Data Processing Agreement

Agreement number: [completed by Skolkoll]
Agreement date: YYYY-MM-DD

1. Parties

1.1 Data Controller

Organisation: [Municipality name]
Organisation number: [XXXXXX-XXXX]
Address: [Postal address]
Contact person: [Name, title]
Email: [Email]
Data Protection Officer (DPO): [Name / email]

Hereinafter referred to as the "Data Controller".

1.2 Data Processor

Organisation: Skolkoll AB
Organisation number: 559220-2088
Address: [Postal address communicated upon contracting]
Contact person: Markus Reimer
Email: markus@skolkoll.se

Hereinafter referred to as the "Data Processor".

2. Background and purpose

The Data Controller and the Data Processor have entered into a Skolkoll Municipal Licence agreement, whereby the Data Processor provides a web service that processes personal data on behalf of the Data Controller. This agreement governs the Data Processor's processing of personal data per article 28 of EU regulation 2016/679 (GDPR).

3. Subject of processing

3.1 Categories of personal data

• User accounts: email address, display name, organisation membership, role, login timestamps.
• School-data-related metadata: head teacher's name (public data from Skolverket), school unit codes.
• Billing data: billing address, organisation number, payment history (Stripe).
• Operational data: sessionId (random, not linked to an individual), usage statistics without personal data.

3.2 Categories of data subjects

• Employees of the Data Controller who have an account in the service.
• Head teachers named in Skolverket's open school unit register (public data).

3.3 Purpose and duration of processing

The processing is performed to provide the Skolkoll service per the Municipal Licence agreement. The processing continues for the active lifetime of the Municipal Licence agreement, plus the time required to fulfil legal obligations (e.g. the Swedish bookkeeping act's 7-year retention of billing data).

3.4 Type of processing

Collection, storage, organisation, structuring, reading, modification, deletion. The Data Processor performs no profiling or automated decision-making with legal effect on data subjects.

4. Obligations of the Data Processor

The Data Processor shall:

1. Only process personal data on documented instructions from the Data Controller (including for transfers to a third country).
2. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Take appropriate technical and organisational security measures per GDPR article 32 (see annex A).
4. Only engage other processors (subprocessors) under the conditions in section 5 below.
5. Assist the Data Controller in fulfilling the obligation to respond to requests for the exercise of data subjects' rights (GDPR articles 12-22).
6. Assist the Data Controller in fulfilling its obligations under GDPR articles 32-36 (security, breach notification, impact assessment).
7. At the termination of the Municipal Licence agreement, at the Data Controller's choice, delete or return all personal data and delete existing copies, unless Union law or Member State law requires retention (e.g. the Swedish bookkeeping act).
8. Make available to the Data Controller all information necessary to demonstrate compliance with GDPR article 28, and allow for and contribute to audits, including inspections — see section 8 below.

5. Subprocessors

The Data Controller gives the Data Processor general prior authorisation to engage subprocessors under the following conditions:

1. The subprocessor's processing is governed by a written agreement imposing the same data protection obligations as this agreement.
2. The Data Processor notifies the Data Controller of any planned changes (additions or replacements) of subprocessors at least 30 days before the change takes effect, by email to the organisation's administrators.
3. The Data Controller has the right to object to changes. Objections are handled per the Municipal Licence agreement's termination clause.
4. The current list of subprocessors is at https://skolkoll.se/en/privacy/data-protection/.

6. International transfer

Personal data is processed primarily within the EU/EEA (Firebase europe-west1, Belgium; Stripe Ireland). For transfers to a third country, the following apply:

• Standard Contractual Clauses (SCCs) per EU Commission decision 2021/914.
• Where necessary: supplementary technical and organisational measures (encryption in transit, encryption at rest, access control).
• EU-US Data Privacy Framework (DPF) as an alternative legal basis for DPF-certified providers (Google, Stripe).

7. Personal data breach

The Data Processor shall, without undue delay and at the latest within 72 hours of becoming aware of a personal data breach, notify the Data Controller. The notification shall include:

• A description of the nature of the breach, the number of data subjects affected and the categories of personal data concerned.
• Likely consequences of the breach.
• Measures taken or proposed to address the breach and limit its adverse effects.
• Contact details of the Data Processor's incident handler.

8. Right to audit

The Data Controller has the right, at its own cost and with reasonable notice, to audit the Data Processor's compliance with this agreement. The audit may be conducted by the Data Controller itself or by an independent third party approved by the Data Processor. The Data Processor provides reasonable supporting documentation and access to relevant premises during business hours.

As an alternative to on-site audit, the Data Controller accepts that the Data Processor provides a current SOC 2 Type II or ISO 27001 report from the Data Processor or its primary subprocessors (Google Cloud, Stripe). (Skolkoll does not hold its own ISO 27001 certification as of 2026; we rely on Google Cloud's certifications for the infrastructure layer.)

9. Liability and limitations

The Data Processor's liability under this agreement is limited as set out in the Municipal Licence agreement's liability clause. The provisions of GDPR article 82 are however mandatory and not affected by limitations between the parties.

10. Term

This agreement enters into force on signing and remains in effect for the active lifetime of the Municipal Licence agreement. The Data Processor's obligations regarding deletion or return of personal data (section 4 item 7) survive termination.

11. Amendments

Amendments to this agreement must be made in writing and signed by both parties.

12. Governing law and dispute resolution

This agreement is governed by Swedish law. Disputes shall be resolved primarily through negotiation; failing that, by the ordinary courts with Stockholm District Court as the first instance.

Annex A — Technical and organisational security measures

The Data Processor takes the following measures:

• Encryption in transit (TLS 1.2+, HSTS).
• Encryption at rest (Firestore Google-managed keys).
• Access control (role-based access, audit log for admin actions).
• Secrets management (Google Secret Manager).
• Rate limiting and input validation on all public endpoints.
• Error monitoring and alerts on scheduled-function failures.
• Backups (Firestore daily backups, 7-day retention).
• Detailed disclosure: skolkoll.se/en/privacy/data-protection/ section 8.

This template is based on SKR's Swedish standard contract for data processors (public sector convention). For adjustments, contact markus@skolkoll.se. The template is a starting point; binding contract text is negotiated before signing.