Data Processing Agreement
Last updated: 4 April 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the entity agreeing to these terms (the “Controller” or “Customer”) and SOAK A/S, operating as Conzentor (the “Processor”), for the processing of personal data in connection with the Conzentor cookie consent management service (the “Service”).
1. Definitions
Terms not defined herein shall have the meanings ascribed to them in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the applicable Terms of Service.
2. Subject Matter and Duration
This DPA governs the Processor’s processing of personal data on behalf of the Controller in connection with the provision of the Service. The duration of processing shall correspond to the term of the subscription agreement between the parties.
3. Nature and Purpose of Processing
The Processor processes personal data for the sole purpose of providing cookie consent management services to the Controller, including:
- Recording and storing consent decisions made by the Controller’s website visitors.
- Providing audit logs demonstrating GDPR and ePrivacy Directive compliance.
- Generating aggregated consent analytics and reports.
- Serving consent banners and managing cookie categorisation.
4. Categories of Data Subjects
The data subjects are visitors to the Controller’s website(s) who interact with the consent banner powered by the Service.
5. Types of Personal Data
The following categories of personal data are processed:
- Hashed IP addresses — SHA-256 hashes of visitor IP addresses, generated using daily rotating salts. Raw IP addresses are never stored.
- Country codes — two-letter country codes derived from IP geolocation at the time of the request.
- Consent choices — the visitor’s acceptance or rejection of each cookie category.
- Session identifiers — randomly generated IDs used to correlate consent interactions within a single browser session.
- User agent hashes — SHA-256 hashes of browser user agent strings.
- Timestamps — the date and time at which consent was recorded.
6. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7).
- Assist the Controller in fulfilling its obligation to respond to data subject requests.
- Assist the Controller in ensuring compliance with obligations related to data protection impact assessments and prior consultations with supervisory authorities.
- At the choice of the Controller, delete or return all personal data upon termination of the Service (see Section 11).
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
7. Security Measures
The Processor implements the following technical and organisational security measures:
- Encryption in transit — all data transmitted between end users, the Service, and the database is encrypted using TLS 1.2 or higher.
- Pseudonymisation — all personally identifiable information (IP addresses, user agents) is hashed using SHA-256 with daily rotating salts before storage, rendering re-identification computationally infeasible.
- EU data residency — all consent data is stored in a PostgreSQL database hosted in Frankfurt, Germany (Neon).
- Row-level security — database-level tenant isolation ensures that each Controller’s data is accessible only to that Controller.
- Access controls — access to production systems is restricted to authorised personnel on a need-to-know basis, using multi-factor authentication.
- Audit logging — all consent records are maintained in append-only audit tables with full provenance.
8. Sub-processors
The Controller provides general authorisation for the Processor to engage the following sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon | PostgreSQL database hosting | Frankfurt, Germany (EU) |
| Cloudflare | CDN, API hosting, and edge compute | Global (with EU-priority routing) |
| Lemon Squeezy | Billing and subscription management | United States |
| Resend | Transactional email delivery | United States |
For sub-processors located outside the European Economic Area, the Processor ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected.
- The name and contact details of the Processor’s data protection point of contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audit requests must be made in writing with at least 30 days’ prior notice and shall be conducted during normal business hours in a manner that does not unreasonably disrupt the Processor’s operations.
11. Data Deletion
Upon termination or expiry of the subscription agreement, the Processor shall, at the Controller’s election, delete or return all personal data processed on behalf of the Controller within 30 days, unless applicable law requires further retention. The Processor shall provide written confirmation of deletion upon request.
12. International Data Transfers
Where personal data is transferred to sub-processors outside the European Economic Area, the Processor shall ensure that such transfers are conducted in compliance with Chapter V of the GDPR, using appropriate transfer mechanisms such as Standard Contractual Clauses or adequacy decisions.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the applicable Terms of Service.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of laws provisions.
15. Contact
For questions regarding this DPA or to exercise rights under it, contact:
SOAK A/S
Email: privacy@conzentor.com