Back to overview

Data Processing Agreement (DPA)

1 Parties

Data Controller:

[Insert: Company name, address, CVR/VAT number]

Contact Person:
[Insert contact person and contact details]

Data Processor:

ChangeForce ApS
Pytgade 11
6400 Sønderborg
CVR: 42229830

Contact: contact@digiops.eu

The above are hereinafter referred to individually as “Party” and jointly as the “Parties”.

2 Preamble

2.1 Definitions such as “personal data”, “special categories of personal data”, “processing”, “data subject”, “controller” and “processor” shall be understood as defined in the GDPR.

2.2 The purpose of this Agreement is to ensure GDPR compliance and to document the Controller’s instructions to the Processor. Processing is carried out for enabling the Controller to use the DigiOps platform — a digital service designed to support operational management, standardization, and compliance documentation — as described in the Terms of Service.

2.3 This Agreement outlines both Parties’ rights and obligations related to personal data processing.

2.4 In case of conflict, this Agreement overrides other terms regarding data processing. It remains valid as long as the Controller uses the DigiOps platform.

2.5 Nothing in this Agreement releases the Processor from its statutory obligations under GDPR.

3 Controller Responsibilities

3.1 The Controller ensures all data processed via DigiOps complies with GDPR Article 24 and other applicable regulations.

3.2 The Controller determines the purpose and means of data processing, including which data is entered or generated.

3.3 The Controller confirms a valid legal basis for processing and for any transfers to sub-processors (see Appendix B).

3.4 The Controller is responsible for the lawfulness, accuracy, integrity, and reliability of the data.

3.5 The Controller ensures all required regulatory approvals are obtained.

3.6 The Controller fulfills its duty to inform data subjects as per GDPR Articles 13 and 14.

3.7 The Controller acknowledges that the Processor has implemented adequate security measures as described in Section 5.

4 Processor Obligations

4.1 The Processor shall process personal data only on documented instructions from the Controller, unless required by EU or Member State law. In such cases, the Processor shall inform the Controller prior to processing, unless prohibited by law.

4.2 The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 The Processor shall not process personal data for its own purposes, including marketing, profiling, or analytics, unless such data has been fully anonymized or aggregated.

4.4 The Processor shall maintain a record of processing activities carried out on behalf of the Controller in accordance with GDPR Article 30(2).

4.5 The Processor shall promptly inform the Controller if, in its opinion, an instruction from the Controller infringes GDPR or other EU/Member State data protection provisions.

5 Security of Processing

5.1 The Processor implements suitable technical and organizational measures in accordance with GDPR Article 32, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.

5.2 Only authorized individuals bound by confidentiality shall access personal data, and only where necessary for the performance of their duties.

5.3 The Processor has implemented the following measures:

  • Risk assessments aligned with GDPR Articles 25 & 32
  • Encryption of data in transit (TLS) and at rest
  • IT security training for all staff
  • Firewall-restricted access and network segmentation
  • Role-based access control with principle of least privilege
  • Automated daily backups with encrypted off-site storage
  • Incident response and disaster recovery procedures
  • Regular vulnerability scanning and penetration testing
  • Controlled change management for infrastructure and application code

5.4 The Processor shall regularly evaluate and, where necessary, update these measures to ensure a level of security appropriate to the risk.

6 Data Subject Rights

6.1 The Processor shall assist the Controller, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests from data subjects exercising their rights under GDPR Chapter III.

6.2 If the Processor receives a request directly from a data subject, it shall promptly forward the request to the Controller and shall not respond to the data subject without the Controller’s prior instruction, unless required by law.

7 Personal Data Breach Notification

7.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach as defined in GDPR Article 4(12).

7.2 The notification shall include, to the extent possible:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the Processor’s contact point
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

7.3 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any data breach.

8 Use of Sub-processors

8.1 The Controller hereby provides general written authorization for the Processor to engage sub-processors listed in Appendix B.

8.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

8.3 The Processor shall impose the same data protection obligations as set out in this Agreement on any sub-processor by way of a written contract in accordance with GDPR Article 28(4).

8.4 Where a sub-processor fails to fulfil its data protection obligations, the Processor shall remain liable to the Controller for the performance of that sub-processor’s obligations.

9 International Data Transfers

9.1 Personal data shall primarily be processed and stored within the EU/EEA. Where a sub-processor listed in Appendix B processes data outside the EU/EEA, such transfer is carried out only under one of the safeguards recognized under GDPR Chapter V (adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules), and the transfer mechanism is identified in Appendix B.

9.2 If a transfer to a third country beyond those listed in Appendix B is necessary, the Processor shall ensure an adequate level of protection through one of the mechanisms recognized under GDPR Chapter V (adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules).

9.3 The core hosting infrastructure for platform data (accounts, content, backups) is located in Germany (see Appendix B). AI-assisted processing features (see Section 13) may transfer limited user-submitted content to a sub-processor in the United States under the EU-US Data Privacy Framework.

10 Audit and Inspection

10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, and shall allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller.

10.2 Audits shall be carried out with reasonable prior notice, during normal business hours, and in a manner that does not unduly disrupt the Processor’s operations. Each Party shall bear its own costs.

11 Termination and Data Deletion

11.1 Upon termination of the service agreement, the Processor shall, at the Controller’s choice, return all personal data to the Controller in a commonly used, machine-readable format, or delete all personal data and confirm such deletion in writing.

11.2 The Controller shall have a reasonable period after termination to request a data export. After this period, the Processor shall delete all personal data within a reasonable timeframe, unless retention is required by EU or Member State law.

11.3 The Processor shall ensure that any sub-processors also delete or return the Controller’s personal data in accordance with this section.

11.4 The Processor may retain anonymized or aggregated data that cannot be linked to any data subject, in accordance with the Terms of Service.

12 Liability

12.1 Each Party shall be liable for damages caused by processing that infringes GDPR, in accordance with Articles 82 and 83.

12.2 The Processor shall be liable for damages caused by processing only where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside of or contrary to the Controller’s lawful instructions.

13 AI-Assisted Processing

13.1 Scope. The DigiOps platform offers AI-assisted features that send user-submitted text to a large-language-model provider (see Appendix B) and return a rewritten or generated response. At the date of this Agreement, the production AI feature is limited to AI text refinement (“Renskrivning”), which reformats and rewrites text the user explicitly submits for that purpose. Additional AI features (such as an in-platform assistant) are in development and will be added to this section before release.

13.2 Legal basis. AI-assisted processing is carried out on the Controller’s instruction, pursuant to GDPR Article 28, and relies on the Controller’s own legal basis for processing the underlying content (typically Article 6(1)(b) performance of contract or 6(1)(f) legitimate interests).

13.3 Data categories sent to the AI sub-processor. Only the specific text the user actively submits to an AI feature, together with a prompt template maintained by DigiOps, is transmitted. No account credentials, platform logs, or other content is sent. The Controller is responsible for not entering special categories of personal data (GDPR Article 9) or other sensitive content into AI-enabled fields.

13.4 International transfer mechanism. The AI sub-processor (OpenAI, L.L.C., United States) is certified under the EU-US Data Privacy Framework. The transfer takes place on that basis, with Standard Contractual Clauses available as a fallback mechanism under OpenAI’s Data Processing Addendum. The Processor may migrate the AI sub-processor to an EU-hosted equivalent (for example, Azure OpenAI Service in an EU region, or another EU-region deployment of a comparable large-language-model service) if business, regulatory, or customer requirements make this preferable. Any such change will be reflected in Appendix B and communicated in accordance with Section 8.2.

13.5 Retention at the sub-processor. Content sent via the standard OpenAI API is retained by the sub-processor for up to 30 days for abuse and misuse monitoring, after which it is deleted. Content submitted through the AI feature is not used by the sub-processor to train its models, in accordance with OpenAI’s API data-usage terms.

13.6 Opt-out. The Controller may disable all AI-assisted processing for its tenant at any time through the company settings (“AI enabled” toggle). When disabled, no content from the Controller’s tenant is transmitted to the AI sub-processor.

13.7 Automated decision-making. Output from the AI feature is advisory and editorial in nature. It does not constitute a decision with legal or similarly significant effect on a data subject within the meaning of GDPR Article 22.

13.8 Data-subject requests. Because submitted content is not retained on a per-data-subject basis by the AI sub-processor beyond the abuse-monitoring window described in 13.5, rectification and erasure requests are fulfilled on the DigiOps platform side. The Controller is responsible for removing the underlying content from its DigiOps tenant if a data subject exercises rights under GDPR Articles 16 or 17.

Appendices

Appendix A – Categories of Personal Data and Data Subjects

A. Categories of Personal Data

The Controller decides which categories are processed. These may include:

  • Name
  • Title / role
  • Email address
  • Phone number
  • Business address
  • User activity logs (login timestamps, actions performed)

In addition, special categories of personal data (sensitive information under GDPR Article 9) may be processed if input by the Controller. Such data is outside the Processor’s control and responsibility.

B. Categories of Data Subjects

The Controller determines the data subjects, which may include:

  • Employees of the Controller
  • End users of the Controller’s DigiOps account
  • Contact persons of the Controller
  • Customers and end users of the Controller
  • Employees of the Controller’s customers
  • Other individuals whose data is entered into the platform by the Controller

Appendix B – Sub-processors

The following sub-processors are authorized as of the date of this Agreement:

Name Description Location
AzeHosting Hosting and infrastructure provider Germany (EU)
Hetzner Online GmbH Data center operator (ISO 27001 certified) Germany (EU)
OpenAI, L.L.C. AI-assisted text processing (see Section 13). Content is used only to generate a response; not used for model training. United States — EU-US Data Privacy Framework