1.1 This agreement (the "Agreement") has been entered into between the user company (the "Data Controller") and Exitplanner.app ApS (the "Data Processor" or "Exitplanner"), each referred to as a "Party" and collectively the "Parties".
1.2 This Agreement sets out the rights and obligations of the Data Controller and the Data Processor, when processing personal data on behalf of the Data Controller.
1.3 The Data Processor processes the types of personal data on behalf of the Data Controller that are listed in Appendix 1, and which are necessary for the use of the Exitplanner service. The personal data relates to the registered persons listed in Appendix 1.
2.1 The Data Processor may only process personal data for purposes that are necessary for the Data Controller to use the Exitplanner service.
3.1 To the extent that the Data Controller processes personal data in connection with the use of the Exitplanner service, the Data Controller is responsible for the existence of a legal basis for processing, including that any consent is specific, freely given, unambiguous and informed. The Data Controller is obliged, at the Data Processor's request, to explain in writing and / or document the basis for processing.
4.1 The Data Processor may only process the personal data necessary for making the Exitplanner-service available to the Data Controller in accordance with the terms and conditions, which may at any time be found at Exitplanner's website (exitplanner.app/legal/terms-of-service) ("Terms and Conditions"). The Data Processor is obligated to comply with all data protection legislation in force from time to time.
4.2 The Data Processor must take all necessary technical and organizational security measures, including any additional measures, required to ensure that the personal data specified in sec. 1.2 and 1.3 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorized third parties, abused or otherwise processed in a manner which is contrary to the Danish data protection legislation in force at any time.
4.3 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
4.4 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of applicable data protection legislation, including the requirement for documentation of data flows and written procedures/policies for the processing of personal data.
4.5 If the Data Processor processes personal data in another EU/EEA member state, the Data Processor is obligated to comply with applicable legislation regarding security measures in the country in question.
4.6 The Data Processor must notify the Data Controller if there is an interruption in operation, a suspicion that data protection rules have been breached or other irregularities in connection with the processing of the personal data occur. If requested by the Data Controller, the Data Processor must assist the Data Controller with clarifying the extent of the security breach, including notifying the data subjects and the relevant authorities including the Danish Data Protection Agency and/or data subjects.
4.7 The Data Processor must make available to the Data Controller all information necessary to demonstrate that the Processor has implemented the necessary technical and organizational security measures. At the expense of the Data Controller, the Data Processor allows for and agrees to contribute with input in connection with a yearly data protection audit by an independent third party. The Data Controller must compensate the Data Processor for time spent in relation to such audits.
4.8 The Data Processor, or and any of its sub-data processors, must send requests and objections from data subjects to the Data Controller, for the Data Controller's further handling, unless the Data Processor is entitled to handle such requests and objections itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering and handling any such requests and/or objections.
5.1 The Data Processor may only transfer the personal data as stipulated in sec. 1.2 to sub-data processors with the written approval from the Data Controller. The Data Controller may only disclose personal data to third parties with the written approval from the Data Controller or if this follows from applicable legislation.
5.2 The Data Controller hereby grants the Data Processor a general power of attorney to enter into agreements with sub-data processors. The Data Processor must notify the Data Controller of any changes concerning the addition or replacements of sub-data processors by giving no more than one month's notice of such addition or replacement. The Data Controller can make reasonable and relevant objections against such changes.
5.3 When the Data Controller has approved that the Data Processor can use a sub-data processor the Data Processor must impose the same obligations on the sub-data processor as set out in this Agreement by entering into a separate data processing agreement with such sub data controller on terms identical to the terms of this Agreement ("back-to-back" terms).
5.4 If the personal data is transferred to sub-data processors outside EU/EEA, it must, in the data processing agreement, be stated that the data protection legislation applicable in the Data Controller's country applies to sub-data processors. If the receiving sub-data processor is established within the EU/EEA, it must be stated in the data processing agreement that the receiving EU country's specific statutory requirements regarding data processors, e.g. concerning demands for notification to national authorities must be complied with.
5.5 The Data Processor is obliged to enter into written data processor agreements with sub-data processors within the EU/EEA. As for sub-data processors outside the EU/EEA, the Data Processor must ensure the sufficient transfer mechanisms and enter into a sub-data processor agreement by entering into standard agreements in accordance with the EU Commission's Standard Contractual Clauses ("Standard Contracts"). Standard Contracts can be based on either Decision 2010/87/EU of 5 February 2010 or 2016/679/EU of 4 June 2021:
5.5.1 Standard Contracts based on 2010/87/EU of 5 February 2010 can be entered into until 27 September 2021 and can be used until 27 December 2022, whereafter they must be replaced by Standard contracts based on the General Data Protection Regulation 2016/679/EU of 4 June 2021.
5.5.2 Standard Contracts based on decision 2016/679/EU of 4 June 2021 can be used from 27 June 2021.
5.6 At the time of signing this Agreement, the Data Processor engages the sub-data processors listed in Schedule 2.
6.1 The Parties liability are regulated by ordinary Danish rules on tort and damages. However, no Party is entitled to claim damages for indirect losses or consequential damage irrespective of whether these are suffered by the Data Controller, the Data Processor or a third party. Losses in relation to lost business potential, loss of profit, operating loss, loss of goodwill, loss of data, hereunder as part af recreation of data, will always be considered indirect losses or consequential damage.
6.2 The Data Processor's total liability to pay damages under the Agreement is capped in accordance with sec. 9 and 10 in the Terms and Conditions.
7.1 The Agreement becomes effective according to sec. 2 of the Terms and Conditions.
7.2 The Agreement will terminate in accordance with sec. 2 and 7 of the Terms and Conditions. However, the Data Processor remains subject to the obligations stipulated in this Agreement, as long as the Data Processor processes personal data on behalf of the Data Controller.
7.3 Upon termination of this Agreement the Data Controller is entitled to demand deletion or return all personal data unless retention of the personal data is prescribed by EU or national law. Personal data will be handed over on an ordinary machine-readable media determined by the Data Processor.
8.1 This Agreement is governed by Danish law.
8.2 Any claim or dispute arising from or in connection with this Agreement is subject to Danish law. Any claim or dispute must be brought before the City Court of Copenhagen.
Types of personal data:
Regarding the Data Processor's cloud-based infrastructure the Data Processor use Google Cloud Platform (hereafter "GCP"), a branch of Alphabet Inc. The Data Processor has entered into a data processor agreement with AWS on standard terms.
For email correspondence between the Data Processor and the Data Controller the Data Processor use Google Workspace, a Google LLC product (https://workspace.google.com), established in USA. The Data Processor has entered into a data processor agreement with Google LLC on standard terms.
The Data Processor has entered into a data processor agreement with Intercom, Inc. a Delaware corporation with offices at 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA, (https://intercom.com), on standard terms for showing messages to the user based on their behavior and with the purpose of improving the user experience.
The Data Processor has entered into a data processor agreement with Segment.io Inc, 101 Spear Street, Fl. 1, San Francisco, CA 94105-1580, USA on standard terms, for tracking and product analytics data.
The Data Processor has entered into a data processor agreement with Amplitude, Inc., 201 Third Street, Suite 200, San Francisco, CA 9410, USA on standard terms, for the processing of product analytics data with the purpose of improving the product.
The Data Processor has entered into a data processor agreement with HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA on standard terms, for custom relationship management.