updated: 2026-01-29

Data Processing Agreement

Connectel Data Processing Agreement (DPA)

 

1. BACKGROUND

1.1 This Data Processing Agreement and its Schedules (the “DPA”) forms part of the Connectel Customer Agreement between Connectel AB (company registration number 556755-6559, having its registered address at Kivra: 556755-6559, 106 31 Stockholm SE) and the Customer for the purchase of Service Provider’s Services (the “Agreement”).

1.2 By signing the Agreement, Customer enters into this DPA.

1.3 All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1.4 For the purposes of this DPA, Connectel AB shall be referred to as the “Service Provider”.

1.5 In the course of providing the Services to Customer pursuant to the Agreement, the Service Provider will process personal data on behalf of the Customer and the Parties agree that the following provisions shall apply with respect to any personal data.

1.6 Terms such as “personal data”, “processing” and “data subject” and other expressions not defined in this DPA or the Agreement shall have the same meaning as set out in the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), as may be amended, updated, replaced or superseded from time to time, if not expressly stated otherwise.

1.7 In case of conflict between the Agreement and the DPA, this DPA shall take precedence in matters relating to the protection of personal data.

2. Customer’s Obligations

2.1 The Customer shall ensure that it:

(i) in its use of the Service, processes personal data in accordance with the requirements of applicable data protection laws;

(ii) provides the relevant information to its end-customers under applicable laws about the processing of personal data, and where appropriate directs such end-customers to the Service Provider’s privacy notice;

(iii) gives instructions for the processing of personal data which comply with applicable data protection laws.

2.2 The Customer has the sole responsibility for the accuracy, quality, and legality of personal data provided by the Customer to the Service Provider and the means by which the Customer acquired the personal data.

2.3 The Customer is responsible for ensuring that the security measures agreed in accordance with Schedule 3 comply with the Customer’s data security obligations pursuant to applicable laws as regards the personal data processed.

2.4 As part of carrying out its obligations under this Agreement, the Service Provider will process personal data pertaining to Customer’s personnel as a controller, collected either directly from the personnel or as provided by the Customer. The Service Provider will also process personal data used within the Service for its own purposes. The Service Provider’s processing activities are described in the Service Provider’s Privacy Notice, available on the Service Provider’s website (www.connectel.io). When the Customer transfers personal data to the Service Provider, the Customer shall ensure that it can lawfully transfer personal data about its personnel and end-customers to the Service Provider, and that it has informed the individuals which the personal data pertains to that information about the Service Provider’s processing of personal data can be found in Supplier’s Privacy Notice.

3. Service Provider’s obligations

3.1 The Service Provider shall to the extent any personal data is processed by the Service Provider on behalf of the Customer under the Agreement:

(i) only process personal data in accordance with the Customer’s documented instructions specified in Schedule 1 of this DPA, unless required to do so under applicable European Union (“EU”) or Member State law to which the Service Provider is subject. The Service Provider shall in such case inform the Customer of such legal obligation unless prohibited by law. The Service Provider has no obligation to monitor the compliance of the Customer’s use of the Services with the GDPR, though the Service Provider shall immediately inform the Customer if the Customer’s documented instructions, in the Service Provider’s opinion, are infringing applicable laws, rules and regulations. Such information shall not be considered as legal advice provided by the Service Provider. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes. If the Customer requests an amendment of the security measures, the Service Provider shall be entitled to reasonable compensation for abiding by the amended instructions;

(ii) ensure that the data subjects listed under Schedule 1 (3.5) or other third parties that are authorized to process personal data are subject to an obligation of confidentiality with regard to the personal data. The Service Provider is only allowed to disclose personal data to third parties if the Customer has given its written consent or if it is required by applicable law;

(iii) implement appropriate technical and organizational measures required pursuant to Article 32 of the GDPR, as set out in Schedule 3;

(iv) not disclose or otherwise reveal any personal data covered by the DPA to a data subject or third party, unless otherwise stated in the Agreement or required by law or a court or official authority’s decision. In the event that the Service Provider must disclose such data due to law or a court or official authority’s decision, the Service Provider shall notify the Customer of the disclosure, unless this is prohibited by applicable law or a court or official authority’s decision;

(v) be hereby granted a general authorization to engage other processors (“Sub-processors”) for the processing of personal data on behalf of the Customer. The engagement of Sub-processors shall be subject to the conditions set forth in Schedule 2 – Sub-processors, including but not limited to the maintenance of an up-to-date list of Sub-processors, advance notification of changes to that list, and the Customer’s right to object. The Service Provider shall ensure that any contract entered into with a Sub-processor imposes data protection obligations that are no less protective than those set forth in this DPA, in accordance with applicable data protection laws. Where a Sub-processor operates under standard, non-negotiable terms, such terms shall apply as described in Schedule 2. The Service Provider shall remain fully liable for the performance of each Sub-processor’s obligations as they relate to the processing of personal data under this DPA;

(vi) have the right to cure an objection from the Customer as described in (v) above, in accordance with the conditions set forth in Schedule 2, at the Service Provider’s sole discretion;

(vii) be allowed to transfer personal data to third countries outside the EU or European Economic Area (“EEA”) in accordance with the Customer’s documented instructions. When personal data is transferred to a country that does not ensure an adequate level of data protection, the Service Provider ensures that the transfer is made subject to adequate safeguards as stated in Chapter V GDPR being in place. The Service Provider may for this purpose rely on the standard contractual clauses set forth in the annex to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”), or decisions and clauses that may replace or amend these. The Customer acknowledges and agrees that the Service Provider or Sub-processor, as applicable, may utilize different modules of the SCCs as applicable, and that module 3 of the SCCs in most cases will be the applicable module. The Service Provider may choose not to perform a transfer impact assessment (TIA) in relation to a transfer of data to a third country if it is deemed safe by the European Commission, as listed in the adequacy decisions here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If the requirement to perform such an assessment instead lies with a Sub-processor appointed by the Service Provider, the Service Provider will request that the Sub-processor performs the necessary assessment. Some Sub-processors may publish relevant information, such as risk assessments, on their respective websites, which is beyond the Service Provider’s control. The Customer acknowledges that such information, including any assessments, is beyond the Service Provider’s control and accepts the reliance on such information and assessments;

(viii) taking into account the nature of the processing and the information available for the Service Provider, assist the Customer in its obligation to respond to requests from data subjects pursuant to chapter III in the GDPR by implementing appropriate technical and organizational measures, insofar as this is possible;

(ix) taking into account the nature of the processing and the information available to the Service Provider, assist the Customer in fulfilling its obligations pursuant to Articles 32 to 36 of the GDPR. This includes providing available technical documentation, system configuration options, and audit logs upon request; offering built-in tools for anonymization and deletion of personal data; and supporting the Customer in performing data protection impact assessments or responding to supervisory authorities. Such assistance shall be provided within reasonable timelines, typically no more than ten (10) business days, unless otherwise agreed;

(x) in the event the Service Provider becomes aware of a Personal Data Breach, as defined under applicable data protection law, the Service Provider shall, without undue delay and in any event no later than seventy-two (72) hours thereafter, notify the Customer of the breach. Such notification shall, where possible, include all information required under Article 33(3) of the GDPR, including: (i) a description of the nature of the breach, (ii) the categories and approximate number of data subjects and data records concerned, (iii) the contact details of a relevant contact person, (iv) the likely consequences of the breach, and (v) the measures taken or proposed to address it, including efforts to mitigate its potential adverse effects. The Service Provider shall cooperate with the Customer and provide reasonable assistance in relation to the investigation, mitigation, and remediation of the breach. The Customer, acting as the data controller, retains sole responsibility for fulfilling any legal obligations to notify supervisory authorities or data subjects. Except where required by law, the Service Provider shall not issue any public statements or notices, nor notify any third parties, including data subjects or supervisory authorities, without the Customer’s prior written consent;

(xi) on termination or expiration of the Agreement or on instruction from the Customer, upon written request and at the Customer’s choice, return or delete all personal data processed under the Agreement, unless Service Provider is required to retain the personal data by applicable laws, disaster recovery requirements, or other rules and regulations. Unless the Customer makes such written request for the return of all personal data within fourteen (14) days from the Agreement’s termination or expiration, the Service Provider assumes that the Customer wishes that the Service Provider shall delete the personal data;

(xii) upon the Customer’s request, make available all information necessary to demonstrate Service Provider’s compliance with the obligations laid down in Article 28 in the GDPR and in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer and accepted by the Service Provider. The Service Provider shall not unreasonably withhold its acceptance. The audit shall be carried out a maximum of once (1) per calendar year unless the Customer demonstrates reasonable cause for further audits, and a written notice shall in all cases be sent to the Service Provider with a notice period of at least sixty (60) days before the audit commences. The audit shall be conducted during the Service Provider’s normal working hours without disturbance to the normal operations of the Service Provider. If the Service Provider’s personnel are required to assist the Customer during the audit, the Service Provider shall be entitled to reasonable compensation for such assistance; and

(xiii) Customer shall reimburse the Service Provider for reasonable business expenses incurred in the performance of its duty to assist the Customer under clause 3.1(viii), 3.1(ix), 3.1(xi) and 3.1(xii) in the DPA.

4. Limitation of liability and Indemnification

4.1 The Service Provider’s liability shall be limited in accordance with what is set out in the Agreement. This includes, for example, claims from data subjects and administrative penalties or fines issued by relevant courts or data protection authorities.

4.2 The Customer shall indemnify and hold harmless the Service Provider from any liability arising as a result of the Customer’s infringement of the GDPR or other applicable laws or as a result of the Customer’s instructions to the Service Provider which are in breach of the provisions of the GDPR or other applicable laws.

5. Miscellaneous

5.1 This DPA is valid for as long as the Service Provider is processing personal data on behalf of the Customer.

5.2 This DPA shall be governed in accordance with what is set out in the Agreement.

Schedule 1 – Customer’s instructions

1. General

This DPA and the following are the complete instructions from the Customer to the Service Provider for the processing of personal data, which is covered in this DPA, as of the commencement of the Agreement.

While delivering the Service, the Service Provider will process personal data and can do so as a controller or a processor.

In most cases, the Service Provider acts as a processor of personal data on behalf of the Customer. The Service Provider offers a software-as-a-service (SaaS) platform and assumes no responsibility for the personal data collected or submitted by the Customer through the platform. Its responsibility is limited to processing that data in accordance with this DPA and the Customer’s documented instructions. For example, when the Customer initiates a phone call to its end-customer, the Service Provider facilitates the interaction on the Customer’s behalf, acting as a processor while the Customer remains the controller.

Notwithstanding the foregoing, the Service Provider may, under specific circumstances, act as a controller in respect of certain processing activities. Such instances are detailed in Section 3.3 of this Schedule 1.

2. Retention of personal data

The retention period for personal data processed under this Agreement shall be determined based on the type of data, its sensitivity, and its relevance to the ongoing operation and sustainability of the platform. As such, different data categories or system components may be subject to varying retention policies, which are aligned with the Service Provider’s internal security classifications.

The Customer is provided with the ability to manage data retention settings via the Compliance and Security section of the Customer’s given portal. These settings enable customers to configure specific retention periods for various data types, in accordance with their own compliance, legal, and governance obligations.

3. Information about the processing

3.1 Integration services

In the course of performing integration services pursuant to the Agreement, the Service Provider may, as a consequence of accessing the Customer’s systems or environments, come into contact with personal data. Any such access and corresponding processing of personal data shall be incidental and strictly limited to what is necessary for the purposes of implementing, configuring, and testing the integration in accordance with the Customer’s instructions.

The Service Provider shall not process such personal data for any purpose other than the performance of the integration services, and shall implement appropriate technical and organizational measures to protect the data in accordance with the obligations set forth in this DPA.

3.2 Consultancy services as an add-on

If the Customer and Service Provider have agreed that the Service Provider shall provide consultancy services to the Customer, this DPA shall govern and control the Service Provider’s processing of personal data on the Customer’s behalf in connection with providing such consultancy services. The details of the processing operations, such as the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects may be set out in a separate agreement, work order, statement of work, or similar, which refers to this DPA as the contract governing the processing of such personal data and setting out the rights and obligations of the Customer.

3.3 Personal data processed by the Service Provider as the controller

The Service Provider, acting as the data controller, may process personal data for the following purposes:

  • Operational and Troubleshooting Data: The Service Provider may process information necessary to operate the service and troubleshoot any issues, which typically includes contact information of the Customer’s employees.
  • Traffic Data: The Service Provider may process traffic data, including but not limited to, the participants in the communication, the time of the communication, and the duration of the communication, which must be stored in accordance with applicable legal obligations.
  • Aggregated and Anonymised Statistics: The Service Provider may aggregate and/or anonymize personal data processed on behalf of the Customer to generate statistics. These statistics may include, but are not limited to, interaction data, timing of occurrences, and any other data uploaded by the Customer for processing. The purposes of this processing are as follows: (i) To generate statistics on service usage and utilization; (ii) To troubleshoot and address service issues; (iii) To enhance and tailor the service to meet the Customer’s needs and demands.
  • Security Purposes: The Service Provider may use personal data processed on behalf of the Customer for internal IT security purposes, including maintaining the security of the Service Provider’s services and, when necessary, assisting the Customer in protecting its agents.
  • Communication with Agents and Users: The Service Provider may use the names and email addresses of the Customer’s agents and other users for the purpose of sending relevant communications, including but not limited to service-related updates, notifications of upcoming training sessions, seminars, and similar activities. The Service Provider’s determination of what constitutes relevant or beneficial information will be based on the professional role of the recipient and the overall benefit to the Customer.

3.4 Data Subjects

The personal data processed by the Service Provider, including by its authorized subprocessors, in connection with the provision and operation of the Customer’s system may concern the following categories of data subjects:

  • End Users of the Customer: Individuals who are the end recipients of communication facilitated by the Customer’s system, including but not limited to persons contacted via voice, chat, or email services provided through the platform;
  • Customer Personnel: Employees, agents, and representatives of the Customer who are authorized to access or use the Customer’s system, including contact center agents, administrators, and supervisory personnel;
  • Customer-Designated Support Contacts: Individuals identified by the Customer for purposes of operational coordination, support, or contractual communication;
  • Authorized Third Parties: Consultants, contractors, or other external parties explicitly authorized by the Customer to access or use the Customer’s system on its behalf.

3.5 Data Categories

In accordance with the General Data Protection Regulation (GDPR), the processing of personal data under this Agreement may include the following categories of personal data:

| Categories | Data |
| --- | --- |
| Identification Data | Name, email address, phone number, username, and internal customer identifiers. |
| Contact Data | Phone numbers (inbound and outbound), email addresses, and postal addresses if provided during communication. |
| Communication Content | Text from chat, email, or other messaging channels, as well as transcriptions of voice calls (where applicable and enabled by the customer). |
| Voice and Audio Data | Recordings of voice calls, audio messages, and voicebot interactions (if enabled), including transcriptions and extracted text. |
| Technical and Usage Data | IP addresses, device identifiers, browser type, connection metadata, time zone, and platform usage statistics. |
| Support and Operational Data | Information voluntarily submitted during support interactions, including logs, screenshots, or structured case data. |

Schedule 2 – Sub-processors

1.1 The Customer agrees that the Service Provider engages certain sub-processors and authorizes the Service Provider to engage additional or replacement sub-processors for specific processing activities on behalf of the Customer, provided that:

  • The Service Provider maintains an up-to-date list of its sub-processors and notifies the customer in advance of any intended changes to that list;
  • The customer subscribes to such notifications and will be informed at least 30 (thirty) calendar days in advance of any proposed addition or replacement;
  • If the customer does not object within that 30-day period, the change will be deemed accepted; 

 

The Service Provider ensures that all sub-processors are bound by data protection obligations that are no less protective than those outlined in this DPA, through written contracts or equivalent legal instruments in accordance with applicable data protection laws.

Where the Service Provider engages a sub-processor whose terms cannot reasonably be imposed or negotiated (e.g., cloud service providers operating on standard non-negotiable terms), but those terms are consistent with the requirements of Article 28 of the GDPR, and provided the customer has been informed of such terms, those sub-processor terms shall:

  • Apply to the processing carried out by that sub-processor; and
  • Be deemed to represent the complete set of obligations, responsibilities, and liabilities applicable to that processing, as if the Service Provider were subject to those same terms in that context.

1.2 The Customer may object to the appointment of a new sub-processor on reasonable, documented grounds relating to data protection. In such cases, the parties will cooperate in good faith to resolve the matter. If no resolution is reached within (60) days, either party may terminate the affected services without liability for damages resulting solely from such termination.

1.3 The Service Provider remains fully liable to the customer for the performance of its sub-processors’ data protection obligations, in accordance with the terms of this DPA.

1.4 To the extent required by applicable data protection law, the customer may request that the Service Provider conducts or confirms an audit of a sub-processor’s compliance with data protection obligations relevant to processing on behalf of the customer.

2. Subprocessors

The Service Provider engages third-party subprocessors to support the provision of the Service and to carry out specific processing activities on behalf of the Customer. Subprocessors are categorized as follows:

  • Core Subprocessors: These subprocessors are engaged by default to support the delivery of the core Service and related ancillary services that may be used to enhance customer experience, including support functions. While their use is mandatory for the Service Provider to operate and maintain the Service, customers are not obliged to use or engage with all ancillary services.
  • Optional Subprocessors: These subprocessors are engaged only when the Customer activates, opts-in, or utilizes specific optional features, modules, or integrations within the Service.

2.1 List of Core Subprocessors

| Name | Purpose | Processing Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure services including compute and storage | Customer Data is processed in EU/EEA. CloudFront (CDN) service is provisioned from USA but deployed globally | SCC:s + TIA + DPF (Data Privacy Framework) |

2.2 List of Optional Subprocessors

| Name | Feature(s) | Purpose | Processing Location | Transfer Mechanism |
| --- | --- | --- | --- | --- |
| Featurebase | User Communication | Roadmap, Changelog and Feature updates | EU/EEA | N/A |
| Better Stack | User Communication | Service uptime monitoring | EU/EEA | N/A |
| OpenAI | Reply Assistant, Agent Assistant, Speech Analytics, Conversation Summarize, Voicebot | Natural language processing | USA | SCC:s + TIA |
| DeepGram | Speech Analytics | Natural language processing | USA | SCC:s + TIA |
| Google Cloud Speech | Voicebot Services | Natural language processing, Journey Text To Speech | Processing is configured to occur in the EU/EEA; any third-country access is protected by SCCs and supplementary safeguards. | SCC:s + TIA + DPF (Data Privacy Framework) |
| Infobip | Voice, Text Messages (SMS) | Provision of phone numbers (DIDs), call routing and connectivity, sending and receiving Text Messages (SMS) | EU/EEA | N/A |
| Bandwidth | Voice | Provision of phone numbers (DIDs), call routing and connectivity | EU/EEA | N/A |
| Tele2 | Voice | Provision of phone numbers (DIDs), call routing and connectivity | EU/EEA | N/A |
| GlobalConnect | Voice | Provision of phone numbers (DIDs), call routing and connectivity | EU/EEA | N/A |
| Xenialab s.r.l. | Support Services | Provide Connectel with third-level support for Connectel Motion services. | EU/EEA | N/A |

Schedule 3 – technical and organisational measures

1.1 The Service Provider warrants that it has implemented, and will maintain, appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and all other unlawful forms of processing. These measures take into account:

  • the nature, scope, context and purposes of the processing;
  • the risks posed to data subjects;
  • the state of the art and cost of implementation.

Such measures include, where appropriate:

  • pseudonymisation and/or encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore availability and access to personal data in a timely manner in the event of an incident;
  • processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures;
  • processes for identifying vulnerabilities in systems used to provide services to the Customer;
  • other reasonable security controls agreed between the Parties.

The Service Provider is certified under ISO/IEC 27001, the international standard for information security management systems (ISMS), as part of its commitment to implementing and maintaining robust information security practices.

A detailed specification of the Service Provider’s technical and organisational measures is available and listed at https://connectel.io/security/

1.2 Upon the Customer’s request, the Service Provider shall provide information necessary to demonstrate compliance with the technical and organisational measures referred to in this section. The Customer shall have the right to audit and test such measures in accordance with the provisions set forth in Section 1.4 of Schedule 2 of this DPA.

1.3 If changes in applicable data protection laws require the Customer to instruct the Service Provider to implement additional or enhanced security measures, and such measures necessitate an amendment to the Agreement, the Parties shall engage in good faith negotiations to agree on the required changes.

1.4 Operational Resilience (DORA)

The Service Provider acknowledges that certain Customers may be subject to the Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”). To support such Customers, the Service Provider undertakes to:

(i) maintain information security, risk management and operational resilience measures in accordance with its ISO/IEC 27001 and ISO 9001 certifications;

(ii) operate a documented Business Continuity Management framework and incident management process, including the ability to restore availability and access to personal data in a timely manner in the event of an ICT-related incident;

(iii) notify the Customer without undue delay — and in accordance with the notification timelines specified in Section 3.(x) — of any major ICT-related incident or significant cyber threat affecting the Services provided to the Customer;

(iv) ensure that any Sub-processors engaged in delivering the Services are subject to equivalent obligations on security, risk management and operational resilience;

(v) provide, upon reasonable request, relevant certifications, audit reports, or other information necessary to demonstrate compliance with the above measures, and to enable the Customer to fulfil its obligations under DORA;

(vi) provide reasonable assistance to the Customer, within the scope of the Services, in connection with any ICT-related incident that affects the Services provided to the Customer; such assistance shall be provided at no additional charge where it falls within the Service Provider’s standard incident management and support processes included in the Services, and otherwise in accordance with the Service Provider’s pre-agreed professional services rates or price list;

(vii) cooperate in good faith with the Customer’s competent supervisory or resolution authorities, and with any persons appointed by them, insofar as such cooperation relates to the Services provided to the Customer; 

(viii) maintain appropriate ICT security awareness and training for its personnel, and, where reasonably requested, provide the Customer with information on such programmes.

(ix) For the avoidance of doubt, the assistance described in item (vi) above is included as set out therein and shall not be subject to additional charges under this DPA, except where such assistance falls outside the Service Provider’s standard incident management and support processes and is therefore provided in accordance with the pre-agreed professional services rates or price list.

 

For any questions regarding this Data Processing Agreement, please contact us at privacy@connectel.se.
