Data Processing Agreement
Last updated on 30-10-2025
This Data Processing Agreement governs the processing of personal data undertaken by SecureFirst on your behalf as a client. The Data Processing Agreement becomes effective upon your registration as a client.
This Data Processing Agreement has been concluded pursuant to Article 28, paragraph 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) to regulate SecureFirst’s processing of personal data on your behalf as a client.
The agreement has been entered into between:
Data Controller:
[Insert: Company, address, CVR number]
Contact Person:
[Contact Person and Contact Information]
and
Data Processor:
SecureFirst ApS,
Lyskær 3B 2,
2730 Herlev DK-Denmark
CVR No: 44238780
Contact: info@securefirst.dk
Hereinafter, the parties are referred to as the “data controller” and the “data processor”, and collectively as “the parties”.
1. Preamble
1.1 The definitions of “personal data”, “special categories of personal data” (sensitive data), “data processing”, “data subject”, “data controller”, and “data processor” are as stipulated in the General Data Protection Regulation.
1.2 The purpose of this data processing agreement is to ensure the parties' compliance with applicable data protection legislation and to document the data controller's instructions to the data processor. The purpose of the data processor's processing of personal data on behalf of the data controller is to facilitate the data controller's use of the IT security platform SecureFirst, as further described in SecureFirst's terms and conditions.
1.3 This data processing agreement defines the rights and obligations of the parties when the data processor processes personal data on behalf of the data controller.
1.4 This Data Processing Agreement shall take precedence over any conflicting provisions concerning the processing of personal data within SecureFirst's terms and conditions or other agreements between the parties. This Data Processing Agreement remains valid between the parties as long as the Data Controller subscribes to SecureFirst.
1.5 This Data Processing Agreement does not exempt the Data Processor from any additional obligations imposed by applicable data protection legislation.
2. Data Controller's Rights and Obligations
2.1 The Data Controller is responsible for ensuring that the processing of personal data in connection with the use of the SecureFirst application complies with GDPR Art. 24, other EU law or national law, and this Data Processing Agreement.
2.2 The Data Controller has the right and obligation to determine the purpose(s) and means by which personal data may be processed. Furthermore, it is solely under the Data Controller's control which personal data is processed, including data entered and generated within the SecureFirst application.
2.3 The Data Controller is responsible for ensuring the existence of a lawful basis for the processing and disclosure of personal data, as instructed to the Data Processor. This includes disclosure to the sub-processors utilized by the Data Processor, which are consistently listed here.
2.4 The Data Controller is responsible for the accuracy, integrity, content, reliability, and lawfulness of the personal data processed by the Data Processor.
2.5 The Data Controller has fulfilled all mandatory requirements and obligations regarding notification to or obtaining authorization from the relevant public authorities concerning the processing of personal data.
2.6 The Data Controller has fulfilled its information obligation to data subjects regarding the processing of personal data in accordance with applicable data protection legislation.
2.7 The data controller confirms that the data processor has provided the necessary guarantees regarding the implementation of technical and organizational security measures to protect the rights of data subjects and their personal data upon entering into this data processing agreement.
3. The Data Processor Acts on Instruction
3.1 The data processor may only process personal data according to documented instructions from the data controller, unless required by EU or national law to which the data processor is subject. By entering into this data processing agreement, the data controller instructs the data processor to process personal data in the following ways:
3.1.1 in accordance with applicable law;
3.1.2 to fulfill its obligations under SecureFirst's terms of use for the application;
3.1.3 as further specified by the data controller's normal use of the application;
3.1.4 as described in this data processing agreement.
3.2 The data processor shall immediately inform the data controller if an instruction is deemed to be in violation of applicable data protection legislation or other EU or national law.
4. Processing Security
4.1 The data processor is obligated to ensure a high level of security. This is achieved through the implementation of relevant organizational, technical, and physical security measures.
Implementation takes into account available technology and the costs of implementation, as well as the scope, context, and purposes of processing, to ensure an adequate level of security that addresses the risk and the category of personal data to be protected.
4.2 The data processor may only grant access to personal data processed on behalf of the data controller to individuals who have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality – and only to the extent necessary. The duty of confidentiality shall also apply after the termination of the data processing agreement.
4.3 SecureFirst has implemented several security measures and internal data protection policies to ensure the confidentiality, integrity, resilience, and accessibility of personal data. This includes, but is not limited to, the following measures:
4.3.1 Risk assessments of its own security posture to ensure that current technical and organizational measures adequately protect personal data, in compliance with GDPR Art. 32 concerning security of processing and GDPR Art. 25 regarding privacy by design and by default.
4.3.2 Implementation of effective encryption for personal data transferred over the internet.
4.3.3 Continuous awareness training for all employees, emphasizing IT security and the processing of personal data.
4.3.4 External access to systems and databases utilized for processing personal data is exclusively facilitated through an integrated firewall.
4.3.5 Restriction of access to personal data, limited to personnel whose access is essential for fulfilling the requirements and obligations stipulated in the data processing agreement.
4.3.6 Implementation of established controls for identifying and reporting any personal data security breaches.
4.3.7 Annual execution of vulnerability scans and/or penetration tests to ensure the proper implementation and validation of technical measures.
4.3.8 Implemented procedures to ensure consistent changes across systems, databases, and networks, thereby maintaining their integrity.
5. Engagement of Sub-processors
5.1 As part of SecureFirst's operations, the Data Processor engages sub-processors. This Data Processing Agreement constitutes the Data Controller's prior general written authorization for the Data Processor's use of sub-processors. Such sub-processors may include other entities within the DDSA Holding group, of which SecureFirst is a constituent, or third-party providers both within and outside the EU/EEA. The Data Processor's sub-processors are enumerated in the currently applicable list of sub-processors.
5.2 The data processor shall ensure that its sub-processors adhere to obligations and requirements analogous to those stipulated in this data processing agreement. The data controller must be notified at least 30 days prior to the data processor's engagement of a new sub-processor. The data controller reserves the right to object to a new sub-processor, processing personal data on their behalf, if said sub-processor fails to process data in compliance with applicable data protection legislation. In such an event, the data processor must demonstrate compliance by granting the data controller access to the data processor's data protection assessment and relevant documentation concerning the sub-processor's engagement. Should disagreement regarding the sub-processor's use persist, the data controller may terminate their subscription with a reduced notice period to prevent their personal data from being processed by the contentious sub-processor.
6. Transfers to Third Countries or International Organizations
6.1 Any transfer of personal data to a third country or an international organization necessitates the execution of the EU Commission's Standard Contractual Clauses (EU SCCs) or another valid transfer mechanism. The data controller hereby authorizes the data processor to establish an adequate basis for the transfer of personal data to a third country on the data controller's behalf.
7. Assistance to the Data Controller
7.1 The Data Processor shall, to the extent feasible, assist the Data Controller with appropriate technical and organizational measures, considering the nature of the processing and the categories of data available to the Data Processor, to ensure the Data Controller's compliance with obligations under applicable data protection legislation.
7.2 The Data Processor shall assist the Data Controller in complying with GDPR Articles 32-36, which includes, among other things, processing security, notification of personal data breaches to the supervisory authority, and communication of personal data breaches to the data subject, taking into account the nature of the processing and the information available to the Data Processor.
7.3 The Data Processor shall not respond to requests from data subjects unless explicitly authorized by the Data Controller. Furthermore, the Data Processor shall not disclose information pertaining to this Data Processing Agreement to governmental authorities, including law enforcement, nor shall it disclose personal data, unless legally compelled to do so by a court order or equivalent legal mandate.
7.4 Furthermore, the Data Processor shall, to the extent possible and lawful, notify the Data Controller if:
7.4.1 A request for access to personal data is received directly from the data subject;
7.4.2 A request for access to personal data is received directly from governmental authorities, including law enforcement, unless the Data Processor is explicitly instructed not to notify the Data Controller.
7.5 If the Data Controller requests information or assistance regarding security measures, documentation, or general details on how the Data Processor processes personal data, and such a request extends beyond what is mandated by applicable data protection legislation, the Data Processor reserves the right to charge for these supplementary services.
8. Notification of Personal Data Breach
8.1 The Data Processor shall, without undue delay, notify the Data Controller upon becoming aware of a personal data breach involving personal data processed by the Data Processor on behalf of the Data Controller. This notification aims to support the Data Controller in fulfilling their subsequent obligations related to the breach.
8.2 The Data Processor shall notify the Data Controller, via the designated contact person specified in the Data Processing Agreement, if the Data Processor becomes aware of a security vulnerability.
9. Notification of Personal Data Breach
9.1 As part of the Application's operation, the Data Processor engages sub-processors. The Data Controller has the option to retrieve (export) their data upon the termination of a SecureFirst subscription. Following the subscription's termination, the Data Processor will delete or anonymize all personal data that it has processed on behalf of the Data Controller. This process will adhere to the applicable terms.
10. Audit, including Inspection
10.1 The Data Controller is entitled to initiate an audit of the Data Processor's obligations under the Data Processing Agreement.
10.2 If the proposed scope of the audit aligns with an ISAE 3000, ISO, or similar assurance report conducted by a qualified third-party auditor within the preceding twelve months, and the Data Processor confirms that no material changes have occurred in the measures subject to the audit, the Data Controller shall accept this audit in lieu of requesting a new audit of the measures already covered.
10.3 Should the Data Processor's assistance during an audit exceed the standard service that the Data Processor is required to provide under applicable data protection legislation, this will be billed separately.
11. Commencement and Termination
11.1 This Data Processing Agreement remains in effect as long as the Data Processor processes personal data on behalf of the Data Controller in connection with the Data Controller's use of the SecureFirst application.
11.2 The Data Processor is entitled to retain personal data after the termination of the Data Processing Agreement to the extent necessary under applicable law, which, in such an event, will occur in accordance with the technical and organizational security measures described in the Data Processing Agreement.
12. Amendments to the Data Processing Agreement
12.1 The current version of the Data Processing Agreement will be accessible on the website at all times. Material changes will be notified 30 days prior to their effective date via email. Use of the SecureFirst application after the update constitutes acceptance of the Data Processing Agreement.
13. Liability
13.1 Liability for actions contrary to the provisions of this Data Processing Agreement shall be governed by the liability and indemnity clauses within the terms and conditions for the SecureFirst application. This also applies to any breaches committed by the Data Processor's sub-processors.
14. Governing Law and Jurisdiction
14.1 This Data Processing Agreement shall be governed by Danish law, and any dispute arising from this Data Processing Agreement shall be brought before the City Court of Copenhagen.
Appendix A – Categories of Personal Data and Data Subjects
A. Categories of Personal Data
a. The Data Controller determines which categories of personal data are processed within the SecureFirst application, which may include, but are not limited to:
- Name
- Title
- Phone number
- Address
- Optional
In addition to the above, special categories of personal data (sensitive data) may be processed by the Data Processor, to the extent that the Data Controller processes such information within the SecureFirst application. However, this remains outside the Data Processor's control.
B. Categories of Data Subjects
a. The Data Controller determines which categories of data subjects are processed within the SecureFirst application, which may include, but are not limited to:
- Data Controller's End-Users
- Data Controller's Employees
- Data Controller's Contact Persons
- Data Controller's Customers and their End-Users
- Data Controller's Customers' Employees
- Data Controller's Customers' Contact Persons
- Optional
