Data Processing Agreement

According to the EU General Data Protection Regulation (GDPR)

Last updated: 10/26/2025

GDPR-compliant
NIS2-aligned
ISO 27001-certified

1. Introduction

This Data Processing Agreement ("DPA") governs SecuraPilot's ("Data Processor") processing of personal data on behalf of the customer ("Data Controller") in accordance with the EU General Data Protection Regulation (GDPR).

2. Definitions

In this agreement, the following definitions apply according to GDPR:

  • Personal data: Any information that can be linked to an identified or identifiable natural person
  • Processing: Any operation performed on personal data
  • Data Controller: The entity that determines the purposes and means of processing
  • Data Processor: The entity that processes personal data on behalf of the Data Controller

3. Purpose and Scope of Processing

The Data Processor shall process personal data for the following purposes:

  • Provision of the SecuraPilot platform
  • Technical support and maintenance
  • Data backup

4. Data Processor's Obligations

The Data Processor undertakes to:

  • Only process personal data according to documented instructions from the Data Controller
  • Ensure that persons processing personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without written approval
  • Assist the Data Controller in fulfilling data subjects' rights
  • Delete or return personal data when the assignment is completed
  • Provide information to demonstrate compliance with obligations

5. Security Measures

The Data Processor implements technical and organizational security measures in accordance with GDPR Article 32, the NIS2 Directive, and the ISO 27001/27002 standards:

Technical Measures

  • Encryption: End-to-end encryption (AES-256) for data in transit and at rest
  • Storage: Secure storage in ISO 27001-certified Swedish data centers
  • Access: Multi-factor authentication (MFA) and role-based access control (RBAC)
  • Backup: Automated, encrypted backups with geographic redundancy
  • Monitoring: 24/7 security monitoring with a Security Information and Event Management (SIEM) system
  • Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation

Organizational Measures

  • Incident Management: Established processes according to NIS2 requirements for detection and reporting
  • Security Training: Regular training of personnel in information security
  • Access Control: Principle of least privilege
  • Vendor Management: Systematic assessment of sub-processors according to ISO 27001
  • Audits: Regular internal and external security audits

ISO 27001 Certification: SecuraPilot is certified according to ISO 27001:2022, which means our information security management system (ISMS) meets international standards and undergoes regular independent audits.

6. Sub-processors

The Data Processor uses the following approved sub-processors:

  • Hosting providers in Sweden for data storage
  • Email services for system notifications

All sub-processors must meet the same security requirements as the Data Processor.

7. Personal Data Breach

In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay and assist with investigation and remedial actions.

The notification shall include:

  • Description of the nature of the breach
  • Estimate of affected individuals and data categories
  • Description of measures taken and planned
  • Contact information for further details

8. Data Transfer

All personal data processing occurs within the EU/EEA. Transfer to third countries only occurs with explicit approval and appropriate safeguards according to GDPR Chapter V.

9. Audit and Review

The Data Controller has the right to audit the Data Processor's compliance with this agreement through:

  • Access to relevant documentation
  • On-site audits with reasonable prior notice
  • Requests for information about processing activities

SecuraPilot is ISO 27001 certified, ensuring systematic information security management.

10. Term and Termination

This agreement is valid as long as the Data Processor processes personal data on behalf of the Data Controller. Upon termination of the agreement, the Data Processor shall:

  • Delete or return all personal data according to the Data Controller's instructions
  • Delete existing copies unless storage is required by law
  • Provide written confirmation of completed actions

11. Contact

For questions about this Data Processing Agreement, contact our Data Protection Officer:

Data Protection Officer

Email: dpo@securapilot.se