Data Processing Agreement
Between the Customer and Proper ApS. Together with the Customer, the Parties and separately a Party.
1. Scope of the Agreement
1.1 This Agreement reflects the Parties’ agreement with regard to the processing of personal data.
1.2 Proper ApS acts as a data processor for the Customer, as Proper ApS processes personal data for the Customer as set out in Annex 1.
1.3 The personal data to be processed by Proper ApS concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1.
1.4 “Personal data” means any information relating to an identified or identifiable natural person, see article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation “GDPR”). If other confidential information than personal data is processed for the purpose of fulfilling the Agreement, e.g. information considered confidential according to the Financial Business Act, any reference to “personal data” shall include the other confidential information. Sensitive Data and Special Category Data will not be processed pursuant to this DPA and the Customer warrants and represents that the Customer will not be sharing, disclosing or otherwise transferring such data to Proper ApS.
2. Processing of Personal Data
2.1 Instructions: Proper ApS is instructed to process the personal data only for the purposes of providing the data processing services set out in Annex 1. Proper ApS may not process or use the Customer’s personal data for any other purpose than provided in the instructions, including the transfer of personal data to any third country or an international organisation, unless Proper ApS is required to do so according to Union or member state law. In that case, Proper ApS shall inform the Customer in writing of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.2 If the Customer in the instructions in Annex 1 or otherwise has given permission to a transfer of personal data to a third country or to international organisations, Proper ApS must ensure that there is a legal basis for the transfer, e.g. the EU Commission’s Standard Contractual Clauses for the transfer of personal data to third countries.
2.3 If Proper ApS considers an instruction from the Customer to be in violation of the GDPR, or other Union or member state data protection provisions, Proper ApS shall immediately inform the Customer in writing about this.
2.4 If Proper ApS is subject to legislation of a third country, Proper ApS declares not to be aware of the mentioned legislation preventing Proper ApS from fulfilling the Agreement. Proper ApS will notify the Customer in writing without undue delay, if Proper ApS becomes aware of such hindrance.
3. Proper ApS’s General Obligations
3.1 Proper ApS must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Proper ApS shall implement appropriate technical and organisational measures to prevent that the personal data processed is:
- accidentally or unlawfully destroyed, lost or altered,
- disclosed or made available without authorisation, or
- otherwise processed in violation of applicable laws, including the GDPR.
3.3 Proper ApS must also comply with any special data security requirements that apply to the Customer, e.g. as potentially outlined in Annex 1 or as otherwise required by the Customer, and with any other applicable data security requirements that are directly incumbent on Proper ApS; including the data security requirements in the country of establishment of Proper ApS or in the country where the data processing will be performed.
3.4 The appropriate technical and organisational security measures must be determined with due regard for:
- the current state of the art,
- the cost of their implementation, and
- the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.5 Proper ApS shall upon request provide the Customer with sufficient information to enable the Customer to ensure that Proper ApS complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented.
3.6 Proper ApS must give authorities who by Union or member state law have a right to enter the Customer’s or the Customer’s supplier’s facilities, or representatives of the authorities, access to Proper ApS’s physical facilities against proper proof of identity.
3.7 Proper ApS must without undue delay after becoming aware of the facts in writing notify the Customer about:
- any request for disclosure of personal data processed under the Agreement by authorities, unless expressly prohibited under Union or member state law,
- any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by Proper ApS under the Agreement, or (b) other material failure to comply with Proper ApS’s obligations under Clause 3.2 and 3.3 in this Agreement.
3.8 Proper ApS must promptly assist the Customer with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, restriction or deletion. Proper ApS must also assist the Customer by implementing appropriate technical and organisational measures, for the fulfillment of the Customer’s obligation to respond to such requests.
3.9 Proper ApS must assist the Customer with meeting the other obligations that may be incumbent on the Customer according to Union or member state data protection law where the assistance of Proper ApS is implied, and where the assistance of Proper ApS is necessary for the Customer to comply with its obligations. This includes, but is not limited to, at request to provide the Customer with all necessary information about an incident under Clause 3.7 (ii), and all necessary information for an impact assessment in accordance with article 35 and 36 of the GDPR.
3.10 Any services from Proper ApS as set out in Annex 4 or clause 3.6 and 3.8 to 3.9 are billable and will be charged in accordance with the price list made available to the Customer upon concluding this Agreement.
3.11 In Annex 1, Proper ApS has stated the location of the processing used to provide the data processing services. Proper ApS undertakes to inform the Customer about any changes to the location by providing a prior written notice of 30 days to the Customer. This does not require a formal amendment of Annex 1, but Proper ApS must give prior written notice by mail or email.
4. Sub-data Processors
4.1 Proper ApS may engage a sub-data processor. At the time of the Agreement, Proper ApS uses the sub-data processors set out in Annex 2. Proper ApS undertakes to inform the Customer of any intended changes concerning the addition or replacement of a sub-data processor by providing 30 days prior written notice to the Customer. The Customer may object to the use of a sub-data processor if such objection is relevant and reasoned in regards to data protection issues. If the objection is relevant and reasoned, Proper ApS may suggest a new sub-data processor in order for the Customer to accept that one or give the Customer the right to cancel the Agreement (at Proper ApS’ sole discretion). For avoidance of doubt, the discontinuance of sub-data processors do not require written notices to the Customer.
4.2 Prior to the engagement of a sub-data processor, Proper ApS shall conclude a written agreement with the sub-data processor, in which at least the same data protection obligations as set out in the Agreement shall be imposed on the sub-data processor, including an obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
4.3 The Customer has the right to receive a copy of Proper ApS’s agreement with the sub-data processor as regards the provisions related to data protection obligations. Proper ApS shall remain fully liable to the Customer for the performance of the sub-data processor’s obligations.
5. Confidentiality
5.1 Proper ApS shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis.
6. Amendments and Assignments
6.1 The Parties may at any time agree to amend this Agreement. Amendments must be in writing and the Customer accepts that notifications about such amendments can be made via email or via the Customer’s Proper ApS account.
6.2 Neither party may assign this Agreement without the prior written consent of the other party. Notwithstanding the foregoing, both parties may assign their rights and obligations under this Agreement in connection with a consolidation, merger, acquisition or sale of substantially all of its assets, shares or activities without the prior written consent of the other party.
7. Term and Termination
7.1 The Agreement enters into force on the Effective Date and remains in force until terminated by one of the Parties.
7.2 Each party may terminate the Agreement upon 30 days written notice.
7.3 Regardless of the terms of the Agreement, the Agreement shall be in force as long as Proper ApS processes the personal data, for which the Customer is data controller.
7.4 On termination of the Agreement Proper ApS shall on the Customer’s request immediately delete all personal data, which Proper ApS is processing for the Customer, unless Union or member state data protection law requires storage of the personal data.
8. Priority
8.1 If any of the provisions of the Agreement conflicts with the provisions of any other written or oral agreement concluded between the Parties, then the provisions of the Agreement shall prevail. However, the requirements in Clause 3 do not apply to the extent that the Parties in another agreement have set out stricter obligations for Proper ApS. Furthermore, the Agreement shall not apply if and to the extent the EU Commission’s Standard Contractual Clauses for the transfer of personal data to third countries are concluded and such clauses set out stricter obligations for Proper ApS and/or for sub-suppliers.
Annex 1: Processing Activities
This Annex constitutes the Customer’s instruction to Proper ApS in connection with Proper ApS’ data processing for the Customer, and is an integrated part of the Agreement.
| Type | Categories of data | Data subjects | Purpose | Processing locations | Nature of processing |
|---|---|---|---|---|---|
| Ordinary | Contact details such as name, email, address and telephone/mobile number; payment and billing history, bank details and account information; information about agreements in place between the Customer and their customers and the content of these agreements; communication between the Customer and their customers via the Proper Platform. | Customer’s customers / tenants | To deliver our services to our customers in accordance with the specific Agreement in place between Proper and the Customer. This may include subscription management, collection of payments, reminders to payers / debtors and to enable the Customer to process and manage data about their customers / tenants. | Denmark, EU/EEA, United Kingdom, Ireland, United States | Collecting, storing, and processing of personal data on behalf of the Customer. |
Annex 2: List of Sub-data Processors
| Company | Address | Service | Description | Purpose | Location |
|---|---|---|---|---|---|
| Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, L-1855 Luxembourg | AWS Hosting | Hosting of data | Proper use Amazon AWS as our infrastructure for all parts of our product. | Ireland |
| Asana, Inc. | 633 Folsom Street Suite 100, San Francisco, CA 94107 | Asana | Web and mobile application for team work management | Proper use Asana for work management. | United States |
| IVXS UK Limited | 86-90 Paul St, London EC2A 4NE, United Kingdom | ComplyAdvantage | Financial crime risk technology | Proper use ComplyAdvantage to manage KYC and AML. | United Kingdom |
| Contractbook ApS | Masnedøgade 22, 2100 Copenhagen, Denmark | Contractbook | Contract management platform | Proper use Contractbook for signing legal documents. | Denmark |
| Danske Bank A/S | Holmens Kanal 2-12, DK-1092 Copenhagen | Danske Bank | Banking and financial services | Proper use Danske Bank for reconciling payments. | Denmark |
| DocSpring, Inc. | 2035 Sunset Lake Road, Suite B-2, Newark, Delaware 19702, USA | DocSpring | PDF form generation platform | Proper use DocSpring to generate documents. | United States |
| Mailgun Technologies, Inc. | 112 E Pecan St. #1135, San Antonio, TX 78205, USA | Mailgun | Transactional email | Proper use Mailgun to send transactional emails. | EU/EEA |
| Twilio, Inc. | 101 Spear Street, Suite 300, San Francisco, CA 94105, USA | Twilio | Two-factor authentication | Proper use Twilio to send transactional messages. | United States |
| Vercel Inc. | 440 N Barranca Ave #4133, Covina, CA 91723, USA | Vercel | Frontend hosting platform | Proper use Vercel to host part of our product. | EU/EEA |
| Zapier, Inc. | 548 Market St. #62411, San Francisco, CA 94104, USA | Zapier | Online automation tool | Proper use Zapier to connect apps and services. | United States |
| Zendesk, Inc. | 989 Market Street, San Francisco, CA 94103, USA | Zendesk | Customer service software | Proper use Zendesk to manage our support. | EU/EEA |
| Google Cloud EMEA Limited | 70 Sir John Rogersons Quay, Dublin, Ireland | Google Workspace | Cloud productivity and collaboration tools | Proper use Google Workspace for collaboration and productivity internally. | Ireland |
Annex 3: Security Setup
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of the rights and freedoms of natural persons, Proper ApS has implemented the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
Annex 4: Audits
Proper ApS accepts and agrees to the Customer being able to conduct audits in the manner chosen by the Customer. The audits may be conducted as written audits or as inspections at Proper ApS’s location. The Customer must give Proper ApS 30 days prior written notice of inspections at Proper ApS’s location.
The Customer is entitled at its own cost to appoint an independent expert who shall have access to Proper ApS’s location and receive the necessary information in order to be able to audit whether Proper ApS complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented. The expert shall upon Proper ApS’s request sign a customary non-disclosure agreement, and treat all information obtained or received from Proper ApS confidentially, and may only share the information with the Customer and Proper ApS.
Proper ApS shall cooperate with the Customer without undue delay and provide the Customer with requested signed declarations, statements and similar to verify the compliance with this DPA and GDPR.
Annex 5: International Transfers
Where a transfer of personal data occurs between Proper ApS and a sub-data processor located outside of the EEA, the transfer of personal data will include one of the following appropriate safeguards, as applicable:
(i) The adoption by the parties of the EU model clauses resulting from the EU Commission implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
(ii) Any other appropriate safeguards recognized by the European Data Protection Regulation 2016/679 such as an adequacy decision, an approved code of conduct or an appropriate certification mechanism.
Questions about this DPA?
If you have questions about how Rumli processes personal data, or if you would like to execute a signed copy of this DPA, please reach out to our Data Protection team.