Data Processing Agreement
Standard contractual clauses pursuant to Article 28(3) of Regulation 2016/679 (the General Data Protection Regulation) concerning the data processor's processing of personal data.
Version 1.0, in force from 08-07-2026 · Last updated: 7 July 2026 · contact@justparity.com
1. The parties
Data processor
Just Parity ApS
CVR no. 46363906, Vesterbrogade 208, 1800 Frederiksberg C, Denmark
Contact: contact@justparity.com
Data controller
The customer
As defined in the service agreement with JustParity
Each a "party" and together the "parties". These standard contractual clauses (the "Clauses") form an integral part of the service agreement between the parties.
2. Preamble
These Clauses set out the data processor's rights and obligations when processing personal data on behalf of the data controller.
The Clauses have been designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation).
In connection with the provision of the JustParity compliance platform, the data processor processes personal data on behalf of the data controller in accordance with these Clauses.
The Clauses take priority over any similar provisions contained in other agreements between the parties.
Four appendices are attached to these Clauses, and the appendices form an integral part of the Clauses:
- Appendix A: Information about the processing (purpose, data categories, data subjects, duration)
- Appendix B: Sub-processors (approved sub-processors and conditions)
- Appendix C: Instruction regarding the processing (security measures, location, transfers, audits)
- Appendix D: The parties' regulation of other matters
Regarding special categories of personal data
JustParity processes pay data broken down by gender for pay gap analysis (with the Pay Transparency Directive 2023/970 as background). The processing may involve data that, in combination, can reveal special categories under GDPR Article 9, including data on trade union membership (via payroll reporting). The data controller is responsible for ensuring that a legal basis for the special categories exists, typically Article 9(2)(b), cf. Sections 7(2) and 12 of the Danish Data Protection Act, read together with the Danish Equal Pay Act.
3. Rights and obligations of the data controller
The data controller is responsible for ensuring that the processing of personal data takes place in accordance with the General Data Protection Regulation, data protection provisions in other EU law or Danish law, and these Clauses.
The data controller has the right and the obligation to make decisions about the purposes for which and the means by which personal data may be processed.
The data controller is responsible for ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.
4. The data processor acts on instructions
4.1 The data processor may process personal data only on documented instructions from the data controller, unless required to do so by EU law or Danish law to which the data processor is subject. The instructions are specified in Appendices A and C. Subsequent instructions may be given while the processing is ongoing, but such instructions must always be documented and kept in writing.
4.2The data processor shall immediately inform the data controller if, in the data processor's opinion, an instruction infringes the General Data Protection Regulation or data protection provisions in other EU law or Danish law. The data processor is not obliged to comply with an instruction that would result in a breach of applicable law.
4.3The data controller's activation of a payroll system integration via the JustParity platform constitutes a documented instruction to the data processor to receive and process the personal data transferred by the payroll system in question. The data controller is responsible for ensuring that the transfer has a legal basis.
5. Confidentiality
The data processor may grant access to personal data processed on behalf of the data controller only to persons who are subject to the data processor's instruction authority, who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only to the extent necessary.
The list of persons with access is reviewed on an ongoing basis. Access is closed when it is no longer necessary. The obligation of confidentiality also applies after the termination of the Clauses.
6. Security of processing (Article 32)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the data processor implements appropriate technical and organisational measures to ensure a level of protection appropriate to those risks.
As the processing involves pay data, gender data and potentially data on trade union membership (Article 9), a high level of security must be established.
As a minimum, the data processor implements the following measures, cf. Appendix C:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest, encrypted database connections and backups
- Access control: Role-based access control (RBAC) following the least-privilege principle, multi-factor authentication (MFA) for privileged access, unique user accounts, automatic session timeout
- Data isolation: Multi-tenant Row Level Security (RLS). Customer data is logically separated via Row-Level Security, so that one customer's data is protected against access by other customers
- Logging and monitoring: All access to personal data is logged, system administrator activities are logged separately, automatic alerting on unauthorised access attempts
- Vulnerability management: Ongoing vulnerability scanning, critical security patches implemented as quickly as possible and within risk-based deadlines in the incident response procedure, as well as regular penetration testing in accordance with the security programme
- Backup and recovery: Daily automatic backup, point-in-time recovery, disaster recovery plan with documented RTO and RPO
- Incident response: Documented procedure for handling security incidents, classification by severity, escalation and notification pursuant to section 10
- Personnel: All employees with access to personal data have signed a confidentiality declaration and receive periodic security training
The data processor undertakes not to materially reduce the overall level of security without prior written notice to the data controller.
7. Use of sub-processors
7.1The data processor has the data controller's general authorisation to use the sub-processors listed in Appendix B. The data processor ensures that a written agreement is concluded with each sub-processor imposing on it the same data protection obligations as set out in these Clauses.
7.2 The data processor shall inform the data controller in writing of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' notice, thereby giving the data controller the opportunity to object to such changes.
7.3 The data controller may raise a reasoned objection to a new sub-processor within 14 days of receiving the notification. The data processor will make reasonable efforts to find an alternative solution. If the parties cannot reach agreement, the data controller may terminate the affected part of the service agreement with effect from the date on which the new sub-processor was to be used.
7.4If the sub-processor fails to fulfil its data protection obligations, the data processor remains fully liable to the data controller for the performance of the sub-processor's obligations. This does not affect the rights of the data subjects under the General Data Protection Regulation, including Articles 79 and 82.
8. Transfers to third countries or international organisations
Any transfer of personal data to third countries or international organisations may be carried out by the data processor only on the basis of documented instructions from the data controller and must always take place in accordance with Chapter V of the General Data Protection Regulation.
Personal data is stored and processed in EU/EEA data centres (primarily Frankfurt, Germany). A few sub-processors are US companies whose affiliated parent companies may have support access from third countries. For such transfers, EU standard contractual clauses (SCCs) have been concluded pursuant to Article 46(2)(c), supplemented by the EU-US Data Privacy Framework where the provider is certified.
The data controller's instructions regarding the transfer of personal data to third countries, including the transfer basis, are set out in Appendix C.
9. Assistance to the data controller
9.1Taking into account the nature of the processing, the data processor assists the data controller as far as possible in fulfilling the data controller's obligation to respond to requests for the exercise of the data subjects' rights as laid down in Chapter III of the General Data Protection Regulation. This entails assistance regarding:
- the obligation to provide information when collecting personal data from the data subject
- the obligation to provide information where personal data has not been collected from the data subject
- the right of access
- the right to rectification
- the right to erasure (the "right to be forgotten")
- the right to restriction of processing
- the notification obligation regarding rectification or erasure
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing
9.2 The data processor further assists the data controller with:
- notification of a personal data breach to the Danish Data Protection Agency (Datatilsynet), cf. Article 33
- communication of a breach to the data subjects, cf. Article 34
- data protection impact assessments (DPIA), cf. Article 35, by making available all necessary technical information about the platform's processing activities, security measures and data flows
- prior consultation of the Danish Data Protection Agency (Datatilsynet), cf. Article 36
10. Notification of a personal data breach
10.1 The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred. Notification takes place no later than 24 hours after the data processor becomes aware of the breach, so that the data controller can comply with its obligation to report the breach to the Danish Data Protection Agency (Datatilsynet) within 72 hours, cf. Article 33.
10.2 The notification must contain the following information (cf. Article 33(3)):
- the nature of the breach, including the categories and approximate number of data subjects concerned
- the categories and approximate number of personal data records concerned
- the likely consequences of the breach
- the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
- contact details for the data processor's contact person
11. Deletion and return of data
11.1 Upon termination of the services relating to the processing of personal data, the data processor returns all personal data to the data controller in a structured, commonly used and machine-readable format (CSV or JSON) and thereafter deletes existing copies no later than 30 days after termination, unless applicable law requires storage.
11.2 The data processor confirms in writing to the data controller that deletion has been carried out, including at all sub-processors.
11.3 The following rules require the storage of personal data after termination: the Danish Bookkeeping Act (5 years), tax and duty legislation, and employment law. Such data continues to be stored in accordance with the security provisions of these Clauses and is deleted when the storage obligation ceases.
12. Audit, including inspection
12.1 The data processor makes available to the data controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Clauses, and allows for and contributes to audits, including inspections, carried out by the data controller or another auditor mandated by the data controller.
12.2The data controller may carry out an ordinary audit once a year with at least 30 days' prior notice. The audit may be carried out by an independent third party by mutual agreement. Alternatively, the data processor may make available an independent audit report as documentation of compliance.
12.3 In the event of a reasoned suspicion of a breach, or following a security breach, the data controller may carry out an extraordinary audit with reasonable notice.
12.4The data processor is obliged to grant the Danish Data Protection Agency (Datatilsynet), which under applicable law has access to the data controller's or the data processor's facilities, access to the data processor's facilities upon presentation of appropriate identification.
13. Other provisions agreed by the parties
13.1The data processor's total liability under these Clauses is limited to the amount the data controller has paid in subscription fees in the 12 months preceding the event giving rise to the claim. The limitation of liability does not apply to claims arising from infringement of the data subjects' rights under Article 82 (a mandatory rule), or where the loss is due to gross negligence or intent.
13.2 These Clauses are governed by Danish law. Disputes are settled by the Danish courts, with the Court of Frederiksberg (Retten på Frederiksberg) as the venue of first instance.
14. Commencement and termination
The Clauses come into force upon conclusion of the service agreement. Either party may request that the Clauses be renegotiated if changes in the law or inexpediencies give rise to this.
The Clauses apply for as long as the data processor processes personal data on behalf of the data controller. Upon termination, the provisions on confidentiality (section 5) and deletion (section 11) continue to apply.
15. Contact persons
The parties' contact persons for questions concerning these Clauses and for notification of a personal data breach are:
Data processor (Just Parity ApS)
General enquiries: contact@justparity.com
Personal data breaches: security@justparity.com
Name and title of security officer: ______________________
Data controller (the customer)
To be completed on conclusion of the agreement:
Contact person: ______________________
Data Protection Officer (DPO), if applicable: ______________________
Email: ______________________
Appendices
Appendix A: Information about the processing
| A.1 Purpose | Provision of the JustParity compliance platform for the EU Pay Transparency Directive (2023/970), including job architecture, pay bands, pay gap analysis, reporting to authorities, handling of employee requests and audit trail |
| A.2 Nature of the processing | Collection via API integration with payroll systems, structuring and categorisation, statistical analysis and calculation, report generation, display in a web application, storage in an encrypted database, deletion upon termination or instruction |
| A.3 Personal data | Ordinary: Name, employee ID, job title, job level, job category, department, hire date, termination date, working hours, base salary, allowances, bonus, pension, benefits, salary history, email, activity log Special categories (Art. 9): Gender (for pay gap calculation, legal basis: Art. 9(2)(b), cf. Sections 7(2) and 12 of the Danish Data Protection Act; the data controller is responsible for the basis). Trade union membership may occur indirectly in imported payroll data sets. CPR numbers: May be received transiently from connected payroll systems and used solely for the technical derivation of gender (last digit). The CPR number is not stored. |
| A.4 Data subjects | Current and former employees of the data controller, as well as platform users (HR staff, managers) |
| A.5 Duration | The processing continues for as long as the service agreement is in force. Deletion no later than 30 days after termination, cf. section 11. |
Appendix B: Sub-processors
Upon the entry into force of the Clauses, the data controller has approved the use of the following sub-processors. Changes are notified at least 30 days before they take effect, cf. section 7.2.
| Legal entity | Country | Data location | Processing activity | Transfer basis |
|---|---|---|---|---|
| Supabase Inc. | USA | EU (AWS eu-central-1, Frankfurt) | Cloud hosting, database, authentication. Core: all personal data incl. Art. 9 (gender) and transient CPR | SCCs (Art. 46(2)(c)). Not DPF-certified |
| Netlify, Inc. | USA | EU CDN and serverless | Hosting, CDN, serverless functions; stores the Gmail service secret in Netlify Blobs | EU-US DPF with SCCs as fallback |
| Google Ireland Limited (operated by Google LLC, USA) | Ireland / USA | EU/US | Transactional emails (Gmail DWD) | EU-US DPF (Google LLC) and SCCs |
| Slack Technologies LLC (Salesforce, Inc.) | USA | EU (Slack EU residency) | Internal notifications on user creation | EU-US DPF (Salesforce) and SCCs |
| Functional Software, Inc. (Sentry) | USA | EU (de.sentry.io) with EU org, otherwise US | Client-side error monitoring | EU region: no transfer, otherwise EU-US DPF and SCCs |
| Redis provider (to be determined, e.g. Upstash Inc.) | USA/EU | EU (eu-central-1) recommended | Rate limiting; processes IP addresses | EU region, otherwise SCCs |
Appendix C: Instruction regarding the processing of personal data
C.1 Subject matter of the processing
The data processor is instructed to receive pay data, employment data and demographic data from the data controller's payroll system(s) via API integration, structure these into job architecture and pay bands, perform statistical analysis of pay differences broken down by gender, generate statutory reports and make data available to the data controller via a web-based platform.
C.2 Security of processing
As the processing involves pay data and special categories of personal data (gender, potentially trade union membership), a high level of security must be established. The specific measures are described in section 6.
C.3 Assistance to the data controller
The data processor assists the data controller to the extent and in the manner set out in section 9. The data processor makes available technical information and documentation for use in impact assessments and prior consultations.
C.4 Storage period and deletion routine
Personal data is stored for as long as the service agreement is in force. Upon termination, data is deleted or returned within 30 days, cf. section 11. Statutory storage (the Bookkeeping Act, tax legislation, employment law) is exempt.
C.5 Location of processing
The processing of personal data takes place in EU/EEA data centres. A few sub-processors are US companies whose affiliated parent companies may have support access from third countries on an SCC/DPF basis, cf. Appendix B. Specific data centres are set out in Appendix B for the respective sub-processors. Processing may not take place at other locations without the data controller's prior written approval.
C.6 Instruction regarding transfers to third countries
The data controller instructs the data processor that personal data is processed in EU/EEA data centres. A few sub-processors' US parent companies may have affiliated support access from third countries; for these transfers, EU standard contractual clauses (SCCs) have been concluded pursuant to Article 46(2)(c), supplemented by the EU-US Data Privacy Framework where the provider is certified.
C.7 Procedures for auditing the data processor
The data controller or a representative of the data controller may carry out an annual audit with 30 days' notice, cf. section 12. The data processor may make available an independent audit report as an alternative. An extraordinary audit may be carried out in the event of a reasoned suspicion or following a security breach.
C.8 Procedures for auditing sub-processors
The data processor carries out ongoing supervision of the sub-processors and ensures that they comply with the General Data Protection Regulation and these Clauses. The data controller may request documentation of the sub-processors' compliance.
Appendix D: The parties' regulation of other matters
D.1 Third-party integrations
JustParity integrates with external payroll systems via API (including Zenegy, Planday, Xena and others). Activation of an integration constitutes a documented instruction, cf. section 4.3. The data controller is responsible for ensuring a legal basis for the transfer from the payroll system to JustParity.
Questions about the data processing agreement?
Do you have questions, or would you like a copy in PDF format? Contact us.