Data Processing Agreement

DPA under GDPR Art. 28

Here is our standard agreement. It is generated automatically and pre-filled with your details at signup. You do not need to ask for it separately. Swedish law applies.

This is our template. The actual DPA you sign at signup is pre-filled with your company name and registration number.

1. Parties

This data processing agreement ("DPA") is entered into between the Customer (data controller) and Spårlös.se Sweden (data processor). The agreement supplements the parties' main agreement for the Spårlös service and governs the Processor's processing of personal data on the Customer's behalf under GDPR Art. 28.

2. Subject matter and duration

The Processor processes personal data in order to provide the Spårlös web analytics service under the main agreement. Processing continues for as long as the main agreement is in force, plus 30 days for the deletion process.

3. Types of personal data

The Processor processes the following pseudonymized categories for the Customer's website visitors:

  • Page URL, referrer, UTM parameters
  • Daily hash (IP + User-Agent + site ID + salt) that cannot be linked across days or sites
  • Country derived from IP address (the IP is never stored)
  • Browser, OS, device type (from the User-Agent, server-side)
  • Screen size, language

No direct identifiers (name, email, personal identity number) are handled. No IP address is ever stored.

4. Where data is stored

All data is stored within the EU in ISO 27001-certified data centers. There are no US sub-processors in the data path. Our managed account-data provider is SOC 2 Type II-certified and based within the EU.

5. Obligations of the Processor

The Processor undertakes to:

  • Process personal data only in accordance with documented instructions from the Customer.
  • Ensure confidentiality of the persons who process the data.
  • Take appropriate technical and organizational security measures under Art. 32.
  • Assist the Customer in meeting requests from data subjects under Art. 12 to 22.
  • Report personal data breaches within 24 hours.
  • At the end of the main agreement, delete or return all personal data at the Customer's choice.

6. Sub-processors

The Processor uses the following approved sub-processors:

  • ISO 27001-certified EU-based infrastructure provider (compute, storage)
  • SOC 2 Type II-certified EU-based managed account-data provider
  • EU-based email provider (transactional email)
  • EU-based payment provider (Stripe Sweden AB, for billing)

The Customer approves these sub-processors in advance. The Processor gives 30 days' notice before adding new sub-processors. The Customer then has the right to object.

7. Rights of data subjects

The Processor helps the Customer fulfill requests regarding rights under Art. 15 to 22. Standard SLA: 7 business days for access and deletion requests.

8. Incidents

The Processor reports personal data breaches to the Customer within 24 hours of discovery. The report includes: what happened, which categories of data and data subjects are affected, likely consequences, and measures taken.

9. Audit

The Customer has the right to audit the Processor's compliance with this DPA once per year on business days with 30 days' notice. Audits are conducted remotely with a documentation package (security questionnaire, ISO certificates, penetration test reports). On-site audits on request and subject to availability.

10. Applicable law

Swedish law applies. Disputes are settled in the Stockholm District Court unless otherwise agreed in writing.

Create an account and get the DPA

The pre-filled DPA is ready to sign right after signup. Free to start, no card required.

Data Processing Agreement (DPA) | Spårlös