Data Processing Agreement

Introduction

This agreement is made pursuant to Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), concerning the processing of personal data by the data processor, and is entered into between the customer, acting as the data controller,

and

Campaign Builder ApS
VAT number 37637343
Tueager 1
8200 Aarhus N
as the data processor.

Each of the parties constitutes a "party," and together they are referred to as the "parties."

The parties have agreed to the following standard contractual clauses to comply with the GDPR and ensure the protection of privacy and the fundamental rights and freedoms of natural persons.

These provisions establish the rights and obligations of the data processor when processing personal data on behalf of the data controller.

By using Campaignbuilder.io and any additional features associated with the platform (hereinafter referred to as the "Platform"), the data processor processes personal data on behalf of the data controller.

These provisions include three appendices, which form an integral part of the provisions.

Appendix A provides further details on the processing of personal data, including the purpose and nature of the processing, types of personal data, categories of data subjects, and the duration of the processing.

Appendix B contains the conditions under which the data processor may use subprocessors and a list of subprocessors approved by the data controller.

Appendix C contains instructions from the data controller concerning the data processor's processing of personal data, a description of the minimum security measures the data processor must implement, and procedures for supervising the data processor and any subprocessors.

The data controller is responsible for the processing of personal data on the platform. The data processor processes personal data according to the instructions of the data controller and in compliance with national data protection laws, including the GDPR, and its own privacy policy.

These provisions use definitions as defined in the GDPR and the Danish Data Protection Act.

The data controller's rights and obligations

The data controller is responsible for ensuring that the processing of personal data complies with the GDPR and other data protection provisions in EU law or national legislation and regulations.

The data controller has the right and obligation to decide the purposes and means of the processing of personal data. Furthermore, the data controller is responsible for ensuring that there is a legal basis for the processing of personal data instructed to the data processor.

The data controller has the obligation to inform the data subjects whose personal data is processed and instructs the data processor in the processing. This includes the obligation to provide guarantees regarding technical and security measures for the personal data of the data subjects.

When using the Platform, the data controller is responsible for providing only the personal data specified in Appendix A and for minimizing the processing of special categories of personal data as described in Article 9 of the GDPR. This limitation can be achieved by anonymizing certain personal data before transferring it to the data processor.

The processor acts on instructions

The processor may only process personal data based on documented instructions from the data controller, unless required by EU law or the national laws of the member state to which the processor is subject. These instructions are specified in Appendices A and C. The data controller may issue additional instructions during the processing of personal data, but these instructions must always be documented and stored in writing, including electronically, together with these provisions.

The processor promptly notifies the data controller if an instruction, in the processor's opinion, violates the GDPR or data protection provisions under other EU law or the national law of the member states. The instructions described in Appendix C are not considered to prevent such processing of personal data.

If the processor determines that an instruction from the data controller is unlawful or contrary to applicable law, the processor shall inform the data controller, who must then rectify the instruction without undue delay. If the data controller is unable to rectify the instruction, the processor has the right to terminate the agreement between the parties.

The processor assists the data controller in implementing appropriate technical and organizational measures that correspond to the nature and category of the personal data being processed.

Furthermore, the processor assists the data controller in handling requests from data subjects regarding the exercise of their rights as defined in the GDPR. However, the processor does not respond to these requests unless specifically agreed upon with the data controller.

In the event of requests from the data controller for information or assistance regarding security measures or the processing of personal data, and if these requests exceed what is necessary under applicable data protection provisions, the processor is entitled to charge for such additional services.

Confidentiality

The processor may only grant access to personal data processed on behalf of the data controller to persons under the processor's authority to act in accordance with instructions, who are committed to confidentiality or are subject to an appropriate legal obligation of secrecy, and only to the extent necessary.

The list of individuals with access must be regularly reviewed. Based on this review, access to personal data may be revoked if no longer necessary, and thereafter, the personal data should no longer be accessible to these individuals.

Upon request from the data controller, the processor must be able to demonstrate that the relevant persons under the processor's authority to act in accordance with instructions are subject to the aforementioned duty of confidentiality.

Security of processing

Article 32 of the General Data Protection Regulation establishes that the data controller and the processor, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks.

Both parties shall assess the risks to the rights and freedoms of natural persons posed by the processing. Security measures appropriate to those risks shall be implemented by both parties based on their respective assessments.

The processor assists the data controller in ensuring compliance with the obligations laid down in Article 32 of the General Data Protection Regulation. This includes, among other things, the processor providing the necessary information to the data controller regarding the technical and organizational security measures that the processor has already implemented in accordance with Article 32, and any other information necessary for the processor to identify and assess such risks.

If addressing the identified risks, according to the data controller's assessment, requires additional measures beyond those already implemented by the processor, the data controller shall specify the additional measures to be implemented in Annex C.

Use of Subprocessors

The processor shall comply with the conditions set forth in Article 28(2) and (4) of the General Data Protection Regulation to engage another processor (a subprocessor).

Therefore, the processor may not engage a subprocessor for the performance of these provisions without prior general written authorization from the data controller. The processor has general authorization from the data controller to use subprocessors.

The processor shall inform the data controller in writing of any planned changes concerning the addition or replacement of subprocessors and provide the data controller with the opportunity to object to such changes before the subprocessors in question are engaged. The list of subprocessors already approved by the data controller is found in Annex B.

When the processor engages a subprocessor to perform specific processing activities on behalf of the data controller, the processor shall ensure, through a contract or other legal document under EU law or the national law of Member States, that the subprocessor adheres to the same data protection obligations as those set out in these provisions. This includes ensuring adequate guarantees that the subprocessor will implement the technical and organizational measures in such a way that the processing meets the requirements of these provisions and the General Data Protection Regulation.

The processor is responsible for requiring the subprocessor to comply with at least the processor's obligations under these provisions and the General Data Protection Regulation.

Subprocessor agreements and any subsequent amendments shall be provided to the data controller upon request, enabling the data controller to ensure that equivalent data protection obligations as set forth in these provisions are imposed on the subprocessor. Terms related to commercial terms that do not affect the data protection content of the subprocessor agreement shall not be provided to the data controller.

In its agreement with the subprocessor, the processor shall designate the data controller as a third-party beneficiary in the event of the processor's insolvency, enabling the data controller to enforce the rights against the subprocessor, such as instructing the subprocessor to delete or return the personal data.

If the subprocessor fails to fulfill its data protection obligations, the processor remains fully liable to the data controller for ensuring that the subprocessor's obligations are met. This does not affect the rights of data subjects under the General Data Protection Regulation, including in particular Articles 79 and 82, against the data controller, the processor, and the subprocessor.

Transfer to Third Countries or International Organizations

Any transfer of personal data to third countries or international organizations shall only be carried out by the processor upon documented instruction from the data controller and always in accordance with Chapter 5 of the General Data Protection Regulation.

If a transfer of personal data to third countries or international organizations, which the processor has not been instructed to carry out by the data controller, is required under EU law or the national law of Member States to which the processor is subject, the processor shall notify the data controller of this legal requirement before the processing begins. This applies unless such notification is prohibited by the applicable law for reasons of important public interest.

Without documented instruction from the data controller, the processor cannot, within the scope of these provisions:
  1. Transfer personal data to a data controller or processor in a third country or international organization
  2. Entrust the processing of personal data to a subprocessor in a third country
  3. Process the personal data in a third country


The data controller's instructions regarding a transfer of personal data to a third country, including the possible transfer basis under Chapter 5 of the General Data Protection Regulation, shall be specified in Annex C.8.

These provisions should not be confused with the standard contractual clauses referred to in Article 46(2)(c) and (d) of the General Data Protection Regulation, and these provisions cannot constitute a basis for the transfer of personal data as specified in Chapter 5 of the General Data Protection Regulation.

Assistance to the Data Controller

The processor supports the data controller to the fullest extent possible, taking into account the nature of the processing, by implementing appropriate technical and organizational measures to assist in fulfilling the data controller's obligations to respond to requests for the exercise of data subjects' rights, as described in Chapter 3 of the General Data Protection Regulation.

This entails that the processor, as much as possible, must assist the data controller in ensuring compliance with:

  1. The obligation to provide information when collecting personal data from the data subject
  2. The obligation to provide information if the personal data is not collected from the data subject
  3. The right of access
  4. The right to rectification
  5. The right to erasure ("right to be forgotten")
  6. The right to restriction of processing
  7. The obligation to notify in connection with rectification or erasure of personal data or restriction of processing
  8. The right to data portability
  9. The right to object
  10. The right not to be subject to a decision based solely on automated processing, including profiling

In addition to the processor's obligation to assist the data controller under Clause 6, the processor further assists, considering the nature of the processing and the information available to the processor, in:

  1. The data controller's duty to notify the relevant supervisory authority, the Danish Data Protection Agency (Datatilsynet), without undue delay and no later than 72 hours after becoming aware of a personal data breach, unless it is unlikely that the breach poses a risk to the rights and freedoms of individuals.
  2. The data controller's obligation to notify the data subjects without undue delay in case of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals.
  3. The data controller's obligation to conduct an analysis of the potential impact of the intended processing activities on the protection of personal data (a data protection impact assessment) before processing.
  4. The data controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), prior to processing, where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

In Annex C, the parties shall specify the necessary technical and organizational measures that the processor shall implement to support the data controller, including the scope and extent of these obligations in accordance with the requirements of Clause 9.

Notification of Personal Data Breaches

The processor shall immediately notify the data controller upon discovering a personal data breach. The notification to the data controller must be made within 36 hours of the processor becoming aware of the breach. This allows the data controller to fulfill its obligation to report the breach of personal data security to the relevant supervisory authority in accordance with Article 33 of the General Data Protection Regulation.

In accordance with Clause 9, the processor shall assist the data controller in making the notification of the breach to the relevant supervisory authority. This entails that the processor shall help gather the following information, as required under Article 33(3), which must be included in the data controller's notification of the breach to the supervisory authority:

  1. The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records affected.
  2. The likely consequences of the personal data breach.
  3. The measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

In Annex C, the parties shall specify the information that the processor is required to provide in assisting the data controller in its obligation to notify personal data breaches to the competent supervisory authority.

Deletion and Return of Information

When services related to the processing of personal data cease, the processor shall return all personal data and delete any existing copies, unless there are requirements under EU law or the national law of the Member States to retain the personal data.

The above does not apply to personal data that the processor processes as a data controller in the customer relationship between the processor and the data controller.

Audit, Including Inspection

The processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the Data Protection Regulation and these provisions, and shall facilitate and contribute to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.

The procedures for audits, including inspections, by the data controller with the processor and subprocessors are further specified in Annex C.

The processor is obligated to grant access to supervisory authorities, which under applicable law have access to the data controller's or processor's facilities, or representatives acting on behalf of such authorities, to the processor's physical facilities upon proper identification.

Agreement between the Parties on Other Matters

The parties may enter into agreements on other matters related to services related to the processing of personal data, such as liability for damages, provided that these agreements do not directly or indirectly conflict with the provisions of the Data Protection Regulation or in any way diminish the fundamental rights or freedoms of the data subjects.

Entry into force and termination

These provisions enter into force upon the signing of the service contract between the parties. Either party may request renegotiation of the provisions if changes in the law or inadequacies in the provisions give rise to such a request.

The provisions remain in effect for as long as the service related to the processing of personal data continues, and as long as the service contract is in force. During this period, the provisions cannot be terminated unless other provisions governing the provision of the service related to the processing of personal data are agreed upon between the parties.

The provisions are subject to Danish law, and any disputes are settled in the Danish legal system.

Appendix A - Information about the data processing

A.1 Purpose of the data processor's processing of personal data on behalf of the data controller

The purpose of the collaboration is for the data controller to utilize the platform to create campaigns aimed at engaging participants.

The data processor provides the data controller with a platform for configuring and launching campaigns where personal data is collected. The data processor stores the collected personal data and makes it available to the data controller.

A.2 The data processor's processing of personal data on behalf of the data controller primarily involves (nature of the processing)

The data controller determines which information is processed by the data processor, since the data controller decides which information is requested from participants.

A.3 The processing includes the following types of personal data about the data subjects

The data controller determines which types of personal data are processed by the data processor, since the data controller decides which information is requested from participants. Processing of participants' IP addresses is mandatory.

A.4 The processing includes the following categories of data subjects

Data subjects refer to individuals participating in campaigns through the platform, which may include, but is not limited to, registrations via forms.

A.5 The data processor's processing of personal data on behalf of the data controller may commence upon the entry into force of these provisions. The processing has the following duration

The processing is not limited by time and shall continue until this data processing agreement is terminated or canceled by either party.

Appendix B - Subprocessors of the Data Processor

The data processor's software relies on several subprocessors to operate effectively. These subprocessors include third-party vendors both within and outside the EU/EEA. An updated list of the data processor's subprocessors is provided below.

By using the platform, the data controller grants permission to involve the following subprocessors:

| Supplier | Address | Hosting location | Purpose/Services |
|---|---|---|---|
| A/S ScanNet | Højvangen 4, 8660 Skanderborg, Denmark | Denmark | Hosting of inMobile, located in the EU |
| Intercom Inc. (FEIN: 45-3543192) | 55 Second Street, Suite 400, San Francisco, CA 94105, USA | USA | Intercom is our primary tool for handling customer support. This includes communicating with our customers via email and chat directly within the platform. The data we exchange is limited to basic user information and the communication we have through support. |
| Sentry | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | USA | We use Sentry for monitoring and error tracking to help us ensure a stable and secure experience for our users. Limited data is collected to debug and resolve issues. |
| Beamer | 600 Congress Ave, Austin, Texas, USA | USA | getbeamer.com is used to notify our users about new features and updates. |
| Amazon Web Services EMEA Sarl | Ireland & Paris regions | EU | All data is hosted on Amazon AWS infrastructure located in the EU. AWS provides scalable and secure cloud hosting. |
| Stripe Payments Europe, Ltd. | The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland | Ireland | Stripe is used to process payments securely and manage billing operations. This includes limited customer and payment data required for transactions and invoicing. |
| HeySender ApS | Jens Baggesens Vej 47, 8200 Aarhus N, Denmark | Denmark | HeySender is used to send transactional emails to our users. This includes system notifications, password resets, and other essential communications. |
| Klaviyo | United States | USA | Klaviyo is used for email marketing automation and customer engagement. We use it to send newsletters, product updates, and promotional content. User email and engagement metrics may be processed. |

Appendix C - Instructions Regarding Processing of Personal Data

C.1 Subject/Instruction of Processing

The Data Processor processes personal data on behalf of the Data Controller by performing the following activities:

The Data Processor provides a marketing campaign platform to the Data Controller for creating and launching campaigns aimed at engaging and collecting personal data via these campaigns. The Data Processor is responsible for hosting the collected personal data and ensuring that this data is available to the Data Controller.

Any other processing of personal data covered by the service must be agreed upon between the parties and will be subject to the Data Processor's terms and privacy policies. However, processing of personal data as part of the service delivered to the Data Controller is carried out solely according to the Data Controller's instructions.

C.2 Processing Security

The security level must take into account:

The Data Processor generally maintains a control environment primarily based on established technical procedures, supplemented by manual guidelines and processes.

The Data Processor's technical control environment in the platform includes, among others:

  1. Only approved hardware and software are used on networks that store or access data.
  2. Two-factor login access control.
  3. Access restriction to parts of the platform where personal data is stored.
  4. Advanced malware and virus detection software is utilized.
  5. Secure configuration for devices, with no default passwords used.
  6. Automatic password expiration and individual password assignment.
  7. Data encryption via hardware encryption of server data (AES-256 at rest on AWS RDS).
  8. Encryption during transmission via https (minimum TLS 1.2).
  9. Logging of events, platform access, and data exports.
  10. Automatic data deletion in accordance with retention policies.

C.3 Assistance to the Data Controller

The Data Processor shall, as far as possible, assist the Data Controller in accordance with the provisions by implementing technical and organizational measures as follows:

The Data Processor has implemented measures to detect any data breaches and respond promptly to assist the Data Controller. The Data Processor has established procedures to support the Data Controller in fulfilling the rights of data subjects in accordance with GDPR legislation, such as:

Assisting the Data Controller in handling requests from data subjects. Data subjects can be searched directly on the platform, from where data can be managed.

C.4 Retention Period/Deletion Routine

The Data Processor deletes the processed personal data when it is no longer necessary for its purposes, including upon termination of the agreement between the parties. The Data Processor may retain personal data for a longer period if required by EU law or the national law of Member States. As there is a customer relationship between the parties where the Data Processor is also the Data Controller for other personal data, such personal data will be retained for 1 year after termination of the agreement.

C.5 Processing Location

Processing of personal data under the agreement may only take place in the following areas unless the Data Controller has given prior written permission: Denmark and Ireland.

C.6 Instructions Regarding Transfer of Personal Data to Third Countries

The Data Processor may only transfer personal data to third countries or international organizations to the extent specified in the Data Controller's instructions. Transfer of personal data may in all cases only take place to the extent permitted under the applicable regulation.

C.7 Procedures for the Data Controller's Reviews, Including Inspections, of the Processing of Personal Data Entrusted to the Data Processor

The Data Controller or the Data Controller's representative has the right to inspect, including physically inspect, the processing at the Data Processor's facilities when deemed necessary by the Data Controller. The Data Processor will invoice the Data Controller a fee of EUR 250 per hour excluding VAT for the time spent on these inspections.

C.8 Procedures for Reviews, Including Inspections, of the Processing of Personal Data Entrusted to Sub-Processors

The Data Processor or the Data Processor's representative shall likewise have access to the relevant documents. Data is hosted at Amazon in Ireland. Although Amazon does not allow physical inspections, the Data Processor has access to all relevant documents, such as audit reports. The Data Processor has full access to all data on the servers.