Personal data processor agreement

1. Preamble

This Personal Data Processor Agreement (the “Processor Agreement”) is entered into by the Customer (hereinafter also referred to as the “Controller”) and Dugga (hereinafter also referred to as the “Processor”).

The purpose of this Processor Agreement is to ensure that the Processor’s processing of personal data on behalf of the Controller takes place in accordance with the General Data Protection Regulation (2016/679) (“GDPR”), the Controller’s instructions and this Processor Agreement.

This Processor Agreement is an appendix to any free licence or main agreement entered into by the Customer and Dugga (the “Main Agreement”). In the event of conflicting provisions, the Main Agreement shall take precedence over this Processor Agreement.


2. Purpose of the processing of personal data

The purpose of the processing of the personal data, and the service provided by Dugga, is to enable the Customer to handle and perform digital evaluation of knowledge. Personal data are used in the system for use and log in purposes, depending on role and function of the user. The Customer shall e.g. be able to identify the person who assigns or creates tests, those taking tests and their answers and results. Personal data are also used for support, technical maintenance and back-up purposes.

The Processor is not entitled to process the personal data for any purpose other than those set forth in this Processor Agreement, unless prior written consent is obtained in each case.


3. The Processor’s responsibility

The Processor shall be responsible for taking such measures regarding the processing of personal data as requested in writing by the Controller, in Appendix 2:1 or otherwise, and for performing such processing as is required in connection with the provision of services to the Controller or required under applicable legislation.

After receiving written instructions, the Processor shall, without undue delay, take suitable action in order to ensure that the processing of personal data is adapted in accordance with such instructions.

The Processor shall not be liable for any lack of clarity in such instruction from the Controller and shall not be obligated to take any action other than those expressly requested by the Controller.

The Processor shall be entitled to compensation, in accordance with the pricelist from time to time applied by the Processor, for any action regarding processing of personal data which is not expressly specified by the Controller when this Processor Agreement enters into force.


4. Undertakings of the Controller

The Controller undertakes, as far as possible, to facilitate the processing of personal data within the scope of this Processor Agreement, inter alia by providing the Processor with necessary information without delay and by notifying the Processor well in advance of any administrative measures.


5. Certification

The Processor certifies that its own business activities are, in all respects, managed in a manner which ensures compliance with the requirements of GDPR, in accordance with prevailing norms in the industry and in a manner which allows implementation of measures in respect of personal data processing in accordance with this Processor Agreement.


6. Protective measures

In respect of all processing of personal data on behalf of the Controller, the Processor shall take technical and organisational protective measures specified by the Controller in Appendix 2:1.

The Processor shall determine how such measures are to be implemented in order to achieve the necessary level of protection.

The Processor shall not be obligated to take protective measures which are not expressly stated in this Processor Agreement or the appendices hereto.

The parties may agree on increased or additional protective measures and unless otherwise agreed in writing, the Processor shall be entitled to separate compensation for any such measure, in accordance with the Processor’s then current price list.

If no such protective measures are specified by the Controller, in Appendix 2:1 or otherwise, the Processor will at the expense of the Controller implement such protective measures as are customary in the industry under comparable circumstances.


7. Information

In order to verify the implementation of the processing of personal data, the Controller shall be entitled to request documentation regarding the Processor’s business activities and systems, to the extent that they relate to the processing of personal data on behalf of the Controller.


8. Follow-up

In the event the parties agree upon new protective measures for the processing of personal data, the Controller shall be entitled to request documentation regarding measures taken by the Processor for the purpose of bringing about the agreed implementation.


9. Disclosure of data

The Processor shall not be entitled to disclose any personal data to any third party without the prior written approval of the Controller, unless such disclosure is required by law.

In the event that a public authority orders the Processor to disclose data or to take other measures as a consequence of the processing of personal data on behalf of the Controller, the Processor shall be entitled to reasonable compensation for such work.

The Processor shall also be entitled to reasonable compensation for any other disclosure of personal data, at the request of the Controller or required by law or this Agreement, to any party other than the Controller, and the measures associated with such disclosure.


10. Transfer to third countries

The Processor may only transfer personal data to a country which is not a member of the European Union or a member of the European Economic Area with the prior written consent of the Controller.

In the event that the execution of a separate agreement for the purpose of maintaining an adequate level of protection is a legal requirement for the transfer of personal data to a third country, the Controller shall not be entitled to withhold consent to such transfer if the Processor can demonstrate that such an agreement does exist.

Details concerning the Processor’s routines for storage and processing of personal data are set out in Appendix 2:1 and 2:2.


11. Subcontracting

The Processor will use the subcontractors specified in Appendix 2:2, for the purposes set out therein.

The Processor may at its discretion replace or appoint further subcontractors, provided that they undertake to comply with this Processor Agreement.

The Processor is, in relation to the Controller, responsible for the acts and omissions of subcontractors as for its own acts and omissions.


12. Compensation

As set out above and below, the Processor is entitled to compensation for processing of personal data and related measures, to the extent that such processing and related measures are not expressly agreed in this Processor Agreement and the appendices hereto.


13. Contact persons, etc.

Each party shall designate a contact person with primary responsibility for communication between the parties regarding this Processor Agreement. The parties shall notify each other of the designated contact person and contact details, and each party shall without undue delay inform the other party if the contact person is replaced. For Free Licences, the person applying for the Free Licence is the contact person.


14. Ensuring the rights of the registered

The Processor shall, upon request, without delay, and in accordance with instructions from the Controller, correct, extract or delete personal data which is covered by this Processor Agreement.

The Processor shall moreover be of assistance to the Controller in ensuring the rights of the registered in accordance with Chapter III of GDPR.

The Processor shall be entitled to reasonable compensation for such measures.

In the event that the Controller makes a written request for deletion of personal data, the Processor shall delete the personal data in question not later than within 90 days from the request.


15. Termination

Upon termination of this Processor Agreement, personal data belonging to the Controller shall be returned or erased without unreasonable delay.

The Controller must not later than 3 months prior to the expiry of this Processor Agreement notify the Processor of how the personal data belonging to the Controller shall be handled and any need for assistance by the Processor in connection with transfer of personal data. Failing such notice, the Processor will erase the personal data in connection with the expiry of this Processor Agreement.

The Processor shall to a reasonable extent and provided availability of resources assist in the transfer of personal data. The Processor is entitled to compensation for such assistance in accordance with its then applicable price list for such services.


16. Limitation of liability

The Processor’s liability under this Processor Agreement shall be limited to direct losses resulting from processing of personal data which was clearly contradictory to the written instructions from the Controller or applicable legislation. Claims from third parties or public authorities shall for the purposes hereof be deemed to be direct losses. The Processor’s liability shall however under no circumstances include indirect losses such as for instance loss of revenue.


17. Disputes

Any dispute arising from or relating to this Processor Agreement shall be resolved as agreed in the Main Agreement.


18. Amendments to the agreement

In order to be binding, any amendments to or modifications of this Processor Agreement must be in writing and duly signed by both parties.



Appendix 2:1
The Controller’s instructions and required protective measures


The purpose of the Dugga Learning Assessment service is to make it possible to carry out digital knowledge assessment, predominantly in an educational setting. Data processing in the platform is done in order to make it possible to log in and use the platform in the different ways that follow from the role/s and function/s that a user has. The customer will be able to identify those who administer, create and take exams and assignments as well as the results from those knowledge assessment activities.

Personal data is also used for the purpose of support, technical maintenance and security back-ups.

The data is stored within the EU/EEA.

The data processed consists of the following types of personal data.


Personal data in the platform may consist of:

  • User name, First name, Last name, group affiliation (class/classes/groups), images, mobile phone number.
  • Student’s tests, results and occasionally also grades and feedback from teachers.
  • The user’s email address (when using accounts).
  • Dugga does not require personal numbers or social security numbers but the customer has the possibility to add such information.
  • Processing of certain kinds of personal data according to article 9.1 in the data processing framework may occur depending upon the information that individual users may add.


The processing of data will encompass the following categories/roles


  • Teachers
  • Administrators
  • Students
  • Proctors/Invigilators
  • Study administrators

Specific rules for data processing and the removal of personal data conducted by the processor.


  • Personal data is deleted after the number of years that the controller specifies in writing to Dugga. Such a request for deletion of data shall be submitted to Dugga no later than 90 days prior to the deletion. The controller has the possibility to delete data at any time in the platform.
  • Backup copies are not stored longer than 2 years.

Technical measures to protect personal data.

Dugga has been approved in several revisions on data security conducted by customers, researchers, partners and independent organizations. Technical revisions on data security are conducted on a yearly basis and in accordance with regulations on data security.

Logging of personal data processing and access.

Logging of data includes:

  • Users who have conducted assessment, provided results and grades for individual students and groups of students.
  • Access to such information is provided to teachers, admins and study admins.

Transfer of personal data to third countries.

Transfer of personal data does not occur beyond what is stated under the section “Purpose”.

Other instructions related to the processing of personal data conducted by the processor.

1. To set up remote access to the controller’s system to investigate and solve technical problems; and

2. Publish statistics on the data processing conducted in the platform.

In addition to this processor agreement the processor has the right to provide data to the controller in xml-format only, in the event that the customer agreement expires.

The processor has the right to, during and after the expiration of the agreement, keep, use and analyse metadata/de-identified data for the purpose of scientific research and development. All such data shall be transformed into a mode where no physical person can be identified. Thus no physical person may be traceable or identified in data stored for the aforementioned purposes.



Appendix 2:2


Storage and processing of personal data

The following subcontractors are as of the date of the Processor Agreement used by the Processor, for the purposes set out below. The subcontractors are based in the countries specified below.

Establish remote access to the Controller’s system, for analysis and resolution of technical problems:

Eventful AB (Sweden)
FastDev AB (Sweden)


Storage and processing of personal data:

Microsoft Azure (the Netherlands)
Microsoft Azure (Ireland)
Microsoft Azure (Sweden)

