DPA
DATA PROCESSING AGREEMENT
Between
[Name of Data Controller] (the “Controller”)
and
Mensbo (the “Processor”)
Website: mensbo.com
(collectively the “Parties”)
1. Preamble
1.1 This Data Processing Agreement (“DPA”) sets out the Processor’s rights and obligations when processing personal data on behalf of the Controller.
1.2 This DPA is designed to ensure the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of 27 April 2016 (the “General Data Protection Regulation” or “GDPR”), concerning the protection of natural persons in relation to the processing of personal data and the free movement of such data.
1.3 In connection with the provision of web hosting, development, advisory services, and related digital products, the Processor processes personal data on behalf of the Controller in accordance with this DPA.
1.4 In case of any conflict between this DPA and other agreements between the Parties, the terms of this DPA shall prevail with respect to the processing of personal data.
1.5 This DPA includes four annexes (A, B, C, D), which form an integral part of the DPA.
1.6 Annex A contains detailed information about the data processing, including its purpose, nature, type of personal data, categories of data subjects, and duration of processing.
1.7 Annex B contains the Controller’s conditions for the Processor’s use of sub-processors and a list of sub-processors already approved by the Controller.
1.8 Annex C contains the Controller’s instructions regarding the Processor’s processing of personal data, including a description of the minimum security measures the Processor must implement, and information on how audits/inspections will be conducted.
1.9 Annex D contains provisions regarding any additional activities not covered by the main body of this DPA (optional).
1.10 The DPA and its annexes must be retained in writing (including electronically) by both Parties.
1.11 Nothing in this DPA releases the Processor from obligations it is subject to under the GDPR or other applicable law.
2. The Controller’s Rights and Obligations
2.1 The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see GDPR Article 24), other relevant EU data protection legislation, any applicable Member State laws, and this DPA.
2.2 The Controller retains the right and obligation to make decisions about the purposes and means of the processing of personal data.
2.3 The Controller is responsible, among other things, for ensuring there is a valid legal basis for the processing of personal data that the Controller instructs the Processor to perform.
3. The Processor Acts on Instructions
3.1 The Processor shall only process personal data in accordance with documented instructions from the Controller, unless required to do so by EU or Member State law to which the Processor is subject. Such instructions shall be specified in Annexes A and C.
3.2 Subsequent instructions may also be given by the Controller during the term of the processing, but such instructions must always be documented and kept in writing (including electronic form).
3.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.
3.4 The Processor agrees to process personal data solely for the purposes, during the period, and under the conditions prescribed by the Controller.
4. Confidentiality
4.1 The Processor shall only grant access to personal data being processed on behalf of the Controller to persons under the Processor’s authority who have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality, and only to the extent necessary. The list of such persons with access shall be reviewed on an ongoing basis, and access shall be removed if no longer necessary.
4.2 The Processor shall, upon request, demonstrate to the Controller that the relevant persons under the authority of the Processor are subject to the above confidentiality obligation.
5. Security of Processing
5.1 Under Article 32 GDPR, both the Controller and the Processor, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
5.2 These measures may include, as appropriate:
  (a) Pseudonymization and encryption of personal data.
  (b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
  (c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  (d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
5.3 Independently of the Controller, the Processor shall also assess the risks to the rights and freedoms of data subjects and implement measures to mitigate those risks. For this assessment, the Controller shall provide the Processor with the necessary information to identify and evaluate such risks.
5.4 The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations under Article 32 GDPR, inter alia by making available information regarding the technical and organizational security measures that the Processor has already implemented. If mitigating the identified risks, in the Controller’s judgment, requires additional measures beyond what the Processor has already implemented, the Controller shall specify these additional measures in Annex C.
6. Use of Sub-processors
6.1 The Processor shall meet the conditions laid down in Article 28(2) and 28(4) GDPR when engaging another processor (“Sub-processor”).
6.2 The Processor may not engage a Sub-processor for the performance of this DPA without the Controller’s prior general written authorization.
6.3 The Controller grants a general authorization for the Processor to use Sub-processors. The Processor shall notify the Controller in writing of any intended changes concerning the addition or replacement of Sub-processors with at least one (1) month’s notice, giving the Controller the opportunity to object to such changes before the Sub-processor is engaged. A longer notice period may be specified in Annex B for specific processing activities. A list of Sub-processors that the Controller has already approved is set out in Annex B.
6.4 Where the Processor engages a Sub-processor to carry out specific processing activities on behalf of the Controller, the Processor shall impose on the Sub-processor the same data protection obligations as set out in this DPA, such that the Sub-processor will be required to provide at least the same level of protection for the personal data as is required by this DPA and by the GDPR.
6.5 Upon request, the Processor shall provide the Controller with copies of the Sub-processor agreements (and any amendments thereto) to allow the Controller to verify that the same obligations regarding data protection as set out in this DPA have been imposed on the Sub-processor. Commercial terms that do not affect the data protection obligations may be redacted.
6.6 In the event of the Processor’s bankruptcy, the Processor shall ensure the Controller can enforce relevant rights directly against any Sub-processor (e.g., instruct the Sub-processor to delete or return the personal data).
6.7 If the Sub-processor fails to fulfill its data protection obligations, the Processor remains fully liable to the Controller for the performance of the Sub-processor’s obligations. This is without prejudice to the rights of data subjects under the GDPR, particularly Articles 79 and 82, against both the Controller and the Processor (including the Sub-processor).
7. Transfers to Third Countries or International Organizations
7.1 Any transfer of personal data to a third country or an international organization by the Processor shall only occur on the basis of documented instructions from the Controller and must always take place in compliance with Chapter V of the GDPR.
7.2 If a transfer is required by EU or Member State law to which the Processor is subject, the Processor shall inform the Controller of this legal requirement prior to processing, unless the law in question prohibits such notification on grounds of important public interests.
7.3 Without documented instructions from the Controller, the Processor shall not:
  (a) Transfer personal data to a data controller or a data processor in a third country or an international organization,
  (b) Allow the data to be processed by a Sub-processor in a third country, or
  (c) Process the data itself in a third country.
7.4 The Controller’s instructions regarding transfers of personal data to third countries (including the legal basis under Chapter V of the GDPR) shall be set out in Annex C.6.
7.5 This DPA must not be confused with the European Commission’s standard contractual clauses under Article 46(2)(c) or (d) GDPR, nor can it in itself constitute a valid transfer basis under Chapter V of the GDPR if actual transfers outside the EU/EEA occur.
(Note: Based on your information, Heroku, MongoDB, and HubSpot are hosting/storing data in the EU, and you currently do not intend to transfer data outside the EU/EEA. Hence, no specific third-country transfer mechanism is described here.)
8. Assistance to the Controller
8.1 Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR. This means the Processor shall, to the best of its ability, assist the Controller in ensuring compliance with, for example:
  (a) Duty to provide information when collecting personal data from the data subject.
  (b) Duty to provide information when personal data have not been obtained from the data subject.
  (c) The right of access by the data subject.
  (d) The right to rectification.
  (e) The right to erasure (“the right to be forgotten”).
  (f) The right to restriction of processing.
  (g) Notification obligation regarding rectification or erasure of personal data or restriction of processing.
  (h) The right to data portability.
  (i) The right to object.
  (j) The right not to be subject to a decision based solely on automated processing, including profiling.
8.2 In addition to the Processor’s obligation to assist the Controller pursuant to Section 8.1 above, the Processor shall also assist the Controller in ensuring compliance with:
  (a) The obligation to notify the relevant supervisory authority (e.g., the Danish Data Protection Agency) of a personal data breach without undue delay and, where feasible, within 72 hours after having become aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons).
  (b) The obligation to communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
  (c) The obligation to carry out a data protection impact assessment (DPIA) if the Controller’s processing is likely to result in a high risk to the rights and freedoms of data subjects.
  (d) The obligation to consult the relevant supervisory authority prior to processing if a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk.
8.3 The Parties shall agree in Annex C the appropriate technical and organizational measures by which the Processor is required to assist the Controller as well as the scope and the extent of such assistance.
9. Notification of Personal Data Breach
9.1 The Processor shall notify the Controller without undue delay after becoming aware of any personal data breach.
9.2 Such notification should ideally be provided within 60 hours of the Processor becoming aware of the breach, so the Controller can comply with its obligation to notify the supervisory authority (within 72 hours).
9.3 In accordance with Section 8.2(a), the Processor shall assist the Controller in notifying the breach to the supervisory authority. This means that the Processor shall help compile the following information, which must be included in the Controller’s notification under GDPR Article 33(3):
  (a) A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  (b) The likely consequences of the personal data breach.
  (c) The measures taken or proposed by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.4 The specific information the Processor must provide for purposes of assisting the Controller with personal data breach notification is set out in Annex C.
10. Deletion and Return of Data
10.1 Upon termination of the services relating to the processing of personal data, the Processor shall, at the choice of the Controller, either delete all personal data processed on the Controller’s behalf and confirm to the Controller that it has been deleted, or return all personal data to the Controller and delete existing copies, unless EU or Member State law requires storage of the personal data.
11. Audits and Inspections
(If you do not wish to provide an audit right, please note that under GDPR Article 28(3)(h), the Controller must be able to audit the Processor. You can adjust the text as needed, but some form of inspection right is typically required.)
11.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and this DPA and shall allow for and contribute to audits, including on-site inspections, conducted by the Controller or another auditor mandated by the Controller.
11.2 The procedures for such audits and inspections, including with regard to any Sub-processor(s), are set out in Annex C.7 and C.8.
11.3 The Processor is obliged to grant the competent supervisory authorities, upon production of appropriate identification, access to the Processor’s facilities.
12. Other Provisions Agreed by the Parties
12.1 The Parties may agree to include other clauses regarding the provision of the service involving the processing of personal data, for example, relating to liability/indemnity. Such clauses must not contradict or undermine this DPA or the data subjects’ rights and freedoms under the GDPR.
12.2 If any such additional clauses apply, they may be set out in Annex D (optional).
13. Commencement and Termination
13.1 This DPA shall enter into force on the date it is signed by both Parties (or otherwise agreed to) and remains in effect as long as the Processor processes personal data on behalf of the Controller.
13.2 Either Party may request renegotiation of this DPA in the event of changes to the law or identified deficiencies that necessitate amendments.
13.3 This DPA cannot be terminated for convenience as long as the Processor processes personal data on behalf of the Controller, unless the Parties have entered into another valid data processing agreement.
13.4 If the provision of the services involving processing of personal data ends, and the Processor has deleted or returned the data in accordance with Section 10, either Party may terminate this DPA with written notice.
14. Contact Persons
14.1 The Parties may contact each other via the contact persons listed below.
14.2 The Parties shall be under an obligation to inform each other in writing of any changes regarding contact persons.
For the Controller
Name:
Title:
Telephone:
Email:
For the Processor (Mensbo)
Name: Martin Mensbo Christiansen
Title: CPO
Telephone: 93630495
Email: martin@mbdesign.nu
Signatures
On behalf of the Controller:
Name:
Title:
Date:
Signature: ____________________________
On behalf of Mensbo (Processor):
Name:
Title:
Date:
Signature: ____________________________
Annex A: Information on the Processing
A.1. The Purpose of the Processing
The Processor assists the Controller with services such as website hosting, application development, and/or related digital/marketing services.
A.2. Nature of the Processing
- The Processor may access personal data within the systems to which the Controller grants access, in order to provide the contracted services (e.g., development, troubleshooting, analytics, updates).
A.3. Categories/Types of Personal Data
- The specific categories of personal data depend on the Controller’s use of the systems but may include typical data fields for website or application users (e.g., names, email addresses, phone numbers).
- Sensitive personal data (special categories) are only processed if expressly agreed and instructed by the Controller.
A.4. Categories of Data Subjects
- Potentially:
  - Website users/customers.
  - Employees or contractors of the Controller (if relevant).
  - Any other data subjects whose personal data is stored in the Controller’s systems relevant to the Processor’s services.
A.5. Systems in Scope
- The processing is limited to the specific systems or applications for which the Processor has been engaged, such as websites, hosting environments, databases, CRM systems, and analytics tools.
A.6. Duration of the Processing
- The Processor will process personal data for as long as the Parties have a contractual relationship for the relevant service(s), until this DPA (or the main service agreement) is terminated and any personal data is deleted or returned in accordance with Section 10.
Annex B: Sub-processors
Below is a list of Sub-processors that the Controller has approved as of the effective date of this DPA.
| Sub-processor Name | Address / HQ (if public) | Description of Processing |
|---|---|---|
| Heroku | Salesforce UK Limited, Floor 26, Salesforce Tower, 110 Bishopsgate, London, EC2N 4AY (EU data centers) | Cloud hosting for Mensbo’s applications. |
| MongoDB | MongoDB Europe (various EU data centers) | Database storage for application data. |
| HubSpot | HubSpot European data centers | Contact data management (CRM) and marketing automation. |

B.1. Notification of New Sub-processors
- Mensbo will notify the Controller in writing (email is sufficient) about any intended changes to Sub-processors at least one (1) month in advance, giving the Controller the opportunity to object.
B.2. Changes in Sub-processors
- The Controller has provided general approval for Mensbo to change or add Sub-processors for the services described, provided that Mensbo informs the Controller and ensures that the new Sub-processor is bound by obligations at least as strict as those contained in this DPA.
Annex C: Instructions on Processing of Personal Data
Below is a high-level outline of the instructions from the Controller regarding the Processor’s processing of personal data, including the minimum technical and organizational measures, assistance obligations, and other relevant details.
C.1. Processing Instructions
- The Processor shall only process personal data for the purpose of delivering the agreed services under the main service agreement (e.g., hosting, development, maintenance, marketing services).
- The Processor shall not use the personal data for any other purposes unless explicitly instructed in writing by the Controller.
C.2. Security Measures
- Mensbo shall implement appropriate technical and organizational security measures as required by Article 32 GDPR, including (where relevant):
  - Use of secure connections (HTTPS/SSL/TLS) when transmitting data over the internet.
  - Access control and authentication measures, ensuring only authorized personnel can access systems containing personal data.
  - Regular backups and the ability to restore data.
  - Logical separation of customer environments (multi-tenant solutions).
  - Processes for handling security incidents (including breach notification).
- Mensbo shall regularly review these measures and update them as needed.
C.3. Assistance with Data Subjects’ Rights
- Upon the Controller’s request, Mensbo shall assist in handling data subjects’ requests (access, rectification, erasure, restriction, data portability, objection, etc.).
- The Controller remains responsible for responding to the data subject’s request. Mensbo’s role is to facilitate or provide tools/data as instructed.
C.4. Deletion/Return of Data
- Upon termination of the service, Mensbo shall either delete or return all personal data (at the Controller’s choice), unless EU or Member State law requires retention.
- Mensbo shall confirm in writing once data is deleted, if the Controller requests such confirmation.
C.5. Personal Data Breach Notification
- Mensbo shall notify the Controller without undue delay (and ideally within 60 hours) if it becomes aware of a personal data breach.
- Mensbo shall include all relevant information it possesses that helps the Controller fulfill the Article 33 GDPR obligations (e.g., nature of the breach, likely consequences, measures taken).
C.6. Transfer of Data Outside EU/EEA
- Mensbo currently uses only EU-based data centers for Heroku, MongoDB, and HubSpot. No transfers to third countries are foreseen.
- Should Mensbo need to transfer data outside the EU/EEA, it will only do so upon the Controller’s explicit instruction and subject to a valid transfer mechanism under Chapter V of the GDPR (e.g., Standard Contractual Clauses).
C.7. Audit and Inspection
- The Controller (or an independent auditor on its behalf) is entitled to request documentation or conduct on-site audits (during normal business hours and with reasonable notice) to verify Mensbo’s compliance with this DPA.
- Mensbo shall provide relevant information and support, subject to any necessary confidentiality restrictions.
C.8. Monitoring of Sub-processors
- Mensbo shall ensure that all Sub-processors are contractually bound by the same data protection obligations as in this DPA.
- The Controller retains the right to request relevant information about Sub-processors or to object to changes under Section 6 of this DPA.