This is an English translation provided for convenience. The Danish version is the legally binding original — Danish text prevails in case of conflict.
GDPR · Article 28(3)

Data Processing Agreement

Pursuant to the General Data Protection Regulation for the processor's processing of personal data on behalf of the data controller.

Version 2.0 · Effective April 3, 2026 · VAT/CVR 39493691
Data processor
Firma360 ApS
VAT/CVR 39493691
Vandtårnsvej 106B, 2860 Søborg
dba@firma360.dk
firma360.dk

hereinafter referred to as "the processor"

Data controller
The company or person that has entered into a Main Agreement with Firma360 ApS. Identity and contact details are stated in the Main Agreement.

hereinafter referred to as "the data controller"

Clause 1

1. Contents

  1. These Clauses govern the processor's processing of personal data on behalf of the data controller pursuant to Article 28(3) of the General Data Protection Regulation.
  2. The Clauses consist of 15 sections and 4 appendices (A–D), all of which form an integral part of the agreement.
  3. The parties are the data controller and the processor, respectively, as identified on the cover page.
Clause 2

2. Preamble

  1. These Clauses set out the rights and obligations of the processor when processing personal data on behalf of the data controller.
  2. These Clauses have been designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR).
  3. This Agreement is Firma360 ApS' standard Data Processing Agreement, published at firma360.dk/databehandleraftale. The processor only processes personal data on behalf of the data controller and not for its own purposes.
  4. The Clauses take precedence over any similar provisions in other agreements between the parties.
  5. Four appendices are attached to these Clauses and form an integral part of them.
  6–9. Appendices A–D contain, respectively, information about the processing, sub-processors, instructions and other matters.
  10. The Clauses, together with their appendices, must be retained in writing by both parties. The version in force is available at firma360.dk/databehandleraftale.
  11. These Clauses do not release the processor from obligations imposed under the GDPR or other legislation.
Clause 3

3. Rights and obligations of the data controller

  1. The data controller is responsible for ensuring that the processing is carried out in accordance with the GDPR and these Clauses.
  2. The data controller has the right and obligation to make decisions about the purposes and means of the processing.
  3. The data controller is responsible for ensuring a lawful basis for processing.
  4. By entering into these Clauses, the data controller confirms that:
  • a) personal data is processed in accordance with applicable data protection legislation;
  • b) there is a lawful basis for processing and for disclosure to the processor;
  • c) the data controller is responsible for the accuracy, integrity and lawfulness of the personal data;
  • d) the information obligations towards data subjects have been complied with; and
  • e) the relevant safeguards for technical and organisational security measures are in place.
Clause 4

4. The processor acts on instruction

  1. The processor may only process personal data on documented instructions from the data controller, unless required to do so by EU or national law. The instructions are specified in Appendices A and C.
  2. The processor shall immediately inform the data controller if, in its opinion, an instruction infringes the GDPR.
  3. If an instruction is unlawful in the processor's reasonable assessment, the processor may cease further processing other than storage until a supplementary instruction is given. Such cessation shall not be deemed a breach.
Clause 5

5. Confidentiality

  1. The processor may only grant access to personal data to persons subject to its instructions who have committed themselves to confidentiality or are under a statutory duty of confidentiality, and only to the extent necessary. The list of authorised persons is reviewed on an ongoing basis.
  2. The processor shall, upon request, be able to demonstrate that the relevant persons are subject to the duty of confidentiality.
  3. The confidentiality obligation also applies after the termination of the Clauses.
Clause 6

6. Security of processing

  1. The parties shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks, cf. Article 32 of the GDPR, including:
  • a) pseudonymisation and encryption of personal data;
  • b) ongoing confidentiality, integrity, availability and resilience;
  • c) the ability to restore access in a timely manner in the event of incidents; and
  • d) a process for regular testing and evaluation of the effectiveness of the measures.
  2. The processor independently assesses the risks and implements measures to mitigate them.
  3. The processor assists the data controller in complying with Article 32. Additional required measures are set out in Appendix C.
Clause 7

7. Use of sub-processors

  1. The processor shall comply with the conditions of Article 28(2) and (4) of the GDPR in order to engage a sub-processor.
  2. The use of a sub-processor requires the data controller's prior general written authorisation.
  3. The data controller has granted general authorisation. The processor shall give at least 30 days' notice of any addition or replacement of sub-processors. The list is set out in Appendix B.
  4. The sub-processor is bound by the same data protection obligations as those set out in these Clauses.
  5. Sub-processor agreements are sent in copy to the data controller upon request.
  6. The processor remains fully liable towards the data controller even if a sub-processor fails to fulfil its obligations.
Clause 8

8. Transfer to third countries or international organisations

  1. Transfers to third countries may only take place on the basis of documented instructions and in accordance with Chapter V of the GDPR.
  2. If a transfer is required by EU or national law, the data controller shall be notified, unless the law prohibits this.
  3. Without documented instructions, the processor may not transfer data to third countries, entrust processing to sub-processors in third countries, or process data in third countries.
  4. The instruction relating to third countries is set out in Appendix C.6.
  5. These Clauses do not in themselves constitute a transfer basis pursuant to Chapter V of the GDPR.
Clause 9

9. Assistance to the data controller

  1. The processor assists in giving effect to the rights of data subjects (Chapter III of the GDPR). Requests from data subjects are forwarded to the data controller without delay. Assistance includes, among other things:
  • a–b) Information obligations when collecting data and when data is not obtained from the data subject
  • c) The right of access
  • d) The right to rectification
  • e) The right to erasure ("the right to be forgotten")
  • f) The right to restriction of processing
  • g) The obligation to notify rectification/erasure
  • h) The right to data portability
  • i) The right to object
  • j) The right not to be subject to automated decisions
  2. The processor also assists with notifications of breaches (72 hours), notification of data subjects, impact assessments and prior consultation with the Danish Data Protection Agency.
  3. Further measures are set out in Appendix C.
Clause 10

10. Notification of personal data breaches

  1. The processor shall notify the data controller without undue delay after becoming aware of a personal data breach.
  2. Notification shall, where possible, take place no later than 48 hours after the breach has been identified, so that the data controller can comply with the 72-hour notification obligation to the Danish Data Protection Agency (Article 33).
  3. The processor assists with providing information about the nature, scope and likely consequences of the breach and the measures taken and proposed.
  4. Further information is set out in Appendix C.
Clause 11

11. Erasure and return of data

  1. On termination, all personal data is deleted from active systems no later than 30 days after the termination of the agreement. Data may remain in encrypted backups for up to 90 days, after which it is overwritten automatically. Erasure is confirmed in writing to the data controller.
  2. The processor processes personal data solely for the purposes and under the conditions set out in these rules.
Clause 12

12. Audit, including inspection

  1. The processor shall make available all information necessary and contribute to audits and inspections conducted by the data controller or an authorised auditor.
  2. The procedures for audits are set out in Appendix C.7 and C.8.
  3. The processor grants supervisory authorities access to facilities upon proper identification.
Clause 13

13. Other terms agreed by the parties

  1. The parties may agree on other terms, for example on liability for damages, as long as these do not conflict with the Clauses or diminish the fundamental rights of data subjects.
Clause 14

14. Entry into force and termination

  1. The Clauses enter into force upon conclusion of the Main Agreement and are automatically accepted as part of it.
  2. Firma360 ApS may update this Agreement with 30 days' notice by publication at firma360.dk/databehandleraftale.
  3. The Clauses remain in force for as long as the Main Agreement runs and cannot be terminated independently.
  4. When the service ends and data has been erased pursuant to Section 11, the Clauses may be terminated by written notice.
  5. The Agreement is governed by Danish law and disputes shall be settled by a Danish court.
Clause 15

15. Contact persons

  1. The parties communicate via contact persons. Processor's contact: Jim Sandholm, dba@firma360.dk. The data controller's contact person is stated in the Main Agreement.
  2. The parties shall keep each other informed of changes concerning contact persons.

¹ References to "Member State" shall be understood as references to "EEA Member States".

Appendix A

Appendix A — Information about the processing

A.1. Purposes

  • Web hosting and operations — hosting, backup, monitoring and support
  • Web and app development — design, development and maintenance
  • Marketing and advertising — email marketing, advertising and analytics
  • Consulting services — advice and implementation of digital solutions

A.2. Nature of the processing

Organisation, storage, filtering, retrieval, use, combination, restriction and/or erasure of personal data.

A.3. Types of personal data

Ordinary (Article 6):

  • Contact details (name, email, phone, address)
  • Login credentials and user data
  • Transaction and order data
  • IP addresses and cookie/tracking data
  • Behavioural data from websites and apps
  • Personal identification number (CPR) via EAN invoicing (confidential information)

Special categories (Article 9): Only by separate written agreement.

A.4. Data subjects

  • The data controller's end users and customers
  • The end users of the data controller's customers
  • The data controller's employees
  • Contact persons and business partners

A.5. Duration

Processing commences upon entry into force of the Main Agreement and ends upon termination of the Main Agreement, cf. Section 11 and Appendix C.4.

Appendix B

Appendix B — Sub-processors

B.1. Approved sub-processors

The list in force at any given time is available at firma360.dk/databehandleraftale.

| Name | Country | Function | Third country | Basis |
|---|---|---|---|---|
| Simply.com | DK | Web hosting | No | |
| Hetzner Online GmbH | DE | Web hosting / servers | No | |
| Amazon Web Services (AWS) | US | Cloud hosting / infrastructure | Yes | DPF/SCC |
| Vercel Inc. | US | Hosting / deployment (webapps) | Yes | SCC |
| Supabase | US | Database hosting / backend | Yes | SCC |
| Google Firebase | US | Backend / database hosting | Yes | DPF/SCC |
| Punktum dk (DK-Hostmaster) | DK | Domain management | No | |
| WordPress (Automattic) | US | CMS platform | Yes | DPF/SCC |
| WooCommerce (Automattic) | US | E-commerce platform | Yes | DPF/SCC |
| Dropbox | US | File storage | Yes | DPF/SCC |
| Microsoft (365, Azure, Bing) | US | File storage, email, advertising | Yes | DPF/SCC |
| Google (Ads, Analytics, Workspace, Gemini) | US | Advertising, tracking, email, AI | Yes | DPF/SCC |
| Meta Platforms (Facebook & Instagram) | US | Advertising, tracking | Yes | DPF/SCC |
| LinkedIn | US | Advertising, tracking | Yes | DPF/SCC |
| WeTransfer | EU | File transfer | No | |
| Adobe Inc. | US | Creative tools / analytics | Yes | DPF/SCC |
| Active Campaign | US | Email marketing, automation | Yes | SCC |
| Klaviyo | US | Email marketing, SMS, advertising | Yes | DPF/SCC |
| Drip | US | Email marketing, automation | Yes | SCC |
| HubSpot | US | CRM, email marketing, advertising | Yes | DPF/SCC |
| OneSignal | US | Push notifications | Yes | SCC |
| Make (formerly Integromat) | EU/CZ | Automation / integrations | No | |
| Zapier | US | Automation / integrations | Yes | SCC |
| n8n | DE | Automation / integrations | No | |
| Effihub | DK | Automation / integrations | No | |
| Apple Inc. (APNs & TestFlight) | US | Push notifications & beta distribution of apps | Yes | SCC |
| Google LLC (Firebase Cloud Messaging) | US | Push notifications for Android apps | Yes | DPF/SCC |
| Anthropic (Claude API) | US | AI-assisted content production and analysis | Yes | SCC |
| OpenAI (ChatGPT API) | US | AI-assisted content production and analysis | Yes | SCC |
| Dinero | DK | Accounting and invoicing | No | |
| Stripe | US | Payment gateway | Yes | DPF/SCC |
| Clearhaus | DK | Acquirer | No | |
| Quickpay | DK | Payment gateway | No | |
| Flatpay | DK | Payment solution | No | |

DPF = EU-U.S. Data Privacy Framework · SCC = EU Standard Contractual Clauses. AI services are used via API/Business plans with a signed DPA. Apple App Store and Google Play Store act as independent data controllers.

B.2. Notice and procedure for changes

Notice of additions or replacements is given at least 30 days in advance by email and by publication at firma360.dk/databehandleraftale. Objections may be raised on reasonable and concrete data-protection grounds.

Appendix C

Appendix C — Instructions concerning the processing

C.1. Subject matter of the processing

Delivery of web hosting, web development, app development, marketing/advertising and/or consulting services in accordance with the Main Agreement.

C.2. Security of processing

C.2.1. Organisational security

  • Documented information security policy
  • Confidentiality obligations and ongoing data-protection training
  • Data protection by design and by default
  • Secure decommissioning of data equipment

C.2.2. Physical security

  • Physical access control to locations with personal data
  • Secure disposal of data media
  • Logging of physical access

C.2.3. System and network security

  • Up-to-date antivirus on all systems
  • Firewalls and intrusion-prevention systems
  • Network segmentation
  • Ongoing vulnerability scanning and penetration tests
  • Encryption in transit (minimum TLS 1.2)

C.2.4. Access control

  • Least-privilege principle
  • MFA for remote access
  • Log data retained for at least 12 months

C.2.5. Backup

  • Regular encrypted backups, separated from primary data processing
  • Personal data in backups for up to 90 days, then automatic deletion

C.2.6–2.7. Incident response and test environments

  • Documented procedures for security incidents
  • Pseudonymised/anonymised data in test environments
  • Production environments separated from test

C.3. Assistance

  • Forwarding of requests from data subjects
  • Assistance with rights, breaches, impact assessments and consultations
  • Additional assistance is billed pursuant to Appendix D.5

C.4. Erasure routine

Erasure from active systems no later than 30 days after termination. Backups are overwritten automatically after a maximum of 90 days. Written confirmation is provided to the data controller.

C.5. Location

  • Firma360 ApS, Vandtårnsvej 106B, 2860 Søborg
  • Locations of approved sub-processors (cf. Appendix B)
  • The data controller's locations where necessary

C.6. Transfer to third countries

General authorisation for countries with an adequate level of protection (Article 45) and DPF-certified organisations in the United States. Specific recipients are listed in Appendix B. The processor uses the applicable SCCs where necessary.

C.7. Audits

Audit concepts (max. once a year)

  • Concept 1 – Self-assessment: Written request for documentation to dba@firma360.dk
  • Concept 2 – Physical inspection: Written agreement at least 4 weeks in advance
  • Concept 3 – Questionnaire: Primary audit method; written response within an agreed deadline

Existing ISAE/ISO 27001 reports (most recent 12 months) may replace a new audit. The processor makes time and resources available; the data controller's own costs are borne by the data controller.

C.8. Audit of sub-processors

Ongoing risk-based supervision via audit reports, questionnaires and, where applicable, physical inspections. Documentation is provided to the data controller upon request.

Appendix D

Appendix D — Other matters agreed by the parties

D.1. Precedence

Appendix D takes precedence over the Clauses, unless the provision in question is mandatory under the GDPR.

D.2. Unlawful instruction

The processor may cease processing in case of an unlawful instruction. The data controller shall indemnify the processor for any claims arising as a result.

D.3. Alternative security measures

The processor may implement alternatives with at least the same level of security.

D.4. Sub-processors on standard terms

Standard terms from sub-processors apply to the extent they are compatible with the GDPR. The data controller hereby accepts such terms.

D.5. Remuneration for assistance

Included at no additional charge:

  • Basic assistance with requests from data subjects
  • Notification of personal data breaches
  • Questionnaire audit (concept 3) once a year

Billed by time spent:

  • Extended assistance with requests and supervisory authorities
  • Physical inspection (concept 2) and preparation of documentation
  • Impact assessments and changes to instructions

D.6–7. Liability and claims from data subjects

The limitation of liability in the Main Agreement applies (cf. Terms of Service §10.6). The data controller shall indemnify the processor for claims that exceed the liability cap and arise from the data controller's own acts.

Firma360 ApS · VAT/CVR 39493691 · v2.0 · Last updated April 3, 2026
