Data Processing Agreement

Gilion Platform

Last Updated: May 26, 2026

1. General

1.1 This DPA governs the rights and obligations of the Parties when the Processor processes personal data on behalf of the Controller (or any of its affiliates) pursuant to the Terms of Service (as applicable). 

1.2 This DPA, including its appendices, together with the Terms of Service (as applicable), constitute the Controller’s (or any of its affiliates) complete instructions to the Processor for the processing of the personal data. 

1.3 If the information stipulated in the Terms of Service conflicts with this DPA, this DPA shall take precedence. 

1.4 This DPA aims to meet the current requirements for a DPA in accordance with Applicable Data Protection Legislation.

2. Definitions

To the extent that Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter referred to as the General Data Protection Regulation (“GDPR”), contains terms similar to those used in this DPA, such terms shall have the same meaning as in the GDPR. To the extent not defined herein or in the GDPR, defined terms shall have the same meaning as set out in the Terms of Service. 

“Applicable Data Protection Legislation” means all applicable privacy and personal data legislation applicable to the personal data processing that is carried out under this DPA.

“Controller” means the company on whose behalf the registration for the Platform as a customer has been completed and in connection therewith this DPA was entered into.

“DPA” means this Data Processing Agreement and its appendices.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Party” means the Controller or the Processor.

“Platform” means the digital platform provided by the Processor to which the Controller is granted access in accordance with the Terms of Service.

“Processor” means Gilion AB, reg. no. 559264-9726, Eriksbergsgatan 27, 114 30 Stockholm.

“Services” means the Platform and its content including the Result (as defined in the Terms of Service), features, functionalities, tools, data, software and services related thereto provided by Gilion.

“SCC” means the standard contractual clauses for the transfer of Personal Data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented by the European Commission decision (EU) 2021/914 of 4 June 2021.

“Sub-processor” means the legal person who processes personal data on behalf of the Processor.

“Terms of Service” means the Terms of Service governing the use of the Services as entered into by the Parties. 

3. Processing of Personal Data

3.1 The Processor shall ensure compliance with Applicable Data Protection Legislation and its obligations under this DPA when processing personal data on behalf of the Controller. 

3.2 The Processor may only process personal data on behalf of the Controller in accordance with the Controller’s documented instructions unless required to do so by the laws of the European Union or a Member State of the European Union to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest. The Controller’s instructions are set out in Appendix 1. 

3.3 The Controller warrants that it is entitled under Applicable Data Protection Legislation to instruct the Processor to process the personal data in accordance with this DPA also on behalf of any affiliates (to the extent relevant or applicable). 

3.4 Except as set out in Section 3.2, the Processor may not process any personal data for its own purposes or other purposes not set out in this DPA. 

3.5 The Processor shall immediately inform the Controller if, in the Processor’s opinion, the Processor has not received sufficient instructions to process personal data in accordance with its obligations or if, in the Processor’s opinion, an instruction infringes Applicable Data Protection Legislation, and shall defer the processing until receipt of further instructions from the Controller. 

3.6 Any changes to the Controller’s instructions shall be negotiated separately and documented in writing. The Processor shall be entitled to compensation for additional costs incurred as a result of any such amendments provided that the Processor has informed the Controller of such additional costs.

4. The Processor’s Obligations to Assist the Controller

4.1 The Processor shall assist the Controller in fulfilling its obligations in accordance with Applicable Data Protection Legislation upon the Controller’s request. This means that the Processor shall:

  a) Through appropriate technical and organizational measures, to the extent possible and with due regard to the nature of the processing, assist the Controller in fulfilling the Controller's obligations to comply with the data subjects’ requests for exercising their rights under the GDPR (such as rectification, deletion, restriction, data portability and request of access);

  b) Assist the Controller in fulfilling the Controller's obligations to take appropriate security measures for the processing of personal data under this DPA to ensure a level of security appropriate considering the level of risk that the processing of personal data in question entails;

  c) Assist the Controller by providing the information, assistance and resources that are reasonably necessary for fulfilling the Controller’s obligation to report personal data breaches to the competent supervisory authority;

  d) Assist the Controller with the information, assistance and resources that may reasonably be required to fulfill the Controller's obligation to inform the data subjects, within the framework of this DPA, in the event of a data breach that is likely to result in a high risk to the rights and freedoms of natural persons;

  e) Assist the Controller in fulfilling the Controller's obligation to carry out impact assessments for processing under this DPA which is likely to result in a high risk to the rights and freedoms of individuals; and 

  f) Assist the Controller by providing the Controller with the information, assistance and resources that may reasonably be required to fulfill the Controller's obligation to provide information and documentation to the supervisory authority for prior consultation, and when necessary, and to a reasonable extent, attend meetings with the competent supervisory authority. 

4.2 When the Processor assists the Controller in fulfilling the Controller’s obligations under Applicable Data Protection Legislation in accordance with Sections 4.1 b) to f) above, consideration shall be given to the type of processing it refers to and the information available to the Processor. In order to avoid any misunderstandings, nothing in this Section 4 shall be interpreted as indicating that the Processor may act on behalf of the Controller. The Processor may only act to fulfill its obligations vis-à-vis the Controller.

5. Security and Confidentiality

5.1 The Parties' obligations to observe confidentiality are regulated in the Terms of Service (as applicable). 

5.2 The Processor undertakes to take appropriate technical and organizational measures to protect the personal data being processed under this DPA in accordance with Applicable Data Protection Legislation. 

5.3 The Processor shall ensure that only the personnel who must have access to the personal data in order to fulfill the Processor's obligations under this DPA will have access to such personal data. The Processor shall ensure that all such personnel are bound by appropriate confidentiality obligations, either by law or by agreement. 

6. Personal Data Breaches

6.1 The Processor shall without undue delay inform the Controller after becoming aware of any personal data breach.

6.2 A notification pursuant to Section 6.1 shall include all information that may reasonably be required by the Controller to fulfill its obligations under Applicable Data Protection Legislation. Such information includes, for example, a description of:

  1. the nature of the personal data breach, the categories of and the approximate number of data subjects affected, and the categories of and the approximate number of personal data records included;

  2. likely consequences as a result of the data breach; and 

  3. a description of the measures taken to rectify the personal data breach or to mitigate its potential adverse effects. 

6.3 If and to the extent it is not possible to provide all the information at the same time, the information may be provided in installments without undue further delay.

6.4 The Controller shall compensate the Processor for any direct costs that the Processor incurs if the measures taken under this Section 6 are due to the Controller’s non-compliance with Applicable Data Protection Legislation.

7. Sub-processors

7.1 For the performance of the Agreement, the Processor engages Sub-processors for certain tasks, such as IT operations, data hosting and AI-assisted analysis. The Processor is hereby given prior general authorization for the engagement of Sub-processors through which personal data may be transferred for the Processor to be able to fulfil its obligations pursuant to the Agreement. 

7.2 The Processor shall notify the Controllers who have subscribed to notifications of any plans to engage new Sub-processors or to replace any Sub-processor fifteen (15) days prior to such change, thereby giving the Controller the opportunity to object to such changes.

7.3 Controllers may subscribe here to receive notifications of any changes to the Sub-processors list set out in Appendix 2 hereto. It is the Controller’s responsibility to subscribe to and maintain valid contact details for such notifications. 

7.4 If the Controller reasonably considers the engagement of a new or replacement Sub-processor to materially adversely affect the protection of its personal data, it has fifteen (15) days from the date of notification to bring such matter to the Processor's attention. If the Processor is unable to resolve the Controller's objection within fifteen (15) days from receiving the Controller’s objection, the Controller may terminate the Agreement without penalty upon five (5) days’ notice and shall be entitled to a pro rata refund of any prepaid fees remaining and being unused for the subscription period.

7.5 If the Controller does not raise an objection within fifteen (15) days from the date of notification, the Controller shall be deemed to have accepted the new or replacement Sub-processor. 

7.6 The Processor is responsible for ensuring that the Sub-processor, through a written agreement or other legal act pursuant to Applicable Data Protection Legislation, is bound to data protection obligations equivalent to those laid down in this DPA, and for ensuring that the Sub-processor provides sufficient guarantees that it will implement appropriate technical and organizational measures in such a manner that the data processing will meet the requirements of Applicable Data Protection Legislation. 

7.7 A list of Pre-approved Sub-processors, as updated from time to time, is set out in Appendix 2. 

8. Transferring Personal Data to a Third Country 

The Processor may move, store, transfer, or otherwise process the personal data outside of the EU/EEA, provided that such transfers meet the requirements and undertakings that follow from Applicable Data Protection Legislation. Where no EU adequacy decision applies to the destination country, the Processor undertakes to enter into the relevant module of the EU Commission’s Standard Contractual Clauses with its Sub-processors that transfer personal data outside the EU/EEA, unless another applicable transfer mechanism applies, and to take all reasonable measures to verify that the engaged Sub-processors ensure the lawfulness of any further transfers of personal data that the Sub-processors’ sub-processors may undertake.

9. Request for Information and Disclosure of Personal Data

9.1 In cases where a data subject or other third party requests information from the Processor about the processing of personal data that belongs to the Controller, the Processor shall refer such data subject or third party to the Controller. 

9.2 In the event a public authority requests the type of data as set forth in Section 9.1, the Processor shall immediately inform the Controller of the request unless prevented by law, and the Processor and the Controller shall thereafter, in consultation, agree on a suitable course of action. Unless expressly agreed between the Parties, the Processor shall not act on behalf of the Controller. 

9.3 The Processor shall not disclose or make any personal data available to third parties unless the Processor is under a legal obligation to disclose the personal data deriving from the laws of the European Union or a Member State, or from an order of a court or public authority. 

9.4 If an obligation to disclose information as stipulated in this Section 9 emerges, the Processor shall immediately inform the Controller of such situation.

10. Audit and Documentation 

10.1 The Processor undertakes to document and keep records of the measures taken by the Processor in order to comply with its obligations under this DPA and Applicable Data Protection Legislation. 

10.2 The Processor shall assist the Controller in obtaining information and documentation relating to the processing of personal data carried out on behalf of the Controller to the extent required to demonstrate that the Processor has fulfilled its obligations in accordance with Applicable Data Protection Legislation. The right to information shall include the right of access to the Processor’s premises. The Controller shall be entitled to request an audit for this purpose which may be conducted either by the Controller or by an independent third party provided that such third party is subject to confidentiality and does not constitute a competitor to the Processor. 

11. Compensation

The Processor shall receive compensation for any reasonable costs for measures which it takes in respect of processing personal data in accordance with this DPA. 

12. Liability

12.1 In the event of compensation for damages in connection with wrongful processing of personal data, which, through an established judgment or settlement, shall be payable to data subjects due to a breach of the provisions in this DPA, the Controller’s instructions or Applicable Data Protection Legislation, Article 82 GDPR shall apply. 

12.2 Any administrative fines pursuant to Article 83 GDPR or Chapter 6 of the Swedish Data Protection Act (2018:218) shall be borne by the Party upon whom such a charge is imposed.

12.3 The breaching Party’s liability towards the other Party for such claims referred to in Section 12.1 above is limited to the amount set out in the Terms of Service.

12.4 The Controller shall fully indemnify the Processor against any damages, fines or costs that the Processor incurs as a result of any breach by the Controller of the warranty set out in Section 3.3. 

13. Term 

With the exception of Sections 5 and 12, the provisions of this DPA shall apply for as long as the Processor processes personal data on the Controller’s behalf.

14. Measures in Connection with Termination

14.1 When the Terms of Service are terminated, the Processor shall, at the Controller’s request and per the Controller’s instructions, permanently delete all personal data processed in accordance with the DPA, or return it to the Controller in a format that the Controller chooses, unless the Processor is required by law to save a copy of the personal data. 

14.2 In this context, deletion means that the personal data is deleted in accordance with the industry standard in force at any given time, so as to make it impossible for the data to be recreated using any technology or method known at the time of deletion. This shall also apply to personal data that has been processed for logging and security purposes.

15. Miscellaneous 

15.1 This DPA forms an integral part of the Agreement between the Parties. In case of conflicting provisions in the Agreement, the DPA shall prevail.

16. Assignment of the DPA

Neither Party shall be entitled to assign its rights or obligations under this DPA, in whole or in part, without the prior written consent of the other Party. However, the Processor may, without the prior written consent of the Controller, assign any of its rights or obligations under this DPA to an affiliate, or to another third party as part of a corporate reorganization, upon a change of control, consolidation, merger, sale of all or substantially all of its business or assets of the Processor.

17. Applicable Law and Dispute Resolution

17.1 This DPA shall be governed by the substantive law of Sweden, without regard to its choice of law provisions.

17.2 Any dispute, controversy or claim that solely regards this DPA shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm and the language to be used in the arbitral proceedings shall, unless otherwise agreed between the Parties, be English. 

17.3 The Parties undertake and agree that any arbitral proceedings conducted with reference to this arbitration clause shall be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way its rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority, applicable stock exchange regulations or the regulations of any other recognized marketplace.

_____________________________




APPENDIX 1

Specification of the Processing

1. Brief Description of the Services

The Services are delivered as part of the Platform, an online business intelligence portal provided by the Processor. The primary users of the Services are companies wanting to get a better understanding of their business performance, such as the Controller. The Services can also be used by the Processor’s representatives to understand the Controller’s business.

The Services include access to the Platform where dashboards with metrics and Key Performance Indicators (“KPI”) are presented to the customer. The Platform aims to enhance understanding of various aspects of the company’s business, including revenue trends, user retention and churn, marketing efficiency, and future projections. The Platform utilises AI models to analyse the company’s data for the purposes of providing the Services and, where applicable, to enable the company’s investors to perform AI-assisted analyses of the company’s business performance. 

The Platform requires access to, inter alia, data regarding financials and sales records to calculate these metrics. The necessary data sets are either provided directly by the Controller or fetched from third-party service APIs managed by the Controller. These data sets are aggregated into statistics and presented in the Platform’s interface.

2. Purpose and Subject Matter of the Processing

The processing of personal data is carried out for the purpose of enabling the Processor to provide the Services to the Controller as described above. This includes data sets fetched by the Platform to calculate business metrics for the Controller. These business metrics are presented to the Controller as a self-service tool where the Controller can log in to learn more about their business performance. The business metrics may also be used together with AI-assisted insights from the Platform to evaluate and follow the health of the Controller’s business, as a foundation for extending loans to the Controller, or for tracking covenants or other obligations set out in the facility documentation.

In the process of acquiring the raw data necessary to provide the Service, the processing may include a limited amount of personal data. Such personal data is not intentionally collected, and any such processing of personal data will be limited to either (i) downloading it together with other business data only to immediately delete it, or (ii) downloading it together with other business data, whereafter such data will be subject to pseudonymization by way of hashing or encrypting such personal data, only in situations where required to provide the Services. Whenever possible, the Processor will abstain from downloading the personal data in the first place, although not all third-party services provide anonymous views of data over their APIs. 

3. Categories of Personal Data

The Platform is designed to minimize and restrict processing of personal data to what is necessary to deliver the Services. To the extent personal data will be processed to determine what other types of data to store, such personal data may contain information regarding data subjects such as:

  • Full names and professional roles 

  • Contact details (including such as home and billing addresses, email addresses, and telephone numbers)

  • Social security numbers

  • Usernames, user- and customer identifiers, customer numbers

  • Geographical location information

  • Invoice details (including invoice number and purchase details)

  • Partial credit card numbers

Sensitive personal data under Article 9 of the GDPR and other personal information which may be regarded as sensitive from an integrity perspective may not be processed in the Platform or Services. The Controller is not permitted to import or store such data unless these instructions are explicitly amended in writing and signed by both Parties. 

4. Categories of Data Subjects

The personal data processed contains information about the Controller’s employees and customers. 

Employees in the context of this DPA refer to individuals who are or have been employed by the Controller.

Customers in the context of this DPA refer to existing or previous customers or end users of the Controller’s goods or services.

5. Processing Operations

The Controller’s login details are encrypted and stored in systems using the AES-256 encryption algorithm (Google Secret Manager, Google Cloud SQL).

During the data ingestion process, the Processor processes personal data on the designated encrypted shared host located in Europe, which communicates with Google BigQuery using TLS. Cross-host data transformation takes place in a closed, secure and shielded environment. Data in the ingestion process is short-lived and is irretrievably deleted once the process completes.

After data ingestion, personal data is stored and transformed only in the Google BigQuery service, which provides encryption in transit and at rest. The Platform uses raw data stripped of personal data to calculate metrics and KPIs. Where the Processor deploys AI-assisted analytical or generative features as part of the Services, personal data may additionally be processed by large language model inference services provided by a Sub-processor. The Sub-processor is contractually prohibited from using customer data for model training, fine-tuning, or model improvement.

6. Location of Processing Operations

Personal data may be stored and processed in the jurisdictions identified in the list of Pre-approved Sub-processors set out in Appendix 2.

7. Duration of the processing (retention period)

The processing of personal data is either:

  1. limited to receiving the raw data, and immediately deleting any personal data from the datasets the Processor receives; or 

  2. limited to receiving the raw data and immediately pseudonymizing any personal data from the datasets the Processor receives, which will be retained only as long as required to provide the Platform and in any event be deleted within 30 days of the termination of the provision of the Platform.

Data deletion is primarily done using the standard Google BigQuery process, which means personal data may persist for a few days before being fully erased. 

The Processor will also apply manual processes to ensure that any remaining personal data is deleted within 30 days of detection.




APPENDIX 2

Pre-approved Sub-processors

For each Sub-processor engaged, the Processor applies the principle of least privilege, meaning that each Sub-processor shall only have access to the minimum personal data required to fulfil its purpose.

Sub-Processor              Service                                       Place of processing
-------------------------  --------------------------------------------  ----------------------------
Google Cloud EMEA Limited  Hosting, internal records and infrastructure  EU
Google Cloud EMEA Limited  Provision of AI models                        EU, US, Asia-Pacific
Anthropic Ireland Limited  Provision of AI models                        EU, US, Asia-Pacific
OpenAI Ireland Ltd         Provision of AI models                        EU/EEA, US, UK, Asia-Pacific
Fivetran Inc.              Data migration and integration provider       EU/EEA