Data Processing Agreement

Pursuant to Article 28 of the General Data Protection Regulation (GDPR) · Effective 10 July 2026

This Data Processing Agreement forms an integral part of our Terms of Service for services where we process personal data on your company's behalf and becomes binding when the Main Agreement is entered into. If your customer relationship was entered into under an earlier version of the terms, or you need a separate countersigned copy, request one at kontakt@dinfirmaadresse.dk.

This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It forms part of, and is subject to, the Terms of Service and any service agreement (the "Main Agreement") between:

  • Dinfirmaadresse.dk ApS, CVR 45957969, Gunderupvej 16, 9260 Gistrup, Denmark (the "Processor"); and
  • The customer identified in the Main Agreement (the "Controller").

Where the Controller acts on behalf of its own customers, the Processor may act as a sub-processor; in that case obligations equivalent to those below apply. In the event of conflict between this DPA and the Main Agreement on matters of personal-data protection, this DPA prevails.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller to provide the services ordered under the Main Agreement: a virtual business address and mail handling (receipt, notification, scanning, digital storage, forwarding or physical hand-over) and, where purchased, telephone answering (receiving and transferring calls, recording contact details and messages, and delivering call summaries). Processing also includes the necessary account administration, continues for the duration of the Main Agreement and terminates in accordance with clause 9.

2. Nature and purpose of processing

  • Purpose:Provision of a registered business address, mail handling and, where purchased, telephone answering on the Controller's behalf.
  • Categories of data subjects:The Controller's representatives and account users; senders and named recipients of correspondence; persons calling the Controller; and any third parties whose personal data appears in received mail or telephone messages.
  • Categories of personal data: Name, business and postal address, email, telephone number, account and billing data; call time, contact details and message content; and any personal data contained in received correspondence (which may be unstructured).
  • Special categories: Not requested or required by the service. Any special-category data present in received mail or telephone messages is incidental and processed only as needed to store, notify, scan, forward or communicate the relevant item or enquiry.

3. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including this DPA and use of the service, unless required otherwise by EU or Danish law (in which case it will inform the Controller in advance unless the law prohibits this).
  • Ensure that persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures pursuant to Article 32 GDPR (see Annex 1).
  • Respect the conditions in clause 4 for engaging sub-processors.
  • Assist the Controller, taking into account the nature of processing, in responding to data-subject requests under Chapter III GDPR.
  • Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data-protection impact assessments).
  • Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting the Controller's data.
  • At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Danish law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, on reasonable notice.

4. Sub-processors

The Controller grants a general authorisation for the Processor to engage sub-processors for hosting, storage, transactional notifications, error monitoring, mail logistics and payment processing. The Processor imposes data-protection obligations equivalent to those in this DPA on each sub-processor and remains liable for their performance. The Processor will inform the Controller of intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object on reasonable grounds.

Current providers

ProviderRole and purposePrimary location / transfer mechanism
VercelSub-processor — application hosting and server functionsRuntime in Ireland; provider processing may occur in the US and other countries under SCCs or another valid mechanism
Supabase (AWS)Sub-processor — database and mail-scan storagePrimary storage in the EU — Ireland (eu-west-1); other provider processing under a valid transfer mechanism
ResendSub-processor — transactional email, including mail notificationsUS — EU-US Data Privacy Framework and/or SCCs
SentrySub-processor — error monitoring and operational securityPrimary data storage in the EU — Germany
StripeSub-processor or independent controller depending on the payment activityIreland, the US and other service locations under an applicable adequacy decision and/or SCCs

The providers are sub-processors to the extent they process personal data on our behalf. For certain legal, fraud-prevention and payment activities, Stripe may act as an independent controller; those activities are not governed by this DPA. The Processor keeps this list current and will inform the Controller of material changes.

5. International transfers

The primary database and mail-scan storage are located in Ireland. Selected providers, including Vercel, Resend and Stripe, may process the personal data necessary for their function in the United States or other countries outside the EU/EEA. Such transfers are made only under a valid Chapter V GDPR mechanism (for example an adequacy decision, the EU-US Data Privacy Framework or the European Commission's Standard Contractual Clauses). Current locations and transfer mechanisms are listed in clause 4.

6. Obligations of the Controller

  • The Controller warrants that it has a valid legal basis for the processing and that its instructions comply with applicable data-protection law.
  • The Controller is responsible for the lawfulness of the personal data it (and its correspondents) transmit to the Processor via received mail.

7. Security

The Processor maintains the technical and organisational measures set out in Annex 1, appropriate to the risk, taking into account the state of the art, costs, and the nature, scope, context and purposes of processing.

8. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability agreed in the Main Agreement. Nothing in this DPA limits either party's liability where such limitation is not permitted under applicable data-protection law.

9. Term and termination

This DPA takes effect on the date of the Main Agreement and remains in force for as long as the Processor processes personal data on behalf of the Controller. On termination, the Processor deletes or returns the data in accordance with clause 3. If EU or Danish law requires specific data to be retained, it will be isolated from ordinary processing and used only for the statutory purpose until it can be deleted.

10. Governing law and venue

This DPA is governed by Danish law. Disputes are subject to the venue agreed in the Main Agreement or, failing that, the courts of Denmark.

Annex 1 — Technical and organisational measures (Article 32 GDPR)

Access control (primary safeguard for mail content)

  • Row-Level Security (RLS) enforces per-user ownership: a user can only access records belonging to their own account.
  • Scanned mail is stored in a private storage bucket; no public URLs are ever issued.
  • Access to a scanned item requires a server-side ownership check, after which a short-lived signed URL (valid for one hour) is minted; no persistent public links exist.
  • Role-based access to the customer portal with unique accounts and session controls.

Encryption

  • In transit: TLS/HTTPS between the user's device, the application and the core storage providers.
  • At rest: provided transparently at the infrastructure/storage layer (AES-256) by the hosting sub-processor for both the database and stored mail scans.
  • Application-level AES-256-GCM encryption is additionally applied to stored third-party API credentials and OAuth tokens.

Other measures

  • Physical security: received physical mail stored in access-controlled premises; scanned items handled by authorised personnel only.
  • Confidentiality: staff and sub-processors bound by confidentiality obligations.
  • Resilience: regular backups and the ability to restore availability of data in a timely manner.
  • Data minimisation and retention: mail and scans retained only as long as necessary for the service or as required by law, then deleted.
  • Breach management: documented procedure for detecting, assessing and reporting personal-data breaches.