Data Processing Agreement

Landvex AB acts as data processor for intelligence outputs delivered to enterprise clients under contract. The enterprise client acts as data controller for the personal data included in or derived from the intelligence outputs.

For certain processing activities — such as managing enterprise client contact data for contract administration — Landvex AB acts as an independent data controller. The full DPA document defines each processing activity and its applicable role.

The Landvex DPA addresses all mandatory requirements of GDPR Art. 28(3), including: processing only on documented instructions; confidentiality obligations on personnel; technical and organisational security measures; sub-processor management; data subject rights assistance; deletion or return on termination; and audit rights.

Landvex processes personal data only in accordance with documented enterprise client instructions, as defined in the service agreement and DPA annexes. Processing for Landvex's own purposes requires a separate legal basis and is not covered by the DPA.

Landvex uses a limited number of sub-processors, primarily AWS (infrastructure). A current sub-processor list is included in the DPA and is updated with 30 days' notice of any change. Enterprise clients may object to new sub-processors.

Enterprise clients retain audit rights as required by Art. 28(3)(h). Audits are conducted with reasonable notice and at the client's cost. Annual third-party audit reports may be provided in lieu of on-site audits at Landvex's discretion.

For enterprise clients based outside the European Economic Area, Landvex provides Standard Contractual Clauses (EU Commission Decision 2021/914) as the transfer mechanism for personal data received from EEA-based data subjects.

For UK-based enterprise clients, Landvex provides the UK GDPR International Data Transfer Addendum (IDTA) as a supplement to the EU SCCs, in accordance with ICO guidance.

AES-256 encryption at rest, TLS 1.3 in transit, AWS KMS key management, VPC network isolation, role-based access controls, annual penetration testing, and incident response procedures. Full TOMs annex is included in the DPA document.

To request a DPA or SCCs: legal@landvex.com
Response within 2 business days.

For vendor assessments and security questionnaires: compliance@landvex.com
5-business-day response SLA.

Data subject rights and GDPR privacy matters: privacy@landvex.com

Full data processing details for enterprise clients.

GDPR posture, infrastructure certifications, and questionnaire process.

Infrastructure security, verification chain, and penetration testing.

Enterprise service agreement and master terms.