1.1. This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service between Ronja Technologies AB (the "Processor") and the entity or person using the Ronja platform (the "Controller"). By accessing or using the Ronja platform, the Controller accepts and agrees to be bound by this DPA.
1.2. This DPA governs the Processor's processing of personal data on behalf of the Controller in connection with the Ronja data platform services and is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR").
1.3. This DPA takes effect on the date the Controller first accesses or uses the Ronja platform and remains in effect for the duration of the Controller's use of the services.
1.4. The Processor does not determine the purposes or essential means of the processing and acts solely on behalf of the Controller.
Terms used in this DPA have the meanings given to them in the GDPR, including but not limited to: Personal Data, Processing, Controller, Processor, Sub-processor, Data Subject, Personal Data Breach, and Supervisory Authority.
3.1. The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law.
3.2. The Controller's instructions are set out in this DPA, the Terms of Service, and any subsequent written instructions agreed by the Parties.
3.3. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
3.4. The Controller's use of the Services in accordance with the Terms of Service shall constitute documented instructions for the purposes of this DPA.
4.1. The Processor shall ensure that all persons authorized to process personal data are bound by appropriate confidentiality obligations, whether by contract or statutory duty.
4.2. These confidentiality obligations shall survive the termination of this DPA.
5.1. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include, at a minimum:
5.2. The Processor is committed to maintaining ISO 27001 certification and SOC 2 Type 2 attestation. Certificates and reports are available to the Controller upon request. The Processor shall notify the Controller without undue delay if such certifications materially lapse or are withdrawn.
Note (temporary — to be removed once certifications are obtained): As of February 2026, the Processor has implemented all technical and organizational controls required for ISO 27001 and SOC 2 Type 2 and is currently undergoing formal auditing. ISO 27001 certification is expected by mid-March 2026. This note will be removed and replaced with confirmation of certification upon completion.
5.3. The specific technical and organizational measures are described in Annex 2.
6.1. The Controller provides general written authorization for the Processor to engage sub-processors. The current list of sub-processors is set out in Annex 3.
6.2. The Processor shall notify the Controller by email to the Controller's designated contact at least 30 days before adding or replacing a sub-processor, providing the Controller with an opportunity to object.
6.3. If the Controller objects on reasonable data protection grounds — meaning a material and demonstrable risk of non-compliance with applicable data protection law — the Parties shall work in good faith to resolve the objection. If no resolution is reached within 30 days, the Controller may terminate the affected services without penalty.
6.4. The Processor shall ensure that each sub-processor is bound by written obligations no less protective than those in this DPA.
6.5. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
7.1. Personal data shall be stored and processed exclusively within the EU/EEA. The Processor shall not transfer personal data to any country outside the EU/EEA. For the avoidance of doubt, the transfer of anonymized, non-personal data is addressed in Section 7.3.
7.2. All sub-processors engaged by the Processor shall process and store personal data exclusively within the EU/EEA, regardless of where the sub-processor is incorporated.
7.3. The Processor may transfer anonymized, non-personal data outside the EU/EEA solely for the purpose of product analytics and service improvement. Such data shall be stripped of all identifiers and shall not constitute personal data within the meaning of the GDPR. Details of any such tools are listed in Annex 3.
7.4. This DPA applies to the protection of personal data under the GDPR regardless of where the Controller is established. Where the Controller is established outside the EU/EEA, the Parties acknowledge that the GDPR may still apply to the processing of personal data of data subjects located within the EU/EEA, and this DPA shall govern such processing accordingly.
8.1. The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15–22 of the GDPR, including requests for access, rectification, erasure, restriction, portability, and objection.
8.2. The Processor shall notify the Controller without undue delay upon receiving any request directly from a data subject, and shall not respond to such requests unless instructed by the Controller.
8.3. Such assistance shall be provided to the extent technically feasible, taking into account the nature of the processing. Where a request requires material effort beyond standard platform functionality, the Processor may charge reasonable costs as agreed with the Controller.
9.1. The Processor shall notify the Controller of any personal data breach without undue delay, and no later than 48 hours after becoming aware of it, where feasible based on available information.
9.2. The notification shall include:
9.3. The Processor shall cooperate fully with the Controller and any supervisory authority in relation to the breach, and shall document all breaches including their effects and remedial actions taken.
10.1. The Processor shall not use personal data processed under this DPA for training, fine-tuning, or improving machine learning or AI models, except where expressly instructed by the Controller.
10.2. AI/LLM sub-processors engaged by the Processor process data on an inference-only basis, with no data retention beyond transient processing necessary to generate a response.
11.1. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and the GDPR.
11.2. The Processor engages qualified, independent third-party auditors to conduct annual audits against recognized standards, including ISO 27001 and SOC 2 Type 2. Upon the Controller's written request, the Processor shall provide copies of the most recent audit reports and certificates within a reasonable timeframe.
11.3. The Controller agrees that these third-party audit reports and certificates shall satisfy the Controller's audit rights under Article 28(3)(h) of the GDPR, unless:
11.4. Where the Controller is entitled to an on-site audit under Section 11.3, the audit shall be subject to: (i) at least 20 business days' written notice; (ii) a mutually agreed scope and schedule; (iii) no more than one on-site audit per calendar year; and (iv) conduct during normal business hours with minimal disruption to the Processor's operations.
11.5. All audit reports, findings, and related information disclosed to the Controller shall be treated as confidential information of the Processor. The Controller shall not disclose such information to any third party without the Processor's prior written consent, except to the Controller's professional advisors bound by confidentiality obligations or as required by law.
11.6. On-site audits conducted under Section 11.3 shall be at the Controller's expense.
The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35–36 of the GDPR.
13.1. Upon termination of the Controller's use of the services, the Processor shall, at the Controller's choice: return all personal data in a structured, commonly used, machine-readable format; or delete all personal data.
13.2. Deletion shall be completed within 30 days of the Controller's written request. Personal data in backup systems shall be deleted within 90 days.
13.3. During the backup deletion period, such data shall remain protected by the technical and organizational measures set out in this DPA and shall not be actively processed.
13.4. The Processor may retain personal data only to the extent required by applicable law, and shall inform the Controller of any such requirement.
13.5. The Processor shall provide written confirmation of deletion upon the Controller's request.
Each Party's liability arising under or in connection with this DPA shall be subject to the limitations and exclusions set out in the Terms of Service. Each Party shall be liable for its own obligations under the GDPR.
Nothing in this DPA or the Terms of Service limits either Party's liability where such limitation is prohibited by applicable data protection law.
15.1. This DPA takes effect on the date the Controller first accesses or uses the Ronja platform and shall remain in effect for the duration of the Controller's use of the services, and shall survive termination until all personal data has been returned or deleted in accordance with Section 13.
15.2. Confidentiality obligations under Section 4 shall survive termination of this DPA indefinitely, for as long as the Processor or any sub-processor retains any personal data, and in any event shall not expire.
16.1. This DPA shall be governed by and construed in accordance with Swedish law and the GDPR.
16.2. Disputes arising under this DPA shall be resolved by the Stockholm District Court as the court of first instance.
The Processor shall promptly inform the Controller of any investigation by a supervisory authority that relates to the processing of personal data under this DPA, to the extent permitted by law.
18.1. If the Processor receives a legally binding request from a law enforcement authority, court, or other governmental body to disclose personal data processed under this DPA, the Processor shall attempt to redirect the requesting authority to seek the data directly from the Controller.
18.2. If the Processor is compelled to disclose personal data to such an authority, the Processor shall notify the Controller promptly and provide reasonable detail about the request, unless the Processor is prohibited from doing so by applicable law.
18.3. The Processor shall disclose only the minimum amount of personal data required to comply with the legal obligation, and shall use reasonable efforts to protect the confidentiality of the data disclosed.
The Processor may update this DPA from time to time. Material changes will be communicated to the Controller via email or through the Ronja platform at least 30 days before they take effect. Continued use of the services after such notice constitutes acceptance of the updated DPA. Updates to the sub-processor list (Annex 3) are governed by Section 6.
| Item | Details |
|---|---|
| Subject matter | Provision of data platform services |
| Duration | For the duration of the Controller's use of the services |
| Nature of processing | Collection, storage, structuring, transformation, analysis, and visualization of data from the Controller's data sources |
| Purpose | Enabling the Controller to connect, structure, analyze, and visualize its business data through the Ronja platform |
| Types of personal data | As determined by the Controller's use of the services. May include: names, email addresses, phone numbers, employee identifiers, customer records, transaction data, and other data present in connected sources |
| Categories of data subjects | As determined by the Controller's use of the services. May include: the Controller's employees, customers, vendors, partners, and other individuals whose data is present in connected sources |
| Measure | Description |
|---|---|
| Encryption in transit | All data encrypted using TLS 1.2 or higher |
| Encryption at rest | All stored data encrypted using AES-256 |
| Access control | Role-based access control (RBAC) with principle of least privilege |
| Authentication | Multi-factor authentication for all personnel with access to personal data |
| Network security | Firewalls, intrusion detection, and network segmentation |
| Logging & monitoring | Centralized logging and real-time monitoring of access and processing activities |
| Vulnerability management | Regular vulnerability scanning and penetration testing |
| Backup & recovery | Automated backups with tested disaster recovery procedures |
| Personnel security | Confidentiality agreements, background checks, and security awareness training |
| Certifications | ISO 27001 and SOC 2 Type 2 (certificates available upon request) |
Last updated: February 2026
Sub-processors processing personal data
| Sub-processor | Purpose | Data processing location | Incorporation | Data access |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud infrastructure, hosting, data storage, and compute | EU (AWS EU region) | Luxembourg | No access to personal data |
| Anthropic (via AWS Bedrock) | AI/LLM processing for data analysis and conversational interface | EU (via AWS EU infrastructure) | — (accessed via AWS) | Inference only, no data retention |
| Airbyte Inc. | Data connector and ingestion pipelines | EU (Airbyte Cloud, EU-hosted instance) | USA | Automated processing only |
Tools processing anonymized, non-personal data only
The following tools are listed for transparency. They do not process personal data as defined by the GDPR.
| Tool | Purpose | Data location | Notes |
|---|---|---|---|
| Google Analytics (Google LLC) | Product analytics and user experience improvement | USA | Anonymized, aggregate usage data only. No personal data is processed. Used solely for improving the Processor's service. |
The Processor shall notify the Controller at least 30 days in advance of any additions or changes to this list.