About us

Vision & mission

Handling of personal data

Contact

 

 

Data Processing Agreement (DPA) – SkyMap Innovations AB

Version 1.0      Adopted 2026-03-09

This document has been translated into English for convenience. In the event of any discrepancy or inconsistency between the English translation and the original Swedish version, the Swedish version shall prevail.

 

This Data Processing Agreement is an appendix to and an integral part of the General Terms for SkyMap’s SaaS services (the “Service”). The agreement regulates SkyMap’s processing of personal data on behalf of the Customer in accordance with Article 28 of the GDPR.

 

1. Parties and roles

The Customer is the Data Controller. SkyMap is the Data Processor when processing personal data within the Service.

 

2. Nature and purpose of the processing

SkyMap processes personal data for the provision, operation, development and support of the Service in accordance with the Customer’s instructions. This includes user management, project administration, file and data storage, logs, metadata, access rights and customer-initiated support.

 

3. Categories of personal data and data subjects

Data subjects are the Customer’s users and project members whose data appear in the Service. Personal data includes names, email addresses, user information, logs, roles, images, drawings, metadata, geographic data, geographic position (GPS), and personal data that may appear in files stored by the Customer in the Service.

 

4. Customer obligations

The Customer is responsible for ensuring that personal data processed in the Service complies with applicable data protection legislation and that there is a valid legal basis for all processing. The Customer shall inform data subjects in accordance with Articles 13–14 of the GDPR and ensure that personal data entered into the platform is accurate, relevant and up to date. The Customer may not upload or process sensitive personal data or data relating to criminal offences unless this is expressly permitted under the main agreement. The Customer is also responsible for securely managing user accounts and access rights, providing SkyMap with clear instructions regarding the processing and promptly reporting any incidents or suspected unauthorised access. The Customer is ultimately responsible for ensuring that all processing carried out in the Service complies with the Customer’s obligations as data controller.

 

5. SkyMap obligations

SkyMap is responsible for processing personal data in accordance with the Customer’s instructions, implementing appropriate security measures, ensuring confidentiality, assisting the Customer with data subject rights requests and supporting incident management. SkyMap shall report any incidents or suspected unauthorised access without undue delay.

If a data subject, supervisory authority or other third party submits a request to SkyMap regarding personal data processed on behalf of the Customer, SkyMap shall immediately refer the request to the Customer without acting upon the request unless explicitly instructed otherwise by the Customer.

SkyMap may only disclose personal data or information about the processing to third parties upon documented instruction from the Customer or if SkyMap is required by law to disclose the data. In such cases, SkyMap shall, to the extent permitted by law, inform the Customer of the disclosure before it takes place.

 

6. Approved sub-processors

SkyMap uses the following sub-processors for the processing of personal data in the Service.

  • Amazon Web Services (AWS), Ireland – hosting and storage.
  • Microsoft (Azure Entra ID) – authentication service when using SSO (Single Sign-On).

 

7. Transfers to third countries

Personal data is stored within the EU/EEA. If a transfer to a third country becomes necessary, it shall take place in accordance with applicable rules and with appropriate safeguards. Currently, all data storage takes place within the EU.

 

8. Security measures

SkyMap implements technical and organisational measures including, but not limited to: Encryption using AES256 at rest via AWS KMS and TLS 1.3/HTTPS in transit. The Service runs exclusively in AWS eu-west-1 (Ireland); the data centres are ISO 27001 and SOC 2 certified. Daily incremental backups with a retention period of 7 days. A role and permission framework (RBAC-based) is primarily used for administrative accounts. Access logs enable restoration of the availability of and access to personal data within a reasonable time in the event of a physical or technical incident.

SkyMap undertakes to ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality.

 

9. Deletion and return of data

SkyMap retains personal data only for as long as the Customer stores it in the Service or in accordance with the Customer’s instructions. The Customer is responsible for exporting any data that needs to be retained.

 

10. Term

SkyMap’s obligations as Data Processor apply for the entire duration of a valid agreement with the Customer governed by the General Terms for SkyMap’s SaaS services.

 

11. Version management

Version: 1.0
Previous version: -
Adopted: 2026-03-09