Data Processing Agreement

(GDPR, Privacy Shield, Standard Contractual Clauses, Episerver Processor Binding Corporate Rules) – 21 May 2018



The Data Processing Agreement (“DPA”) forms part of the Master Services Agreement or other written or electronic agreement between Episerver and Customer for the purchase of online services from Episerver (identified either as “Software Services” or otherwise in the applicable agreement, and hereinafter defined as “Software Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.

By signing this Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Episerver processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement, end-user services agreement (“EUSA”) and service level agreement (“SLA”).

In the course of providing the Software Services to Customer pursuant to the Agreement, Episerver may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.



  1. This DPA consists of two parts: the main body of the DPA and Exhibits 1 (including Appendices 1 and 2), 2, 3, and 4.
  2. If this DPA is attached to an Agreement or Order which is signed and executed, the DPA will become legally binding between the Parties as part of the Agreement or Order.
  3. If this DPA was not attached to an Agreement or Order, then this DPA has been pre-signed on behalf of Episerver and Customer must follow Step 4 below. The Standard Contractual Clauses in Exhibit 1 have been pre-signed by Episerver Inc. as the data importer.
  4. To complete this DPA when not attached to an Agreement or Order, Customer must:
    1. Complete the information in the signature box and sign on Page 8.
    2. Take note that different Sub-processors apply to different Services on Page 19.
    3. send the completed and signed DPA to Episerver by email, indicating the Customer’s Account Name (as set out on the applicable Episerver Agreement, Order or invoice), to  Upon receipt of the validly completed DPA by Episerver at this email address, this DPA will become legally binding.



If Customer entering into this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Episerver entity that is party to the Agreement is party to this DPA.

If Customer’s Affiliate entering into this DPA has executed an Order with Episerver or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order and applicable renewal Orders, and the Episerver entity that is party to such Order is party to this DPA.

If the Customer entity signing the DPA is not a party to an Order nor a Master Services Agreement directly with Episerver but is instead a customer indirectly via an authorized reseller of Episerver services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.

This DPA shall not replace any additional terms relating to Processing of Customer Data contained in any Amendment(s) to Customer’s Agreement, however shall replace any existing standard data processing agreement between the Parties.

If an entity signing this DPA is neither a party to an Agreement nor an Order, this DPA is not valid and is not legally binding. Such entity should request that a Customer entity who is a party to the Agreement executes this DPA on their behalf.

**Note: If Customer is using Episerver Managed Services (formerly Everweb), this DPA is not valid and is not legally binding unless written confirmation from Episerver has been received stating that the minimum GDPR technical and organizational measures on Customer’s environment have been met.



  1. Please [right-click] on the following link -

Episerver Data Processing Agreement (20180521)-Customer DISTRO.pdf

  1. Please then select [Save link as], and download to your local computer
  2. Please use Adobe Acrobat™ to e-sign the document (including your information and e-signature)
  3. Please send the completed DPA back to this email address DPA@episerver.comand in the subject line, please include your company name and software service type (e.g. Subject Line: “Company XYZ, Digital Experience Cloud Commerce

For further information, please see the Episerver Trust Center here.


As always, we at Episerver take your privacy seriously.  Please find our privacy statement here.