Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (the "DPA") forms an integral part of the Terms of Service (the "Agreement") between Strife AB, company registration number 559295-1114, with registered address Larmgatan 5, 392 32 Kalmar, Sweden ("Strife", the "Processor"), and the customer that has entered into the Agreement (the "Customer", the "Controller").
By accepting the Agreement, the Customer also accepts this DPA. The DPA is incorporated by reference into the Agreement and applies to all processing of Personal Data that Strife carries out on behalf of the Customer in connection with the Strife Service.
1. Purpose and scope
This DPA governs Strife's processing of Personal Data on behalf of the Customer in its role as Data Processor under Regulation (EU) 2016/679 (the "GDPR") and the Swedish Data Protection Act (Dataskyddslagen 2018:218). Its purpose is to ensure that the Customer can rely on Strife for processing of Personal Data in accordance with applicable data protection law.
Where Strife processes Personal Data about the Customer's own representatives, visitors to strife.app, prospects, suppliers, and job applicants for its own business purposes, Strife acts as Data Controller. That processing is governed by Strife's Privacy Policy and not by this DPA.
2. Definitions
Terms used in this DPA that are defined in the GDPR have the meanings given in the GDPR, including "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", and "Supervisory Authority". Other capitalised terms have the meanings given in the Agreement.
3. Subject matter and duration
The subject matter of the processing is the provision of the Strife Service to the Customer. Processing continues for as long as the Agreement is in force and for the limited post-termination periods set out in Section 11 below.
4. Nature and purpose of processing
Strife processes Personal Data solely for the purpose of providing the Strife Service to the Customer and fulfilling its obligations under the Agreement. Further details of the processing are set out in Annex I.
5. Customer's obligations
The Customer warrants and undertakes that:
(a) it has a valid legal basis under the GDPR for the processing it instructs Strife to carry out;
(b) its instructions to Strife comply with applicable law, including the GDPR;
(c) it has fulfilled its information obligations to Data Subjects under Articles 13 and 14 GDPR; and
(d) it is responsible for the accuracy, quality, and lawfulness of the Personal Data it transfers to or generates in the Strife Service.
6. Strife's obligations as Data Processor
6.1 Documented instructions
Strife will process Personal Data only on the Customer's documented instructions. The Agreement, this DPA, and the Customer's use of the Strife Service in accordance with the Strife Documentation constitute the Customer's documented instructions. Strife will notify the Customer if it receives an instruction that, in its opinion, infringes applicable data protection law, unless prohibited by law from doing so.
6.2 Confidentiality of personnel
Strife will ensure that persons authorised to process Personal Data are bound by confidentiality obligations. Access to Personal Data is limited to personnel who need access to perform their work.
6.3 Security
Strife will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, and the risk to Data Subjects. These measures are described in Annex II and may be updated by Strife from time to time, provided the level of protection is not reduced.
6.4 Assistance with Data Subject rights
Strife will, taking into account the nature of the processing, assist the Customer with appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to requests for exercising the rights of Data Subjects set out in Chapter III GDPR. If a Data Subject contacts Strife directly, Strife will promptly forward the request to the Customer and will not respond to the Data Subject except as instructed by the Customer or required by law.
6.5 Assistance with Controller obligations
Strife will assist the Customer in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to Strife. This includes assistance with security of processing, notification of personal data breaches, communication of personal data breaches to Data Subjects, data protection impact assessments, and prior consultation.
6.6 Personal data breach
Strife will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting Personal Data processed on behalf of the Customer. The notification will include the information described in Article 33(3) GDPR, to the extent such information is known to Strife at the time of notification. Strife will cooperate with the Customer and provide further information as it becomes available.
6.7 Return or deletion of data
Upon termination of the Agreement, Strife will, at the Customer's choice, return or delete all Personal Data processed on behalf of the Customer, in accordance with Section 16.5 of the Agreement. Strife may retain Personal Data to the extent required by applicable law, and only for the period and for the purposes required by that law.
6.8 Compliance information and audits
Strife will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to the following:
(a) the Customer will bear the cost of the audit;
(b) audits will be conducted no more than once per calendar year, unless a Personal Data breach or a supervisory authority action gives reasonable cause for more frequent audits;
(c) audits will be conducted during normal business hours, with at least 30 days' prior written notice, and in a manner that minimises disruption to Strife's business;
(d) the Customer and its auditors will be bound by confidentiality obligations at least as strict as those in the Agreement; and
(e) Strife may, as an alternative to on-site inspection, provide the Customer with the most recent independent third-party audit reports (such as ISO 27001, SOC 2, or equivalent) and responses to a reasonable data protection questionnaire.
7. Sub-processors
7.1 General authorisation
The Customer grants Strife general authorisation to engage Sub-processors for the purpose of providing the Strife Service. A current list of authorised Sub-processors is published at https://strife.app/en/sub-processors and is also set out in Annex III to this DPA.
7.2 Notification of changes
Strife will notify the Customer at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor. The Customer may object to such changes on reasonable data protection grounds within 14 days of notification. If the parties cannot agree on a resolution, the Customer may terminate the Agreement, and Strife will refund any prepaid fees for the unused portion of the subscription period.
7.3 Sub-processor contracts
Strife will impose the same data protection obligations on its Sub-processors as are imposed on Strife under this DPA, by way of a written agreement. Strife remains fully liable to the Customer for the performance of its Sub-processors' obligations.
7.4 Conditional sub-processors
Certain Sub-processors are engaged only in specific circumstances. Anthropic PBC is engaged only when the Customer has enabled Strife Intelligence. A dedicated self-hosted database cluster on Hetzner is engaged only when the Customer has opted, on a case-by-case basis, for that configuration. These conditions are reflected in Annex III.
8. International transfers
Strife primarily processes Personal Data within the European Union and the European Economic Area. Where Strife, or a Sub-processor engaged by Strife, transfers Personal Data to a country outside the EU/EEA, Strife ensures that the transfer is carried out on the basis of one of the transfer mechanisms permitted under Chapter V GDPR.
For transfers to the United States (including the transfer of Customer Content to Anthropic PBC when Strife Intelligence is enabled), Strife relies on the European Commission's Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 of 4 June 2021, in the version and module applicable to the transfer, together with any supplementary safeguards required following the Schrems II judgment. Strife has executed the Standard Contractual Clauses with the relevant Sub-processors and will provide copies to the Customer upon reasonable request.
For transfers involving personnel of RavenDB Ltd (Israel), Strife relies on the European Commission's adequacy decision for Israel, which is currently in force.
9. Deletion of data
Upon termination of the Agreement, the Customer may export Customer Content containing Personal Data in machine-readable format during the 30-day post-termination export window described in Section 16.5 of the Agreement. After that window, Strife will delete all such Personal Data within a further 60 days, except where retention is required by applicable law.
10. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
11. Termination
This DPA remains in force for as long as Strife processes Personal Data on behalf of the Customer under the Agreement. Termination of the Agreement terminates this DPA. Sections of this DPA that by their nature are intended to survive termination (including obligations relating to confidentiality, deletion, and liability) will continue to apply.
12. Order of precedence
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses prevail.
13. Governing law and jurisdiction
This DPA is governed by the laws of Sweden. Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of Kalmar tingsrätt, as set out in Section 20 of the Agreement.
Annex I: Details of processing
Annex II: Technical and organisational measures