Legal

Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of our Terms of Service and applies to the processing of personal data on behalf of our customers.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Data Controller" means the entity that determines the purposes and means of Processing.
  • "Data Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by us to process Personal Data.

2. Roles and Responsibilities

In providing our services, you (the Customer) act as the Data Controller and Recoger (Komply.1 AB) acts as the Data Processor. We process Personal Data only on your documented instructions.

3. Processing Details

Categories of Data Subjects

  • Customer employees and contractors
  • Device users within customer organization

Types of Personal Data

  • Names and email addresses
  • Device identifiers (hashed)
  • IP addresses
  • Device compliance status

Purpose of Processing

To provide device compliance monitoring and security posture assessment services.

Duration

For the duration of your subscription, plus 30 days for data export/deletion.

4. Security Measures

We implement appropriate technical and organizational measures, including:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Access controls and authentication
  • Regular security assessments
  • Employee security training
  • Incident response procedures

5. Sub-processors

We use sub-processors to deliver our services. The current list is available at recoger.app/legal/subprocessors. We will notify you of any changes to sub-processors.

6. Data Subject Rights

We will assist you in responding to data subject requests (access, correction, deletion, portability) to the extent legally required and technically feasible.

7. Data Breach Notification

We will notify you of any Personal Data breach without undue delay, and in any case within 72 hours of becoming aware of it.

8. Data Transfers

All Personal Data is processed within the EU/EEA (Frankfurt, Germany). If any transfer outside the EU/EEA becomes necessary, we will ensure appropriate safeguards are in place.

9. Audits

Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA.

10. Return and Deletion

Upon termination, we will delete or return all Personal Data within 30 days, unless retention is required by law.

11. Contact

For DPA-related inquiries:

Email: dpa@recoger.app
Entity: Komply.1 AB, Sweden

Need a signed DPA?

Contact us at dpa@recoger.app and we'll send you a countersigned copy for your records.