Last updated: 2026-05-03
This page is aimed at municipal procurement officers and data protection officers (DPOs) who need to review Skolkoll's data processing prior to contract. For a general overview, see the privacy policy. For a data processing agreement (DPA), see the DPA template.
1. Roles and contact
For personal data covered by the Municipal Licence agreement, the municipality is the data controller and Skolkoll is the data processor. For personal data Skolkoll processes for its own purposes (e.g. visitors to skolkoll.se without an account), Skolkoll is the data controller — see the privacy policy.
Data processor (Skolkoll): Skolkoll AB
Organisation number: 559220-2088
Contact for data protection enquiries: markus@skolkoll.se
Skolkoll has not appointed a Data Protection Officer (DPO) because the operation does not meet the criteria in GDPR art. 37 (the core activity is not large-scale monitoring of personal data; no special categories of personal data are systematically processed).
2. Subprocessors
Skolkoll uses the following third-party services to provide the service. All have their own DPAs that comply with GDPR.
| Provider | Service | Data category | Region | DPA |
|---|---|---|---|---|
| Google Cloud (Firebase) | Hosting, Firestore, Cloud Functions, Cloud Storage, Authentication | User accounts, organisation data, analyticsEvents, billing history | europe-west1 (Belgium) | Google Cloud DPA (SCCs included) |
| Stripe Payments Europe Ltd | Payment processing (card + invoice) | Billing address, email, organisation number, payment metadata. Card details never pass through Skolkoll's servers. | Ireland (EU) primarily; some fraud-detection functions may involve Stripe US under SCC. | Stripe DPA |
| Resend Inc. | Transactional email (account confirmations, invoices, watcher digests, security alerts) | Email address, name, subject, message body (deleted at Resend after 30 days) | EU/US (Resend's EU region used where available; SCCs apply for any US transfer) | Resend DPA |
| Anthropic / OpenAI | "Kollen" AI chat (when activated by the user via consent) | Chat messages + school context. Requests are flagged "no-store" where the API supports it (Anthropic: opt-out from training is the default). | US (Anthropic) or EU/US (OpenAI) — under SCC | Anthropic DPA · OpenAI DPA. Active only when the user has given consent in the chat window. |
For Municipal Licence data (user accounts, organisation data, billing history) we use no advertising networks, marketing platforms, or social media pixels. Web analytics via Google Analytics 4 runs only after explicit cookie consent from visitors on public pages — see the privacy policy for details. For signed-in municipal users no GA4 tracking is performed regardless of consent. Internal usage statistics are collected via our own anonymous collector in Firebase without personal data.
Notice of subprocessor change
While a Municipal Licence is active, we notify the organisation's administrators by email at least 30 days before changing a subprocessor. The municipality has the right to object during that period — objections are handled per the Municipal Licence agreement's termination clause.
3. Retention periods per data category
Periods are measured from the most recent event (e.g. last login, last payment). After the listed time the data is deleted or anonymised.
| Data category | Firestore collection | Retention | Legal basis |
|---|---|---|---|
| User accounts (profile, memberships) | users, organizations/{id}/members | Until deleted by the user. Inactive accounts (24 months without login) receive a reminder and are deleted after 36 months. | Contract (art. 6.1.b) |
| Organisations + Pro subscriptions | organizations, organizations/{id}/subscriptions | Active for the lifetime of the subscription. Billing history retained for 7 years (Swedish bookkeeping act). | Legal obligation (art. 6.1.c) for bookkeeping |
| Analytics events (raw) | analyticsEvents | 90 days, then individual events are deleted. Aggregated daily summaries (no personal data) are retained indefinitely. | Legitimate interest (art. 6.1.f) — product development. No personal data is stored (sessionId is random, no IP, no user-agent). |
| Mail contacts and campaign lists | mailContacts, mailLists, campaigns | Until unsubscribed. Unsubscribed contacts retain an anonymised email hash (to prevent re-subscription) for 24 months, then full deletion. | Consent (art. 6.1.a) for newsletters; contract (art. 6.1.b) for transactional emails. |
| Audit log | auditLog | 90 days. | Legitimate interest (art. 6.1.f) — security / traceability. |
| API usage quota | apiQuota/{orgId}/months/{YYYY-MM} | 13 months (for billing reconciliation and dispute). | Legal obligation (art. 6.1.c) |
| Watchers | watcherEvents, digestWatchers | Active for the lifetime of the watcher. Deleted immediately on account deletion. | Contract (art. 6.1.b) |
| AI chat conversation | Browser sessionStorage only — never on our server. | Deleted when the browser tab is closed. | Consent (art. 6.1.a) |
4. Right to erasure — operational flow
You can exercise the right to erasure (GDPR art. 17) in the following ways, sorted from fastest to most manual:
Self-service — user account
- Sign in to the Skolkoll portal.
- Go to Account settings.
- Click Delete account. Confirm the dialog.
- The account, your memberships, watchers and profile information are deleted immediately from the database.
What is not deleted automatically: billing history is retained for 7 years per Swedish bookkeeping law. Audit log entries are auto-deleted after 90 days. Aggregated analytics data already contains no personal data and is unaffected.
Erasure request — Municipal Licence administrator
As a municipal admin you can request erasure of a specific employee from the organisation by emailing info@skolkoll.se. We acknowledge receipt within 1 working day and complete the erasure within 14 days (the GDPR limit is 30 days).
Erasure request — external person (head teacher objecting)
If you are a named head teacher and object to your name being shown: email info@skolkoll.se with the school's unit code. We remove your data from the display within 14 days and update our sync filter so the data does not return even if Skolverket continues to publish it.
5. DPIA-light — risk assessment for Municipal Licence
For Municipal Licence customers we have done a simplified Data Protection Impact Assessment (DPIA-light) per GDPR art. 35. A full DPIA is not mandatory because the processing does not meet high-risk criteria (no large-scale monitoring, no special categories, no automated decision-making affecting individuals).
Identified risks and mitigations
| Risk | Likelihood × Impact | Mitigation |
|---|---|---|
| Unauthorised access to organisation data | Low × Medium | Firebase Auth with MFA support; admin role check on the server side; auditLog for all admin actions. |
| Data leak via subprocessor (Firebase, Stripe, Resend) | Low × High | EU regions where possible; SCCs for US transfers; least-privilege data sets (Stripe sees no school data; Resend sees only email + subject). |
| Incorrect publication of head teacher's name | Medium × Low | Source is Skolverket's open API; right to object via email with 14-day response; manual sync filter applies objections permanently. |
| Vulnerability in the open analytics endpoint | Low × Low | Origin allowlist, distributed rate-limiting, and event size caps. No personal data is collected in analytics. |
| Operational incident — silent scheduled-function failure | Medium × Low | Error-alerting wrapper emails ops on every scheduled-function failure. Manual backfill endpoint exists for critical syncs. |
6. Personal data breach
In case of a suspected personal data breach:
- Skolkoll notifies affected Municipal Licence administrators within 72 hours via email (GDPR art. 33-34).
- Notification to the Swedish Data Protection Authority (IMY) happens within the same 72 hours if the incident poses a risk to individuals' rights.
- The incident-response runbook and postmortem process are described in the Municipal Licence agreement annex ("IR runbook").
7. International data transfer
Personal data is processed primarily within the EU/EEA (Firebase europe-west1, Stripe Ireland). In limited cases data may be transferred to a third country (USA) under the following mechanisms:
- Standard Contractual Clauses (SCCs) — Google, Stripe, Resend all have signed SCCs per EU Commission decision 2021/914.
- EU-US Data Privacy Framework (DPF) — alternative legal basis for DPF-certified providers (Google, Stripe).
Schrems II implications: Skolkoll has performed a Transfer Impact Assessment (TIA) per provider. A summary is available to Municipal Licence customers on request.
8. Technical and organisational security measures
- Encryption in transit: TLS 1.2+ for all communication; HSTS enabled.
- Encryption at rest: Firestore encrypts all data automatically with Google-managed keys.
- Access control: Role-based access (admin / user); admin token compared via timing-safe-equal; auditLog for all admin API calls.
- Secrets: All API keys and tokens are stored in Google Secret Manager and provided to runtime securely via Firebase Functions secrets binding. They are not present in source code or committed to the repository.
- Rate limiting: Distributed Firestore-backed rate limiter on all public endpoints; analytics pipeline hardened against abuse via origin allowlist and event size caps.
- Validation: Strict schema validation on all user inputs; field-level length caps; metadata type enforcement including array-element validation.
- Monitoring: Cloud Logging for all functions; error alerting via Resend to ops distribution list on scheduled-function failures; planned Cloud Monitoring policy for error rate.
- Backup: Firestore has automatic daily backups with 7-day retention; export to Cloud Storage with 30-day retention.
9. Documents for municipal procurement
- DPA template (data processing agreement) — based on SKR's Swedish standard contract.
- Service Level Agreement (SLA) — uptime commitments, support response times, escalation path, and credit policy.
- ROPA summary (Records of Processing Activities) — public summary of the processing register per GDPR art. 30. Full extract available on request to Municipal Licence customers.
- IR runbook — incident-response process and contact details, delivered as an annex to the Municipal Licence agreement.
10. Complaints
If you believe we are processing your personal data unlawfully you have the right to lodge a complaint with the supervisory authority:
Swedish Data Protection Authority (IMY)
Web: imy.se/en
Email: imy@imy.se
Phone: +46 8-657 61 00