Data Processing Agreement
Effective date: May 17, 2026
This Data Processing Agreement applies when Striggo processes personal data on behalf of a Customer as part of providing the Service.
This DPA forms part of the Terms and Conditions between Go Huge AB, company registration number 5590416243, and the Customer.
1. Roles of the parties
For Customer Personal Data, the Customer is the controller and Striggo is the processor, unless otherwise agreed in writing.
The Customer determines the purposes and means of processing Customer Personal Data. Striggo processes Customer Personal Data only on the Customer’s documented instructions, including the Terms, this DPA, the Order Form, and the Customer’s configuration and use of the Service.
2. Definitions
Customer Personal Data means personal data processed by Striggo on behalf of the Customer through the Service.
Applicable Data Protection Laws means the GDPR and any other data protection laws applicable to the processing of Customer Personal Data.
Subprocessor means a third party engaged by Striggo to process Customer Personal Data on behalf of the Customer.
Other terms have the meanings given in the Terms and applicable data protection laws.
3. Processing details
The subject matter, duration, nature, purpose, categories of data subjects, and categories of personal data are described in Annex 1.
4. Customer obligations
The Customer is responsible for:
- having a lawful basis for processing Customer Personal Data;
- providing all required notices to Users and learners;
- ensuring that Customer Personal Data is accurate, lawful, and appropriate;
- ensuring that Customer Content does not include restricted or sensitive data unless expressly agreed in writing;
- responding to data subject requests where the Customer is controller;
- ensuring that its instructions to Striggo comply with Applicable Data Protection Laws.
5. Striggo obligations
Striggo will:
- process Customer Personal Data only on documented instructions from the Customer;
- ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations;
- maintain appropriate technical and organisational security measures;
- assist the Customer with data subject requests where possible and reasonable;
- assist the Customer with security, breach, DPIA, and consultation obligations where required by law and where related to the Service;
- delete or return Customer Personal Data according to this DPA;
- make available information reasonably necessary to demonstrate compliance with this DPA;
- notify the Customer if Striggo believes an instruction infringes Applicable Data Protection Laws.
6. Security measures
Striggo will maintain technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access.
The security measures are described in Annex 2.
7. Subprocessors
The Customer gives Striggo general authorisation to use Subprocessors to provide the Service.
Striggo will maintain a list of Subprocessors at Subprocessors.
Striggo will ensure that Subprocessors are bound by written data protection obligations that provide at least the same level of protection for Customer Personal Data as this DPA, as applicable to the nature of the services provided by the Subprocessor.
Striggo remains responsible for its Subprocessors’ processing of Customer Personal Data.
Striggo may update its Subprocessor list. If Striggo adds or replaces a Subprocessor that processes Customer Personal Data, Striggo will take reasonable steps to notify Customers. The Customer may object on reasonable data protection grounds within 30 days of notice. If the parties cannot resolve the objection, the Customer may terminate the affected Service.
8. International transfers
Striggo will ensure that international transfers of Customer Personal Data are protected by appropriate safeguards, such as adequacy decisions, Standard Contractual Clauses, data processing agreements, and additional safeguards where required.
9. Data subject requests
If Striggo receives a request from a data subject relating to Customer Personal Data, Striggo will, where legally permitted, refer the request to the Customer or notify the Customer.
Striggo will provide reasonable assistance to the Customer in responding to data subject requests, taking into account the nature of the processing and the functionality of the Service.
10. Personal data breaches
Striggo will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
The notice will include available information reasonably required by the Customer to meet its breach notification obligations. Striggo may provide information in phases as it becomes available.
11. DPIAs and consultations
Striggo will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, where required by law and where the assistance relates to Striggo’s processing of Customer Personal Data.
12. Deletion and return
During the subscription, the Customer may request export or deletion of Customer Personal Data by contacting Striggo.
After termination of the subscription, Striggo will delete Customer Personal Data from active systems within 90 days, unless retention is required by law or needed for legal, security, accounting, or dispute purposes.
Backups are overwritten or deleted according to Striggo’s backup cycle, normally within 180 days.
13. Audit and information rights
Striggo will make available information reasonably necessary to demonstrate compliance with this DPA.
The Customer may request an audit no more than once per year unless required by a supervisory authority or following a confirmed personal data breach affecting Customer Personal Data.
Audits must be conducted during normal business hours, with reasonable prior notice, in a way that does not disrupt Striggo’s operations or compromise the security or confidentiality of other customers.
Striggo may satisfy audit requests by providing security documentation, policies, summaries, third-party reports, or written responses.
14. Liability
Liability under this DPA is subject to the limitations of liability in the Terms, unless and to the extent liability cannot be limited under Applicable Data Protection Laws.
15. Order of precedence
If there is a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA will prevail.
Annex 1: Processing description
| Item | Description |
|---|---|
| Subject matter | Provision of Striggo to create, deliver, manage, and follow up practical team training |
| Duration | For the subscription term and any deletion, backup, export, or legal retention period |
| Nature of processing | Hosting, storage, AI-assisted generation, course delivery, email invitations and reminders, learner activity tracking, analytics, support, security, and account administration |
| Purpose of processing | To provide, secure, support, and improve the Service for the Customer |
| Data subjects | Customer administrators, managers, learners, and individuals included in Customer Content |
| Categories of personal data | Name where provided, work email address, company, role, account data, training assignments, progress, completion, quiz answers, scores, timestamps, support data, and any personal data included in Customer Content |
| Special category data | Not intended and prohibited unless expressly agreed in writing |
| Children / minors | Not intended and prohibited unless expressly agreed in writing |
Annex 2: Security measures
Striggo’s security measures include, as applicable:
- hosting and storage with netcup GmbH in Germany / EU;
- access controls for internal systems;
- limited access to Customer Personal Data based on business need;
- encryption in transit where technically supported;
- backup routines;
- logging and monitoring for security and operational purposes;
- confidentiality obligations for personnel and contractors with access to Customer Personal Data;
- vendor review before using relevant service providers;
- incident response routines;
- deletion routines for terminated accounts and Customer Content.
Security measures may be updated from time to time, provided the overall level of protection is not materially reduced.
Annex 3: Subprocessors and service providers
A current list is maintained at Subprocessors.