Legal

Data Processing Agreement

Standard Contractual Clauses under GDPR Article 28(3) for personal data processing related to the Data & More Compliance Server.

Parties

Data Controller: The client organization.

Data Processor: Data & More ApS, Flaesketorvet 68, DK-1711 København V, CVR-nr.: 38185659.

Scope of Processing

Purpose: Data cleanup and visual overview of unnecessary/obsolete PII data for deletion; maintenance of the Data & More Compliance Server.

Nature: Retrieval and structuring of sensitive personal data from unstructured datasets (email accounts, file-sharing drives) per controller instructions.

Data types processed include: addresses, bank details, billing documents, dates of birth, emails, IP addresses, names, passwords, phone numbers, social security numbers, usernames, and various other organizational data.

Data subjects include: employees, former employees, job applicants, customers, suppliers, affiliates, and customer-related individuals.

Key Provisions

The processor acts only on documented controller instructions unless required by law. Access to personal data is restricted to authorized personnel bound by confidentiality obligations on a need-to-know basis.

Both parties implement appropriate technical and organizational measures per Article 32 GDPR, including pseudonymization, encryption, system resilience, and regular effectiveness testing.

Sub-processor engagement requires prior written authorization. Authorized sub-processor: Hetzner Online GmbH (DE812871812), Industriestr. 25, 91710 Gunzenhausen, Germany — server hosting and backup services.

Data breach notification is provided without undue delay, ideally within 24 hours. Upon service termination, the processor deletes all personal data and certifies completion.

Processor Contact

Kristian Boe Helweg Hansen, Customer Success & Compliance Manager. Phone: +45 60843418. Email: kbhh@dataandmore.com. Technical Support: support@dataandmore.com.