Speudio Data Processing Agreement
Version 1.0 Last updated: 12 June 2026
This Data Processing Agreement ("DPA") is part of the agreement between SK Creations and the Customer for the Speudio service. It governs how SK Creations processes personal data on the Customer's behalf under Article 28 of Regulation (EU) 2016/679 (the "GDPR").
This DPA is written in English. Translations may be provided for convenience; the English version prevails in case of any conflict.
1. Parties, roles, and incorporation
1.1 Parties. This DPA is entered into between:
- SK Creations, a Swedish sole proprietorship (enskild firma), Hagvägen 41, 194 40 Upplands Väsby, Sweden ("Speudio", "we", the "Processor"); and
- the customer that holds a Speudio account under the Speudio Terms of Service (the "Customer", "you", the "Controller").
1.2 Roles. Speudio is a read-only inbox-to-CRM service: it connects to the mailbox you choose via IMAP or OAuth with read-only access, imports your emails and attachments, builds contact profiles from them, and provides AI assistants over that data. The content of your mailbox contains personal data about your correspondents and customers. For that content:
- you are the controller — you decide which mailbox to connect and what the imported data is used for; and
- Speudio is your processor — we process that content only to provide the service to you.
For your own account data (login email, name, hashed password, locale, plan, usage records, security logs) Speudio acts as an independent controller; that processing is described in the Speudio Privacy Policy and is not governed by this DPA.
This DPA is relevant where you use Speudio for business purposes and therefore act as a controller of the imported content. If you use Speudio as a private individual for purely personal correspondence, the GDPR's household exemption (Article 2(2)(c)) typically means you are not a controller — Speudio still protects the imported content exactly as described here, but the controller-processor framework of this DPA does not apply to you.
1.3 Incorporation. This DPA is incorporated into and forms part of the Speudio Terms of Service (the "Agreement"). By using the service to import mailbox content, the Customer instructs Speudio to process that content as described in this DPA. No separate signature is required for the DPA to apply; an executed (signed) copy is available on request via info@speudio.com.
1.4 Controller obligations and rights. As controller of Customer Content, the Customer is responsible for the lawfulness of the processing it instructs. In particular, the Customer warrants that it is entitled to connect the chosen mailbox and to have the personal data it contains processed as described in this DPA, that it has an appropriate lawful basis for that processing, that it provides any information to data subjects required of it as controller, and that its instructions to Speudio comply with applicable data-protection law. The Customer exercises its rights as controller through the documented instructions (Section 3.1), the sub-processor information and objection rights (Section 4.2), the assistance and breach notification rights (Section 6), the export and deletion controls (Section 7), and the information and audit rights (Section 8).
2. Subject matter and details of the processing
The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex A, which forms part of this DPA.
3. Processor obligations
3.1 Documented instructions. Speudio processes Customer Content (as defined in Annex A) only on the Customer's documented instructions, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which Speudio is subject; in that case Speudio will inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
The Customer's documented instructions are:
- (a) the documented functions of the service as made available in the product and described in the in-app documentation — importing the connected mailbox (read-only), deriving contact profiles, generating AI-derived data (captions, embeddings, summaries, suggested questions), search, export, and deletion;
- (b) the Customer's configuration and use of those functions (e.g. which mailbox is connected, which contacts are edited, what is exported or deleted); and
- (c) any further written instructions agreed between the parties.
Speudio will inform the Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection provisions.
3.2 Read-only by design; no use for our own purposes. Speudio accesses the connected mailbox with read-only scope: it never modifies, deletes, or sends mail from the Customer's mailbox. Speudio does not use Customer Content for its own purposes, does not sell it, does not use it to send marketing email to the Customer's contacts, and does not train AI models on it.
3.3 Confidentiality. Speudio ensures that every person authorised to process Customer Content is bound by a contractual or statutory duty of confidentiality. As an operational rule, humans at Speudio do not read Customer email content; the content is processed programmatically (including by the AI features the Customer invokes). Any exceptional human access (e.g. for debugging at the Customer's request) is limited to what is strictly necessary.
3.4 Security (Article 32). Speudio implements and maintains the technical and organisational measures set out in Annex B, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing as well as the risk to the rights and freedoms of natural persons. Speudio may update Annex B from time to time, provided the updates do not materially reduce the overall level of protection.
3.5 Personnel. Speudio ensures that access to Customer Content is limited to personnel who need it to perform under the Agreement.
4. Sub-processors
4.1 General authorisation. The Customer grants Speudio a general written authorisation to engage sub-processors for the processing of Customer Content. The sub-processors currently engaged are listed in Annex C.
4.2 Changes and right to object. Speudio will inform the Customer of any intended addition or replacement of a sub-processor at least 30 days in advance (by email to the account email address and/or by updating the published sub-processor list with notice in the product). The Customer may object on reasonable, data-protection-related grounds within that notice period. If the parties cannot resolve the objection in good faith, the Customer may terminate the Agreement with respect to the affected service and delete or export its data before the change takes effect (see Section 7).
4.3 Flow-down. Speudio imposes on each sub-processor, by contract, data-protection obligations that are in substance the same as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where a sub-processor fails to fulfil its data-protection obligations, Speudio remains fully liable to the Customer for the performance of that sub-processor's obligations.
4.4 Not a sub-processor. The Customer's own mail provider (e.g. Google, Microsoft, or another provider) is the data source the Customer chooses to connect; it processes the mailbox under the Customer's own agreement with that provider and is not a sub-processor of Speudio.
5. International transfers (Chapter V)
5.1 Primary location. Customer Content is hosted in ISO 27001-certified data centres within Europe (see Annex C).
5.2 Transfers outside the EU/EEA. Customer Content is transferred outside the EU/EEA only to the sub-processors listed below. The first is OpenAI (USA), for the AI features of the service (chat assistants, vision captions, embeddings, and web-search sub-calls). This transfer takes place under OpenAI's Data Processing Addendum, which incorporates the European Commission's Standard Contractual Clauses (Article 46(2)(c) GDPR). Under OpenAI's API terms, API data is not used for model training by default and is retained for a maximum of approximately 30 days for abuse monitoring.
Status: OpenAI's Data Processing Addendum was executed between SK Creations and OpenAI Ireland Ltd on 12 June 2026 (incorporating the EU Standard Contractual Clauses).
The second is Cohere (USA/Canada), for search-relevance ranking: when the AI searches Customer Content, the search text and short excerpts of candidate documents are transmitted to Cohere's reranking API. This transfer takes place under Cohere's data-processing terms, which incorporate the EU Standard Contractual Clauses (Article 46(2)(c) GDPR); API data is not used for model training (disabled via Cohere's data controls) and is retained for a maximum of approximately 30 days for abuse monitoring.
In addition, Cloudflare (US-headquartered) stores Speudio's nightly backups in an EU-jurisdiction storage bucket. Every backup is encrypted client-side on Speudio's own server before upload, with a key Cloudflare never has access to, so the backup contents are unreadable to the provider.
5.3 New transfers. Speudio will not transfer Customer Content to any other third country except under a valid Chapter V transfer mechanism and following the sub-processor change procedure in Section 4.2.
6. Assistance to the Controller
6.1 Data-subject requests (Articles 15–22). Taking into account the nature of the processing, Speudio assists the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to data-subject requests. In practice the service is largely self-service for this purpose: the Customer can search, export (full JSON export at Settings → Privacy), rectify (all contact-profile fields are editable in-app at any time), and delete the relevant data directly. If a data subject contacts Speudio directly about Customer Content, Speudio will not respond on the merits but will refer the request to the Customer without undue delay, unless legally required to act otherwise.
6.2 Articles 32–36. Taking into account the nature of the processing and the information available to it, Speudio assists the Customer in ensuring compliance with the Customer's obligations regarding security of processing, breach notification, data-protection impact assessments, and prior consultation with supervisory authorities.
6.3 Personal data breach. Speudio will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Content. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects; information may be provided in phases as it becomes available. Speudio's notification is not an acknowledgement of fault or liability.
7. Deletion and return of data
7.1 During the term. The Customer can export Customer Content at any time (full JSON export at Settings → Privacy → Export my data) and can delete individual data or the entire account at any time.
7.2 On termination — return or deletion at the Customer's choice (Art 28(3)(g)). At the end of the provision of the service, Customer Content is, at the Customer's choice, returned and/or deleted: the return option is exercised through the self-service full JSON export (Section 7.1) at any time before deletion. Upon termination of the service — including the Customer's self-service account deletion at Settings → Privacy → Delete account — Speudio deletes all Customer Content: account deletion executes immediately on confirmation as a hard delete in a single transaction (database records with cascading deletion of related records, plus removal of stored attachment files), completed at most within 24 hours. The Customer is responsible for exporting any data it wishes to keep before deleting the account.
7.3 Residual copies. Speudio does not currently operate backups of Customer Content. If backups are introduced (planned: EU-region object storage), this DPA and the sub-processor list will be updated and versioned first, including the deletion-from-backup cycle, before any backup of Customer Content exists. Security and server logs (which may incidentally reference Customer activity, but not mailbox content) are retained for up to 90 days. Copies held by the sub-processor OpenAI are deleted under its retention terms (maximum approximately 30 days, abuse monitoring only).
7.4 Legal retention. Deletion under this Section applies unless Union or Member State law requires storage of the personal data, in which case Speudio will protect the data from further processing and delete it when the requirement lapses.
8. Audit and demonstration of compliance
8.1 Information. Speudio makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, on written request to info@speudio.com.
8.2 Proportionate audits. Speudio is a small provider; the parties agree that audit rights are exercised in a manner proportionate to that scale. Speudio satisfies audit requests first through written answers, documentation, and available third-party attestations (e.g. the hosting provider's ISO 27001 certification). If the Customer reasonably demonstrates that this is insufficient to verify compliance, the Customer (or a mandated auditor that is not a competitor of Speudio) may conduct an audit, subject to: reasonable advance written notice of at least 30 days, at most one audit per 12-month period (except after a personal data breach or where required by a supervisory authority), during business hours, under confidentiality, without access to other customers' data, and at the Customer's cost.
8.3 Mandatory audit right. Nothing in this Section limits the audit and inspection rights mandated by Article 28(3)(h) GDPR.
9. Liability and order of precedence
9.1 Liability. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent such limitation is not permitted by applicable law. Nothing in this DPA limits a data subject's rights or either party's liability to data subjects under Article 82 GDPR.
9.2 Order of precedence. In case of conflict between this DPA and the Agreement (including the Terms of Service), this DPA prevails with respect to the processing of personal data. In case of conflict between this DPA and the Standard Contractual Clauses or another mandatory transfer mechanism, the transfer mechanism prevails to the extent of the conflict.
9.3 Severability. If any provision of this DPA is held invalid, the remainder stays in effect, and the invalid provision is replaced by a valid one that most closely reflects its intent.
10. Governing law and venue
This DPA is governed by the laws of Sweden, without regard to its conflict-of-laws rules. The courts of Sweden have exclusive jurisdiction over disputes arising out of or in connection with this DPA, without prejudice to mandatory data-subject rights and the competence of supervisory authorities (for Sweden: IMY — Integritetsskyddsmyndigheten, imy.se).
Annex A — Details of the processing (Art 28(3) GDPR)
Subject matter. Processing of the mailbox content the Customer imports into Speudio ("Customer Content") to provide the Speudio service.
Duration. The term of the Agreement — from when the Customer connects a mailbox until the account is terminated or deleted, plus the deletion period in Section 7 (immediate hard delete, completed at most within 24 hours).
Nature and purpose of the processing. Read-only retrieval of emails and attachments from the mailbox the Customer connects (IMAP or OAuth, read-only scope); storage; indexing and search; derivation of CRM contact profiles from the imported correspondence; generation of AI-derived data (image captions, embeddings, summaries, suggested questions) using the sub-processors in Annex C; display to the Customer's authorised users; export; deletion. The service never modifies, deletes, or sends mail from the connected mailbox, and Customer Content is not used to train AI models.
Types of personal data.
- Emails and their metadata (sender/recipient names and addresses, subjects, timestamps, bodies);
- Attachments, including documents and images;
- Derived CRM contact profiles (names, email addresses, organisations, and other profile fields derived from the correspondence or edited by the Customer);
- AI-derived data (captions, embeddings, summaries, suggested questions) generated from the above.
Special categories of data (Article 9 GDPR) are not intentionally processed; they may appear incidentally inside the Customer's mailbox content, which is determined and controlled by the Customer.
Categories of data subjects. The Customer's correspondents — typically the Customer's own customers, suppliers, partners, and other contacts whose emails appear in the connected mailbox — and the Customer's users insofar as their own messages appear in that mailbox.
Plan-related retention during the term. On the Free plan the service keeps a rolling window of the 2,000 most recent emails; paid plans retain full history while the account exists.
Annex B — Technical and organisational measures (Art 32 GDPR)
- Hosting. Customer Content is hosted in ISO 27001-certified data centres within Europe.
- Encryption in transit. All connections — between the user and the service, and between the service and the connected mailbox or sub-processors — use encrypted transport (TLS).
- Least-privilege mailbox access. Mailbox connections use read-only scope; the service cannot modify, delete, or send mail.
- Tenant isolation. Per-user tenancy isolation is enforced server-side: every data access is scoped to the authenticated account.
- Authentication. Passwords are stored only as bcrypt hashes; session cookies are httpOnly; recovery codes are provided for account recovery. Account creation is rate-limited, and administrative account functions are restricted to authorised staff.
- No human content access. As an operational rule, humans do not read Customer email content; processing is programmatic, including AI processing.
- No model training. Customer Content is not used to train AI models, by Speudio or (per its API terms) by the AI sub-processor.
- Deletion. Self-service, immediate hard deletion of the entire account with cascading removal of related records and stored attachment files (Section 7).
- Logging. Security and server logs are retained for up to 90 days to detect and investigate abuse and incidents.
- Confidentiality. Personnel with any access are bound by confidentiality obligations (Section 3.3).
Annex C — Authorised sub-processors
| Sub-processor | Role | Location / transfer mechanism |
|---|---|---|
| one.com (Group.One) | VPS hosting of the service and Customer Content in ISO 27001-certified data centres within Europe; transactional email delivery (send.one.com — password resets, invite links) | EU (no third-country transfer) |
| OpenAI | AI processing: chat assistants, vision captions, embeddings, web-search sub-calls | USA — OpenAI Data Processing Addendum (executed with OpenAI Ireland Ltd, 12 June 2026) incorporating EU Standard Contractual Clauses; API data not used for model training by default; retained max ~30 days for abuse monitoring. |
| Cohere | Search-relevance processing: when the AI searches Customer Content, the search text and short excerpts of candidate documents are sent to Cohere's reranking API to order results by relevance | USA/Canada — Cohere's data-processing terms incorporating the EU Standard Contractual Clauses; API data not used for model training (disabled via Cohere's data controls); retained max ~30 days for abuse monitoring. |
| Cloudflare | Off-site backup storage (R2 object storage, EU-jurisdiction bucket). Every backup is encrypted client-side on Speudio's server (restic) before upload — Cloudflare stores only ciphertext it cannot read | EU bucket; US-headquartered provider — Cloudflare's Data Processing Addendum incorporating the EU Standard Contractual Clauses; contents additionally protected by client-side encryption. |
No other sub-processors are engaged. Speudio uses no analytics, advertising, or tracking vendors. The Customer's own mail provider (Google, Microsoft, or other) is the Customer's chosen data source, not a sub-processor (Section 4.4).
Change log: Cohere (search relevance) and Cloudflare (encrypted backup storage) were added in the July 2026 revision of this list, per the change procedure in Section 4.2.
Signature block
This DPA applies by incorporation into the Terms of Service (Section 1.3). Where a countersigned copy is required:
Processor: [SK Creations — sole proprietorship, reg. no. provided upon execution] Hagvägen 41, 194 40 Upplands Väsby, Sweden Signature: _________________________ Name: _________________________ Date: ____________
Controller (Customer): _________________________________________ Signature: _________________________ Name: _________________________ Date: ____________
SK Creations Hagvägen 41 194 40 Upplands Väsby Sweden info@speudio.com
This document is provided in English as the authoritative version; any translations are for convenience only and the English version prevails.

