Data protection
At FirstAgenda we take IT and data security very seriously. On this page you can read more about how we comply with IT security and data management and ensure that your information is not misused by third parties. FirstAgenda therefore complies with applicable data protection legislation.
GDPR Compliance
At FirstAgenda, we obtain an ISAE3000 statement annually.
The statement is drawn up by an independent third party regarding FirstAgenda's compliance with the General Data Protection Regulation, data protection provisions in other EU or Member State law and the content of the data processing agreement.
Historical statements
Download ISAE3000 statement June 2020/2021 (Prepare)
Download ISAE3402 statement June 2020/2021 (Live, Management, Publication)
Applicable for AWS infrastructure:
Download ISAE3000 statement June 2021/2022 (Prepare)
Applicable for Binero infrastructure:
Download ISAE3000 statement June 2021/2022 (Entire meeting suite)
Applicable for both Binero and AWS infrastructure:
Download ISAE3000 statement June 2022/2023 (Entire meeting suite)
Download deviations to declaration (22/23)
Download ISAE3000 statement June 2023/2024 (Full meeting suite)
Data processing agreement
In any customer relationship, we process personal data on behalf of our customers. In this relationship, our customers are data controllers and we are data processors.
This means that both we and our customers are obliged to enter into a data processing agreement, the content of which must meet the requirements of the GDPR.
FirstAgenda uses the Danish Data Protection Agency's standard contractual clauses as a data processing agreement. This has the advantage that we fulfill our joint obligation to enter into a valid data processing agreement.
Data processing agreement - AWS
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
Data processing agreement
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
Data processing agreement - Binero
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
Safety measures
Suppliers
Using recognized vendors that are ISO 27001:2013, 27017:2015, 27018:2014 and ISO 9001:2015 certified for platform hosting within the vendor's EU/EEA data regions.
Backup and anti-malware
Daily backup and updated anti-malware and anti-virus on systems and devices.
Using Multi Factor Authentication login
Multi Factor Authentication login option for the platform and production environment.
Physical security of sites
Physically secure locations with individual access key fobs and codes and monitored facilities.
Procedures
Procedures for accessing the production environment and accessing customer data.
Hardware
Hardware reuse is only done by restoring factory settings and hardware destruction is done according to the market standard for this, so data recovery is not possible.
Encryption
Full TLS and HTTPS encryption of data in transit.
Networking
Segmented and encrypted network and connection to Security Operation Center (SOC) via hosting provider.
Redundancy
Full redundancy at the main hosting and operations provider to ensure access and continuous operation of the platform.
Logging
Logging access and actions in the platform and systems.
Background check
Background checks for employees.
Continuous platform check
Full redundancy at the main hosting and operations provider to ensure access and continuous operation of the platform.
FAQ
Here you can find answers to some of the questions we are most frequently asked about GDPR.
-
A data processing agreement is a legally binding document that regulates the data processor's processing of personal data on behalf of the data controller. FirstAgenda is a data processor in connection with the delivery of its solutions and you as customers are data controllers.
To ensure compliance with the GDPR, it is necessary to enter into a contract that regulates the scope and duration of the processing. Please note that you as the data controller have the overall responsibility.
-
FirstAgenda provides the solutions Prepare, Publication, Live, Management and LetDialog.
Please note that it is necessary that the data processing agreement is concluded at product level, as the processing activity varies from one solution to another.
If your organization uses multiple solutions, you will need to enter into a corresponding number of data processing agreements. For example, it will be necessary to enter into two data processing agreements if your organization uses both Prepare and Publication.
-
When using FirstAgenda Publication, personal data is processed as defined in GDPR art. 4. As a data controller, you must be aware that this processing activity is different from that of FirstAgenda Prepare, which is why we, as a data processor, are obliged under GDPR art. 28 to receive instructions and purposes for exercising these processing activities in our provision of FirstAgenda Publication.
-
Formalized procedures are in place to ensure that FirstAgenda conducts a risk assessment to achieve appropriate security. The risk assessment performed is up to date and covers the current processing of personal data. FirstAgenda has implemented the technical measures to ensure appropriate security in accordance with the risk assessment.
We obtain an annual ISAE3000 statement from an independent auditor, which, among other things, tests that risk assessments have been carried out. The declarations are made available on the website and serve as documentation of our compliance with the GDPR and the provisions of the data processing agreement.
-
Data is stored in accordance with a data processing agreement. We perform ongoing screening and control of our sub-processors to ensure appropriate processing security.
We have implemented appropriate organizational and technical security measures to ensure that there are no unintentional third-country transfers, including but not limited to encryption measures in accordance with the EDPB's recommendations in this regard.
-
At FirstAgenda we have purchased, as a service, that AWS is obliged to process data within the EU-WEST (Ireland) data region, and thus within the EU/EEA.
FirstAgenda has, in continuation of the above, taken additional measures to ensure that the personal data is subject to adequate security and therefore cannot be accessed by unintended third parties. Encryption measures have been taken in accordance with the EDPB recommendations for this, ensuring the storage of the encryption key separately, so that even AWS does not have the possibility to decrypt FirstAgenda's dataset. As a security measure, we do not want to publish the exact location where the encryption key is stored, as this could be exploited.
Please note that on July 10, 2023, the European Commission adopted an adequacy decision that allows the transfer of personal data to the United States without the use of other transfer bases. However, this requires that the recipient is certified under the new EU-U.S. Data Privacy Framework by the U.S. Department of Commerce, which AWS is: https://www.dataprivacyframework.gov/s/participant-search
-
As a security measure, we do not want to publish the exact location where the encryption keys are stored, as this could be exploited with negative consequences. The encryption keys are stored separately in locations that even AWS does not know about.
-
Binero is headquartered in Sweden, which is why all hosting is done at locations in Sweden. With Binero, you get a European setup where you are also assured of a high level of security, which is reflected in their certifications and declarations.
AWS is obligated under their standard sub-processor agreement to perform data processing within the EU-WEST (Ireland) data region. AWS has a state-of-the-art setup, which is reflected in their many certifications and declarations.
-
We have addressed the comments in our latest ISAE3000 statement. This is further elaborated below:
Deviations in ISAE3000 declaration
-
As a data processor, we offer solutions for you as a data controller. It is the data controller who must comply with GDPR articles 12, 13 and 14. In some of our solutions, we help you as a data controller to comply with the duty of disclosure, in particular by supporting a subpage where you have the opportunity to provide the statutory information.
-
As a customer, you must be aware of who must comply with what in which role. This means that when you access FirstAgenda's website(s), these websites have nothing to do with the delivery of the solutions, and thus FirstAgenda is the data controller for the processing of personal data that takes place on the websites.
No cookie technologies are used in the solutions themselves.