Data Processing Agreement

Last updated: 2026-05-18

This Data Processing Agreement ("DPA") is between Sweatkraft AS ("SweatStack") and the legal entity or person who registers an application on the SweatStack platform ("Developer"). It applies automatically when you register an application or call the SweatStack API, and forms part of the SweatStack Terms and Conditions.

We've kept it short on purpose. The substantive obligations are in GDPR; this document records how they apply to our relationship.

1. Scope and roles

This DPA covers personal data of end users that flows between SweatStack and the Developer through the SweatStack API.

  • Independent controllers (athlete data via the API). For personal data that the Developer pulls from the SweatStack API after a user authorizes the Developer's app, SweatStack and the Developer are each independent controllers. Each party determines the purposes and means of processing on its own side and is responsible for its own GDPR compliance.
  • SweatStack as processor (developer-controlled storage). For data the Developer writes back into SweatStack — including the app-metadata feature and any future developer-controlled storage SweatStack offers — SweatStack acts as a processor on the Developer's behalf. Sections 3 and 4 govern that processing.

2. Independent-controller cooperation

For data processed under the independent-controller relationship:

  • Each party will have its own privacy notice covering its processing.
  • Each party will handle data subject requests directed to it, and will cooperate in good faith on requests that span both parties.
  • Each party will inform the other without undue delay of any personal data breach affecting shared data subjects, so the other party can meet its own notification obligations.

3. SweatStack as processor: subject matter and instructions

Where SweatStack acts as the Developer's processor:

  • Subject matter and duration: processing of personal data the Developer writes into SweatStack-hosted developer storage, for as long as the Developer's account is active.
  • Nature and purpose: storing the data so the Developer's app can read it back and use it inside the Developer's product.
  • Categories of data and data subjects: whatever the Developer chooses to write. Developers must not store data that the user would not reasonably expect them to keep in this storage.
  • Instructions: SweatStack will process this data only on the Developer's documented instructions, which are the SweatStack Terms, this DPA, and the API behavior the Developer invokes. SweatStack will not access this data except as needed to provide and secure the service.

4. Processor obligations

When acting as processor, SweatStack will:

  • Confidentiality. Ensure that personnel authorized to process the data are bound by confidentiality.
  • Security. Implement the technical and organizational measures described in Appendix A.
  • Sub-processors. Use the sub-processors listed at sweatstack.no/sub-processors. SweatStack will give at least 30 days' notice before adding or replacing a sub-processor that processes developer-controlled data. The Developer may object on reasonable grounds; if we can't resolve the objection, the Developer may terminate the affected service.
  • Assistance. Assist the Developer, taking into account the nature of processing and the information available, in responding to data subject requests and in meeting the Developer's obligations under Articles 32–36 of GDPR.
  • Breach notification. Notify the Developer without undue delay after becoming aware of a personal data breach affecting the Developer's data.
  • Return or deletion. On termination of the Developer's account or this DPA, delete the developer-controlled data within a reasonable period, returning it to the Developer first if the Developer so requests, except where law requires retention.
  • Information and audits. Make available the information reasonably necessary to demonstrate compliance with this section. Until SweatStack has formal third-party security certifications, this takes the form of written responses to reasonable questions; once certifications exist, sharing the relevant reports will satisfy this obligation.

5. International transfers

Where personal data is transferred outside the EEA — either between SweatStack and the Developer, or to SweatStack's sub-processors — the parties rely on the European Commission's Standard Contractual Clauses (Module 1 for controller-to-controller transfers between the parties; the appropriate modules for sub-processors) and any additional safeguards the providers offer.

6. Term

This DPA applies for as long as the Developer has an active SweatStack application or API access. Sections that by their nature should survive termination (confidentiality, accrued liability, return/deletion obligations) will do so.

7. Conflicts

If this DPA conflicts with the SweatStack Terms and Conditions on data protection matters, this DPA controls. For everything else, the Terms control.


Appendix A — Technical and organizational measures

SweatStack's current measures include:

  • Encryption. TLS for data in transit. Encryption at rest for primary storage and backups.
  • Access control. Scoped, individually-attributable access for personnel. Production access limited to those who need it.
  • Hosting. Primary application and database hosting in Finland (EU) with Hetzner. Sub-processor list maintained at sweatstack.no/sub-processors.
  • Monitoring. Continuous error and security monitoring. Application and access logs retained for up to 12 months.
  • Vulnerability management. Dependencies kept current. Security issues triaged on discovery.
  • Backups. Encrypted backups with defined retention; tested periodically.
  • Incident response. Defined process for detection, containment, notification, and post-incident review.

These measures evolve with the service. The current version is always reflected here.


Contact

For DPA matters, email [email protected].

Sweatkraft AS, Norway.