Gridheart Data Processing Terms
Version 2026-03
These Data Processing Terms (including appendices, "Data Processing Terms") are entered into by Gridheart AB, org.nr 556779-9209 ("Gridheart") and the customer identified in the applicable Service Agreement ("Customer"), and supplement the Gridheart Service Agreement(s) (the "Agreement").
These Data Processing Terms set out the manner in which Gridheart shall process Personal Data on behalf of Customer.
1. Definitions
In these Data Processing Terms:
"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
"Customer Personal Data" means personal data that is processed by Gridheart on behalf of Customer in Gridheart's provision of the Processor Services.
"Data Incident" means a breach of Gridheart's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Gridheart. Data Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
"Data Protection Legislation" means, as applicable: (a) Regulation (EU) 2016/679 (the "GDPR"); (b) national legislation implementing or supplementing the GDPR, including the Swedish Data Protection Act (2018:218); (c) Regulation (EU) 2018/1725; and/or (d) any other applicable data protection or privacy legislation.
"EEA" means the European Economic Area.
"Gridheart Entity" means Gridheart AB or any Affiliate of Gridheart AB.
"Notification Email Address" means the email address designated by Customer to receive notifications from Gridheart relating to these Data Processing Terms.
"Processor Services" means the applicable services listed at gridheart.com/data-processing-terms-services.
"Restricted Transfer" means a transfer of Customer Personal Data to a country outside the EU/EEA that is not subject to an EU Commission adequacy decision.
"Security Measures" has the meaning given in Section 6.1.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914, as may be amended or replaced from time to time.
"Subprocessors" means third parties authorized under these Data Processing Terms to process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.
"Term" means the period from the effective date of these Data Processing Terms until the end of Gridheart's provision of the Processor Services under the Agreement.
"Third Party Product(s)" means any service offered through the Gridheart Marketplace by a third party.
The terms "controller", "data subject", "personal data", "processing", "processor" and "supervisory authority" as used in these Data Processing Terms have the meanings given in the GDPR.
2. Scope and Duration
2.1 These Data Processing Terms apply to the extent that Data Protection Legislation applies to the processing of Customer Personal Data in connection with the Processor Services.
2.2 These Data Processing Terms take effect on the date they are accepted by both parties and, notwithstanding expiry of the Term, remain in effect until deletion of all Customer Personal Data by Gridheart as described herein.
2.3 In the event of any conflict between these Data Processing Terms and the remainder of the Agreement, these Data Processing Terms shall prevail.
3. Roles and Responsibilities
3.1 The parties acknowledge and agree that:
- (a) Gridheart is a processor of Customer Personal Data under Data Protection Legislation;
- (b) Customer is a controller or processor, as applicable, of Customer Personal Data under Data Protection Legislation; and
- (c) each party will comply with the obligations applicable to it under Data Protection Legislation.
3.2 If Customer is a processor, Customer warrants that Customer's instructions and actions with respect to Customer Personal Data, including its appointment of Gridheart as a sub-processor, have been authorized by the relevant controller.
4. Processing of Customer Personal Data
4.1 Nature and Purpose. Gridheart will process Customer Personal Data for the purpose of providing the Processor Services and any related technical support to Customer in accordance with these Data Processing Terms. Processing activities may include collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying Customer Personal Data.
4.2 Categories of Data Subjects. Customer Personal Data may relate to: (a) individuals whose personal data is transferred to Gridheart in connection with the Processor Services by, at the direction of, or on behalf of Customer; and (b) end users or customers of Customer's products or services.
4.3 Types of Personal Data. Customer Personal Data may include the types of personal data described at gridheart.com/data-processing-terms-services.
4.4 Customer Instructions. Customer instructs Gridheart to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Customer's use of the Processor Services and their settings and functionality; (c) as documented in the Agreement, including these Data Processing Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Gridheart.
4.5 Compliance with Instructions. Gridheart will comply with Customer's instructions unless EU or Member State law requires other processing, in which case Gridheart will inform Customer before such processing (unless prohibited by law on important grounds of public interest).
4.6 Third Party Products. If Customer uses any Third Party Product, the Processor Services may allow that Third Party Product to access Customer Personal Data as required for interoperation. These Data Processing Terms do not apply to processing by Third Party Products.
5. Data Deletion
5.1 Deletion During Term. During the Term, Gridheart will comply with reasonable requests from Customer to facilitate deletion of Customer Personal Data, insofar as possible taking into account the nature and functionality of the Processor Services and unless applicable law requires retention. Gridheart may charge a reasonable fee for such deletion, communicated in advance.
5.2 Deletion on Term Expiry. On expiry of the Term, Customer instructs Gridheart to delete or anonymize all Customer Personal Data (including existing copies) from Gridheart's systems in accordance with applicable law. Gridheart will comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless applicable law requires continued storage.
6. Data Security
6.1 Security Measures
6.1.1 Gridheart will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as described in Appendix 1: Security Measures. Gridheart may update the Security Measures from time to time, provided that such updates do not result in a degradation of the overall security of the Processor Services.
6.1.2 Gridheart will ensure that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.1.3 Gridheart will, taking into account the nature of the processing and the information available to Gridheart, assist Customer in ensuring compliance with Customer's obligations pursuant to Articles 32 to 34 of the GDPR.
6.2 Data Incidents
6.2.1 If Gridheart becomes aware of a Data Incident, Gridheart will: (a) notify Customer without undue delay and in any event within 48 hours of becoming aware of the incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.
6.2.2 Notifications will describe, to the extent possible: (a) the nature of the Data Incident, including the categories and approximate number of data subjects and personal data records concerned; (b) the likely consequences of the Data Incident; (c) the measures taken or proposed to address the Data Incident; and (d) the contact point for further information.
6.2.3 Notifications will be delivered to the Notification Email Address or, at Gridheart's discretion, by other direct communication. Customer is responsible for providing and maintaining a current Notification Email Address.
6.2.4 Customer is responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident.
6.3 Customer Responsibilities
6.3.1 Customer is responsible for making appropriate use of the Processor Services, including ensuring a level of security appropriate to the risk, and for securing account authentication credentials, systems and devices used to access the Processor Services.
6.3.2 Customer acknowledges that the Security Measures provide a level of security appropriate to the risk in respect of Customer Personal Data, taking into account the state of the art, costs of implementation, nature, scope, context and purposes of processing.
6.4 Audits
6.4.1 Gridheart will make documentation of the Security Measures available for review by Customer to demonstrate compliance with these Data Processing Terms.
6.4.2 Customer or a third-party auditor appointed by Customer may conduct audits to verify Gridheart's compliance. Audits require reasonable advance notice, and the parties will agree on scope, timing, duration and applicable confidentiality controls.
6.4.3 Gridheart may charge a reasonable fee for audits. Gridheart may object to a third-party auditor that is a competitor or otherwise not suitably qualified or independent, in which case Customer shall appoint another auditor.
6.4.4 Nothing in these Data Processing Terms requires Gridheart to disclose data of other customers, internal financial information, trade secrets, or information that could compromise the security of Gridheart's systems.
7. Impact Assessments
Gridheart will, taking into account the nature of the processing and the information available, assist Customer in ensuring compliance with any obligations regarding data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR.
8. Data Subject Rights
8.1 Gridheart will, taking into account the nature of the processing, assist Customer in fulfilling Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.
8.2 If Gridheart receives a request from a data subject in relation to Customer Personal Data, Gridheart will advise the data subject to submit the request to Customer, unless Gridheart has a standardized tool for direct responses.
8.3 Gridheart may charge a reasonable fee for assistance beyond what is provided through standard functionality of the Processor Services.
9. International Transfers
9.1 Gridheart will not transfer Customer Personal Data to a country outside the EU/EEA unless appropriate safeguards are in place in accordance with Data Protection Legislation, namely:
- (a) the transfer is to a country subject to an EU Commission adequacy decision (and is therefore not a Restricted Transfer); or, for a Restricted Transfer,
- (b) Standard Contractual Clauses are in place, supplemented by a transfer impact assessment where required; or
- (c) another valid transfer mechanism under Data Protection Legislation applies.
9.2 Where Gridheart relies on Standard Contractual Clauses for a Restricted Transfer, Customer agrees to enter into such clauses with Gridheart as necessary.
9.3 Information about sub-processor locations and data center locations is available at gridheart.com/sub-processors and gridheart.com/data-processing-terms-services.
10. Sub-processors
10.1 Authorization. Customer specifically authorizes the engagement of Gridheart Affiliates as sub-processors. Customer also generally authorizes the engagement of third-party sub-processors listed at gridheart.com/sub-processors.
10.2 Sub-processor Obligations. Gridheart will ensure via written contract that each sub-processor: (a) only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, in accordance with the Agreement and these Data Processing Terms; and (b) is subject to data protection obligations at least as protective as those set out in these Data Processing Terms, in accordance with Article 28(3) of the GDPR.
10.3 Liability. Gridheart remains fully liable for all obligations subcontracted to, and all acts and omissions of, its sub-processors.
10.4 Changes to Sub-processors. When Gridheart engages a new third-party sub-processor, Gridheart will inform Customer at least 30 days before the new sub-processor processes any Customer Personal Data, by updating the sub-processor list at gridheart.com/sub-processors and by notification via the Gridheart Platform or email.
10.5 Objection Right. Customer may object to a new sub-processor within 30 days of being informed. The parties will seek to agree on a mutually acceptable solution. If no solution is reached, Customer may terminate the affected part of the Agreement upon written notice to Gridheart, which shall be Customer's sole and exclusive remedy.
11. Confidentiality
Gridheart shall keep all Customer Personal Data in strict confidence and not disclose any Customer Personal Data to third parties unless authorized by Customer, required by applicable law, or necessary for the performance of these Data Processing Terms. This confidentiality obligation survives termination of these Data Processing Terms and continues until all Customer Personal Data has been deleted or anonymized.
12. Liability
The provisions regarding liability under the Agreement shall apply correspondingly to these Data Processing Terms, without prejudice to Article 82 of the GDPR.
13. Processing Records
Customer acknowledges that Gridheart is required under GDPR Article 30 to maintain records of processing activities. Customer will provide Gridheart with information necessary for such records and ensure it remains accurate and up to date.
14. Changes to These Data Processing Terms
14.1 Gridheart may update the URLs and content referenced in these Data Processing Terms, including the service list at gridheart.com/data-processing-terms-services, to reflect name changes, new services, or removal of terminated services.
14.2 Gridheart may change these Data Processing Terms if the change: (a) is required to comply with applicable law or regulation; (b) reflects a change in the name or form of a legal entity; or (c) does not: (i) degrade the overall security of the Processor Services; (ii) expand the scope of Gridheart's processing; or (iii) otherwise have a material adverse impact on Customer's rights.
14.3 Material changes will be communicated at least 30 days in advance. Customer may terminate the Agreement within 30 days of being informed if Customer objects to the change.
15. Applicable Law and Disputes
15.1 These Data Processing Terms shall be governed by Swedish law, without regard to conflict of laws provisions.
15.2 Any dispute arising out of or in connection with these Data Processing Terms shall be settled in accordance with the dispute resolution provisions of the Agreement.
Previous versions: Version 2018-05