Data Processing Agreement

How Alliance42 handles personal data on your behalf

Last updated: 8 April 2026

This is our standard data processing agreement. For your final signed version, book a call with us so we can adapt the agreement to your specific contract with Alliance42.

Get your DPA

Enter your CVR and signatory details. We will send the pre-filled Data Processing Agreement to your email so you can forward it internally.

SECTION 1

Key Terms

Controller is you, our customer. You decide what personal data flows through Alliance42's services and why.
Processor is us, Alliance42 ApS. We process personal data only on your instructions, for the purposes you've engaged us for.
Subprocessor is a vendor we use to deliver part of the service. We list every subprocessor in Section 5, and all of them are based in the EU or EEA, or operate under an EU adequacy decision.
Personal data is any information relating to an identified or identifiable person, as defined by GDPR Article 4.

SECTION 2

What We Process

When you engage Alliance42 for managed cybersecurity, NIS2 compliance, or network services, we process the following on your behalf:

Categories of data subjects: your employees, contractors, and any end users covered by the service.

Categories of personal data: names, work email addresses, work phone numbers, job titles, device identifiers, IP addresses, security event logs, authentication metadata, and any data your users generate through the services we operate for you.

Purposes: delivering managed detection and response, vulnerability management, NIS2 compliance evidence, identity and access management, security awareness training, network operations, and any other services covered by your contract with us.

We process data only on your documented instructions. The agreed scope of services in your contract serves as those instructions.

SECTION 3

How Long We Keep Data

Operational data (security logs, event data, network telemetry) is retained for the duration of your contract plus 12 months for incident investigation, then deleted.

Account data (your contact details, contract records, invoices) is retained for the duration of your contract plus 5 years for tax and bookkeeping compliance under Danish law (Bogføringsloven).

Personal data of your end users is deleted from production systems within 30 days of contract termination, and fully removed from all backup rotations within 90 days, or returned to you in machine-readable format on request.

You can request deletion of any data category at any time, and we will comply within 30 days unless we have a legal obligation to retain.

SECTION 4

Where Your Data Lives

All personal data processed under this DPA is stored and processed exclusively within the European Union and European Economic Area. We do not transfer personal data outside the EEA. Specifically:

  • All hosting infrastructure runs on Hetzner data centers in Germany.
  • All operational tooling runs on European-owned services (see Section 5).
  • We do not use AWS, Google Cloud, Microsoft Azure, or any US-incorporated cloud provider for data processing.
  • Alliance42 ApS is a Danish company, registered in Denmark (CVR 46047109), and is not subject to the US CLOUD Act, FISA, or any other extraterritorial legal regime that could compel disclosure of your data.

If we ever needed to engage a non-EU subprocessor, we would update this DPA, notify you in writing at least 30 days in advance, and give you the right to object before any data flows.

Note: Alliance42's website uses Plausible Analytics for cookieless traffic measurement. Plausible is not a subprocessor under this DPA because it processes no personal data. No cookies, no IP retention, no user identification. We mention it here for transparency only.

SECTION 5

Subprocessors

We currently engage the following subprocessors. All are EU-based, EU-headquartered, or operating under an EU adequacy decision.

Crisp

Location: France

Service: Live chat widget on alliance42.eu for visitor and customer support.

EU Status: EU/EEA

Hetzner

Location: Germany

Service: Physical hosting infrastructure for all Alliance42 systems. Data centers in Germany.

EU Status: EU/EEA

n8n (self-hosted)

Location: Germany (self-hosted on Hetzner)

Service: Workflow automation platform, self-hosted on Hetzner infrastructure in Germany.

EU Status: EU/EEA

Proton Mail

Location: Switzerland

Service: Encrypted email for transactional notifications.

EU Status: Adequacy Decision

Supabase (self-hosted)

Location: Germany (self-hosted on Hetzner)

Service: Database and authentication platform, self-hosted on Hetzner infrastructure in Germany.

EU Status: EU/EEA

WithSecure

Location: Finland

Service: Endpoint protection engine for A42-C and A42-CC managed cybersecurity services.

EU Status: EU/EEA

We may add or replace subprocessors. When we do, we update this page and notify customers with at least 30 days' advance notice. You have the right to object to any new subprocessor.

SECTION 6

How We Keep Your Data Safe

We implement technical and organizational measures appropriate to the risk:

Encryption: All data in transit is encrypted via TLS 1.3 or higher. Data at rest is encrypted at the storage layer.

Access controls: Only authorized Alliance42 personnel can access customer data. We enforce multi-factor authentication, the principle of least privilege, and audit logs for all access to production systems.

Confidentiality: All Alliance42 personnel are bound by confidentiality obligations that survive the end of their engagement.

Alliance42 applies the NIS2 Article 21 framework internally, with the same rigor we help customers implement. Documentation is maintained proportional to our size.

Backups and recovery: Daily encrypted backups, retained for 30 days, with documented recovery procedures.

Incident response: Documented incident response plan, tested twice yearly via tabletop exercises.

SECTION 7

Your Rights as Controller

Instruct us. You can give documented instructions about how we process personal data, beyond what's already in your service contract.
Audit us. You can request information about our processing activities, our security measures, and our subprocessor arrangements. For larger engagements, you can request an on-site audit with reasonable notice.
Data subject assistance. When one of your users exercises their GDPR rights (access, rectification, erasure, portability, objection, restriction), you can request our assistance. We will respond within 7 business days.
Subprocessor objection. If we propose to add or replace a subprocessor, you have 30 days to object. If we cannot resolve the objection, you can terminate the affected services without penalty.

SECTION 8

Our Obligations as Processor (GDPR Article 28(3))

a. Process only on your instructions. We will not process personal data for any purpose other than delivering the agreed services.
b. Confidentiality. All personnel with access to your data are bound by written confidentiality obligations.
c. Security. We implement and maintain the technical and organizational measures listed in Section 6.
d. Subprocessor management. We engage subprocessors only with your prior general authorization (this DPA serves as that authorization), and we impose the same data protection obligations on them as we have to you.
e. Data subject rights. We assist you in responding to data subject requests, taking into account the nature of the processing.
f. Security and breach support. We assist you in meeting your obligations under GDPR Articles 32 to 36, including breach notification, data protection impact assessments, and prior consultations with supervisory authorities.
g. Deletion or return. At the end of the service contract, we delete or return all personal data, at your choice, unless EU or Danish law requires continued storage.
h. Audit cooperation. We make available all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits.

SECTION 9

Breach Notification

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 24 hours of becoming aware. Our notification will include:

  • The nature of the breach
  • The categories and approximate number of data subjects affected
  • The categories and approximate number of personal data records affected
  • The likely consequences of the breach
  • The measures we are taking or proposing to address it

You remain responsible for any notifications to supervisory authorities and affected data subjects under GDPR Articles 33 and 34. We provide all information needed to support those notifications.

SECTION 10

Data Portability and Deletion

Export: You can request a complete export of all personal data we process on your behalf, in a structured, commonly used, machine-readable format (JSON or CSV by default). We deliver the export within 14 days.

Deletion: You can request deletion of all or part of the personal data. We delete from production systems within 30 days, unless legally required to retain. Backups containing the data are fully removed in the normal backup rotation cycle within 90 days, after which no copies remain.

At the end of the contract, we will, at your choice, either return all personal data to you or delete it. By default, if you make no choice within 30 days of contract termination, we delete.

SECTION 11

Governing Law and Disputes

This DPA is governed by the laws of Denmark. Any disputes arising under this DPA will be resolved exclusively by the courts of Denmark.

SECTION 12

Contact

Questions about this DPA, or want to exercise any of your rights as controller? Contact us:

Alliance42 ApS
CVR 46047109
tobias@alliance42.eu
+45 42 80 25 42

This is our standard DPA, written in plain English for readability. The full pre-filled version is available via the generator above. For your final signed version, book a call with us so we can tailor the agreement to your specific contract with Alliance42.