Last updated: 2026-06-04
This Personal Data Assistance Agreement ("Agreement") is entered into between:
Personal Data Controller
The customer ("Customer", "Controller"); and
Personal Data Processor
Roughly Right AB, org. no. 556912-2871 ("Roughly Right", "Processor")
Together the "Parties" and individually a "Party".
This Agreement forms part of the General Terms and Conditions between the Parties and is incorporated by reference. In the event of any conflict, this Agreement takes precedence over the General Terms and Conditions.
This Agreement governs the processing of personal data carried out by Roughly Right on behalf of the Customer, as follows from the General Terms and Conditions. Roughly Right processes personal data solely on the Customer's instructions and in accordance with Applicable Law.
The terms used in this Agreement have the same meaning as set out in Article 4 of the GDPR.
"Applicable Law" refers to the legislation applicable to the processing of personal data under this Agreement, including the GDPR, supplementary national legislation, and practices, guidelines and recommendations issued by a supervisory authority.
"Processing" means any operation performed on personal data, such as storage, modification, reading or handover.
"Personal Data" means all information that can be linked to an identifiable living person.
"Controller" is the company/organisation that determines the purposes and means of processing personal data and is responsible for ensuring processing complies with Applicable Law.
"Processor" is the company/organisation that processes personal data on behalf of the Controller, and may therefore only process personal data according to the Controller's instructions and Applicable Law.
"Data Subject" means the living person whose personal data is being processed.
"Supervisory Authority" means the Swedish or EU authority responsible for supervising compliance with data protection law, including the Swedish Privacy Protection Authority (IMY).
Roughly Right is instructed to process data identifying the Customer's:
Personal data processed under this Agreement originates from:
To enable the Customer to manage their time and finances through the Roughly Right service.
Storage and processing.
Roughly Right undertakes to:
The Customer:
In the event of an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data ("Personal Data Incident"), Roughly Right shall notify the Customer in writing without undue delay and no later than eight (8) hours after the incident is discovered, at the contact details set out in Annex 3.
The notification shall, to the extent available, include:
a. A description of the circumstances of the incident
b. The nature of the incident, including categories and approximate number of data subjects and personal data affected
c. The likely consequences of the incident
d. Measures taken or proposed to address the incident and mitigate its effects
e. Contact details for further information
If it is not possible to provide all information at once, it may be provided in stages without undue further delay.
Roughly Right shall, upon the Customer's request, provide access to all information necessary to demonstrate compliance with Applicable Law and this Agreement.
If such information is not reasonably sufficient, the Customer has the right to conduct physical inspections. Roughly Right shall enable and contribute to audits and inspections carried out by the Customer or an impartial third party appointed by the Customer.
The Customer shall notify Roughly Right in writing at least ten (10) business days in advance of any planned inspection.
Inspections may only be conducted:
Each Party bears its own costs in connection with inspections. If an additional inspection is requested within one (1) year of a completed inspection, the Customer shall bear all costs.
Roughly Right's approved sub-processors are listed in Annex 1. If Roughly Right plans to engage a new sub-processor or replace an existing one, it shall notify the Customer at least five (5) business days in advance.
If the Customer has reasonable grounds to object to a sub-processor, the Parties shall first seek a suitable alternative. If no alternative is found, the Customer has the right to terminate this Agreement and (where applicable) the General Terms and Conditions.
Roughly Right shall ensure that each sub-processor is bound by obligations equivalent to those in this Agreement. Roughly Right remains fully responsible to the Customer for the actions or omissions of its sub-processors.
Roughly Right shall maintain an updated list of sub-processors, available to the Customer upon request.
Roughly Right shall maintain a written record of processing activities in accordance with Article 30(2) of the GDPR. The record shall be made available to the Customer upon request.
If applicable, the contact details of Roughly Right's Data Protection Officer are set out in Annex 3.
Roughly Right shall promptly inform the Customer of any contact from a data subject, supervisory authority, or other third party regarding the processing of personal data under this Agreement.
If a data subject submits a request to Roughly Right regarding their rights, Roughly Right shall refer them to the Customer.
Roughly Right shall not represent the Customer or act on the Customer's behalf in relation to data subjects, supervisory authorities, or other third parties.
Roughly Right shall implement appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful access, as set out in Annex 2.
The adequacy of these measures shall be assessed in light of current developments, implementation costs, and the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of data subjects.
Roughly Right shall ensure that only employees and consultants who need access to personal data are granted it, and that those with access are bound by appropriate confidentiality obligations.
Roughly Right shall ensure that personal data is not accidentally or unlawfully destroyed, altered or distorted, and is protected against unauthorised access during storage, transfer and other processing.
Roughly Right primarily processes personal data within the EU/EEA. Where processing occurs outside the EU/EEA, Roughly Right shall ensure that one of the following conditions is met:
Roughly Right is liable for direct damages arising from processing personal data in breach of the Customer's instructions under this Agreement and Applicable Law. Liability is capped at the value of the Customer's annual licence fees. Compensation shall not be paid where the claim relates to processing approved or carried out under the Customer's instructions.
Roughly Right is not liable for indirect damages or consequential loss such as lost revenue, contracts, customers, business opportunities, goodwill, or expected savings.
Force majeure: neither Party is liable for obligations under this Agreement where performance is prevented by an extraordinary circumstance beyond the Party's control that the Party could not reasonably have anticipated, avoided or overcome.
Roughly Right shall not use information or materials accessed under this Agreement for any purpose other than fulfilling its obligations. Roughly Right shall not disclose information about the processing of personal data or the content of personal data to any third party, except where required by law.
This confidentiality obligation applies from the date the Agreement enters into force and indefinitely thereafter. Roughly Right shall ensure the obligation applies to all employees and others acting on its behalf.
This Agreement is valid for as long as Roughly Right processes personal data on behalf of the Customer, or until replaced by a new personal data assistance agreement.
Roughly Right's obligations under this Agreement continue to apply regardless of termination, for as long as Roughly Right processes personal data on behalf of the Customer.
Upon termination of this Agreement, Roughly Right and any sub-processors shall either delete or return all personal data covered by the Agreement.
Swedish law applies to this Agreement. The dispute resolution mechanism set out in the General Terms and Conditions applies to this Agreement.
Postmark
Service: automated e-mails (e.g. account registration).
Website: postmarkapp.com
Data processed: e-mail.
Transfer safeguard: EU Commission SCCs.
Amazon Web Services (AWS)
Service: hosting of the public website (roughlyright.com).
Website: aws.amazon.com
Data processed: IP address, website visitor data.
Transfer safeguard: data processed within EU/EEA.
Digital Ocean
Service: hosting of the Roughly Right application and all associated user data.
Website: digitalocean.com
Data processed: database, logs, images and all data entered by the Customer.
Transfer safeguard: data processed within EU/EEA.
Google (GSuite)
Service: internal e-mail provider.
Website: workspace.google.com
Data processed: e-mail, name, information arising via communication.
Transfer safeguard: EU Commission SCCs.
Scrive
Service: contract signing.
Website: scrive.com
Data processed: e-mail, name.
Transfer safeguard: data processed within EU/EEA.
Pipedrive
Service: organising Roughly Right's own communications with potential and existing customers. Does not process data entered by the Customer into the Roughly Right application.
Website: pipedrive.com
Data processed: e-mail, name, information arising via communication.
Transfer safeguard: data processed within EU/EEA.
Datadog
Service: technical application logs.
Website: datadoghq.com
Data processed: e-mail, user ID, name.
Transfer safeguard: data processed within EU/EEA.
Google Analytics
Service: website and app traffic analysis.
Website: analytics.google.com
Data processed: IP address, OS, browser, geographic location.
Transfer safeguard: EU Commission SCCs.
Digital Ocean
Service: cloud hosting.
Website: digitalocean.com
Data processed: database, logs, images and all data entered by the Customer.
Transfer safeguard: data processed within EU/EEA.
Fortnox (optional — only if activated by the Customer)
Service: the Customer may optionally connect Roughly Right to Fortnox as an accounting system.
Website: fortnox.se
Data processed: customers, projects, suppliers and invoices, to the extent the Customer activates the integration.
Transfer safeguard: data processed within EU/EEA.
Marathon (optional — only if activated by the Customer)
Service: the Customer may optionally connect Roughly Right to Marathon as their accounting system. When activated, Roughly Right creates projects and invoices in Marathon and imports employee and customer data from Marathon. The Customer is responsible for their own agreement with Marathon.
Website: marathonservice.se
Data processed: employees, customers, projects and invoices, to the extent the Customer activates the integration.
Transfer safeguard: data processed within EU/EEA.
Okta (optional — only if activated by the Customer)
Service: single sign-on (SSO). Where the Customer uses Okta as their identity provider, Okta sends identity data (name, e-mail, user ID) to Roughly Right to authenticate users. Okta acts as a sub-processor of the Customer, not of Roughly Right. The Customer is responsible for their own agreement with Okta and for disclosing Okta's role in their own privacy notices.
Website: okta.com
Data processed: name, e-mail, user ID, received from the Customer's Okta instance.
Transfer safeguard: EU Commission SCCs.
Google Sign-In (OAuth)
Service: enables users to log in to Roughly Right using their Google account. We use the openid, userinfo.email and userinfo.profile scopes to authenticate users and pre-populate their display name.
Website: developers.google.com
Data processed: e-mail address, name, Google user ID.
Transfer safeguard: EU Commission SCCs.
Google Calendar API
Service: enables users to import Google Calendar events as time report entries.
Website: developers.google.com/calendar
Data processed: calendar event data (titles, times, attendees), read-only, with user consent.
Transfer safeguard: EU Commission SCCs.
Technical measures:
Organisational measures:
Roughly Right AB
Email: info@roughlyright.com
Phone: +46 709 42 20 94