Data Processing Addendum (DPA)

Last updated: August 9, 2025

This DPA forms part of the agreement between techbase (the Processor) and the customer identified in the order/signup (the Customer or Controller) governing use of Cortexium. Capitalized terms not defined here have the meanings in the Agreement or the GDPR.

1) Scope & Roles

Customer is controller and techbase is processor of Customer Personal Data. Processor will process only to provide, maintain and secure the Service and as documented by Customer.

2) Processing Instructions

Processor will process solely on Customer’s documented instructions (including with regard to third‑country transfers) and will notify Customer if an instruction appears to infringe GDPR.

3) Confidentiality

Authorized persons are bound by confidentiality and receive appropriate training.

4) Security

Processor implements appropriate technical and organizational measures (TOMs) as described in Annex II and Article 32 GDPR.

5) Subprocessing

  • Authorization. Customer authorizes Subprocessors listed on the Subprocessors page and any others added in compliance with this DPA.
  • Onboarding. Processor will contractually impose data‑protection obligations no less protective than this DPA.
  • Changes. Processor will give advance notice of new/replacement Subprocessors, allowing Customer to object on reasonable grounds related to data protection. If not resolved, parties will discuss alternatives or Customer may terminate the affected service with a pro‑rated refund.

6) Assistance

Processor will assist Customer to fulfill data‑subject requests and conduct DPIAs/consultations, taking into account the nature of processing and available information.

7) Breach Notification

Processor will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and provide available information to help meet obligations.

8) Return or Deletion

At termination, at Customer’s choice, Processor will delete or return all Customer Personal Data and delete existing copies within a reasonable period, unless law requires storage. Backups are deleted on their standard cycle.

9) Audits & Records

Processor will make available information necessary to demonstrate compliance and allow audits by Customer or an independent auditor, once per 12 months (or as required by a competent authority), subject to notice, confidentiality and non‑disruption. Independent audit reports/certifications may be provided where appropriate.

10) International Transfers & SCCs

  • Where Customer Personal Data is processed outside the EEA/UK in a country without an adequacy decision, the Standard Contractual Clauses (EU 2021/914) (Module 2 and, where applicable, Module 3) are incorporated by reference.
  • Details required by the SCCs are set out in Annexes I–III.
  • Governing law for SCCs: Denmark. Supervisory authority: Datatilsynet (Denmark).
  • Docking clause applies.

11) Liability

Liability follows the Agreement’s limitations, except where prohibited by law.

12) Order of Precedence

If there is a conflict between this DPA and the Agreement, this DPA controls for processing of Customer Personal Data. If there is a conflict between this DPA and the SCCs, the SCCs prevail.

Annex I – Processing Details

  • Controller: Customer (as identified in order/signup).
  • Processor: techbase (CVR: 21663948), Gråspurvevej 15, 3. 2., 2400 Copenhagen NV, Denmark. Contact: privacy@cortexium.io.
  • Subject matter: Provision of the Service and related support.
  • Duration: Term of Agreement + backup retention.
  • Nature & purpose: Hosting, storage, transmission, analysis, support, security, maintenance.
  • Types of data: Identification (name, email), organization/role, usage/log data (IP, timestamps), and any personal data included in Customer Content.
  • Data subjects: Customer’s users; individuals in Customer Content.
  • Special categories: Not intended. If submitted, TOMs in Annex II apply.
  • Transfers: As necessary to Subprocessors listed; mechanisms per Section 10.
  • Competent SA: Datatilsynet (Denmark).

Annex II – Technical & Organizational Measures (Summary)

  • Access control: Role‑based access; least‑privilege; MFA for admin access; periodic reviews.
  • Data security: TLS in transit; encryption at rest where available; secrets management; network isolation.
  • Logging & monitoring: Centralized logs; alerts; anomaly detection; time‑synced logs.
  • Vulnerability mgmt: Updates; dependency monitoring; timely patching; security reviews.
  • Business continuity & backup: Encrypted backups; restoration testing; multi‑AZ/region where applicable (none cross‑region currently).
  • Development security: Code review; CI/CD least privilege; secrets hygiene.
  • Personnel security: Confidentiality commitments; awareness training; access revocation on exit.
  • Physical security: Provider data centers with industry‑standard controls.
  • Incident response: Runbooks; on‑call for critical incidents; post‑incident review.
  • Data minimization & retention: Only as needed; scheduled deletion.
  • Testing: Staging environments; separation of duties; targeted penetration tests as applicable.

Annex III – Subprocessors

Subprocessors are listed on the Subprocessors page and incorporated by reference; updates follow DPA §5.