Data Processing Agreement

Last updated 14 June 2026

These Contractual Clauses (the “Clauses”) are the data processing agreement for the purposes of Article 28(3) of Regulation 2016/679 (the GDPR) between the Customer (the data controller) and Torii ApS, business registration no. (CVR) 46310020, Sukkervænget 53, 5000 Odense C, Denmark (the data processor), each a “party” and together the “parties”. They form part of, and are incorporated into, the Services Agreement, and are accepted electronically when the Customer accepts that agreement.

2. Preamble

  1. These Clauses set out the rights and obligations of the data controller and the data processor when processing personal data on behalf of the data controller.
  2. The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of the GDPR.
  3. In the context of the provision of the Torii authentication service (the “Service”), the data processor will process personal data on behalf of the data controller in accordance with the Clauses.
  4. The Clauses shall take priority over any similar provisions contained in other agreements between the parties.
  5. Four appendices are attached to the Clauses and form an integral part of them.
  6. Appendix A contains details about the processing, including its purpose and nature, the types of personal data, the categories of data subject, and the duration of the processing.
  7. Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of authorised sub-processors.
  8. Appendix C contains the data controller’s instructions on the processing, the minimum security measures to be implemented, and how audits are to be performed.
  9. Appendix D contains provisions for other activities not covered by the Clauses.
  10. The Clauses and their appendices shall be retained in writing, including electronically, by both parties.
  11. The Clauses do not exempt the data processor from obligations to which it is subject under the GDPR or other legislation.

3. The rights and obligations of the data controller

  1. The data controller is responsible for ensuring that the processing complies with the GDPR (Article 24), the applicable data protection provisions, and the Clauses.
  2. The data controller has the right and obligation to make decisions about the purposes and means of the processing.
  3. The data controller is responsible, among other things, for ensuring that there is a legal basis for the processing the data processor is instructed to perform.

4. The data processor acts according to instructions

  1. The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law. Such instructions are specified in Appendices A and C. Subsequent instructions may be given throughout the duration of the processing, but shall always be documented and kept in writing, including electronically.
  2. The data processor shall immediately inform the data controller if, in its opinion, an instruction contravenes the GDPR or applicable data protection provisions.

5. Confidentiality

  1. The data processor shall grant access to the personal data only to persons under its authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons with access shall be kept under periodic review, and access withdrawn when no longer necessary.
  2. The data processor shall, at the data controller’s request, demonstrate that the persons concerned are subject to that confidentiality.

6. Security of processing

  1. Article 32 GDPR requires that, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risks involved, the parties implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  2. The data processor shall (independently of the data controller) evaluate the risks and implement measures to mitigate them, and shall assist the data controller in ensuring compliance with its Article 32 obligations, including by providing information about the measures already implemented (see Appendix C).
  3. Any additional measures required by the data controller are specified in Appendix C.

7. Use of sub-processors

  1. The data processor shall meet the requirements of Article 28(2) and (4) GDPR in order to engage a sub-processor.
  2. The data processor has the data controller’s general written authorisation for the engagement of sub-processors. The data processor shall inform the data controller in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data controller the opportunity to object before the sub-processor is engaged. The list of authorised sub-processors is in Appendix B.
  3. Where the data processor engages a sub-processor, the same data protection obligations as in these Clauses shall be imposed on it by contract, in particular sufficient guarantees of appropriate technical and organisational measures.
  4. A copy of the sub-processor agreement shall, at the data controller’s request, be submitted to the data controller (business terms not affecting data protection may be redacted).
  5. If the sub-processor fails to fulfil its data protection obligations, the data processor remains fully liable to the data controller for the sub-processor’s performance. This does not affect the rights of data subjects under the GDPR, in particular Articles 79 and 82.

8. Transfer of data to third countries or international organisations

  1. Any transfer of personal data to third countries or international organisations shall occur only on documented instructions from the data controller and always in compliance with Chapter V GDPR.
  2. Where such a transfer is required of the data processor under Union or Member State law, it shall inform the data controller of that legal requirement before processing, unless prohibited on important grounds of public interest.
  3. Without documented instructions from the data controller, the data processor cannot transfer personal data to, or have it processed in, a third country.
  4. The data controller’s instructions regarding third-country transfers, including the applicable transfer tool under Chapter V, are set out in Appendix C.6.
  5. These Clauses are not standard data protection clauses within the meaning of Article 46(2)(c)–(d) GDPR, and cannot themselves be relied upon as a transfer tool under Chapter V.

9. Assistance to the data controller

  1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR.
  2. Taking into account the nature of the processing and the information available to it, the data processor shall also assist the data controller in ensuring compliance with its obligations to: notify a personal data breach to the competent supervisory authority and to data subjects; carry out data protection impact assessments; and consult the supervisory authority prior to high-risk processing (Articles 32–36 GDPR).
  3. The scope and extent of the assistance are specified in Appendix C.

10. Notification of personal data breach

  1. On becoming aware of a personal data breach, the data processor shall notify the data controller without undue delay.
  2. The data processor’s notification shall, if possible, take place within the time specified in Appendix C after it becomes aware of the breach, to enable the data controller to comply with its Article 33 obligation.
  3. The data processor shall assist the data controller in obtaining the information required for the data controller’s notification to the supervisory authority under Article 33(3), as further specified in Appendix C.

11. Erasure and return of data

  1. On termination of the provision of personal data processing services, the data processor shall delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so, unless Union or Member State law requires storage of the personal data.

12. Audit and inspection

  1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 and these Clauses, and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor it mandates.
  2. The procedures for the data controller’s audits and inspections are specified in Appendices C.7 and C.8.
  3. The data processor shall provide supervisory authorities (or their representatives) that have access under applicable legislation with access to its physical facilities on presentation of appropriate identification.

13. The parties’ agreement on other terms

  1. The parties may agree other clauses concerning the provision of the personal data processing service, for example on liability, as long as they do not directly or indirectly contradict the Clauses or prejudice the rights and freedoms of data subjects or the protection afforded by the GDPR. These are set out in Appendix D.

14. Commencement and termination

  1. These Clauses become effective when the Customer accepts the Services Agreement, of which they form part.
  2. Either party may require the Clauses to be renegotiated if changes in the law, or the Clauses proving inexpedient, give rise to it.
  3. The Clauses apply for the duration of the provision of personal data processing services. For that duration they cannot be terminated unless other clauses governing the provision of the services have been agreed between the parties.
  4. If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller under Clause 11.1 and Appendix C.4, the Clauses may be terminated by written notice by either party.

15. Contacts

The data processor’s contact point for these Clauses is privacy@torii.so. The data controller’s contact point is the email address on its Torii account. The parties shall keep each other informed of changes to their contact points.


Appendix A: Information about the processing

A.1 Purpose. The data processor processes personal data on behalf of the data controller in order to provide the Torii authentication Service: to authenticate the data controller’s end users and to create, store, update, and delete their accounts, sessions, and sign-in state for the data controller’s applications, across sandbox and production environments.

A.2 Nature of the processing. Collection, storage, organisation, retrieval, use, transmission, and deletion of end-user authentication data in the course of operating the Service.

A.3 Types of personal data. Email address; first and last name; authentication credentials and identifiers (including hashed passwords, social/OAuth identity identifiers, and electronic-ID attributes where the data controller enables them); session and device data; IP address; and sign-in activity and audit-log entries. The Service is not designed or intended for special categories of personal data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR). The data controller shall not submit, store, or otherwise process such data through the Service unless Torii has expressly agreed otherwise in writing, and the security measures in Appendix C.2 assume that no such data is processed.

A.4 Categories of data subject. The data controller’s end users, the natural persons who authenticate through the data controller’s applications using the Service.

A.5 Duration. The processing is performed for the duration of the Services Agreement.

Appendix B: Authorised sub-processors

B.1 Approved sub-processors. On commencement, the data controller authorises the engagement of the sub-processors listed below. The authoritative, maintained list is published at /legal/sub-processors, which forms part of this Appendix B.

Name | Reg. no. | Location | Description of processing
Hetzner Online GmbH | HRB 6089 (DE) | Falkenstein, Germany (EU) | Hosting and storage of the Service and its database; server logs
Cloudflare, Inc. | - (USA) | USA; global edge network | Edge proxy, TLS termination, DDoS/bot protection (IP and request metadata)
AhaSend BV | - (NL) | Netherlands (EU) | Transactional email delivery (verification, password reset, security notices)
Signicat AS | 988 421 statistical (NO) | Norway (EEA) | MitID / electronic-ID verification, where the data controller enables it

B.2 Prior notice. The data processor shall give the data controller at least 30 days’ written notice before a new sub-processor begins processing personal data, by updating the published list and notifying the data controller.

Appendix C: Instructions on the processing

C.1 Subject of the instruction. The data processor shall process personal data solely to provide the Service in accordance with the Services Agreement and the data controller’s configuration and use of the Service.

C.2 Security of processing. The processing does not, by default, involve special categories of personal data, so a standard level of security applies. The data processor shall, at a minimum, implement: encryption of personal data in transit (TLS) and at rest; hashing of passwords using a strong, salted algorithm; role-based access control on a need-to-know basis; processing within the EU (see C.5); regular backups with a tested restore capability; logging and audit of access and account actions; and regular testing and evaluation of the effectiveness of these measures.

C.3 Assistance. The data processor assists the data controller with data-subject requests through the export and deletion functions of the dashboard and API, and by providing breach information and, on request, the information needed for a data protection impact assessment. Where a personal data breach affects the controller’s data, the data processor notifies the controller without undue delay and at the latest within 48 hours of becoming aware of it (the time referred to in Clause 10.2).

C.4 Storage period / erasure. Personal data is deleted within 30 days after the data controller’s account or engagement is terminated, unless law requires retention. On termination of the provision of the services, the data processor deletes the personal data and certifies deletion in accordance with Clause 11.1.

C.5 Processing location. Processing takes place in Falkenstein, Germany (EU), at Hetzner Online GmbH, and otherwise only at the locations of the authorised sub-processors set out in Appendix B.

C.6 Third-country transfers. The data controller instructs the data processor to transfer personal data to the United States to the extent necessary for the sub-processor Cloudflare, Inc. (Appendix B). The transfer tool under Chapter V GDPR is the EU–US Data Privacy Framework, where the sub-processor is certified, or otherwise the European Commission’s Standard Contractual Clauses. No other third-country transfer is authorised.

C.7 Audits of the data processor. The data processor shall, on request, make available to the data controller an independent third-party audit or inspection report (for example SOC 2 or ISAE 3402) concerning its compliance with the GDPR and these Clauses. Where such a report is insufficient to demonstrate compliance, the data controller or its representative may, on reasonable notice and at its own cost, inspect the facilities and systems used for the processing.

C.8 Audits of sub-processors. The data processor supervises its sub-processors’ compliance and, on request, provides the data controller with the documentation of that supervision. The data processor remains fully responsible for its sub-processors’ compliance.

Appendix D: The parties’ terms on other subjects

As between the parties, the data processor’s liability under these Clauses is subject to the limitation of liability set out in the Services Agreement. This does not affect the rights of data subjects under Articles 79 and 82 GDPR, nor any liability that cannot be limited under mandatory law.
