Data Processing Agreement

Last updated January 16, 2020.

1. Introduction

1.1 In the course of Load Impact’s performance of the load testing services under the agreement entered into between you and Load Impact AB, a Swedish limited liability company with reg. no. 556560-4773 (“Load Impact”), Load Impact might process personal data on behalf of you within the sense of article 28 in regulation (EU) 2016/679 (the “Data Protection Regulation”). This Data Processing Agreement provides for Load Impact’s and your obligations in respect of any processing of personal data included in the code used to perform load tests. Terms and concepts used in capitalised letters not defined herein shall have the meaning ascribed to them in the Data Protection Regulation unless the context clearly requires otherwise. Any reference made to “personal data” means the personal data processed by Load Impact to perform its obligations under the Agreement.

2. Load Impact’s Obligations

2.1 Load Impact or its personnel working under its management may only process the personal data in accordance with your documented instructions. In addition to the instructions set forth in Appendix 1 (Instructions on processing of personal data) to this Data Processing Agreement, the Agreement and Load Impact’s performance thereof shall be your documented instructions to Load Impact in respect of its processing of the personal data. Load Impact may further process personal data on behalf of you to the extent required under Union or a Member State’s national law to which Load Impact is subject to. Load Impact shall inform you of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Load Impact shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

• a) the pseudonymisation and encryption of personal data;
• b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.3 Load Impact is obligated to take the technical and organisational measures required under applicable data protection law to protect the personal data processed on behalf of you from unintentional or unlawful destruction, loss or modification or unauthorised disclosure of or access to such personal data.

2.4 To meet the requirements described in section 2.2-2.3 above, Load Impact has taken the measures described in our security policy found at

https://k6.io/security-policy/. Load Impact may take other or additional measures as required due to new or amended legislation, or as a result of decisions by public authorities.

2.5 Load Impact shall further:

• a) assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the Data Protection Regulation, taking into account the nature of processing and the information available to Load Impact;
• b) taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising data subjects’ rights laid down in Chapter III of the Data Protection Regulation;
• b) upon reasonable notice, make available to you all information necessary to demonstrate compliance with the obligations laid down in article 28 of the Data Protection Regulation and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you; and
• b) ensure that persons authorised to process personal data on behalf of you have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.6 Subject to section 2.7 below, Load Impact shall keep the personal data strictly confidential without limitation in time. The aforementioned shall not apply in relation to information that Load Impact is ordered to disclose or submit to public authorities or information disclosed in order to exercise or defend legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

2.7 Load Impact is authorised by you to engage sub-processors and shall enter into data processing agreements in its own name with such sub-processors that are as stringent as this. Load Impact shall inform you of any intended changes concerning the addition or replacement of other sub-processors, thereby giving you the opportunity to object to such changes. Load Impact shall further make available to you an up-to-date list list indicating the sub-processors engaged, contact details to these as well as the geographical location where their processing activities in respect of the personal data for which you are the data controller of are performed. Such a list is to be made available in the manner decided by Load Impact, e.g. on a website designated by Load Impact. Load Impact shall remain fully liable to you for the performance of that other processor's obligations if a sub-processor fails to fulfil its data protection obligations.

2.8 Load Impact may transfer personal data for which you are the data controller to countries outside the EEA, subject to applicable legal requirements in respect of protection of personal data in relation to such transfers being observed.

2.9 After the end of the performance of the activities under the Agreement involving processing on personal data on behalf of you and your choice, Load Impact will delete or return all personal data processed under this Data Processing Agreement to you in the format offered by Load Impact from time to time, and delete existing copies unless Union or Member State law requires storage of the personal data. Load Impact’s obligation to return personal data ends seven (7) days following the effective termination of the Agreement. The personal data will then be deleted unless Load Impact is obliged to keep it in accordance with the aforesaid.

2.10 Load Impact’s total and aggregate liability for all damages caused by its processing of personal data on your behalf in breach of this Data Processing Agreement or applicable data protection laws during one and the same calendar year shall be equal to the greater of EUR 1,000 and the fees paid by you during the calendar year immediately preceding the date when the damage arised. Save for cases of gross negligence or intent, Load Impact is not liable for indirect or consequential damages, including but not limited to, loss of business, loss of profit or loss of data.

3. Your General Obligations

3.1 You are in the capacity of the controller liable to ensure that the processing of personal data is compliant with applicable law, including but not limited to data protection law. Such requirements include, but is not limited to, the provision of information about processing of personal data to data subjects concerned and ensuring that there is a legal ground for Load Impact’s processing the personal data.

3.2 You shall pay for Load Impact’s reasonable work and costs to accommodate:

• a) any changes in or new documented instructions by you;
• b) assistance in relation to actual requests to you by data subjects as referred to in section 2.5a) above.
• c) performance of audits and inspections in accordance with section 2.5c) above as this require manual work or costs for Load Impact;
• d) your objection against the use of a specific sub-processor as provided for in section 2.7 above; and
• e) manual assistance in returning personal data as provided for in section 2.5 above; and

3.3 If Load Impact deems it would not be commercially feasible to accommodate your request for changes in or new documented instructions, Load Impact may instead of accommodating your request choose to terminate the Agreement with immediate effect.

Appendix 1 – Instructions on processing of personal data

In addition to what is set forth in the Data Processing Agreement, you instruct Load Impact to process personal data on behalf of you in accordance with the below: