
Data Processing Agreement

Effective date: March 31, 2026

Last updated: March 31, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer entity identified in the applicable service agreement ("Customer", "Controller") and Aimm Sweden AB, org. nr 556836-2460, a Swedish limited company ("Aimm", "Processor"), collectively referred to as the "Parties", for the provision of the Skrajb® service (the "Service").

This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and supplements any existing agreement between the Parties relating to the Service (the "Principal Agreement").


1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meaning given to them in the GDPR or the Principal Agreement.

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Technical and Organizational Measures" or "TOMs" means the security measures described in Annex 2 of this DPA.

2. Scope, Nature, and Purpose of Processing

2.1 Scope

This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with the provision of the Service.

2.2 Nature and Purpose

The Processor provides a web-based meeting transcription and AI summarization service. The purpose of the processing is to:

  • Receive and store audio recordings of meetings uploaded or recorded by the Controller's authorized users.
  • Transcribe audio recordings into text using automated speech-to-text technology.
  • Generate AI-powered summaries of meeting transcriptions.
  • Store transcriptions and summaries for the Controller's access and use.
  • Send email notifications related to processing status and service updates.
  • Authenticate and manage user accounts on behalf of the Controller.

2.3 Duration

The Processor shall process Personal Data for the duration of the Principal Agreement, unless otherwise agreed in writing or required by applicable law.


3. Types of Personal Data

The following categories of Personal Data may be processed under this DPA:

  • Account data: Name, email address, and organizational affiliation of the Controller's authorized users.
  • Audio recordings: Meeting recordings that may contain voices, names, opinions, and other personally identifiable information spoken during meetings.
  • Transcriptions: Text transcriptions of audio recordings, which may contain names, titles, and other personal data mentioned in meetings.
  • AI-generated summaries: Summaries derived from transcriptions, which may contain references to individuals and their statements.
  • Usage data: Timestamps, session identifiers, IP addresses, and service interaction logs.
  • Authentication data: Login credentials (hashed), session tokens, and authentication metadata.

4. Categories of Data Subjects

The following categories of Data Subjects may be affected by the processing:

  • The Controller's employees and authorized users of the Service.
  • Meeting participants whose voices and statements are captured in audio recordings.
  • Third parties referenced or discussed during meetings.

5. Obligations of the Processor

5.1 Lawful Processing

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification.

5.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA.

5.3 Security

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2 (Technical and Organizational Measures). The Processor shall regularly assess and, where necessary, update these measures.

5.4 Sub-processors

(a) The Controller provides general authorization for the Processor to engage the sub-processors listed at skrajb.com/legal/subprocessors as of the effective date of this DPA.

(b) The Processor shall notify the Controller by email of any intended changes to sub-processors (additions or replacements) at least 30 days before the change takes effect.

(c) The Controller may object to the change in writing within the 30-day notice period. If the Controller raises a reasonable objection, the Processor shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available, either Party may terminate the affected portion of the Service.

(d) The Processor shall enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those set out in this DPA.

(e) The Processor remains fully liable to the Controller for the performance of sub-processors' obligations.

(f) The current list of sub-processors is maintained at skrajb.com/legal/subprocessors.

5.5 Assistance with Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection).

5.6 Assistance with Security and Breach Obligations

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

  • Security of processing (Article 32)
  • Notification of Personal Data Breaches to the supervisory authority (Article 33)
  • Communication of Personal Data Breaches to Data Subjects (Article 34)
  • Data protection impact assessments (Article 35)
  • Prior consultation with the supervisory authority (Article 36)

5.7 Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification shall include:

  • A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of the point of contact where more information can be obtained.
  • A description of the likely consequences of the Personal Data Breach.
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

5.8 Data Deletion and Return

Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller's choice:

(a) Return all Personal Data to the Controller in a commonly used, machine-readable format; or

(b) Delete all Personal Data and certify such deletion in writing.

The Processor shall complete the return or deletion within 30 days of termination, unless Union or Member State law requires storage of the Personal Data. Audio recordings are automatically deleted from the processing pipeline after successful transcription, unless the Controller has configured longer retention.

5.9 Audit Rights

(a) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA.

(b) The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to:

  • Reasonable advance written notice of at least 30 days.
  • Audits being conducted during normal business hours.
  • The Controller bearing the costs of the audit.
  • Confidentiality obligations regarding any information obtained during the audit.

(c) The Processor may satisfy audit requests by providing relevant third-party audit reports or certifications, where available.


6. Obligations of the Controller

6.1 Lawfulness

The Controller warrants that it has a lawful basis for the processing of Personal Data instructed under this DPA, including where applicable obtaining any necessary consents from Data Subjects.

6.2 Instructions

The Controller shall ensure that its processing instructions to the Processor comply with applicable data protection laws. The Controller acknowledges that the Service involves automated transcription and AI summarization, and that meeting audio may contain Personal Data of third parties (meeting participants). The Controller is responsible for ensuring appropriate notice to and, where required, consent from meeting participants.

6.3 Cooperation

The Controller shall cooperate with the Processor in relation to any requests or inquiries from supervisory authorities concerning the processing of Personal Data under this DPA.


7. International Data Transfers

7.1 EU Data Residency

The Processor uses sub-processors that offer EU data residency. The Service is configured to store and process data within the European Union/European Economic Area where available. The current data residency locations for each sub-processor are listed at skrajb.com/legal/subprocessors.

7.2 Transfer Mechanisms

To the extent that Personal Data is transferred outside the EU/EEA, such transfers shall be made in compliance with Chapter V of the GDPR, using one or more of the following mechanisms:

  • An adequacy decision by the European Commission (Article 45 GDPR).
  • Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR).
  • Other appropriate safeguards as set out in Article 46 GDPR.

7.3 US-based Sub-processors

Certain sub-processors are US-based companies. Where applicable, these providers participate in the EU-U.S. Data Privacy Framework or have entered into Standard Contractual Clauses. Data processing for these sub-processors is configured to occur within EU regions.


8. Liability

8.1 General

Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.

8.2 Processor Liability

The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller, in accordance with Article 82 of the GDPR.


9. Term and Termination

9.1 Term

This DPA shall remain in effect for the duration of the Principal Agreement. Upon termination of the Principal Agreement, this DPA shall automatically terminate, subject to the Processor's obligations regarding deletion or return of Personal Data.

9.2 Survival

The obligations of the Processor regarding confidentiality, data deletion/return, and cooperation with audits shall survive the termination of this DPA.


10. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Sweden, without regard to its conflict of laws principles. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the Swedish courts.


11. Order of Precedence

In the event of a conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and the GDPR, the GDPR shall prevail.


Annex 1 — Details of Processing

  • Subject matter: Processing of Personal Data in connection with the Skrajb meeting transcription and AI summarization service
  • Duration: For the term of the Principal Agreement
  • Nature and purpose: Transcription of audio recordings, AI summarization, storage and retrieval of meeting data, user account management, email notifications
  • Types of Personal Data: Account data (name, email), audio recordings (voices, spoken content), transcriptions, AI summaries, usage data, authentication data
  • Categories of Data Subjects: Customer employees and authorized users, meeting participants, third parties referenced in meetings
  • Controller: The Customer, as identified in the Principal Agreement
  • Processor: Aimm Sweden AB

Annex 2 — Technical and Organizational Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

Access Control

  • Role-based access control (RBAC) based on the principle of least privilege.
  • Multi-tenant architecture with strict data isolation between customers.
  • Authentication via Supabase Auth with secure session management.
  • Row-Level Security (RLS) policies enforced at the database level to prevent cross-tenant data access.
  • Administrative access restricted to authorized personnel with multi-factor authentication.

Data Encryption

  • All data encrypted in transit using TLS 1.2 or higher.
  • Database data encrypted at rest using AES-256 encryption.
  • Audio files encrypted at rest in cloud storage.
  • API keys and secrets stored in encrypted environment variables, never in source code.

Data Minimization and Retention

  • Audio recordings are processed and can be deleted after successful transcription, based on customer configuration.
  • Processing pipeline data (intermediate files) is automatically purged after job completion.
  • Personal Data is retained only for the duration necessary to provide the Service.

Infrastructure Security

  • Application hosted on industry-standard cloud platforms (Vercel, Railway, Supabase) with SOC 2 compliance.
  • EU data residency configured for all primary sub-processors.
  • Network-level isolation and firewall rules on backend infrastructure.
  • Regular security updates and dependency patching.

Monitoring and Incident Response

  • Application logging and monitoring for anomaly detection.
  • Documented incident response procedures for Personal Data Breaches.
  • Breach notification processes aligned with the 72-hour GDPR requirement.

Organizational Measures

  • Confidentiality obligations for all personnel with access to Personal Data.
  • Regular review of access permissions and security practices.
  • Sub-processor due diligence and contractual obligations.

API Key Isolation (Enterprise Customers)

  • Enterprise customers may provide their own API keys for third-party AI and transcription services.
  • Customer-provided API keys are stored encrypted and isolated per tenant.
  • When customer-provided keys are used, data is sent directly to the third-party service under the customer's own contractual relationship, though it passes through Skrajb's backend infrastructure.

© 2026 skrajb.com