Data Processing Agreement
Effective Date: April 1, 2026 Last Updated: April 28, 2026
This Data Processing Agreement ("DPA") is entered into between you ("Controller", "Customer") and SolidKey AB (org.nr 559496-6318), a Swedish company based in Mölndal ("Processor", "we", "us"), and supplements the Terms of Service and Privacy Policy.
This DPA governs the processing of personal data by SolidKey AB on behalf of the Customer in connection with the OneLore service ("the Service"), as required by Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
By using the Service, you accept this DPA. If your organization requires a separately executed DPA, contact us at hello@onelore.ai.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data to provide the OneLore collaborative platform, including project management, task tracking, messaging, document storage, and email notifications.
2.2 Duration
Processing continues for the duration of the Customer's use of the Service. Upon account deletion, processing ceases and data is handled as described in Section 11.
2.3 Nature and Purpose
The Processor processes Personal Data solely to:
- Authenticate users and manage accounts
- Store, retrieve, and deliver project content (tasks, messages, documents)
- Send email notifications (invitations, task updates, digest summaries)
- Generate activity logs for project members
- Maintain system health and debug technical issues
2.4 Types of Personal Data
- Email addresses
- Display names (from Google OAuth)
- GitHub usernames (optional)
- Project content created by users (tasks, messages, documents)
- Activity logs (timestamps, event types, tool names)
- Authentication data (sign-in timestamps, token metadata)
2.5 Categories of Data Subjects
- Users of the Service (project owners, admins, and members)
- Individuals referenced in project content created by users
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by EU or member state law. The instructions are documented in the Terms of Service, Privacy Policy, and this DPA. If the Processor believes an instruction infringes the GDPR, it shall inform the Controller without delay.
3.2 Confidentiality
The Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of data at rest (Google Cloud default encryption)
- Authentication via Google OAuth with PKCE
- API key and JWT token-based access control
- Role-based access control within projects (owner, admin, member)
- Daily database backups with 7-day retention, stored in europe-west4
- Access logging and monitoring
3.4 Content Access
The Processor does not access Customer content except:
- When the Customer provides explicit consent for technical issue resolution
- When required by a legal obligation (e.g., court order)
When investigating issues, the Processor first examines metadata and logs only (timestamps, document sizes, error codes).
4. Obligations of the Controller
The Controller warrants that:
- It has a lawful basis under the GDPR for all Personal Data it submits to the Service
- It has provided appropriate notice to data subjects regarding the processing of their Personal Data through the Service
- Its instructions to the Processor comply with applicable data protection law
- It is responsible for the accuracy, quality, and legality of Personal Data provided to the Processor
The Controller shall not use the Service to process special categories of Personal Data (Article 9 GDPR) unless the Controller has ensured a lawful basis and appropriate safeguards for such processing.
5. Sub-processors
5.1 Authorized Sub-processors
The Controller authorizes the use of the following sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (Firebase) | Hosting, authentication, database | All service data | EU (europe-west4); authentication is global |
| Google Cloud Storage | Context document storage | Project documents | EU (europe-west4) |
| Mailgun (Sinch) | Email notifications | Email addresses, notification content | EU |
5.2 Changes to Sub-processors
The Processor shall inform the Controller of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object. Notice will be provided at least 30 days before the new sub-processor begins processing. If the Controller objects on reasonable grounds, the parties shall discuss in good faith. If no resolution is reached, the Controller may terminate the Service.
5.3 Sub-processor Obligations
The Processor imposes the same data protection obligations on sub-processors as set out in this DPA, by way of contract or other legal act under EU or member state law. The Processor remains fully liable for the performance of its sub-processors.
6. International Data Transfers
All project data is stored in Google Cloud's europe-west4 region (Netherlands). Firebase Authentication is a global service that processes email addresses and display names through Google's global infrastructure during the sign-in flow.
Where Personal Data is transferred outside the European Economic Area, the following safeguards apply:
- The EU-US Data Privacy Framework (where the recipient is certified)
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
Google Cloud participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses as part of their data processing terms.
7. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, and objection). The Processor shall:
- Promptly notify the Controller if a data subject contacts the Processor directly
- Provide the Controller with the ability to access, export, correct, and delete Personal Data through the Service
- Respond to Controller assistance requests within 10 business days
- Assist the Controller in responding to requests within the timeframes required by the GDPR
8. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach
- Provide the Controller with sufficient information to fulfill any obligation to notify the supervisory authority within 72 hours and to inform affected data subjects
- Cooperate with the Controller in investigating and remediating the breach
The notification shall include, to the extent available:
- The nature of the breach, including categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- The contact point for further information
9. Data Protection Impact Assessment
The Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required under Articles 35 and 36 of the GDPR, to the extent that the Processor's processing activities are relevant to the assessment.
10. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Where available, the Processor may satisfy audit requests by providing relevant third-party audit reports or certifications (such as SOC 2 or ISO 27001) in lieu of on-site inspection. Where on-site inspection is required, the following conditions apply:
- Audit requests must be submitted in writing with at least 30 days' notice
- Audits shall be conducted during normal business hours, no more than once per year
- Audits shall not unreasonably interfere with the Processor's operations
- The Controller bears the cost of any audit it initiates
11. Data Deletion and Return
Upon termination of the Service or upon the Controller's request:
- The Controller may export all Personal Data through the Service's export functionality (structured data in JSON format, documents in their stored format)
- The Processor shall delete all Personal Data from active systems upon account deletion or Controller request
- Deleted data may persist in infrastructure-level retention (database backups and Cloud Storage soft-delete) for up to 7 days before being fully purged. All backups are stored in europe-west4 (Netherlands)
- The Processor shall not access or use deleted data during the retention period
- Upon request, the Processor shall provide written confirmation that Personal Data has been deleted
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service, except that neither party limits its liability for breaches of its obligations under the GDPR that cannot be limited under applicable law.
13. Governing Law
This DPA is governed by the laws of Sweden. For disputes relating to this DPA, the courts of Sweden shall have jurisdiction, without prejudice to any rights a data subject may have under Article 79 of the GDPR.
14. Changes to This DPA
We may update this DPA to reflect changes in our processing activities, sub-processors, or applicable law. We will notify the Controller of material changes at least 30 days before they take effect. If the Controller objects to material changes, the Controller may terminate the Service. Continued use of the Service after the 30-day notice period constitutes acceptance.
15. Contact
SolidKey AB (org.nr 559496-6318) Mölndal, Sweden Email: hello@onelore.ai Website: https://onelore.ai
For DPA-related inquiries, including requests for a separately executed copy, contact us at the email address above.