Contract · GDPR Art. 28

Data Processing Agreement

When runi.services processes personal data on your behalf, this is the standard-form agreement that governs how. Short enough to read. Precise enough to sign.

Draft v0.1 · pending legal review

This is our working draft, published openly while counsel finalises the signable version. Customers who need a DPA immediately should write to kontakt@runi.services — we will adapt to your form or sign this one as-is with lawyer sign-off attached.


Parties and scope

This Data Processing Agreement (the “DPA”) is entered into between Runi Consulting ApS (CVR 39337487) (“Processor”) and the customer identified in the underlying Services Agreement (“Controller”). It governs any processing of Customer Personal Data by the Processor on the Controller’s behalf in connection with the Services.

This DPA forms part of and is subject to the Services Agreement. In the event of conflict on data-protection matters, this DPA prevails. Capitalised terms not defined here take their meaning from GDPR (Regulation 2016/679).

Operative clauses

Clause 1
Roles and subject matter

The Controller determines the purposes and means of processing. The Processor processes Customer Personal Data only on documented instructions from the Controller — including the Services Agreement itself as the primary written instruction — and as further specified in Annex I.

Clause 2
Duration

This DPA is effective from the earlier of (a) the effective date of the Services Agreement and (b) the first access by the Processor to Customer Personal Data, and continues for the duration of the Services plus any post-termination period required to return or delete data under Clause 10.

Clause 3
Processor obligations

The Processor shall:

  • process Customer Personal Data only on the Controller’s documented instructions, including with regard to transfers to third countries;
  • ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement the technical and organisational measures set out in Annex II;
  • respect the conditions for engaging sub-processors set out in Clause 5;
  • assist the Controller in fulfilling data-subject rights and in meeting obligations under GDPR Art. 32–36;
  • at the Controller’s election, delete or return all Customer Personal Data at the end of the Services, as described in Clause 10;
  • make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits under Clause 9.

Clause 4
Security of processing

Taking into account the state of the art and the risks to data subjects, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex II. The Processor reviews and updates these measures at least annually and whenever a material change warrants it.

Clause 5
Sub-processors

The Controller provides general written authorisation for the Processor to engage sub-processors, subject to:

  • the sub-processors listed in Annex III and at /subprocessors/ are approved as of the Effective Date;
  • the Processor notifies the Controller at least 30 days before adding or replacing a sub-processor processing Customer Personal Data;
  • the Controller may object for documented reasons within the notice period; if the objection cannot be resolved, the Controller may terminate the affected Service with written notice;
  • the Processor imposes on each sub-processor the same data-protection obligations as in this DPA by written contract.

Clause 6
International transfers

Where Customer Personal Data is transferred to a jurisdiction outside the EEA without an adequacy decision, such transfer is performed under the EU Commission Standard Contractual Clauses (Decision 2021/914), Module Three (processor to processor), and/or the EU-US Data Privacy Framework where the recipient is certified. The SCCs are incorporated by reference into this DPA; Annex III identifies the transfer mechanism per sub-processor.

Clause 7
Data-subject requests

The Processor shall, taking into account the nature of the processing, assist the Controller with appropriate technical and organisational measures, insofar as possible, in responding to requests to exercise data-subject rights under GDPR Chapter III. Where a data subject contacts the Processor directly, the Processor forwards the request to the Controller without undue delay.

Clause 8
Breach notification

The Processor notifies the Controller without undue delay and in any event within 48 hours of becoming aware of a personal-data breach affecting Customer Personal Data. The notification describes the nature of the breach, likely consequences, the categories and approximate number of data subjects and records concerned, and measures taken or proposed.

Clause 9
Audits

The Processor provides the Controller with audit evidence sufficient to demonstrate compliance with this DPA, including current third-party certifications held by the Processor and its sub-processors (e.g. ISO 27001, SOC 2), summary reports, and, on reasonable notice and subject to confidentiality, a remote audit session. On-site audits are available on written request at the Controller’s expense, limited to once per calendar year unless a material breach or regulatory investigation warrants more.

Clause 10
Return or deletion

On termination of the Services, the Processor shall, at the Controller’s election: (a) provide a full export of Customer Personal Data in a durable format within 30 days, or (b) delete Customer Personal Data from active systems within 30 days and from backups within 90 days. Records retained under EU or Member State law (e.g. Bogføringsloven accounting obligations) are preserved for the statutory minimum and no longer.

Clause 11
Governing law

This DPA is governed by Danish law. Disputes are resolved by the courts of Copenhagen. Nothing in this DPA limits the rights of data subjects or the supervisory authority under GDPR or applicable national law.

Annex I
Description of processing
Subject matter
Provision of AI-agent services by the Processor to the Controller as described in the Services Agreement, including agent configuration, operation, memory handling, and related support.
Duration
The term of the Services Agreement, plus the post-termination handover and deletion windows in Clause 10.
Nature and purpose of processing
Hosting, storage, retrieval, transmission, and analysis of Customer Personal Data to operate AI agents on the Controller’s behalf; security monitoring, incident response, support.
Categories of data subjects
Employees, contractors, and other authorised users of the Controller; third parties whose data the Controller chooses to provide to the agents (e.g. counterparties referenced in the Controller’s communications).
Categories of personal data
  • Account and identity data (name, email, role, organisation)
  • Content the Controller provides to the agents (messages, files, memory entries)
  • Operational and security telemetry (auth events, audit logs, no content)
  • Support correspondence
Special categories
None expected. If the Controller’s use case requires special categories under Art. 9, the parties will agree the Art. 9(2) basis in writing before processing begins.
Frequency
Continuous, for the duration of the Services.

Annex II
Technical and organisational measures
Access control
Microsoft Entra ID-based authentication with mandatory MFA for all human accounts accessing Customer Personal Data. Least-privilege role assignments reviewed at least annually. Break-glass accounts audited.
Network security
TLS 1.2+ in transit. Private endpoints or IP allowlists where supported. No public service endpoints expose Customer Personal Data without authentication.
Encryption at rest
Azure platform-managed encryption with keys held in Azure Key Vault. Customer-managed keys available on request.
Logging and audit
Auth events, administrative actions, and sub-processor invocations logged to immutable storage for at least 90 days. Logs accessible to the Controller on request.
Secrets management
API keys and tokens stored in Azure Key Vault, rotated on a defined cadence or on incident.
Backups and recovery
Daily automated backups with geo-redundant storage inside the EEA. Recovery tests at least annually.
Incident response
Defined playbook with on-call rotation. Breach notification within 48 hours of awareness per Clause 8.
Organisational
Written confidentiality obligations for all personnel with access to Customer Personal Data. Security-awareness training at onboarding and refreshers as warranted.
Vendor management
Every sub-processor assessed before engagement. Annual re-review against updated risk register.

Annex III
Approved sub-processors

The authoritative, versioned list is maintained at /subprocessors/. The following vendors are approved as of the Effective Date of this DPA:

  • Microsoft — Azure hosting, Entra ID, Microsoft Graph, M365 — EU regions — EU-resident, SCCs available
  • Anthropic — Claude models for agent reasoning — US — DPF + SCCs
  • Google — Gemini models (text/audio/video) — US/EU — DPF + SCCs
  • OpenAI (via Azure OpenAI) — backup GPT models — EU — EU-resident
  • GitHub — code and issue hosting — US — DPF + SCCs

Draft published 2026-04-17 · Version 0.1 · Next review 2026-07 · See Privacy and Sub-processors for related disclosures.