
Data Processing Agreement

FlareTech's standard Data Processing Agreement.

When we process personal data on behalf of a client, we do so under a Data Processing Agreement. This is our standard template; the agreement that is actually signed is tailored to each engagement and provided separately.

Last updated: April 30, 2026

Introduction

This page describes FlareTech's standard Data Processing Agreement ("DPA") that we enter into with clients where we process personal data on the client's behalf — typically when we develop or operate a platform that contains personal data about the client's end users.

The DPA meets the requirements of GDPR Article 28, and the version that is actually signed is tailored to the specific engagement. This page describes the framework; the legally binding version is provided as a separate document before processing begins.

The parties

The agreement is entered into between two parties with clearly defined roles under GDPR:

The data controller
Our client — the company or organisation that determines the purposes of and means for processing the personal data.
The data processor
FlareTech, VAT (CVR) 46309162, Rs Hansensvej 15, 4520 Svinninge — processing personal data on behalf of the data controller under this agreement.

Subject matter and duration

The DPA governs FlareTech's processing of personal data on behalf of the data controller in connection with the service agreed in the main agreement (typically a development or operations agreement).

The DPA enters into force at the same time as the main agreement and runs for as long as FlareTech processes personal data on behalf of the data controller. Provisions on deletion, confidentiality and assistance continue to apply after the agreement ends, for as long as relevant.

Nature and purpose of processing

The nature and purpose of FlareTech's processing of personal data follow from the main agreement. Typically the processing covers:

  • Hosting and operation of the platform, including storage of data in databases and file systems.
  • Development, debugging and support where access to production data may be necessary.
  • Backup and restore of data as part of normal operation.
  • Monitoring and logging for security, performance and capacity purposes.
  • Communication with end users on the data controller's behalf (e.g. transactional emails) where it is part of the deliverable.

FlareTech processes personal data only on documented instructions from the data controller. The main agreement and this DPA constitute the documented instructions. Further instructions can be given in writing — for example via email.

Categories of personal data and data subjects

The specific categories of personal data and data subjects depend on the specific engagement and are specified in an annex to the signed DPA. Typically that includes:

Ordinary personal data
Name, email, phone number, user profile, login data, IP address, technical log files, content generated by users on the platform.
Sensitive data (special categories)
Processed only if it is explicitly part of the deliverable and specified in the annex — e.g. health data in a healthcare SaaS. Requires additional technical and organisational measures.
Categories of data subjects
End users of the client's platform, the client's employees, the client's customers, or others who interact with the platform — as specified in the annex.

Obligations of the data processor

FlareTech undertakes to:

  • Process personal data only on documented instructions from the data controller.
  • Ensure that persons processing the personal data are bound by confidentiality.
  • Implement and maintain appropriate technical and organisational security measures (cf. section 9).
  • Not engage a new sub-processor without the data controller's prior general or specific written authorisation (cf. section 8).
  • Assist the data controller in fulfilling its obligations under GDPR (cf. section 10).
  • Notify the data controller without undue delay after becoming aware of a personal data breach.
  • At the data controller's choice, delete or return all personal data at the end of the agreement.
  • Make available all information necessary to demonstrate compliance with the agreement, and allow for and contribute to audits (cf. section 13).

Sub-processors

FlareTech may use sub-processors to fulfil the agreement. With the DPA, the data controller gives a general prior authorisation for FlareTech to use sub-processors — provided FlareTech enters into a written agreement with each sub-processor that imposes the same data protection obligations as those in the DPA.

FlareTech maintains a current list of sub-processors and announces changes to the data controller with reasonable prior notice — typically 30 days — so the data controller has the opportunity to object. The standard list of typical sub-processors is set out in an annex to the signed DPA.

FlareTech remains fully liable to the data controller for the sub-processor's performance.

Security measures (TOMs)

FlareTech implements and maintains appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk of the processing. This includes — but is not limited to:

  • Encryption of data in transit (TLS 1.2+) and at rest where the vendors support it.
  • Access control following the least-privilege principle and role-based access (RBAC).
  • Multi-factor authentication (MFA) on all employee accounts and critical systems.
  • Secure development: code review, automated testing, dependency scanning and secrets management outside the codebase.
  • Logging and monitoring of access to production, with retention of logs up to 30 days (or longer for security investigations).
  • Backup procedures with periodic restore tests for critical systems.
  • Incident response procedures, including escalation paths, contacts and the obligation to notify the data controller without undue delay.
  • Regular evaluation and review of the security level.

Detailed TOMs for the specific engagement are specified in an annex to the signed DPA so the scope matches the actual risk picture.

Assistance to the data controller

FlareTech assists the data controller in fulfilling its obligations under GDPR, to the extent the nature of the processing allows. This includes:

  • Assistance with responding to requests from data subjects exercising their rights (access, rectification, erasure, objection, data portability).
  • Assistance with fulfilling obligations on security, breach notification and data protection impact assessments (DPIA).
  • Assistance with carrying out prior consultations with the Danish Data Protection Agency where required.

Assistance going beyond what naturally follows from the agreement may be invoiced separately at the standard rates in the main agreement.

Personal data breaches

FlareTech notifies the data controller without undue delay after becoming aware of a personal data breach. The notification includes, where possible:

  • A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records affected.
  • The name and contact details of a contact person at FlareTech who can provide more information.
  • A description of the likely consequences of the breach.
  • A description of the measures FlareTech has taken or proposes to take to address the breach and mitigate its consequences.

It is the data controller's responsibility to assess whether the breach triggers an obligation to notify the Danish Data Protection Agency and/or the data subjects. FlareTech assists with providing additional information.

Deletion or return of data on termination

Upon termination of the DPA, FlareTech shall, at the data controller's choice, delete or return all personal data to the data controller. The data controller must communicate its choice in writing no later than 30 days after the termination; failing such choice, FlareTech deletes the personal data after 90 days.

Backups and log files containing personal data are deleted under the standard rotation described in the annex. EU legal retention obligations (e.g. tax and bookkeeping) take precedence over the deletion requirement for the data they cover.

Audit and inspection

The data controller is entitled to audit compliance with the DPA. The audit may take place via:

  • FlareTech's own documentation (TOM description, security policies, log extracts, certificates).
  • Written questionnaires and follow-up answers.
  • Inspection at FlareTech's office with reasonable prior notice (typically 30 days), conducted by the data controller or an independent third party bound by confidentiality.

Inspections must not unduly disrupt FlareTech's normal operations. Costs of the inspection are borne by the data controller, unless the inspection uncovers material breaches of the DPA.

International data transfers

FlareTech's primary operating environment is located within the EU/EEA, and we aim for all processing to take place within the EU/EEA. If processing in a specific case involves transfer to a third country, it takes place only on the basis of a valid transfer mechanism, typically the European Commission's Standard Contractual Clauses (SCCs), supplemented by technical and organisational measures.

Any transfers to third countries are disclosed in the specific annex and may require specific authorisation from the data controller.

Governing law and jurisdiction

The DPA is governed by Danish law. Disputes arising in connection with the DPA shall be settled at the District Court of Holbæk as court of first instance, unless mandatory rules provide otherwise.

Questions and contact

To discuss the actual signed DPA for a specific engagement, or for questions about the contents, write or call:

FlareTech
Rs Hansensvej 15, 4520 Svinninge, Denmark
VAT (CVR)
46309162
Email
sales@flaretech.dk
Phone
+45 50 56 90 77
