Legal Documents

Important information about our services

Data Processing Agreement (DPA)

Last updated: January 2026

This Data Processing Agreement (“DPA”) forms part of the Bulkgrid Terms of Service (the “Main Agreement”) entered into between Bulkgrid AB, reg. no. 559465-9087 (“Bulkgrid”, the “Processor”, “we”, “us”) and the business customer (“Customer”, the “Controller”).

This DPA governs Bulkgrid’s processing of Personal Data on behalf of the Controller in connection with the provision of the services.

By using the Bulkgrid platform or services, the Controller agrees to this DPA.

1. Scope and precedence

1.1 This DPA applies to Bulkgrid’s processing of Personal Data on behalf of the Controller when providing the services, including website crawling, monitoring, indexing, storage, and AI-based analysis.

1.2 In the event of a conflict between this DPA and the Main Agreement, this DPA shall prevail to the extent required to ensure compliance with Regulation (EU) 2016/679 (“GDPR”).

2. Definitions

Unless otherwise defined herein, terms used in this DPA shall have the meanings set out in the GDPR.

For clarity:

  • Controller means the Customer, which determines the purposes and means of the Processing.
  • Processor means Bulkgrid, which Processes Personal Data on behalf of the Controller.
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on Personal Data as defined in Article 4 GDPR.
  • Subprocessor means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
  • Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

3. Roles and processing principles

3.1 The Controller is responsible for determining the purposes and legal basis for the Processing of Personal Data.

3.2 The Processor shall Process Personal Data only on documented instructions from the Controller, as set out in this DPA and the Main Agreement, unless otherwise required by Union or Member State law.

3.3 If the Processor believes that an instruction infringes applicable data protection law, it shall inform the Controller without undue delay and suspend the relevant Processing until the matter is resolved.

4. Nature, purpose, and scope of processing

4.1 The Processor Processes Personal Data solely for the purpose of providing, maintaining, and improving the services, including:

  • Crawling and indexing publicly accessible websites and domains;
  • Monitoring and managing crawl operations;
  • Storing, organizing, and analyzing crawled content;
  • Providing AI-driven insights and analytics;
  • Maintaining system logs, performance monitoring, and security.

4.2 The Processing may involve Personal Data contained in publicly available web content. The Processor does not determine the content or sources selected by the Controller.

4.3 The categories of data subjects may include website visitors, customers, employees, or other individuals whose Personal Data appears in publicly accessible web content.

4.4 The Controller shall not submit or instruct the Processor to Process special categories of Personal Data as defined in Article 9 GDPR.

5. Personnel and confidentiality

5.1 The Processor shall ensure that persons authorized to Process Personal Data are bound by confidentiality obligations.

5.2 The Processor shall ensure that such personnel receive appropriate training on data protection and information security.

6. Technical and organizational measures

6.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.

6.2 Such measures include, but are not limited to:

  • Encryption of Personal Data in transit and at rest;
  • Access controls and authentication mechanisms;
  • Logging and monitoring of system activity;
  • Vulnerability management and security patching;
  • Incident response and disaster recovery procedures;
  • Employee security awareness and training.

6.3 The Processor may update these measures over time, provided that the overall level of security is not materially reduced.

7. Personal Data Breaches

7.1 The Processor shall notify the Controller without undue delay, and where feasible within forty-eight (48) hours, after becoming aware of a Personal Data Breach.

7.2 Such notification shall include information reasonably necessary to enable the Controller to comply with Articles 33 and 34 GDPR.

7.3 The Processor shall take reasonable steps to mitigate the effects of the Personal Data Breach.

8. Data protection impact assessments and cooperation

8.1 Taking into account the nature of the Processing, the Processor shall assist the Controller in carrying out data protection impact assessments and prior consultations under Articles 35 and 36 GDPR.

8.2 The Processor shall cooperate with competent supervisory authorities where required by applicable law.

9. Subprocessors

9.1 The Controller grants the Processor a general written authorization to engage Subprocessors for the provision of the services.

9.2 The Processor shall ensure that any Subprocessor is subject to a written agreement imposing data protection obligations that are no less protective than those set out in this DPA.

9.3 The Processor shall remain fully liable to the Controller for the performance of its Subprocessors.

9.4 The Processor shall maintain an up-to-date list of authorized Subprocessors and shall inform the Controller of any intended changes. The Controller may object to such changes on reasonable data protection grounds.

10. International transfers

10.1 The Processor may transfer Personal Data outside the EU/EEA only in accordance with Chapter V GDPR.

10.2 Such transfers shall be based on one or more of the following safeguards, as applicable:

  • An adequacy decision under Article 45 GDPR;
  • Standard Contractual Clauses adopted by the European Commission under Article 46 GDPR;
  • Other lawful transfer mechanisms recognized under applicable data protection law.

10.3 Where required, the Processor shall implement supplementary measures to ensure an essentially equivalent level of protection.

11. Audits and transparency

11.1 Upon reasonable written notice, the Controller may audit the Processor’s compliance with this DPA no more than once per year.

11.2 The audit shall not unreasonably interfere with the Processor’s business operations.

11.3 The Controller shall bear its own costs related to the audit.

12. Assistance with data subject rights

12.1 The Processor shall assist the Controller in fulfilling its obligations regarding data subject rights under Chapter III GDPR.

12.2 Where assistance requires disproportionate effort, the Processor may charge a reasonable fee agreed in advance.

13. Liability

13.1 Each party shall be liable for damages caused by its own breach of this DPA or the GDPR.

13.2 The Processor’s total liability under this DPA shall be limited as set out in the Main Agreement, or if not specified, to SEK 100,000, except where prohibited by law.

13.3 This limitation shall not apply to willful misconduct or gross negligence.

14. Termination and deletion

14.1 Upon termination of the Main Agreement or upon written request, the Processor shall, at the Controller’s choice:

  • Return all Personal Data; or
  • Delete all Personal Data and confirm deletion in writing,

unless retention is required by law.

14.2 After deletion, the Processor shall cease all Processing of the Controller’s Personal Data.

15. Confidentiality

Each party shall keep confidential all information received in connection with this DPA, except where disclosure is required by law.

16. Amendments

The Processor may update this DPA to reflect changes in applicable law. The current version shall always be available on the Processor’s website.

17. Governing law and jurisdiction

This DPA shall be governed by the laws of Sweden.

Any dispute shall be subject to the exclusive jurisdiction of Stockholms tingsrätt as the court of first instance.

Bulkgrid AB
Västmannagatan 28A
113 25 Stockholm, Sweden
Reg. No. 559465-9087
Email: privacy@bulkgrid.com
Website: bulkgrid.com