Data Processing Agreement

LoadImpact's GDPR Data Processing Agreement

Effective November 30, 2020 | Archived version.

1. Introduction

1.1 In the course of LoadImpact’s performance of the load testing services under the agreement entered into between you and Load Impact AB, a Swedish limited liability company with reg. no. 556560-4773 (“LoadImpact”), LoadImpact might process personal data on behalf of you within the sense of article 28 in regulation (EU) 2016/679 (the “Data Protection Regulation”). This Data Processing Agreement provides for LoadImpact’s and your obligations in respect of any processing of personal data included in the code used to perform load tests. Terms and concepts used in capitalised letters not defined herein shall have the meaning ascribed to them in the Data Protection Regulation unless the context clearly require otherwise. Any reference made to “personal data” means the personal data processed by LoadImpact to perform its obligations under the Agreement.

2. LoadImpact’s Obligations

2.1 LoadImpact or its personnel working under its management may only process the personal data in accordance with your documented instructions. In addition to the instructions set forth in Appendix 1 (Instructions on processing of personal data) to this Data Processing Agreement, the Agreement and LoadImpact’s performance thereof shall be your documented instructions to LoadImpact in respect of its processing of the personal data. LoadImpact may further process personal data on behalf of you to the extent required under Union or a Member State’s national law to which LoadImpact is subject to. LoadImpact shall inform you of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, LoadImpact shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • a) the pseudonymisation and encryption of personal data;
  • b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.3 LoadImpact is obligated to take the technical and organisational measures required under applicable data protection law to protect the personal data processed on behalf of you from unintentional or unlawful destruction, loss or modification or unauthorised disclosure of or access to such personal data.

2.4 To meet the requirements described in section 2.2-2.3 above, LoadImpact has taken the measures described on https://k6.io/security-policy/. LoadImpact may take other or additional measures as required due to new or amended legislation, or as a result of decisions by public authorities.

2.5 LoadImpact shall further:

  • a) assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the Data Protection Regulation, taking into account the nature of processing and the information available to LoadImpact;
  • b) taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising data subjects’ rights laid down in Chapter III of the Data Protection Regulation;
  • b) upon reasonable notice, make available to you all information necessary to demonstrate compliance with the obligations laid down in article 28 of the Data Protection Regulation and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you; and
  • b) ensure that persons authorised to process personal data on behalf of you have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.6 Subject to section 2.7 below, LoadImpact shall keep the personal data strictly confidential without limitation in time. The aforementioned shall not apply in relation to information that LoadImpact is ordered to disclose or submit to public authorities or information disclosed in order to exercise or defend legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

2.7 LoadImpact is authorised by you to engage sub-processors and shall enter into data processing agreements in its own name with such sub-processors that are as stringent as this. LoadImpact shall inform you of any intended changes concerning the addition or replacement of other sub-processors, thereby giving you the opportunity to object to such changes. LoadImpact shall further make available to you an up-to-date list indicating the sub-processors engaged, contact details to these as well as the geographical location where their processing activities in respect of the personal data for which you are the data controller of are performed. Such list to be made available in the manner decided by LoadImpact, e.g. on a website designated by LoadImpact. LoadImpact shall remain fully liable to you for the performance of that other processor's obligations if a sub-processor fails to fulfil its data protection obligations.

2.8 LoadImpact may transfer personal data for which you are the data controller to countries outside the EEA, subject to applicable legal requirements in respect of protection of personal data in relation to such transfers being observed. In relation to sub-processors located in the United States, LoadImpact has entered into data processing agreements including the standard contract clauses (“SCC”) issued by the European Commission. Should the European Commission issue updated or revised SCC, LoadImpact will update any data processing agreements that includes the SCC to reflect the updated version. Further, LoadImpact shall ascertain that the use of SCC sufficiently protects the rights and freedoms of the data subjects in accordance with the Data Protection Regulation and any guidelines issued by a competent authority.

2.9 After the end of the performance of the activities under the Agreement involving processing on personal data on behalf of you and your choice, LoadImpact will delete or return all personal data processed under this Data Processing Agreement to you in the format offered by LoadImpact from time to time, and delete existing copies unless Union or Member State law requires storage of the personal data. LoadImpact’s obligation to return personal data ends seven (7) days following the effective termination of the Agreement. The personal data will then be deleted unless LoadImpact is obliged to keep it in accordance with the aforesaid.

2.10 LoadImpact’s total and aggregate liability for all damages caused by its processing of personal data on your behalf in breach of this Data Processing Agreement or applicable data protection laws during one and the same calendar year shall be equal to the greater of EUR 1,000 and the fees paid by you during the calendar year immediately preceding the date when the damage arised. Save for cases of gross negligence or intent, LoadImpact is not liable for indirect or consequential damages, including but not limited to, loss of business, loss of profit or loss of data.

3. Your General Obligations

3.1 You are in the capacity of the controller liable to ensure that the processing of personal data is compliant with applicable law, including but not limited to data protection law. Such requirements include, but is not limited to, the provision of information about processing of personal data to data subjects concerned and ensuring that there is a legal ground for LoadImpact’s processing the personal data.

3.2 You shall pay for LoadImpact’s reasonable work and costs to accommodate:

  • a) any changes in or new documented instructions by you;
  • b) assistance in relation to actual requests to you by data subjects as referred to in section 2.5a) above.
  • c) performance of audits and inspections in accordance with section 2.5c) above as this require manual work or costs for LoadImpact;
  • d) your objection against the use of a specific sub-processor as provided for in section 2.7 above; and
  • e) manual assistance in returning personal data as provided for in section 2.5 above.

3.3 Notwithstanding the above, your obligation to compensate LoadImpact in accordance with section 3.2 shall only apply to work and measures that go beyond what is set forth in the Data Protection Regulation, in Appendix 1 and the functions and level of security that LoadImpact normally offers its customer, e.g. customer specific customizations requested by you.

3.4 If LoadImpact deems it would not be commercially feasible to accommodate your request for changes in or new documented instructions, LoadImpact may instead of accommodating your request choose to terminate the Agreement with immediate effect.

Appendix 1 – Instructions on processing of personal data

In addition to what is set forth in the Data Processing Agreement, you instruct LoadImpact to process personal data on behalf of you in accordance with the below:

Purposes of the processing

Any personal data processed on your behalf will be processed to provide LoadImpact’s SaaS based load testing tool.


Types of personal data and categories of data subjects

The types of personal data processed by LoadImpact depends on what type of data you use LoadImpact’s testing tool to perform tests on.


Note: LoadImpact may also process personal data about your personnel, i.a. to manage the customer relationship. This data is however processed by LoadImpact in capacity of an independent controller why it has not been included in the Data Processing Agreement.


Types of personal data and categories of data subjects

Persons whose personal data is included in the code you use LoadImpact’s testing tool to perform tests on.


Duration of the processing

Duration for paid subscriptions


The personal data will be processed until the subscription is terminated unless deleted earlier by you. Personal data collected through the URL testing tool will however only be processed momentarily before it is deleted.


Duration for trial subscriptions



The personal data will be deleted after six (6) months’ inactivity unless deleted earlier by you. Personal data collected through the URL testing tool will however only be processed momentarily before it is deleted.