Version 1.0
CAKESTER – DATA PROCESSING AGREEMENT
Document reference: DPA-CST-2025
Version: 1.0
Governing law: GDPR (EU) 2016/679 & Swedish data protection law
Preamble & Parties
This Data Processing Agreement ("Agreement" or "DPA") is entered into between:
Controller ("Client"): The legal entity or individual whose authorised representative agrees to this DPA upon signing up for the Cakester service, identified by the account registration details provided at sign-up.
Processor ("Cakester"): Cakester AB, a company incorporated under Swedish law, whose registered office is at [Registered Address], Sweden, providing automated HR cake and fika ordering services.
Together referred to as the "Parties" and each individually as a "Party".
This DPA forms part of, and is incorporated into, the Cakester Terms of Service ("Main Agreement") between the Parties. By completing registration and accepting the Terms of Service, the Client agrees to be bound by this DPA. In the event of conflict between this DPA and the Main Agreement, this DPA shall prevail in respect of personal data processing matters.
1. Definitions
In this DPA, the following terms shall have the meanings set out below:
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined in Article 9 GDPR.
"Processing" has the meaning given in Article 4(2) GDPR.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates; in this context, the Client's employees or contractors whose data is entered into the Cakester platform.
"Sub-processor" means any processor engaged by Cakester who processes Personal Data on behalf of the Client.
"Supervisory Authority" means an independent public authority responsible for monitoring the application of GDPR, in Sweden the Integritetsskyddsmyndigheten (IMY).
"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles of the Parties
2.1 The Client is the Data Controller in respect of the Personal Data of its employees and contractors entered into the Cakester platform. The Client determines the purposes and means of processing.
2.2 Cakester is the Data Processor. Cakester processes Personal Data solely on documented instructions from the Client, except where required to do so by applicable law.
2.3 Where Cakester independently determines the purposes and means of any processing (e.g. aggregated analytics for service improvement), Cakester acts as a Data Controller for such processing and shall maintain a separate lawful basis.
3. Subject Matter, Nature, and Purpose of Processing
3.1 Subject matter: Personal Data of the Client's employees and contractors for the purpose of fulfilling cake and fika orders on celebratory occasions.
3.2 Nature of processing: collection, storage, use, disclosure to third-party suppliers (bakeries, couriers), and deletion.
3.3 Purposes: (i) scheduling and placing cake/fika orders on birthdays, work anniversaries, and other events designated by the Client; (ii) communicating delivery and logistics information to relevant suppliers; (iii) customer support and dispute resolution.
3.4 Duration: for the term of the Main Agreement, plus any retention period required by applicable law or as set out in Clause 9.
4. Categories of Personal Data and Data Subjects
4.1 Data Subjects
Employees, contractors, or other staff members of the Client whose details are entered by the Client's HR personnel or office administrators.
4.2 Categories of Personal Data Processed
| Data Category | Details |
|---|---|
| Identity data | Full name; preferred name; pronouns (optional) |
| Contact data | Work email address (optional) |
| Employment data | Job title; team; office location; employment start date; employment end/retirement date (all optional) |
| Date data | Date of birth; employment start date |
| Health / dietary data | Food restrictions / allergies; free-text dietary notes (optional; Special Category Data under Article 9 GDPR, see Clause 4.3) |
| Religious / philosophical indicators | Dietary preferences that may reveal religious or philosophical beliefs (e.g. halal, kosher) (optional; Special Category Data under Article 9 GDPR, see Clause 4.3) |
4.3 Special Category Data – Additional Obligations
Certain optional fields may constitute Special Category Data under Article 9 GDPR: food restriction and allergy information (and any free-text dietary notes) may reveal data concerning health, and dietary preferences such as halal or kosher may reveal religious or philosophical beliefs. The Client, as Data Controller, is solely responsible for:
- Identifying an appropriate legal basis under Article 9(2) GDPR (e.g. explicit consent of the Data Subject, or processing necessary to protect the vital interests of the Data Subject).
- Collecting and documenting such consent or other lawful basis before entering health-related or belief-revealing data into the Cakester platform.
- Informing Data Subjects that their dietary information will be shared with third-party bakery and logistics suppliers.
Cakester shall process such data only on the Client's documented instructions, implement appropriate technical and organisational measures, and shall not use such data for any other purpose.
5. Obligations and Responsibilities of the Client (Controller)
The Client represents, warrants, and undertakes that:
- It has a valid legal basis under GDPR Article 6 (and Article 9 where applicable) for providing Personal Data to Cakester.
- It has provided Data Subjects with all required information under GDPR Articles 13 and 14 (privacy notices) covering the processing described in this DPA.
- The Personal Data entered into the platform is accurate, adequate, and not excessive for the stated purposes.
- It will ensure that authorised users (HR personnel, office managers) access the platform only in accordance with applicable law and this DPA.
- It will promptly notify Cakester of any changes to accuracy of data or instructions that may affect Cakester's processing activities.
- It has obtained, where required, the explicit consent of Data Subjects before entering Special Category Data (dietary/allergy information) into the platform.
- It accepts full responsibility and liability as Data Controller for compliance with all applicable data protection laws in relation to its own processing activities and its instructions to Cakester.
6. Obligations of Cakester (Processor)
Cakester undertakes to:
- Process Personal Data only on documented instructions from the Client, unless required by applicable law, in which case Cakester shall inform the Client of such requirement before processing (where legally permitted).
- Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures as set out in Clause 8.
- Assist the Client, at the Client's reasonable cost, with fulfilling its obligations to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection).
- Assist the Client in meeting its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation).
- At the Client's choice, delete or return all Personal Data upon termination of the service, and delete existing copies, unless applicable law requires continued storage.
- Make available to the Client all information necessary to demonstrate compliance with this Clause, and allow for and contribute to audits conducted by the Client or a mandated auditor, with reasonable prior written notice (not less than 30 days).
- Immediately inform the Client if, in Cakester's opinion, an instruction infringes GDPR or applicable data protection law.
7. Sub-processors
7.1 The Client grants Cakester a general written authorisation to engage Sub-processors for the purpose of fulfilling the service, subject to the conditions in this Clause.
7.2 Current Sub-processors include: bakery suppliers, courier and logistics providers, cloud infrastructure providers, and payment processors. An up-to-date list of Sub-processors is available at https://cakester.io/sub-processors.
7.3 Cakester shall inform the Client of any intended addition or replacement of Sub-processors by updating the list at the above URL and providing at least 14 days' prior email notice to the registered account address. The Client may object to a new Sub-processor on reasonable grounds by notifying Cakester in writing within 14 days of receiving such notice. If the Client's objection cannot be resolved, either Party may terminate the relevant services on 30 days' written notice without penalty.
7.4 Cakester shall impose data protection obligations on each Sub-processor no less protective than those contained in this DPA, by way of contract. Cakester remains liable to the Client for the acts and omissions of its Sub-processors.
7.5 Sub-processors shall only receive access to Personal Data to the extent necessary for their specific task and shall not be permitted to use it for any other purpose.
8. Security Measures
8.1 Cakester shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account:
- The state of the art and costs of implementation;
- The nature, scope, context, and purposes of processing; and
- The varying likelihood and severity of risks to the rights and freedoms of natural persons.
8.2 Such measures include, as a minimum:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Role-based access controls and least-privilege principles.
- Regular security testing and vulnerability assessments.
- Audit logging of access to Personal Data.
- Business continuity and disaster recovery procedures.
8.3 Security Incident Notification: Cakester shall notify the Client without undue delay, and in any case within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA. Notification shall include, to the extent available: (i) a description of the incident; (ii) categories and approximate number of Data Subjects concerned; (iii) categories and approximate volume of Personal Data records concerned; (iv) likely consequences; and (v) measures taken or proposed. Where a full notification cannot be provided within 72 hours, Cakester shall provide an initial notification and supplement it with additional information as it becomes available.
8.4 The Client is responsible for its own users' access credentials and for ensuring appropriate access management on its end.
9. Data Retention and Deletion
9.1 Cakester shall retain Personal Data only for as long as necessary to provide the service or as required by applicable law.
9.2 Upon termination or expiry of the Main Agreement, Cakester shall, within 30 days, at the Client's written request: (i) return to the Client a complete copy of all Personal Data in a machine-readable format; and/or (ii) securely delete or destroy all Personal Data, including copies held by Sub-processors, and provide written confirmation.
9.3 Where applicable law requires continued retention, Cakester shall inform the Client of the retention requirement and the legal basis, and shall restrict processing of such data to the minimum necessary to fulfil that legal obligation.
9.4 The Client may, at any time during the service, request deletion of specific Data Subjects' records from the platform. Cakester shall action such requests within 5 business days, subject to any operational or legal retention obligations.
10. International Transfers
10.1 Cakester shall not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the Client, unless:
- The transfer is to a country deemed to provide an adequate level of protection under Article 45 GDPR; or
- Appropriate safeguards are in place in accordance with Article 46 GDPR (e.g. Standard Contractual Clauses); or
- A specific derogation under Article 49 GDPR applies.
10.2 Where Standard Contractual Clauses are relied upon, Cakester shall make them available to the Client upon request.
11. Liability and Indemnification
11.1 Each Party shall be liable for its own non-compliance with GDPR and this DPA as provided under GDPR Articles 82 and 83.
11.2 The Client acknowledges and agrees that, as Data Controller, it bears primary responsibility and liability for:
- Establishing and maintaining a valid legal basis for processing under GDPR Articles 6 and 9.
- Issuing compliant privacy notices to Data Subjects.
- Ensuring the accuracy and appropriateness of Personal Data entered into the platform.
- Obtaining explicit consent for Special Category Data (dietary/allergy information).
- Any claim, loss, or damage arising from the Client's instructions to Cakester or the Client's own processing activities.
11.3 Cakester's total aggregate liability to the Client under or in connection with this DPA shall not exceed, in any twelve-month period, the total fees paid by the Client to Cakester in the preceding twelve months, except in cases of gross negligence, wilful misconduct, or as required by mandatory applicable law.
11.4 Neither Party shall be liable for any indirect, consequential, special, or punitive damages, including loss of profit, revenue, or data, arising out of or in connection with this DPA, even if advised of the possibility of such damages.
11.5 The Client shall indemnify and hold Cakester harmless against any third-party claims, regulatory fines, or penalties arising from: (i) the Client's failure to comply with its obligations as Data Controller; (ii) Personal Data entered into the platform without a lawful basis; or (iii) inaccurate or unauthorised Personal Data provided by the Client.
11.6 Notwithstanding the foregoing, nothing in this DPA limits either Party's liability in respect of death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability which cannot be excluded or limited by law.
12. Data Subject Rights
12.1 Cakester shall promptly notify the Client (and in any case within 5 business days) upon receiving a request from a Data Subject exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection, or rights related to automated decision-making).
12.2 Cakester shall not respond to such requests directly (except to confirm that the request should be directed to the Client) unless specifically instructed to do so by the Client in writing.
12.3 The Client, as Data Controller, is responsible for responding to Data Subject requests within the timeframes prescribed by GDPR. Cakester shall provide reasonable technical assistance to facilitate the Client's response.
13. Term and Termination
13.1 This DPA shall commence on the date the Client accepts the Cakester Terms of Service and shall remain in force for the duration of the Main Agreement.
13.2 Termination of the Main Agreement shall automatically terminate this DPA, subject to the survival provisions in Clause 13.3.
13.3 Clauses 4, 9, 11, and 14 shall survive termination of this DPA.
13.4 Either Party may terminate this DPA with immediate effect on written notice if the other Party is in material breach of this DPA and fails to remedy such breach within 30 days of receiving written notice thereof.
14. General Provisions
14.1 Governing Law: This DPA shall be governed by and construed in accordance with the laws of Sweden, without regard to its conflict of law provisions. The Parties submit to the exclusive jurisdiction of the Swedish courts.
14.2 Amendments: Cakester may amend this DPA to reflect changes in applicable law or service features, by providing the Client with at least 30 days' prior written notice. Continued use of the service after the effective date of any amendment constitutes acceptance. If the Client does not accept a material amendment, it may terminate the service on written notice prior to the effective date.
14.3 Entire Agreement: This DPA, together with the Main Agreement, constitutes the entire agreement between the Parties with respect to data processing and supersedes all prior agreements and understandings.
14.4 Severability: If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
14.5 No Waiver: Failure to enforce any provision shall not constitute a waiver.
14.6 Notices: All notices under this DPA shall be in writing and sent to the registered account email address, or to Cakester at legal@cakester.io.
SCHEDULE A – PROCESSING DETAILS
| Field | Detail |
|---|---|
| Controller (Client) | As identified in Cakester account registration |
| Processor | Cakester AB, [Registered Address], Sweden |
| Subject matter | Employee celebratory cake and fika ordering |
| Duration | Duration of the Main Agreement |
| Nature of processing | Collection, storage, use, disclosure to suppliers, deletion |
| Purpose | Automated placement of cake/fika orders on designated celebratory events (birthdays, work anniversaries, general celebrations) on behalf of the Client |
| Data Subjects | Client's employees and contractors entered by HR/office managers |
| Personal Data categories | Full name; preferred name; pronouns; work email; job title; team; office location; date of birth; employment start date; employment end/retirement date; food restrictions / allergies and free-text dietary notes (Special Category: health); dietary preferences that may reveal religious or philosophical beliefs, e.g. halal/kosher (Special Category) |
| Retention period | For the duration of the Main Agreement. On termination, Personal Data is returned and/or securely deleted within 30 days of the Client's request (Clause 9.2). Thereafter Cakester retains only records it is required to keep by applicable law (e.g. invoicing/accounting data under the Swedish Bookkeeping Act, Bokföringslagen (SFS 1999:1078), for the statutory period), restricted to the minimum necessary |
| Sub-processor categories | Bakery suppliers; courier/logistics providers; cloud infrastructure (EU-based); payment processors |
SCHEDULE B – CLICKWRAP ACCEPTANCE & RECORD OF CONSENT
B.1 How This Agreement Is Executed
This DPA does not require a handwritten or electronic ink signature. It is executed by clickwrap acceptance: the Client's authorised representative checks the acceptance box presented during the Cakester account registration flow, which reads:
☐ I agree to the Terms of Service and the Data Processing Agreement (see Appendix). I confirm that I am authorised to enter into this agreement on behalf of my organisation. By checking this box I acknowledge that I have read and understood the DPA in full, including my organisation's obligations as Data Controller.
B.2 Legal Effect of Clickwrap Acceptance
Checking the acceptance box constitutes a legally binding agreement to this DPA with the same legal effect as a handwritten signature under Swedish law (Act on Electronic Signatures, SFS 2016:561) and EU Regulation No 910/2014 (eIDAS). The act of checking the box combined with the acceptance record described in Clause B.3 constitutes conclusive evidence of the Client's agreement.
B.3 Acceptance Record – What Cakester Logs
Cakester shall automatically create and retain an acceptance record at the moment the acceptance box is checked. This record constitutes the binding execution of this DPA and shall include:
| Field | Description |
|---|---|
| Timestamp | Date and time of acceptance in UTC (ISO 8601 format) |
| IP address | The IP address from which the acceptance was submitted |
| User identity | Full name and email address of the individual who checked the box |
| Account / company | Registered company name and account identifier |
| DPA version | Version number and hash of the DPA document accepted (e.g. v1.0) |
| Acceptance method | Confirmation that acceptance was via clickwrap checkbox at registration |
| Browser / user agent | Browser and device information at time of acceptance |
Cakester shall retain acceptance records for the duration of the Main Agreement plus five (5) years, or such longer period as required by applicable law. Acceptance records shall be made available to the Client or a competent supervisory authority upon request.
B.4 Authority to Bind
The individual completing registration and checking the acceptance box warrants that they have full authority to bind the Client organisation to this DPA. The Client organisation shall be bound by this DPA regardless of whether the individual had actual authority, provided Cakester reasonably relied on the apparent authority of that individual.
If the individual does not have authority to bind the Client, they must not check the acceptance box and must contact Cakester at legal@cakester.io to arrange execution by an authorised representative before the service is used.
B.5 DPA Presented as Appendix at Registration
The full text of this DPA shall be presented to the Client's representative during the registration flow as a scrollable appendix, accessible via a clearly labelled link reading "Data Processing Agreement" immediately adjacent to the acceptance checkbox. The Client shall have the opportunity to read the DPA in full before acceptance. The checkbox shall not be pre-ticked.
B.6 Updated Versions
If Cakester issues an updated version of this DPA in accordance with Clause 14.2, affected Clients will be prompted to re-accept the updated DPA upon their next login. A new acceptance record will be created for each version accepted. Continued use of the service after the prompt constitutes acceptance of the updated version.
This document has legal effect. The Client is advised to seek independent legal counsel before accepting.