking corrective steps requested by the Customer and proceeding with the Sub-processor; or

  3. if no resolution can be reached within thirty (30) days of Bantero’s receipt of the objection, the Customer may terminate the affected subscription by giving written notice. The Customer is not entitled to any remedies other than the termination right set out in this paragraph.

8. AI-Specific Processing

8.1 AI Sub-processors

Where the Service includes AI Features (as defined in the Terms), Bantero may engage AI Sub-processors — including third-party AI model providers — to process Customer Data in connection with those features. AI Sub-processors are subject to the same requirements as all other Sub-processors under Section 7 and are listed on the Sub-processor List.

8.2 No training on Customer Data

Bantero does not use Customer Data to train generally available artificial intelligence or machine learning models. Bantero’s agreements with AI Sub-processors contractually prohibit such Sub-processors from using Customer Data to train their generally available models.

8.3 Data minimisation

Bantero shall ensure that Personal Data submitted to AI Sub-processors is limited to what is necessary to provide the requested AI Feature. Where technically feasible, Bantero will pseudonymise or minimise Personal Data before transmission to an AI Sub-processor.

9. International Data Transfers

9.1 General principle

To the extent that the provision of the Service requires the transfer of Personal Data to a country outside the EU/EEA (see Section 5.3) that has not been recognised by the European Commission as providing an adequate level of data protection, Bantero shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law.

9.2 Standard Contractual Clauses

Where a transfer described in Section 9.1 takes place, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply, incorporated by reference as follows:

  1. Clause 7 — the optional docking clause is included;

  2. Clause 9(a) — Option 2 (general written authorisation) applies, and the time period for prior notice of Sub-processor changes is thirty (30) days as set out in Section 7.3;

  3. Clause 11 — the optional language is not included;

  4. Clause 13(a) — the competent supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY);

  5. Clause 17 — Option 1 applies, and the SCCs shall be governed by the law of Sweden;

  6. Clause 18(b) — disputes shall be resolved before the courts of Sweden, with the Stockholm District Court (Stockholms tingsrätt) as court of first instance;

  7. Annex I to the SCCs is completed with the information set out in Annex 1 to this DPA;

  8. Annex II to the SCCs is completed by reference to the TOMs document referenced in Section 5.1; and

  9. Annex III to the SCCs is completed by reference to the Sub-processor List referenced in Section 7.1.

9.3 UK International Data Transfer Addendum

For transfers of Personal Data subject to the UK GDPR, the parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under S119A(1) of the Data Protection Act 2018 (“UK Addendum”), shall apply. In the event of a conflict between the UK Addendum and the SCCs, the UK Addendum prevails with respect to transfers of UK Personal Data.

Part 1 of the UK Addendum is completed as follows:

  1. Table 1 — the parties’ details are as set out in Annex 1 to this DPA;

  2. Table 2 — the Approved EU SCCs referenced are those described in Section 9.2;

  3. Table 3 — is completed by reference to Annex 1 and the Sub-processor List; and

  4. Table 4 — Importer may end the UK Addendum in accordance with Section 19 of the UK Addendum.

9.4 Swiss Data Transfers

For transfers of Personal Data subject to the Swiss DPA, the SCCs as described in Section 9.2 apply with the following modifications:

  1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

  2. references to “EU”, “Union”, and “Member State” shall not be interpreted in a way that excludes Data Subjects in Switzerland from exercising their rights;

  3. the competent supervisory authority under Clause 13 is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and

  4. the SCCs shall be governed by Swiss law and disputes shall be resolved before the courts of Switzerland, unless the parties’ agreement specifies Swedish law and jurisdiction.

9.5 Customer’s own transfers

The Customer acknowledges that where it permits access to the Service from outside the EU/EEA (for example, by granting access to Users located in third countries), the Customer is responsible for ensuring that any such transfer of Personal Data complies with Applicable Data Protection Law. Bantero’s provision of the Service does not constitute a transfer of Personal Data to a third country solely because the Customer or its Users access the Service from outside the EU/EEA.

10. Assistance to the Customer

10.1 Data Subject rights

Bantero shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If Bantero receives a request directly from a Data Subject, Bantero shall promptly redirect the request to the Customer unless otherwise instructed.

10.2 Data protection impact assessments

Bantero shall provide reasonable assistance to the Customer in ensuring compliance with the Customer’s obligations regarding data protection impact assessments and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to Bantero.

10.3 Cooperation with supervisory authorities

Bantero shall cooperate with and assist the Customer in responding to inquiries from supervisory authorities relating to the processing of Personal Data under this DPA. This Section 10.3 applies to Paid Plan customers only.

11. Audit Rights

This Section 11 applies to Paid Plan customers only.

11.1 Audit reports

Bantero shall make available to the Customer, upon written request and no more than once per twelve (12) month period, copies of relevant audit reports, certifications (such as SOC 2 or ISO 27001, when available), or summaries of third-party audits that demonstrate Bantero’s compliance with its obligations under this DPA. Such reports shall be provided under the confidentiality obligations set out in the Terms.

11.2 On-site audit

If the information provided under Section 11.1 is not reasonably sufficient to demonstrate compliance, the Customer may, upon at least thirty (30) days’ written notice, conduct or commission a third-party auditor (bound by confidentiality obligations) to conduct an on-site audit of Bantero’s processing activities and facilities relevant to this DPA, subject to the following conditions:

  1. audits shall be conducted during normal business hours and shall not unreasonably disrupt Bantero’s operations;

  2. the scope shall be limited to Bantero’s compliance with this DPA and shall not include data of other customers or systems not involved in the processing of Personal Data;

  3. the Customer shall provide Bantero with a detailed audit plan in advance and the parties shall agree in writing on the scope, timing, and duration of the audit;

  4. Bantero may object to an auditor if the auditor is a competitor of Bantero or is otherwise not reasonably suitable;

  5. the Customer shall bear all costs and expenses incurred by both parties as a result of the audit, including Bantero’s reasonable internal costs;

  6. the Customer shall promptly provide Bantero with the results of any audit and allow Bantero to comment on and address any findings; and

  7. all information and findings obtained through the audit shall be treated as confidential, used solely to verify compliance with this DPA, and deleted by the Customer within one (1) month of completion of the audit.

11.3 Multi-customer audits

Where multiple customers request audits in the same period, Bantero may satisfy those requests through a single audit conducted by a qualified independent third party, the results of which shall be shared with requesting customers under confidentiality.

12. Return and Deletion of Data

12.1 During the term

During the term of the Customer’s use of the Service, the Customer may export Customer Data from the Service at any time using the export functionality available in the Service.

12.2 After termination

Upon termination or expiry of the Terms, Bantero shall:

  1. delete Customer Data from production systems within thirty (30) days of the effective date of termination; and

  2. purge backup copies containing Customer Data within ninety (90) days of deletion from production systems, except to the extent that retention is required by applicable law.

The Customer is responsible for exporting any Customer Data it wishes to retain before termination or expiry of the Terms.

13. Liability

The parties’ liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA does not create any liability beyond what is provided for in the Terms, except as required by Applicable Data Protection Law.

For the avoidance of doubt, Bantero shall not be liable for any administrative fines imposed on the Customer by a supervisory authority.

14. Term and Termination

This DPA takes effect on the date the Customer accepts the Terms (or, if earlier, the date Bantero first processes Personal Data on behalf of the Customer) and remains in effect for as long as Bantero processes Personal Data on behalf of the Customer. Upon termination, Sections 4, 5, 6, 9, 11, 12, and 13 shall survive for as long as Bantero retains any Personal Data.

15. Execution

This DPA is incorporated into and forms part of the Terms. By accepting the Terms (whether through click-wrap acceptance or written execution), the Customer also accepts this DPA without the need for separate signature.

Bantero may make a separately executed copy of this DPA available to Customers on eligible Paid Plans upon request. Both versions are legally equivalent. Eligibility for a signed DPA is described on our website or in the applicable plan description.

16. Governing Law and Disputes

This DPA is governed by the laws of Sweden, excluding its conflict-of-laws rules. Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms, with the Stockholm District Court (Stockholms tingsrätt) as court of first instance.

For matters subject to the UK GDPR, this Section is subject to the UK Addendum. For matters subject to the Swiss DPA, this Section applies unless the modifications in Section 9.4 require otherwise.

17. Contact

For questions or requests relating to this DPA:

Bantero AB
Email: privacy@okrnest.com
Address: Långholmsgatan 16, 117 33 Stockholm, Sweden

Annex 1 — Description of Processing

A. List of Parties

Data exporter (Controller):
Name: The Customer, as identified in the Terms (and, where applicable, the Order).
Activities: Use of the OKRnest Service for internal business purposes, including OKR management.
Role: Controller.

Data importer (Processor):
Name: Bantero AB
Address: Långholmsgatan 16, 117 33 Stockholm, Sweden
Registration number: 556943-5273
Activities: Provision and operation of the OKRnest Service.
Contact: privacy@okrnest.com
Role: Processor.

B. Description of Processing

Subject matter: Processing of Personal Data in connection with the provision of the OKRnest Service under the Terms, as described in Section 3.1.

Duration: For the duration of the Terms, plus any post-termination retention period specified in Section 12.

Nature and purpose: Hosting, storage, retrieval, display, transmission, backup, and deletion of Personal Data to provide, secure, and support the Service and related technical operations, including:

  (a) provisioning and managing Admin and User accounts on the Customer’s instructions;
  (b) storing and processing content data created within the Service;
  (c) sending communications to Admins and Users (see below);
  (d) usage analytics to operate, maintain, monitor, and improve the Service (including tracking feature adoption, identifying usage patterns, and building product funnels through analytics Sub-processors);
  (e) ensuring the security and integrity of the Service (including fraud prevention, debugging, and error tracking); and
  (f) where AI Features are enabled, submission of data to AI Sub-processors for the purpose of generating AI-assisted outputs within the Service.

Categories of Data Subjects: (i) Admins and Users — employees, contractors, and consultants of the Customer who are provisioned as Admins or Users of the Service by the Customer; and (ii) third parties whose personal data is incidentally included in content data (e.g., individuals referenced by name in objectives, key results, check-ins, or comments).

Types of Personal Data: Admin and User data: name, email address, user role, job title, department, profile picture, IP address, device and browser information, login timestamps, feature usage, and activity patterns. Content data: any personal data incidentally included in objectives, key results, check-ins, progress updates, comments, and file attachments — such as names or other identifiers of individuals.

Special categories: None. The Service is not intended for processing special categories of personal data. The Customer shall not submit such data unless expressly agreed in writing.

Frequency of transfer: Continuous, for the duration of the Service.

Retention: Admin and User account and profile data: duration of the customer contract or until the User is removed by the Customer, whichever is earlier; deleted from production systems within 30 days of termination or removal. Usage and log data: up to 12 months. Content data: duration of the customer contract; deleted from production systems within 30 days of termination. Backups are purged within 90 days of deletion from production systems, subject to any legal retention obligations.

Communications to Admins and Users (purpose (c)): Communications include (1) transactional emails (such as account invitations, password resets, and security alerts) and in-product notices (such as notifications, system updates, and feature guidance), which are delivered to all users as part of the Service; and (2) non-transactional emails (such as product news, feature updates, information about available Service capabilities including paid features, and educational content such as webinar invitations), which are delivered to all users by default and may be restricted by the Owner via an organisational setting in the Service to Admins and Owners only, or to the Owner only. Individual users may opt out of non-transactional emails at any time.

C. Competent Supervisory Authority

The competent supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), unless a Data Subject’s processing is exclusively subject to the UK GDPR (in which case the UK Information Commissioner’s Office, ICO) or the Swiss DPA (in which case the Swiss Federal Data Protection and Information Commissioner, FDPIC).

Annex 2 — Technical and Organisational Measures

The technical and organisational measures implemented by Bantero are described in the separate TOMs document, available at Technical and Organisational Measures.

Annex 3 — Sub-processors

The current list of approved Sub-processors is maintained at Sub-processor List and is updated in accordance with Section 7 of this DPA.
