Data Processing Agreement
BeMyWords
Skiwo AS · Pilestredet 17, 0164 Oslo, Norway · privacy@skiwo.com
Effective date: 2026-04-24
This Data Processing Agreement ("DPA") supplements the Terms of Use and governs the processing of personal data by Skiwo AS ("Processor") on behalf of BeMyWords business customers ("Controller") when the Controller's workspace content contains personal data of the Controller's end-users or employees.
This DPA forms part of the agreement between Skiwo AS and the Controller. By accepting the Terms of Use and creating a paid workspace, the Controller is deemed to have accepted this DPA.
1. Scope
This DPA applies when the Controller uses BeMyWords to store or process source strings, translations, translation memory, comments, screenshots, or other workspace content that contains personal data of the Controller's end-users, employees, or contractors.
For processing of the Controller's own account data (e.g. login credentials of workspace members, billing data, usage telemetry), Skiwo AS acts as an independent controller — see the Privacy Policy. This DPA does not govern that processing.
2. Roles
| Role | Party | Responsibilities |
|---|---|---|
| Controller | The Controller | Determines purposes and means of processing; obtains any necessary consents from data subjects; ensures lawful basis for making personal data available to the Processor. |
| Processor | Skiwo AS | Processes personal data only on the Controller's documented instructions, as set out in this DPA, the Terms of Use, and the Controller's explicit instructions via the Service. |
3. Subject Matter and Purpose
The Processor processes personal data solely to provide the Service as described in the Terms of Use — specifically: storing workspace content, routing source strings to MT sub-processors when the Controller invokes MT features, serving translations via API and integrations, and providing editor, review, memory, and workflow features.
4. Duration
This DPA remains in effect for the duration of the Controller's subscription to the Service, plus any post-termination data-retention period described in Section 10.
5. Categories of Data Subjects and Personal Data
The personal data processed under this DPA is determined by what the Controller chooses to include in workspace content. Typically this may include:
- Categories of data subjects: the Controller's end-users, employees, contractors, or any natural persons referenced in the Controller's source strings or translations.
- Categories of personal data: names, email addresses, phone numbers, addresses, or other identifiers embedded in translatable content; contextual data in screenshots.
The Processor does not require special categories of personal data (GDPR Art. 9) for operation of the Service. The Controller is responsible for not uploading such data except where strictly necessary and with appropriate safeguards.
6. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller (this DPA, the Terms of Use, and Controller actions within the Service).
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (see Section 8).
- Assist the Controller, insofar as possible, in responding to data-subject requests (access, rectification, erasure, portability, objection).
- Assist the Controller with data protection impact assessments and prior consultations where required.
- Delete or return personal data upon termination, subject to Section 10.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow audits under the terms of Section 12.
- Notify the Controller without undue delay of any personal data breach affecting the Controller's data (see Section 9).
7. Sub-processors
The Processor uses sub-processors to deliver the Service. The current list is maintained at Sub-processor List.
The Controller provides general authorisation for the Processor to engage sub-processors, subject to:
- The Processor entering into a written agreement with each sub-processor imposing data protection obligations substantially equivalent to this DPA.
- Notifying the Controller at least 30 days before adding or replacing any sub-processor. The Controller may object to a proposed change within that period; if the objection cannot be resolved, the Controller may terminate the subscription.
The Processor remains fully liable to the Controller for the performance of its sub-processors' obligations.
8. Security Measures
The Processor implements:
- Encryption of personal data in transit (TLS 1.2+)
- Encryption at rest
- Role-based access controls with principle-of-least-privilege enforcement
- Audit logging of access to Controller data
- Regular security reviews and vulnerability management
- Incident response procedures
- Staff training on data protection and security
- 2FA for administrative access
Specific technical and organisational measures are described in the Security documentation (when published). The Processor will keep these measures current with industry practice; the overall level of protection shall not decrease.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting the Controller's data. The notification shall include, to the extent known:
- The nature of the breach, including categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
The Processor shall provide reasonable assistance to the Controller in the Controller's own notification obligations to supervisory authorities and data subjects under GDPR Art. 33–34.
10. Deletion and Return of Data
Upon termination of the Controller's subscription:
- The Controller may export workspace content via the Service's data-export feature for a period of 30 days following termination.
- After 30 days, all personal data in the workspace is permanently deleted from production systems. Backups containing the data are purged according to the Processor's backup retention schedule (currently 30 days), after which no copies remain in the Processor's systems.
- Records required to be retained for legal compliance (e.g. billing records under the Norwegian Bookkeeping Act) are retained for the minimum period required and then deleted.
The Processor will, on the Controller's written request, provide confirmation of deletion.
11. International Transfers
Personal data processed under this DPA is stored within the European Economic Area (hosting at Heroku in EEA regions; transactional email via AWS SES in eu-central-1). Some sub-processors may process data outside the EEA; such transfers rely on appropriate safeguards under Chapter V of the GDPR, including Standard Contractual Clauses where applicable. Details are listed in the Sub-processor List.
12. Audit Rights
The Controller may, once per calendar year at its own expense, audit the Processor's compliance with this DPA, subject to:
- 30 days' prior written notice
- A mutually agreed scope and schedule that does not unreasonably disrupt the Processor's operations
- The auditor signing confidentiality undertakings
- The Processor's right to satisfy audit requests by providing its current security documentation and any third-party audit reports it holds
A specific incident giving rise to reasonable concern may trigger an additional audit without the once-per-year limit.
13. Limitation of Liability
The liability provisions in the Terms of Use apply to this DPA.
14. Governing Law
This DPA is governed by Norwegian law. Disputes shall be subject to the exclusive jurisdiction of Oslo District Court.
15. Contact
For matters arising under this DPA:
privacy@skiwo.com
Skiwo AS
Pilestredet 17, 0164 Oslo, Norway