Data processing agreement (DPA)

This data processing agreement ("Agreement") and its annexes, including links, govern the processing of personal data by OneMore Secure, 559389-1764 ("OMS"), a company registered in Sweden, acting as the "Processor."

This agreement is made in accordance with the requirements set out under the General Data Protection Regulation (EU 2016/679) ("GDPR") and details the terms under which OMS will process personal data on behalf of the Controller.

1. Definitions

The following terms have the meanings assigned to them by GDPR:
1.1 "Personal data": Any information relating to an identified or identifiable natural person ("Data subject"), including names, email addresses, and phone numbers of the Controller's representatives.
1.2 "Processing": Any operation performed on personal data, including collection, storage, access, use, and deletion.
1.3 "Controller": The entity determining the purposes and means of processing personal data.
1.4 "Processor": OMS, acting on behalf of the Controller in processing personal data.
1.5 "Sub-processor": Any third party engaged by OMS to process personal data.
1.6 "Technical and organisational measures (TOMs)": Measures implemented to protect personal data, as further described in Appendix 1.

2. Purpose and scope of processing

2.1 OMS will process personal data solely for the delivery of products and services as set out in the main agreement between the parties.
2.2 OMS will not process personal data for any purpose other than those expressly agreed, except where required by law.

3. Categories of personal data and data subjects

3.1 OMS will process the following types of personal data:

  • Names of administrators.

  • Email addresses.

  • IP addresses.

3.2 The categories of data subjects include representatives and employees of the Controller.

4. Data location and transfers

4.1 OMS ensures that all data is stored within the EU/EEA.
4.2 OMS uses Microsoft Azure with physical servers located in Sweden.
4.3 Data will not be transferred outside the EU/EEA.

5. Technical and organisational measures

OMS implements appropriate technical and organisational measures to ensure a level of security proportionate to the risk, as detailed in Appendix 1. These include, but are not limited to:

  • Multifactor authentication (MFA) for all services.

  • Encryption (SHA256, AES256, TLS 1.2 minimum).

  • Incident management procedures.

  • Regular privacy and security training for all staff.

6. Sub-processors

6.1 OMS engages the following sub-processors:

  • Microsoft Corporation (Cloud hosting).

  • Websearch Sverige AB (Development).

  • Intuit France SAS - Represented by Mailchimp (Email sending).

  • True Value Software AB (Certificate issuance).

6.2 OMS will ensure that any sub-processor complies with terms equivalent to those in this agreement.

7. Obligations of OMS

OMS commits to:

  • Processing personal data only under the documented instructions of the Controller.

  • Ensuring personnel authorised to process personal data are bound by confidentiality obligations.

  • Implementing and maintaining appropriate TOMs.

  • Assisting the Controller in fulfilling data subject rights requests and GDPR obligations, where applicable.

  • Promptly notifying the Controller of any personal data breach.

8. Data retention and deletion

OMS will retain personal data only as long as necessary to meet contractual obligations unless otherwise required by law. Upon termination of the agreement, OMS will securely delete all personal data unless prohibited by national law.

9. Data subject rights

OMS will assist the Controller in responding to requests from data subjects in line with GDPR, including rights of access, rectification, erasure, and data portability.

10. Audits and inspections

OMS allows the Controller to conduct one (1) free audit or inspection per year. Additional audits may incur administrative fees, subject to prior agreement.

11. Incident management

OMS has procedures to detect, respond to, and mitigate personal data breaches. OMS will notify the Controller without undue delay upon becoming aware of a breach.

12. Annual assessments

OMS regularly conducts impact and transfer assessments to ensure compliance with GDPR and other applicable laws.

13. Indemnity

OMS shall not be liable for penalties, damages, or other costs arising from the Controller's failure to comply with its own GDPR obligations.

14. Governing law and jurisdiction

This agreement is governed by the laws of Sweden. Any disputes will be subject to the exclusive jurisdiction of the courts in Stockholm, Sweden.


Appendix 1: Technical and organisational measures (TOMs)

OMS employs the following safeguards:

  • Access controls:

      • Multifactor authentication (MFA).

      • Role-based access control (RBAC).

  • Encryption:

      • SHA256 and AES256 for data at rest.

      • TLS 1.2 for data in transit.

  • Incident management:

      • Defined procedures for breach detection, response, and notification.

  • Training:

      • Regular staff training on data protection.

  • Data minimisation:

      • Limiting collected data to what is necessary for agreed purposes.

For more information about our security, see our security measures.

How to contact us

Please feel free to contact us if you have any questions about our DPA.

Email us at support@onemoresecure.com

For further contact details, please visit our website www.onemoresecure.com

This DPA was last updated on 22 January 2025.