Last Updated: February 02, 2026
pursuant to Article 28(3) of Regulation 2016/679 (General Data Protection Regulation) between Power Solutions CRM ApS (the Data Processor) and the Customer (the Data Controller)
This Data Processing Agreement (DPA) forms an integral part of the Terms of Service for Power Solutions CRM and automatically takes effect when the Customer accepts the Terms of Service.
This Data Processing Agreement (“DPA”) governs Power Solutions CRM ApS’s (“the Data Processor”) processing of personal data on behalf of the Customer (“the Data Controller”) in connection with the provision of the SaaS platform Power Solutions CRM.
By accepting the Terms of Service for Power Solutions CRM, the Customer automatically accepts this DPA, which constitutes an integral and binding part of the agreement between the parties.
This DPA is designed in accordance with Article 28(3) of the GDPR and ensures protection of the fundamental rights and freedoms of natural persons.
1. Definitions
“Customer” or “Data Controller” means the legal or natural person who has entered into an agreement to use the Power Solutions CRM platform and who processes personal data in the platform.
“Data Processor” means Power Solutions CRM ApS, Registration No. [insert number], which provides the CRM platform and processes personal data on behalf of the Customer.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure or destruction.
“Sub-processor” means a third party that the Data Processor uses to perform specific processing activities on behalf of the Customer.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Platform” or “Services” means the Power Solutions CRM SaaS platform and all associated services as described in the Terms of Service.
“Terms of Service” means the general terms for use of Power Solutions CRM, of which this DPA is part.
2. Subject Matter and Duration of Processing
2.1 Subject Matter of Processing. The Data Processor processes personal data on behalf of the Data Controller for the purpose of delivering the Platform and related services as described in the Terms of Service.
2.2 Duration of Processing. This DPA applies for the entire period during which the Customer has an active subscription to the Platform, as well as for a period of up to 30 days after termination of the subscription for the purpose of data return or deletion.
2.3 Nature and Purpose of Processing. The processing includes storage, administration, and presentation of customer data in a cloud-based CRM platform. The purpose is to enable the Customer to manage customer relationships, sales processes, and communications.
2.4 Types of Personal Data. The Platform may process the following types of personal data depending on Customer usage:
- Contact information: name, address, email, phone number.
- Business information: registration number, job title, company name.
- Communication data: emails, notes, call history.
- Activity data: meetings, tasks, sales activities.
- User data: login credentials, user activity in the system.
IMPORTANT: The Platform is NOT designed for processing sensitive personal data as defined in GDPR Article 9 (e.g., health data, national identification numbers, trade union membership). The Customer must not upload such data to the Platform without prior written agreement.
2.5 Categories of Data Subjects. Depending on Customer usage, data subjects may include:
- Customer’s own customers and prospective customers.
- Customer’s employees and business partners.
- Contact persons at partner organizations.
- Other persons registered by Customer in the CRM system.
3. Customer Rights and Obligations
3.1 Customer Responsibilities. The Customer is the Data Controller and is responsible for:
- Ensuring lawful basis for processing personal data in the Platform.
- Ensuring processing complies with GDPR and applicable legislation.
- Informing data subjects about processing pursuant to GDPR Articles 13 and 14.
- Ensuring only relevant and necessary personal data is processed.
- Not uploading sensitive personal data without specific agreement.
- Instructing the Data Processor through Platform features and settings.
3.2 Customer Right to Instructions. The Customer has the right to instruct the Data Processor regarding processing of personal data through:
- Platform user settings and administration tools.
- Support requests to the Data Processor.
- Written instructions sent to support@powersolutionscrm.com.
4. Data Processor Obligations
4.1 Processing According to Instructions. The Data Processor may only process personal data according to documented instructions from the Customer, unless processing is required by EU law or Member State law. If the Data Processor considers an instruction to violate GDPR, the Data Processor shall immediately inform the Customer.
4.2 Confidentiality. The Data Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Only employees with legitimate work-related need are granted access to Customer data.
4.3 Data Minimization. The Data Processor processes only personal data necessary to deliver the Services. The Data Processor does not use Customer personal data for own purposes or for marketing.
5. Security Measures
The Data Processor has implemented the following technical and organizational security measures:
5.1 Encryption
- TLS 1.3 or higher for all data transmission.
- AES-256 encryption for data at rest.
- Encrypted databases.
- Secure key management with regular rotation.
5.2 Access Control
- Multi-factor authentication (MFA) for all administrative accounts.
- Role-based access control (RBAC).
- Principle of least privilege.
- Automatic logout after inactivity.
- Regular review of user access.
5.3 Network Security
- Firewall protection at all levels.
- Intrusion Detection and Prevention Systems (IDS/IPS).
- DDoS protection.
- Isolated network segments.
- Regular security scans and penetration testing.
5.4 Backup and Recovery
- Automated daily backups.
- Geographic redundancy – backups stored in separate locations.
- Encrypted backups.
- Regular testing of recovery procedures (minimum quarterly).
- Recovery Time Objective (RTO): 24 hours.
- Recovery Point Objective (RPO): 24 hours.
5.5 Logging and Monitoring
- Comprehensive logging of all significant events.
- 24/7 security monitoring.
- Automated alerts for unusual activity.
- Logs retained encrypted for minimum 12 months.
- Regular security log reviews.
5.6 Physical Security
- ISO 27001 certified datacenters.
- Tier III or higher datacenter standards.
- 24/7 physical access control and video surveillance.
- Redundant power supplies and cooling systems.
- Fire protection and environmental monitoring.
5.7 Personnel Security
- Background checks for employees with customer data access.
- Ongoing security training for all employees.
- Confidentiality agreements for all employees.
- Immediate access revocation upon termination.
5.8 Incident Response
- Documented incident response plan.
- Dedicated security team.
- Customer notification within 48 hours of data breach.
- Cooperation with Customer on incident handling.
6. Use of Sub-Processors
6.1 General Authorization. The Customer hereby grants general authorization for the Data Processor to use sub-processors to deliver the Services. An updated list of sub-processors is available at www.powersolutionscrm.com/subprocessors.
6.2 Current Sub-processors. The Data Processor uses the following categories of sub-processors:
- Hosting and Infrastructure: EU/EEA-based cloud hosting provider – Operation of servers and infrastructure.
- Email Services: EU/EEA-based email service provider – Sending transactional emails.
- Backup Services: EU/EEA-based backup provider – Data backup.
- Monitoring and Security: EU/EEA-based security provider – Security monitoring and logging.
6.3 Changes to Sub-processors. When adding new or replacing existing sub-processors:
- Data Processor notifies Customer at least 30 days before change takes effect.
- Notification via email to Customer’s registered contact person and/or message in Platform.
- If Customer has legitimate objection to new sub-processor, Customer may terminate agreement with 14 days’ notice.
- Updated list always available at www.powersolutionscrm.com/subprocessors.
6.4 Requirements for Sub-processors. The Data Processor ensures that all sub-processors:
- Are subject to same data protection obligations as this DPA.
- Implement appropriate technical and organizational security measures.
- Only process data within EU/EEA, unless otherwise agreed.
- Only process data according to Data Processor instructions.
The Data Processor remains fully liable to Customer for sub-processors’ compliance with their obligations.
7. Transfer to Third Countries
7.1 General Rule. All personal data is processed and stored within the EU/EEA. The Data Processor does not transfer personal data to third countries (countries outside EU/EEA) without Customer’s prior written approval.
7.2 Exceptions. If transfer to third countries becomes necessary and is approved by Customer, Data Processor ensures:
- Transfer complies with GDPR Chapter V.
- EU Commission Standard Contractual Clauses are used; or
- Recipient country has adequate level of protection approved by EU Commission; or
- Other lawful transfer mechanisms under GDPR are applied.
7.3 Notification. If Data Processor is legally required to transfer data to third country, Data Processor immediately notifies Customer, unless such notification is prohibited by law.
8. Assistance to Data Controller
8.1 Assistance with Data Subject Rights. Data Processor assists Customer in fulfilling Customer’s obligations to respond to data subject requests regarding:
- Right of access (Article 15).
- Right to rectification (Article 16).
- Right to erasure (Article 17).
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20).
- Right to object (Article 21).
Customer can handle most requests through Platform features. For assistance, contact support@powersolutionscrm.com. Data Processor responds to such requests within 5 business days.
8.2 Assistance with Impact Assessment. If Customer must conduct Data Protection Impact Assessment (DPIA), Data Processor assists by providing:
- Information about processing nature, scope, and purpose.
- Documentation of implemented security measures.
- Information about sub-processors.
- Other relevant information for risk assessment.
8.3 Assistance with Supervisory Authority. Data Processor assists Customer with prior consultation with supervisory authority if such consultation is required.
9. Notification of Data Breaches
9.1 Notification Obligation. Data Processor notifies Customer without undue delay and at latest 48 hours after becoming aware of personal data breach affecting Customer’s personal data.
9.2 Notification Content. Notification must include at minimum:
- Description of breach nature.
- Categories and approximate number of affected data subjects.
- Categories and approximate number of affected records.
- Contact details of Data Processor’s data protection officer or other contact.
- Description of likely consequences of breach.
- Description of measures taken or proposed to address breach.
9.3 Ongoing Information. If not all information can be provided simultaneously, Data Processor sends ongoing updates as additional information becomes available.
9.4 Cooperation. Data Processor fully cooperates with Customer on breach handling and implementation of remedial measures.
10. Deletion and Return of Data
10.1 Upon Agreement Termination. Upon termination of Customer subscription:
- Customer must within 30 days choose to have data returned or deleted.
- Customer can export data through Platform export function.
- Data Processor automatically deletes all Customer data at latest 30 days after subscription termination, unless Customer requested return.
- Deletion includes all copies including backups, unless legislation requires continued retention.
10.2 Documentation. Data Processor can upon request document that data has been deleted.
10.3 Legal Retention. If EU law or Member State law requires continued retention of certain data (e.g., billing information), Data Processor retains only such data to extent and duration legally required.
11. Audit and Review
11.1 Customer Right to Audit. Customer has right to audit Data Processor’s compliance with this DPA through one of following methods:
- Review of Data Processor’s annual ISO 27001 certification or equivalent security certification.
- Review of SOC 2 Type II report or equivalent auditor statement.
- Written request for specific information regarding security measures.
11.2 Physical Inspection. If above methods do not provide sufficient assurance, Customer may request physical inspection under following conditions:
- Written request with minimum 30 days’ notice.
- Maximum once annually (unless justified suspicion of serious breach).
- Coordinated time that does not disrupt normal operations.
- Inspection conducted by qualified auditor bound by confidentiality.
- Customer bears inspection costs, unless it reveals significant deficiencies.
11.3 Follow-up. Data Processor informs Customer within 30 days about measures implemented in response to audit recommendations.
12. Liability and Indemnification
12.1 Data Processor Liability. Data Processor is liable for damages caused by processing that does not comply with GDPR or this DPA. However, liability limitations in Terms of Service continue to apply, unless GDPR directly requires unlimited liability.
12.2 Customer Liability. Customer is responsible for:
- Lawfulness of processing basis for data in Platform.
- Compliance with information obligations towards data subjects.
- Reporting data breaches to supervisory authority if required.
- Instructions given to Data Processor.
13. Entry Into Force and Termination
13.1 Entry into Force. This DPA automatically takes effect when Customer accepts the Terms of Service for Power Solutions CRM.
13.2 Duration. The DPA applies for entire period Customer has active subscription, plus up to 30 days after subscription termination.
13.3 Amendments. Data Processor may update this DPA to:
- Comply with legislative changes.
- Reflect changes in security measures or sub-processors.
- Improve data protection.
Significant changes are notified to Customer at least 30 days before taking effect via email and/or Platform notification. Latest version always available at www.powersolutionscrm.com/dpa.