Data Processing Agreement

Last Updated: June 25th, 2025

pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the purpose of the processing of personal data by the data processor

Uniconomic A/S

VAT 36958723

St. Lundgaard Vej 54

7400 Herning

Denmark

hereinafter referred to as the “data processor”

each of whom is a “party” and together constitute the “parties”

HAVE AGREED to the following standard contractual clauses (the Clauses) in order to comply with the General Data Protection Regulation and ensure the protection of privacy and fundamental rights and freedoms of natural persons

1. Preamble

  1. These Clauses set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
  2. These Clauses are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  3. In connection with the provision of Uniconomic solutions, the data processor processes personal data on behalf of the data controller in accordance with these Clauses. The Clauses take precedence over any similar provisions in other agreements between the parties.
  4. There are four annexes to these Clauses, and the annexes form an integral part of the Clauses.
  5. Annex A contains further information on the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
  6. Annex B contains the data controller's conditions for the data processor's use of sub-processors and a list of sub-processors that the data controller has approved for use.
  7. Annex C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-processors are supervised.
  8. Annex D contains provisions regarding other activities not covered by the Clauses.
  9. The Clauses and the associated annexes must be kept in writing, including electronically, by both parties.
  10. These Clauses do not release the data processor from obligations imposed on the data processor under the General Data Protection Regulation or any other legislation.

2. Rights and obligations of the data controller

  1. The data controller is responsible for ensuring that the processing of personal data is in accordance with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU law or the national law of the Member States, and these Clauses.
  2. The data controller has the right and obligation to make decisions about the purpose(s) for which and the means by which personal data may be processed.
  3. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.

3. The data processor acts on instructions

  1. The data processor may only process personal data on documented instructions from the data controller, unless required to do so by Union law or the national law of the Member States to which the data processor is subject. Such instructions shall be specified in Annexes A and C. Subsequent instructions may also be given by the data controller while personal data are being processed, but such instructions shall always be documented and kept in writing, including electronically, together with these Clauses.
  2. The data processor shall immediately inform the data controller if, in its opinion, an instruction infringes the General Data Protection Regulation or data protection provisions of other Union law or the national law of the Member States.

4. Confidentiality

  1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's instruction powers, who have undertaken a duty of confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed on an ongoing basis. Based on this review, access to personal data may be closed if access is no longer necessary, and the personal data shall then no longer be accessible to these persons.
  2. The data processor must, upon request from the data controller, be able to demonstrate that the persons concerned, who are subject to the data processor's powers of instruction, are subject to the above-mentioned confidentiality obligation.

5. Processing security

  1. Article 32 of the GDPR states that the data controller and the data processor, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure a level of protection appropriate to those risks.

The data controller must assess the risks to the rights and freedoms of natural persons represented by the processing and implement measures to address those risks. Depending on their relevance, this may include:

    a. pseudonymisation and encryption of personal data;
    b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    c. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
    d. a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of processing.

  2. According to Article 32 of the Regulation, the data processor must also assess – independently of the data controller – the risks to the rights of natural persons represented by the processing and implement measures to address those risks. For the purpose of this assessment, the data controller must provide the data processor with the necessary information to enable it to identify and assess such risks.
  3. In addition, the data processor must assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation, including by providing the data controller with the necessary information regarding the technical and organisational security measures that the data processor has already implemented pursuant to Article 32 of the Regulation and any other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.

If addressing the identified risks – in the opinion of the data controller – requires the implementation of measures beyond those already implemented by the data processor, the data controller must specify the additional measures to be implemented in Annex C.

6. Use of sub-processors

  1. The data processor must meet the conditions set out in Article 28(2) and (4) of the GDPR in order to make use of another data processor (a sub-processor).
  2. The data processor may not use a sub-processor to fulfil these Clauses without the prior general written approval of the data controller.
  3. The data processor has the general approval of the data controller for the use of sub-processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data controller the opportunity to object to such changes before the sub-processor(s) in question are used. Longer notice periods for notification in connection with specific processing activities may be specified in Annex B. The list of sub-processors already approved by the data controller is set out in Annex B.
  4. Where the data processor uses a sub-processor to carry out specific processing activities on behalf of the data controller, the data processor shall, by means of a contract or other legal instrument in accordance with Union law or the national law of the Member States, impose on the sub-processor the same data protection obligations as those set out in these Clauses, in particular providing the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing will comply with the requirements of these Clauses and the General Data Protection Regulation.

The data processor is therefore responsible for requiring that the sub-processor at least comply with the data processor's obligations under these Clauses and the General Data Protection Regulation.

  5. Sub-processor agreement(s) and any subsequent amendments thereto shall be sent – upon request by the data controller – in copy to the data controller, who shall thereby be able to ensure that corresponding data protection obligations resulting from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement shall not be sent to the data controller.
  6. If the sub-processor fails to comply with its data protection obligations, the data processor shall remain fully liable to the data controller for the performance of the sub-processor's obligations. This shall not affect the rights of data subjects under the General Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, against the data controller and the data processor, including the sub-processor.

7. Transfer to third countries or international organisations

  1. Any transfer of personal data to third countries or international organisations may only be carried out by the data processor on the basis of documented instructions from the data controller and must always be in accordance with Chapter V of the General Data Protection Regulation.
  2. Where a transfer of personal data to third countries or international organisations, which the data processor has not been instructed to carry out by the data controller, is required by Union law or the national law of the Member States to which the data processor is subject, the data processor shall inform the data controller of this legal requirement prior to processing, unless that law prohibits such notification on grounds of important public interest.
  3. Without documented instructions from the data controller, the data processor cannot, within the framework of these Clauses:
    a. transfer personal data to a data controller or data processor in a third country or an international organisation;
    b. entrust the processing of personal data to a sub-processor in a third country;
    c. process the personal data in a third country.
  4. The data controller's instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, must be stated in Annex C.6.
  5. These Clauses should not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the GDPR, and these Clauses cannot constitute a basis for the transfer of personal data as referred to in Chapter V of the GDPR.

8. Assistance to the data controller

  1. The data processor, taking into account the nature of the processing, shall, as far as possible, assist the data controller by means of appropriate technical and organisational measures in fulfilling the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the General Data Protection Regulation.

This means that the data processor must, to the extent possible, assist the data controller in ensuring compliance with:

    a. the obligation to provide information when collecting personal data from the data subject;
    b. the obligation to provide information if personal data has not been collected from the data subject;
    c. the right of access;
    d. the right to rectification;
    e. the right to erasure (“the right to be forgotten”);
    f. the right to restriction of processing;
    g. the obligation to notify in connection with the rectification or deletion of personal data or restriction of processing;
    h. the right to data portability;
    i. the right to object;
    j. the right not to be subject to a decision based solely on automated processing, including profiling.

  2. In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3, the data processor shall also, taking into account the nature of the processing and the information available to the data processor, assist the data controller with:
    a. the obligation of the data controller to notify the personal data breach to the competent supervisory authority, the Danish Data Protection Authority, without undue delay and, if possible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights or freedoms of natural persons;
    b. the obligation of the data controller to notify the data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons;
    c. the obligation of the data controller to carry out an analysis of the implications of the intended processing activities for the protection of personal data (a data protection impact assessment) prior to processing;
    d. the obligation of the data controller to consult the competent supervisory authority, the Danish Data Protection Authority, prior to processing if a data protection impact assessment shows that the processing will result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
  3. The parties shall specify in Annex C the necessary technical and organisational measures with which the data processor shall assist the data controller, and the scope and extent of that assistance. This applies to the obligations arising from Clauses 9.1 and 9.2.

9. Notification of a personal data breach

  1. The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach.
  2. The data processor's notification to the data controller must, if possible, take place no later than 48 hours after the data processor has become aware of the breach, so that the data controller can comply with its obligation to report the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.
  3. In accordance with Clause 9.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor shall assist in providing the following information, which, according to Article 33(3), must be included in the data controller's notification of the breach to the competent supervisory authority:
    a. the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
    b. the likely consequences of the personal data breach;
    c. the measures that the data controller has taken or proposes to take to address the personal data breach, including, where relevant, measures to limit its possible harmful effects.
  4. The parties shall specify in Annex C the information that the data processor shall provide in connection with its assistance to the data controller in its obligation to report personal data breaches to the competent supervisory authority.

10. Deletion and return of data

  1. Upon termination of the services relating to the processing of personal data, the data processor is obliged to delete all personal data that have been processed on behalf of the data controller and to confirm to the data controller that the data have been deleted, unless EU law or the national law of the Member States requires the retention of the personal data.

11. Audit, including inspection

  1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the GDPR and these Clauses, and shall allow for and contribute to audits, including inspections, carried out by the data controller or another auditor authorised by the data controller.
  2. The procedures for the data controller's audits, including inspections, of the data processor and sub-processors are set out in Annexes C.7 and C.8.
  3. The data processor is obliged to grant supervisory authorities who, under applicable law, have access to the facilities of the data controller or the data processor, or representatives acting on behalf of the supervisory authority, access to the data processor's physical facilities upon proper identification.

12. Agreement of the parties on other matters

  1. The parties may agree on other provisions regarding the service relating to the processing of personal data, for example on liability, as long as these other provisions do not directly or indirectly conflict with these Clauses or impair the fundamental rights and freedoms of the data subject as set out in the General Data Protection Regulation.

13. Entry into force and termination

  1. The Clauses shall enter into force on the date of signature by both parties.
  2. Either party may demand that the Clauses be renegotiated if changes in the law or inadequacies in the Clauses give rise to this.
  3. The Clauses are valid for the duration of the personal data processing service. During this period, the Clauses cannot be terminated unless other clauses governing the provision of the personal data processing service are agreed between the parties.
  4. If the provision of the services relating to the processing of personal data ceases and the personal data are deleted or returned to the data controller in accordance with Clause 11.1 and Annex C.4, the Clauses may be terminated by written notice by either party.

On behalf of the data processor

Name                  Mathias Kobberup

Position              CEO

Telephone             +45 52114161

Email                 mk@uniconomic.com

14. Contact persons at the data controller and data processor

  1. The parties can contact each other via the contact persons below.
  2. The parties are obliged to keep each other informed of any changes regarding contact persons.

Data controller

Name

Position

Telephone number

Email

Data processor

Name                  Mathias Kobberup

Position              CEO

Telephone             +45 52114161

Email                 mk@uniconomic.com

Annex A    Information about the processing

A.1. The purpose of the data processor's processing of personal data on behalf of the data controller

☐ Solution 1: Uniconomic Platform

SaaS solution that allows companies to manage their financial operations.

☐ Solution 2: Uniconomic Advisor

SaaS solution for financial advisors where they can manage their clients.

A.2. The processing of personal data by the data processor on behalf of the data controller primarily concerns (the nature of the processing)

Solution 1: Uniconomic Platform

Accounting, document storage, invoicing, subscription management, payroll, inventory management, AI agents.

The AI agents create reports for boards, perform automatic bookkeeping based on vouchers, and provide a CFO chatbot.

Solution 2: Uniconomic Advisor

SaaS solution for financial advisors where they can manage their clients: bookkeeping for clients, storage of documents, transaction analysis, task management for clients.

A.3. The processing includes the following types of personal data about the data subjects:

Solution 1: Uniconomic Platform

Customer users: user information

Customers' employees: salary information, sick leave, pension, driving, bank information, CPR number, etc.

Customers' customers, suppliers, etc.: contact information for contact persons

Solution 2: Uniconomic Advisor

Customer users: user information

Customers' customers: salary information, sick leave, pension, driving, bank information, CPR number, etc. Contact information for contact persons at customers, partners and suppliers.

A.4. The processing includes the following categories of data subjects:

See A.3

A.5. The processing of personal data by the data processor on behalf of the data controller may commence after these Clauses come into force. The processing has the following duration:

Until the main agreement is terminated.

Annex B    Sub-processors

B.1. Authorised sub-processors

Upon entry into force of the Clauses, the data controller has approved the use of the following sub-processors:

Name: Microsoft Ireland Operations Limited
CVR: REACH
Address: One Microsoft Place, South County Business Park, Carmanhall And Leopardstown, Dublin, D18 P521, Ireland (data center location: Netherlands and Ireland)
Description of processing: Hosting of application server, database server and backup. Sending emails.
Transfer basis: Data Privacy Framework

Name: Hubspot, Inc.
CVR: REACH
Address: Two Canal Park, Cambridge, MA 02141, USA
Description of processing: Hosting of ticket solution.
Transfer basis: Data Privacy Framework

Name: Bank Integration ApS
CVR: 37534862
Address: Lykkegaardsvej 54, 9210 Aalborg SØ
Description of processing: Bank transactions and supplier payments.
Transfer basis: REACH

Name: FarPay ApS
CVR: 37295043
Address: Wildersgade 10B, 2, 1408 Copenhagen
Description of processing: Payment provider
Transfer basis: REACH

Name: Mastercard Payment Services Denmark A/S
CVR: 40695869
Address: Arne Jacobsens Alle 13, 2300 Copenhagen
Description of processing: Salary transfers
Transfer basis: REACH

Upon entry into force of the Clauses, the data controller has approved the use of the above-mentioned sub-processors for the described processing activity. The data processor may not – without the written approval of the data controller – use a sub-processor for a processing activity other than the one described and agreed upon, or use another sub-processor for this processing activity.

B.2. Notice period for approval of sub-processors

30 days

Annex C    Instructions regarding the processing of personal data

C.1. Subject matter/instructions of the processing

The data processor's processing of personal data on behalf of the data controller occurs by the data processor performing the following:

Delivery of the Uniconomic Platform or Uniconomic Advisor.

C.2. Processing security

The security level must reflect:

The processing includes a large amount of confidential personal data, which is why a "high" level of security must be established.

The data processor is then entitled and obliged to make decisions about which technical and organisational security measures must be implemented to establish the necessary (and agreed) level of security.

However, the data processor must – in all circumstances and as a minimum – implement the following measures, which have been agreed with the data controller:

  1. Requirements for pseudonymisation and encryption of personal data:

All personal data must be encrypted using industry-standard encryption protocols (AES-256 or equivalent) when stored or transmitted. Pseudonymisation techniques must be used where practicable to replace identifiable information with pseudonyms and thereby minimise risk.

  2. Ensuring confidentiality, integrity, availability and resilience:

The data processor must implement robust access control mechanisms, including role-based access control and two-factor authentication, to ensure confidentiality and integrity. There must be regular backup procedures to ensure availability. Systems must be continuously monitored and protected by up-to-date antivirus, firewall and intrusion detection/prevention systems.

  3. Restoring availability and access to data:

The data processor must maintain a disaster recovery and business continuity plan that ensures restoration of data and access within a maximum of 24 hours (unsure of the exact number of hours) after an incident.

  4. Regular testing, assessment and evaluation:

Technical and organisational measures must be assessed regularly through quarterly vulnerability scans, annual penetration tests, and ongoing audits to ensure continued effectiveness and compliance with security requirements.

  5. Requirements for access to data via the Internet:

Remote access to personal data via the Internet must be encrypted with secure protocols such as HTTPS, VPN or other secure channels, and be protected by secure authentication mechanisms (two-factor authentication).

  6. Protection of data during transmission:

All transmissions of personal data must take place via encrypted channels (TLS 1.2 or higher) to ensure that personal data remain protected during transmission.

  7. Protection of data during storage:

Stored personal data must be encrypted at rest with industry-standard encryption algorithms and secured with robust key management practices to prevent unauthorised access.

  8. Physical security at data processing locations:

Data processing locations must have limited physical access, secured with access control systems such as key cards, biometric systems and/or security personnel. Server rooms and data centers must have environmental controls, monitoring and access logging.

  9. Use of home working/teleworking:

Teleworking or working from home must comply with the company's established security guidelines, including encrypted communications, secure remote connections (VPN), and physical security standards for equipment.

  10. Logging requirements:

The data processor must maintain secure, tamper-proof logs recording access to personal data, failed access attempts, changes to data and system operations, and these must be retained for at least 3 months. Logs must be reviewed regularly for unauthorised access or deviations.

C.3 Assistance to the data controller

The data processor shall, to the extent possible and within the scope and extent set out below, assist the data controller in accordance with Clauses 9.1 and 9.2 by implementing the following technical and organisational measures:

  • Establish procedures for assistance to the data controller.
  • Ensure that delivered solutions have appropriate technical features to support assistance to data controllers.

C.4 Retention period/deletion routine

Personal data are retained for 5 years + 4 weeks after the end of an accounting period for existing customers, after which they must be securely deleted or anonymised by the data processor. If a customer terminates the agreement, the data will be made available for export and retained for 4 weeks after termination.

Upon termination of the service relating to the processing of personal data, the data processor shall either delete or return the personal data in accordance with Clause 11.1, unless otherwise instructed by the data controller. Changes shall be documented and stored in writing, including electronically, together with this agreement.

C.5 Location of processing

Processing of personal data covered by the Clauses may not take place at locations other than the following without the prior written approval of the data controller:

See the locations in Annex B.

C.6 Instructions regarding the transfer of personal data to third countries

If the data controller does not provide documented instructions in these Clauses or subsequently regarding the transfer of personal data to a third country, the data processor is not entitled to carry out such transfers within the framework of these Clauses.

C.7 Procedures for the data controller's audits, including inspections, of the processing of personal data entrusted to the data processor

The data processor must, at its own expense, continuously obtain documentation of supervision carried out by an independent third party regarding the data processor's compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States, and these Clauses.

It is agreed between the parties that the following types of documentation may be used in accordance with these Clauses:

Audit reports containing control objectives from ISAE 3000 on GDPR

The documentation will be forwarded to the data controller without undue delay upon request.

Based on the documentation, the data controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States, and these Clauses.

The data controller or a representative of the data controller shall also have access to carry out inspections, including physical inspections, of the premises from which the data processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the data controller deems it necessary.

Any costs incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its inspection.

C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

Based on a risk assessment of each sub-processor, the data processor shall determine what type of supervision should be conducted and how often. Where the risk assessment requires it, the data processor shall regularly obtain, at its own expense, a supervision report from an independent third party regarding the sub-processor's compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States, and these Clauses.

It is agreed between the parties that the following types of documentation may be used in accordance with these Clauses:

Audit reports containing control objectives from ISAE 3000 on GDPR

The documentation will be forwarded to the data controller without undue delay upon request.

Based on the documentation, the data controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States, and these Clauses.

The data processor or a representative of the data processor shall also have access to carry out inspections, including physical inspections, of the premises from which the sub-processor carries out the processing of personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the data processor (or the data controller) deems it necessary.