Data processing agreement

Standard contractual clauses

pursuant to Article 28(3) of Regulation 2016/679 (General Data Protection Regulation) for the purposes of the processor's processing of personal data

Between

The customer (you) 

(as specified in the Master Agreement on access to XpressU, cf. clause 1.3 below) 

(hereinafter "the controller")

and

XpressU ApS
CVR no.: 39899191
Ordrupvej 112c
2920 Charlottenlund, Denmark

(hereinafter "the data processor")

(each of which is a "party" and together constitute the "parties")

Have agreed the following standard contractual clauses (the Clauses) in order to comply with the GDPR and ensure the protection of the privacy and fundamental rights and freedoms of natural persons.

Content

  1. Preamble
  2. Rights and obligations of the controller
  3. The data processor acts on instructions
  4. Confidentiality
  5. Security of processing
  6. Use of sub-processors
  7. Transfer to third countries or international organizations
  8. Assistance to the controller
  9. Personal data breach notification
  10. Deletion and return of data
  11. Audit, including inspection
  12. The parties' agreement on other matters
  13. Entry into force and termination
  14. Contact persons at the data controller and data processor

Annex A Information about the processing
Annex B Sub-processors
Annex C Instructions for the processing of personal data
Annex D The parties' regulation of other matters

1. Preamble

    1. These Clauses set out the rights and obligations of the processor when processing personal data on behalf of the controller.
    2. These Clauses are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    3. In connection with the hosting, conversion and support of user media in the use of XpressU, as agreed in the commercial agreement between the Data Processor and the Data Controller (hereinafter the "Master Agreement"), the Data Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.
    4. The Clauses take precedence over any corresponding provisions in other agreements between the parties.
    5. There are four annexes to these Clauses, and the annexes form an integral part of the Clauses.
    6. Annex A contains details on the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
    7. Annex B contains the controller's conditions for the processor's use of sub-processors and a list of sub-processors that the controller has approved the use of.
    8. Annex C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-processors are supervised.
    9. Annex D contains provisions regarding other activities not covered by the Clauses.
    10. The Clauses and their annexes shall be kept in writing, including electronically, by both parties.
    11. These Clauses do not release the data processor from obligations imposed on the data processor under the General Data Protection Regulation or any other legislation.

2. Rights and obligations of the controller

    1. The controller is responsible for ensuring that the processing of personal data is carried out in accordance with the GDPR (see Article 24 of the GDPR), data protection provisions of other EU or Member State law, and these Clauses.
    2. The controller has the right and obligation to decide for which purpose(s) and with which means personal data may be processed.
    3. The controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to perform.

3. The data processor acts on instructions

    1. The data processor may only process personal data following documented instructions from the data controller, unless required by EU or Member State law to which the data processor is subject. This instruction shall be specified in Annexes A and C. Subsequent instructions may also be given by the controller while processing personal data, but the instruction must always be documented and stored in writing, including electronically, together with these Clauses.
    2. The processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or data protection provisions of other Union or Member State law.

4. Confidentiality

    1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's instruction powers, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed on an ongoing basis. Based on this review, if access to personal data is no longer necessary, access may be closed and the personal data shall no longer be accessible to these individuals.
    2. At the request of the controller, the data processor must be able to demonstrate that the persons concerned, who are subject to the data processor's powers of instruction, are subject to the aforementioned duty of confidentiality.

5. Security of processing

    1. Article 32 of the GDPR states that the controller and processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to those risks. The controller shall assess the risks to the rights and freedoms of natural persons posed by processing and implement measures to address those risks. Depending on their relevance, this may include:
      A: pseudonymization and encryption of personal data
      B: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
      C: the ability to restore in a timely manner the availability of and access to personal data in the event of a physical or technical incident
      D: a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing.
    2. According to Article 32 of the Regulation, the processor must - independently of the controller - also assess the risks to the rights of natural persons posed by the processing and implement measures to mitigate those risks. For the purposes of this assessment, the controller must provide the processor with the necessary information to enable it to identify and assess such risks.
    3. In addition, the processor shall assist the controller in its compliance with the controller's obligation under Article 32 of the Regulation by, inter alia, providing the controller with the necessary information regarding the technical and organizational security measures already implemented by the processor pursuant to Article 32 of the Regulation and any other information necessary for the controller to comply with its obligation under Article 32 of the Regulation.
       If addressing the identified risks - in the controller's assessment - requires the implementation of additional measures to those already implemented by the processor, the controller shall specify the additional measures to be implemented in Annex C.

6. Use of sub-processors

    1. The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR to use another data processor (a sub-processor).
    2. Thus, the Data Processor may not use a Sub-Processor to fulfill these Clauses without prior general approval from the Data Controller.
    3. The Processor has the Controller's general approval for the use of sub-processors. The Processor shall notify the Controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 14 days' notice, thereby giving the Controller the opportunity to object to such changes prior to the use of the sub-processor(s) in question. Longer notice periods for notification for specific processing operations may be specified in Annex B. The list of sub-processors already authorized by the controller is set out in Annex B.
    4. When the data processor uses a sub-processor to carry out specific processing activities on behalf of the data controller, the data processor must, through a contract or other legal document under EU or Member State law, impose on the sub-processor the same data protection obligations as those set out in these Clauses, in particular providing appropriate guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Clauses and the GDPR. The data processor is therefore responsible for requiring that the sub-processor at least complies with the data processor's obligations under these Clauses and the GDPR.
    5. The sub-processor agreement(s) and any subsequent amendments thereto shall - at the request of the data controller - be sent in copy to the data controller, which thereby has the opportunity to ensure that similar data protection obligations arising from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection law content of the sub-processor agreement shall not be sent to the controller.
    6. The processor must include the controller as a third party beneficiary in its agreement with the sub-processor in the event of the bankruptcy of the processor so that the controller can subrogate itself to the rights of the processor and enforce them against sub-processors, for example, enabling the controller to instruct the sub-processor to delete or return the personal data.
    7. If the sub-processor does not fulfill its data protection obligations, the processor remains fully liable to the controller for the fulfillment of the sub-processor's obligations. This shall be without prejudice to the rights of data subjects resulting from the GDPR, in particular Articles 79 and 82 thereof, vis-à-vis the controller and the processor, including the sub-processor. 

7. Transfer to third countries or international organizations

    1. Any transfer of personal data to third countries or international organizations may only be made by the data processor on the basis of documented instructions from the data controller and must always be in accordance with Chapter V of the General Data Protection Regulation.
    2. Where the transfer of personal data to third countries or international organizations which the processor has not been instructed to carry out by the controller is required by Union or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such notification for reasons of important public interest.
    3. Without documented instructions from the controller, the data processor may not, within the framework of these Clauses:
      A: transfer personal data to a controller or processor in a third country or an international organization
      B: entrust the processing of personal data to a sub-processor in a third country
      C: process the personal data in a third country
    4. The controller's instructions regarding the transfer of personal data to a third country, including any transfer basis in Chapter V of the GDPR on which the transfer is based, shall be specified in Annex C.6.
    5. These Clauses shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR and these Clauses shall not constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.

8. Assistance to the controller

    1. The data processor shall, taking into account the nature of the processing, assist the controller as far as possible, using appropriate technical and organizational measures, in fulfilling the controller's obligation to respond to requests for the exercise of data subjects' rights as laid down in Chapter III of the GDPR. This means that the data processor shall, as far as possible, assist the controller in ensuring compliance with:
      A: the obligation to provide information when collecting personal data from the data subject
      B: the obligation to provide information if personal data is not collected from the data subject
      C: the right of access
      D: the right to rectification
      E: the right to erasure ("right to be forgotten")
      F: the right to restriction of processing
      G: the obligation to provide information in relation to rectification or erasure of personal data or restriction of processing
      H: the right to data portability
      I: the right to object
      J: the right not to be subject to a decision based solely on automated processing, including profiling
    2. In addition to the data processor's obligation to assist the data controller in accordance with Clause 5.3, the data processor shall, taking into account the nature of the processing and the information available to the data processor, also assist the data controller with:
      A: the data controller's obligation to notify a personal data breach to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and if possible no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
      B: the controller's obligation to notify the data subject without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of natural persons
      C: the controller's obligation to carry out, prior to processing, an analysis of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment)
      D: the controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing, where a data protection impact assessment shows that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
    3. The parties shall specify in Annex C the necessary technical and organizational measures with which the data processor shall assist the data controller, as well as the scope and extent of the assistance required. This applies to the obligations arising from Clauses 8.1 and 8.2.

9. Personal data breach notification

    1. The Processor shall notify the Controller without undue delay after becoming aware that a personal data breach has occurred.
    2. The data processor's notification to the data controller shall, if possible, take place no later than 48 hours after it has become aware of the breach so that the data controller can comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.
    3. In accordance with Clause 8.2.A, the processor shall assist the controller in making the notification of the breach to the competent supervisory authority. This means that the processor shall assist in providing the following information, which, according to Article 33(3), shall be included in the controller's breach notification:
      A: the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
      B: the likely consequences of the personal data breach
      C: the measures taken or proposed to be taken by the controller to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.
    4. The parties shall specify in Annex C the information to be provided by the processor in the context of its assistance to the controller in its obligation to notify personal data breaches to the competent supervisory authority.

10. Deletion and return of data

    1. Upon termination of the personal data processing services, the processor shall be obliged to erase all personal data processed on behalf of the controller and confirm to the controller that the data have been erased, unless Union or Member State law provides for the storage of the personal data.

11. Audit, including inspection

    1. The Processor shall provide the Controller with all information necessary to demonstrate compliance with Article 28 of the GDPR and these Clauses and shall enable and contribute to audits, including inspections carried out by the Controller or another auditor authorized by the Controller.
    2. The procedures for the controller's audits, including inspections, of the data processor and sub-processors are detailed in Annexes C.7 and C.8.
    3. The data processor is obliged to grant supervisory authorities that have access to the data controller's or data processor's facilities under applicable legislation, or representatives acting on behalf of the supervisory authority, access to the data processor's physical facilities against proper identification.

12. The parties' agreement on other matters

    1. The parties may agree on other provisions concerning the service relating to the processing of personal data, such as liability for damages, as long as these other provisions do not directly or indirectly conflict with the Clauses or impair the data subject's fundamental rights and freedoms under the GDPR.

13. Entry into force and termination

    1. The Clauses enter into force on the date of entry into force of the Master Agreement.
    2. Either party may demand renegotiation of the Clauses if changes in legislation or inappropriateness in the Clauses give rise to this.
    3. The Clauses shall remain in force for the duration of the Personal Data Processing Service. During this period, the Clauses cannot be terminated unless other provisions governing the provision of the personal data processing service are agreed between the parties.
    4. If the provision of the Personal Data Processing Services ceases and the Personal Data has been deleted or returned to the Controller in accordance with Clause 10.1 and Annex C.4, the Clauses may be terminated with written notice by either party.

14. Contact persons at the controller and processor

    1. The parties can contact each other via the contact persons below.
    2. The parties are obliged to keep each other informed of changes regarding contact persons.

Contact person Data Controller

The Data Controller's contact person and contact details for the Data Controller are the same as stated in the Master Agreement.

Contact person Data Processor

The Data Processor's contact person and contact details are the same as stated in the Master Agreement.
Inquiries can always be made to support@xpressu.dk

Annex A Information about the processing

A.1 Purpose of the data processor's processing of personal data on behalf of the controller

The purpose of the processing is to make the media and communication platform XpressU available to the customer and the customer's users, including communicating with users regarding updates to the system and news, and contact with the customer regarding support etc.

A.2 Processing of personal data by the data processor on behalf of the data controller primarily relates to (nature of the processing)

The data processor provides the data controller with a system that enables the storage, sharing and composition of presentations, including video, images and PowerPoint presentations. The system enables users to create, edit, update and share content with both internal and external users. The solution is used for e-learning and related educational activities.
The processing of personal data primarily includes general information such as name, email address and contact details of the users of the system. Statistics are also kept on usage.
The Data Processor shall only process personal data in accordance with the Data Controller's instructions and shall ensure that the necessary technical and organizational measures are implemented to protect the processed data in accordance with applicable data protection legislation.

A.3. The processing includes the following types of personal data of the data subjects

General data is processed about the customer's employees, including name, email and contact details.

A.4. The processing includes the following categories of data subjects

Customer's employees and Customer's members.

A.5 The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of these Clauses. The processing has the following duration

The processing is not limited in time, which is why the data processor processes personal data on behalf of the data controller for the duration of the agreement.

Annex B Sub-processors

B.1 Approved sub-processors
Name: Visma e-conomic A/S
Company registration number: 29403473
Address: Gærtorvet 3, 1799 Copenhagen V
Description of processing: Billing

Name: Intercom R&D Unlimited Company
Company registration number: IE VAT IE3273393EH
Address: Saint Stephen's Green 124, Dublin
Description of processing: Support and communication with end users

Name: Microsoft Azure
Company registration number: VAT number DK20812842
Address: Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Description of processing: Storing and servicing encrypted data for XpressU (see Microsoft GDPR)

Name: CloudConvert (Lunaweb GmbH)
Company registration number: VAT ID DE316913979; commercial register: Amtsgericht München, register entry HRB 238086
Address: Nördliche Münchner Straße 47, DE-82031 Grünwald, Germany
Description of processing: Media conversion

Upon entry into force of the Clauses, the Data Controller has approved the use of the above-mentioned sub-processors for the processing activity described. The Data Processor may not - without the Data Controller's written approval - use a Sub-Processor for a processing activity other than the described and agreed processing activity or use a different Sub-Processor for this processing activity.

B.2 Notification for approval of sub-processors

Please refer to Clause 6.3.

Annex C Instructions for the processing of personal data

C.1. Subject matter/instruction of the processing

The data processor's processing of personal data on behalf of the data controller takes place by the data processor performing the following:

The data processor makes XpressU available to the data controller and, as part of the data controller's use of XpressU, processes personal data on behalf of the data controller.

C.2 Security of processing

The security level must reflect:

The processing includes a small amount of personal data, i.e. primarily name and contact information for the administration of support tasks. None of this information is covered by GDPR Article 9 or otherwise particularly confidential. Statistics are also stored for the use of XpressU.

The Data Processor is then entitled and obliged to make decisions on which technical and organizational security measures must be implemented to establish the necessary (and agreed) security level.

However, the processor shall - in any case and as a minimum - implement the following measures agreed with the controller:

Data is not pseudonymized, but data transferred between the backend and the frontend is encrypted, and up-to-date security measures have been implemented around the platform.

A number of technical and organizational security measures have been implemented. The system uses encryption both in transit and at rest to protect against unauthorized access. Access controls ensure that only authorized users have access to the relevant material and that their actions can be traced. Regular security updates and system maintenance are carried out so that the system remains resilient to security threats. User information, including name, email and statistical usage patterns, is stored in a secure system with appropriate access restrictions. Backup and recovery procedures are implemented to ensure data availability and integrity in the event of system failure or unforeseen events. The system is designed to withstand attacks and to recover quickly from crashes, ensuring continuous operation.

  • Routine data backup is established, including on the server.
  • Server conditions are continuously updated and reviewed for optimization.
  • Personal data cannot be accessed without a two-factor login to XpressU Admin or the Intercom software.
  • Data is encrypted.
  • Data is stored in Microsoft Azure databases using the recommended settings.
  • Microsoft and Intercom data centers are secured according to their own security procedures.
  • XpressU's employees hold no personal data on their computers other than through access to email, Microsoft Azure and Intercom.
  • A standard web log is kept on the Azure server, and we track usage behavior ourselves.

C.3 Assistance to the controller

The data processor shall, as far as possible - within the scope and extent set out below - assist the data controller in accordance with Clauses 8.1 and 8.2 by implementing the following technical and organizational measures:

XpressU provides assistance to a reasonable extent. For assistance beyond the usual and relatively limited scope, XpressU reserves the right to charge for time spent in accordance with XpressU's usual hourly rates.

XpressU will notify the Data Controller of any identified data breach and then provide assistance to a reasonable extent. For assistance beyond the usual and relatively limited scope, XpressU reserves the right to charge for time spent in accordance with XpressU's usual hourly rates. XpressU never contacts the supervisory authority without prior agreement with the Data Controller. The Data Processor must notify the Data Controller of security breaches within 48 hours.

C.4 Retention period/deletion routine

Information associated with the individual user is automatically deleted 30 days after subscription termination.

C.5 Location of processing

At the time of conclusion of the agreement, the personal data covered by the Clauses is processed at the locations listed below. Changes may be made without the Data Controller's consent only if the relocation does not entail an increased risk under data protection law: a relocation within the same country or, e.g., within the EU/EEA will generally be possible without the Data Controller's prior consent, whereas a relocation from, e.g., the USA to another third country will not be possible without such prior consent:

Name: Visma e-conomic A/S
Location of processing: Gærtorvet 3, 1799 Copenhagen V
Processing activity: Billing

Name: Intercom
Location of processing: 55 2nd Street, 4th Floor, San Francisco, CA 94105
Processing activity: Support and communication with end users

Name: Microsoft Azure
Location of processing: Evert van de Beekstraat 354, 1118 CZ Luchthaven Schiphol, Noord-Holland, Netherlands
Processing activity: Software execution and data processing

Name: CloudConvert (Lunaweb GmbH)
Location of processing: Nördliche Münchner Straße 47, DE-82031 Grünwald, Germany (commercial register: Amtsgericht München, register entry HRB 238086)
Processing activity: Media conversion

C.6 Instructions for the transfer of personal data to third countries

The Data Processor is instructed to transfer personal data to the following country(ies) outside the EU/EEA / international organization(s): USA / Intercom.

In these cases, processing and transfer are carried out in accordance with the EU-U.S. Data Privacy Framework, and Intercom has implemented EU Standard Contractual Clauses (SCCs) for the company's other subsidiaries in order to ensure broad compliance with data protection law.

If the controller does not provide in these Clauses or subsequently a documented instruction regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of these Clauses.


C.7 Procedures for the controller's audits, including inspections, of the processing of personal data entrusted to the processor

The controller or a representative of the controller shall carry out the inspection by sending a questionnaire to the data processor, which the data processor shall answer in order to determine the data processor's compliance with the General Data Protection Regulation, data protection provisions of other EU law or Member State law and these Clauses.

C.8 Procedures for audits, including inspections, of processing of personal data entrusted to sub-processors

The data processor or a representative of the data processor shall carry out an inspection by sending a questionnaire to the sub-processor, which the sub-processor shall answer, in order to determine the sub-processor's compliance with the GDPR, data protection provisions of other EU law or Member State law and these Clauses.

The controller may, upon request, obtain the results of the processor's inspections of sub-processors, including relevant findings and any significant issues identified, to the extent necessary to assess compliance with data protection rules in the supply chain.

We refer to subcontractors' data processing declarations:

Microsoft's privacy statement

How Intercom complies with GDPR

Data Processing Agreement Visma e-conomic A/S

CloudConvert Privacy Policy

When supervising sub-processors, XpressU makes use of the Danish Data Protection Agency's guidelines.