Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between:
PortTask ApS ("Data Processor" / "We")
c/o Legal Department, Rotterdam, Netherlands
Company Registration No: CVR 43 21 00 00
and
[CUSTOMER COMPANY NAME] ("Data Controller" / "You")
[CUSTOMER ADDRESS]
Company Registration No: [CUSTOMER COMPANY NUMBER]
(together "the Parties")
Effective Date: 12 March 2026
1. DEFINITIONS
1.1 "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
1.2 "Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).
1.3 "GDPR" means the General Data Protection Regulation (EU) 2016/679.
1.4 "Services" means the PortTask maritime operations platform and all associated services.
2. SCOPE AND PURPOSE
2.1 The Data Processor processes Personal Data on behalf of the Data Controller solely for the purpose of providing the Services described in the Master Service Agreement.
2.2 Categories of data subjects: Vessel operators, shipping agents, port agents, vendor personnel, and other maritime professionals using the Services.
2.3 Categories of personal data: Names, email addresses, professional titles, organizational affiliations, operational data related to maritime activities.
2.4 The Data Processor shall not process Personal Data for any purpose other than as instructed by the Data Controller.
3. OBLIGATIONS OF THE DATA PROCESSOR
3.1 The Data Processor shall:
- (a) Process Personal Data only on documented instructions from the Data Controller;
- (b) Ensure that persons authorized to process Personal Data are bound by confidentiality;
- (c) Implement appropriate technical and organizational security measures per Article 32 GDPR;
- (d) Assist the Data Controller in responding to data subject rights requests;
- (e) Delete or return all Personal Data upon termination of Services;
- (f) Make available all information necessary to demonstrate compliance.
3.2 Technical and organizational measures include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control and least-privilege principles
- Regular security assessments and penetration testing
- Audit logging of all data access
- Incident response procedures with 72-hour breach notification
4. SUB-PROCESSORS
4.1 The Data Controller authorizes use of the following sub-processors:
- Supabase Inc. — Database hosting (USA, EU data residency available)
- Vercel Inc. — Application hosting (global edge network)
- Resend Inc. — Transactional email delivery
- Sentry Inc. — Error monitoring (anonymized data only)
4.2 The Data Processor shall notify the Data Controller of any intended changes to sub-processors with 30 days' notice.
5. INTERNATIONAL TRANSFERS
5.1 Any transfer of Personal Data outside the EEA shall be subject to appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission.
6. DATA BREACH NOTIFICATION
6.1 The Data Processor shall notify the Data Controller of any Personal Data breach without undue delay and within 72 hours of becoming aware of the breach.
7. TERM AND TERMINATION
7.1 This DPA remains in force for the duration of the Master Service Agreement.
7.2 Upon termination, the Data Processor shall delete all Personal Data within 30 days unless required by law to retain it.
8. GOVERNING LAW
8.1 This DPA is governed by the laws of Denmark.
SIGNATURES
Data Controller
Signature
Name: [SIGNING REP NAME]
Title: [SIGNING REP TITLE]
Date: 12 March 2026
Company: [CUSTOMER COMPANY NAME]
Data Processor
Signature
Name: [PORTTASK REPRESENTATIVE]
Title: Chief Executive Officer
Date: 12 March 2026
Company: PortTask ApS