GDPR Compliance
Our Commitment
KerrOS is a Swedish company. GDPR isn't a checkbox for us — it's how we operate. We apply GDPR-level protections to all users regardless of location. Your data rights don't depend on where you live.
The Six Principles
Everything we do with personal data is guided by the six core principles of the GDPR.
Lawfulness, Fairness, and Transparency
We always have a legal basis for processing your data. We tell you what we collect and why — no hidden agendas, no surprises.
Purpose Limitation
We collect data for specific, stated purposes only. We don't repurpose your data without telling you.
Data Minimization
We only collect what we need. If we don't need it, we don't ask for it.
Accuracy
We keep your data accurate and up to date. You can correct your information at any time.
Storage Limitation
We don't keep your data longer than necessary. See our Privacy Policy for specific retention periods.
Integrity and Confidentiality
We protect your data with strong technical and organizational measures to ensure its security and confidentiality.
Your Rights
Under the GDPR, you have comprehensive rights over your personal data. We respond within 30 days — complex requests may take up to 60 days with notice. All rights are free to exercise.
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | See all personal data we hold about you | Account Settings or dpo@kerros.com |
| Rectification | Fix incorrect data | Account Settings or dpo@kerros.com |
| Erasure | Delete your personal data | Account Settings > Delete Account or dpo@kerros.com |
| Restriction | Limit how we process your data | Email dpo@kerros.com |
| Portability | Get your data in a structured, machine-readable format | Account Settings > Export Data |
| Object | Object to processing based on legitimate interest | Email dpo@kerros.com |
| Withdraw Consent | Revoke consent at any time without affecting prior processing | Account Settings > Privacy |
| Automated Decisions | Not be subject to solely automated decisions | We don't make automated decisions with legal effects |
| Complain | File a complaint with a supervisory authority | IMY (imy.se) or your local authority |
How We Protect Your Data
Technical Measures
- Encryption at rest: AES-256 for all stored data
- Encryption in transit: TLS 1.2+ for all connections
- Application-layer encryption: Additional encryption for secrets and sensitive credentials
- Access logging: Comprehensive audit trails for all data access
- Vulnerability management: Automated scanning and regular security assessments
Organizational Measures
- Role-based access: Minimum privilege principle for all team members
- Training: Regular data protection training for all staff
- Incident response: Documented and tested breach response procedures
- Vendor assessment: GDPR compliance evaluation for all sub-processors
Data Processing
All sub-processors are bound by Data Processing Agreements (DPAs) that meet GDPR requirements. See our Privacy Policy and Data Processing Agreement for full details.
When we add a new sub-processor, we provide 30 days' notice. You can object during that period. If we can't resolve your concern, you can terminate.
For international data transfers, we rely on the EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), and supplementary technical measures to ensure your data is protected regardless of where it is processed.
Data Protection Officer
Our Data Protection Officer can be reached at dpo@kerros.com. We respond within 5 business days.
Supervisory Authority
Our lead supervisory authority is the Swedish Authority for Privacy Protection (IMY).
IMY — Box 8114, 104 20 Stockholm, Sweden — imy.se
If you're in another EU country, you can also contact your local data protection authority. Find yours at edpb.europa.eu.
Breach Notification
In the event of a personal data breach, we notify the relevant supervisory authority within 48 hours and affected users within 72 hours. Our notification includes:
- What happened: Nature of the breach
- What data was affected: Categories and approximate scope
- Our response: Measures taken to address and mitigate the breach
- What you can do: Recommendations to protect yourself
KerrOS Sweden AB
Org. nr 559501-8960
Stockholm, Sweden
Postal address: Kivra: 559501-8960, 106 31 Stockholm
Last updated: March 30, 2026