Version: 1.2
Last Updated: 2026-02-13
Effective Date: 2026-02-13
Data Processing Agreement
This Data Processing Agreement is based on the Common Paper Data Processing Agreement (Version 1.1), released under the CC BY 4.0 license, and incorporates the EU Standard Contractual Clauses (SCCs) for international data transfers.
How to Execute This DPA: If you are a FreshGuard customer who needs a signed DPA, please email legal@freshguard.dev with your company name and account email. We will send you a countersigned copy within 5 business days.
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement (“Agreement”) between Hedvig Holding AB, org.nr 559346-1865 (“FreshGuard,” “Provider,” “Processor,” “we,” or “us”) and Customer (“Customer,” “Controller,” or “you”) for the provision of the FreshGuard Cloud service (“Service”).
This DPA applies when Customer submits Personal Data to the Service, and sets out the parties’ obligations regarding the processing of such Personal Data.
2. Definitions
- “Controller” — The entity that determines the purposes and means of Processing Personal Data. For data Customer submits to the Service, Customer is the Controller.
- “Data Subject” — An identified or identifiable natural person whose Personal Data is Processed.
- “EEA” — European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway).
- “GDPR” — The General Data Protection Regulation (EU) 2016/679.
- “Personal Data” — Any information relating to an identified or identifiable natural person.
- “Processing” / “Process” — Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- “Processor” — The entity that Processes Personal Data on behalf of a Controller. FreshGuard acts as a Processor for Customer Data.
- “SCCs” — The Standard Contractual Clauses approved by the European Commission for international data transfers (Commission Implementing Decision 2021/914).
- “Security Incident” — A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Subprocessor” — A third party engaged by the Processor to Process Personal Data on behalf of the Controller.
- “UK GDPR” — The UK General Data Protection Regulation, as incorporated into UK law.
3. Scope and Roles
3.1 Scope
This DPA applies to the Processing of Personal Data by FreshGuard on behalf of Customer in connection with the Service. The subject matter, duration, nature, and purpose of Processing are described in Annex I.
3.2 Roles
- Customer as Controller: Customer determines the purposes and means of Processing the Personal Data submitted to the Service.
- FreshGuard as Processor: FreshGuard Processes Personal Data only on Customer’s documented instructions to provide the Service.
If Customer is itself a Processor acting on behalf of a third-party Controller, Customer warrants that it has obtained all necessary authorizations to engage FreshGuard as a Subprocessor.
4. Customer Obligations
Customer agrees to:
- Ensure it has a lawful basis to submit Personal Data to the Service
- Provide Data Subjects with appropriate privacy notices
- Obtain necessary consents where required
- Comply with applicable data protection laws
- Ensure the accuracy of Personal Data provided
- Not submit Prohibited Data (as defined in the Terms of Service) without prior written authorization and appropriate additional safeguards as set out in the Agreement or as otherwise agreed in writing
5. FreshGuard’s Processing Obligations
5.1 Processing Instructions
FreshGuard will:
- Process Personal Data only on documented instructions from Customer, including as specified in the Agreement, unless required by applicable law
- Inform Customer if legally prohibited from following instructions (unless prohibited from doing so by law)
- Not Process Personal Data for any purpose other than providing and maintaining the Service, performing security and integrity monitoring, complying with applicable law, or as otherwise documented in this DPA and the Agreement
5.2 Confidentiality
FreshGuard will:
- Ensure personnel authorized to Process Personal Data are subject to confidentiality obligations
- Limit access to Personal Data to personnel who need it to provide the Service
5.3 Security Measures
FreshGuard will implement and maintain appropriate technical and organizational security measures as described in Annex II. These measures are designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing.
5.4 Assistance
FreshGuard will assist Customer, taking into account the nature of Processing and the information available to FreshGuard, with:
- Responding to Data Subject requests (access, rectification, erasure, etc.), to the extent technically feasible
- Data protection impact assessments, where applicable
- Prior consultations with supervisory authorities, where applicable
- Compliance with security obligations under applicable law
Customer acknowledges that such assistance may be subject to FreshGuard’s then-current professional services rates for time and resources required beyond routine Service operations.
6. Subprocessors
6.1 Authorized Subprocessors
Customer authorizes FreshGuard to engage the Subprocessors listed in Annex III to Process Personal Data on Customer’s behalf.
6.2 Subprocessor Changes
FreshGuard will:
- Notify Customer at least 10 business days before adding or replacing a Subprocessor via email to the account administrator or through the notification mechanism described at freshguard.dev/company/subprocessors
- Provide an opportunity to object to Subprocessor changes
Customer may object to a new Subprocessor by notifying FreshGuard in writing within 30 days of receiving notice, stating the reasonable grounds for objection. If FreshGuard cannot reasonably accommodate the objection, Customer may terminate the affected Service or workspace on 30 days’ written notice and receive a prorated refund of any prepaid fees for the unused portion.
6.3 Subprocessor Agreements
FreshGuard will enter into written agreements with each Subprocessor imposing data protection obligations no less protective than those in this DPA, including appropriate transfer mechanisms where required. FreshGuard remains liable for the acts and omissions of its Subprocessors to the same extent as if FreshGuard had performed the services directly.
7. Security Incidents
7.1 Notification
FreshGuard will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Customer’s Personal Data. Notification may be provided in phases as information becomes available.
7.2 Incident Response
FreshGuard will:
- Take reasonable steps to mitigate the effects of the Security Incident and prevent further unauthorized access
- Provide Customer with information about the incident, to the extent known, including:
  - Nature of the incident
  - Categories and approximate number of Data Subjects affected
  - Categories and approximate volume of data records affected
  - Likely consequences
  - Measures taken or proposed to address the incident and mitigate potential adverse effects
- Cooperate with Customer’s investigation and notification obligations under applicable law
Customer is responsible for complying with any applicable Security Incident notification obligations and notifying Data Subjects and supervisory authorities as required by law.
8. Data Transfers
8.1 Transfers Outside EEA/UK
FreshGuard may transfer Personal Data outside the EEA and UK only where appropriate safeguards are in place as required by applicable data protection law, including but not limited to the Standard Contractual Clauses, adequacy decisions, or other legally recognized transfer mechanisms.
8.2 Standard Contractual Clauses
Where Personal Data originating from the EEA or UK is transferred to a country not deemed adequate by the European Commission or UK authorities, the parties agree that the transfer is governed by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), which are set forth in Annex IV.
For such transfers:
- Module Two (Controller to Processor) applies when Customer is the Controller
- Module Three (Processor to Processor) applies when Customer is a Processor acting on behalf of a third-party Controller
In signed versions of this DPA, a copy of the applicable SCCs (and, where applicable, the UK Addendum) is attached to or referenced in the signature package. If there is any conflict between the attached SCCs and any other version, the attached version controls.
8.3 UK International Data Transfer Addendum
For transfers from the UK, the parties agree that the UK International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner’s Office) applies and is incorporated by reference.
8.4 Swiss Transfers
For transfers from Switzerland, the SCCs apply with modifications required by the Swiss Federal Act on Data Protection (FADP), including that the supervising authority shall be the Swiss Federal Data Protection and Information Commissioner where the data exporter is subject to Swiss law.
9. Audits
9.1 Audit Rights
Customer may, no more than once per year (unless required by a supervisory authority or following a Security Incident for which FreshGuard is responsible), request information or conduct an audit to verify FreshGuard’s compliance with this DPA.
9.2 Audit Process
- Customer must provide at least 30 days’ written notice, specifying the proposed scope, duration, and audit commencement date
- Where possible, audits will be conducted remotely based on documentation, interviews, and system demonstrations. On-site audits will only be required where remote means are insufficient to demonstrate compliance
- Audits must be conducted during normal business hours and in a manner that does not unreasonably interfere with FreshGuard’s business operations
- Customer bears the cost of the audit
- FreshGuard may require auditors to sign reasonable confidentiality agreements
- Auditors may not access other customers’ data or confidential business information unrelated to the audit scope
9.3 Audit Costs
If an audit is initiated following a Security Incident caused by FreshGuard’s breach of this DPA, we will bear our own reasonable internal costs of facilitating the audit. Otherwise, Customer will reimburse FreshGuard for reasonable time and materials spent responding to audit requests that exceed the provision of standard compliance documentation, at our then-standard professional services rates.
9.4 Audit Reports
As an alternative to on-site or remote audits, FreshGuard will make available relevant security certifications, third-party audit reports (e.g., SOC 2 Type II, ISO 27001), and technical and organizational measures documentation upon reasonable written request, subject to appropriate confidentiality obligations.
10. Data Deletion and Return
10.1 During the Agreement
Customer may delete Personal Data through the Service’s functionality in accordance with the Service documentation.
10.2 Upon Termination
Upon termination of the Agreement, FreshGuard will, at Customer’s written request made within 30 days of termination:
- Return Personal Data to Customer in a commonly used, structured, machine-readable format; or
- Delete Personal Data and certify deletion in writing
Unless Customer requests return or deletion within 30 days of termination, FreshGuard will delete Personal Data within 60 days, except where retention is required by law or as specified in this DPA.
10.3 Backup Retention
Personal Data stored in backups will be overwritten and deleted in the ordinary course of FreshGuard’s backup rotation procedures, and may be retained for an additional period not exceeding 90 days solely for this purpose.
11. California Consumer Privacy Act (CCPA/CPRA)
To the extent Customer is subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) and FreshGuard Processes Personal Information (as defined by CCPA/CPRA) on Customer’s behalf:
- FreshGuard acts as a “Service Provider” or “Contractor” (as applicable) under CCPA/CPRA
- FreshGuard will not sell or share Personal Information as those terms are defined under CCPA/CPRA
- FreshGuard will not retain, use, or disclose Personal Information for any purpose other than for the specific business purposes specified in the Agreement and this DPA, or as otherwise permitted by CCPA/CPRA
- FreshGuard will not retain Personal Information for longer than is reasonably necessary to achieve the business purposes specified in the Agreement or as permitted by law
- FreshGuard will not combine Personal Information received from or on behalf of Customer with personal information collected from other sources, except as permitted by CCPA/CPRA or with Customer’s prior written consent
- FreshGuard will assist Customer with CCPA/CPRA-related requests from consumers, to the extent technically feasible and as required by law
Certification: FreshGuard certifies that it understands and will comply with the restrictions and requirements in this Section 11 with respect to Personal Information governed by the CCPA/CPRA.
12. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations set forth in the Agreement, except that such limitations do not apply to:
- Either party’s liability to Data Subjects under applicable data protection law, to the extent such liability cannot be limited under applicable law
- Violations of the SCCs, UK Addendum, or other applicable data transfer mechanisms
- Claims that cannot be limited under applicable data protection law
Nothing in this DPA is intended to increase either party’s liability or to create any new right to damages not already provided under the Agreement, except to the extent required by applicable data protection laws.
13. General
13.1 Precedence
In the event of conflict:
- The SCCs / UK Addendum / Swiss modifications take precedence over this DPA
- This DPA takes precedence over the Agreement with respect to the Processing of Personal Data
- The Agreement governs all other matters
13.2 Severability
If any provision of this DPA is held invalid or unenforceable by a court of competent jurisdiction, it shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions continue in full force and effect.
13.3 Governing Law
This DPA is governed by the same law as the Agreement (the laws of Sweden), except that:
- The SCCs are governed by the law of the EU Member State where the data exporter is established, as specified in the SCCs
- The UK Addendum is governed by the law of England and Wales
- Swiss transfers are subject to Swiss law as applicable
13.4 Amendments
This DPA may only be amended by written agreement signed by both parties, except that FreshGuard may update Annex II (Security Measures) and Annex III (Subprocessors) in accordance with the notification procedures set forth in this DPA.
Annex I: Details of Processing
A. Subject Matter and Duration
FreshGuard processes Personal Data to provide the data pipeline monitoring Service as described in the Agreement, for the duration of the Agreement and any applicable retention periods.
B. Nature and Purpose of Processing
- Connecting to Customer’s data sources via secure credentials
- Executing automated monitoring checks (freshness, schema, volume)
- Storing check results, alert history, and configuration data
- Sending alert notifications via configured channels
- Providing dashboard, reporting, and API access
- Maintaining audit logs for security and compliance
- Providing technical support and troubleshooting
C. Categories of Data Subjects
Data Subjects whose Personal Data may be processed include:
- Customer’s employees, contractors, and authorized users (users of the Service)
- Individuals whose data exists in Customer’s monitored data sources, to the extent such data is processed as metadata
D. Types of Personal Data
- Account Data: Name, email address, company name, job title
- Authentication Data: Hashed passwords, API tokens, OAuth credentials
- Usage Data: IP address, browser information, device identifiers, feature usage, session data
- Monitored Metadata: Data source connection details, database/table/column names, row counts, timestamps, query patterns, and other structural metadata
Important Note: FreshGuard is designed to operate primarily on metadata (such as table names, column names, row counts, and timestamps) and not on individual record contents from monitored tables. The Service does not intentionally store record-level contents of monitored tables, except where explicitly configured by Customer (e.g., for custom SQL queries or data profiling features) or as necessary for troubleshooting or support. However, metadata itself may in some cases contain or constitute Personal Data (for example, if a column name includes an individual’s name).
E. Sensitive Data
The Service is not designed to process sensitive or special categories of data under GDPR Article 9 (e.g., health data, biometric data, genetic data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, or data concerning sex life or sexual orientation).
Customer should not configure monitoring rules that would cause FreshGuard to access fields containing special categories of Personal Data without appropriate safeguards, lawful bases, and prior written notice to FreshGuard.
Annex II: Security Measures
FreshGuard implements the following technical and organizational measures to protect Personal Data:
A. Encryption
- Data in transit: TLS 1.3 or higher (with fallback to TLS 1.2 for compatibility)
- Data at rest: AES-256 encryption for databases and file storage
- Database credentials: Encrypted using envelope encryption (key management via cloud provider KMS)
- API keys and secrets: Encrypted in dedicated secrets management system
B. Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) available for all user accounts and required for administrative access
- Unique user accounts for all personnel with access to production systems
- Regular access reviews (quarterly) and immediate revocation upon termination
- Segregation of production and development environments
C. Infrastructure Security
- Hosted on SOC 2 Type II compliant cloud providers (Cloudflare, Neon)
- DDoS protection and Web Application Firewall (WAF)
- Network segmentation and firewall rules
- Regular security patching and vulnerability management
- Secure software development lifecycle (SDLC) practices
- Dependency scanning and automated security updates
D. Monitoring and Logging
- Comprehensive audit logging of administrative actions and data access
- Security event monitoring and alerting (SIEM)
- Anomaly detection for unusual access patterns
- Centralized log management with retention policies
E. Personnel Security
- Background checks for employees with access to production systems or Personal Data (where permitted by law)
- Security awareness training for all employees (annually and upon hiring)
- Confidentiality and non-disclosure agreements for all employees and contractors
- Defined roles and responsibilities for data protection
F. Incident Response
- Documented incident response procedures and playbooks
- 24/7 on-call rotation for security incidents
- Post-incident reviews and root cause analysis
- Regular incident response tabletop exercises
G. Business Continuity and Disaster Recovery
- Automated daily backups with 30-day retention
- Multi-region redundancy for critical services
- Documented disaster recovery procedures with defined RTOs and RPOs
- Regular disaster recovery testing (at least annually)
H. Data Minimisation and Retention
- The Service is designed to minimise Personal Data processing by focusing on metadata rather than record contents where feasible
- Retention periods are limited to what is necessary for providing the Service and fulfilling legal obligations, as further described in the Agreement and our Privacy Policy
- Automated data deletion processes for expired data
- Customer-configurable retention settings where applicable
I. Vendor and Subprocessor Management
- Due diligence and security assessments for all Subprocessors
- Contractual requirements for Subprocessors to implement equivalent security measures
- Regular review of Subprocessor security posture
J. Physical and Environmental Security
Physical security is managed by our cloud infrastructure providers (Cloudflare, Neon) and includes:
- Restricted physical access to data centers with multi-factor authentication
- 24/7 surveillance and monitoring
- Environmental controls (temperature, humidity, fire suppression)
- Redundant power and network connectivity
K. Testing and Improvement
- Periodic penetration testing and vulnerability assessments by qualified third parties (at least annually)
- Regular security audits and compliance assessments
- Continuous improvement of security measures based on emerging threats and industry best practices
FreshGuard may update these security measures from time to time to reflect improvements, changes in technology, or evolving regulatory requirements. Material changes that reduce the level of protection will be communicated to Customer in accordance with the notification procedures in the Agreement.
For more detailed information about our security practices, please refer to our Security Overview at freshguard.dev/security.
Annex III: Authorized Subprocessors
As of the effective date, FreshGuard uses the following Subprocessors to process Customer Personal Data:
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| Cloudflare, Inc. | Cloud hosting, CDN, DDoS protection, edge computing | United States (global edge network) | Usage Data, API requests, cached metadata |
| Neon, Inc. | Database hosting (PostgreSQL) | United States / EU (customer-configurable; EU by default for EU customers) | Account Data, Monitored Metadata, Configuration Data |
| Stripe, Inc. | Payment processing | United States | Billing information (name, email, payment method details) |
| Lettermint B.V. | Transactional email delivery | Netherlands / EU-based infrastructure | Account Data (email addresses), notification content |
Lettermint is an EU-based transactional email provider with infrastructure located in the European Union, designed for GDPR-compliant transactional email delivery.
Updates: An up-to-date list of Subprocessors is maintained at freshguard.dev/company/subprocessors. Customers can subscribe to email notifications of Subprocessor changes at that page or by emailing legal@freshguard.dev.
Notification Process: FreshGuard will provide at least 10 business days’ prior written notice before adding or replacing a Subprocessor, in accordance with Section 6.2 of this DPA.
Annex IV: Standard Contractual Clauses
The EU Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021) are incorporated by reference and apply to transfers of Personal Data from the EEA to countries not deemed adequate by the European Commission.
The full text of the SCCs is available at:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
SCC Details
For the purposes of the SCCs:
Data Exporter:
- Name: Customer (as identified in the Agreement)
- Role: Controller (Module Two) or Processor (Module Three)
- Contact: As specified in the Agreement
Data Importer:
- Name: Hedvig Holding AB (org.nr 559346-1865), trading as FreshGuard
- Address: Norregöksvägen 40, 163 52 Spånga, Sweden
- Contact: legal@freshguard.dev
- Role: Processor
Applicable Module:
- Module Two (Controller to Processor) applies when Customer is the Controller
- Module Three (Processor to Processor) applies when Customer is a Processor acting on behalf of a third-party Controller
Optional Clauses:
- Clause 7 (Docking clause): Not applicable
- Clause 9(a) (Prior authorization for sub-processors): General authorization applies (Option 2)
- Clause 11(a) (Redress): Not applicable (no independent dispute resolution body designated)
- Clause 17 (Governing law): The law of Sweden (or the law of the EU Member State where the Data Exporter is established, if different)
- Clause 18 (Choice of forum and jurisdiction): Courts of Sweden (or the courts of the EU Member State where the Data Exporter is established, if different)
Competent Supervisory Authority:
The supervisory authority of the EU Member State where the Data Exporter is established. If the Data Exporter is not established in an EU Member State, the competent authority is the Swedish Authority for Privacy Protection (IMY).
Annex I (List of Parties, Description of Transfer, Competent Supervisory Authority):
As described in Annex I of this DPA.
Annex II (Technical and Organizational Measures):
As described in Annex II of this DPA.
Annex III (List of Sub-processors):
As described in Annex III of this DPA.
UK International Data Transfer Addendum
For transfers of Personal Data from the UK to countries not recognized as adequate under UK data protection law, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, issued by the UK Information Commissioner’s Office on 21 March 2022) applies.
The UK Addendum is available at:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/
UK Addendum Details
Parties: As specified in the EU SCCs above
Approved EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to is the EU SCCs Commission Implementing Decision 2021/914.
Mandatory Clauses: The Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Contact
For questions about this Data Processing Agreement:
- Email: legal@freshguard.dev
- Data Protection Officer: dpo@freshguard.dev
- Security Incidents: security@freshguard.dev
Processor:
Hedvig Holding AB
Organization number: 559346-1865
Norregöksvägen 40
163 52 Spånga
Sweden
This Data Processing Agreement is based on the Common Paper DPA v1.1, available at commonpaper.com under CC BY 4.0 license, and has been customized for FreshGuard Cloud.