Data Processing Agreement (DPA)

Effective Date: 01.07.2025
Last Updated: 30.10.2025

Data Processing Agreement preamble

This Data Processing Agreement ("DPA") is entered into between Propane ApS, a company incorporated in Denmark ("Propane"), and the customer identified in the applicable Propane Unified Commercial Agreement (UCA) ("Customer").

This DPA reflects the parties' commitment to comply with all applicable data-protection requirements, including Article 28(3) of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other similar laws governing the processing of personal data.

For the purposes of this DPA, Propane acts as the data processor and Customer acts as the data controller. For readability, this DPA uses "Propane" and "Customer" throughout rather than the formal GDPR terms.

The DPA forms part of, and is subject to, the terms of the UCA. Capitalized terms not defined in this DPA have the meanings given in the UCA.


1. Purpose and Scope

This DPA sets out the terms under which Propane processes Customer Personal Data on behalf of Customer when providing the Services described in the UCA. It ensures compliance with Article 28(3) of the EU General Data Protection Regulation (GDPR) and any other applicable data-protection laws.

Processing Purposes

Propane will process Customer Personal Data solely for the following purposes:

  • to provide, operate, and support the Services as defined in the UCA;
  • to maintain and improve the performance, security, and functionality of those Services;
  • to comply with any applicable legal or regulatory obligations; and
  • to analyze aggregated and anonymized usage data for product improvement and development purposes, as described in the UCA.

Instructions and Limitations

Propane acts only on documented instructions from Customer, as set out in this DPA and the UCA, and will not process Customer Personal Data for any other purpose. By using the Services, Customer instructs Propane to process Customer Personal Data in accordance with the terms of this DPA.


Conflict and Precedence

If there is a conflict between this DPA and the UCA regarding the processing of Customer Personal Data, this DPA will prevail.


Term

This DPA applies for the entire duration of Customer's use of the Services and remains in effect until Propane has deleted or returned all Customer Personal Data in accordance with Section 11.


2. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings assigned to them in the Propane Unified Commercial Agreement (UCA).


Applicable Data Protection Laws

means all applicable privacy and data protection laws and regulations that apply to the processing of Customer Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws in other jurisdictions.


Personal Data

means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.


Processing (and "Process")

means any operation performed on Personal Data, whether automated or not, including collection, storage, alteration, retrieval, use, disclosure, or deletion.


Personal Data Breach

means any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.


Subprocessor

means any third party engaged by Propane to process Customer Personal Data on Propane's behalf as part of providing the Services.


Standard Contractual Clauses (SCCs)

means the EU-approved standard contractual clauses for data transfers to third countries, as updated or replaced by the European Commission or relevant authority.


3. Details of Processing


Nature and Purpose of Processing

Propane processes Customer Personal Data solely to provide, maintain, support, and improve the Services described in the Propane Unified Commercial Agreement (UCA). Processing activities may include the collection, storage, analysis, and transmission of Customer Data and related operational metadata.


Categories of Data Subjects

Customer Personal Data may relate to the following categories of data subjects:

  • Employees, contractors, and other authorized users of the Customer
  • End-users or customers of the Customer (where such data is input, collected, or processed through the Services)
  • Other individuals whose data the Customer chooses to process through the Services

Categories of Personal Data

The Customer Personal Data processed by Propane may include:

  • Contact information (e.g., names, email addresses, job titles)
  • Account and authentication details (e.g., usernames, encrypted credentials)
  • Usage data and platform interaction logs
  • Feedback, survey responses, or interview data collected through the Services
  • Technical identifiers and metadata (e.g., IP address, device information, browser type)
  • Other data submitted or integrated by the Customer or its authorized users

Special Categories of Data

Propane does not intentionally collect or process any special categories of data (as defined in GDPR Article 9). If the Customer chooses to upload or process such data, the Customer is solely responsible for ensuring that an appropriate lawful basis and safeguards are in place.

Duration of Processing

Propane processes Customer Personal Data for the duration of the Services under the UCA. Data deletion and return procedures are set out in Section 11 of this DPA.


Location of Processing

Customer Personal Data is primarily processed within the European Union (EU).

Where Propane or its Subprocessors transfer data outside the EU/EEA, such transfers are governed by appropriate safeguards, including Standard Contractual Clauses (SCCs) or applicable adequacy decisions, as described in this DPA.


4. Obligations of the Parties

Both parties agree to comply with all Applicable Data Protection Laws in relation to the processing of Customer Personal Data under this DPA. Propane will process Customer Personal Data only on documented instructions from the Customer, as described in this DPA and the Propane Unified Commercial Agreement (UCA).

Customer Obligations

The Customer, as Controller, is responsible for:

  • ensuring that all Personal Data provided to Propane has been collected and disclosed in accordance with Applicable Data Protection Laws;
  • maintaining a lawful basis for all processing activities carried out by Propane on the Customer's behalf;
  • providing all legally required privacy notices and disclosures to data subjects;
  • configuring and using the Services in compliance with applicable laws and its internal data-protection requirements; and
  • promptly notifying Propane of any changes to the lawful basis, data categories, or purposes of processing that may affect Propane's performance under this DPA.

Propane Obligations

Propane, as Processor, will:

  • process Customer Personal Data only on the Customer's documented instructions and not for any other purpose;
  • ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations;
  • implement and maintain appropriate technical and organizational measures to protect Customer Personal Data as described in Appendix A;
  • maintain records of processing activities as required by GDPR Article 30(2);
  • assist the Customer, to the extent reasonably possible, in meeting its obligations under Articles 32 to 36 GDPR, including data-subject rights, security, breach notification, and impact assessments;
  • notify the Customer without undue delay if Propane reasonably believes that an instruction infringes Applicable Data Protection Laws; and
  • make available to the Customer all information necessary to demonstrate compliance with this DPA upon reasonable request.

Confidentiality

Propane ensures that all employees, contractors, and Subprocessors with access to Customer Personal Data are subject to confidentiality obligations at least as protective as those in the UCA and this DPA.

Records and Cooperation

Propane will maintain appropriate records of its processing activities and cooperate with supervisory authorities or regulators as required by Applicable Data Protection Laws.


5. Security of Processing

Security Measures

Propane implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures are described in Appendix A (Technical and Organizational Measures) and are regularly reviewed and updated to reflect evolving industry standards.

Security Standards and Roadmap

Propane's controls are designed to align with recognized frameworks such as ISO 27001 and the SOC 2 Trust Services Criteria.

While Propane is not yet certified, obtaining such certifications is part of its compliance roadmap.

Propane's primary infrastructure and hosting providers maintain active SOC 2 Type II and ISO 27001 certifications.

Access Controls

Access to Customer Personal Data is restricted to authorized personnel who require such access to fulfill their job responsibilities.

All access is logged, monitored, and subject to multi-factor authentication and least-privilege principles.

Encryption and Data Protection

Customer Personal Data is encrypted in transit and at rest using industry-standard encryption protocols.

Propane employs additional data integrity and redundancy controls to prevent unauthorized access or loss of data.

Incident Response and Business Continuity

Propane maintains an incident response process and a business continuity and disaster recovery plan to promptly detect, respond to, and mitigate the impact of security incidents. Regular testing and training are conducted to ensure operational readiness.

Review and Audits

Propane periodically assesses its security controls through internal audits and third-party testing. Findings are remediated promptly in accordance with internal risk management procedures.


6. Subprocessors

Use of Subprocessors

Propane may engage third-party service providers ("Subprocessors") to assist in providing, maintaining, and improving the Services. Each Subprocessor will only process Customer Personal Data to the extent necessary to perform the services assigned to it and will be bound by written data protection obligations no less protective than those set out in this DPA.


Subprocessor List

Propane maintains an up-to-date list of authorized Subprocessors at https://usepropane.ai/legal/subprocessors. This list identifies the Subprocessor's name, location, and the nature of services provided. Propane will update this list as necessary and provide Customer with the ability to subscribe to change notifications.


Notification of New Subprocessors

Before authorizing a new Subprocessor, Propane will update the Subprocessor List and provide at least thirty (30) days' prior notice to the Customer. If the Customer objects to a new Subprocessor on reasonable data-protection grounds within that period, Propane will work in good faith to address the objection, such as by reviewing alternative solutions or ending the engagement.


Liability for Subprocessors

Propane remains fully responsible for the performance of each Subprocessor's obligations under this DPA. Engaging Subprocessors does not relieve Propane of its data-protection responsibilities toward the Customer.


Authorized Affiliates

Propane may also allow its corporate affiliates to act as Subprocessors, provided they are bound by equivalent contractual and technical safeguards.


7. International Data Transfers

Transfers Outside the EEA and UK

Propane may transfer and process Customer Personal Data in locations outside the European Economic Area (EEA) and the United Kingdom (UK), including through the use of authorized Subprocessors. Such transfers will only occur where appropriate safeguards are in place to ensure an adequate level of data protection.

Transfer Mechanism

Where Customer Personal Data is transferred outside the EEA or UK to a country not recognized by the European Commission or the UK authorities as providing an adequate level of protection, Propane will rely on one or more of the following mechanisms:

  • the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum (IDTA);
  • a legally recognized certification mechanism or code of conduct; or
  • any other safeguard approved by the competent supervisory authority.

Standard Contractual Clauses

When Propane acts as the data importer under the SCCs, the parties agree that:

  • Module 2 (Controller to Processor) applies;
  • Propane will process Customer Personal Data in accordance with the terms of this DPA;
  • the governing law for the SCCs is the law of Denmark; and
  • the competent supervisory authority is the Danish Data Protection Authority.

Onward Transfers

Propane will ensure that any onward transfer of Customer Personal Data by a Subprocessor outside the EEA or UK is made only under equivalent safeguards and contractual commitments consistent with this DPA and applicable data protection laws.

Documentation and Cooperation

Upon request, Propane will provide Customer with documentation or information necessary to demonstrate compliance with applicable transfer safeguards.


8. Data Subject Rights and Assistance

Data Subject Requests

Propane will provide reasonable assistance to the Customer, through appropriate technical and organizational measures, to help the Customer fulfill its obligations to respond to requests from data subjects under Applicable Data Protection Laws.


Such requests may include rights of access, rectification, erasure, restriction, portability, and objection.

Customer Responsibility

The Customer is responsible for verifying the identity of a data subject making a request and for determining whether the request should be fulfilled.

Propane will not respond directly to any data-subject request unless expressly authorized by the Customer or required by law.


Notification of Requests

If Propane receives a data-subject request that relates to Customer Personal Data, it will promptly notify the Customer and forward the request without responding directly (unless legally required). Propane will assist the Customer in responding to such requests to the extent reasonably possible.


Assistance with Compliance Obligations

Propane will provide reasonable support to the Customer in:

  • performing data protection impact assessments (DPIAs);
  • conducting prior consultations with supervisory authorities; and
  • meeting any other obligations under Applicable Data Protection Laws that relate to Propane's processing activities.


9. Personal Data Breach Notification

Notification of Breach

Propane will notify the Customer without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. Such notification will include sufficient information to allow the Customer to meet its obligations under Applicable Data Protection Laws.


Information Provided

To the extent known, Propane's notification will include:

  • the nature of the Personal Data Breach, including categories and approximate number of affected data subjects and data records;
  • the likely consequences of the breach;
  • the measures taken or proposed by Propane to address the breach and mitigate its possible adverse effects; and
  • contact details for further information.

Ongoing Cooperation

Propane will promptly investigate the breach and take reasonable steps to mitigate its effects. Propane will provide the Customer with updates as additional relevant information becomes available and cooperate with the Customer's reasonable requests to assist in meeting any legal or regulatory obligations.


Customer's Responsibility

The Customer is responsible for determining whether the Personal Data Breach must be reported to any supervisory authority or data subjects and for making any such notifications, unless Propane is directly obligated by law to do so.

Exclusions

Minor security incidents that do not result in unauthorized access to or loss of Customer Personal Data are not considered reportable breaches under this section.


10. Audits and Certifications

Audit Rights

The Customer may, once per twelve-month period and with reasonable advance notice, request information necessary to verify Propane's compliance with this DPA.

Propane will make available documentation such as security summaries, third-party audit reports, or compliance questionnaires sufficient to demonstrate its adherence to Applicable Data Protection Laws and the technical and organizational measures described in Appendix A.

Independent Audits and Reports

Propane maintains regular internal and external assessments of its security controls.

Upon written request, Propane will provide the Customer with relevant extracts from independent audit reports or certifications (for example, SOC 2 Type II or ISO 27001, once obtained). These reports may be subject to reasonable confidentiality restrictions.

On-Site Audits

If the documentation provided by Propane does not reasonably satisfy the Customer's audit requirements, the Customer may conduct an on-site audit of Propane's relevant facilities and systems, subject to the following conditions:

  • at least fifteen (15) days' prior written notice;
  • the audit is limited to areas relevant to the processing of Customer Personal Data;
  • it is conducted during normal business hours and without disrupting operations; and
  • both parties bear their own costs, unless a material breach of this DPA is identified.

Certification Roadmap

Propane's information-security controls are designed to align with the SOC 2 Trust Services Criteria and ISO 27001 standards. Formal certification is part of Propane's compliance roadmap. Propane's primary hosting and infrastructure providers already maintain such certifications.

Regulatory Cooperation

Where required by a supervisory authority, Propane will cooperate with and provide relevant audit information directly to that authority in connection with the Services provided to the Customer.


11. Data Return and Deletion

Return or Deletion Upon Termination

Upon expiration or termination of the Services under the Propane Unified Commercial Agreement (UCA), Propane will, at the Customer's choice, either delete or return all Customer Personal Data within sixty (60) days, unless retention is required by Applicable Data Protection Laws.

Customer Access During Transition

Before deletion, Propane will provide the Customer with a reasonable opportunity to export or retrieve Customer Personal Data in a standard format, consistent with available product functionality.

Deletion from Backups

Customer Personal Data stored in backup systems will be securely deleted within the standard retention cycle of those systems, which shall not exceed ninety (90) days after termination.


Retention Required by Law

If Propane is legally required to retain any Customer Personal Data after termination, it will ensure that such data remains protected by this DPA and is used only as necessary for the required retention purpose.

Certification of Deletion

Upon written request, Propane will confirm in writing that deletion of Customer Personal Data has been completed in accordance with this section.


12. Liability and Relationship

Liability

All liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is governed exclusively by the Limitation of Liability section of the Propane Unified Commercial Agreement (UCA).

Nothing in this DPA creates any additional liability obligations or increases either party's liability beyond what is stated in the UCA.

Allocation of Responsibilities

The Customer is responsible for:

  • determining the lawful basis for processing Customer Personal Data;
  • ensuring the accuracy and legality of Customer Personal Data provided to Propane; and
  • complying with its obligations as Controller under Applicable Data Protection Laws.

Propane is responsible for:

  • implementing appropriate security and processing controls consistent with this DPA; and
  • processing Customer Personal Data only on documented instructions from the Customer.

Independent Parties

The parties remain independent contractors. This DPA does not create any partnership, joint venture, or agency relationship. Neither party has authority to bind the other beyond what is expressly stated in the UCA or this DPA.

13. Contact Information

For all matters specifically related to data protection, including Personal Data Breaches, data subject requests, security incidents, or communications with supervisory authorities, contact:


Propane ApS

Vesterbrogade 26 1 th,
1620 København V
Denmark
Attn: Data Protection Officer
Email: legal@usepropane.ai


For general commercial notices under the UCA (such as termination, billing, or contract amendments), refer to the Notices section of the UCA. All communications under this DPA must be in writing (including by email) and are deemed received upon confirmation of delivery. Propane may update this contact information by written notice to Customer or by publishing an updated version of this DPA at https://usepropane.ai/legal/dpa.

14. Governing Law and Jurisdiction

This DPA is governed by the same law and jurisdiction provisions set out in the Propane Unified Commercial Agreement (UCA). For clarity, this means the laws of Denmark apply and the courts of Copenhagen, Denmark have exclusive jurisdiction, except where Applicable Data Protection Laws require otherwise.


Appendices


Appendix A – Technical and Organizational Measures (TOMs)

Propane maintains appropriate technical and organizational measures ("TOMs") to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These controls are designed to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing.

Information Security Management

Propane operates an internal information security program aligned with ISO 27001 and SOC 2 Trust Services Criteria. Formal certification is part of Propane's compliance roadmap. This program includes periodic risk assessments, policy reviews, and ongoing improvement of security controls.

Access Control and Authentication

  • Access to production systems and Customer Personal Data is restricted to authorized personnel.
  • Role-based access control (RBAC) and least-privilege principles are applied.
  • Multi-factor authentication (MFA) is required for all administrative access.
  • Access logs are maintained and periodically reviewed.

Data Protection and Encryption

  • Customer Personal Data is encrypted in transit and at rest using industry-standard protocols (e.g., TLS 1.2+, AES-256).
  • Encryption keys are securely managed and rotated according to policy.
  • Data segregation is enforced logically between customer environments.

Infrastructure and Network Security

  • Propane's primary hosting providers maintain SOC 2 Type II and ISO 27001 certifications.
  • Propane meets intrusion detection requirements through a defense-in-depth, cloud-native strategy. This includes WAF and DDoS protection, active monitoring and alerting on VPC Flow Logs and system logs, and continuous monitoring of Firewall rules and configuration.
  • Regular vulnerability scanning and patch management are performed across all production systems.
  • Network segmentation and security groups enforce least-privilege access between components.

Operational Security and Monitoring

  • Continuous monitoring of production environments and system logs.
  • Automated alerts for suspicious or anomalous behavior.
  • Regular penetration tests by independent security firms.

Incident Response and Business Continuity

  • A documented Incident Response Plan defines roles, escalation paths, and reporting obligations.
  • Backups are encrypted and tested periodically for recovery validation.
  • A Business Continuity and Disaster Recovery Plan (BC/DR) ensures service restoration in case of disruption.

Personnel Security and Training

  • All employees and contractors undergo background checks as permitted by law.
  • Confidentiality obligations are included in employment and contractor agreements.
  • Regular security awareness and data-protection training is mandatory.

Vendor Management

  • All vendors with potential access to Customer Personal Data are subject to security and privacy due diligence.
  • Contracts with such vendors include equivalent data-protection obligations.


Appendix B – Subprocessors

Propane engages certain third-party providers to support the delivery of its Services.

Each Subprocessor only processes Customer Personal Data as necessary to perform its contracted function and under obligations no less protective than those in this DPA.


Subprocessor List and Updates

Propane maintains an up-to-date list of authorized Subprocessors at:

https://usepropane.ai/legal/subprocessors


The list identifies each Subprocessor's name, location, and function. Propane will update this list as necessary and provide Customers with the ability to receive email notifications of material changes. Customer may object to a new Subprocessor within thirty (30) days of notice on reasonable data-protection grounds.