Effective date: this version is published as of 6 July 2026 (Version 2026-07-06) and forms part of the Agreement; it applies to a Customer from the date the Customer accepts the Agreement.
This is the full text of Ansvar's Data Processing Addendum ("DPA"). It covers the GDPR Article 28 processing terms that apply when Ansvar processes personal data on behalf of a customer in connection with the Ansvar Gateway and related services. Self-serve Team and Company customers accept this DPA by reference at signup. The current sub-processors list is published at Sub-processors and is incorporated into Annex 3 below.
This Data Processing Addendum (the "DPA") is entered into between Ansvar (hereinafter the "Processor") and the Customer (hereinafter the "Controller"). Controller and Processor are individually referred to as a "Party" and, jointly, as the "Parties".
This DPA forms an integral part of the Agreement and has been entered into to ensure the Parties' compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR").
In connection with the services provided by Processor to Controller under the Terms of Service (the "Agreement"), the Processor may Process Personal Data on behalf of the Controller in order to provide and secure an AI-enabled software service and related support. This DPA applies to such Processing and supplements the Agreement solely with respect to the Processing of Personal Data. For such Processing, the Controller acts as controller and the Processor acts as processor as those terms are defined in the GDPR.
To the extent the Agreement permits Controller Affiliates to receive the Services, the Controller entity signing this DPA may enter into this DPA on behalf of itself and those Controller Affiliates, provided that it remains responsible for coordinating all instructions, permissions, and communications under this DPA unless otherwise agreed in writing.
This DPA sets out the rights and obligations of both the Controller and the Processor in relation to the Processing of Personal Data and specifies the Controller's instructions to the Processor, as further described in Annex 1.
The Parties agree to comply with all obligations related to their corresponding role in accordance with Applicable Data Protection Law. The DPA shall not release the Parties from obligations to which the Parties are subject under Applicable Data Protection Law.
The Annexes attached to this DPA form an integral part of this DPA. In the event of any conflict between this DPA and the Agreement or any other agreement between the Parties relating to the Processing of Personal Data, this DPA shall prevail with respect to the Processing of Personal Data. Except as expressly supplemented by this DPA, the Agreement remains in full force and effect.
In this DPA, the following capitalised terms shall have the following meaning:
Unless otherwise defined in this DPA, the capitalised terms used in this DPA, such as "Controller", "Data Protection Impact Assessment", "Processor", "Processing", and "Process" shall have the same meaning as defined in Applicable Data Protection Law and the Agreement.
The Controller is responsible for ensuring that the instructions provided to the Processor comply with Applicable Data Protection Law and do not result in the Processor Processing Personal Data in violation of Applicable Data Protection Law.
The right to determine the purposes and the means of the Processing rests with the Controller.
The Controller has the right to issue instructions to the Processor regarding the Processing of Personal Data, as described in this DPA and Annex 1. During the term of this DPA, the Controller may issue new documented instructions or amend the documented instructions by notifying the Processor in writing, provided that any such instruction does not materially change the scope, nature, or cost of the Services. Any instruction that would materially change the scope, nature, or cost of the Services shall be subject to the Parties' prior written agreement.
The Processor shall Process Personal Data in compliance with Applicable Data Protection Law, this DPA, and the Controller's documented instructions unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Controller's documented instructions for the Processing of Personal Data are given in this DPA and its Annexes or other written communications agreed between the Parties from time to time.
The Processor shall immediately inform the Controller, if, in the Processor's opinion, instructions provided by the Controller contravene Applicable Data Protection Law. The Parties shall cooperate in good faith to address any such concern.
In the absence of instructions that the Processor reasonably deems necessary to perform its obligations under the Agreement or this DPA, the Processor shall notify the Controller without undue delay and may suspend the affected Processing until it receives the required instructions.
The Processor shall not Process Personal Data for its own purposes or for any purpose other than those set out in the Agreement and the Controller's documented instructions, including training or fine-tuning the Processor's or any third party's general-purpose machine learning or AI models, unless the Parties expressly agree otherwise in writing.
Where the Services include the Audit Ledger feature (Company tier), the Controller's documented instructions for that feature are set out in Annex 4 (Audit Ledger), which forms an integral part of this DPA and applies only for so long as that feature is enabled. In the event of conflict between Annex 4 and the body of this DPA in respect of Audit Ledger Processing, Annex 4 prevails.
The Processor shall ensure that persons authorised to access and/or Process Personal Data, including the Processor's employees, persons under the Processor's authority, and Sub-processors, are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
The Processor shall ensure that persons authorised by the Processor to access or otherwise Process Personal Data do so only on a need-to-know basis and only to the extent necessary to fulfil obligations under this DPA and the Agreement. The Processor shall ensure that access rights are reviewed and withdrawn without undue delay if such access is no longer necessary.
The Processor shall implement appropriate technical and organisational measures required to protect the Personal Data against unauthorised access and loss, destruction, damage, alteration or disclosure, or against other unlawful Processing of the Personal Data and shall ensure a level of security appropriate to the risk of the Processing pursuant to Article 32 of the GDPR. Such measures shall correspond to the requirements set out in Applicable Data Protection Law and take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing, and the risks to the rights and freedoms of natural persons.
The Processor shall provide reasonable assistance to the Controller in ensuring compliance with the Controller's obligations as a controller pursuant to Article 32 of the GDPR, taking into account the nature of the Processing and the information available to the Processor.
The Parties agree that the technical and organisational measures specified in Annex 2 of this DPA are appropriate to the risk of the Processing and ensure the security of the Personal Data.
If the Controller requires additional measures beyond those set out in Annex 2 due to requirements specific to the Controller, its systems, policies, risk assessment, or intended use of the Services, the Controller shall notify the Processor thereof in writing. The Parties shall discuss in good faith whether and on what terms such additional measures can be implemented, and any agreed additional measures shall be documented in Annex 2.
If the Processor intends to make material changes to the technical and organisational measures documented in Annex 2 that are reasonably likely to reduce the overall security of the Processing, the Processor shall provide relevant information about the intended changes without undue delay.
In the event of a Personal Data Breach affecting the Personal Data, the Processor shall notify the Controller without undue delay after the Processor has become aware of the Personal Data Breach. The notification shall enable the Controller to assess its notification obligations under the GDPR and shall include, to the extent available to the Processor at the time, at least the following information:
If it is not possible to provide the information listed above at the same time, the Processor may provide this information in phases.
Upon becoming aware of a Personal Data Breach, the Processor shall without undue delay take commercially reasonable measures necessary to remedy or mitigate the effects of the Personal Data Breach.
The Controller is solely responsible for notifying the relevant Supervisory Authority and, where applicable, the affected Data Subjects where required by Applicable Data Protection Law. The Processor shall reasonably assist the Controller in complying with the Controller's notification obligations to the Supervisory Authority and to the Data Subjects, where applicable.
The Parties acknowledge that a Personal Data Breach caused solely by the compromise of credentials outside the Processor's systems does not of itself constitute a failure of the Processor's Annex 2 measures; this allocation does not affect the Processor's obligation to notify the Controller of any Personal Data Breach under this section.
The Controller grants the Processor a general authorisation to engage Sub-processors to Process Personal Data on the Controller's behalf to the extent necessary for the provision of the Services. The Sub-processors identified in Annex 3 (which incorporates the current list published at ansvar.eu/subprocessors) are engaged by the Processor as of the effective date of this DPA, subject to the notice and objection provisions below.
The Processor shall provide prior written notice to the Controller of any intended addition or replacement of Sub-processors or any changes to the Sub-processor list set out in Annex 3, at least fifteen (15) calendar days before such changes take effect. The Controller may, within ten (10) calendar days of receiving such notice, object in writing on reasonable data protection grounds specific to the relevant Sub-processor.
If the Controller does not object within such period, the Controller shall be deemed to have approved the relevant Sub-processor. Where the Controller raises a reasonable objection and the Parties are unable to resolve it in good faith, the Processor shall use commercially reasonable efforts to implement an alternative solution. If no such solution is reasonably available, the Controller may terminate only the affected part of the Services in accordance with the Agreement.
Where a Controller has raised a timely objection, the Processor shall not transfer that Controller's Personal Data to the objected-to Sub-processor until the objection is resolved or the affected Services are terminated.
The Processor shall ensure that each Sub-processor is bound by written agreement that imposes data protection obligations no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by that Sub-processor.
The Processor shall remain liable to the Controller for the acts and omissions of its Sub-processors.
The Processor shall not transfer Personal Data to, or permit access to Personal Data from, a Third Country without the Controller's prior written consent, unless required to do so by Union or Member State law.
Any such authorised transfer shall be subject to appropriate safeguards in accordance with Chapter V of the GDPR, including, where applicable, the execution of the Standard Contractual Clauses and the implementation of any necessary supplementary measures.
Transfers to a Third Country covered by an Adequacy Decision (including the EU–US Data Privacy Framework, for entities certified under it) do not require additional safeguards under Chapter V of the GDPR.
Taking into account the nature of the Processing, and insofar as this is possible through the Services or information available to the Processor, the Processor shall implement appropriate technical and organisational measures to assist the Controller in fulfilling its obligations to respond to Data Subject Requests.
The Processor shall promptly notify the Controller and provide the Controller with relevant information reasonably available to the Processor in the event of:
unless the Processor is prohibited from doing so under applicable law.
The Processor shall not respond to any Data Subject Requests, inquiries, or complaints, and shall not in any way represent or purport to represent the Controller in relation thereto, unless explicitly instructed in writing by the Controller.
Upon the Controller's request, and taking into account the nature of the Processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in connection with the preparation of Data Protection Impact Assessments (DPIAs) and with any prior consultations with the Supervisory Authority under Applicable Data Protection Law, including Articles 35 and 36 of the GDPR. Where such assistance requires material resources beyond standard cooperation, the Parties shall agree in advance on any reasonable cost reimbursement by the Controller.
The Processor shall make available to the Controller, upon reasonable written request, relevant information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, and shall reasonably cooperate with audits, including inspections, conducted by the Controller or a third party mandated by the Controller, subject to the limitations in this Section.
In the event of an audit, the Controller shall provide the Processor with at least thirty (30) calendar days' prior written notice, except where a shorter notice period is reasonably required due to a Personal Data Breach or credible indications of material non-compliance with this DPA or Applicable Data Protection Law.
Such audits shall:
Any third-party auditor appointed by the Controller shall:
The Processor may, at its discretion, satisfy audit requests through the provision of third-party certifications, audit reports, or equivalent documentation where reasonably sufficient to demonstrate compliance.
Each Party shall bear its own costs and expenses in relation to an audit. However, where an audit requires significant allocation of Processor resources beyond standard cooperation, the Parties shall agree in advance on reasonable cost reimbursement by the Controller.
This DPA forms an integral part of the Agreement and shall enter into force on the effective date of the Agreement or, if signed later, on the date of the last signature by the Parties. Notwithstanding the termination or expiration of the Agreement, this DPA shall remain in force for as long as the Processor Processes Personal Data on behalf of the Controller under the Agreement, and until the Processor has returned or deleted the Personal Data, as described below.
Upon termination or expiry of the Agreement or upon the Controller's written request, the Processor shall, at the Controller's choice, delete or return the Personal Data to the Controller or to a third party designated by the Controller within thirty (30) calendar days, unless otherwise required by applicable law or unless a shorter or longer period is specified in the Agreement.
Upon the Controller's written request, the Processor shall provide reasonable confirmation of deletion or destruction of Personal Data carried out in accordance with the preceding paragraph. Where deletion is performed through standard automated processes, the Processor may provide such confirmation in the form of a written statement describing its deletion practices.
The liability of each Party arising out of or in connection with this DPA, including any claims related to the Processing of Personal Data, shall be governed by, and subject to, the limitations of liability and exclusions of damages set out in the Agreement, as if fully incorporated herein.
This Annex 1 is made under and attached to this DPA and constitutes an inseparable part of this DPA.
Controller: As defined in the Agreement [insert legal entity, address, and privacy/security contact details].
Processor: Ansvar Systems AB (559547-2225)
Ingemarsboda 565, 841 74 Fränsta, Sweden
+46 736 20 74 35
jeffrey.von.rotz@ansvar.eu
Processor provides an AI-enabled software service under the Agreement. In providing the Services, Processor may receive, store, organise, retrieve, structure, transmit, or otherwise Process Personal Data submitted by or on behalf of Controller, including prompts, instructions, uploaded files, user account data, support requests, and other content necessary to generate, deliver, secure, and support the Services.
The purposes of the Processing are to host and operate the Services, generate and return outputs requested by Controller users, provide customer support, maintain service security, prevent abuse, monitor performance, and conduct troubleshooting.
Processor shall not use Controller Personal Data to train or fine-tune Processor's or any third party's general-purpose machine learning or AI models unless the Parties expressly agree otherwise in writing.
If Controller enables optional features, integrations, or professional services, the Processing may also include implementation, migration, configuration, and service-administration activities reasonably necessary to provide those features or services.
Where the Controller's subscription includes the Audit Ledger, the Processing also includes the capture, encryption, retention, integrity-protection, decryption-on-instruction, and export operations described in Annex 4. The Controller determines and approves the categories of Personal Data captured and the categories of Data Subjects, as necessary and proportionate to its compliance-evidence purpose.
The categories of Personal Data may include: account and profile data; prompts, instructions, chat content, queries, and uploads submitted to the Services; outputs generated in response to such inputs; support and correspondence data; technical and usage data such as device, log, authentication, and telemetry information; and any Personal Data that Controller chooses to include in the Services.
Special categories of personal data are not required for ordinary use of the Services, but may be Processed if Controller or its users choose to submit them. Controller remains responsible for determining whether submission of special categories of personal data is necessary and lawful.
Personal Data may also include information relating to third parties that appears in documents, communications, datasets, or other materials submitted to the Services by or on behalf of Controller.
Data Subjects may include Controller personnel and representatives, Controller customers and end users, prospects, suppliers, business partners, and any other individuals whose Personal Data is included in content submitted to the Services by or on behalf of Controller.
Where relevant to Controller's use case, Data Subjects may also include employees, contractors, or other persons identified in Controller materials processed through the Services.
Processor will Process Personal Data for the duration of the Agreement and thereafter only for as long as necessary to delete or return the Personal Data in accordance with this DPA.
Controller may specify shorter retention settings within the Services where such functionality is available.
This Annex 2 is made under and attached to this DPA and constitutes an inseparable part of this DPA.
This Annex describes the technical and organisational measures adopted by the Processor to ensure the security of the Personal Data.
The Processor implements the following technical and organisational measures: encryption in transit (TLS) and at rest; per-tenant logical isolation enforced at the data layer; role-based access control on a need-to-know basis; multi-factor authentication (per the measure below); logging and monitoring; vulnerability management; malware protection; backup and recovery; change management; and environment separation.
Multi-factor authentication is supported and can be enforced for access to the Service, including via the Customer's identity provider (SSO).
The Processor also maintains controls to detect, prevent, and respond to abusive or unauthorised use of the Services, including service misuse, credential compromise, and other security events relevant to an AI software environment.
Where the Processor relies on infrastructure, model, hosting, storage, support, or other vendors, access to Personal Data is limited through contractual, technical, and administrative controls appropriate to the vendor's role.
Additional or independently-certified assurances (including certifications and penetration-test summaries) are available to the Controller on request or under a separate written agreement, as and when available.
The Processor maintains the following organisational measures: confidentiality obligations for personnel; security and privacy policies; training and awareness measures; incident response procedures; vendor due diligence and contract management; access review processes; internal escalation paths for privacy and security matters; and governance procedures for assessing and updating safeguards over time.
Access to Personal Data is limited to personnel and contractors who need such access for legitimate business purposes connected to the Services and who are subject to appropriate confidentiality obligations.
The Processor reviews and may update these measures from time to time to reflect changes in the Services, risks, technology, and legal requirements, provided that the Processor will not materially reduce the overall security of the Services during the term of the Agreement.
This Annex 3 is made under and attached to this DPA and constitutes an inseparable part of this DPA.
The Processor engages Sub-processors to provide the Services. The material Sub-processors are Hetzner Online GmbH (hosting and key-management infrastructure, EEA) and — for the Company Audit Ledger only — DigiCert, Inc. (RFC-3161 timestamping of the daily aggregate Merkle root hash; United States; no Personal Data is transmitted, only a non-reversible hash — see Annex 4 A4.8).
The authoritative, current list of all Sub-processors — with each Sub-processor's name, address, processing location, and transfer mechanism — is published and maintained at ansvar.eu/subprocessors, which forms part of this DPA and is kept up to date in accordance with the "Sub-processors" section above. Additions and changes to that list are notified, and may be objected to, under that section.
This Annex is made under and attached to the DPA and is an inseparable part of it. It applies only where, and for so long as, the Services include the Audit Ledger. It supplements, and does not replace, the DPA; defined terms have the meaning given in the DPA unless defined below.
With respect to all Personal Data in the Audit Ledger (Event-Level only; A4.2), the Controller is the Customer and the Processor is Ansvar Systems AB (Art. 4(7)–(8), Art. 28). Ansvar Processes Ledger Data only on the Controller's documented instructions. The Controller determines the purposes and essential means — including the categories of Personal Data captured and the categories of Data Subjects (A4.2); Ansvar determines only non-essential technical means (the cryptographic design and key custody), which it implements as security measures under Art. 28(3)(c) and Art. 32.
Ansvar's technical ability to decrypt Ledger Data does not determine purposes or essential means and does not make Ansvar a Controller. Ansvar acknowledges that determining the purposes or means of Processing Ledger Data would render it a Controller under Art. 28(10); the no-own-purpose covenant in A4.3 is the boundary that prevents this.
This Annex prevails over the body of the DPA for conflicts concerning Ledger Data; all other DPA provisions continue to apply.
Independent-controller carve-out. Ansvar acts as an independent Controller — not Processor — only for the limited Personal Data it Processes for its own account (platform security / abuse-prevention logging and billing). Such processing never reads Ledger plaintext or Ledger-derived Personal Data, is sourced only from platform metadata Ansvar generates, and rests on Ansvar's own Art. 6(1)(f) basis with a documented legitimate-interests assessment.
The Controller instructs the Processor to capture, encrypt, and retain a Ledger Entry for each interaction, for the Controller's own purpose of maintaining a tamper-evident audit trail as compliance evidence. This Annex is the documented instruction for that Processing; absent it, no capture occurs.
(a) Event-Level Data — captured while the Audit Ledger is enabled. The Controller may scope, redact, or disable Event-Level capture through controls the Processor makes available (at minimum a field-level exclude and a global event-capture off switch); the Controller approves the captured categories as necessary and proportionate to its purpose.
(b) Reviewed Documents — never ledger-captured. The Audit Ledger does not ingest the body content of uploaded documents. Where a Reviewed Document is analysed, the Ledger records only the review event, the document content-hash, and the resulting citations — sufficient to evidence integrity and provenance over the document without holding a copy of it. The document itself is processed and stored for the document-review feature under the base DPA (Annex 1: security, retention, delete/return), and the Controller retains the document as its own underlying audit artifact. Re-introducing document-body capture into the Ledger would require a fresh DPIA and is out of scope of this Annex.
Ledger Entries are encrypted with per-tenant data-encryption keys wrapped by Processor-operated key-management (HashiCorp Vault / OpenBao Transit), derived per tenant and bound by encryption context to the Controller's tenant — a security measure under Art. 32. The Controller does not hold these keys and customer-held key control (HYOK) is not available; the Processor shall not represent customer-held-key (HYOK) availability in any agreement, sales, or marketing material. The Processor will publish and pursue a roadmap toward customer-held key control (HYOK / threshold / key-share).
The Processor may decrypt Ledger Entries only to (i) make Ledger Data available to the Controller or its authorised users on request; (ii) verify Ledger integrity at the Controller's request or pursuant to the DPA-instructed security measure; or (iii) operate, maintain, or secure the feature strictly on the Controller's documented instruction and for the Controller's benefit. The Processor shall not decrypt or Process Ledger Data for its own platform-security, abuse-prevention, risk-management, or any other own-account purpose, nor to train or fine-tune any model. Each decryption is recorded as a Ledger event carrying a structured reason-code (i/ii/iii), actor, and instruction reference, made available to the Controller.
Honest scope. The Service will incidentally Process Personal Data within Art. 9(1) and Art. 10 GDPR where it appears in free-text queries; such data is in scope of the Processor's DPIA. The Controller instructs the Processor to minimise such Processing (including via the scoping/redaction controls in A4.2), and undertakes not to route such data into capture beyond what is strictly necessary for the Controller's own purposes. This is an instruction to minimise, not a representation that such data is excluded.
Controller's basis, not the Processor's. Where Art. 9 / Art. 10 data is Processed through the Service, the Controller warrants that it holds and can evidence a valid Art. 9(2) condition and, for Art. 10 data, a basis under Art. 10 (official-authority control, or Union/Member-State law with appropriate safeguards). The Processor asserts no Art. 9(2) condition and no Art. 10 basis of its own; it Processes solely on the Controller's documented instruction (Art. 28(3)(a), Art. 29) and its lawfulness is derivative of the Controller's basis. This warranty allocates responsibility; it does not constitute, and shall not be relied upon as, a legal basis for Processing.
If the Processor becomes aware that an instruction or the Processing infringes GDPR or other applicable data-protection law — including the routing of Art. 9 / Art. 10 data without an evidenced basis — the Processor shall notify the Controller without undue delay and may suspend the affected capture until the Controller resolves the matter.
The Processor retains Ledger Entries for the duration of the Agreement, unless a shorter period is configured by the Controller where available. On termination/expiry or on the Controller's written request, the Processor deletes Ledger Data within thirty (30) calendar days, consistent with the "Term and termination" section of the DPA. Deletion is effected by Crypto-Shred (destruction of the per-tenant key), which the Parties agree satisfies the deletion obligation for Ledger Data; the Processor may confirm deletion by a written statement describing the Crypto-Shred.
An authorised administrator of the Controller (and only such an administrator) may export a plaintext Exported Audit Package. Once exported, it passes outside the Processor's technical and organisational measures and beyond Crypto-Shred. The Controller is the controller of, and solely responsible for, each Exported Audit Package (security, retention, erasure). The Processor's deletion and erasure obligations, including under Art. 17, do not extend to Exported Audit Packages the Controller holds; the Processor is neither controller nor processor for such exported copies.
The hash-chaining of Ledger Entries, the daily Merkle-root computation and RSA-PSS co-signing, and the RFC-3161 timestamping are integrity-and-confidentiality measures under Art. 32, implemented to serve the Controller's compliance-evidence purpose and instructed via this DPA. The Processor derives no independent purpose from them and shall not use the integrity artefacts for product-assurance, marketing claims, or self-exoneration.
Only the aggregate Merkle root hash is transmitted to the third-party RFC-3161 timestamp authority (DigiCert, Inc., USA; Annex 3); that hash contains no Personal Data and is not reversible to Ledger content. The transmission therefore does not constitute a transfer of Personal Data under Chapter V; the Processor maintains a tested control asserting that only the root imprint (with policy OID/nonce) — and no tenant identifier or per-receipt hash — is sent. The resulting timestamp has the legal effect of Article 41(1) of Regulation (EU) No 910/2014 (eIDAS), as amended by Regulation (EU) 2024/1183, but is not a qualified electronic timestamp, and no qualified-trust-service claim is made.
Ledger Data is stored and Processed within the EEA. No Ledger Data is transferred to, or accessible from, a Third Country, save the aggregate Merkle root hash in A4.8 (no Personal Data). Any future transfer of Ledger Personal Data remains subject to the "Transfers of Personal Data to Third Countries" section of the DPA (prior written consent + Chapter V safeguards).
The Sub-processors for the Audit Ledger are those in Annex 3, including Hetzner Online GmbH (hosting + key-management infrastructure, EEA) and DigiCert, Inc. (RFC-3161 timestamping of the aggregate root hash only, USA). The "Sub-processors" notice/objection rights apply.
On the Controller's request, and taking into account the nature of the Processing and information available, the Processor assists the Controller with data-subject-rights requests, DPIAs, and prior consultations relating to the Audit Ledger (the "Assistance to the Controller" section of the DPA). The Processor maintains Art. 30(2) records and appoints or confirms a Data Protection Officer where Art. 37(1) is triggered.
This DPA forms part of the contractual terms for paid customer use of the Service. See the Terms of Service for the general subscription terms, the Sub-processors page for the current authoritative Sub-processor list, the Privacy Notice for processing where Ansvar acts as controller, and the Security page for infrastructure and security posture. To request a countersigned copy of this DPA, contact privacy@ansvar.eu.