
Data Processing Agreement

Legal


Data processing agreement for business customers (GDPR Art. 28 and Quebec's Law 25).

Version: v1.0-2026-04-17 · Integrity hash: sha256-fc1763cb41c07c02eb591515c8c2a48e03693993b3e612b87a7512f98a573b80

Acceptances are recorded against this hash in the Skaala ledger. If the text below is updated, the version bumps and previously recorded acceptances are re-requested from affected users.

Data Processing Agreement

Version: v1.0-2026-04-17
Effective Date: 2026-04-17
Baseline standard: GDPR Art. 28 (Controller-to-Processor)

This Data Processing Agreement ("DPA") forms part of the Service Agreement between AiCall AB (trading as Skaala), a Swedish corporation with organisation number 559465-4583 and registered office at Husarvikstorget 4, 115 47 Stockholm, Sweden ("Processor" or "Skaala"), and the customer identified in the Service Agreement ("Controller" or "you"). By clicking "Accept and continue" in the Skaala dashboard, you execute this DPA on behalf of the Controller.

This DPA sets out the terms governing Skaala's processing of Personal Data on behalf of the Controller and applies the standards of GDPR Articles 28, 32, and 44–49 as a baseline, regardless of the Controller's jurisdiction. Where the Controller is subject to Quebec's Act respecting the protection of personal information in the private sector (CQLR c P-39.1, as amended by "Law 25") ("ARPPIPS"), this DPA is also intended to meet the Section 17 and Section 18.3 written-agreement requirements.

Article 1 — Definitions

"Personal Data", "Processing", "Controller", "Processor", "Sub-Processor" and "Data Breach" have the meanings given to them in GDPR Art. 4. "Personal Information" has the meaning given to it in ARPPIPS. "Platform" means the Skaala AI Agent Platform.

Article 2 — Scope and Purpose of Processing

Skaala Processes Personal Data only to the extent necessary to provide the Platform services described in the Service Agreement, including AI receptionist services, booking management, CRM operations, payment processing, transactional communications, and business analytics.

Skaala does not Process Personal Data for any purpose other than those specified above unless required by EU or Member State law, in which case Skaala shall inform the Controller of that legal requirement before Processing, unless prohibited by law.

Article 3 — Processor Obligations

Skaala shall:

  1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EEA or Quebec, unless required by law.
  2. Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality.
  3. Implement the technical and organisational measures specified in Schedule 2, ensuring a level of security appropriate to the risk.
  4. Comply with the sub-processor terms in Article 6.
  5. Assist the Controller in responding to requests from data subjects exercising rights under GDPR Chapter III or ARPPIPS.
  6. Notify the Controller of any Data Breach without undue delay and in any event within 48 hours of becoming aware.
  7. Delete or return Personal Data at the Controller's election upon termination (Article 13).
  8. Make available all information necessary to demonstrate compliance and allow for audits (Article 12).

Article 4 — Controller Obligations

The Controller warrants that it has a lawful basis for Processing Personal Data through the Platform and that all necessary consents, authorisations, and privacy notices have been obtained and provided to data subjects. The Controller is responsible for configuring user-initiated data exports (e.g., Zapier webhooks, calendar synchronisation) and for ensuring that third-party destinations receiving Personal Data provide adequate protection.

Article 5 — Technical and Organisational Measures

Skaala commits to the measures detailed in Schedule 2. In summary:

  • Encryption in transit: TLS 1.3 (minimum TLS 1.2) for all external connections.
  • Encryption at rest: AES-256 for the primary database, backups, and file storage.
  • Access controls: Stack Auth authentication, MFA available, every database query scoped by teamId and verified user membership.
  • Infrastructure: Vercel (Stockholm, EU) for application; Neon Postgres (Frankfurt, EU) for primary storage; Twilio Ireland (ie1) for voice routing.
  • Webhook verification: HMAC signature validation on all inbound webhooks.
  • Audit logging: Server-side logging of access events, API calls, and administrative operations; logs retained for 90 days.

Article 6 — Sub-Processor Management

The Controller provides general written authorisation for Skaala to engage the Sub-Processors listed in Schedule 3. Skaala shall inform the Controller of any intended changes to Sub-Processors with at least 30 days' prior written notice. The Controller may object to the addition or replacement of a Sub-Processor on reasonable data-protection grounds within 14 days of receiving notice. If Skaala cannot reasonably accommodate the objection, the Controller may terminate the affected services without penalty.

Skaala shall impose on each Sub-Processor, by way of a contract, the same data-protection obligations as set out in this DPA, and shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

Article 7 — International Transfers

All international transfers of Personal Data are made in compliance with GDPR Chapter V, regardless of the Controller's jurisdiction. Skaala has conducted a formal Transfer Impact Assessment (Skaala Privacy Impact Assessment v1.0, Appendix C, 2026-04-15). Transfer mechanisms by destination:

| Destination | Mechanism | Supplementary measures |
| --- | --- | --- |
| EU/EEA (Sweden, Germany, Ireland) | Adequate by default | Standard DPA |
| United States (Stripe, ElevenLabs, Google, Microsoft, SendGrid, Zapier) | EU-US Data Privacy Framework | Art. 28 DPA, SCCs fallback, encryption |
| Canada | PIPEDA (recognised as adequate) | Standard DPA |

If the EU-US Data Privacy Framework is invalidated, Skaala shall (a) immediately activate Standard Contractual Clauses, (b) notify the Controller within 72 hours, and (c) assess whether supplementary measures are sufficient or whether the transfer must be suspended.

Article 8 — Risk Mitigation Commitments

Skaala publishes its ongoing compliance roadmap in the Skaala Privacy Impact Assessment (Appendix to this DPA). Material commitments include EU data-residency migrations, DSAR tooling, automated retention enforcement, and caller-consent disclosures. Progress is reviewed annually and reported upon reasonable request.

Article 9 — Data Subject Rights

Skaala shall assist the Controller in fulfilling its obligations to respond to data-subject requests exercising rights under GDPR Chapter III and ARPPIPS, including:

  • Right of access (Art. 15 / ARPPIPS s. 27)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17 / ARPPIPS s. 28.1)
  • Right to restriction (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Rights related to automated decision-making (Art. 22 / ARPPIPS s. 12.1)

Skaala shall respond to Controller requests to facilitate data-subject rights within 5 business days, enabling the Controller to meet the statutory one-month response deadline. The Skaala dashboard exposes /api/dsr/export and /api/dsr/erase endpoints for team-admin use on behalf of data subjects.

Article 10 — Personal Data Breach Notification

Skaala shall notify the Controller of any Data Breach without undue delay and in any event within 48 hours of becoming aware of the breach, providing the information required under GDPR Art. 33(3). Skaala shall cooperate with and assist the Controller in complying with the 72-hour supervisory-authority notification obligation.

Article 11 — Data Protection Impact Assessments

Skaala has conducted a comprehensive Privacy Impact Assessment (Skaala PIA v1.0, 2026-04-15) covering all Processing activities, cross-border transfers, automated decision-making systems, and Sub-Processor data flows. Skaala shall provide the PIA to the Controller on request and update it annually or upon material change.

Article 12 — Audit and Inspection Rights

Skaala shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits of Skaala's data-processing activities upon 30 days' written notice during normal business hours. Third-party certifications currently available: ElevenLabs SOC 2 Type II, Vercel SOC 2, Neon SOC 2, Stripe PCI DSS Level 1.

Article 13 — Term, Termination and Data Return

This DPA remains in effect for the duration of the Service Agreement. Upon termination, Skaala shall, at the Controller's election: (a) return all Personal Data in a structured, commonly used, machine-readable format (JSON/CSV export via the Platform dashboard); or (b) delete all Personal Data and certify such deletion in writing. The Controller shall communicate its election within 30 days of termination; otherwise Skaala shall securely delete all Personal Data within 60 days.

Skaala may retain Personal Data to the extent required by applicable law (e.g. the Swedish Bookkeeping Act). Any retained data shall continue to be protected under this DPA until deleted.

Article 14 — Liability

Each party's liability under this DPA is subject to the limitations set out in the Service Agreement, except that neither party's liability for breaches of data-protection obligations shall be limited in a manner that would prevent an affected data subject from receiving compensation under GDPR Art. 82.

Article 15 — Governing Law

This DPA is governed by the laws of Sweden. Disputes shall first be submitted to good-faith negotiations for 30 days, and then settled by the courts of Stockholm. Nothing in this article shall prevent a data subject from exercising rights under GDPR Art. 79 in the courts of their habitual residence, or under ARPPIPS in the courts of Quebec.

Article 16 — General

This DPA together with the Service Agreement constitutes the entire agreement between the parties regarding the Processing of Personal Data. In the event of conflict between this DPA and the Service Agreement, this DPA prevails with respect to data-protection matters.

Schedule 1 — Processing Details

| Field | Details |
| --- | --- |
| Subject matter | AI receptionist, booking, CRM, widget, multi-channel communications |
| Duration | Duration of the Service Agreement |
| Nature | Collection, recording, storage, retrieval, use, disclosure, erasure; includes automated processing (transcription, sentiment analysis, contact scoring) |
| Categories of data subjects | End customers (callers), business owners (users), staff members, website visitors |
| Categories of Personal Data | Identity, Financial, Voice/Audio, Behavioural, Profiling, Geographic (country/region), Calendar, CRM, Booking, Authentication |
| Sensitive data | Skaala does not intentionally collect special categories under GDPR Art. 9 |

Schedule 2 — Technical and Organisational Measures

Pseudonymisation. Database record IDs are UUIDs with no inherent meaning.

Encryption. TLS 1.3+ in transit; AES-256 at rest.

Confidentiality. Multi-tenant isolation (teamId scoping); role-based access; MFA available; OAuth scope minimisation; API keys hashed.

Integrity. Zod schema validation on all API inputs; HMAC webhook signature verification.

Availability and resilience. Vercel auto-scaling serverless; Neon Postgres with automated daily backups and point-in-time recovery.

Testing and evaluation. Dependency scanning; code review; rate limiting; automated security audits; incident-response procedures; DPIA reviews.

Retention. Active-subscription: retained per Controller configuration. Post-cancellation: 90-day grace period, then automated deletion. Payment data: Stripe PCI DSS (no local card storage). Financial records: retained per the Swedish Bookkeeping Act.

Schedule 3 — Authorised Sub-Processors

| Sub-Processor | Location | Purpose |
| --- | --- | --- |
| ElevenLabs | US (EU residency roadmap) | Voice AI, transcription |
| Twilio | Dublin, Ireland (EU) | Telephony, SMS |
| Stripe | US (DPF certified) | Payment processing |
| Neon Postgres | Frankfurt, Germany (EU) | Primary database |
| Vercel | Stockholm, Sweden (EU) | Application hosting |
| Stack Auth | EU | Authentication |
| Google Calendar | US (DPF certified) | Calendar sync |
| Microsoft Graph | EU (European Data Boundary) | Calendar sync |
| Twilio SendGrid | US (via Twilio DPA) | Transactional email |
| Zapier | US | User-configured workflow automation |
| Meta (WhatsApp) | US | WhatsApp Business messaging |
| Ahrefs | EU | Cookieless web analytics (no Personal Data) |

Skaala maintains the current list at https://skaala.ai/legal/dpa and provides 30 days' notice before adding or replacing any Sub-Processor.

Schedule 4 — Risk Mitigation Commitments

Skaala's ongoing roadmap of technical and organisational improvements is published in the Skaala Privacy Impact Assessment (v1.0, 2026-04-15). The Controller may request a current status report at any time.
By accepting this DPA via the click-wrap flow in the Skaala dashboard, the Controller executes this Agreement as of the acceptance timestamp recorded in the Skaala legal_acceptances ledger.