Einride

Einride Data Processing Addendum

Version 1.2, April 2023

  1. SUBJECT MATTER AND SCOPE

    1. This Data Processing Addendum (the “DPA”) consists of this document along with Attachment A (Specification). Where applicable and subject to Section 9 below, standard contractual clauses adopted by the EU Commission from time to time shall be deemed incorporated into the DPA by reference.
    2. This DPA constitutes an addendum and an integrated part of the Contract (as defined in the Einride Saga Terms of Service) between Einride and User which may be concluded by way of an order form, main agreement or User accepting the Einride Saga Terms of Service referencing this DPA. In the event of inconsistencies between clause(s) in other Contract documents and this DPA in regard to Einride’s processing of Personal Data, this DPA shall prevail and apply in lieu of such inconsistent clause(s) in other Contract documents. Notwithstanding the foregoing, standard contractual clauses shall (if incorporated) have the highest priority in the event of any conflict or inconsistency with this DPA or the Contract.
    3. Einride will as part of the Software Services process Personal Data (as a ‘data processor’) on behalf of User (as the ‘data controller’). This DPA constitutes a written agreement between a data controller and a data processor, as required pursuant to General Data Protection Regulation (EU) (2016/679) (“GDPR”). If this DPA is governed by the law of England and Wales, any reference to the GDPR shall mean the GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”).
    4. If User Content includes Personal Data for which a third party is the data controller, User warrants and represents that it has been instructed by and obtained the mandate and authorization of all relevant data controllers to enter into this DPA with Einride on behalf of such third party data controller and that each and every relevant data controller has given such notifications to, and obtained any required consents from, data subjects to ensure that the sharing and processing of such Personal Data in these circumstances complies with applicable data protection laws, including the GDPR.
    5. For the avoidance of doubt, Personal Data collected and processed by Einride as the data controller is not subject to this DPA. Please see the Privacy Notice for further information.
  2. DEFINITIONS

    1. Terms defined in the Contract shall have the same meaning when used in this DPA with an initial capital letter. Further, the terms defined in the GDPR shall have the meanings set forth therein, such as “controller”, “data subject”, “processor”, “processing”, “personal data breach”, “supervisory authorities” and “third country”, when used in this DPA.
    2. In addition to the preceding section and to the terms defined above, the following terms shall be defined as follows:
      “Covered Personal Data” means Personal Data that is processed by Einride as processor on behalf of User, see Specification.
      “Data Protection Laws” means laws and regulations under EU law, including the GDPR, relevant Member State laws, the UK GDPR and the Data Protection Act 2018, that from time to time apply to the processing of personal data;
      “Specification” means Attachment A.
      “Supervisory Authority” means a Swedish, EU, or, where applicable, UK authority such as the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) and, where applicable, any other supervisory authority with regulatory jurisdiction over User’s business operations.
  3. INSTRUCTIONS TO EINRIDE

    1. User hereby instructs Einride to process Personal Data in accordance with Attachment A and as reasonably necessary to provide the Services to Einride’s customers. User may provide additional, documented instructions to Einride to process Personal Data; provided, however, that Einride shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Contract and this DPA.
    2. In the event User provides additional documented instructions regarding processing of Covered Personal Data, which go beyond the scope of this DPA or the Contract, or which require Einride to take measures over and above the standard measures taken by Einride in order to protect the Personal Data processed by Einride, Einride is entitled to remuneration for any costs incurred by Einride as a result of such additional instructions, provided that they are technically feasible to implement.
    3. If User’s instructions, in Einride’s opinion, might infringe Data Protection Laws, Einride shall notify User and shall not be obliged to follow such instructions, in full or in part, to the extent that they infringe the Data Protection Laws, and await additional instructions before Einride continues to process Covered Personal Data.
    4. This DPA will not in any way prevent or limit Einride from processing Personal Data to the extent necessary in order to comply with legal requirements under the GDPR, Data Protection Laws and/or other laws to which Einride is subject. If Einride is required to process Personal Data for these reasons, in such a way that would not comply with User instructions, Einride will inform the User, unless prohibited from doing so by law.
    5. Notwithstanding any provisions regarding choice of law agreed between the parties in the Contract, Einride will comply with the Data Protection Laws applicable to processors located in the EU and the United Kingdom (UK). User shall comply with data protection legislation applicable to User as controller.
  4. SECURITY MEASURES AND ASSISTANCE

    1. Einride shall implement appropriate technical and organizational measures as described in Einride's Security Policy, available upon request, to ensure a level of security appropriate to the risks involved. Technical and organizational measures are subject to technical progress and further development. Accordingly, Einride reserves the right to modify such measures provided that the functionality and security of the Software Services is not significantly degraded. User hereby discharges Einride of any obligation to notify and/or obtain prior approval from User of such changes. Upon User’s request, Einride shall provide an up-to-date and current high level description of technical and organizational security measures.
    2. Einride shall, upon User's request and taking into account the nature of the processing and the information available to Einride, provide information to User in order to allow User to fulfil its obligations to, where applicable, carry out data protection impact assessments (DPIAs) and prior consultations with the relevant supervisory authority in relation to the processing of Personal Data covered by the Software Services.
    3. Each party shall take measures to ensure that access to Covered Personal Data is limited to employees, consultants and affiliated companies who need access to the Covered Personal Data in order to fulfil its obligations under the Contract and the DPA.
    4. Each party shall ensure that all employees authorized to access and process Covered Personal Data are bound by confidentiality obligations and observe confidentiality in no less a restrictive manner than required by the confidentiality undertaking set out in the Contract.
  5. PERSONAL DATA BREACH

    1. In the event of a personal data breach attributable to Einride or its Subprocessors involving Covered Personal Data processed by Einride as data processor, Einride shall notify User, by email or otherwise in writing, without undue delay after becoming aware of the personal data breach.
    2. Einride’s notification to the User shall include (i) a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; and (ii) a description of the measures taken or proposed to be taken by Einride to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    3. Where, and in so far as, it is not possible to provide the information at the same time, Einride may provide the information in phases, provided that Einride (i) explains the reasons why the complete information cannot be provided, and (ii) provides complete information without undue delay.
  6. USE OF SUBPROCESSORS

    1. User hereby agrees that Einride may engage service providers to process Covered Personal Data on behalf of User (“Subprocessor(s)”). User hereby issues a general written authorisation to Einride to engage Subprocessors of Covered Personal Data and enter into data processing agreements with obligations no less restrictive than those set out in this DPA. A current list of Subprocessors including geographical location is available at https://documents.einride.tech/en/subprocessors.html (the "Subprocessor List").
    2. Einride may replace or add new Subprocessors by making changes to the Subprocessor List at any time, provided that Einride notifies User without undue delay, thereby giving Controller the opportunity to reasonably object to such changes. Einride’s notification obligation to User will be fulfilled by Einride posting updates to the subprocessor list. In order to receive automated notifications of pending changes to Subprocessors in accordance with this Section, User may subscribe to receive automated notifications by signing up via the webform made available by Einride at: https://i.einride.tech/subprocessor.
    3. User may object to a new Subprocessor processing User’s Personal Data by notifying Einride within ten (10) days from Einride’s notice thereof, provided that such objection is reasonable and based on data protection concerns and protection of data subject’s rights and freedoms. User acknowledges that certain Subprocessors are essential to providing the Software Services and that objecting to the use of a Subprocessor may prevent Einride from offering the Software Services to User. If only non-material part(s) of the Software Services are affected due to the User’s objection, Einride may in its sole opinion cancel User’s use of such non-material part of the Software Services, if and until the User withdraws its objection or Einride has decided to engage an alternative Subprocessor which the User accepts. If the objection is of essential nature for the provision of the Software Services and Einride is unable to accommodate User’s objection, either Party may terminate, wholly or partly (if possible), the Software Services including this DPA by providing the other Party with written notice within one (1) month of Einride’s initial notice. Einride will refund a prorated portion of any pre-paid charges for Software Services covering the period after such termination date.
    4. Einride shall be liable for the acts and omissions of any Subprocessor to the same extent as if the acts or omissions were performed by Einride.
  7. ACCESS TO INFORMATION AND AUDIT

    1. Einride shall upon reasonable request provide User access to all information relevant and necessary to demonstrate that Einride has fulfilled its obligations under the GDPR, other Data Protection Laws and this DPA. Such information and documentation shall constitute Confidential Information of Einride. Einride shall have the right to request that any User employees or third party auditors engaged by the User shall sign a non-disclosure undertaking regarding Einride’s Confidential Information prior to providing access to its information. Such request shall be complied with without undue delay and may not be conditional.
    2. Where the information provided is not sufficient to allow User to comply with applicable audit requirements and obligations under applicable law, User may at User’s sole cost and expense (i) request additional information and documentation and (ii) after a reasonable prior notice, and subject to Einride’s confidentiality and data protection obligations to third parties, further audit Einride’s control environment and security practices relevant to Covered Personal Data. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, only the legally mandated entity (such as a governmental regulatory authority having oversight of User’s operations) may, as part of such further audit, conduct an on-site inspection of the technical and organizational measures that Einride or its subcontractor(s) has implemented to fulfil its obligations under this DPA; such inspection to be performed subject to reasonable confidentiality undertakings and in a manner that minimizes any risk of disruption to Einride’s or its subcontractors’ business and clients or damage to facilities and in accordance with applicable practices and policies.
    3. An on-site inspection as per Section 7.2 shall be (i) subject to at least thirty (30) days’ prior written notice, and (ii) strictly limited to what is required to verify that Einride’s technical and organisational security measures comply with Einride’s Security Policy.
    4. Any and all costs and expenses related to User’s inspections shall be borne by the User, including any potential costs and expenses incurred by Einride due to Einride's or its Subprocessor(s)’ participation in such inspection.
  8. RIGHTS OF THE DATA SUBJECT

    1. As the data controller, User shall act as the single-point-of-contact in relation to data subjects on all matters and issues related to the processing activities carried out under this DPA. Einride shall, subject to compensation, duly assist User in responding to requests from data subjects and to correct, erase, limit and/or block Covered Personal Data in accordance with User’s instructions.
    2. Should a data subject, a supervisory authority, or any other third party, make a request or otherwise contact Einride (or any Subprocessor) regarding the processing of Covered Personal Data, Einride shall, to the extent not prohibited by decision of a court or public authority, refer such request to User.
    3. If a data subject’s Covered Personal Data is not accessible to User through the Service, Einride will, as necessary to enable User to meet its obligations under applicable data protection legislation, provide reasonable assistance to make such Covered Personal Data available to User. Einride is entitled to compensation from the User for any costs and expenses relating to Einride's assistance in accordance with the User's request pursuant to this section.
    4. If a data subject pursuant to mandatory law is entitled to exercise its right directly vis-à-vis Einride, Einride shall take relevant measures and shall be discharged of any obligation to inform or notify User.
    5. User hereby instructs Einride to provide information notices to data subjects about specific data processing operations in the Software Services in accordance with Articles 13 and 14 GDPR as applicable.
  9. TRANSFER TO AND PROCESSING OF PERSONAL DATA IN A THIRD COUNTRY

    1. User agrees that Einride or its Subprocessors may transfer Covered Personal Data outside the EU/EEA or the UK where applicable, and process the Covered Personal Data under the Contract on equipment or by using resources that are located outside the EU/EEA or the UK where applicable, in order to fulfil its obligations under the Contract or as otherwise reasonably required for Einride to provide Software Services to its customers around the world, and provided that any such transfer will only occur if and to the extent that:
      1. the relevant country is approved by the EU Commission, or adequacy regulations under section 17A of the Data Protection Act 2018 where applicable, to provide an adequate level of protection for Personal Data;
      2. Einride ensures that there are appropriate safeguards in place for the transfer in accordance with the GDPR such as standard data protection clauses adopted by the EU Commission or UK requirements for such transfers out of the UK where applicable; or
      3. Einride is able to apply other legal mechanisms under the GDPR, or UK GDPR where applicable, for the transfer of the Covered Personal Data.
  10. CONFIDENTIALITY

    1. In addition to the confidentiality undertakings that follow from the Contract, Einride undertakes to not disclose Covered Personal Data or otherwise reveal information about the processing of Covered Personal Data to any third party without User’s explicit instruction, unless required to do so for legal or regulatory purposes.
    2. The confidentiality undertaking in accordance with section 10.1 above is not applicable in relation to professional advisors or subcontractors with whom Einride has entered into a data processor agreement in accordance with section 6.1 above. However, such data processor agreement shall include a corresponding confidentiality obligation for the professional advisor or subcontractor.
  11. COMPENSATION

    1. Einride is entitled to compensation on a time and material basis for any performance required under this DPA not included in the Service, such as measures or assistance requested by User related to:
      1. Compliance with User’s Additional Instructions in accordance with section 3 above.
      2. Assisting User with data protection impact assessments and prior consultation in accordance with section 4.2 above.
      3. Allowing for and contributing to audits carried out by User in accordance with section 7 above.
      4. Assisting User in responding to requests from data subjects exercising their rights under the GDPR or Data Protection Laws, in accordance with section 8.1 above.
      5. Assisting User in transferring Covered Personal Data in connection with termination of the processing in accordance with section 12.2 below.
  12. TERM AND TERMINATION

    1. This Data Processing Addendum enters into force when the Contract has been agreed by both parties and shall remain in force for as long as Einride processes Covered Personal Data.
    2. Upon termination of the Contract, Einride will during a reasonable data retention period provide User with the ability to download and retrieve any Personal Data in Einride’s or its Subprocessors’ possession in accordance with Einride’s standard procedures for the Software Services. Upon expiry of the data retention period, Einride shall delete or de-identify any Personal Data, unless Einride is obligated under applicable law to continue to store the Covered Personal Data.
  13. GOVERNING LAW AND DISPUTE RESOLUTION

    1. Governing law as well as disputes regarding the interpretation or application of this Data Processing Addendum shall be determined in accordance with the dispute resolution provisions of the Contract.

Attachment A – Specification

Description of the processing of Personal Data covered by the DPA

This Attachment A includes a description of the processing of Covered Personal Data carried out by Einride on behalf of the User, pursuant to the DPA.

Categories of data subjects: User’s Authorized Users of the Software Services, typically User’s employees and/or consultants.

Categories of Personal Data: Personal data collected in connection with creation of a user account and/or login to the Software Services (including Einride Saga Platform), such as first name, last name, email address, password and phone number. Personal data included in User Content which an Authorized User of User chooses to provide to Einride, such as contact details and other Personal data included in transport orders or shipment information.

Purpose(s) of the Processing: The main purpose of the processing taking place as a result of Einride providing the Software Services, is for User to provide its employee/consultant with an efficient tool for daily freight planning in order to carry out their tasks and to make the User’s shipments more sustainable.

Processing Operations: Storage, collection, use.

Locations: Personal Data is processed by Einride, the Einride Group and Subcontractors globally, including the EU and the United States. Personal Data is primarily stored at rest in Google Cloud Platform’s datacenters.

Retention of Personal Data: Personal data will be stored for as long as necessary to meet the purposes described herein. This means that Covered Personal Data is generally stored for the duration of a data subject’s employment or contract with User. When a data subject’s employment or contract expires, for any reason, User shall take appropriate actions to delete relevant accounts and the Covered Personal Data from the Software Services, unless otherwise required or permissible under the GDPR or local laws. In addition, all Covered Personal Data shall be deleted by Einride when User’s right to use the Software Services terminates or expires (regardless of reason), unless otherwise agreed.