We comply with procedures and controls which ensures that instructions regarding the processing of personal data are followed in accordance with the concluded data processing agreement:
- Written procedures ensures processing only occurs when instructions are in place.
- Annual review of procedures is conducted as a minimum.
- Processing is limited to what is set out in agreed Data Processing Agreement.
- Notifications to data controller if instructions breach GDPR requirements.
- Read the full and most updated version of the DPA, here: Updated DPA
We comply with procedures and controls which ensures that we have implemented technical measures to ensure relevant processing security:
- Risk-based technical security measures implemented.
- System monitoring and alerts in place.
- Encryption for transmission of confidential and sensitive data.
- Regular vulnerability scans and penetration tests.
We comply with procedures and controls which ensures that we have implemented organisational measures to ensure relevant processing security:
- Management-approved information security policy in place.
- Employee vetting conducted upon recruitment.
- Confidentiality agreements and security training upon employment.
- Ongoing awareness training on IT security and data processing
We comply with procedures and controls which ensures that personal data can be deleted or returned should an agreement to that effect be concluded with the client:
- Written procedures for storage and deletion in accordance with agreements.
- Compliance with agreed retention periods and deletion routines.
- Data returned or deleted upon termination of processing.
We comply with procedures and controls which ensures that we only store personal data in accordance with the agreement with the data controller:
- Written procedures ensures storage complies with data controller agreements.
- Proessing and storage limited to approved locations, countries, or geographical areas.
We comply with procedures and controls which ensures that only approved sub-processors are used, and that we ensure adequate processing security through follow-up on their technical and organisational measures to protect the rights of data subjects.
- Written procedures for use of sub-processors.
- Only approved sub-processors are used.
- Timely notification of changes to generally approved sub-processors.
- Regular follow-up through meetings, inspections, or audit reviews.
- Read the full list of sub-processors here: List of sub-processors.
We comply with procedures and controls which ensures that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism:
- Written procedures requiring valid transfer mechanisms.
- Transfers only occur following data controller instructions.
- Valid transfer mechanisms assessed and documented.
We comply with procedures and controls which ensures that we can assist the data controller with disclosure, rectication, deletion, or restriction of information about the processing of personal data to the data subject:
- Written procedures for assisting data controller with data subject rights.
- Established procedures enable timely assistance with disclosure, rectification, deletion, restriction, and information provision.
- Valid transfer mechanisms assessed and documented.
We comply with procedures and controls which ensures that any security breaches can be handled in accordance with the concluded Data Processing Agreement:
- Written procedures for notifying data controllers of personal data breaches.
- Controls established for identifiying breaches (employee awareness, network monitoring, access logging).
- Notification to data controller without undue delay.
- Procedures in place for assisting with notifications to Data Protection Authority.

