Data Processing Agreement

Effective date: April 20, 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Sanilog ("Processor", "we", "us") and the customer ("Controller", "you") and governs the processing of personal data by Sanilog on behalf of the Controller in connection with the Sanilog platform (the "Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all personal data processed by Sanilog as a data processor on the Controller's behalf.

Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR. "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR. "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates. "Sub-processor" means any third party engaged by Sanilog to process Personal Data on behalf of the Controller. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

Scope and Duration

Subject matter: Sanilog processes Personal Data to provide the Controller with cloud-based field service management functionality, including client management, job scheduling, invoicing, route optimization, and team coordination.

Duration: Processing begins when the Controller creates an account and continues until the Controller's account is terminated and all Personal Data is deleted in accordance with Section 10 of this DPA.

Nature and purpose: The processing includes storage, retrieval, organization, structuring, adaptation, consultation, use, disclosure by transmission, and erasure of Personal Data, solely for the purpose of providing and maintaining the Service.

Types of Personal Data

Sanilog processes the following categories of Personal Data on the Controller's behalf:
- Contact information: names, email addresses, phone numbers, and physical addresses of the Controller's clients and contacts
- Location data: GPS coordinates of service sites, driver locations during active use of the mobile app, and photo geolocation metadata
- Service records: job details, service history, delivery/pickup records, and proof-of-service photographs
- Financial data: invoice amounts, payment records, and contract terms (credit card data is processed by Stripe and never stored by Sanilog)
- Team data: names, email addresses, and roles of the Controller's employees and drivers
- Device data: device identifiers and app usage data from drivers using the mobile application

Categories of Data Subjects

Personal Data processed under this DPA relates to the following categories of Data Subjects:
- The Controller's clients and their contact persons
- The Controller's employees, including drivers, dispatchers, and administrative staff
- End users of the Service authorized by the Controller

Controller Obligations

The Controller shall:
- Ensure that it has a lawful basis for processing Personal Data and for instructing Sanilog to process Personal Data on its behalf
- Provide clear and documented instructions regarding the processing of Personal Data
- Ensure that Data Subjects have been informed about the processing of their Personal Data in accordance with Articles 13 and 14 of the GDPR
- Respond to Data Subject requests and notify Sanilog promptly of any such requests that require Sanilog's assistance
- Notify Sanilog without undue delay of any changes to applicable data protection laws that may affect Sanilog's processing obligations

Processor Obligations

Sanilog shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or member state law (in which case Sanilog will inform the Controller of that legal requirement before processing, unless the law prohibits such notification)
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, regular security assessments, and incident response procedures
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, subject to Section 8 of this DPA
- Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to Data Subject requests under Chapter III of the GDPR
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Sanilog
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or member state law requires storage of the Personal Data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

Sub-processors

The Controller provides general authorization for Sanilog to engage sub-processors. Sanilog shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days of notification. If the Controller objects, Sanilog will make reasonable efforts to provide an alternative solution. If no alternative is available, either party may terminate the affected services. Sanilog shall ensure that sub-processors are bound by data protection obligations no less protective than those set out in this DPA.

Current sub-processors:
- Supabase (authentication and database services) - EU region
- Cloudflare (hosting, CDN, edge compute) - Global with EU data residency
- Stripe (payment processing) - EU/US
- Resend (transactional email delivery) - US
- BetterStack (application logging and monitoring) - EU/US

Data Breach Notification

Sanilog shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of Sanilog's data protection contact
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

Sanilog shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

Data Deletion and Return

Upon termination of the Service or upon the Controller's written request, Sanilog shall:
- Provide the Controller with the ability to export all Personal Data in a structured, commonly used, and machine-readable format
- Delete all Personal Data within 90 days of account termination, except where EU or member state law requires continued storage
- Provide written confirmation of deletion upon the Controller's request

Personal Data retained for legal compliance (such as billing records required by Swedish tax law) shall be isolated and protected from further processing, and deleted when the retention period expires.

International Data Transfers

Sanilog's primary data infrastructure is located in the European Union. Where Personal Data is transferred outside the EU/EEA (for example, to sub-processors operating in the United States), Sanilog ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- Verification that the recipient sub-processor maintains adequate technical and organizational security measures
- Data transfer impact assessments where required

The Controller may request copies of the relevant transfer safeguards at any time by contacting privacy@sanilog.io.

Audits

Sanilog shall make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. The Controller or its designated auditor may conduct an audit of Sanilog's processing activities, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of any audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Sanilog's operations
- The Controller shall bear all costs associated with the audit
- The auditor shall be bound by confidentiality obligations
- Sanilog may satisfy audit requests by providing relevant certifications, audit reports, or third-party attestations where available

Sanilog shall cooperate with any audit by a supervisory authority related to the processing of Personal Data under this DPA.

Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except where such limitations are not permitted by the GDPR. Sanilog shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.

Term and Termination

This DPA shall remain in effect for the duration of Sanilog's processing of Personal Data on behalf of the Controller. It shall automatically terminate when all Personal Data has been deleted or returned in accordance with Section 10. The obligations in this DPA shall survive termination to the extent necessary to complete the deletion of Personal Data and to address any ongoing data protection obligations.

Governing Law

This DPA shall be governed by and construed in accordance with the laws of Sweden, consistent with the Terms of Service. For matters relating to GDPR compliance, the provisions of the GDPR shall take precedence over any conflicting terms.

Contact

For questions or requests related to this DPA, contact us at:
Data Protection: privacy@sanilog.io
General inquiries: hello@sanilog.io
Website: https://sanilog.io