This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service for the Kleer for HubSpot integration service (“Terms of Service”) and governs the processing of personal data by iGoMoon AB on behalf of the customer.
By checking the acceptance box during installation and completing the setup of the Kleer for HubSpot application, you (“CUSTOMER”) agree to this DPA. This DPA is effective from the date of installation.
1. Introduction
1.1 The CUSTOMER has accepted the Terms of Service for the Kleer for HubSpot integration service provided by iGoMoon AB, corporate reg. no. 556899-5681, Birger Jarlsgatan 57A, SE-113 65 Stockholm, Sweden (“IGOMOON”). The Terms of Service constitute the “Main Agreement” for the purposes of this DPA.
1.2 Pursuant to the Main Agreement, IGOMOON processes personal data for which the CUSTOMER is the Controller. IGOMOON acts as a Personal Data Processor for the Processing.
1.3 In the event of conflict between a provision in this DPA and a provision in the Main Agreement, the provisions of this DPA shall prevail to the extent that they provide higher protection of the Personal Data that is Processed.
1.4 This DPA shall remain in force for as long as IGOMOON Processes Personal Data on behalf of the CUSTOMER.
2. Definitions
Unless the circumstances clearly indicate otherwise, definitions used in this DPA shall be defined as set forth below. Any term used in the General Data Protection Regulation and not stated below shall be defined as set forth in Article 4 of the General Data Protection Regulation.
| Term | Definition |
|---|---|
| Processing | An operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| General Data Protection Regulation | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Controller | A natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. |
| Processor | A natural or legal person which processes Personal Data on behalf of the Controller. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed. |
| Data Subject | The living natural person whose Personal Data is Processed. |
| Service | The Kleer for HubSpot integration service as described in the Terms of Service. |
3. Documents
3.1 This DPA comprises this document and the appended Processing Description (Appendix 1).
3.2 In the event of any contradictions between this document and the Processing Description, this document shall take precedence, unless otherwise specifically stipulated.
4. Processing of Personal Data
4.1 The CUSTOMER is the Controller of the Personal Data which is Processed through the Service.
4.2 IGOMOON is the Processor on behalf of the CUSTOMER.
4.3 IGOMOON has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing meets the requirements of the General Data Protection Regulation and ensures protection of the rights of the Data Subject.
4.4 Taking into consideration the nature of the Processing, IGOMOON shall assist the CUSTOMER by taking suitable technical and organisational measures, to the extent possible, to enable the CUSTOMER to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the General Data Protection Regulation.
5. Purpose and Type of Personal Data
The Processing Description (Appendix 1) states the subject, duration, nature, and purpose of the Processing, the type of Personal Data, and categories of Data Subjects.
6. IGOMOON’s Personnel
6.1 IGOMOON, its employees, and other persons who perform work under IGOMOON’s supervision and who gain access to Personal Data belonging to the CUSTOMER may only process such Personal Data in accordance with the Terms of Service and this DPA, unless obligated to do so pursuant to EU law or Swedish national law.
6.2 IGOMOON shall ensure that all persons authorised to process Personal Data covered by this DPA are subject to appropriate confidentiality obligations.
7. Security
7.1 IGOMOON shall take all necessary safeguards in conjunction with the Processing as required under the General Data Protection Regulation (particularly Article 32) and this DPA.
7.2 Taking into consideration the type of Processing, IGOMOON shall assist the CUSTOMER in ensuring that the obligations regarding security can be satisfied in accordance with Article 32 of the General Data Protection Regulation.
7.3 In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data.
8. Personal Data Breach
8.1 IGOMOON shall assist the CUSTOMER in ensuring that obligations arising due to any Personal Data Breach can be fulfilled in accordance with Articles 33–34 of the General Data Protection Regulation.
8.2 IGOMOON shall notify the CUSTOMER without unnecessary delay, and within twenty-four (24) hours, after IGOMOON has learned of a Personal Data Breach. The notification shall contain: (a) a description of the nature of the breach, including categories and approximate number of affected Data Subjects and records; (b) a description of the likely consequences; (c) a description of the actions taken or proposed to address the breach.
8.3 IGOMOON undertakes to document all Personal Data Breaches.
9. Impact Assessment
Taking into consideration the nature of the Processing, IGOMOON shall assist the CUSTOMER in fulfilling its obligations to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the General Data Protection Regulation, where applicable.
10. Sub-Processors
10.1 IGOMOON shall be entitled to engage sub-processors to perform the work under this DPA. A current list of sub-processors is maintained in the Processing Description (Appendix 1).
10.2 IGOMOON shall notify the CUSTOMER in writing of any intended changes to sub-processors at least thirty (30) days before the change takes effect. Notification will be provided via email to the address associated with the CUSTOMER’s account.
10.3 The CUSTOMER has the right to object, with due cause, within fourteen (14) days from IGOMOON’s written notice. If the CUSTOMER has not objected within the said time, the proposed sub-processor shall be deemed approved.
10.4 If the CUSTOMER objects, IGOMOON may: (a) refrain from engaging the sub-processor; (b) take action that reasonably eliminates the reason for the objection; or (c) temporarily or permanently cease to provide the part of the Service that involves Processing by the sub-processor in question. If none of these options are possible and the CUSTOMER maintains its objection after thirty (30) days, either Party may terminate the Service with respect to the affected processing.
10.5 Agreements between IGOMOON and sub-processors shall impose obligations no less restrictive than those in this DPA.
10.6 IGOMOON shall be liable to the CUSTOMER for the performance of any sub-processor’s obligations.
11. Transfer to a Third Country
IGOMOON may transfer Personal Data outside the EU/EEA only where such transfer meets the requirements of the General Data Protection Regulation, including Chapter V. The current hosting location is specified in the Processing Description (Appendix 1).
12. Right to Transparency
IGOMOON shall grant the CUSTOMER access to all information required to verify compliance with Article 28 of the General Data Protection Regulation, and to enable and assist in audits conducted by the CUSTOMER or an authorised examiner. The CUSTOMER may exercise this audit right no more than once per twelve (12) month period, with at least thirty (30) days’ prior written notice. The CUSTOMER shall compensate IGOMOON for reasonable costs incurred in connection with any such audit.
13. Records of Processing Activities
IGOMOON shall maintain an electronic record of all categories of Processing activities carried out on behalf of the CUSTOMER, containing at a minimum: (a) name and contact details of IGOMOON and the CUSTOMER; (b) the purposes of the Processing; (c) categories of Data Subjects and Personal Data; (d) categories of Processing; (e) categories of recipients; (f) envisaged time limits for erasure; (g) transfers to third countries; (h) a general description of technical and organisational security measures.
14. Liability
14.1 Liability under this DPA shall be subject to the limitations set forth in the Terms of Service, except that such limitations shall not apply: (i) where a supervisory authority or court orders a Party to pay an administrative fine; (ii) where a Party has a right of subrogation against the other Party; or (iii) in conjunction with a claim for damages brought by a Data Subject under GDPR Article 82.
15. Termination
15.1 When IGOMOON discontinues Processing Personal Data on behalf of the CUSTOMER, IGOMOON shall delete all Personal Data associated with this DPA within thirty (30) days, unless storage is required by law. This DPA shall remain in force until IGOMOON and any sub-processors have discontinued all Processing on behalf of the CUSTOMER.
16. Confidentiality
16.1 The Parties undertake, during the term of this DPA and thereafter, not to disclose to any third party Confidential Information learned as a result of this DPA. This does not apply to information which is in the public domain or which a Party is required to disclose by law.
17. Governing Law and Disputes
17.1 This DPA shall be governed by and construed in accordance with the laws of Sweden.
17.2 Any dispute arising out of or in connection with this DPA shall be settled by Swedish courts with Stockholm District Court as court of first instance.
This DPA is accepted by the CUSTOMER by checking the acceptance box during installation and completing the setup of the Kleer for HubSpot application, as described in the Terms of Service.
Appendix 1 — Processing Description
Kleer for HubSpot
1. Contact Information
| Controller | The CUSTOMER, as identified by the account associated with the Kleer for HubSpot installation. |
| Processor | iGoMoon AB, reg. no. 556899-5681 |
| Address | Birger Jarlsgatan 57A, SE-113 65 Stockholm, Sweden |
| Phone | +46 (0)10 410 11 00 |
| support@igomoon.com |
2. Service Description
The Service integrates the CUSTOMER’s Kleer accounting system with HubSpot CRM. The Service provides two core functions:
- Scheduled synchronisation: Business data (clients, invoices, agreements, projects, products, and line items) is synchronised between platforms. Clients and projects support two-way sync; all other object types sync one-way from Kleer to HubSpot.
- Workflow actions: The Service can create new records in Kleer (clients, invoices, agreements, and projects) triggered by HubSpot workflows configured by the CUSTOMER.
The HubSpot connection is established via OAuth. The Kleer connection is established via API key and Company ID provided by the CUSTOMER.
IGOMOON operates the synchronisation infrastructure. Personal data passes through IGOMOON’s servers during the synchronisation process but is not persistently stored. The following data is stored on IGOMOON’s infrastructure within the EU/EEA: mapping IDs (linking records between Kleer and HubSpot), account credentials (API key and Company ID, encrypted at rest), field mapping configurations, change detection hashes, registration data provided during setup (company name, contact person name, email address, and HubSpot portal ID), and synchronisation logs. Synchronisation logs are retained for a maximum of ninety (90) days for troubleshooting purposes and then automatically deleted.
3. Categories of Personal Data
The following categories of personal data may be processed through the Service, depending on the data present in the CUSTOMER’s Kleer and HubSpot accounts:
- Contact information: name, email address, phone number, postal address.
- Identification information: corporate registration number, VAT number.
- Financial data: invoice amounts, payment status, agreement terms, project fees.
- CRM data: deal stages, activity logs, notes, associated company and contact records.
- Product and line item data: product names, descriptions, quantities, pricing.
- Registration data: contact person name and email address provided during setup of the Service.
No special category data (GDPR Art. 9) is intended to be processed through the Service. If special category data is present in the CUSTOMER’s systems, the CUSTOMER is responsible for ensuring a lawful basis for such processing.
4. Categories of Data Subjects
The following categories of data subjects may be included, depending on the data present in the CUSTOMER’s Kleer and HubSpot accounts:
- The CUSTOMER’s representative who installs and administers the Service.
- The CUSTOMER’s customers and business contacts.
- The CUSTOMER’s employees and staff (where referenced in invoices, projects, or CRM records).
- The CUSTOMER’s suppliers and vendor contacts.
5. Purpose of the Processing
IGOMOON processes personal data on behalf of the CUSTOMER to:
- Synchronise client, invoice, agreement, project, product, and line item data between Kleer and HubSpot (two-way for clients and projects; one-way from Kleer to HubSpot for all other object types).
- Create new records in Kleer (clients, invoices, agreements, and projects) on the CUSTOMER’s instruction via HubSpot workflow actions.
- Maintain mapping IDs, change detection hashes, and field mapping configurations to ensure data consistency between platforms.
- Store account credentials (API key and Company ID, encrypted) to authenticate API connections on behalf of the CUSTOMER.
6. Duration of the Processing
The processing shall continue for the duration of the CUSTOMER’s use of the Service. Upon termination (uninstallation of the application or account closure), IGOMOON shall cease processing and delete all personal data within thirty (30) days, in accordance with section 15 of the DPA.
7. Security Measures
A. Encryption
All data in transit is encrypted using TLS 1.2 or higher. Account credentials and API keys are encrypted at rest using industry-standard encryption.
B. Access Management
Access to the synchronisation infrastructure and customer data is restricted to authorised IGOMOON personnel on a need-to-know basis. Two-factor authentication (2FA) is required for all administrative access.
C. Infrastructure
The Service is hosted within the EU/EEA on infrastructure provided by Laravel Cloud. The hosting provider is selected and evaluated by IGOMOON to ensure an adequate level of technical and organisational security in accordance with GDPR Article 32.
D. Data Minimisation
IGOMOON stores only the minimum data necessary for the Service to function: mapping IDs (linking records between Kleer and HubSpot), account credentials (API key and Company ID, encrypted), field mapping configurations, change detection hashes, registration data (company name, contact person name, email address, and HubSpot portal ID), and synchronisation logs retained for troubleshooting purposes. No business data or personal data is persistently stored beyond the above.
E. Incident Procedures
IGOMOON maintains procedures for detecting, reporting, and documenting personal data breaches in accordance with section 8 of the DPA.
F. Backups and Recovery
Mapping IDs, account credentials, and configuration data are backed up regularly. Backup retention does not exceed ninety (90) days.
8. Sub-Processors
The following sub-processors are engaged as of the date of this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Laravel Cloud | Infrastructure hosting for the synchronisation service | EU/EEA |
Data transfers to the CUSTOMER’s platforms
The Service transfers personal data to the CUSTOMER’s own Kleer and HubSpot accounts via their respective APIs. Kleer and HubSpot are not sub-processors under this DPA. The CUSTOMER is responsible for maintaining its own agreements with Kleer and HubSpot, including any applicable data processing terms. IGOMOON transfers data to these platforms solely on the CUSTOMER’s instruction as part of the synchronisation service.
Changes to sub-processors are notified in accordance with section 10 of the DPA.