Legal

Data Processing Agreement

Last updated: May 16, 2026

1. Parties and Purpose

This Data Processing Agreement ("DPA") is entered into between:

Controller: The Customer (as defined in the Terms of Service)
Processor: AddonNordic ApS, CVR 46495985, Denmark

This DPA governs AddonNordic's processing of personal data on behalf of the Customer in connection with use of AddonNordic services, pursuant to GDPR Art. 28.

2. Nature and Purpose of Processing

ParameterDescription
PurposeDelivery of AddonNordic services
Data typesCompany data, contact details, transaction data
Categories of data subjectsCustomer's clients and business contacts
DurationTerm of agreement + 30 days for deletion

3. Processor Obligations

AddonNordic commits to:

  1. Processing personal data solely on documented instructions from the Customer
  2. Ensuring confidentiality — access restricted to authorised personnel only
  3. Implementing appropriate technical and organisational security measures
  4. Not engaging sub-processors without the Customer's approval (see § 4)
  5. Assisting the Customer in fulfilling data subject rights (access, erasure, etc.)
  6. Notifying the Customer without undue delay in the event of a personal data breach
  7. Deleting or returning all personal data upon termination of the agreement
  8. Making all necessary information available to demonstrate compliance

4. Sub-processors

The Customer grants general prior authorisation to the following sub-processors:

Sub-processorPurposeLocation
Supabase Inc.Database and authenticationEU (Frankfurt)
Paddle.com Market Ltd.Payment processingUK/EU
Crisp IM SARLCustomer supportEU (France)
Resend Inc.Transactional emailsEU
Sentry (Functional Software)Error trackingEU

AddonNordic will notify the Customer at least 14 days in advance of adding new sub-processors. The Customer may object within this period.

5. Security Measures

AddonNordic applies as a minimum:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls and two-factor authentication on systems handling personal data
  • Regular security reviews
  • All data stored within the EU (Railway EU-West / Render Frankfurt / Supabase EU)

6. Data Breaches

In the event of a confirmed or suspected personal data breach, AddonNordic will notify the Customer within 72 hours, including:

  • Description of the incident
  • Categories and approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

7. Audits

The Customer has the right to conduct or commission an audit of AddonNordic's data processing activities with 30 days' written notice. AddonNordic will cooperate and provide relevant documentation.

8. Termination

Upon termination of this DPA, AddonNordic will delete all personal data processed on behalf of the Customer within 30 days, unless EU or Danish law requires continued retention.

9. Governing Law

This DPA is governed by Danish law and the GDPR.

10. Contact

Questions regarding this DPA: [email protected]