Data Processing Agreement
This page summarises komplai's standard Data Processing Agreement (DPA) in English. The signature-ready version is shipped as .docx the same day, without an NDA — write to hej@komplai.dk or use the Procurement tab. Version 1.0 — published 19 May 2026.
Parties and purpose
Data controller: your organisation (the municipality, law firm or private company that has entered into a master agreement with komplai). Data processor: Progressify ApS, CVR 40351981, providing the komplai suite (hub, docs, templates, redact, Word plugin, browser extension). The purpose is to process personal data on your behalf as part of your own case work, document production and PII anonymisation.
Nature of processing
komplai processes personal data in three categories: (1) ordinary contact/identity data about your employees for auth (email, name, organisation affiliation) — stored in Zitadel; (2) document content you create or import in docs/templates — stored encrypted in Postgres; (3) ephemeral in-memory processing of text submitted to PII detection in redact and redact-detect — discarded immediately after the response is returned, never stored.
Duration
Processing follows the term of the master agreement. On termination: deletion or return (at your choice) of all personal data within 30 days. Backup rotation deletes automatically within an additional 30 days. Written confirmation of deletion is provided on request.
Sub-processors
komplai uses the sub-processors listed on the Sub-processors tab. Adding a new sub-processor or changing an existing one requires 30 days' written notice; you may object, and if we cannot find a solution that addresses your objection, you may terminate the master agreement without further notice. Sub-processors are bound by terms equivalent to this DPA.
Security measures
Technical measures: TLS 1.3 on all external channels; AES-256 on all persisted LLM API keys; OIDC + MFA-capable auth via Zitadel; role- and tenant-based access control via OpenFGA; hash-chained audit events for every mutation. Organisational measures: principle of least privilege on all internal access; mandatory review at onboarding; no production data on personal devices. ISAE 3402 Type II report: under implementation (engagement period Jul–Dec 2026); pre-audit documentation available on request.
Where data lives
Primary operations: Hetzner Online GmbH, Falkenstein, Germany (EU residency). Backups: same provider, same location. On-prem LLM (DGX Spark): at komplai in Denmark. If you actively select an external AI provider in your tenant settings (Anthropic, OpenAI and others), the text passed to the LLM is processed by that provider; this is documented separately as an additional sub-processor. The default is the local model, in which case no data leaves the EU.
Personal data breaches
komplai notifies you in writing within 24 hours of becoming aware of a breach that poses a risk to data subjects' rights and freedoms. The notification contains the GDPR art. 33 elements: nature and scope, categories of data subjects and records, likely consequences, and proposed remedial measures. We provide copies of all relevant logs and assist you with your notification to the Danish DPA.
Assistance to the data controller
komplai assists you in meeting your obligations under GDPR art. 32–36 (security, DPIA, prior consultation) and art. 12–22 (data subject rights) — including by providing data in a structured format, deleting specific data subjects on request, and producing audit trails for the DPA. Assistance that goes beyond reasonable operations is billed hourly; in practice this is usually zero.
Governing law and venue
Danish law. Venue: Copenhagen. The agreement is subject to GDPR and the Danish Data Protection Act.
Order the signature-ready version
Write to hej@komplai.dk or use the Procurement tab — we send the .docx the same day, without an NDA. The DPA is ready for signing via MitID, your digital signature solution, or on paper.
Last updated: 19 May 2026