§1 Parties, background and precedence
This Data Processing Agreement ("DPA") is entered into between the customer identified in the main agreement ("Customer", acting as data controller) and PowerQuant ApS, CVR 46274067, Denmark ("PowerQuant", acting as data processor). It forms an integral part of the main agreement (order confirmation or Design Partner Agreement). In case of conflict regarding processing of personal data, this DPA prevails over the main agreement.
§2 Definitions, roles and duration
Terms such as "personal data", "processing", "controller" and "processor" have the meaning given in Regulation (EU) 2016/679 ("GDPR"). Customer is controller; PowerQuant is processor. This DPA applies for as long as PowerQuant processes personal data on behalf of Customer and survives termination of the main agreement until deletion/return per §11 is completed.
§3 Scope of processing
| Item | Description |
|---|---|
| Categories of data subjects | Customer's employees, contractors, applicants (where the AI inventory references them) |
| Types of personal data | Names, emails, employment roles, AI-system access permissions; NO special categories (Article 9) |
| Purposes of processing | Generation of compliance evidence (Annex IV documentation, Article 4 register, Module 2 deliverables) |
| Duration | Length of contract + 7 years (audit trail) |
§4 Sub-processors (Art. 28(2) and 28(4))
Customer grants a general written authorisation to the sub-processors listed at /trust/sub-processors. PowerQuant gives 30 days' notice of intended changes; Customer has a 14-day objection window. PowerQuant imposes the same data-protection obligations as set out in this DPA on every sub-processor by written contract and remains fully liable to Customer for the sub-processor's performance.
§5 Processing only on documented instructions (Art. 28(3)(a))
PowerQuant processes personal data only on documented instructions from Customer — including with regard to transfers to third countries — unless required to do so by Union or Member State law; in that case PowerQuant informs Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. PowerQuant immediately informs Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. The main agreement and this DPA constitute the complete initial instructions.
§6 Confidentiality (Art. 28(3)(b))
PowerQuant ensures that all persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to persons with a need-to-know for the purposes in §3.
§7 Security measures (Article 32)
- Encryption at rest (LUKS volumes, Supabase native)
- Encryption in transit (TLS 1.3)
- Access control (RBAC + MFA)
- Audit log (Ed25519-signed)
- Backup (30-day rolling, encrypted)
- Incident detection (Trivy + UFW + fail2ban + 24/7 alerting)
- Penetration testing (post-Day-180 milestone)
§8 Personal data breach notification (Art. 33(2))
PowerQuant notifies Customer without undue delay — and no later than 48 hours — after becoming aware of a personal data breach affecting Customer's personal data. The notification includes, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, measures taken or proposed, and a contact point. Information may be provided in phases as it becomes available.
§9 Assistance to Customer (Art. 28(3)(e)-(f))
- Article 32 security measures (technical + organisational)
- Articles 33-34 breach notification support (input within the 48h window in §8)
- Article 35 DPIA (Customer-side; PowerQuant provides technical input — see /trust/dpia)
- Article 36 prior consultation (where applicable)
- Articles 12-22 data subject requests: PowerQuant forwards any request received directly and assists with appropriate technical and organisational measures, insofar as possible
§10 International transfers (SCCs)
For US-hosted sub-processors, Standard Contractual Clauses Module 2 (controller-to-processor, EU 2021/914) are attached as Annex 1 of the executed DPA, supplemented where relevant by transfer impact assessments.
§11 Return or deletion of data (Art. 28(3)(g))
On termination of the contract, PowerQuant returns or deletes the personal data, at Customer's choice, within 30 days:
- Customer data deleted from active systems
- Backups purged within 60 days (30-day rolling retention + 30-day SLA)
- Identifying tags in the audit log redacted; the cryptographic chain is preserved per Article 17(3)(b) GDPR — legal obligation for audit-trail integrity
§12 Audit rights (Art. 28(3)(h))
PowerQuant makes available all information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections:
- 30 days' notice
- Once per year unless triggered by suspected breach
- During business hours
- Customer-paid
- Subject to mutual NDA
§13 Liability, governing law and venue
Liability follows the main agreement's liability regime. This DPA is governed by Danish law; venue is the City Court of Copenhagen. If any provision is invalid, the remainder stays in force and the invalid provision is replaced by a valid provision reflecting the original intent.
Annexes
- Annex 1: SCCs Module 2 full text (EU 2021/914) — attached at signature for US transfers
- Annex 2: Technical and Organisational Measures (TOMs) — §7 above, cross-walked to ISO 27002
- Annex 3: Live sub-processor list — /trust/sub-processors
Changelog: v1.0 (2026-06-12) — complete agreement; replaces the skeleton version. Next planned revision: after external legal review, Q3 2026.