Last updated January 01, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Agenized ApS (“Processor”, “we”, “us”, or “our”) and the customer that has accepted the Terms and Conditions for the Service (“Customer”, “Controller”, “you”). This DPA applies to the extent Processor processes Personal Data on behalf of Customer in connection with the Service.
1. Parties
Controller (Customer): The business entity that enters into the Terms and Conditions for the Service.
Processor: Agenized ApS, Slamrebjergvej 6A, 3730 Nexø, Denmark, VAT DK46093208.
2. Definitions
Terms used in this DPA have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”), unless otherwise defined.
- “Personal Data”: Any information relating to an identified or identifiable natural person.
- “Processing”: Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- “Customer Personal Data”: Personal Data processed by Processor on behalf of Customer under this DPA.
- “Subprocessor”: Any processor engaged by Processor to assist in processing Customer Personal Data.
- “Security Incident”: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Personal Data Breach” under the GDPR).
3. Roles and Scope
Customer is the Controller of Customer Personal Data. Processor processes Customer Personal Data only as a Processor on behalf of Customer, except where Processor acts as a Controller for separate data it processes for its own purposes (for example, billing, account administration, and sales).
4. Subject Matter, Duration, Nature, and Purpose of Processing
Subject matter: Provision of the Service to Customer, including AI-assisted customer support workflows, integrations, and related features.
Duration: For the term of the Customer’s subscription and any additional period required for deletion, return, or retention as described in Section 11.
Nature and purpose: Hosting, storing, transmitting, and otherwise processing Customer Personal Data to operate, maintain, secure, and support the Service, and to carry out Customer’s documented instructions.
5. Categories of Data Subjects and Personal Data
The categories below are typical. Customer controls what data is submitted to the Service.
Data subjects may include:
- Customer’s representatives, administrators, and authorized users.
- Customer’s end-users and contacts (for example, Customer’s customers) who communicate via connected channels.
- Individuals whose Personal Data appears in Customer content, knowledge sources, tickets, messages, or integrations.
Personal Data may include:
- Identifiers and contact details (for example, name, email, phone number, usernames, social handles).
- Conversation content and metadata (for example, messages, timestamps, channel identifiers).
- Customer support context (for example, order references, ticket IDs, CRM identifiers) as provided by Customer or end-users.
- Technical data (for example, IP address, device data, logs) related to usage of the Service.
Special categories of data: Customer should not submit special categories of data (GDPR Article 9) unless Customer has a lawful basis and appropriate safeguards, and has enabled any relevant controls. [PLACEHOLDER: ADD RULES/CONTROLS IF YOU OFFER THEM]
6. Customer Instructions
Processor will process Customer Personal Data only on documented instructions from Customer, including instructions provided via Customer’s configuration and use of the Service.
If Processor believes an instruction violates applicable law, Processor will inform Customer (unless prohibited by law).
7. Processor Obligations
- Process Customer Personal Data only as set out in this DPA and Customer’s documented instructions.
- Ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Customer Personal Data (see Section 8 and Annex 2).
- Not sell Customer Personal Data.
8. Security Measures
Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures described in Annex 2 (Security Measures).
[PLACEHOLDER: INSERT YOUR SECURITY SUMMARY, FOR EXAMPLE ENCRYPTION IN TRANSIT, ACCESS CONTROLS, LOGGING, BACKUPS, INCIDENT RESPONSE]
9. Subprocessors
Customer grants Processor a general authorization to engage Subprocessors for the provision of the Service.
9.1 Current Subprocessors
Processor’s Subprocessors (suppliers) are listed in Annex 1. Customer may insert and maintain the list, or Processor may publish an up-to-date list at: [INSERT SUBPROCESSOR LIST URL].
9.2 Changes to Subprocessors
Processor will provide notice of intended changes to Subprocessors by updating Annex 1 or the published list. Customer may object to a new Subprocessor within [INSERT NUMBER] days of notice by providing written reasons related to data protection. If the parties cannot resolve the objection, Customer may terminate the affected part of the Service in accordance with the Terms and Conditions. [PLACEHOLDER: ALIGN TERMINATION MECHANISM WITH YOUR TERMS]
9.3 Subprocessor Terms
Processor will enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective than those in this DPA. Processor remains responsible for Subprocessors’ performance of their obligations.
10. International Transfers
Customer Personal Data may be processed in the EEA and may be transferred outside the EEA depending on subprocessors and connected third-party platforms.
Where transfers outside the EEA occur, Processor will ensure appropriate safeguards are in place, such as:
- EU adequacy decisions, where applicable.
- European Commission Standard Contractual Clauses (“SCCs”).
- Other lawful transfer mechanisms under GDPR Chapter V.
[PLACEHOLDER: INSERT WHICH SCC MODULES APPLY AND WHERE SCCS ARE MADE AVAILABLE, FOR EXAMPLE “SCCs Module Two (Controller to Processor) apply and are available at [URL]”]
11. Deletion and Return of Data
Upon termination or expiration of the subscription, Processor will, at Customer’s choice and subject to the Service capabilities and applicable law:
- Return Customer Personal Data to Customer, and/or
- Delete Customer Personal Data.
Processor may retain Customer Personal Data where required by law or for a limited period for backups and security purposes, provided it remains protected and is deleted in accordance with Processor’s retention cycle.
[PLACEHOLDER: INSERT DATA EXPORT OPTIONS, RETENTION PERIODS, AND DELETION TIMELINES]
12. Assistance to Customer
Taking into account the nature of processing, Processor will provide reasonable assistance to Customer to:
- Respond to requests from data subjects (access, deletion, etc.), to the extent applicable and within Processor’s control.
- Meet GDPR obligations relating to security, breach notification, DPIAs, and consultations with supervisory authorities.
Customer acknowledges that certain assistance may require additional work and may be chargeable at Processor’s standard rates. [PLACEHOLDER: INSERT SUPPORT/CHARGING MODEL IF DESIRED]
13. Personal Data Breach Notification
Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
Processor’s notification will include, where available, relevant information about the nature of the breach, likely consequences, and measures taken or proposed to address the breach.
Customer is responsible for determining whether to notify supervisory authorities and affected individuals, unless otherwise required by applicable law.
14. Audits and Compliance
Processor will make available information reasonably necessary to demonstrate compliance with this DPA.
Customer may conduct an audit no more than once per year, or more frequently if required by law or in response to a material Security Incident, subject to:
- Reasonable prior written notice.
- Scope limited to data protection controls relevant to the Service.
- Confidentiality and security requirements.
- Audit conducted during normal business hours, without unreasonable disruption.
- Customer bears its own costs and reimburses Processor’s reasonable costs for assistance. [PLACEHOLDER: CONFIRM THIS COST POSITION]
Processor may satisfy audit obligations by providing third-party reports or certifications where available (for example, SOC 2). [PLACEHOLDER: INSERT AVAILABLE REPORTS OR STATE “NONE”]
15. Confidentiality
Processor will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations. Each party will keep the other party’s confidential information confidential, subject to applicable law and the Terms and Conditions.
16. Liability
Liability under this DPA is subject to the liability provisions in the Terms and Conditions, except where liability cannot be limited under applicable law.
[PLACEHOLDER: IF YOU WANT DPA-SPECIFIC LIABILITY TERMS, INSERT HERE]
17. Order of Precedence
In case of conflict between this DPA and the Terms and Conditions regarding processing of Personal Data, this DPA will prevail. For all other conflicts, the Terms and Conditions will prevail.
18. Governing Law
This DPA is governed by the laws of Denmark, and disputes will be subject to the courts of Copenhagen, Denmark, unless mandatory law requires otherwise.
Annex 1: Subprocessors (Suppliers)
Insert your subprocessors below. You can keep this annex updated over time.
| Subprocessor Name | Service Provided | Processing Location(s) | Data Categories | Transfer Mechanism (If Outside EEA) | Link to Terms/Privacy or DPA |
|---|---|---|---|---|---|
| [INSERT SUPPLIER 1 NAME] | [INSERT PURPOSE, FOR EXAMPLE HOSTING, EMAIL, SUPPORT] | [INSERT COUNTRY/REGION] | [INSERT DATA TYPES] | [INSERT SCCS/ADEQUACY/OTHER, OR “N/A”] | [INSERT LINK] |
| [INSERT SUPPLIER 2 NAME] | [INSERT PURPOSE] | [INSERT COUNTRY/REGION] | [INSERT DATA TYPES] | [INSERT SCCS/ADEQUACY/OTHER, OR “N/A”] | [INSERT LINK] |
| [ADD MORE ROWS AS NEEDED] |
Annex 2: Security Measures
Processor maintains a security program appropriate to the nature of the Service and the risks to Customer Personal Data. The measures below are examples and should be adapted to your actual implementation.
- Access control: Role-based access, least privilege, strong authentication for administrative access.
- Encryption: Encryption in transit (TLS), encryption at rest where applicable. [PLACEHOLDER: SPECIFY]
- Logging and monitoring: Centralized logs, alerting for suspicious activity. [PLACEHOLDER: SPECIFY]
- Segregation: Logical separation of customer data and environments. [PLACEHOLDER: SPECIFY]
- Backups and recovery: Regular backups and tested restore procedures. [PLACEHOLDER: SPECIFY FREQUENCY]
- Vulnerability management: Patch management, dependency scanning, periodic security reviews. [PLACEHOLDER: SPECIFY]
- Incident response: Documented incident response process and breach notification workflow. [PLACEHOLDER: SPECIFY]
- Physical security: Data center controls provided by hosting suppliers. [PLACEHOLDER: SPECIFY]
- Employee confidentiality: Confidentiality commitments and security training. [PLACEHOLDER: SPECIFY]
Annex 3: Customer Instructions and Service Settings
Customer instructions are primarily provided through configuration and use of the Service, including:
- Connected channels and integrations selected by Customer.
- Knowledge sources and content uploaded or linked by Customer.
- Agent settings, routing, automations, and actions configured by Customer.
- Retention, deletion, and export settings available in the Service. [PLACEHOLDER: CONFIRM SETTINGS]
