Data Processing Agreement (DPA)
Aquil — ISO 27001 ISMS Management Service
Version: 1.0 Effective date: 2026-04-07 Document hash: [computed at publish]
This Data Processing Agreement ("DPA") forms part of and is incorporated by reference into the Aquil Master Subscription Agreement ("MSA") between Sokigo AB and the customer entity identified in the applicable Order Form or self-service signup ("Customer").
In the event of conflict between this DPA and the MSA, this DPA prevails with respect to the processing of Personal Data.
1. Parties
| Role | Party |
|---|---|
| Processor | Sokigo AB, org.nr 556550-6309, with registered office in Sweden ("Sokigo") |
| Controller | The Customer entity that has accepted the MSA |
Sokigo is part of the Addnode Group AB (publ) corporate group.
2. Definitions
Terms not defined in this DPA have the meanings given in the GDPR or the MSA.
- GDPR: Regulation (EU) 2016/679.
- Personal Data: any information relating to an identified or identifiable natural person processed by Sokigo on behalf of Customer through the Aquil service.
- Processing, Controller, Processor, Data Subject, Personal Data Breach: as defined in GDPR art. 4.
- Sub-processor: any third party engaged by Sokigo to process Personal Data on behalf of Customer.
- Service: the Aquil ISMS management software-as-a-service.
- Standard Contractual Clauses or SCCs: the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914.
3. Subject matter, nature, purpose and duration
- Subject matter: provision of the Aquil Service by Sokigo to Customer.
- Nature and purpose: hosting, storage, processing, transmission, AI-assisted analysis and presentation of information uploaded or generated by Customer's authorised users in connection with managing Customer's information security management system.
- Duration: for the term of the MSA, plus the deletion period set out in Section 12.
Details of processing are set out in Annex 1.
4. Customer instructions
- Sokigo processes Personal Data only on documented instructions from Customer, including with regard to transfers to third countries, unless required to do so by Union or Member State law to which Sokigo is subject; in such case Sokigo shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The MSA, this DPA, configuration choices made by Customer in the Service, and any use of the Service by Customer's authorised users constitute Customer's complete and final documented instructions.
- Sokigo will inform Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
- Customer warrants that it has all necessary lawful bases under GDPR (including art. 6 and, where applicable, art. 9 and art. 10) for the Personal Data it submits to the Service.
5. Sokigo obligations
Sokigo shall:
a) Process Personal Data only on documented instructions from Customer.
b) Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
c) Implement the technical and organisational measures set out in Annex 2 to ensure a level of security appropriate to the risk under GDPR art. 32.
d) Engage Sub-processors only in accordance with Section 7.
e) Taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to Data Subject requests.
f) Assist Customer in ensuring compliance with GDPR arts. 32–36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available to Sokigo.
g) At Customer's choice, delete or return all Personal Data after the end of provision of services, in accordance with Section 12.
h) Make available to Customer all information necessary to demonstrate compliance with art. 28, and allow for and contribute to audits in accordance with Section 9.
6. Confidentiality
Sokigo personnel with access to Personal Data are subject to written confidentiality obligations that survive termination of their engagement.
7. Sub-processors
- Customer grants Sokigo general written authorisation to engage Sub-processors for the provision of the Service.
- The current list of Sub-processors is published at: https://aquil.se/legal/subprocessors ("Sub-processor List").
- Sokigo will notify Customer of any intended addition or replacement of Sub-processors at least 30 days in advance by updating the Sub-processor List and notifying subscribers to the change-notification mailing list.
- Customer may object on reasonable data-protection grounds within 14 days of notification. If the parties cannot resolve the objection in good faith within a further 30 days, Customer may terminate the affected portion of the Service with a pro-rata refund of prepaid fees, as Customer's sole and exclusive remedy.
- Sokigo imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to Customer for the performance of each Sub-processor's obligations.
8. International transfers
- Sokigo will not transfer Personal Data outside the EEA unless: (i) such transfer is to a country covered by an adequacy decision under GDPR art. 45; (ii) the transfer is subject to appropriate safeguards under GDPR art. 46 (including the SCCs); or (iii) another lawful transfer mechanism applies.
- Where Sub-processors are located outside the EEA or are subsidiaries of non-EEA parent companies subject to extraterritorial law, Sokigo enters into the SCCs with the Sub-processor and conducts a Transfer Impact Assessment (TIA).
- The currently applicable transfer mechanisms per Sub-processor are documented in the Sub-processor List.
9. Audits
- Customer may verify Sokigo's compliance with this DPA by reviewing: (i) Sokigo's current ISO/IEC 27001:2022 certificate and Statement of Applicability (available under NDA); (ii) the most recent third-party security audit reports available; and (iii) the Trust page at https://aquil.se/trust.
- If the above is insufficient and Customer is required by a competent supervisory authority to conduct a further audit, Customer may, at its own cost, conduct an audit no more than once per twelve-month period, on at least 30 days' written notice, during normal business hours, with a mutually agreed independent auditor bound by confidentiality, and without disrupting Sokigo's operations or accessing other customers' data.
- More frequent audits are permitted only where required by a supervisory authority following a Personal Data Breach.
10. Personal Data Breach notification
- Sokigo will notify Customer without undue delay and in any event within 48 hours of becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data.
- The notification will include, to the extent known: nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, measures taken or proposed.
- Sokigo will provide reasonable assistance to Customer in fulfilling Customer's own notification obligations under GDPR arts. 33–34.
- For clarity, Sokigo's notification is not an admission of fault.
11. Data Subject rights
- Sokigo will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures (including the data export and deletion features built into the Service) to respond to Data Subject requests under GDPR arts. 15–22.
- If a Data Subject contacts Sokigo directly, Sokigo will forward the request to Customer without undue delay and will not respond to the Data Subject except to confirm the forwarding.
12. Return and deletion
- Customer self-service export. Aquil provides in-product export functionality that enables Customer's authorised users to download their data (documents, processes, requirements, audit records, reports and uploaded files) at any time during the Subscription Term and during the post-termination grace period. Because Customer Data is encrypted with per-tenant keys, Customer is the only party able to obtain its data in plaintext form; Sokigo is technically unable to perform exports on Customer's behalf for data that has already been encrypted with Customer's tenant key.
- Post-termination grace period. Upon termination or expiry of the MSA, Customer's authorised users retain read-and-export access to the Service for 30 days for the purpose of exporting Customer Data.
- Deletion. After the grace period, Sokigo will delete all Customer Data within a further 60 days, except to the extent retention is required by applicable law. Backups containing Customer Data are deleted in accordance with Sokigo's backup rotation cycle (maximum 90 days).
- Confirmation. Sokigo will provide written confirmation of deletion on request.
- Format. Exports are provided in open, machine-readable formats (e.g. JSON, Markdown, original file formats for uploaded documents) consistent with GDPR art. 20 portability principles.
13. Liability
The liability of the parties under this DPA is subject to the limitations of liability set out in the MSA. For the avoidance of doubt, this provision does not limit the liability of either party towards Data Subjects under GDPR art. 82.
14. Governing law and jurisdiction
This DPA is governed by Swedish law. Disputes are resolved in accordance with the dispute resolution clause of the MSA.
15. Order of precedence
In case of conflict: (1) the SCCs (where applicable); (2) this DPA; (3) the MSA; (4) the Order Form.
Annex 1 — Description of processing
| Item | Detail |
|---|---|
| Categories of Data Subjects | Customer's employees, contractors, consultants and other authorised users; Customer's own data subjects whose information appears in documents Customer uploads (e.g. incident reports, audit findings, training records). |
| Categories of Personal Data | Identification data (name, email, role, organisation), authentication data (hashed credentials, MFA factors via Auth0), usage and audit data (timestamps, actions, IP addresses), content data (any Personal Data contained in documents, processes, requirement records, audit reports, support tickets and chat messages submitted by Customer to the Service). |
| Special categories | The Service is not designed for processing of art. 9 or art. 10 data. Customer acknowledges that information security incident records may incidentally contain such data and warrants that it has a valid art. 9(2) basis where this occurs. |
| Nature of processing | Storage, retrieval, structuring, organisation, alteration, transmission, AI-assisted analysis (text generation, summarisation, similarity matching), display, export, deletion. |
| Purpose | Enabling Customer to operate its ISMS using the Aquil Service. |
| Duration | For the term of the MSA + 30-day export grace period + 60-day deletion period + up to 90 days in backups. |
| Sub-processors | See https://aquil.se/legal/subprocessors |
Annex 2 — Technical and Organisational Measures (TOMs)
Sokigo implements the following measures, aligned with ISO/IEC 27001:2022 Annex A controls:
A. Access control (A.5.15, A.8.2, A.8.3)
- Role-based access control (RBAC) within the Service with tenant isolation enforced at the application and database layer.
- Multi-factor authentication required for all administrative access via Auth0.
- Principle of least privilege; access reviews at least annually.
B. Encryption (A.8.24)
- Data in transit: TLS 1.2 or higher with strong cipher suites.
- Data at rest (infrastructure layer): AES-256 full-disk encryption on Nutanix storage covers the database, logs and backups.
- Per-tenant file encryption (application layer): all Customer-uploaded files are additionally encrypted with AES-256-GCM using a per-tenant derived key. Key derivation uses PBKDF2-HMAC-SHA256 with the tenant identifier as salt and a master secret known only to Sokigo. Each file is encrypted with a unique random IV and protected by an authenticated encryption tag.
- The master secret is held by Sokigo and is injected into the application runtime via Kubernetes secrets management. It is not held by Microsoft or any sub-processor.
- Aquil Customers do not provide or manage their own root encryption keys (no BYOK at this time).
- Backups inherit infrastructure-level disk encryption; encrypted file objects retain their per-tenant encryption inside backups.
C. Pseudonymisation and minimisation (A.8.11)
- Logging captures organisation and user IDs, not personal content. PII and document content are excluded from operational logs.
D. Resilience and availability (A.8.13, A.8.14)
- Hosted on Sokigo-operated Nutanix infrastructure in Sweden, managed by Nordlo as IT service provider.
- Encrypted backups stored in a geographically separate Swedish location.
- Documented recovery procedures; current RTO/RPO published at https://aquil.se/trust.
E. Network and infrastructure security (A.8.20, A.8.21, A.8.22)
- Segregated network zones; perimeter and internal firewalls.
- Vulnerability scanning and patch management on a documented schedule.
- Hardened Kubernetes baseline; container image scanning.
F. AI processing (A.5.30, A.8.28)
- AI inference runs on Microsoft Azure AI Foundry, region Sweden Central, using the gpt-oss-120b model deployed in Sokigo's tenant.
- Key material for Sokigo's Azure platform services (including the AI Foundry deployment) is held by Sokigo in Azure Key Vault, Sweden Central — not by Microsoft.
- No customer prompts or completions are used to train any model.
- AI prompts and completions are not persisted in Sokigo's database. Only usage metadata (feature name, model, token counts, organisation/user identifiers, timestamps) is stored for quota enforcement and billing.
- AI outputs that Customer explicitly saves as part of Customer Data (for example, a generated document that the user keeps) are treated as Customer Data and retained for as long as Customer retains them.
G. Personnel and confidentiality (A.6.1–A.6.6)
- Background checks where lawful; written confidentiality undertakings; security awareness training on hire and at least annually.
H. Logging and monitoring (A.8.15, A.8.16)
- Application, infrastructure and security logs collected to a self-hosted Grafana LGTM stack within Sokigo's environment.
- Logs retained per the documented retention schedule and reviewed for security events.
I. Incident management (A.5.24–A.5.27)
- Documented incident response plan; 24/7 incident escalation procedure for Personal Data Breaches.
- Notification to Customer within 48 hours of becoming aware of a confirmed breach affecting Customer Personal Data.
J. Supplier management (A.5.19–A.5.22)
- Sub-processor due diligence including security and data protection assessment.
- Written contracts flowing down GDPR art. 28 obligations.
- Periodic re-assessment.
K. Physical security (A.7.1–A.7.4)
- Datacenter facilities operated to industry-standard physical security controls; access restricted and logged.
L. Secure development (A.8.25–A.8.29)
- Source code review; dependency scanning; SAST/DAST in CI/CD; segregation of development, staging and production environments.
These measures may be updated from time to time provided that the level of security is not materially decreased.
[End of DPA]