Legal
Data Processing Agreement
Last updated: 3 July 2026
This Data Processing Agreement ("DPA") governs the processing of personal data that Statera Software ApS ("Statera", "we", "us", or "our"), CVR 45930920, carries out on behalf of a customer ("Customer", "you", or "your") when you use the Statera reporting platform (the "Platform"). It forms part of, and is subject to, the End User License Agreement or any separate written agreement between you and Statera (the "Agreement"). This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
For personal data we process as a controller in our own right — for example, data submitted through our public website or contact forms — please see our Privacy Policy instead. This DPA covers only personal data we process as a processor on your behalf within the Platform.
1. Roles of the parties
In respect of personal data contained in your Customer Data, you act as the data controller (or, where you process on behalf of your own customers, as a processor) and Statera acts as the data processor (or sub-processor). Each party is responsible for complying with the obligations that apply to it under the GDPR and applicable data protection law.
2. Subject matter and scope of processing
Statera processes personal data only to provide, secure, support, and maintain the Platform in accordance with the Agreement and your instructions. The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in the Annex below.
3. Processing on documented instructions
Statera processes personal data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law. Your instructions are set out in this DPA and the Agreement, including your configuration and use of the Platform. We will inform you if we believe an instruction infringes the GDPR or other data protection law, and we are not obliged to act on an unlawful instruction.
4. Confidentiality
Statera ensures that all personnel authorised to process personal data are bound by an appropriate obligation of confidentiality and are made aware of the confidential nature of the data. Access to personal data is limited to personnel who need it to perform their duties under the Agreement.
5. Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Statera implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. These measures include, as appropriate:
- Encryption of personal data in transit and, where appropriate, at rest;
- Access controls, authentication, and the principle of least privilege;
- Logical separation of customer environments and data;
- Regular backups and the ability to restore availability after an incident;
- Logging, monitoring, and vulnerability management;
- Processes for regularly testing and evaluating the effectiveness of these measures.
6. Sub-processors
You provide a general authorisation for Statera to engage sub-processors to assist in providing the Platform. Where Statera engages a sub-processor, it imposes data protection obligations on that sub-processor that are no less protective than those in this DPA, and remains liable to you for the performance of the sub-processor's obligations.
A current list of sub-processors is available on request at info@statera.app. We will give you reasonable prior notice of any intended addition or replacement of a sub-processor, and you may object on reasonable, data-protection-related grounds. If we cannot resolve your objection, you may terminate the affected part of the Platform in accordance with the Agreement.
7. Artificial intelligence
Where Statera uses artificial intelligence or machine learning services (including large language model providers such as OpenAI, Azure OpenAI, or Anthropic) to provide features of the Platform, the following applies:
- Any AI service provider is engaged as a sub-processor under section 6 and is subject to the same data-protection obligations.
- We transmit only the Customer Data necessary for the requested feature, and only for the purpose of returning a result to you within the Platform.
- We will not permit Customer Data to be used to train or improve generic AI models without your prior, explicit written consent. Where the AI sub-processor offers the option, we contractually require training on Customer Data to be disabled.
- On request, we will identify the AI sub-processors then in use, the categories of Customer Data processed through them, and the region in which the processing takes place.
You remain responsible for your own use of AI-generated output, including any obligations arising under the EU AI Act or other applicable law.
8. Assistance to the Customer
Taking into account the nature of the processing, Statera will:
- Assist you, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (such as access, rectification, erasure, restriction, and portability), insofar as possible;
- Assist you in ensuring compliance with your obligations under GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the information available to us.
9. Personal data breaches
Statera notifies you without undue delay after becoming aware of a personal data breach affecting your Customer Data, and provides information reasonably available to us to help you meet your own notification obligations under GDPR Articles 33 and 34.
10. International transfers
Statera primarily processes and stores personal data within the EU/EEA. Where a transfer of personal data outside the EU/EEA is necessary, we ensure an adequate level of protection through an appropriate transfer mechanism under Chapter V of the GDPR, such as an adequacy decision or the European Commission's Standard Contractual Clauses, together with any supplementary measures required.
11. Deletion or return of data
On termination or expiry of the Agreement, Statera will, at your choice, delete or return all personal data processed on your behalf and delete existing copies, unless EU or Member State law requires continued storage. We may retain personal data for a limited wind-down period to allow for export, and in backups until they are overwritten in the ordinary course.
12. Audits and information
Statera makes available to you the information necessary to demonstrate compliance with the obligations in GDPR Article 28, and allows for and contributes to audits, including inspections, conducted by you or another auditor mandated by you. Audits must be conducted on reasonable prior notice, during business hours, no more than once per year (unless required by a supervisory authority or following a personal data breach), and in a manner that does not disrupt our operations or compromise the confidentiality of other customers. We may satisfy audit requests by providing relevant certifications or third-party audit reports where available.
13. Liability and governing law
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the laws of Denmark, and any dispute is subject to the exclusive jurisdiction of the Danish courts, with the District Court of Aarhus (Retten i Aarhus) as the court of first instance, unless mandatory law provides otherwise. In the event of a conflict between this DPA and the Agreement on matters of data protection, this DPA prevails.
14. Contact
Questions about this DPA or our processing of personal data can be sent to info@statera.app or by post to the address listed below.
- Statera Software ApS
- CVR (company reg. no.): 45930920
- Ny Banegårdsgade 55, 3., 8000 Aarhus C, Denmark
Annex — Details of processing
Subject matter: Provision of the Statera reporting platform for preparing, managing, and filing disclosures and annual reports.
Duration: For the term of the Agreement, plus any deletion or return period described in section 11.
Nature and purpose: Hosting, storage, organisation, structuring, retrieval, and transmission of Customer Data for the purpose of providing, securing, and supporting the Platform.
Categories of data subjects: The Customer's Authorised Users (such as employees and contractors) and any individuals whose personal data the Customer includes in its Customer Data (for example, individuals named in reports, disclosures, or supporting documentation).
Types of personal data: Account and contact details of Authorised Users (such as name, work email, and role); usage and audit-log data; and any personal data that the Customer chooses to upload to or generate within the Platform as part of its reporting. The Customer should not include special categories of personal data unless strictly necessary for its reporting obligations.