Data Processing Agreement
This Data Processing Agreement ("DPA") governs Flaplist's processing of personal data on behalf of business users (data controllers). The DPA takes effect when the data controller accepts Flaplist's Terms of Service and uses the service to process personal data about third parties.
1. The Parties
Data Processor: Redefine v/Morten Bang Justesen, CVR 30270444, Denmark ("Flaplist").
Data Controller: The company or organisation that uses Flaplist to process personal data about employees, customers, collaborators, or other individuals.
This DPA supplements and forms an integral part of Flaplist's Terms of Service and Privacy Policy. In the event of conflict, this DPA takes precedence with respect to the processing of personal data.
2. Subject Matter and Nature of Processing
Flaplist processes personal data on behalf of the data controller solely for the purpose of delivering the services described in the Terms of Service.
Processing includes storing, displaying, organising, and updating information in lists, items, activity logs, and — for Business and Enterprise customers — forms created in the service.
Processing takes place for the duration of the active subscription and ceases when the data controller's account is deleted.
3. Categories of Personal Data and Data Subjects
The nature and scope of the personal data processed depend entirely on the data controller and the content they choose to create in the service.
The following categories may occur: names, email addresses, job titles, user behaviour (checkmarks, timestamps, and activity logs), and free-text information in lists, items, and forms.
Data subjects may include the data controller's own employees and collaborators, representatives of other companies or organisations, private users, and other individuals the data controller involves in their use of the service — including via shared lists and public links with checkbox access.
4. Processing Instructions and Purpose Limitation
Flaplist processes personal data only in accordance with documented instructions from the data controller, unless EU or Danish law requires otherwise.
The data controller is responsible for the lawfulness of the instructions given to Flaplist and for ensuring that an appropriate legal basis for processing is in place.
Flaplist will promptly notify the data controller if we receive an instruction that we consider to be in breach of applicable data protection legislation.
5. Confidentiality
Flaplist ensures that employees and sub-processors with access to the data controller's personal data are bound by enforceable confidentiality obligations.
6. Technical and Organisational Measures
Flaplist implements and maintains appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure.
Measures include: encrypted data transmission (TLS/HTTPS), access control and role management, secure hosting within the EU, regular updates to system components, and logging of access to system data.
7. Sub-processors
The data controller hereby grants general prior authorisation for Flaplist's use of sub-processors for hosting, authentication, and other technical operations.
A current list of sub-processors can be obtained by contacting support@flaplist.com. Flaplist will notify the data controller of planned changes in good time.
Flaplist ensures that all sub-processors are bound by data protection obligations equivalent to those in this DPA.
8. International Data Transfers
Flaplist endeavours to store and process personal data within the EU/EEA. Where sub-processors located outside the EU/EEA are used, this is done on the basis of the EU Commission's Standard Contractual Clauses (SCC) or an equivalent transfer mechanism.
9. Personal Data Breaches
Flaplist will notify the data controller without undue delay, and no later than 72 hours after becoming aware, of any personal data breach affecting data processed on the data controller's behalf.
The notification will include at minimum: a description of the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or planned to address the breach.
10. Deletion and Return of Data
The data controller may at any time export their data using the export function available in the service.
Upon termination of the subscription, Flaplist will delete the data controller's personal data in accordance with our deletion procedures as described in the Privacy Policy, unless retention is required by law.
11. Audit and Documentation
Flaplist will make available the documentation necessary to demonstrate compliance with this DPA. The data controller may request an audit with reasonable notice; any costs associated with such an audit shall be borne by the data controller.
12. Business and Enterprise — Special Terms
Business and Enterprise subscribers have access to additional features, including forms that can be completed and checked off by internal users or — via public links — by external parties. Data collected through forms is subject to the same data protection obligations as all other data processed under this DPA.
Enterprise customers may, by contacting Flaplist, have their own domain set up (e.g. checklist.yourorg.com) pointing to the Flaplist infrastructure, and apply their own logo and selected interface customisations (white-label). In such cases the service appears under the Enterprise customer's brand, but the underlying processing is still carried out by Flaplist as data processor under this DPA.
Flaplist accepts no responsibility for content or communication presented under the Enterprise customer's branding.
13. Entry into Force and Contact
This DPA takes effect when the data controller accepts Flaplist's Terms of Service and uses the service to process personal data about third parties. The DPA may be updated in accordance with the change procedure set out in the Terms of Service.
Business users who wish to receive a signed copy of the DPA or have questions about it may contact us at support@flaplist.com.