Data Processing Agreement (DPA)

LEGAL

home.contact_us_section.cta_button

Data Processing Agreement (DPA)

Last updated: May 20, 2025

This Data Processing Agreement (“Agreement”) governs the processing of personal data between:

  • EcoRay™ (Data Controller)
    • This service is provided by Northware ApS (CVR: 41365897) on behalf of EcoRay.
    • Copenhagen, Denmark
    • Email: info@ecoray.dk
  • and any external service provider or partner that processes data on EcoRay’s behalf (Data Processor).

1. Purpose

This Agreement ensures that all personal data processing activities performed by the Processor on behalf of the Controller comply with the EU General Data Protection Regulation (GDPR).

2. Scope of Processing

The Processor may process personal data solely for the following purposes:

  • Generating solar quotes
  • Handling user inquiries
  • CRM operations and communication
  • Technical infrastructure and analytics The Processor must not use the data for its own purposes or beyond the scope of this agreement.

3. Nature and Type of Data

Data processed may include:

  • Name, email, phone number
  • Energy usage and property data
  • IP address and browser metadata Categories of data subjects include: website visitors, leads, and customers.

4. Obligations of the Processor

The Processor shall:

  • Process data only per documented instructions from the Controller
  • Ensure confidentiality and train personnel appropriately
  • Implement appropriate technical and organisational measures (TOMs)
  • Assist with data subject rights and GDPR compliance
  • Notify the Controller promptly in case of a data breach
  • Allow audits or inspections by the Controller

5. Sub-Processors

The Processor may engage sub-processors only with written approval from the Controller and must ensure they provide equivalent data protection. A list of approved sub-processors shall be maintained and updated upon request.

6. International Transfers

Personal data may not be transferred outside the EEA without prior written consent from the Controller and only with adequate safeguards (e.g., Standard Contractual Clauses).

7. Duration and Termination

This Agreement is effective for the duration of the processing relationship. Upon termination, all personal data must be returned or securely deleted, with the Processor confirming deletion in writing.

8. Liability

Each party is liable for its own compliance. The Processor is liable for damages caused by its failure to meet obligations under this Agreement or GDPR.

9. Governing Law

This Agreement is governed by the laws of Denmark and subject to the jurisdiction of the Danish courts.

Contact

For questions, contact: info@ecoray.dk