Drömlik UCaaS Data Processing Agreement (DPA)
The Data Controller (“Customer”) and the Data Processor (“Drömlik”) are hereinafter referred to individually as a “Party” and collectively as the “Parties.”
This DPA clarifies the rights and obligations of the Customer (the “Data Controller”) and Drömlik (the “Data Processor”) in connection with the processing of personal data under applicable data protection laws. Please read and fully understand this DPA before using the Services.
By accessing or using Drömlik UCaaS, the Data Controller acknowledges that it has read, understood, and agreed to be bound by this DPA and consents to the processing of its information under these terms. If the Data Controller does not agree to this DPA, it must not use the Services.
1. DEFINITIONS
The terms used in this DPA have the same meaning as in the applicable data protection laws and any related guidance or interpretations. For clarity:
- Processing: any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- Applicable Data Protection Law: the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and any other national or international privacy laws applicable to the Parties.
- Standard Contractual Clauses (SCCs): contractual terms approved by the European Commission ensuring adequate protection for data transferred outside the EEA.
- Data Controller: the entity determining the purposes and means of processing Personal Data.
- Data Processor: the entity processing Personal Data on behalf of the Data Controller.
- Personal Data: information relating to an identified or identifiable individual.
- Data Subject: the individual to whom Personal Data relates.
- Personal Data Breach: a security incident resulting in accidental or unlawful destruction, loss, or unauthorized disclosure of Personal Data.
- Sub-processor: any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
2. PURPOSE LIMITATION
Drömlik shall process Personal Data only for the purposes described in Annex A, or as otherwise required by law.
3. OBLIGATIONS OF THE DATA PROCESSOR
3.1 Security
Drömlik maintains technical and organizational measures to safeguard Personal Data, consistent with industry standards. This includes access control, encryption, logging, incident response, and other protective controls ensuring confidentiality, integrity, and availability.
3.2 Confidentiality
Drömlik ensures that any personnel authorized to process Personal Data are subject to strict confidentiality obligations, continuing beyond the termination of their engagement.
3.3 Personal Data Breaches
Drömlik will notify the Data Controller without undue delay, and within 24 hours where feasible, after becoming aware of a Personal Data Breach. Drömlik will assist the Data Controller in meeting its legal obligations to notify authorities or affected Data Subjects, as required by law.
3.4 Data Subject Requests
Drömlik will reasonably assist the Data Controller, via technical and organizational measures, in responding to Data Subject requests (e.g., access, correction, deletion, portability). If a request is received directly, Drömlik will forward it to the Data Controller. Any costs associated with such assistance may be charged to the Controller.
3.5 Sub-processors
Drömlik may engage Sub-processors only with the Controller’s consent. Drömlik shall:
- Notify the Controller of new or replacement Sub-processors.
- Ensure Sub-processors are bound by written agreements reflecting the same data protection obligations as this DPA.
- Remain fully liable for the actions of Sub-processors.
Drömlik relies on reputable providers (e.g., AWS, Azure) listed in Annex A, each of which operates under GDPR-compliant safeguards such as SCCs.
3.6 International Transfers
Drömlik may transfer Personal Data outside the European Economic Area (“EEA”) in accordance with Applicable Data Protection Laws. When transferring data to countries without adequate protection, Drömlik will implement SCCs or equivalent safeguards. The applicable clauses and mechanisms are detailed in Annex B.
3.7 Deletion or Return of Data
Upon termination or expiry of the Agreement, Drömlik shall, upon written request, delete or return all Personal Data unless retention is required by law or for backup integrity. Retained data will be securely isolated and deleted in accordance with Drömlik’s data retention policies.
4. OBLIGATIONS OF THE DATA CONTROLLER
The Data Controller is solely responsible for ensuring compliance with applicable data protection laws, including:
- Lawful Basis: establishing a valid legal basis for all Personal Data processed through Drömlik UCaaS.
- Accuracy: ensuring data provided to Drömlik is accurate and current.
- Instructions: issuing lawful processing instructions to Drömlik.
- Impact Assessments: where required, conducting Data Protection Impact Assessments (DPIAs).
- User Access Management: controlling user permissions and feature enablement (e.g., recordings, AI transcription).
5. VALIDITY
This DPA takes effect upon the Customer’s acceptance of the Agreement and remains valid as long as Drömlik processes Personal Data on behalf of the Customer.
6. INDEMNITY
The Customer shall indemnify and hold harmless Drömlik, its affiliates, officers, and employees from any claims, losses, or liabilities resulting from the Customer’s non-compliance with this DPA or applicable data protection laws.
ANNEX A — DETAILS OF PROCESSING
Purpose of Processing:
- Delivery of communication and collaboration services.
- Support of core UCaaS features.
- Optional AI-powered features (e.g., transcription, call summaries), enabled at Customer discretion.
Categories of Data:
- Account Data: user names, emails, phone numbers, credentials.
- Usage Data: logs, metadata, CDRs.
- User Content: voicemails, chat messages, call recordings, transcripts.
- Optional Data: uploaded contacts, profile pictures, or CRM integrations.
Duration of Processing:
For as long as Drömlik provides Services or until deletion upon request.
Sub-processors:
| Entity Name | Purpose | Country/Region |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting | Multiple regions globally |
| Microsoft Azure | AI & analytics services | EU, UK, Singapore, US |
| Agora | Video conferencing | EU, UK, Asia-Pacific, US |
| Netease Inc. | Instant messaging (optional) | China |
| Customer-assigned local data center | Optional local hosting | Varies |
Features marked optional process data only when enabled.
Disclosures:
Personal Data may be disclosed only:
- With Customer consent;
- To comply with legal obligations;
- To protect vital interests or safety;
- To emergency service providers when required (e.g., emergency calls).
De-identified or aggregated data is not considered Personal Data under this DPA.
ANNEX B — STANDARD CONTRACTUAL CLAUSES (SCCs)
Where applicable, Drömlik and its Sub-processors shall rely on the EU Commission’s 2021 Standard Contractual Clauses (Module 2: Controller to Processor) to ensure lawful cross-border transfers of Personal Data from the EEA/UK to third countries without an adequacy decision.
Drömlik agrees to:
- Ensure onward transfers comply with equivalent safeguards.
- Provide a copy of applicable SCCs upon written request.
- Maintain records of international data transfers.
© 2026 Drömlik AB. All rights reserved.
Data Processing Agreement for Drömlik UCaaS Hosted Communication Platform.