Safespring is a Swedish cloud infrastructure provider, proudly Swedish owned and operated.
We deliver Public Cloud and Private Cloud services for organisations that require secure, reliable, and high-performance infrastructure. Safespring operates through legal entities in Sweden and Norway and provides services from data centres located within these jurisdictions.
This Privacy Policy describes how Safespring (“we”, “us”, “our”) processes personal data in accordance with:
- General Data Protection Regulation (“GDPR”)
- ePrivacy Directive
- Digital Services Act
- ISO/IEC 27001
1. Data Controller
Safespring AB
559075-0245
Rättarvägen 3, 169 68 Solna
Sweden
For privacy-related matters, including the exercise of data subject rights, you may contact us at gdpr@safespring.com
2. Your Rights Under GDPR
Under the GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectification (Art. 16)
- Erasure (“right to be forgotten”) (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your national supervisory authority
Contact information
Local Authorities
Sweden
Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)
website: https://www.imy.se/
Norway
Norwegian Data Protection Authority (Datatilsynet)
website: https://www.datatilsynet.no/
Denmark
Danish Data Protection Agency (Datatilsynet)
website: https://www.datatilsynet.dk/english
Finland
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
website: https://tietosuoja.fi/en/home
3. Categories of Data Subjects
We may process personal data relating to:
- Website visitors
- Business contacts
- Job applicants
- Authorized Users of our services
4. Website Privacy
4.1 Purpose of Processing
We process website data for:
- Website functionality and security
- Analytics and performance monitoring
- Campaign effectiveness tracking
- Improvement of user experience
4.2 Categories of Personal Data
We may process:
- IP address (anonymised where technically feasible)
- Device and browser metadata
- Date/time and session data
- Page views and interaction data
- Referrer URLs
- Marketing parameters
- Download/click behaviour
- Error logs
- Session interaction data (if applicable) Where possible, IP addresses are truncated or anonymised immediately upon collection.
4.3 Legal Basis (GDPR Art. 6)
We rely on:
- Art. 6(1)(f) — Legitimate interest (analytics, security monitoring)
- Art. 6(1)(a) — Consent (where required for non-essential cookies or tracking) A documented Legitimate Interest Assessment (LIA) is maintained where required.
4.4 Retention
- Raw analytics and log data: maximum 12 months
Retention periods are defined in accordance with ISO 27001 control requirements for information lifecycle management.
4.5 Cookies and Similar Technologies
We use cookies and similar technologies in compliance with the ePrivacy Directive and GDPR. Cookies may include:
- Strictly necessary cookies
- Functional cookies
- Analytics technologies
- Consent management cookies (read more about our cookies in the Cookies setting)
Where legally required, we obtain prior consent before placing non-essential cookies.
5. Business Contact Data
5.1 Purpose of Processing
We process business contact data for:
- Commercial discussions
- Contract fulfilment
- Customer relationship management
- Surveys and feedback
5.2 Categories of Personal Data
- Name
- Business email
- Business phone
- Title
- Organisation
- Professional profile links
5.3 Legal Basis
- Art. 6(1)(f) — Legitimate interest (B2B communication)
- Art. 6(1)(b) — Contract performance
- Art. 6(1)(a) — Consent (surveys/newsletters)
5.4 Retention
- Personal data is retained for the duration of the active business relationship, and thereafter in accordance with applicable legal retention obligations or until consent is withdrawn.
6. Recruitment
6.1 Purpose of Processing
Processing job applications and candidate evaluation.
6.2 Categories of Personal Data
- Contact details
- CV and application documents
- Assessment notes
6.3 Legal Basis
- Art. 6(1)(a) — Consent
- Art. 6(1)(b) — Pre-contractual steps
6.4 Retention
- During active recruitment
- Up to 12 months for candidate pooling (unless consent withdrawn)
6.5. Processors and International Transfers
We use subprocessors for specific services.
| Name of Subprocessor | Location of Processing | Description of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| LinkedIn – Recruitment | USA, EU operations in Ireland | Used to link candidate CVs to ATS | USA | LinkedIn DPA |
| Hailey HR | Finland, Sweden | ATS used to evaluate candidates | Sweden | Hailey HR DPA |
Where personal data is transferred outside the EU/EEA, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other legally recognised safeguards.
Records of processing activities (ROPA) are maintained in accordance with GDPR Art. 30.
7. Authorized Users of our services
7.1 Purpose
To deliver contracted services, including.
- Provide and manage access to our systems and services
- Ensure security and compliance with internal policies
- Monitor and audit usage to prevent unauthorised access or misuse
7.2 Categories of Personal Data
- IP addresses
- Usernames
- Business Emails
- Business Phone
7.3 Legal Basis
- Art. 6(1)(a) - Consent
- Art. 6(1)(b) - Contractual Necessity
- Art. 6(1)(c) - Legal Obligation
7.4 Retention
- Duration of engagement period
- Duration of engagement plus 7 years for financial reporting
7.5 Processors and International Transfers
We use subprocessors for specific services.
| Name of Subprocessor | Location of Processing | Description of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Atlassian (JIRA) | Global | Ticketing System | USA | Atlassian DPA |
| NextCloud | Sweden | File workspace and storage | Germany | NextCloud Privacy |
| Runbox | Norway | Email Communication | Norway | Runbox Privacy |
| IssTech AB | Sweden | Backup Administration and Support | Sweden | Stored Internally |
Optional Use of Shared Slack Workspace
We may offer access to a shared workspace in Slack as an optional way to communicate.
Use of Slack is voluntary and based on your consent. It is not required to receive our services, which are available through other communication channels.
By using the shared Slack workspace, you understand that messages may be visible to other authorised participants and are handled through a third-party platform under its own terms and privacy practices.
8. Information Security Measures
In accordance with ISO/IEC 27001, we maintain an Information Security Management System (ISMS) and apply appropriate technical and organisational measures, including:
- Risk assessment and risk treatment processes
- Access control based on least privilege
- Encryption in transit (TLS)
- Encryption at rest where appropriate
- Logging and monitoring
- Supplier security assessments
- Incident response procedures
- Business continuity planning
- Regular internal audits and management reviews Personal data protection is integrated into our security governance framework.
9. Automated Decision-Making
We do not engage in automated decision-making or profiling within the meaning of GDPR Art. 22, unless explicitly stated and legally permitted.
10. Third-Party Websites
Our website may contain links to third-party websites. When you leave our site, their privacy policies apply. We are not responsible for their data processing practices.
11. Contact Us
If you have any questions about your rights, please feel free to contact us at gdpr@safespring.com
