Data Processing Agreement (DPA)

Last updated: December 2025

This Data Processing Agreement (“DPA”) forms part of and is subject to the main service agreement and/or Terms of Service (the “Agreement”) between:

  • Ampliro AB, reg. no. 559488-1517, Warfvinges väg 31, 112 51 Stockholm, Sweden, acting on behalf of and as provider of the Diplino platform available at diplino.com (“Diplino”, the “Service”, the Processor), and
  • The customer identified in the Agreement (the Controller).

This DPA sets out the terms under which Ampliro processes Personal Data on behalf of the Controller in connection with the provision of Diplino certificate and credential management services.

In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall prevail to the extent of such conflict.


1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined in this DPA shall have the meaning given to them in the Agreement or under applicable Data Protection Laws.

  • “Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”), the UK GDPR, and any national implementing legislation.

  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data.

  • “Processor” means the entity that processes Personal Data on behalf of the Controller.

  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).

  • “Processing”, “Data Subject”, “Personal Data Breach”, “Supervisory Authority”, “Sub-processor”, “Third Country” and other capitalised terms shall have the meaning given to them in the GDPR.

  • “Services” means the Diplino certificate and credential management services provided by Ampliro to the Controller under the Agreement.


2. Roles of the Parties

2.1 Controller and Processor
For the Processing of Personal Data described in this DPA, the Controller is the “controller” and Ampliro is the “processor” within the meaning of Applicable Data Protection Laws.

2.2 Independent Controller Activities
The Controller acknowledges that Ampliro may process certain Personal Data as an independent controller for its own legitimate purposes, such as billing and invoicing, compliance with legal obligations, maintaining security logs, fraud prevention, and service analytics as described in Ampliro’s/Diplino’s Privacy Policy. Such processing is outside the scope of this DPA and governed by the applicable privacy notices.


3. Subject Matter, Nature, Purpose and Duration of Processing

3.1 Subject Matter
Ampliro will process Personal Data on behalf of the Controller in connection with the provision of the Diplino Services, including the creation, management, storage, and verification of digital certificates and credentials.

3.2 Nature and Purpose of Processing
The Processing activities include, as necessary to provide and support the Services:

  • Generating, issuing and managing digital certificates and credentials;
  • Storing and managing participant and recipient information;
  • Providing certificate verification and validation functionality;
  • Managing user accounts and roles (e.g., administrators, instructors, issuers);
  • Sending email notifications related to certificates and the Service (e.g., issuance, updates, or reminders);
  • Providing support, maintenance, troubleshooting and security monitoring;
  • Hosting, backup, logging and technical operations required to deliver the Service.

3.3 Duration of Processing
The Processing shall commence on the Effective Date of the Agreement and continue for as long as Ampliro provides the Services to the Controller and for any retention period required or permitted under the Agreement or Applicable Data Protection Laws. Upon termination or expiry of the Agreement, Processing will cease and Personal Data will be deleted or returned in accordance with Section 13 of this DPA.


4. Categories of Data Subjects and Types of Personal Data

4.1 Categories of Data Subjects
The Personal Data processed by Ampliro on behalf of the Controller may relate to the following categories of Data Subjects:

  • Certificate recipients (e.g., course participants, learners, employees, contractors) whose certificates are issued by the Controller via Diplino;
  • Users of the Controller’s Diplino organisation (e.g., administrators, instructors, issuers);
  • Other individuals whose information may appear on certificates or within metadata, as determined by the Controller.

4.2 Types of Personal Data
The Personal Data processed may include, but is not limited to:

  • Identification and contact details:
    • Name, email address (optional depending on Controller’s configuration);
  • Professional information:
    • Company/organisation name, department, job title or role;
  • Certificate and credential data:
    • Certificate details (e.g., course name, completion status, issue date, expiry date, unique certificate identifiers);
    • Verification and validation data (e.g., cryptographic signatures, hashes, verification logs);
  • Account and usage data:
    • User role within the Controller’s Diplino organisation (e.g., admin, instructor);
    • User IDs, login timestamps and activity logs within the Service;
  • Technical and security data:
    • IP address, browser type, approximate location (based on IP), security logs, and audit logs relating to access and changes.

The Controller undertakes not to intentionally submit any special categories of Personal Data (Article 9 GDPR) or Personal Data relating to criminal convictions and offences (Article 10 GDPR) into the Service, unless explicitly agreed in writing with Ampliro and subject to additional safeguards.


5. Processor’s Obligations

Ampliro, acting as Processor, shall:

5.1 Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a Third Country, unless required to do so by EU or Member State law or other Applicable Data Protection Laws. In such case, Ampliro shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information.

5.2 Confidentiality
Ensure that persons authorised to process Personal Data have committed themselves to appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

5.3 Security of Processing
Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Section 9 and Annex 1 – Technical and Organisational Measures.

5.4 Assistance with Data Subject Rights
Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Laws (see Section 11).

5.5 Assistance with Compliance
Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (or equivalent provisions under other Applicable Data Protection Laws), taking into account the nature of Processing and the information available to Ampliro, including in relation to security, data protection impact assessments, and consultations with supervisory authorities.

5.6 Records and Information
Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws, and allow for and contribute to audits and inspections as described in Section 12.

5.7 Data Deletion and Return
Upon termination or expiry of the Services, delete or return all Personal Data processed on behalf of the Controller in accordance with Section 13, unless retention is required by Applicable Data Protection Laws.


6. Controller’s Obligations

The Controller shall:

  • Ensure that it has a valid legal basis for the Processing of Personal Data and for the engagement of Ampliro as Processor in accordance with Applicable Data Protection Laws;
  • Ensure that all necessary privacy notices have been provided to Data Subjects and, where required, consents have been obtained;
  • Not instruct Ampliro to process Personal Data in a manner that would violate Applicable Data Protection Laws;
  • Be responsible for the accuracy, quality and lawfulness of Personal Data provided to Ampliro and for how the Controller chooses to use the Services.


7. Sub-processors

7.1 Authorised Sub-processors
The Controller grants Ampliro a general authorisation to engage Sub-processors for the Processing of Personal Data on behalf of the Controller, provided that Ampliro:

  • Ensures that each Sub-processor is bound by written data protection obligations that are no less protective than those set out in this DPA; and
  • Remains fully liable to the Controller for the performance of the Sub-processor’s obligations.

7.2 Current Sub-processors
The current list of Sub-processors used in connection with the Services is available at:

This list may be updated from time to time.

7.3 Changes to Sub-processors
Ampliro will provide notice of any intended changes to Sub-processors (for example, by updating the Sub-processor list and/or via the Service or email). The Controller may object to such changes on reasonable data protection grounds. If the Controller reasonably objects and the parties cannot reach a mutually acceptable solution, the Controller may terminate the affected Services in accordance with the Agreement.


8. International Data Transfers

8.1 Transfers
To the extent Ampliro or its Sub-processors transfer Personal Data from the EEA, the UK or Switzerland to a Third Country, such transfer shall be made in compliance with Applicable Data Protection Laws, including, where relevant:

  • The use of the European Commission’s Standard Contractual Clauses (SCCs) for the transfer of Personal Data to Third Countries; and/or
  • Any equivalent or replacement transfer mechanism recognised under Applicable Data Protection Laws (e.g., the UK International Data Transfer Addendum).

8.2 Further Assurances
Ampliro shall, upon written request, provide the Controller with information about the transfer mechanisms in place for relevant transfer scenarios and, where necessary, enter into appropriate supplementary agreements and safeguards.


9. Security Measures

Ampliro shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of Processing, and the risks of varying likelihood and severity for the rights and freedoms of Data Subjects. These measures include, but are not limited to, those described in Annex 1 – Technical and Organisational Measures, and may include:

  • Encryption of data at rest and in transit (e.g., TLS 1.3 for data in transit);
  • Use of robust cryptographic signatures (e.g., Ed25519) for certificate integrity and verification;
  • Access controls, authentication and least-privilege principles for staff and system components;
  • Regular security monitoring, logging and auditing of access to Personal Data;
  • Secure software development and deployment practices.

Ampliro may update its technical and organisational measures from time to time, provided that such updates do not materially reduce the overall level of protection.


10. Data Breach Notification

In the event of a Personal Data Breach affecting Personal Data processed on behalf of the Controller, Ampliro shall:

  • Notify the Controller without undue delay after becoming aware of the Personal Data Breach and, where feasible, no later than 72 hours; and
  • Provide information reasonably available to Ampliro about:
    • The nature of the Personal Data Breach;
    • The categories and approximate number of Data Subjects and Personal Data records concerned;
    • The likely consequences of the Personal Data Breach;
    • The measures taken or proposed to be taken to address the Personal Data Breach and mitigate possible adverse effects.

Ampliro shall cooperate with the Controller and take reasonable steps to assist the Controller in meeting any obligations to notify supervisory authorities or Data Subjects under Applicable Data Protection Laws.


11. Data Subject Rights

Taking into account the nature of the Processing, Ampliro shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising Data Subject rights, including:

  • Right of access (Article 15 GDPR);
  • Right to rectification (Article 16 GDPR);
  • Right to erasure (Article 17 GDPR);
  • Right to restriction of processing (Article 18 GDPR);
  • Right to data portability (Article 20 GDPR);
  • Right to object (Article 21 GDPR).

If a Data Subject contacts Ampliro directly with a request related to Personal Data processed under this DPA, Ampliro will, to the extent permitted by law, inform the Data Subject that the request should be addressed to the relevant Controller and promptly forward such request to the Controller.


12. Audit and Inspection Rights

12.1 Documentation and Information
Ampliro shall make available to the Controller information reasonably necessary to demonstrate compliance with its obligations under this DPA and Applicable Data Protection Laws, which may include:

  • Documentation describing relevant technical and organisational measures;
  • Standard security documentation and/or third-party attestations (if available).

12.2 Audits
Where such documentation is not sufficient to demonstrate compliance, the Controller may, at its own cost and subject to reasonable notice (at least 30 days), conduct or mandate an audit, including inspections, of Ampliro’s facilities, systems and relevant documentation, limited to what is necessary to verify Ampliro’s compliance with this DPA. Any audit shall:

  • Be conducted during normal business hours;
  • Not unreasonably interfere with Ampliro’s operations;
  • Be subject to appropriate confidentiality obligations;
  • Be limited to once every 12 months unless Applicable Data Protection Laws require more frequent audits following a Personal Data Breach or under specific supervisory authority requirements.


13. Deletion and Return of Personal Data

13.1 Upon Termination
Upon termination or expiry of the Agreement, or upon the Controller’s written request, Ampliro shall:

  • Delete or anonymise Personal Data processed on behalf of the Controller; or
  • Return Personal Data to the Controller in a commonly used electronic format, if so requested and technically feasible,

unless Ampliro is required by Applicable Data Protection Laws to retain some or all of the Personal Data for a longer period (for example, for legal, tax or accounting purposes).

13.2 Backups and Logs
Personal Data stored in backups or archived logs will be securely protected and, where feasible, overwritten or deleted in accordance with Ampliro’s standard backup and retention cycles.

13.3 Aggregated and Anonymised Data
Nothing in this DPA shall prevent Ampliro from retaining or using anonymised or aggregated data that cannot be used to identify an individual, in accordance with Applicable Data Protection Laws.


14. Miscellaneous

14.1 Limitation of Liability
Any limitations of liability agreed between the parties in the Agreement shall apply also to this DPA, to the extent permitted by Applicable Data Protection Laws.

14.2 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.3 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction stated in the Agreement, except where otherwise required by Applicable Data Protection Laws.


15. Contact

For data protection and privacy-related inquiries concerning this DPA or the processing of Personal Data by Ampliro in connection with Diplino, the Controller may contact:

  • Email: privacy@diplino.com
  • Postal Address:
    Ampliro AB
    Attn: Privacy / Diplino
    Warfvinges väg 31
    112 51 Stockholm
    Sweden


Annex 1 – Technical and Organisational Measures

Without prejudice to Ampliro’s obligation to implement appropriate measures under Article 32 GDPR and other Applicable Data Protection Laws, the following measures illustrate key safeguards implemented in relation to the Diplino Service:

  1. Encryption and Cryptography

    • Encryption of data in transit using industry-standard protocols (e.g., TLS 1.3 or equivalent).
    • Encryption of data at rest in underlying databases and storage systems.
    • Use of robust cryptographic signatures (e.g., Ed25519) for the signing and verification of certificates, ensuring integrity and authenticity.
  2. Access Control and Identity Management

    • Role-based access control (RBAC) within the Service to restrict access to Personal Data based on user roles (e.g., admin, instructor).
    • Strong authentication mechanisms for administrative access.
    • Principle of least privilege applied to internal staff and systems accessing Personal Data.
  3. Network and Infrastructure Security

    • Use of secure cloud infrastructure and network segmentation where appropriate.
    • Firewalls, security groups and similar network controls to protect production systems.
    • Regular application of security patches and updates.
  4. Logging, Monitoring and Audit

    • Audit logging of user activities and access relating to certificates and Personal Data.
    • Centralised logging and monitoring of infrastructure events for anomaly detection and incident response.
    • Retention of audit logs in line with security and compliance needs.
  5. Development and Change Management

    • Secure software development practices, including code review, version control and testing.
    • Controlled deployment processes with restricted access to production environments.
    • Separation of development, staging and production environments.
  6. Organisational Measures and Training

    • Confidentiality obligations for employees and contractors with access to Personal Data.
    • Staff training and awareness on data protection and information security practices.
    • Internal policies regarding data protection, retention, and incident response.
  7. Business Continuity and Backup

    • Regular data backups and tested restore procedures to ensure availability and integrity of the Service.
    • Business continuity and disaster recovery plans for critical systems.
  8. Risk Management and Reviews

    • Periodic assessments of security risks and privacy risks related to the Service.
    • Review and improvement of security controls in light of new risks, industry practices and legal requirements.

Ampliro may update or refine these measures over time, provided that such changes do not result in a material reduction of the overall level of security.