Data Processing Agreement

You, as the Customer (the “Controller”), have entered into a Services Agreement with 24Slides ApS (the “Processor”) for the delivery of certain services. As part of providing these services, the Processor will handle personal data on your behalf. This Data Processing Agreement (the “DPA”) is made to comply with Article 28(3) of the GDPR and to protect the rights of individuals whose data is processed.

1. INSTRUCTIONS ON DATA PROCESSING

Subject to this DPA, the Processor processes on behalf of and on the instruction of the Controller the categories of personal data stated in section 2. If required by law, the Processor may process data without explicit consent from the Controller but shall inform the Controller unless prohibited by law. The Processor may not process personal data for its own purposes and shall restrict access to authorised employees only. All instructions and any subsequent amendments from the Controller shall be documented and retained in writing or electronically.

2. PERSONAL DATA AND DATA PROCESSING

The DPA forms part of the Services Agreement entered into between the Controller and the Processor. The Processor processes personal data on behalf of the Controller concerning the Controller’s employees and customers (the “Data Subjects”). "Personal data" means any information relating to an identified or identifiable natural person, in accordance with art. 4(1) of the General Data Protection Regulation (the “GDPR”).

Personal data on Data Subjects includes: name and phone number, e-mail address and registered address, CV and job title, user behavioural data (pageviews, clicks, field changes, form submissions) as well as any other personal data that the data exporter transfers to the data importer. No personal social security/identification numbers or special categories of personal data about Data Subjects are processed.

Processing is limited to storage, sharing, and modification of draft presentation designs, sharing draft and/or final presentation designs by email, upload or other suitable tool as well as other purposes necessary for the functionality of the software platform.

3. STORAGE OF DATA

Personal data is stored on servers by the Processor’s sub-processors listed in Annex B. When signing this DPA, the Controller approves by way of explicit consent to the transfer of personal data to the USA for storage purposes. Any transfer to third countries shall be based on valid legal grounds as mentioned in GDPR Chapter V. The Processor must inform the Controller of changes in server hosting suppliers in advance.

4. PROCESSOR OBLIGATIONS

The Processor shall ensure that all employees with access to personal data are trained, authorised, and bound by confidentiality. Processing must solely be done in accordance with the purposes of this DPA, the Controller’s instructions and good data protection practice. The Processor shall maintain and periodically review a record of persons with access to the personal data. At the expiry/termination of the Services Agreement and at the Controller’s behest, the Processor shall erase or return all personal data and remove any copies unless otherwise required by law. The Processor shall provide written confirmation to the Controller once personal data have been deleted or returned. The Processor keeps personal data for as long as necessary to provide its services and comply with legal obligations or otherwise as requested by the Controller. Some anonymised data may be kept longer for analytics and business planning. Retention periods are determined by the type of data and its purpose, ensuring compliance with GDPR requirements.

The Processor must implement and maintain appropriate organisational and technical security measures to prevent loss, misuse or unauthorised access. The Processor shall regularly assess and update its organisational and technical measures to ensure a level of security appropriate to the risk. The Processor shall provide the Controller with documentation adequate to check whether the mentioned technical and organisational security measures are implemented.

The Processor shall, to the extent possible, assist the Controller in handling Data Subjects’ exercise of their rights in accordance with GDPR Chapter III. The Controller is responsible for direct communication with the Data Subjects and shall request the Processor’s assistance in writing. The Processor shall also assist the Controller, where relevant, in carrying out data protection impact assessments and prior consultations under GDPR Articles 35 and 36.

Upon written request, giving not less than thirty (30) days’ notice, the Controller is entitled to audit the Processor’s compliance with this DPA, once a year, at the Controller’s own costs. The Processor shall cooperate and remedy any deficiencies identified. The Processor may provide independent third-party audit reports as sufficient evidence of compliance, unless the Controller reasonably requests an on-site inspection.

5. CONTROLLER OBLIGATIONS

The Controller is responsible for the lawfulness of processing instructions and for maintaining adequate security of its own systems and integrations. The Controller shall ensure that third-party tools connected to their own software platform comply with GDPR requirements.

6. MUTUAL REPORTING OBLIGATIONS

Both the Processor and the Controller shall promptly inform each other of any inquiries, deviations or incidents related to the processing. Suspected or actual personal data breaches must be reported immediately. The Processor shall notify the Controller without undue delay, who in turn notifies the Danish Data Protection Agency (Datatilsynet) of the breach within 72 hours.

7. SUB-PROCESSING

The Processor may engage sub-processors listed in Annex B and shall notify the Controller of any intended changes no later than one (1) month prior to the changes taking effect, giving the Controller reasonable opportunity to object. The Controller’s objection must be given within one (1) month. If the Controller chooses to object, the Processor is entitled to terminate all agreements with the Controller. All sub-processors must be made subject to the obligations which the Processor is subject to under this DPA.

8. INTERNATIONAL TRANSFERS

Any transfer of personal data to a third country or an international organisation shall follow the instructions from the Controller and shall comply with GDPR Chapter V. Standard contractual clauses adopted by the Commission in accordance with GDPR Article 46(2) may be used in order to ensure compliance.

9. NON-COMPLIANCE AND TERMINATION

If the Processor breaches its obligations under this DPA or any GDPR obligations, the Controller may suspend the processing until compliance is restored (no later than one (1) month following suspension) or the DPA is terminated. The Processor shall promptly inform the Controller if for whatever reason it is unable to comply with this DPA. Each Party may terminate this DPA if the other Party materially fails to comply with this DPA or its respective GDPR obligations and no remedy is made within reasonable time. Following termination of this DPA, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless storage is required by law. The Processor shall confirm deletion or return in writing to the Controller.

10. DURATION

The DPA will enter into force by signing and shall remain in force until the Services Agreement is terminated by either Party or the business relationship terminates.

11. CHOICE OF LAW AND LEGAL VENUE

This DPA is governed by the law and venue as stated in the main Services Agreement.

Annex A

List of contact persons

Controller:

For Data Protection Officer’s name, position and contact details, please see the Order Form under ‘Data Protection Officer’.

Processor:

Nikolaj Bastiansen, CEO, # +45 42137082, email: info@24slides.

Annex B

List of sub-processors

| Vendor | Security standards |
|---|---|
| 24Slides Peru S.A.C.; Company reg. No.: 14277305; Av. Los Gorriones 470 Urb. La Campiña Zona Dos, Dpto. 602, Torre A, Chorrillos - Lima, Peru | SOC 1 type II and SOC 2 type II attested |
| PT 24Slides Design Indonesia; Company reg. No.: NIB 9120105491283; Jalan Tenaga Baru No 5-7, Desa/Kelurahan Blimbing, Kec. Blimbing, Kota Malang, Provinsi Jawa Timur, Kode Pos: 65125, Indonesia | SOC 1 type II and SOC 2 type II attested |
| Digital Ocean; Company registration no.: EU528002224; Address: 101 Avenue of the Americas, 10th fl., New York, NY 10013; Services: cloud computing | DigitalOcean is ISO 27001:2013 and PCI-DSS certified, and SOC 1 type II and SOC 2 type II attested |
| Google Cloud & G suite; Google Asia Pacific Pte. Ltd.; Company registration no.: 200817984R; Address: 70 Pasir Panjang Road, #03-71, Mapletree Business City, Singapore 117371; Services: web service, cloud computing | ISO 27001, 27017 and 27018 |
| Close.io; Legal name: Elastic Inc.; Company registration no.: Federal Employer Identification Number (FEIN): 27-3317267; Address: 1955 S Fork Rd. #1145, Jackson, WY 83001; Services: sales CRM | Close.io using Amazon Web Services as their sub-processor |
| ActiveCampaign; 1 North Dearborn Street, 5th floor, Chicago, IL 60602; Services: marketing automation | GDPR, SOC 2 Type II and HIPAA compliant |
| Slack Technologies Limited; Company registration no.: 558379; VAT ID No.: IE3336483DH; Address: One Park Place, Upper Hatch Street, Dublin 2, Ireland; Services: messaging | ISO/IEC 27001, ISO/IEC 27018, SOC 3, SOC 2 |
| Stripe (payment gateway); Company registration no.: n/a; Address: 510 Townsend St., San Francisco, CA, USA 94103; Services: payment gateway | Certified PCI Level 1 Service Provider |
| Wasabi Technologies Inc.; Company registration: (EIN) 811335285; Address: 111 Huntington Avenue, Boston, MA 02199; Services: cloud storage | Certifications: SOC 2 and ISO 27001 |
| HubSpot, Inc.; 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; Services: CRM, marketing automation, customer data management, and analytics services | Certifications: SOC 2 Type II, ISO 27001 certification, ISO 27018 |
| OpenAI, LP; 3180 18th Street, San Francisco, CA 94110, United States | Certified SOC 2 Type 2 and CSA STAR Level 1 |
| Backblaze; 201 Baldwin Ave., San Mateo, CA, 94401 | Certified SOC 2 Type 2 |
