Data Processing Agreement
between the Data Controller and LetsBuild Holding SA
This Data Processing Agreement (“Agreement”) is entered into between:
Data Controller: The legal entity using LetsBuild Services
Data Processor: LetsBuild Holding SA (and its affiliates, including GenieBelt)
Each a “Party” and collectively the “Parties”.
1. Definitions and Interpretation
1.1. For the purposes of this Agreement, the terms “personal data”, “processing”, “data subject”, “data controller”, “data processor” and “personal data breach” shall have the meanings set out in Article 4 of Regulation (EU) 2016/679 (GDPR).
1.2. Applicable Law: The GDPR and any Danish legislation supplementing or implementing it.
1.3. Services: Any software-as-a-service (SaaS) product or professional service provided by LetsBuild under the “LetsBuild Subscription”.
1.4. LetsBuild Subscription: The Terms of Service, Privacy Policy, signed Service Order, and/or any invoice forming the legal basis for provision of Services.
1.5. Third Country: A country outside the European Economic Area (EEA) not recognised by the European Commission as providing an adequate level of data protection.
1.6. References to any law shall include updates, amendments, and successor legislation.
2. Purpose and Scope
2.1. The Data Processor shall only process personal data on behalf of and in accordance with documented instructions from the Data Controller.
2.2. The processing shall be limited to what is necessary to provide the Services and as further described in section 3 of this Agreement.
2.3. The Data Processor shall not process, disclose or transfer personal data unless:
- expressly instructed by the Data Controller,
- required by law (with prior notice to the Data Controller where permitted), or
- authorised under this Agreement.
3. Description of Processing
3.1. Purpose: The Data Processor processes personal data solely to provide the Services under the LetsBuild Subscription.
3.2. Nature of Processing:
- Collection, storage, organisation, structuring, consultation, use, transmission, erasure, etc.
3.3. Categories of Data Subjects:
- Employees or contractors of the Data Controller
- Users and potential users of the Services
3.4. Categories of Personal Data:
- Name
- Email address
- Phone number
4. Security of Processing
4.1. The Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
4.2. These measures include but are not limited to:
- Access controls
- Encryption
- Physical security of hosting environments
- Employee training
- Annual review of internal procedures
4.3. Staff involved in processing must be subject to confidentiality obligations and trained in data protection.
4.4. For more detail, the Data Processor’s Privacy Policy shall apply and is hereby incorporated by reference.
5. Sub-Processing
5.1. The Data Processor has general authorisation to use sub-processors. The current list is available on request.
5.2. The Data Processor will notify the Data Controller of any intended additions or replacements at least 30 days in advance. The Data Controller may object within 7 days if it has justified concerns.
5.3. All sub-processors must be bound by written agreements imposing the same data protection obligations as those set out in this Agreement.
5.4. In the event of the Data Processor’s insolvency, the Data Controller may contact sub-processors directly to ensure continuity.
6. Data Transfers
6.1. The Data Processor shall not transfer personal data outside the EEA unless:
- The transfer is to a country with an adequacy decision, or
- It is covered by appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs).
6.2. Transfers to the United States shall only occur to entities participating in the EU-U.S. Data Privacy Framework or bound by SCCs.
7. Rights of Data Subjects
7.1. The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR, including:
- Access
- Rectification
- Erasure
- Objection
- Data portability
7.2. The Data Processor shall respond promptly and fully to Data Controller requests for assistance.
8. Personal Data Breaches
8.1. In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay upon becoming aware of it.
8.2. The notification shall include all available information required under Article 33 GDPR.
8.3. The Data Processor shall not notify any third party or supervisory authority without the Data Controller’s prior written consent, unless legally required to do so.
9. Documentation and Audit
9.1. The Data Processor shall maintain records of all processing activities under its responsibility as required by Article 30 GDPR.
9.2. The Data Controller (or appointed third party) may audit the Data Processor’s compliance with this Agreement, with reasonable notice.
9.3. The Data Processor shall also ensure that its sub-processors enable similar audits and provide relevant documentation.
9.4. All audit costs shall be borne by the Data Controller, unless a breach is discovered.
10. Term and Termination
10.1. This Agreement remains in force for as long as the Data Processor processes personal data on behalf of the Data Controller.
10.2. Upon termination:
- The Data Processor shall return or securely delete personal data at the request of the Data Controller.
- One export is provided free of charge; subsequent exports may be invoiced at a reasonable rate.
- If legal obligations prevent deletion, the data shall be archived securely and no longer processed except for compliance.
11. Liability and Indemnity
11.1. Each Party shall be liable for damages resulting from its own violations of this Agreement or applicable data protection law.
12. Changes to the Agreement
12.1. Any modifications must be in writing and signed by both Parties.
12.2. The Data Processor shall update sub-processors with relevant amendments.
12.3. Legal changes requiring amendments shall be implemented with 30 days’ notice unless otherwise agreed.
13. Confidentiality
13.1. The Data Processor shall maintain strict confidentiality of all personal data and other confidential information accessed during the provision of Services.
13.2. This obligation continues after termination of the Agreement.
14. Governing Law and Jurisdiction
14.1. This Agreement shall be governed by and construed in accordance with the laws of Denmark.
14.2. Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the City Court of Copenhagen (Københavns Byret).