Data Processing Agreement

1. Parties

This data processing agreement is entered into between:

The parties expressly agree that this is a controller-processor relationship within the meaning of GDPR Art. 28 and NOT a joint-controller relationship within the meaning of Art. 26. Each party determines its own purposes and means of processing only in respect of the data flows for which it is the controller; neither party becomes a joint controller of the other's separately determined processing. This clarification aligns with EDPB Guidelines 07/2020 on the concepts of controller and processor.

2. Background and purpose

The Customer has entered into an agreement with Philip Sloth for managed-service hosting and maintenance of the Customer's website / application / SaaS (hereinafter the "Service"). As part of delivering the Service, Philip Sloth processes personal data about the Customer's end-users on behalf of the Customer. This agreement satisfies the requirements of GDPR Article 28 and Section 7 of the Danish Data Protection Act for a written agreement between controller and processor.

3. Subject matter and duration

The subject matter of processing is the operation, hosting, maintenance, and continued development of the Service. The duration of this agreement follows the underlying managed-service engagement: this agreement enters into force at the start of the engagement and terminates automatically when the engagement ends (cf. § 16). Obligations regarding confidentiality, return or deletion of data, and audit rights survive termination for 5 years, cf. § 16.

4. Nature and purpose of processing

Processing includes receipt, storage, transmission, display, backup, indexing, and deletion of personal data as necessary for the Service to function according to the Customer's specification. The purpose is to make the Customer's digital service available to end-users. Philip Sloth does not analyse, profile, or resell the Customer's end-user data; data is processed solely as part of the operational delivery of the Service.

5. Categories of personal data and data subjects

6. Documented instructions (Art. 28(3)(a))

Philip Sloth processes personal data solely on the Customer's documented instructions. Documented instructions consist of: (a) this agreement, (b) the underlying Statement of Work, (c) the Customer's written additions or changes, and (d) the Customer's configuration of the Service (admin settings, permissions, integration set-up). If Philip Sloth receives an instruction that, in his reasonable judgement, conflicts with the GDPR or other EU or Member State law, Philip Sloth shall notify the Customer without undue delay before processing begins.

Note: Where Danish law obliges Philip Sloth to process personal data without the Customer's instruction (e.g. court order, Bogføringsloven §12), Philip Sloth shall notify the Customer before processing unless that law prohibits such notification on grounds of important public interest.

Philip Sloth maintains a record of all categories of processing activities carried out on behalf of the Customer in accordance with GDPR Article 30(2). The record contains: (i) the name and contact details of Philip Sloth; (ii) the categories of processing carried out; (iii) where applicable, transfers to third countries with safeguards documented; (iv) where possible, a general description of the technical and organisational security measures referred to in Art. 32. The record is made available to Datatilsynet on request, and to the Customer on reasonable written request as part of audit-rights exercise (cf. § 13).

7. Confidentiality (Art. 28(3)(b))

Philip Sloth is a sole proprietor and is the only natural person with access to the personal data. Philip Sloth is bound to confidentiality both contractually under this agreement and statutorily under § 19 of the Danish Marketing Practices Act (trade secrets). Where sub-processors (cf. § 9) have access to personal data, Philip Sloth ensures they are bound by equivalent confidentiality obligations or by statutory professional secrecy.

8. Security measures (Art. 28(3)(c) and Art. 32)

Philip Sloth implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, cf. GDPR Article 32. The measures listed below CONSTITUTE the contractual minimum baseline under this agreement and may not be downgraded without the Customer's written acceptance. Measures may be upgraded (e.g. newer TLS version, stronger algorithm, supplementary layer) without the Customer's acceptance so long as the overall protection level is not reduced.

• Encryption in transit: TLS 1.3 on all endpoints (Cloudflare-managed); HSTS enabled with preload.
• Encryption at rest: AES-256 on the Supabase database (Postgres-level, automatically managed by Supabase) and on the Cloudflare R2 backup bucket.
• Pseudonymisation where relevant: customer tokens and payment-link tokens are non-guessable random strings; user identifiers are UUIDs, not sequential.
• Row Level Security (RLS) enabled on every Postgres table — customers cannot read each other's data.
• Service-role keys server-side only (Cloudflare Worker secrets), never in browser bundles. No credentials or secrets committed to Git.
• Cloudflare Turnstile + honeypot + per-IP rate-limiting on public forms (defence against credential stuffing and automated abuse).
• Magic-link authentication for admin panels (no passwords to steal), allowlist-based access.
• Stripe webhook signatures verified via HMAC-SHA256 (rejects forged webhooks).
• Backup and restoration (Art. 32(1)(c)): daily automated backup to Cloudflare R2 (03:30 UTC) with SHA-256 hash-chain tamper-evidence + local Sync.com archival. RPO (Recovery Point Objective): max 24 hours. RTO (Recovery Time Objective): max 4 hours for critical data, 24 hours for full recovery. 5-layer 3-2-1 backup architecture (live database → R2 cloud → local disk → external SSD monthly → GitHub schema).
• Regular testing and evaluation (Art. 32(1)(d)): Supabase advisors (Security + Performance) run on every migration. Hash-chain verification of backups runs daily automatically. Restore drill performed at least every 6 months (procedure documented in RUNBOOK §12).
• Security monitoring: Cloudflare logging, Supabase audit log, and application logging of all privileged operations (admin actions, deletions, API key rotation). Logs retained 90 days rolling in Cloudflare and 13 months in cold archive.

The current — and potentially extended — list is also available at /legal/processing-record. In case of conflict between the list above and /legal/processing-record, the higher security standard between the two prevails.

9. Sub-processors (Art. 28(2) and 28(3)(d))

The Customer hereby gives its general written authorisation for Philip Sloth to use the sub-processors listed at /legal/sub-processors. That page is the canonical, up-to-date list. When Philip Sloth intends to add or replace a sub-processor, Philip Sloth shall notify the Customer at least 30 calendar days in advance by email to the contact specified in the Statement of Work. The Customer has the right to object to the new sub-processor within the notice period. If the Customer objects and the parties cannot find a commercially reasonable alternative, the Customer may terminate the Service with immediate effect and receive a refund for any prepaid period.

Philip Sloth imposes on every sub-processor — by written data processing agreement or other legal act — the same data protection obligations as those set out in this agreement, cf. GDPR Art. 28(4). Philip Sloth is fully liable to the Customer for the sub-processors' fulfilment of their obligations.

Annex 3 captures the sub-processor list AS OF the effective date of this DPA — the frozen snapshot. The /legal/sub-processors page is the canonical update channel: additions and removals announced there constitute the 30-day prior notice required under this section. The Customer should subscribe to the page or set a calendar reminder for semi-annual review.

10. Assistance with data-subject rights (Art. 28(3)(e))

Taking into account the nature of the processing, Philip Sloth shall — insofar as this is possible — assist the Customer by appropriate technical and organisational measures in fulfilling the Customer's obligation to respond to requests for the exercise of data-subject rights (access, rectification, erasure, restriction, portability, and objection — GDPR Art. 15-22).

If a data subject contacts Philip Sloth directly, Philip Sloth shall forward the request to the Customer within 5 business days and shall not respond substantively to the request unless the Customer has requested so in writing.

11. Assistance with security incidents and DPIAs (Art. 28(3)(f))

If Philip Sloth becomes aware of a personal data breach (Art. 4(12) GDPR), Philip Sloth shall notify the Customer without undue delay and no later than 24 hours after becoming aware. The notification shall contain at least the information specified in Art. 33(3) GDPR to the extent available at the time of notification, including a description of the breach, the categories and approximate number of affected data subjects and records, the likely consequences, and the measures taken or proposed to address the breach. The short 24-hour window gives the Customer time to fulfil the 72-hour notification obligation to the supervisory authority (Datatilsynet), cf. Art. 33(1) GDPR.

Philip Sloth shall also assist the Customer — taking into account the nature of processing and the information available to Philip Sloth — with data protection impact assessments (DPIA, Art. 35) and prior consultations (Art. 36).

12. Return or deletion (Art. 28(3)(g))

Upon termination of the engagement, Philip Sloth shall — at the Customer's choice — delete or return all personal data to the Customer and delete all existing copies, unless EU or Danish law requires continued storage. The Customer has an 14 calendar-day export window from the termination date to make its choice and receive the data, cf. also § 4.4 of Payment Terms. After the export window expires, data is permanently deleted — except data subject to Bogføringsloven §12 (5-year statutory retention), which Philip Sloth retains for the statutory period in a separate accounting archive outside the production environment and solely for the purpose of fulfilling the accounting obligation.

13. Audit rights (Art. 28(3)(h))

The Customer has the right — once per calendar year and on at least 30 days' written notice — to audit Philip Sloth's compliance with this agreement. Audits are performed by written questionnaire and documentation review (Philip Sloth operates as a sole proprietor and cannot accommodate on-site audits without material disruption to operations). Audits must not compromise other customers' data or confidential matters.

For sub-processors, Philip Sloth shall provide on written request:

• Cloudflare: ISO 27001:2022, ISO 27018, ISO 27701, SOC 2 Type II, PCI-DSS Level 1, and EU-US Data Privacy Framework certification.
• Stripe: PCI-DSS Level 1, SOC 1 Type II, SOC 2 Type II, ISO 27001, and EU-US Data Privacy Framework + EEA SCCs (Modules 2 and 3).
• Supabase: SOC 2 Type II, HIPAA-readiness documentation, EU region (eu-central-1, Frankfurt) — data does not leave the EU during normal operation.
• Resend: SOC 2 Type II, EU-US Data Privacy Framework certification, and DPA on file.

The list is current as of this DPA's effective date. If a sub-processor changes or loses a certification, Philip Sloth notifies the Customer within 30 days per § 9. Philip Sloth — as a sole proprietor — does NOT hold an independent SOC 2 or ISO 27001 certification; the technical and organisational measures specified in § 8 constitute the documented security standard, and Annex 2 + /legal/processing-record serve as public evidence.

If Datatilsynet or another competent supervisory authority requires an audit on Philip Sloth, Philip Sloth shall fully cooperate — without prior notice — to the extent required by law. The Customer's audit right is not displaced by an authority audit.

14. International transfers (GDPR Chapter V)

Some sub-processors are established in the United States — primarily Stripe Inc. and Resend. Transfers are made under the EU-US Data Privacy Framework (Commission Implementing Decision 2023/1795), supplemented — where relevant — by Standard Contractual Clauses (Commission Implementing Decision 2021/914, Modules 2 and 3). The relevant services are certified under the DPF and listed at dataprivacyframework.gov.

A copy of the relevant SCCs is provided to the Customer on written request. If the DPF decision is annulled, or a sub-processor loses its DPF certification, Philip Sloth shall without undue delay implement appropriate supplementary measures or replace the sub-processor — observing the notification process in § 9.

In line with EDPB Recommendations 01/2020 on supplementary measures for transfer tools, Philip Sloth has conducted a Transfer Impact Assessment (TIA) for the US-based sub-processors listed in Annex 3. The TIA covers:

• (a) the legal regime in the third country (US) including FISA Section 702 and Executive Order 12333 considerations and Schrems II-relevance assessment;
• (b) technical safeguards (encryption in transit via TLS 1.3, encryption at rest, access controls, sub-processor SOC 2 Type II);
• (c) contractual safeguards (DPF certification + SCCs Modules 2/3);
• (d) Philip Sloth's commitment to challenge unlawful access requests and notify the Customer of any government-access request received — to the extent lawful to do so.

The TIA is updated when material changes occur in the third-country legal regime or in the sub-processor's safeguards and is provided to the Customer on written request. If the TIA concludes that the combined safeguards are no longer essentially equivalent to the EU level, Philip Sloth suspends transfers and implements supplementary measures or replaces the sub-processor.

15. Liability and indemnification

Each party is liable for damages caused by that party's failure to comply with the GDPR and this agreement. The general liability cap in § 9 of Payment Terms applies equally to liability under this agreement, except that liability for direct losses tied to a specific fine from Datatilsynet or another supervisory authority is bounded only by Art. 82 GDPR (not by the contractual liability cap).

The contractual liability cap for direct losses under this DPA equals the total fees paid by the Customer to Philip Sloth in the 12 months preceding the event giving rise to liability, with a floor of DKK 5,000 and a ceiling of DKK 500,000 per event. Indirect losses, consequential damages, business interruption, lost profits, and data-reconstruction costs are excluded from the liability cap in line with § 9 of Payment Terms, unless the loss is caused by gross negligence or wilful breach.

Where a fine is imposed as a result of one party's breach, the other party shall be indemnified to the extent the liability can be attributed to the breaching party. Where liability is joint, the fine shall be apportioned proportionally per Art. 82(4) GDPR. Fine-related liability is NOT bounded by the contractual cap above — only by Art. 82 GDPR's own framework — because the parties cannot contractually waive their statutory fine liability towards Datatilsynet.

16. Term, termination, and survival

This agreement enters into force simultaneously with the underlying managed-service agreement and terminates automatically when the underlying agreement terminates. The following provisions survive termination for 5 years: § 7 (confidentiality), § 12 (return or deletion), § 13 (audit), § 15 (liability). § 8 (security measures) survives for as long as Philip Sloth retains the Customer's personal data due to a statutory retention obligation.

17. Governing law and disputes

This agreement is governed by Danish law. Disputes are settled by the Maritime and Commercial High Court (Sø- og Handelsretten) in Copenhagen in commercial matters; otherwise by the ordinary Danish courts. Supervision and enforcement of the GDPR is conducted by Datatilsynet independently of the agreement's venue. Consumer disputes may also be brought before the Forbrugerklagenævn (Consumer Complaints Board) in accordance with Danish law.

18. Notices

All notices under this agreement (including breach notifications under § 11, sub-processor change notifications under § 9, audit requests under § 13, terminations, and notices required by law) shall be delivered as follows:

A notice is deemed received on the day of delivery if delivered before 17:00 CET on a business day — otherwise the next business day. A read receipt or mail-server delivery acknowledgement constitutes sufficient delivery. The burden of proof for correct delivery lies with the sender in case of dispute.

19. Order of precedence

The engagement is governed by several documents. In the event of conflict between provisions in different documents, the following order of precedence applies — the higher document prevails over the lower:

1. Standard Contractual Clauses (Commission Implementing Decision 2021/914) where applicable to international transfers;
2. This Data Processing Agreement (DPA);
3. The underlying Statement of Work (SoW) for the specific engagement;
4. Payment Terms (philipsloth.com/legal/payment-terms);
5. Terms (philipsloth.com/terms).

For data-protection-specific matters, the SCCs and this DPA always prevail over commercial terms in the SoW or Payment Terms. For commercial matters (prices, delivery dates, termination notice), the SoW prevails over DPA provisions that are not data-protection-related.

20. Language and execution

This agreement is executed in Danish and English. The Danish version controls in case of conflict between the versions; the English version is provided for convenience only. Both versions otherwise have equal force.

Execution may be by (i) physical handwritten signature, (ii) qualified electronic signature per the eIDAS Regulation 910/2014, (iii) advanced electronic signature via a recognised provider (DocuSign, MitID Erhverv, etc.), or (iv) simple electronic acceptance (clickwrap, email confirmation) when the engagement's commercial size justifies it. Counterparts executed by different methods together constitute one agreement.

Annexes