
Data Processing Agreement

Last updated: January 3, 2026

This Data Processing Agreement ("DPA") regulates the processing of personal data pursuant to the EU's General Data Protection Regulation (2016/679) (GDPR) by Ansvar Systems AB as the data processor on behalf of customers using the Ansvar AI threat modeling platform.

For customers processing personal data via the Ansvar platform, this GDPR Article 28-compliant agreement governs how we handle your data.

When Do You Need a DPA?

You may need this DPA if:

  • Your uploaded architecture documentation contains personal data (employee names, contact information, etc.)
  • Your company requires a DPA for compliance obligations
  • You are subject to ISO 27001, SOC 2, or similar audits
  • Your internal policies require DPAs with all processors

The Processor

Ansvar Systems AB (559547-2225)

Ingemarsboda 565

841 74 Fransta, Sweden

+46736207435

Email: privacy@ansvar.eu

Purpose of Processing

The purpose for the processing of personal data is to provide the Ansvar AI threat modeling service. This includes:

  • Receiving and processing system architecture documentation uploaded by the Controller
  • Generating AI-assisted threat model analysis
  • Delivering threat model reports to the Controller
  • Providing customer support and communication
  • Processing billing and payment information

Categories of Personal Data Processed

The following categories of personal data may be processed:

  • Name and email address
  • Online identifiers such as cookies or IP addresses
  • Any personal data incidentally included in system architecture documentation uploaded by the Controller (e.g., employee names in diagrams, contact information in documentation)

Approved Subprocessors

The following subprocessors are approved for processing personal data:

1. Microsoft Corporation (Azure)

  • Purpose: Cloud infrastructure and hosting
  • Location: EU (West Europe / North Europe regions)
  • DPA: Microsoft DPA

2. Stripe, Inc.

  • Purpose: Payment processing
  • Location: USA (EU-US Data Privacy Framework)
  • DPA: Stripe DPA

3. OpenAI, LLC

  • Purpose: AI processing for threat model generation
  • Location: USA (Standard Contractual Clauses)
  • DPA: OpenAI DPA

4. Anthropic, PBC

  • Purpose: AI processing for threat model generation
  • Location: USA (Standard Contractual Clauses)
  • DPA: Available on request

International Data Transfers

At the time of signing, personal data covered by the DPA is processed in Sweden or elsewhere within the EEA. Personal data may be transferred outside the EU/EEA to the following subprocessors:

  • Stripe (USA) - EU-US Data Privacy Framework certified
  • OpenAI (USA) - Standard Contractual Clauses (SCCs) in place
  • Anthropic (USA) - Standard Contractual Clauses (SCCs) in place

All transfers are conducted in accordance with GDPR Chapter V requirements. The Processor ensures appropriate safeguards are in place before any transfer occurs.

Data Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments
  • Audit logging of data access
  • Employee confidentiality obligations
  • Incident response procedures

Data Retention and Erasure

Upon termination of the service agreement, or upon the Controller's request, the Processor will:

  • Store a copy of the Controller's data for up to 30 days from the termination date
  • Assist the Controller with transferring data in an appropriate format
  • Delete or return all personal data within 30 days of receiving necessary instructions

Personal Data Breach Notification

The Processor must notify the Controller of a personal data breach without undue delay after the Processor or its subcontractors have been made aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

Audit Rights

The Controller has the right to examine the Processor's processing activities through inspections and audits. The inspection may be conducted by an auditor mandated by the Controller, provided reasonable advance notice is given and appropriate confidentiality commitments are undertaken.

Request a Signed Copy

For a signed copy of the complete Data Processing Agreement, or if you have any questions about data processing, please contact our privacy team.

Contact

For questions about this Data Processing Agreement or data protection matters:

Ansvar Systems AB

Email: privacy@ansvar.eu