Data Processing Agreement

Compose Glow AB · glowcode.io · Version 1.0 · March 2026

1. Definitions

In this DPA, the following terms have the meanings given below: Controller means the customer entity that has agreed to Glow's Terms of Service and uses the Glow platform to collect personal data from third parties. Processor means Compose Glow AB, the entity that operates the Glow platform and processes personal data on behalf of the Controller. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council. Personal Data has the meaning given in Article 4(1) GDPR. Processing has the meaning given in Article 4(2) GDPR. Data Subject means the individual whose personal data is processed. Sub-processor means any third party engaged by the Processor to process personal data under this DPA. Services means the Glow form-building and data collection platform provided at glowcode.io.


2. Scope and nature of processing

The Processor shall process personal data only on behalf of the Controller and only for the purposes of providing the Services, as described in Annex 1 to this DPA. The Processor shall not process personal data for any other purpose, including the Processor's own commercial purposes, unless required by law.


3. Controller's obligations

The Controller represents and warrants that:

- It has a valid legal basis for collecting the personal data it processes through the Services;
- It has provided appropriate privacy notices to data subjects whose data is collected through Glow forms;
- It has the authority to instruct the Processor to process personal data as described in this DPA;
- Its instructions to the Processor comply with applicable data protection law.

4. Processor's obligations

The Processor shall:

- Process personal data only on documented instructions from the Controller, unless required to do so by law;
- Ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR;
- Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data;
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection);
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
- At the Controller's choice, delete or return all personal data upon termination of the Services, and delete existing copies unless required by law to retain them;
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. The current list of approved sub-processors is set out in Annex 2. The Processor shall impose data protection obligations on sub-processors equivalent to those in this DPA, by way of a written contract. The Processor remains fully liable to the Controller for the performance of sub-processors' obligations.

6. International data transfers

Personal data is primarily stored within the EEA on Microsoft Azure infrastructure in Sweden Central. Where personal data is transferred outside the EEA to sub-processors (see Annex 2), the Processor ensures that appropriate safeguards are in place in accordance with Chapter V GDPR, including Standard Contractual Clauses (SCCs) adopted by the European Commission.

7. Security measures

The Processor has implemented the following technical and organisational measures to protect personal data:

- Encryption of personal data in transit using TLS 1.2 or higher;
- Encryption of personal data at rest;
- Role-based access controls limiting access to personal data to authorised personnel only;
- Regular security assessments and vulnerability testing;
- Hosting on Microsoft Azure Sweden Central, ISO 27001 and SOC 2 Type II certified infrastructure;
- Incident response and breach notification procedures.

8. Data subject rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests. Where a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller. The Controller is responsible for responding to data subject rights requests within the timeframes required by GDPR.

9. Data breach notification

In the event of a personal data breach affecting the Controller's data, the Processor shall:

- Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach;
- Provide sufficient information to allow the Controller to meet its own notification obligations to supervisory authorities and data subjects;
- Cooperate with the Controller and take such steps as the Controller reasonably requires to investigate and remediate the breach.

10. Audit rights

The Controller may, upon reasonable prior written notice (not less than 30 days), request an audit of the Processor's data processing activities to verify compliance with this DPA. Such audits shall be conducted at the Controller's cost, no more than once per year, and shall not unreasonably interfere with the Processor's operations. The Processor may satisfy audit requests by providing up-to-date certifications, audit reports, or other relevant documentation.

11. Term and termination

This DPA remains in force for as long as the Processor processes personal data on behalf of the Controller under the Terms of Service. Upon termination of the Services, the Processor shall, at the Controller's election, either securely delete or return all personal data processed under this DPA, within 30 days of the termination date, unless applicable law requires retention.

12. Governing law

This DPA is governed by the laws of Sweden. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the Swedish courts.

13. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to the processing of personal data.

Annex 1 - Description of processing activities

Nature and purpose of processing: The Processor provides a form-building and data collection platform. The Controller uses this platform to create forms, publish them to respondents, and collect and review responses. The Processor stores and processes form submission data on behalf of the Controller.

Categories of personal data:

- Contact data (names, email addresses, phone numbers);
- Professional data (job titles, employer, work history);
- Uploaded files (CVs, certificates, identification documents);
- Any other personal data entered by respondents into form fields configured by the Controller.

Special categories of personal data: The platform includes a sensitive data tagging feature that allows Controllers to flag fields containing special category data. The Controller is responsible for ensuring it has an appropriate legal basis for processing any special category data.

Categories of data subjects:

- Job candidates and applicants;
- Employees and contractors;
- Clients and customers;
- Citizens and members of the public;
- Any other individuals whose data the Controller collects through Glow forms.

Retention period: Personal data is retained in accordance with the tier-based retention periods set out in Glow's Terms of Service (30 days for Evaluation tier; 180 days for paid tiers). Controllers may delete data at any time through the platform.

Annex 2 - Approved sub-processors

The following sub-processors are approved as of the date of this DPA (sub-processor - purpose - location - transfer mechanism):

- Microsoft Azure - Cloud infrastructure and data hosting - Sweden Central (EEA) - EEA, no transfer.
- Stripe, Inc. - Payment processing - United States - Standard Contractual Clauses (SCCs).
- Mixpanel, Inc. - Product analytics - United States - Standard Contractual Clauses (SCCs).
- Google LLC - Website analytics (GA4) - United States - Standard Contractual Clauses (SCCs).

The Processor will notify the Controller of any changes to this list with at least 14 days' notice. The Controller may object to the addition of a new sub-processor within that notice period. Where the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the Services with written notice.

Related documents: Terms of Service | Privacy Policy