Template version last updated: 8 June 2026
This Data Processing Agreement (the "Agreement") is entered into between
Controller (the customer):
__________________________ (name)
__________________________ (company reg. no.)
__________________________ (address)
__________________________ (contact / email)
(hereinafter the "Controller")
and
Processor:
Oscar Hangaard
Vilkestrupvej 1
4623 Lille Skensved
Denmark
Contact: kontakt@zolva.io
(hereinafter the "Processor" or "Zolva")
Together, the "Parties".
Effective date: ______________ (to be completed on signature)
The Controller has entered into an agreement with the Processor regarding the provision of Zolva — a personal AI assistant for email, calendar, and reminders ("the Main Agreement"). In connection with the provision of the service, the Processor processes personal data on behalf of the Controller.
The purpose of the Agreement is to establish the obligations of the Processor under Article 28 of Regulation (EU) 2016/679 of 27 April 2016 ("GDPR") and under Danish data protection law.
The Agreement takes precedence over conflicting provisions in the Main Agreement or any other agreements between the Parties, insofar as the processing of personal data is concerned.
The terms "personal data", "processing", "controller", "processor", "data subjects", "personal data breach" etc. have the same meaning as in Article 4 of the GDPR.
The subject, duration, nature, purpose, categories of data subjects and types of personal data are set out in Annex A.
The Controller is responsible vis-à-vis data subjects for the Processor's processing of personal data and determines the purposes and means. The Controller has the right and obligation to set out the instructions according to which the Processor may carry out processing.
The Controller warrants that there is a lawful basis for processing under Article 6 of the GDPR (and Article 9, where relevant), and that data subjects have been informed in accordance with Articles 13–14 of the GDPR.
The Processor shall process personal data only on documented instructions from the Controller — including with regard to transfers to third countries — unless required to do so by EU law or Danish law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Instructions from the Controller are given through (i) use of the Service in accordance with the documentation, (ii) settings chosen by the Controller in the app or through administrative interfaces, and (iii) written requests to kontakt@zolva.io.
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.
The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to data is limited to personnel whose function requires it.
The Processor shall take all measures required pursuant to Article 32 of the GDPR, taking into account the state of the art, the costs of implementation, and the risks to the data subjects. The measures implemented by the Processor are described in Annex C.
The Processor shall continuously inform the Controller of material changes to the measures. The Controller cannot claim lack of knowledge of changes if the Processor has communicated them through the usual channels.
The Processor may use the sub-processors listed in Annex B. The Controller hereby gives the Processor general prior authorization to use them.
When adding or replacing sub-processors, the Processor shall notify the Controller in writing at least 30 days before the change takes effect, stating the sub-processor's name, role, and location. During this period, the Controller may object in writing on reasonable grounds related to data protection.
If the Parties cannot agree on a new sub-processor, the Controller is entitled to terminate the Main Agreement effective as of the date the change takes effect, without further payment obligation beyond services already delivered.
The Processor shall impose on every sub-processor the same data protection obligations as set out in the Agreement, and the Processor remains fully liable to the Controller for the sub-processors' performance.
If the Processor — itself or through a sub-processor — transfers personal data to a third country or an international organization, it shall do so only on a valid transfer basis under Chapter V of the GDPR, including:
The applicable transfer basis per sub-processor is set out in Annex B.
Taking into account the nature of processing, the Processor shall assist the Controller — insofar as possible — by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising the data subjects' rights under Chapter III of the GDPR (access, rectification, erasure, restriction, objection, portability).
The Processor shall also make available the information necessary for the Controller's compliance with obligations under Articles 32–36 of the GDPR — including security, breaches, impact assessments, and prior consultation — and shall assist to a reasonable extent.
Assistance materially exceeding the normal operation of the Service may be billed at the Processor's standard hourly rate.
The Processor shall notify the Controller without undue delay — and no later than 48 hours after becoming aware — of a personal data breach. The notification is sent to the contact address provided by the Controller and contains at least:
The obligation to report the breach to the Danish Data Protection Agency and to notify data subjects lies with the Controller.
Upon termination of the Main Agreement, the Processor shall delete all personal data processed on behalf of the Controller — or return it at the Controller's choice — unless retention is required by EU or Danish law.
Deletion covers backup copies in accordance with the Processor's normal backup deletion routine (typically within 35 days after deletion from production systems).
The Controller may request deletion in writing to kontakt@zolva.io.
Upon written request from the Controller with reasonable notice and no more often than once per year — unless there is a specific suspicion of non-compliance — the Processor shall make the following available:
The Controller may, at its own cost and with 30 days' written notice, appoint an independent, mutually approved auditor to conduct an audit to the extent necessary to document the Processor's compliance with the Agreement. The auditor shall sign a confidentiality undertaking. The audit must not unduly affect the Processor's operations.
Costs of audits shall be borne by the Controller, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear reasonable costs.
The Parties' liability under the Agreement is subject to the limitation of liability set out in the Main Agreement, provided that limitations do not apply to liability that cannot be waived under mandatory law — including fines imposed on a Party by a supervisory authority where the other Party's breach materially contributed to the fine.
Each Party is liable for its own breach of the GDPR and shall be liable to the data subjects in accordance with Article 82 of the GDPR.
The Agreement enters into force on the Effective Date and remains in force for as long as the Processor processes personal data on behalf of the Controller under the Main Agreement. Provisions that by their nature should survive termination — including those on deletion, confidentiality, and limitation of liability — remain in effect.
The Agreement cannot be terminated separately from the Main Agreement. If the Main Agreement is terminated, the Agreement terminates concurrently and the Processor deletes data in accordance with Clause 12.
The Processor may amend the Agreement to the extent necessary to reflect (i) changes in legislation, (ii) guidance from supervisory authorities, or (iii) changes in the technical setup of the Service. Material changes shall be notified in writing with at least 30 days' notice. If the Controller cannot accept changes that materially weaken the Controller's rights, the Controller may terminate the Main Agreement effective as of the date the change takes effect.
Other amendments require written agreement between the Parties.
The Agreement is governed by Danish law. Disputes shall be heard by the Court of Roskilde (Retten i Roskilde) as the court of first instance, unless otherwise required by mandatory law.
For the Controller:
Name: __________________________
Title: __________________________
Date: ______________
Signature: __________________________
For the Processor (Zolva):
Name: Oscar Hangaard
Title: Owner
Date: ______________
Signature: __________________________
Provision of the Zolva Service — a personal AI assistant for email, calendar, and reminders — to the Controller's employees and users.
Processing of special categories of personal data (Art. 9 GDPR) is not the purpose of the Service. If such information inadvertently appears in email or calendar content, it is processed at the same security level as other data, but the Controller is encouraged to minimize this through its own internal practices.
Data is processed for as long as the user's account is active, and deleted upon account deletion or termination of the Main Agreement, cf. Clause 12.
As of the Effective Date, the Processor uses the following sub-processors:
| Name | Role | Location | Transfer basis |
|---|---|---|---|
| Supabase Inc. | Database, authentication, and edge functions. Primary data store. | EU (eu-west-1, Ireland). Company headquartered in the US. | Data resides in the EU. For any administrative access from the US: EU-US Data Privacy Framework / SCCs. |
| Anthropic PBC | AI model (Claude) for generating replies and summaries. | US. | EU-US Data Privacy Framework (where certified) and/or SCCs. Retains prompts for up to 30 days for abuse monitoring; does not use data for training. |
| Expo Application Services | Push notifications via Apple Push Notification service and Firebase Cloud Messaging. | US. | SCCs. Only push token and notification text are processed. |
| Google LLC | OAuth, Gmail API, Google Calendar API. Activated only if the user connects their Google account. | US. Data resides in the user's own Google account. | EU-US Data Privacy Framework / SCCs. Data accessed via the user's own refresh token. |
| Microsoft Corp. | OAuth, Microsoft Graph. Activated only if the user connects their Microsoft account. | US. Data resides in the user's own Microsoft account. | EU-US Data Privacy Framework / SCCs. Data accessed via the user's own refresh token. |
| Apple Inc. | App distribution, Sign in with Apple, Push Notification service, and iCloud Mail/Calendar (IMAP/CalDAV) when the user connects an iCloud account. | US. Mailbox/calendar data resides in the user's own iCloud account. | EU-US Data Privacy Framework / SCCs. Accessed via the user's app-specific password. |
| RevenueCat, Inc. | Subscription and entitlement management. Activated only if the user purchases a subscription. | US. | SCCs. Receives a pseudonymous app-user identifier and subscription events; no email, calendar, or payment-card data. |
The current list of sub-processors is published at zolva.io/privacy-en. Changes are notified in accordance with Clause 8.
The Processor has implemented the following measures pursuant to Article 32 of the GDPR, taking into account the state of the art, the cost of implementation, the nature of processing, and the risks to the data subjects: