1. Introduction
This Data Processing Agreement ("DPA") governs SecuraPilot AB's ("Data Processor") processing of personal data on behalf of the customer ("Data Controller") in accordance with the EU General Data Protection Regulation (GDPR).
2. Definitions
In this agreement, the following definitions apply according to GDPR:
- Personal data: Any information that can be linked to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- Data Controller: The entity that determines the purposes and means of processing
- Data Processor: The entity that processes personal data on behalf of the Data Controller
3. Purpose and Scope of Processing
The Data Processor shall process personal data for the following purposes:
- Provision of the SecuraPilot platform
- Technical support and maintenance
- Data backup
4. Data Processor's Obligations
The Data Processor undertakes to:
- Only process personal data according to documented instructions from the Data Controller
- Ensure that persons processing personal data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Not engage sub-processors without written approval
- Assist the Data Controller in fulfilling data subjects' rights
- Delete or return personal data when the assignment is completed
- Provide information to demonstrate compliance with obligations
5. Security Measures
The Data Processor implements the following security measures:
- Encryption: End-to-end encryption (AES-256)
- Storage: Secure storage in Swedish data centers
- Access: Access control and authentication
- Backup: Regular backups
- Monitoring: Continuous security monitoring
- Incident Management: Established incident management processes
6. Sub-processors
The Data Processor uses the following approved sub-processors:
- Hosting providers in Sweden for data storage
- Email services for system notifications
All sub-processors must meet the same security requirements as the Data Processor.
7. Personal Data Breach
In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay and assist with investigation and remedial actions.
The notification shall include:
- Description of the nature of the breach
- Estimate of affected individuals and data categories
- Description of measures taken and planned
- Contact information for further details
8. Data Transfer
All personal data processing occurs within the EU/EEA. Transfer to third countries only occurs with explicit approval and appropriate safeguards according to GDPR Chapter V.
9. Audit and Review
The Data Controller has the right to audit the Data Processor's compliance with this agreement through:
- Access to relevant documentation
- On-site audits with reasonable prior notice
- Requests for information about processing activities
SecuraPilot is ISO 27001 certified, ensuring systematic information security management.
10. Term and Termination
This agreement is valid as long as the Data Processor processes personal data on behalf of the Data Controller. Upon termination of the agreement, the Data Processor shall:
- Delete or return all personal data according to the Data Controller's instructions
- Delete existing copies unless storage is required by law
- Provide written confirmation of completed actions
11. Contact
For questions about this Data Processing Agreement, contact our Data Protection Officer:
Data Protection Officer
Email: dpo@securapilot.se