Data Processing Agreement (DPA)

Concentio takes data protection seriously. When Concentio provides its consent management platform to customers, it may process personal data on the customer's behalf in connection with the Services. This page explains Concentio's general approach to Data Processing Agreements (DPAs) and when a DPA may be relevant.

1. When a DPA may be needed

If you use Concentio to manage consent on your website or digital properties, Concentio may process certain personal data on your behalf as part of providing the service.

Depending on your implementation and configuration, this may include information such as:

• consent records;
• timestamps;
• pseudonymous visitor identifiers;
• IP addresses;
• user agent or device-related technical data; and
• related configuration or audit information.

In many cases under laws such as the GDPR, the customer will act as the controller and Concentio will act as the processor with respect to this data. A Data Processing Agreement helps document that relationship and sets out the parties' responsibilities for handling personal data.

2. Role of the parties

In general:

• the customer determines whether and how to deploy Concentio on its website or properties;
• the customer determines the purposes of its consent-management implementation and related notices;
• Concentio provides the platform and processes relevant personal data on the customer's behalf in order to deliver the service.

Concentio may also act as a controller for separate categories of data related to its own business operations, such as account administration, billing, support communications, and operation of its own website. Those activities are described separately in Concentio's Privacy Policy.

3. What our DPA is intended to cover

Where applicable, Concentio's DPA is intended to address the processor-controller relationship for customer data processed through the Services.

Depending on the final contracting framework, the DPA may address topics such as:

• the subject matter and duration of processing;
• the nature and purpose of processing;
• the types of personal data involved;
• the categories of data subjects;
• the documented instructions of the customer;
• confidentiality obligations;
• technical and organizational security measures;
• use of subprocessors;
• assistance with data subject requests;
• assistance with security incidents and breach notifications;
• return or deletion of personal data at the end of the relationship; and
• audit or information rights, subject to reasonable conditions.

4. GDPR Article 28 alignment

Concentio intends for its DPA to reflect the requirements generally associated with processor terms under Article 28 of the GDPR, where applicable.

However, the final terms available to a given customer may depend on the applicable service arrangement, the customer's jurisdiction, and whether the customer is contracting under self-serve terms or a negotiated enterprise agreement.

5. How to request a DPA

A DPA may be made available to eligible customers as part of the sales, procurement, or contracting process.

If you are an existing customer or are evaluating Concentio for your organization, you can request information about DPA availability by contacting:

• Legal / privacy: [email protected]
• Sales (enterprise inquiries): [email protected]

For some customers, the DPA may be incorporated into the contracting process, provided alongside an order form, or handled as part of enterprise review.

6. International transfers

Where personal data is transferred across borders, Concentio intends to implement appropriate safeguards where required by applicable law.

Depending on the circumstances, this may include contractual protections such as Standard Contractual Clauses or other lawful transfer mechanisms.

Details of any applicable international transfer arrangements should be confirmed in the final contractual documentation and supporting privacy documentation.

7. Subprocessors

Concentio may use subprocessors or service providers to help deliver the Services, such as infrastructure, hosting, support, or payment vendors.

Where Concentio engages subprocessors for customer data, those relationships are expected to be governed by appropriate contractual and data protection obligations.

Information about subprocessors may be made available through Concentio's subprocessor page, contracting materials, or upon request, depending on the stage of the product and contracting process.

8. Security and assistance

Concentio aims to implement reasonable technical and organizational measures appropriate to the nature of the service and the data involved.

Where applicable, the DPA may also describe how Concentio assists customers with:

• responding to data subject requests;
• handling personal data incidents;
• managing subprocessor transparency; and
• returning or deleting customer data at the end of the service relationship.

The exact scope of these commitments should be confirmed in the final DPA and customer agreement.

9. This page is an overview only

This page is intended as a general explanation of Concentio's approach to DPAs. It is not itself the full legal agreement governing processing activities.

The binding terms, if applicable, will be set out in the final DPA and related customer agreements.

10. Contact

If you would like to request a DPA or ask questions about data processing arrangements, please contact:

• Legal / privacy: [email protected]
• Sales: [email protected]
• Postal address: TODO_REGISTERED_ADDRESS, Odense, Denmark