Safespring: Comprehensive GDPR Protection Beyond Third-Country Transfer

Here we provide an in-depth overview of how our Swedish public cloud platform not only meets the strict requirements of GDPR, but also goes a step further to ensure your company's data protection. With Safespring, you get not just a solution that protects against data transfer to third countries, but a comprehensive strategy that covers more aspects of data protection and security.

External Data Protection Measures

In the context of data protection and GDPR, third-country transfers are often discussed. An entire chapter in the GDPR deals exclusively with the limitations of the possibilities to transfer data, and we have previously developed recommendations for organizations that are still grappling with this issue. But these are not the only requirements for data controllers where processors can help.

Safespring’s obligation as your data processor is to actively assist with your compliance (according to Article 28.3). We are here to make your work easier and more efficient when it comes to meeting data protection requirements. Our cloud platform ensures that you, as data controllers, can always meet the requirements GDPR imposes on you.

We interpret this as a positive obligation to not only implement security measures in our own systems but also to inform about the possibilities our infrastructure offers you to tailor data protection as needed. Below is a list of technical security features that can contribute to higher procedural security, which we either directly provide or can offer good advice on.

Federated Machine Learning

“There is value in having critical infrastructure located in Sweden where we are not dependent on other countries' legislation...“ – Ebba Kreamer, Scaleout



Read Use Case

Internal Data Protection Measures

Internal data protection measures are those that Safespring implements for personal data we ourselves are responsible for. We are a cloud company that operates towards other businesses. Our commercial activity involves personal data to a very limited extent. In production, only usernames and passwords for users on the platform are handled.

Administrative Data Management

In the administrative area, it is mainly in the handling of invoices, personnel administration, through our website, and in certain types of information distribution for marketing purposes that we handle contact details or aggregated statistics.

For all types of accounting actions, we are bound by the Companies Act, the Accounting Act, tax legislation, and guidelines on good auditing practice. Receipts, contracts, invoices (incoming and outgoing), or information on sickness compensation payments are preserved for seven years to accommodate the need for retrospective checks of our accounting. After this period, the information is culled in accordance with our data protection policy for personnel management.

For marketing beyond web analysis, it applies that one interacts with Safespring based on consent or our legitimate interest. This may be, for example, a person on some social media marking themselves as interested in cloud services and therefore, as a result, assumed by us to be interested in Safespring even if they have not personally contacted our CMO. In other cases, we receive contact details when people sign up for events and seminars.

For web analytics, we collect aggregated data handled via a local tool (Matomo) after a person visiting our website has indicated that they agree to such data collection. Further information is available on our website.