Data processing agreement
Last updated: 1 June 2026
This data processing agreement (DPA) applies when you, as a customer, use Palisai to process personal data, and forms an integral part of our terms. It sets out the framework for Palisai's processing of personal data on your behalf pursuant to GDPR Art. 28.
1. Roles
In relation to personal data you process via the platform, you are the data controller and Palisai is the data processor. Palisai processes personal data solely on your documented instructions.
2. Subject matter and duration
The processing covers the personal data necessary to provide the service, and lasts for as long as the agreement for the service is in force.
3. Processor obligations
- Process personal data only on the controller's instructions.
- Ensure confidentiality of persons with access to the data.
- Implement appropriate security measures under GDPR Art. 32.
- Assist the controller in responding to data subject requests.
4. Sub-processors
The controller grants general authorisation for the use of sub-processors. The current list is set out in our privacy policy. Palisai gives notice of changes so the controller can object.
5. International transfers
Personal data is processed and stored within the EU/EEA (hosting with Hetzner in Germany). Where transfers to third countries occur, a valid transfer mechanism such as the European Commission's Standard Contractual Clauses (SCCs) is put in place.
6. Security measures
Palisai applies technical and organisational measures, including encryption in transit, access management and network isolation of infrastructure.
7. Personal data breaches
Palisai notifies the controller without undue delay upon becoming aware of a personal data breach affecting the controller's data.
8. Deletion and return
On termination of the agreement, Palisai deletes or returns the processed personal data at the controller's choice, unless legislation requires continued storage.
9. Audit
Palisai makes available the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits. Requests for an audit must be submitted with at least 30 days' notice. Palisai is entitled to require that the audit be carried out by an independent third party under a duty of confidentiality, and that any direct costs are borne by the controller.
10. Contact
Questions about this data processing agreement can be directed to info@conxo.dk.