Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between 3RD ApS ("Processor", "3RD") and the customer ("Controller", "Customer") regarding the provision of 3RD's SaaS platform and related services (the "Services").

This DPA governs the processing of personal data that 3RD performs on behalf of the Customer in connection with the Services, and is entered into in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

1. Definitions

In this DPA, the following terms have the meanings set forth below:

• Personal Data: Information as defined in GDPR Art. 4(1)
• Processing: Any activity as defined in GDPR Art. 4(2)
• Controller: The legal entity that determines the purposes and means of processing personal data
• Processor: The legal entity that processes personal data on behalf of the Controller
• Sub-processor: Any third-party processor engaged by the Processor
• Customer Data: All personal data that the Customer collects, uploads or otherwise makes available through the Services
• Data Protection Laws: GDPR and other applicable data protection legislation

2. Subject Matter and Purpose of Processing

2.1 Purpose of Processing

The Processor shall process Customer Data solely for the purpose of providing the Services in accordance with the Terms and Conditions and the Customer's documented instructions.

2.2 Nature of Processing

Processing includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, deletion and destruction.

2.3 Categories of Data Subjects

Processing may include personal data concerning:

• Customer's employees and users
• Customer's customers and end users
• Other persons identified in Customer Data

2.4 Categories of Personal Data

Processing may include the following categories:

• Identification information (name, email, username)
• Contact information (phone number, address)
• Company information (job title, organization)
• Usage data (log data, IP addresses, activity)
• Technical data (device information, cookies)
• Other Customer Content submitted through the Services

Special categories of personal data (GDPR Art. 9) must not be processed through the Services unless explicitly agreed in writing.

3. Processor's Obligations

3.1 Processing According to Instructions

The Processor shall:

• Process Customer Data solely according to documented instructions from the Customer
• Notify the Customer if, in the Processor's opinion, an instruction violates GDPR or other data protection laws
• Not process Customer Data for its own purposes or transfer data to third parties without the Customer's prior written consent

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Customer Data:

• Are subject to a duty of confidentiality or professional secrecy
• Have access only to the data necessary to fulfill their duties
• Are appropriately instructed and trained in data protection

3.3 Security Measures

The Processor implements appropriate technical and organizational measures pursuant to GDPR Art. 32:

Technical Measures:

• Encryption in transit (TLS 1.2 or higher)
• Encryption of sensitive data at rest
• Access control and authentication (MFA where relevant)
• Regular backup and disaster recovery
• Network segmentation and firewall protection
• Logging and monitoring of system access

Organizational Measures:

• Security policies and procedures
• Employee training in information security
• Incident response procedure
• Regular security reviews and audits
• Access control based on need-to-know principle
• Secure software development lifecycle (SDLC)

3.4 Assistance to the Controller

The Processor shall, taking into account the nature of processing and the information available to the Processor, assist the Customer with:

• Implementation of appropriate technical and organizational measures
• Fulfillment of the Customer's obligations to respond to data subject requests (GDPR Chapter III)
• Ensuring security of processing
• Notification of personal data breaches to supervisory authorities
• Data protection impact assessment (DPIA), if relevant
• Prior consultation with supervisory authorities, if relevant

Such assistance may, if it requires significant effort beyond normal operation of the Services, be invoiced at the Processor's then-current hourly rate.

4. Sub-processors

4.1 General Authorization

The Customer hereby grants general authorization for the Processor to use sub-processors for delivery of the Services, provided that:

• The sub-processor is subject to the same data protection obligations as the Processor
• The Processor remains fully liable to the Customer

4.2 List of Sub-processors

A current list of sub-processors is available at:

https://trust.get3rd.com/subprocessors

The list includes:

• Sub-processor's name and contact information
• Location of data processing
• Description of processing activity

4.3 Notice of Changes

The Processor shall notify the Customer of planned changes regarding addition or replacement of sub-processors at least 30 days before the change takes effect.

Notice is provided via:

• Email to the Customer's registered contact person
• Update at https://trust.get3rd.com/subprocessors

4.4 Right to Object

If the Customer has reasonable and documented objections to a new or changed sub-processor for data protection reasons, the Customer must object in writing within 14 days after receipt of notice.

If the objection cannot be accommodated, the Customer has the right to terminate the agreement with effect from the date when the new sub-processor would be used.

5. International Transfers

5.1 Transfer to Third Countries

Processing of Customer Data may take place in countries outside the EU/EEA, including through the use of third-party LLMs from providers based in the USA.

5.2 Transfer Mechanisms

The Processor ensures that international transfers are based on one of the following:

• EU Commission Standard Contractual Clauses (SCC)
• EU Commission adequacy decision
• Approved certification mechanisms
• Other GDPR-approved transfer mechanisms

5.3 Supplementary Measures

Where relevant, the Processor implements supplementary technical and organizational measures to ensure an adequate level of protection, including encryption and pseudonymization.

6. Personal Data Breaches

6.1 Notification

The Processor shall, without undue delay and no later than 48 hours after becoming aware of a personal data breach, notify the Customer.

6.2 Content of Notification

The notification shall include at minimum:

• Description of the breach, including categories and number of affected data subjects and data records
• Contact point for further information
• Description of likely consequences
• Description of implemented or proposed remedial measures

6.3 Documentation

The Processor shall document all personal data breaches and, upon request, make the documentation available to the Customer and supervisory authority.

7. Deletion and Return of Data

7.1 Upon Termination of Agreement

Upon termination of the Services, the Processor shall, at the Customer's choice:

• Delete all Customer Data, or
• Return Customer Data in a structured, commonly used and machine-readable format

7.2 Export Period

The Customer has the right to export Customer Data for up to 30 days after termination of the subscription, unless termination is due to the Customer's material breach.

7.3 Deletion

After expiry of the export period, the Processor deletes all Customer Data, including any copies, with the following exceptions:

• Backup copies may be retained for up to 90 days as part of normal backup rotation
• Data may be retained in anonymized or aggregated form
• Data may be retained to the extent required by applicable law

7.4 Confirmation

The Processor may, upon request, issue written confirmation that Customer Data has been deleted.

8. Audit and Inspection

8.1 Right to Audit

The Customer has the right to conduct an audit or have an independent auditor conduct an inspection of the Processor's processing of Customer Data to verify compliance with this DPA and GDPR.

8.2 Documentation and Certifications

The Processor makes the following documentation available:

• Security policies and procedures (in anonymized form)
• Relevant certifications (ISO 27001, SOC 2 Type II, if available)
• Third-party audits and penetration tests (summary reports)

8.3 On-site Audit

The Customer may request an on-site audit, provided that:

• The request is reasonable, justified and necessary
• The request is made with at least 30 days' written notice
• The audit is not conducted more than once annually (unless there is suspicion of breach)
• The audit is conducted in a manner that does not disrupt the Processor's business operations
• The Customer's representatives are subject to confidentiality obligations
• The Customer bears costs associated with the audit

8.4 Security and Confidentiality

Audits must not compromise other customers' data, security or trade secrets.

9. Data Protection Officer

The Processor has appointed a contact person for data protection matters:

Data Protection Contact

3RD ApS

Email: privacy@get3rd.com

10. Duration and Termination

10.1 Duration

This DPA takes effect simultaneously with the Terms and Conditions and remains in effect as long as the Processor processes Customer Data on behalf of the Customer.

10.2 Termination

This DPA terminates automatically upon termination of the Services, provided that all obligations regarding deletion or return of data have been fulfilled.

10.3 Surviving Provisions

The following provisions survive termination of the agreement:

• Confidentiality (Section 3.2)
• Data deletion (Section 7)
• Liability (Section 11)

11. Liability and Indemnification

11.1 Liability for Sub-processors

The Processor is fully liable to the Customer for sub-processors' fulfillment of data protection obligations.

11.2 Limitation of Liability

The Processor's liability under this DPA is subject to the limitations of liability set forth in the Terms and Conditions, to the extent permitted by applicable law.

11.3 Regulatory Authorities

Nothing in this DPA limits the parties' liability to supervisory authorities or data subjects under GDPR.

12. Governing Law and Jurisdiction

This DPA is subject to the same governing law and jurisdiction as the Terms and Conditions.

13. Amendments

This DPA may be amended to reflect changes in data protection legislation or the Processor's processing activities. Material changes are notified in accordance with the Terms and Conditions.

14. Contact

For questions regarding this DPA, contact:

3RD ApS

Pilestræde 52A

DK-1112 Copenhagen K

Denmark

Email: privacy@get3rd.com

Annex A: Technical and Organizational Measures

A.1 Physical Access Control

• Services are hosted with certified cloud providers (AWS, GCP) with physical security, access control and monitoring
• Data centers in EU regions with ISO 27001, SOC 2 Type II certifications

A.2 System Access Control

• Multi-factor authentication (MFA) for administrative access
• Role-based access control (RBAC)
• Unique user identification and strong passwords
• Automatic session timeout

A.3 Data Encryption

• TLS 1.2+ for all data in transit
• Encryption at rest for sensitive data
• Secure key management

A.4 Logging and Monitoring

• Centralized logging of system access and activity
• Real-time security monitoring and alerting
• Log retention for 12 months
• Regular review of security logs

A.5 Network Security

• Firewall and network segmentation
• DDoS protection
• Intrusion detection/prevention systems
• Regular vulnerability scans and penetration tests

A.6 Backup and Disaster Recovery

• Automatic daily backup
• Geographic redundancy
• Tested disaster recovery procedures
• RTO (Recovery Time Objective): 24 hours
• RPO (Recovery Point Objective): 24 hours

A.7 Development and Test Environments

• Separation of production, test and development
• Anonymization of production data in test environments
• Secure code review and deployment procedures

A.8 Organizational Measures

• Information security policy
• Annual security training for employees
• Background checks for employees with access to Customer Data
• Confidentiality agreements for all employees
• Incident response team and procedure
• Vendor risk management program

*This DPA is part of 3RD's legal framework and supplements the Terms and Conditions.*