Data Processing Agreement

Last updated: March 2026

This DPA takes effect automatically upon acceptance of our Terms of Service. No separate signature is required.

1. Parties

This Data Processing Agreement ("DPA") is entered into between FalseViking Labs ("Processor"), sole trader, Denmark, and the client named in the service order ("Controller").

2. Definitions

Personal Data, Processing, Controller, Processor, Data Subject, and Supervisory Authority have the meanings given in GDPR (Regulation 2016/679).

3. Subject Matter and Duration

FalseViking Labs processes personal data on behalf of the Controller solely to deliver the agreed services. Processing continues for the duration of the service agreement and ceases upon termination.

4. Nature and Purpose of Processing

FalseViking Labs processes personal data for the following purposes:

  • Hosting the Controller's website, application, or service
  • Storing and serving content uploaded by the Controller
  • Performing backups of hosted data
  • Security monitoring and maintenance

Categories of data processed depend on the Controller's service and may include website visitor IP addresses and usage data, end-user account data, and any personal data contained within hosted content.

5. Processor Obligations

FalseViking Labs shall:

  1. Process personal data only on documented instructions from the Controller, unless required by EU or Danish law.
  2. Ensure that authorised personnel are bound by confidentiality obligations.
  3. Implement appropriate technical and organisational security measures in accordance with GDPR Art. 32, including encryption at rest and in transit, access controls, and regular security updates.
  4. Notify the Controller without undue delay, and within 72 hours, upon becoming aware of a personal data breach affecting the Controller's data.
  5. Assist the Controller in responding to data subject rights requests (access, erasure, portability etc.) where technically feasible.
  6. Assist the Controller in fulfilling obligations under GDPR Art. 32–36 (security, breach notification, DPIAs) where relevant.
  7. Upon termination, delete or return all personal data as instructed by the Controller within 7 days, and delete existing copies unless EU or Danish law requires retention.
  8. Make available all information necessary to demonstrate compliance with this DPA, and allow for audits or inspections with reasonable notice.

6. Sub-Processors

FalseViking Labs currently uses the following sub-processors:

Sub-processor Purpose Location
Hetzner Online GmbHServer infrastructureEU (Germany/Finland)
StripePayment processingEU/EEA (SCCs apply)
ResendTransactional emailEU/EEA (SCCs apply)

FalseViking Labs will notify the Controller of any intended changes to sub-processors with at least 14 days notice. The Controller may object in writing within that period.

7. Controller Obligations

The Controller:

  1. Warrants that it has a lawful basis for any personal data it instructs FalseViking Labs to process.
  2. Is responsible for ensuring its own privacy notices cover processing performed by FalseViking Labs as processor.
  3. Shall not instruct FalseViking Labs to process personal data in a manner that violates applicable law.

8. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

9. Governing Law

This DPA is governed by the laws of Denmark and the European Union.