Record of Processing Activities (RoPA)

Effective Date: October 1, 2024

1. Information on the Processor

Name and Contact Details:

  • Processor: Deskhero AB
  • Address: KIVRA: 559415-4170, 106 31, Stockholm, Sweden
  • Representative: Jimmie Antonsson
  • Email: support@deskhero.com
  • Phone: +46 70 32 789 55


2. Data Protection Officer (DPO)

Name and Contact Details:

  • Name: Klas Karlsson
  • Email: dpo@deskhero.com
  • Phone: +46 70 601 13 22


3. Information on the Controller (Clients)

Deskhero AB provides a Software-as-a-Service (SaaS) platform to Clients (businesses) who use the Service to manage customer support activities. As the Processor, we process Personal Data on behalf of our Clients (Controllers) in accordance with our Data Processing Agreement.


4. Categories of Processing Activities

4.1 Subject Matter of Processing

  • Processing of Personal Data necessary to provide the Service to Clients, including storage, retrieval, communication, and other operations required for the functioning of the Service.

4.2 Nature and Purpose of Processing

  • Purpose: To facilitate customer support interactions between Clients and their Customers through our helpdesk ticketing system.
  • Nature: Collection, storage, organization, retrieval, consultation, use, disclosure by transmission, and deletion of Personal Data.

4.3 Types of Personal Data Processed

  • Client and User Data:
    • Identification data: names, email addresses, phone numbers, job titles.
    • Authentication data: usernames, passwords.
    • Contact information.
    • Billing information: payment details, transaction records.
  • Client’s Customer Data:
    • Contact details: names, email addresses, phone numbers.
    • Communication content: messages, attachments, support tickets.
    • Any other Personal Data provided through the Service.

4.4 Categories of Data Subjects

  • Users: Employees or agents of the Client authorized to use the Service.
  • Client’s Customers: Individuals who interact with the Client through the Service.

4.5 Duration of Processing

  • Personal Data is processed for the duration of the Agreement with the Client and retained as specified in our Data Retention Policy (see Section 6).


5. Transfers to Third Countries or International Organizations

Personal Data may be transferred to countries outside the European Union (EU) or European Economic Area (EEA) as necessary for the provision of the Service. Such transfers are conducted in compliance with Data Protection Laws, utilizing appropriate safeguards:

  • Standard Contractual Clauses (SCCs): Implemented with Sub-Processors located outside the EU/EEA. See DPA for details
  • Adequacy Decisions: Transferring to countries recognized by the European Commission as providing an adequate level of data protection.


6. Data Retention and Deletion

We retain Personal Data only as long as necessary to fulfill the purposes for which it was collected, including for legal, accounting, or reporting requirements.

  • Active Data: Retained for the duration of the Agreement.
  • Backups: Retained for up to one (1) year and deleted as part of our regular backup maintenance process.
  • Deletion Upon Termination: Upon termination of the Agreement, Personal Data will be deleted or anonymized in accordance with our Data Processing Agreement (DPA) and data retention policies.


7. Technical and Organisational Measures (TOM)

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in our Technical and Organisational Measures document

Key measures include:

  • Access Control: Restricted access based on the principle of least privilege.
  • Data Encryption: Encryption of Personal Data in transit and at rest.
  • Network Security: Use of firewalls, intrusion detection systems.
  • Incident Response: Procedures for detecting and responding to security incidents.
  • Employee Training: Regular training on data protection and security practices.


8. Sub-Processors

We engage the following Sub-Processors to assist in the provision of the Service:

Sub-Processor Location Services Provided Data Processed
Amazon Web Services Ireland Hosting and infrastructure services Personal Data stored and processed within the Service
Found by Elastic Ireland Search and analytics services Personal Data processed for search functionality
OpenAI API United States AI-based task automation Temporary processing of data input into AI features
DeepL Germany Translation services Temporary processing of text during translation
GroupDocs.Cloud United States Document text extraction Temporary processing of uploaded documents
Pinecone.io Belgium Vector database for AI content search Storage of content vectors (no readable content)
AttachmentScanner.com United States Virus and malware scanning Temporary processing of uploaded files
Zyte.com United States Web scraping for AI knowledge Temporary processing of scraped web data
TaxJar.com United States Tax compliance and VAT validation Processing of tax-related data
Elmah.io Denmark Error logging and debugging Storage of application error logs
IPinfo.io United States IP address geolocation Temporary processing of IP data
Twilio United States Communication services Processing of phone numbers and communication metadata
Google Tag Manager United States Tag management services Processing of tracking data
Stripe United States Payment processing Processing of payment information
Google Analytics 4 United States Web analytics Processing of anonymized usage data


9. Documentation and Compliance

We maintain records of processing activities as required by Article 30 of the GDPR, including:

  • Purposes of Processing
  • Categories of Data Subjects and Personal Data
  • Categories of Recipients
  • International Transfers
  • Technical and Organisational Measures

These records are available to supervisory authorities upon request.


1

0. Updates to This Document

This Record of Processing Activities may be updated from time to time to reflect changes in our processing operations. We will notify Clients of significant changes as outlined in our Data Processing Agreement.


11. Contact Information

For any questions or concerns regarding our processing activities, please contact our Data Protection Officer (DPO):

  • Name: Klas Karlsson
  • Email: dpo@deskhero.com
  • Phone: +46 70 601 13 22


By using the Service and accepting the Terms and Conditions, you acknowledge that you have reviewed and understood this Record of Processing Activities.