Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:

Kombiner ApS
VAT/CVR: 46281489
Sommerstedgade 34, 1 th
1718 Copenhagen V
Denmark
(“Processor”)

and

The Customer identified in the applicable Order Form
(“Controller”)

1. Purpose and Scope

This DPA governs the processing of personal data by Processor on behalf of Controller in connection with the provision of the Services.

This DPA is entered into to ensure compliance with:

  • The EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”);
  • The Danish Data Protection Act;
  • Other applicable data protection laws.

In the event of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.

2. Roles of the Parties

The parties acknowledge that:

  • Controller determines the purposes and means of processing personal data;
  • Processor processes personal data solely on behalf of Controller.

Processor shall not process personal data for its own purposes.

3. Categories of Data and Data Subjects

3.1 Categories of Data Subjects

Personal data processed under this DPA may relate to:

  • Controller’s customers
  • Controller’s employees
  • Controller’s business partners
  • End users of configured products
  • Contact persons and recipients in quotes and orders

3.2 Categories of Personal Data

The data may include:

  • Name
  • Email address
  • Phone number
  • Company name
  • Business address
  • VAT/CVR number
  • Order information
  • Quote details
  • Payment and transaction data (if applicable)
  • User login information

Processor does not intentionally process special categories of data (Article 9 GDPR).

4. Nature and Purpose of Processing

Processor processes personal data for the purpose of:

  • Providing access to the platform;
  • Managing product configurations;
  • Generating quotes and orders;
  • Integrating with third-party systems;
  • Hosting and storing Customer Data;
  • Providing support services.

Processing operations may include:

  • Collection
  • Storage
  • Organization
  • Retrieval
  • Transmission
  • Deletion

5. Processor Obligations

Processor shall:

  • Process personal data only on documented instructions from Controller;
  • Ensure that personnel with access to personal data are bound by confidentiality obligations;
  • Implement appropriate technical and organizational security measures;
  • Assist Controller in responding to data subject requests;
  • Assist Controller in meeting GDPR obligations relating to security, breach notification, DPIAs, and consultations with supervisory authorities;
  • Delete or return personal data upon termination, as described below.

6. Security Measures

Processor implements appropriate technical and organizational measures, including:

  • Encryption in transit (HTTPS/TLS);
  • Secure cloud infrastructure;
  • Role-based access controls;
  • Authentication and authorization safeguards;
  • Logging and monitoring;
  • Backup and disaster recovery procedures.

Security measures may be updated over time provided that the overall level of protection is not materially reduced.

7. Sub-Processors

Processor may engage sub-processors to provide parts of the Services.

Typical sub-processors may include:

  • Cloud hosting providers
  • Email service providers
  • Analytics providers
  • Payment providers (if applicable)

Processor shall:

  • Enter into written agreements with sub-processors imposing data protection obligations consistent with this DPA;
  • Remain responsible for the acts and omissions of sub-processors.

A current list of sub-processors is available on the list of sub-processors page.
Processor may update this list from time to time in accordance with this DPA.

Processor shall inform Controller of any intended changes concerning the addition or replacement of sub-processors by updating the above webpage.

Controller may object to a new sub-processor on reasonable data protection grounds.

8. International Transfers

Where personal data is transferred outside the EU/EEA, Processor shall ensure that appropriate safeguards are implemented, such as:

  • EU Standard Contractual Clauses (SCCs);
  • Adequacy decisions by the European Commission;
  • Other legally recognized transfer mechanisms.

9. Data Breach Notification

In the event of a personal data breach affecting Customer Data, Processor shall notify Controller without undue delay after becoming aware of the breach.

The notification shall include:

  • Nature of the breach;
  • Categories of data affected;
  • Likely consequences;
  • Measures taken or proposed.

Controller remains responsible for notifying supervisory authorities and affected individuals where required.

10. Data Subject Rights

Processor shall assist Controller, taking into account the nature of processing, in fulfilling Controller’s obligations to respond to requests for:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

Where possible, assistance shall be provided through built-in platform functionality.

11. Audit Rights

Controller may request reasonable documentation demonstrating compliance with this DPA.

Formal audits may be conducted:

  • No more than once per year;
  • During normal business hours;
  • At Controller’s expense;
  • Subject to confidentiality safeguards.

12. Deletion or Return of Data

Upon termination of the Services:

  • Controller may request export of its data within thirty (30) days;
  • After thirty (30) days, Processor may delete personal data unless retention is required by law.

Backup data may be retained temporarily in accordance with standard backup retention policies.

13. Liability

Liability under this DPA is subject to the limitation of liability set forth in the Terms of Service.

Last updated: 26. February 2026