When you collaborate with Digi-Tal, we process certain personal data on your behalf. To ensure that your and your employees' data is processed safely, securely, and in accordance with applicable legislation, we have drafted this standard data processing agreement. This agreement constitutes an integral part of our general terms of service and your main agreement with us.
Parties to the Agreement
When you accept our terms of service, this data processing agreement is automatically entered into between:
- The Data Controller: The Client (you/your company)
- The Data Processor: Digi-Tal ApS (CVR: 41308427)
1. Background and Purpose
1.1. This Data Processing Agreement (“DPA”) is an appendix to the Main Agreement regarding accounting and advisory services (“the Main Agreement”) entered into between the parties.
1.2. The purpose of the DPA is to ensure that the Data Processor's processing of personal data on behalf of the Data Controller takes place in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).
2. Data Processor's Obligations
2.1. Processing according to instructions: The Data Processor may only process personal data on the basis of documented instructions from the Data Controller. The Main Agreement and this DPA constitute the Data Controller's full instructions. Any processing outside these instructions is only permitted if required under EU law or Member State law to which the Data Processor is subject.
2.2. Confidentiality: The Data Processor ensures that all persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy.
2.3. Processing security: The Data Processor takes all technical and organisational security measures required under GDPR Article 32. This includes, but is not limited to:
- a) Access control to systems and data to prevent unauthorised access, including securing access via two-factor authentication (2FA).
- b) Ensuring the confidentiality, integrity, and resilience of systems and services.
- c) Establishing procedures for backup and timely restoration of data in the event of physical or technical incidents.
- d) Procedures for regular testing and evaluation of the effectiveness of security measures.
2.4. Notification of security breaches: The Data Processor notifies the Data Controller without undue delay after becoming aware that a breach of personal data security has occurred. The notification must contain the information necessary for the Data Controller to comply with its notification obligation to the supervisory authority.
3. Assistance to the Data Controller
3.1. Taking into account the nature of the processing, the Data Processor assists the Data Controller in fulfilling its obligations to respond to requests from data subjects (e.g. right of access, erasure, rectification).
3.2. The Data Processor assists the Data Controller in ensuring compliance with the obligations in GDPR Articles 32-36, including notification of personal data breaches to the supervisory authority.
3.3. All work associated with assistance under sections 3.1 and 3.2 is invoiced on a time-spent basis at the Data Processor's applicable advisory rates.
4. Deletion and Return of Data
4.1. Upon termination of the Main Agreement, the Data Processor undertakes, at the Data Controller's choice, to delete or return all personal data to the Data Controller and delete existing copies, unless EU law or national law requires continued storage (e.g. under the Bookkeeping Act).
5. Use of Sub-processors
5.1. By accepting this DPA, the Data Controller gives a general prior authorisation for the Data Processor to use sub-processors.
5.2. The Data Processor uses the following sub-processors (grouped by function):
International Transfers and Case Processing
- Digi Tal Accounting DMCC, Dubai, UAE — Processing: Onboarding, customer service, bookkeeping, tax returns, advance tax assessments, payroll accounting, and budgeting.
Infrastructure, Cloud & Communication
- Microsoft Ireland Operations Ltd. — Azure, Office365, email, file storage.
- Google Ireland Ltd. — Google Drive, Workspace.
- Slack Technologies — Internal communication.
- Gather Presence Inc. / Gather.town — Internal communication.
Bookkeeping, Payroll & Annual Report
- E-conomic International A/S — Only applies to clients where Digi-Tal provides the licence.
- Payroll systems via accountant arrangement: Danlon A/S, Visma Datalon A/S, Salary, Zenegy, Intect, MDC Lon.
- Annual report and tax: Caseware, Reportability, Wolters Kluwer.
- Accounting robots and specific tools: Officebot ApS, Revibot ApS, Kontolink.
Automation & AI Models
- Integrations and data flow: Make.com, N8n, Zapier, Convex (database).
- AI language models for data and text processing: OpenAI (ChatGPT), Anthropic, Google (Gemini), xAI (Grok).
Signature
- Penneo A/S — Digital signing of documents and annual reports.
5.3. The Data Processor shall inform the Data Controller of any planned changes regarding the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object.
5.4. The Data Processor ensures that any sub-processor used is subject to the same data protection obligations as those set out in this DPA.
5.5. Transfer to third countries: If the Data Processor or a sub-processor transfers personal data to a country outside the EU/EEA, the Data Processor ensures that a valid transfer basis exists, e.g. the European Commission's Standard Contractual Clauses (SCCs).
6. Supervision and Audit
6.1. The Data Processor makes available to the Data Controller all information necessary to demonstrate compliance with GDPR Article 28.
6.2. The Data Processor allows and contributes to audits, including inspections, carried out by the Data Controller or another auditor authorised by the Data Controller. Costs associated therewith are borne by the Data Controller.
7. Duration and Entry into Force
7.1. This DPA enters into force simultaneously with the Main Agreement and is valid for as long as the Data Processor processes personal data on behalf of the Data Controller.
Scope and Purpose of Data Processing
a) Purpose of processing:
Fulfilment of the Main Agreement, including performance of bookkeeping, payroll administration, VAT reporting, reconciliations, and preparation of annual accounts.
b) Categories of data subjects:
- The Data Controller's employees.
- The Data Controller's customers and suppliers (contact persons).
- The Data Controller's owners and management.
c) Categories of personal data:
- Ordinary personal data: Name, address, email, phone number, position, bank details, salary information, purchase and sales history.
- Special categories/sensitive data: CPR numbers (solely in connection with payroll administration and reporting to public authorities).
d) Duration of processing:
Processing takes place during the term of the Main Agreement. Certain data is subsequently retained in accordance with the Bookkeeping Act and other applicable legislation.