1. Parties
3460 Birkerød
Denmark
contact@dpoagent.dk
This Data Processing Agreement ("DPA") forms part of the service agreement between the Controller and the Processor and applies to all processing of personal data carried out by DPO Agent on behalf of the Customer.
2. Subject matter and purpose
DPO Agent provides an AI-powered legal advisory service for data protection professionals. In the course of providing this service, the Processor may process personal data that the Controller or its authorised users include in queries submitted to the service.
Important: DPO Agent is designed to operate without storing personal data.
The processing is carried out for the sole purpose of generating AI-assisted legal guidance responses in real time.
3. Nature and categories of personal data
| Category | Description |
|---|---|
| Authentication data | Microsoft Entra ID authentication tokens and user display names, processed solely for access control purposes. |
| Query content | Any personal data that a user voluntarily includes in a query submitted to the service. |
| Technical logs | Response times, error codes, and other technical telemetry. No query content is logged. |
The data subjects may include employees, customers, or other individuals whose data the Controller's authorised users choose to reference in their queries.
4. Obligations of the Processor
DPO Agent undertakes to:
- Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries (GDPR art. 28(3)(a)).
- Ensure that persons authorised to process the personal data are bound by confidentiality obligations (GDPR art. 28(3)(b)).
- Implement appropriate technical and organisational security measures in accordance with GDPR Article 32.
- Not engage sub-processors without prior written authorisation from the Controller (GDPR art. 28(2)).
- Assist the Controller in fulfilling its obligations regarding data subject rights under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with security, breach notification, DPIA and prior consultation obligations (GDPR art. 28(3)(f)).
- Delete or return all personal data upon termination of the service, at the choice of the Controller (GDPR art. 28(3)(g)).
- Make available all information necessary to demonstrate compliance and cooperate with audits (GDPR art. 28(3)(h)).
5. Sub-processors
The Controller provides general authorisation for DPO Agent to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, AI model hosting (Azure OpenAI GPT-4o), authentication (Microsoft Entra ID), and storage | Sweden Central (EU) |
| SendGrid (Twilio) | Transactional email delivery for contact form confirmations | USA (SCCs in place) |
DPO Agent will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Microsoft processes data under its standard Data Processing Addendum and EU Standard Contractual Clauses.
6. International transfers
All primary processing takes place within the European Union on Microsoft Azure infrastructure in Sweden Central.
For transactional email delivery via SendGrid (Twilio Inc., USA), transfers to the United States are governed by the EU Standard Contractual Clauses (Commission Decision 2021/914), supplemented by Twilio's Transfer Impact Assessment.
7. Technical and organisational security measures
DPO Agent has implemented the following measures in accordance with GDPR Article 32:
- Encryption in transit: All traffic is encrypted via TLS 1.2+.
- Access control: Authentication via Microsoft Entra ID SSO. No unauthenticated access is possible.
- No data retention: Conversation content is not stored. Azure OpenAI Stored Completions feature is disabled.
- Secrets management: API keys are stored as encrypted environment variables in Azure. No credentials are kept in source code.
- Managed Identity: Service-to-service authentication via Azure Managed Identity — no credentials stored.
- HTTPS enforced: HTTP requests are redirected to HTTPS.
A full description of privacy and security measures is available at dpoagent.dk/privacy.
8. Data subject rights
DPO Agent will assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (right of access, erasure, rectification, restriction, portability, and objection).
Requests relating to authentication data held by Microsoft Entra ID should be directed to the Controller's Microsoft 365 administrator, as DPO Agent does not independently store identity data.
9. Personal data breaches
DPO Agent will notify the Controller without undue delay — and no later than 48 hours — after becoming aware of a personal data breach affecting data processed under this DPA, in accordance with GDPR Article 33.
Notifications shall be sent to the contact email address registered at the time of sign-up, or to contact@dpoagent.dk if a designated contact has been specified.
10. Duration and termination
This DPA remains in force for the duration of the service agreement between the parties. Upon termination of the service agreement, DPO Agent will, within 30 days:
- Delete all personal data processed under this DPA, unless retention is required by applicable law.
- Provide written confirmation of deletion upon request.
As DPO Agent does not store conversation data, the primary data requiring deletion upon termination is authentication data held in Microsoft Entra ID, which is managed by the Controller.
11. Governing law and jurisdiction
This DPA is governed by Danish law. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the Danish courts, with the City Court of Copenhagen as the court of first instance.
This DPA implements the requirements of GDPR Article 28 and the Danish Data Protection Act (Databeskyttelsesloven, LBK nr. 289 af 15/03/2024).
12. Amendments and versioning
DPO Agent may update this DPA to reflect changes in applicable law, sub-processors, or technical measures. Material changes will be notified to the Controller at least 30 days before taking effect.
The current version and effective date are displayed at the top of this page. Previous versions are available on request.
| Version | Date | Summary of changes |
|---|---|---|
| v1.0 | 4 June 2026 | Initial version |