Effective Date: 2026-04-27
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Eddytor Terms of Service available at https://www.eddytor.com/terms (the "Agreement") between Eddytor ApS, CVR DK42920673 ("Eddytor", "Processor") and the customer identified in the Agreement ("Customer", "Controller"). It applies whenever Eddytor processes Personal Data on behalf of Customer in connection with the Service.
This DPA is concluded pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") and, where applicable, the United Kingdom Data Protection Act 2018 and the UK GDPR. Where Personal Data is transferred outside the EU/EEA, the Standard Contractual Clauses ("SCCs") in the form of Commission Implementing Decision (EU) 2021/914 are incorporated by reference.
In case of conflict between this DPA and the Agreement on matters of data protection, this DPA prevails.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR or the Agreement.
- "Personal Data" has the meaning given in Article 4(1) GDPR and refers to Customer Personal Data processed by Eddytor under the Agreement.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Data Subject" has the meaning given in Article 4(1) GDPR.
- "Subprocessor" means any third party engaged by Eddytor to process Personal Data on behalf of Customer.
- "Standard Contractual Clauses" / "SCCs" means the EU Commission Standard Contractual Clauses (Decision (EU) 2021/914), Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor), as applicable.
- "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Danish Data Protection Act, and any other data protection or privacy law applicable to the parties' processing under the Agreement.
2. Roles and Scope
2.1 Customer is the Controller and Eddytor is the Processor of Personal Data processed under the Agreement.
2.2 Each party will comply with its obligations under Applicable Data Protection Law.
2.3 Customer warrants that (a) it has a lawful basis for the Processing, (b) it has provided all required notices and obtained all required consents from Data Subjects, and (c) the Processing instructed via the Service does not violate Applicable Data Protection Law.
3. Subject Matter, Duration, Nature, and Purpose
- Subject matter: Provision of the Eddytor Master Data Management Service.
- Duration: The term of the Agreement, plus any post-termination period required to delete or return Personal Data.
- Nature and purpose: Storing, querying, organising, transforming, and otherwise processing Customer's master data via Lakehouse tables in object storage controlled by Customer (BYO) or in the Eddytor-hosted sandbox; transmitting Personal Data to LLM providers selected by Customer when AI Actions are initiated by Customer.
- Categories of Data Subjects: As determined by Customer (typically employees, customers, suppliers, and other parties whose data Customer manages in the Service).
- Categories of Personal Data: As determined by Customer. Eddytor does not require any specific category of Personal Data and does not encourage Customer to upload Special Categories of Personal Data.
- Special Categories of Personal Data: Only if Customer chooses to process such data. Customer is responsible for any additional safeguards required.
4. Customer Instructions
4.1 Eddytor will process Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do so by EU or Member State law to which Eddytor is subject.
4.2 The Agreement, this DPA, and Customer's configuration and use of the Service constitute Customer's complete and final documented instructions.
4.3 Eddytor will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Confidentiality
Eddytor ensures that persons authorised to process Personal Data are bound by appropriate confidentiality obligations and have received adequate training on data protection.
6. Security
6.1 Eddytor implements appropriate technical and organisational measures pursuant to Article 32 GDPR, as described in Annex II (Technical and Organisational Measures, "TOMs").
6.2 Eddytor regularly reviews and updates these measures to maintain an appropriate level of security.
7. Subprocessors
7.1 Customer grants Eddytor a general authorisation to engage Subprocessors. The current list of Subprocessors is published at https://www.eddytor.com/subprocessors and is incorporated into this DPA by reference.
7.2 Eddytor will provide at least 30 days' prior notice (by email or in-app notice) of any addition or replacement of a Subprocessor. Customer may object to such change within the notice period for legitimate data-protection reasons by emailing privacy@eddytor.com. If the parties cannot reach a resolution, Customer may terminate the affected Service component without penalty.
7.3 Eddytor enters into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA.
7.4 Eddytor remains liable to Customer for the performance of each Subprocessor's data protection obligations.
8. Data Subject Rights
8.1 Taking into account the nature of the Processing, Eddytor will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests under Articles 15–22 GDPR.
8.2 If Eddytor receives a request from a Data Subject relating to Customer's Personal Data, Eddytor will forward the request to Customer without undue delay and will not respond directly except as instructed by Customer or required by law.
9. Personal Data Breach
9.1 Eddytor will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data.
9.2 The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach, and a contact point for further information.
10. Data Protection Impact Assessment
Eddytor will provide Customer with reasonable assistance in carrying out data protection impact assessments and prior consultations with supervisory authorities (Articles 35 and 36 GDPR), taking into account the nature of the Processing and information available to Eddytor.
11. Audits
11.1 Eddytor will make available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR.
11.2 Eddytor will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to:
- reasonable advance notice (at least 30 days, except where required earlier by a supervisory authority);
- audits being conducted no more frequently than once per 12 months, except in the case of a Personal Data Breach or as required by a supervisory authority;
- audits being conducted during normal business hours, in a manner that does not unreasonably interfere with Eddytor's operations;
- the auditor signing reasonable confidentiality undertakings;
- Customer bearing its own costs and Eddytor's reasonable costs of supporting the audit.
11.3 Where available, Eddytor may satisfy its audit obligations by providing certifications (such as SOC 2, once obtained) or third-party audit reports in lieu of an on-site audit.
12. International Transfers
12.1 Eddytor's self-developed services are operated within the EU. Where Personal Data is transferred to a Subprocessor or LLM provider located outside the EU/EEA, the parties rely on the SCCs (Module Two, Controller-to-Processor) and any additional supplementary measures as required by the Schrems II judgment of the Court of Justice of the European Union.
12.2 Where Customer is itself a Processor and Eddytor acts as a sub-processor, the parties rely on the SCCs Module Three (Processor-to-Processor) for any onward transfer outside the EU/EEA.
12.3 The parties agree to be bound by the SCCs as set out in Annex III.
13. Deletion and Return of Personal Data
13.1 At Customer's choice, Eddytor will delete or return all Personal Data after the end of the provision of services relating to Processing, and delete existing copies, unless EU or Member State law requires storage of the Personal Data.
13.2 Personal Data stored in Customer's own object stores (BYO) remains in Customer's control and is unaffected by termination of the Service. Personal Data stored in the Eddytor-hosted sandbox is deleted immediately on cancellation or downgrade.
13.3 Stored credentials (storage and LLM provider) are deleted from Eddytor's systems on termination.
14. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
15. Governing Law and Jurisdiction
This DPA is governed by the laws of Denmark, without prejudice to mandatory provisions of Applicable Data Protection Law. Any dispute arising out of or in connection with this DPA is subject to the jurisdiction set out in the Agreement.
16. Term and Termination
This DPA enters into force on the Effective Date and continues for the duration of the Agreement. Sections that by their nature should survive termination (including Sections 9, 11, 13, 14, and 15) survive the termination of this DPA.
A. List of Parties
- Data Exporter (Controller): The Customer identified in the Agreement.
- Data Importer (Processor): Eddytor ApS, CVR DK42920673, Denmark. Contact: privacy@eddytor.com / dpo@eddytor.com.
B. Description of Transfer
- Categories of Data Subjects: Determined by Customer; typically employees, customers, suppliers, and other individuals whose master data Customer manages in the Service.
- Categories of Personal Data: Determined by Customer; typically identifiers, contact data, employment data, transactional data, and other categories Customer chooses to manage as master data.
- Special Categories: Only if Customer elects to process; not required by the Service.
- Frequency of Transfer: Continuous, on-demand, for the duration of the Agreement.
- Nature of Processing: Storage, querying, transformation, schema management, audit logging, and AI-assisted operations initiated by Customer.
- Purpose of Processing: Provision of the Master Data Management Service.
- Retention Period: For the duration of the Agreement, subject to Section 13.
C. Competent Supervisory Authority
The Danish Data Protection Authority (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, Denmark.
Eddytor implements the following measures, which it may update from time to time provided the level of protection is not reduced.
1. Pseudonymisation and Encryption
- TLS 1.2+ for data in transit on all interfaces.
- Encryption at rest for credentials and secrets in Supabase Vault.
- Encryption at rest for sandbox storage in AWS eu-west-1.
2. Confidentiality, Integrity, Availability, and Resilience
- Role-based access control for Eddytor personnel.
- Multi-factor authentication required for administrative access.
- Network segmentation between production, staging, and development.
- Hardened production hosts in Hetzner Helsinki (Finland, EU).
3. Restoration of Availability
- Regular backups of metadata and configuration.
- Documented incident response procedures.
- Monitoring and alerting on critical services.
4. Regular Testing and Evaluation
- Periodic vulnerability scanning.
- Pre-release security review of changes.
- Logging and audit review.
- Working towards SOC 2 certification.
5. Access Controls
- Principle of least privilege for personnel access.
- Documented onboarding and offboarding procedures.
- Audit logs of administrative access to production systems.
6. Subprocessor Management
- Written DPAs with all Subprocessors.
- 30-day notice of additions or replacements.
- Documented review of Subprocessor security posture.
Where Personal Data is transferred from the EU/EEA to a country that has not received an adequacy decision, the parties agree that the SCCs (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable, are incorporated into this DPA by reference and apply as follows:
- Clause 7 (Docking clause): Optional clause applies.
- Clause 9 (Use of sub-processors): Option 2 (general written authorisation) applies, with a 30-day notice period.
- Clause 11 (Redress): The optional independent dispute resolution clause does not apply.
- Clause 17 (Governing law): The laws of Denmark.
- Clause 18 (Choice of forum and jurisdiction): The courts of Denmark.
- Annex I.A, I.B, I.C: As set out in Annex I above.
- Annex II: As set out in Annex II above.
- Annex III (List of sub-processors): As published at https://www.eddytor.com/subprocessors.
Where required, this DPA is executed electronically by Customer's acceptance of the Agreement and Eddytor's continued provision of the Service. Customers requiring a counter-signed copy may contact legal@eddytor.com.
Eddytor ApS CVR: DK42920673 Email: privacy@eddytor.com / dpo@eddytor.com / legal@eddytor.com