Get a demo
Log in

Data Protection Agreement

DPA

Your data – your terms

Last updated: 2025-04-15

DATA PRIVACY AGREEMENT

This Data Processing Agreement (“Agreement”) sets forth the terms under which Goget AB, a company incorporated under the laws of Sweden with its principal place of business at Viktor Rydbergsgatan 10, 411 32 Gothenburg, Sweden (“Goget”), processes personal data on behalf of its customers (“Client”) in connection with the provision of its services.

This Agreement applies to all Clients who use Goget’s services where Goget acts as a data processor and the Client acts as a data controller, as defined under applicable data protection laws.

Each of Goget and the Client may be referred to individually as a “Party” and collectively as the “Parties.”

1. Purpose and Scope

This Agreement governs the collection, use, storage, sharing, and protection of personal data processed by Goget on behalf of the Client in connection with the provision of Goget’s meeting room display solution (“Services”), including synchronization with Microsoft 365 Exchange Online, Exchange On-Premises, or Google Workspace.

The Client (as Data Controller) has entered into a Purchase Agreement with Goget, under which the Client is granted a license to access and use the Services. Personal data submitted to the Services is selected, collected, or otherwise made available by the Client and/or by third parties designated by the Client, including those with whom the Client interacts through the Services.

Personal data is stored and processed within the Services exclusively for the purpose of delivering, supporting, and maintaining the Services, as instructed by the Client and in accordance with applicable data protection laws, including the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”).

For the avoidance of doubt, the terms of this Agreement shall apply only while the Client holds an active license to the Services.

Unless otherwise stated, we collect only the minimum personal data necessary for functionality, security, and compliance.

2. Roles and Responsibilities

  • The Client acts as the Data Controller, determining the purposes and means of the processing of personal data.
  • Goget acts as the Data Processor, processing personal data solely on behalf of the Client and in accordance with the Client’s documented instructions.
  • Under no circumstances shall Goget be deemed to act as a Data Controller in relation to the personal data processed under this Agreement.
  • Each Party shall comply with its respective obligations under applicable data protection laws

3. Ownership of Personal Data

All personal data processed under this Agreement remains the sole property of the Client. Nothing in this Agreement shall be construed as transferring any ownership rights in the personal data to Goget.

4. Personal Data Processed

Goget may process the following categories of personal data on behalf of the Client:

  • Account Data: Administrator names, email addresses, phone numbers.
  • Support Data: Contact details and support case information.
  • System Data: IP addresses, language settings, device and software configurations, debug logs.
  • Meeting Information: Basic meeting event information as exchanged with the Client calendar integration to Microsoft 365 Exchange Online, Exchange on-premises or Google Workspace.

Special Categories of Data (as defined under GDPR Article 9) are not intended to be processed under this Agreement and client agrees not to transmit or store such data via the Services.

5. Data Minimization and Privacy by Design

Goget implements and maintains the principles of data minimization and privacy by design, including:

  • Pseudonymized Access: Clients may configure user accounts using non-personally identifiable information (e.g., generic service accounts).
  • Limited Data Collection: Only the minimum necessary information required to provide the Services is collected and processed.

Goget’s systems and processes are built to ensure that personal data is collected only when essential, protecting user privacy at every stage.

6. Use and Processing of Data

Goget shall:

  • Process personal data solely for providing, supporting, maintaining, and improving the Services as instructed by the Client.
  • Not use personal data for any marketing, analytics, or other unauthorized purposes. However, Goget may contact the Client using the provided contact details to share essential product updates, security notices, and information necessary to ensure optimal delivery, fault reduction, and improvement of the Services, provided such communications are directly related to the Client’s use of the Services and do not constitute external marketing.
  • Not sell, lease, or share personal data with third parties except as required to provide the Services.

7. Sub-Processors

Goget may share personal data with trusted Sub-Processors located in the EU/EEA or in countries with adequacy decisions by the European Commission. Sub-Processors may provide services such as:

  • Payment processing
  • Third-party logistics and communications services;
  • Communication with the Client, such as via email, customer relationship management systems, or survey delivery, where such communication is necessary to support, maintain, or improve the delivery and quality of the Services.

Sub-Processors shall:

  • Process personal data only under Goget’s instructions;
  • Implement security measures consistent with this Agreement;
  • Be bound by written agreements ensuring compliance with GDPR. Such agreements may be in the form of direct contracts, explicit consents to the use of specific Sub-Processors, or other arrangements that Goget deems adequate following an internal assessment of compliance with applicable data protection laws.

Goget shall maintain an internal list of its Sub-Processors, which will be made available upon request to Clients who have entered into a formal agreement with Goget prior to or in connection with a Purchase Agreement. Such Clients may subscribe to receive notifications of intended changes to Sub-Processors at least 30 days in advance, and may object to the appointment of new Sub-Processors within 14 days of such notice.

Goget only shares personal data with such third parties where it is necessary for them to provide the requested services or perform duties on Goget’s behalf. These third parties (and their subcontractors) are bound by strict data processing terms and conditions, and are prohibited from using, sharing, or retaining personal data for any purpose other than as specifically contracted or without the Client’s consent

8. Security Measures

Goget shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing of personal data, including:

  • Encryption of data in transit (TLS) and at rest.
  • Access control measures, including Multi-Factor Authentication (MFA).
  • Vulnerability assessments and penetration testing.
  • Use of secure, ISO 27001-certified data centers operated by Google Cloud within the EU/EEA.

9. Data Storage and Location

All personal data processed by Goget will be stored exclusively within the European Union or European Economic Area (EU/EEA), unless otherwise expressly agreed in writing by the Parties. If transferred outside the EU/EEA, such transfers shall be protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.

10. Data Retention and Deletion

  • Goget retains personal data only as long as necessary to provide the Services or to fulfill legal obligations.
  • Upon expiration or termination of the Services, or upon written request by the Client, Goget shall securely delete or return all personal data unless continued retention is required by applicable law. Deletion from backup systems may be delayed in accordance with Goget’s standard backup retention schedules.
  • Clients will be offered a window to retrieve or receive a copy of their data before deletion, in accordance with applicable law and best practices, but in no case shall such window exceed 30 days.

11. Data Subject Rights

Upon written request, Goget shall:

  • Make reasonable efforts to assist the Client in responding to data subject requests under GDPR, taking into account the nature of the processing and the information available to Goget.
  • Refer any direct requests from data subjects to the Client, unless legally required to respond.
  • Reserve the right to recover reasonable and proportionate costs for assistance in handling requests that are manifestly unfounded, excessive, or repetitive.

12. Data Breach Notification

Goget shall notify the Client without undue delay and, where feasible, within 48 hours of becoming aware of a personal data breach affecting Client personal data. Such notification shall include:

  • A description of the nature of the breach,
  • The categories and approximate number of affected data subjects and records,
  • The measures taken or proposed to address the breach and mitigate its effects.
  • Goget shall make reasonable efforts to cooperate with the Client, taking into account the nature and scope of the incident.

13. Client Obligations

The Client represents and warrants the following, in addition to the obligations under applicable law:

  • It has obtained and processes personal data lawfully;
  • It informs data subjects where applicable about the use of processors and data transfers, and undertakes to take all reasonable measures to avoid sharing more personal data than necessary, including using pseudonymized or minimized alternatives where appropriate;
  • It will not submit special categories of data without a lawful basis;
  • It will respond to supervisory authorities and provide instructions to Goget in a timely manner;
  • All communications relating to this Agreement shall be conducted in good faith and with a constructive intent, aimed at minimizing any disruption or damage to either Party.

14. Liability

Each Party’s liability arising out of or in connection with this Agreement shall be subject to the following limitations:

  • Except in the case of willful misconduct or gross negligence, Goget’s total aggregate liability for any and all claims, damages, costs, or expenses arising under or related to this Agreement shall not exceed the total amount of fees paid by the Client to Goget for the Services under the applicable contract during the twelve (12) months immediately preceding the event giving rise to the claim.
  • In no event shall Goget be liable for any indirect, incidental, consequential, punitive, or special damages, including but not limited to loss of profits, loss of revenue, loss of goodwill, or anticipated savings, even if advised of the possibility of such damages.
  • The Client acknowledges that Goget’s Services rely on the availability and functionality of third-party platforms (such as Microsoft 365 Exchange, Microsoft Exchange, or Google Workspace). Goget shall not be held liable for any disruptions, data loss, or breaches originating from such third-party platforms or services that are beyond Goget’s reasonable control.
  • Any claim raised by the Client in its capacity as Data Controller shall be substantiated by demonstrable and documented evidence and shared with Goget in a timely manner. Furthermore, the factual basis of such claims must be independently verified by a mutually agreed, impartial third party, and the costs associated with such verification shall be borne exclusively by the Client.
  • The Parties acknowledge that compensation for damages under Article 82 and fines under Article 83 of the GDPR shall apply as determined in accordance with the respective responsibilities and roles of each Party under applicable law.
  • These limitations and exclusions of liability shall apply to the maximum extent permitted by applicable law and shall survive termination or expiration of this Agreement.

15. Audit Rights

The Client may audit Goget’s compliance with this Agreement only as required by Article 28(3)(h) of the GDPR and subject to the following conditions:

  • Audits may occur no more than once per year, with at least 30 days’ prior written notice, during regular business hours, and shall be conducted in a manner that avoids undue disruption to Goget’s operations.
  • Goget shall acknowledge such audit requests without undue delay and will work in good faith to provide an appropriate response within a reasonable timeframe, taking into account the scope of the request and operational feasibility.
  • Audits must be limited to what is strictly necessary to verify compliance with this Agreement and applicable data protection laws. They may be conducted by the Client or an independent, reputable third party appointed by the Client and reasonably approved by Goget.
  • Goget may fulfill its audit obligations by providing up-to-date documentation, technical information, certifications, and summaries of relevant internal or third-party audits. On-site audits shall only be permitted if such documentation is insufficient to demonstrate compliance.
  • All audit-related costs, including those arising from Goget’s internal resources used to support the audit, shall be borne by the Client.
  • All findings and related documentation shall be treated as confidential and used solely to assess compliance.

16. Term and Termination

This Agreement remains in effect while Goget processes personal data on behalf of the Client and the Client holds a valid license under a mutually agreed Purchase Agreement. For the avoidance of doubt, this Agreement applies only to Clients with an active and current right to use the Services as licensed. Upon termination of Services:

  • Goget shall, at the Client’s instruction, delete or return personal data;
  • This clause survives termination to the extent required by law.

17. Miscellaneous

  • This Data Processing Agreement is incorporated by reference into and forms an integral part of the Client’s use of Goget’s Services. By entering into a Purchase Agreement or otherwise accessing or using the Services, the Client is deemed to have accepted and agreed to the terms of this DPA. No separate or explicit signature shall be required to give this Agreement legal effect.
  • This Agreement is presented on a non-negotiable basis in most circumstances and is intended to satisfy the Parties’ obligations under Article 28 of the GDPR. Modifications or deviations may only be considered in exceptional cases and require Goget’s prior written consent.
  • The Parties agree that all communications and interactions under this Agreement shall be conducted in good faith, in a constructive manner, and with the shared objective of minimizing damage, risk, or disruption to either Party.
  • This Agreement may not be modified except in writing signed by both Parties, unless required to comply with applicable law.
  • Goget may issue non-material updates with reasonable prior notice, typically 30 days where practicable, unless a shorter period is necessary due to legal, regulatory, or urgent operational requirements.
  • If any terms conflict with mandatory EU data protection laws or guidance, such terms shall be interpreted accordingly.
  • The Agreement is confidential between the Parties. No modifications or disclosures shall be made except in writing signed by both Parties, unless required to comply with applicable law.
  • If any terms conflict with mandatory EU data protection laws or guidance, such terms shall be interpreted accordingly.
  • The Agreement is confidential between the Parties.

18. Contact Information

For any questions, concerns, or requests related to personal data or this Data Processing Agreement, the Client may contact Goget at: privacy@gogetcorp.com.

19. Governing Law and Jurisdiction

This Agreement shall be governed by, and construed in accordance with, the laws of Sweden.

Any dispute, controversy, or claim arising out of or in connection with this Agreement, or the breach, termination, or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce (SCC). The arbitral tribunal shall be composed of a sole arbitrator. The seat of arbitration shall be Stockholm, Sweden. The arbitration language shall be English or Swedish, at Goget’s discretion, unless otherwise agreed in writing by the Parties. The proceedings and all related information shall be confidential.

 

– END –

Download DPA
Log in
GOGET One, Does it best!