CVR Pilot

Data Processing Agreement (DPA)

Databehandleraftale · Senest opdateret: 6. juli 2026 · ← Terms of Service · cvrpilot.dk

This Data Processing Agreement applies where CVR Pilot acts as a processor on the Customer's behalf (e.g. hosting the Customer's own workspace/account data and any data the Customer uploads or configures). For the B2B lead dataset CVR Pilot builds from public sources, CVR Pilot is an independent controller and the Customer becomes an independent controller on export — that relationship is governed by the Privacy Policy, not by this DPA. See §2 (Roles) for the split.

Parties

This DPA forms part of and is incorporated by reference into the CVR Pilot Terms of Service. Where this DPA conflicts with the Terms in respect of the processing of personal data by CVR Pilot as processor, this DPA prevails. It gives effect to Article 28(3) GDPR (Regulation (EU) 2016/679).

1. Definitions

Terms not defined here have the meaning given in the GDPR. "GDPR" means Regulation (EU) 2016/679 and, where applicable, the Danish Data Protection Act (databeskyttelsesloven). "Customer Personal Data" means personal data CVR Pilot processes on the Customer's behalf under the Terms (see Annex I). "Sub-processor" means a third party engaged by CVR Pilot to process Customer Personal Data. "Data Subject", "processing", "controller", "processor", "personal data breach" and "supervisory authority" have their GDPR meanings. The competent supervisory authority is Datatilsynet (the Danish DPA).

2. Roles and scope

2.1 For Customer Personal Data (Annex I), the Customer is the controller and CVR Pilot is the processor. CVR Pilot processes Customer Personal Data only to provide the Service and only on the Customer's documented instructions (§3).

2.2 For the B2B lead/prospect dataset CVR Pilot assembles from public sources (public company websites and directories, Google Maps/Places, and the CVR business register), CVR Pilot is an independent controller. When the Customer exports leads into its own systems, the Customer becomes an independent controller for its own use of that data and is responsible for the lawfulness of its outreach (GDPR + Danish markedsføringsloven § 10). That processing is not governed by this DPA; see the Privacy Policy §4–§5. This DPA does not make CVR Pilot the Customer's processor for the lead dataset.

2.3 Where the lead/prospect dataset concerns sole proprietorships (enkeltmandsvirksomheder) or other personally-owned businesses (PMV), the relevant business-contact data may constitute personal data under the GDPR — unlike incorporated entities such as ApS/A/S, which are separate legal persons. CVR Pilot processes such data as independent controller under the Privacy Policy (legitimate interests, Art. 6(1)(f), with a maintained balancing test), applies the data-subject rights and CVR reklamebeskyttelse screening described there, and does not collect or resell owners'/employees' personal email addresses or mobile numbers without a valid legal basis — it limits itself to publicly available business master-data. On export, the Customer becomes independent controller for its own use of any such personal data.

3. Controller instructions

3.1 CVR Pilot processes Customer Personal Data only on the Customer's documented instructions, including as to international transfers, unless required otherwise by EU or Danish law (in which case CVR Pilot informs the Customer of that legal requirement before processing, unless the law prohibits it on important grounds of public interest).

3.2 The Customer's complete and final instructions are: (a) this DPA and the Terms; (b) the configuration and features the Customer uses in the Service; and (c) any further written instruction the Customer gives via privacy@cvrpilot.dk. The Service, its documentation, and this DPA reflect the ordinary instructions for the agreed subject-matter (Annex I).

3.3 CVR Pilot will inform the Customer if, in its opinion, an instruction infringes the GDPR or other data-protection law (GDPR Art. 28(3), final paragraph). CVR Pilot may suspend the processing concerned until the instruction is confirmed or amended.

4. Subject-matter, duration, nature and purpose (Art. 28(3) chapeau)

5. Confidentiality

CVR Pilot ensures that persons authorised to process Customer Personal Data are bound by confidentiality (contractual or statutory) and process the data only as instructed. Access is on a least-privilege, need-to-know basis.

6. Security of processing (Art. 32)

CVR Pilot implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures actually in place are set out in Annex II and include, in summary: EU data residency; TLS/HTTPS in transit with HSTS; passwords hashed with scrypt (memory-hard, work factor 2^15); authenticated encryption of stored OAuth/integration tokens (stdlib encrypt-then-MAC, HMAC-SHA256) keyed off a secret held only in the environment, never in the database; client-side AES-256 encrypted, off-box backups in the EU; tenant isolation; session tokens that are random, HttpOnly and revocable, with expiry; strict HTTP security headers; rate-limiting and a bot shield; least-privilege access; and a tamper-evident audit log. CVR Pilot may update measures provided the level of security is not materially reduced.

7. Sub-processors (Art. 28(2), 28(4))

7.1 The Customer gives general authorisation for CVR Pilot to engage sub-processors. The current list is reproduced at Annex III. CVR Pilot imposes on each sub-processor, by written contract, data-protection obligations equivalent to those in this DPA (in particular Art. 32 security), and remains fully liable to the Customer for a sub-processor's failure to meet those obligations.

7.2 Change notification. Before adding or replacing a sub-processor, CVR Pilot will give the Customer at least 30 days' prior notice (by email and/or by updating the sub-processor list with a dated entry), so the Customer has a reasonable opportunity to object on reasonable data-protection grounds. If the Customer objects and the parties cannot resolve it, the Customer may terminate the affected part of the Service.

8. Assistance with data-subject rights (Art. 28(3)(e))

Taking into account the nature of the processing, CVR Pilot assists the Customer with appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests to exercise Data-Subject rights (access, rectification, erasure, restriction, portability, objection). In practice, for Customer Personal Data: the Customer can self-serve via the in-app Settings → Privacy & data (export the workspace data as JSON; delete the account and its data); CVR Pilot additionally assists on request via privacy@cvrpilot.dk. Where CVR Pilot receives a request from a Data Subject that relates to Customer Personal Data, it will not respond directly (save to acknowledge and redirect) but will forward it to the Customer without undue delay, per CVR Pilot's internal data-subject-rights workflow.

9. Assistance with controller obligations (Art. 28(3)(f), Art. 32–36)

CVR Pilot assists the Customer, taking into account the nature of processing and the information available to it, in ensuring compliance with the Customer's obligations under Art. 32–36, i.e. security of processing, personal-data-breach notification, communication to data subjects, data protection impact assessments and prior consultation.

10. Personal-data-breach notification (Art. 33(2))

CVR Pilot notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer Personal Data. The notice will describe, to the extent known: the nature of the breach and categories/approximate numbers of data subjects and records affected; the likely consequences; the measures taken or proposed; and a contact point. CVR Pilot will provide further information as it becomes available and cooperate so the Customer can meet its own Art. 33/34 obligations. (CVR Pilot reports breaches affecting data for which it is controller directly to Datatilsynet under Art. 33.)

11. Return or deletion on termination (Art. 28(3)(g))

11.1 On termination of the Service, and at the Customer's choice, CVR Pilot deletes or returns all Customer Personal Data and deletes existing copies, unless EU or Danish law requires storage (e.g. bookkeeping records kept under the Danish Bookkeeping Act, typically 5 years).

11.2 Deletion mechanics. Account/workspace deletion is a two-step, email-confirmed erasure that removes the workspace data from the live database immediately, cancels the Stripe customer, and purges CRM tokens, integration state and tied contact/support records. Deletions propagate to encrypted backups within the backup-retention window (target 30 days); because backups are point-in-time, CVR Pilot maintains an out-of-band erasure log that is replayed on restore/boot so that restoring an older backup does not resurrect erased data.

11.3 CVR Pilot confirms deletion in writing on request.

12. Audit rights (Art. 28(3)(h))

12.1 CVR Pilot makes available to the Customer the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates.

12.2 In practice, CVR Pilot first satisfies audit requests by providing this DPA, the sub-processor list, Annex II security documentation, and any available reports/certifications. If that is insufficient, the Customer may request an audit on reasonable prior written notice (at least 30 days), no more than once per 12 months (unless required by a supervisory authority or following a breach), during business hours, without unreasonable disruption, and subject to confidentiality. Each party bears its own costs of an audit.

13. International transfers (Chapter V)

13.1 CVR Pilot processes and stores Customer Personal Data in the EU by default (hosting and backups in Frankfurt/fra1; email via EU providers) — see Annex III.

13.2 Where a sub-processor processes Customer Personal Data outside the EU/EEA, the transfer is covered by an appropriate Chapter V safeguard, namely the Standard Contractual Clauses (SCCs) and/or the recipient's EU-US Data Privacy Framework certification, together with any supplementary measures required. This applies in particular to the US sub-processors: Anthropic (AI enrichment), Google / Google Places (sign-in; company discovery) and Stripe (payments), and to Cloudflare (bot shield). The Customer authorises these transfers as instructions under §3. Copies of the relevant safeguards are available via privacy@cvrpilot.dk.

14. Liability, term and general

This DPA takes effect when the Customer accepts the Terms and lasts as long as CVR Pilot processes Customer Personal Data. Liability is governed by the limitation-of-liability provisions of the Terms. Governing law: Denmark; disputes as per the Terms. If a provision is invalid, the rest stands. This DPA (with its Annexes, the Terms and the Privacy Policy) is the entire agreement on this subject-matter.

Annex I — Description of processing

For clarity, the lead/prospect dataset CVR Pilot builds is not Customer Personal Data and is not in scope of this Annex — CVR Pilot is controller for it (see §2.2 and Privacy Policy §4).

Annex II — Technical and organisational security measures (Art. 32)

Annex III — Authorised sub-processors

As at the date above, the authorised sub-processors are:

Sub-processorPurposeLocation / safeguard
Anthropic PBCAI enrichmentUS — SCCs + DPA, zero-retention
DigitalOceanHostingEU (fra1/Frankfurt)
DigitalOcean SpacesEncrypted backupsEU (fra1/Frankfurt)
Brevo (Sendinblue)Transactional emailEU (France)
Simply.comMarketing-site hostingEU (Denmark)
GoogleOAuth sign-inEU/US — SCCs/DPF
Google PlacesCompany discoveryUS — SCCs/DPF
StripePaymentsEU/US — SCCs/DPF
Cloudflare TurnstileBot shieldEU/US — SCCs/DPF

Dansk resumé (kort) — Databehandleraftale

Dette er et kort dansk resumé til orientering. Ved uoverensstemmelse gælder den fulde engelske version ovenfor.

Denne databehandleraftale (DPA) opfylder GDPR artikel 28, stk. 3, for de tilfælde, hvor CVR Pilot er databehandler for kunden (hosting af kundens workspace-/kontodata). CVR Pilot behandler kun kundens personoplysninger efter kundens dokumenterede instruks, sikrer fortrolighed, gennemfører passende sikkerhedsforanstaltninger (art. 32 — bl.a. scrypt, autentificeret kryptering af tokens, TLS, EU-datacenter i Frankfurt, krypterede off-box-backups, adgangsstyring), anvender kun underdatabehandlere med tilsvarende forpligtelser og med forudgående varsel om ændringer, bistår kunden med de registreredes rettigheder, underretter om brud på persondatasikkerheden inden for 72 timer, sletter eller tilbagelevererer data ved ophør, giver revisionsret, og sikrer internationale overførsler via SCC/Data Privacy Framework for underdatabehandlere i USA (Anthropic, Google/Google Places, Stripe, Cloudflare). For det lead-datasæt, CVR Pilot selv opbygger fra offentlige kilder, er CVR Pilot selvstændig dataansvarlig — det er ikke omfattet af denne aftale (se privatlivspolitikken §4–§5).

Selskabsoplysninger udleveres på forespørgsel via privacy@cvrpilot.dk.