Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between Adcyma AB (“Adcyma”, “we”, “us”) and the customer (“Customer”, “you”) for the use of Adcyma's services.
This DPA describes how we handle personal data on your behalf in compliance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and other applicable data protection laws.
1. Roles and Responsibilities
Depending on the context, Adcyma acts in two roles:
- Data Controller — for personal data we collect directly from end users of our website and services (such as account registration and usage data).
- Data Processor — for personal data that you, the Customer, provide to us or that we process on your behalf through the Adcyma platform (such as identity and access data from your Microsoft Entra ID environment).
When we act as a Data Processor, you remain the Data Controller. We only process your data according to your documented instructions.
2. What We Process and Why
2.1 As Data Controller, we process data necessary to operate our service — things like account details, login information, and basic usage analytics.
2.2 As Data Processor, we process the personal data you send to us through the platform. This typically includes user identity information from your Microsoft Entra ID tenant, such as names, email addresses, group memberships, and role assignments.
2.3 We only process personal data to the extent needed to deliver the services described in our agreement with you. We do not use your data for any other purpose.
3. Our People
Anyone at Adcyma who has access to personal data is bound by confidentiality obligations. We limit access to the people who actually need it to do their work.
4. Security
4.1 We maintain technical and organizational security measures appropriate to the sensitivity of the data we process. This includes encryption in transit and at rest, access controls, and regular security reviews.
4.2 All customer data is hosted on infrastructure within the European Union, primarily in Germany through our hosting provider Hetzner. See our full subprocessor list for details.
5. Subprocessors
5.1 We use a limited number of third-party services (subprocessors) to operate the platform. We do not engage a new subprocessor without your prior authorization.
5.2 The current list of subprocessors is available at adcyma.com/legal/subprocessors. By using our services, you authorize the subprocessors listed there.
5.3 If we plan to add or replace a subprocessor, we will notify you in advance and give you the opportunity to object. If you have a reasonable objection that we cannot resolve, you may terminate the affected part of the service.
6. Data Subject Rights
6.1 If someone whose data we process on your behalf contacts us with a rights request (access, deletion, correction, etc.), we will let you know promptly and follow your instructions on how to respond.
6.2 We will assist you, where technically feasible, in fulfilling your obligations to respond to data subject requests under GDPR.
7. Data Breaches
7.1 If we become aware of a personal data breach affecting your data, we will notify you without undue delay. Our notification will include a description of the breach, the data affected, and the steps we are taking to address it.
7.2 We will cooperate with you in investigating and resolving any breach.
8. Data Protection Impact Assessments
If you need to carry out a data protection impact assessment (DPIA) or consult with a supervisory authority about your use of our service, we will provide reasonable assistance.
9. Data Deletion and Return
When our agreement ends, or at your request, we will delete or return all personal data we have processed on your behalf. We will confirm deletion in writing unless legal obligations require us to retain certain data.
10. Audit Rights
You have the right to verify that we comply with this DPA. We will provide the information you reasonably need to confirm compliance and allow audits by you or a third-party auditor you appoint, subject to reasonable notice and scope.
11. International Data Transfers
We keep personal data within the EEA wherever possible. We will not transfer personal data outside the EEA without your prior written consent. If a transfer is necessary, we will ensure adequate protection through EU-approved Standard Contractual Clauses or other legally recognized mechanisms.
12. General
12.1 Confidentiality: Both parties will keep the information exchanged under this agreement confidential.
12.2 Notices: Any notices under this DPA should be sent in writing by email. Subprocessor change notifications will be sent by email, and the current list is always available at adcyma.com/legal/subprocessors.
12.3 Governing Law: This agreement is governed by Swedish law. Any disputes will be resolved through the courts of Malmö Tingsrätt.
12.4 Contact: For any questions about this DPA, contact us at [email protected].