Data Processing Agreement

Effective: April 2026

This Data Processing Agreement (the "DPA") sets out the terms on which Growth Hackers Sthlm AB ("Growth Hackers", "we", "us", the "Processor") processes personal data on behalf of a customer (the "Customer", the "Controller") in connection with the services described in the master services agreement, statement of work, or consulting agreement between the parties (together, the "Main Agreement"). It is entered into to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 (the "GDPR") and applicable national data protection law. Capitalised terms not defined here have the meanings given in the GDPR or the Main Agreement.

1. How to execute this DPA

The Customer may execute this DPA by emailing contact@growthhackers.se with the Customer's legal entity name, registered address, organisation number, and the name and email of the signatory. Growth Hackers will return a counter-signed copy by email, typically within five (5) business days. Until counter-signed, the terms below nonetheless apply to any processing of personal data carried out by Growth Hackers on behalf of the Customer under the Main Agreement.

2. Subject matter, nature, purpose and duration — Art. 28(3)

  • Subject matter. Processing of personal data by Growth Hackers as processor on behalf of the Customer for the purpose of delivering the services agreed in the Main Agreement.
  • Nature and purpose. Growth marketing consulting, including paid-media management, search engine optimisation, content and creative production, conversion rate optimisation, analytics and measurement advisory, customer relationship management configuration, and related advisory work.
  • Duration. The term of the Main Agreement, plus any post-termination return and deletion period set out in Section 11.

3. Categories of data subjects and personal data — Art. 28(3)

  • Categories of data subjects: the Customer's prospects, leads, customers, end-users, and website visitors; the Customer's employees and contractors to the extent they are users of marketing, analytics, or CRM platforms within scope of the engagement.
  • Categories of personal data: contact details (name, email, phone, company, role); marketing-platform identifiers (cookie IDs, advertising IDs, hashed email identifiers used for matching); behavioural and engagement data (pageviews, events, conversions, campaign interactions); CRM records (lifecycle stage, deal data, communication history) where the engagement includes CRM work.
  • Special categories and criminal data: Growth Hackers does not process special categories of personal data within the meaning of Article 9 GDPR or criminal-conviction data within the meaning of Article 10 GDPR in the course of the services. The Customer agrees not to instruct Growth Hackers to do so.

4. Processor obligations — Art. 28(3)(a)–(h)

Growth Hackers will:

  • (a) Documented instructions. Process personal data only on documented instructions from the Customer, including with regard to transfers to a third country or international organisation, unless required to do so by Union or Member State law to which Growth Hackers is subject; in such a case, Growth Hackers will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Main Agreement, this DPA, and ordinary written communications from the Customer's named contact constitute documented instructions.
  • (b) Confidentiality. Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (c) Security. Take all measures required pursuant to Article 32 GDPR, as set out in Section 5.
  • (d) Sub-processors. Engage sub-processors only in accordance with Section 6.
  • (e) Assistance with data subject rights. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR.
  • (f) Assistance with Articles 32–36. Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Growth Hackers, including personal data breach notification (Section 7) and data protection impact assessments.
  • (g) Return or deletion. At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services relating to processing, and delete existing copies, unless Union or Member State law requires storage of the personal data (see Section 11).
  • (h) Audit and information. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (see Section 9).

Growth Hackers will immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

5. Security measures — Art. 32

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Growth Hackers maintains appropriate technical and organisational measures, including:

  • Access control. Role-based access to Customer materials on a need-to-know basis; multi-factor authentication for all personnel accounts that can access Customer data; immediate revocation of access on personnel departure.
  • Credentials. Customer-system credentials and delegated-access tokens are stored in an access-controlled secret store with multi-factor authentication required for retrieval; credentials are revoked on request or at engagement end.
  • Encryption in transit. Transport-level encryption (TLS 1.2 or higher) for communication and file transfer through the sub-processors in Section 6.
  • Encryption at rest. Customer materials at rest in sub-processor-operated platforms are encrypted by the sub-processor in accordance with its standard service terms.
  • Endpoint protection. Personnel devices use full-disk encryption, current operating systems, and endpoint anti-malware.
  • Logging. Access to shared documents and platforms is logged by the underlying sub-processor.
  • Personnel training. Internal security-awareness training covering confidentiality, access hygiene, phishing awareness, and incident reporting.
  • Resilience. Reliance on sub-processors with industry-standard availability and backup commitments; Growth Hackers does not host customer-facing production data on its own infrastructure.

6. Sub-processors — Art. 28(2) and (4)

The Customer grants Growth Hackers a general written authorisation to engage sub-processors for the processing of personal data, subject to the conditions in this Section. The sub-processors engaged at the date of this DPA are:

  • Google LLC / Google Workspace — email, Drive, Meet, and document collaboration (EU data residency).
  • Slack Technologies LLC — engagement communication (EU data residency where available).
  • Anthropic PBC — AI assistance for analysis, drafting, and research (United States, under EU Standard Contractual Clauses).
  • Notion Labs, Inc. and/or Asana, Inc. — engagement and project management.
  • HubSpot, Inc. — customer relationship management, where the engagement includes HubSpot work.
  • Cogny AB — marketing analytics, where the engagement uses the Cogny Cloud platform (EU/Sweden).

Growth Hackers will impose on each sub-processor data protection obligations that are no less protective than those set out in this DPA. Growth Hackers remains fully liable to the Customer for the performance of each sub-processor's obligations.

Growth Hackers will give the Customer at least thirty (30) days' prior notice before adding or replacing a sub-processor that will process Customer personal data. The Customer may object to such a change on reasonable data protection grounds; if the parties are unable to agree on a resolution, the Customer may terminate the affected part of the services in accordance with Section 12.

7. Personal data breach notification — Art. 33

Growth Hackers will notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of a personal data breach within the meaning of Article 4(12) GDPR affecting Customer personal data. The notification will include, to the extent then known:

  • the nature of the breach, including the categories and approximate number of data subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and to mitigate its possible adverse effects; and
  • the name and contact details of the contact point at Growth Hackers.

Growth Hackers will provide the Customer with reasonable assistance in fulfilling the Customer's obligations under Articles 33 and 34 GDPR, including in any communications with supervisory authorities and affected data subjects, and will provide updates at reasonable intervals until the incident is resolved.

8. International transfers — Chapter V

Customer personal data is ordinarily processed within the European Union / European Economic Area through sub-processors configured for EU data residency. Where transfers to a third country are required for the provision of the services, Growth Hackers relies on:

  • an adequacy decision adopted by the European Commission under Article 45 GDPR; or
  • the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the "SCCs"), with appropriate supplementary measures where required following a transfer impact assessment.

Where the SCCs apply between Growth Hackers and a sub-processor, Growth Hackers acts for and on behalf of the Customer in entering into Module 3 (processor-to-processor) of the SCCs with that sub-processor. Where the Customer is established outside the EU/EEA and the SCCs apply between the Customer and Growth Hackers, the parties will execute Module 2 (controller-to-processor) of the SCCs by reference, with the data export details, security measures, and sub-processor list set out in this DPA.

9. Audit — Art. 28(3)(h)

Growth Hackers will make available to the Customer, on reasonable prior request, all information necessary to demonstrate compliance with this DPA. The Customer and its appointed auditors have the right to audit Growth Hackers' compliance with this DPA on the following terms:

  • audits will be conducted on at least thirty (30) days' prior written notice;
  • during normal business hours;
  • not more than once per calendar year, unless triggered by a personal data breach affecting the Customer or by an instruction from a supervisory authority;
  • at the auditing party's expense, save where the audit reveals material non-compliance by Growth Hackers;
  • under reasonable confidentiality obligations; and
  • without disrupting Growth Hackers' obligations to other customers.

Where Growth Hackers' sub-processors are subject to recognised third-party audits or certifications (for example ISO 27001 or SOC 2), Growth Hackers may satisfy information requests under this Section by providing copies of the relevant audit reports or certificates obtained from the sub-processor.

10. Customer obligations and warranties

The Customer warrants that it has all necessary rights, lawful bases, and notices in place to instruct Growth Hackers to process the personal data within scope of this DPA. The Customer is responsible for the accuracy, quality, and legality of the personal data and the means by which it acquired the personal data. The Customer will not instruct Growth Hackers to process personal data in a manner that infringes applicable data protection law.

11. Return and deletion — Art. 28(3)(g)

On termination of the Main Agreement, on the Customer's written request, or on completion of the relevant processing activity, Growth Hackers will, within thirty (30) days, at the Customer's election:

  • return to the Customer all Customer personal data in Growth Hackers' possession or control; or
  • permanently delete all Customer personal data in Growth Hackers' possession or control;

and revoke or return any delegated access to Customer systems. Residual copies held in backups or archives will be deleted within ninety (90) days from the date of primary deletion, subject to any mandatory retention required by Union or Member State law. On completion, Growth Hackers will, on request, provide the Customer with a written confirmation of deletion.

12. Term and termination

This DPA takes effect on the date it is counter-signed by Growth Hackers (or, if earlier, the date Growth Hackers begins processing Customer personal data under the Main Agreement) and continues for the term of the Main Agreement. Sections 11 (Return and deletion), 13 (Liability and order of precedence), and 15 (Contact) survive termination. The Customer may terminate the affected part of the services where the Customer has reasonably objected to a change of sub-processor under Section 6.

13. Liability and order of precedence

Each party's liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Main Agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law, including liability under Article 82 GDPR.

In the event of any conflict between this DPA and the Main Agreement in relation to the processing of personal data, this DPA prevails. Where the Customer is a financial entity that has entered into the Growth Hackers DORA Addendum, the DORA Addendum prevails over this DPA in respect of matters specifically addressed in that addendum.

14. Governing law and jurisdiction

This DPA is governed by the laws of Sweden, without regard to its conflict of laws rules, and is subject to the exclusive jurisdiction of the courts of Stockholm, Sweden, unless a different governing law and forum is specified for the Main Agreement, in which case those provisions apply equally to this DPA.

15. Contact

Requests to execute this DPA, data subject request assistance, breach notifications, and other privacy correspondence should be directed to:

Growth Hackers Sthlm AB
Peter Myndes backe 16, 118 46 Stockholm, Sweden
Org. no. 556963-5211
contact@growthhackers.se

Related: DORA Addendum for financial entities subject to Regulation (EU) 2022/2554.