Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Linkbase AB ("Processor", "Linkbase", "we", "us") and the Customer ("Controller", "you", "your") who uses the Linkbase application and services.

This DPA sets out the terms governing the processing of Personal Data by Linkbase on behalf of the Customer in connection with the provision of services, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

In this DPA, the following definitions apply:

• "Personal Data": Any information relating to an identified or identifiable natural person as defined in the GDPR
• "Processing": Any operation performed on Personal Data, including collection, storage, use, transfer, and deletion
• "Data Controller": The Customer, who determines the purposes and means of the processing of Personal Data
• "Data Processor": Linkbase, who processes Personal Data on behalf of the Data Controller
• "Sub-processor": A third party engaged by Linkbase to process Personal Data
• "Data Subject": An individual whose Personal Data is processed
• "Personal Data Breach": A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data

3.1 Purpose

Linkbase processes Personal Data solely for the purpose of providing the integration services between Shopify and Fortnox as described in the Terms of Service, including:

• Synchronizing order data from Shopify to Fortnox
• Creating and managing customer records in Fortnox
• Generating invoices and accounting entries
• Processing product and inventory data

3.2 Categories of Personal Data

• Customer names and contact information
• Billing and shipping addresses
• Email addresses and phone numbers
• Order and transaction data
• Payment information (amounts, dates, methods)

3.3 Categories of Data Subjects

End customers of the Controller's Shopify store.

Linkbase agrees to:

1. Process Personal Data only on documented instructions from the Controller, unless required by applicable law
2. Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
3. Implement appropriate technical and organizational security measures
4. Engage sub-processors only with the Controller's authorization and under written agreements
5. Assist the Controller in responding to Data Subject requests
6. Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
7. Delete or return all Personal Data upon termination of services, unless retention is required by law
8. Make available to the Controller information necessary to demonstrate compliance with GDPR obligations

The Controller represents and warrants that:

1. It has a lawful basis for processing all Personal Data provided to Linkbase
2. It has provided all necessary notices and obtained any required consents from Data Subjects
3. It will comply with all applicable data protection laws in its use of the Service
4. Its instructions to Linkbase will comply with applicable data protection laws

Linkbase implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Incident response procedures
• Employee training on data protection

The Controller provides general authorization for Linkbase to engage sub-processors. Linkbase maintains a list of current sub-processors and will notify the Controller of any intended changes. Current sub-processors include hosting providers and infrastructure services located within the EU/EEA.

If the Controller objects to a new sub-processor, the Controller may terminate the affected services within 30 days of notification.

Personal Data is primarily processed within the EU/EEA. If transfers outside the EU/EEA are necessary, Linkbase will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or transfers to countries with an adequacy decision.

Linkbase will promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under GDPR. Linkbase will assist the Controller in fulfilling such requests, taking into account the nature of the processing. The Controller is responsible for responding to Data Subject requests.

Linkbase will notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach. The notification will include, to the extent possible:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects and records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

Linkbase will make available to the Controller, upon reasonable request and subject to confidentiality obligations, information necessary to demonstrate compliance with GDPR obligations. The Controller may conduct audits or inspections, provided that:

• Reasonable advance notice is given (at least 30 days)
• Audits are conducted during normal business hours
• The Controller bears the costs of any audit
• Audits do not unreasonably disrupt Linkbase's operations

This DPA remains in effect for the duration of the Terms of Service. Upon termination, Linkbase will delete all Personal Data within 30 days, unless retention is required by applicable law or the Controller requests return of the data in a standard format.

The limitations of liability set forth in the Terms of Service apply to this DPA. Each party's liability under this DPA is subject to the exclusions and limitations set forth in the Terms of Service.

This DPA is governed by Swedish law. Any disputes shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.

For questions regarding this DPA or data protection matters: