1. Parties and Purpose
This Data Processing Agreement ("DPA") is entered into between:
Controller: The Customer (as defined in the Terms of Service)
Processor: AddonNordic ApS, CVR 46495985, Denmark
This DPA governs AddonNordic's processing of personal data on behalf of the Customer in connection with use of AddonNordic services, pursuant to GDPR Art. 28.
2. Nature and Purpose of Processing
| Parameter | Description |
|---|---|
| Purpose | Delivery of AddonNordic services |
| Data types | Company data, contact details, transaction data |
| Categories of data subjects | Customer's clients and business contacts |
| Duration | Term of agreement + 30 days for deletion |
3. Processor Obligations
AddonNordic commits to:
- Processing personal data solely on documented instructions from the Customer
- Ensuring confidentiality — access restricted to authorised personnel only
- Implementing appropriate technical and organisational security measures
- Not engaging sub-processors without the Customer's approval (see § 4)
- Assisting the Customer in fulfilling data subject rights (access, erasure, etc.)
- Notifying the Customer without undue delay in the event of a personal data breach
- Deleting or returning all personal data upon termination of the agreement
- Making all necessary information available to demonstrate compliance
4. Sub-processors
The Customer grants general prior authorisation to the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | EU (Frankfurt) |
| Paddle.com Market Ltd. | Payment processing | UK/EU |
| Crisp IM SARL | Customer support | EU (France) |
| Resend Inc. | Transactional emails | EU |
| Sentry (Functional Software) | Error tracking | EU |
AddonNordic will notify the Customer at least 14 days in advance of adding new sub-processors. The Customer may object within this period.
5. Security Measures
AddonNordic applies as a minimum:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and two-factor authentication on systems handling personal data
- Regular security reviews
- All data stored within the EU (Railway EU-West / Render Frankfurt / Supabase EU)
6. Data Breaches
In the event of a confirmed or suspected personal data breach, AddonNordic will notify the Customer within 72 hours, including:
- Description of the incident
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
7. Audits
The Customer has the right to conduct or commission an audit of AddonNordic's data processing activities with 30 days' written notice. AddonNordic will cooperate and provide relevant documentation.
8. Termination
Upon termination of this DPA, AddonNordic will delete all personal data processed on behalf of the Customer within 30 days, unless EU or Danish law requires continued retention.
9. Governing Law
This DPA is governed by Danish law and the GDPR.
10. Contact
Questions regarding this DPA: [email protected]