Data Processing Agreement

Version 2.0 — 12.04.2026
Replaces v1.0 dated 28.08.2023


This Data Processing Agreement (“DPA”) is entered into between the Customer (as defined in the Terms of Service), referred to in this DPA as the “User”, and

Metriks ApS
Ryvangs Allé 81, 2.
2900 Hellerup
Denmark
DK42805807

hereinafter “Metriks”

for the purpose of regulating Metriks’ processing of personal data on behalf of the User in connection with the Service.

This DPA forms part of, and is subject to, the Terms of Service at https://metriks.dk/terms. By using the Service, the User accepts this DPA.

§ 1 Interpretation

  1. In this Data Processing Agreement:

“DPA” shall mean this Data Processing Agreement;

“GDPR” shall mean the General Data Protection Regulation (Regulation (EU) 2016/679);

“Data Protection Law” shall mean all regulation and legislation relating to the protection of personal data applicable to the processing described herein;

“Connected System” shall mean any third-party software platform that the User connects to the Service. Connected Systems are categorised as Input Systems, Output Systems, or both, depending on the direction of data flow. Connected Systems are the User’s own services and are not Metriks sub-processors;

“End Customer” shall mean a client, counterparty, or other party whose records appear in the Customer Data. An End Customer may be a natural person or a legal entity;

“Input System” shall mean a Connected System from which Metriks retrieves data on the User’s instruction (e.g. accounting software such as e-conomic, Dinero, or Microsoft Dynamics);

“Output System” shall mean a Connected System to which Metriks transmits data or derived results on the User’s instruction (e.g. CRM software such as Pipedrive). A Connected System may function as both an Input System and an Output System;

“Customer Data” shall mean all data the User provides to the Service and all data retrieved from the User’s Connected Systems, which may contain Personal Data of the User’s End Customers and individuals associated with them. This includes, but is not limited to, invoicing and transaction records;

“Personal Data” shall mean any information relating to an identified or identifiable natural person contained within the Customer Data, including details of individuals associated with the User’s End Customers (such as contact persons, invoice recipients, and company representatives);

“Service” shall mean the Metriks platform, including data retrieval from Input Systems, analysis, visualisation, reporting, and transmission of data or results to Output Systems, as further defined in the Terms of Service;

“Sub-processor” shall mean any third party engaged by Metriks to process Customer Data on behalf of the User;

“Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed on behalf of the User.

In case of unclarity, the definitions in the GDPR will be applied.

§ 2 Roles and Scope

  1. With respect to the Customer Data:
     1. The User is the controller. The User determines the purposes and means of processing and is responsible for its own compliance obligations under Data Protection Law, including ensuring a lawful basis for the collection of Customer Data and its sharing with Metriks.

     2. The User warrants that it has the legal right to share the Customer Data with Metriks and that doing so does not violate any applicable law, regulation, or agreement with a third party.

     3. Metriks is the processor. Metriks processes the Customer Data solely to provide the Service to the User in accordance with the User’s instructions.

  2. With respect to the User’s own account information (such as names and email addresses of the User’s employees who access the Service), Metriks acts as an independent controller. This account data is governed by Metriks’ Privacy Policy and is not covered by this DPA. Third-party services that only process account data on Metriks’ behalf (such as email, CDN, and AI providers) are Metriks’ own processors under its Privacy Policy and are not sub-processors under this DPA.

  3. Connected Systems (both Input Systems and Output Systems) are the User’s own third-party services. The User’s relationship with these providers is governed by the User’s own agreements with them. These providers are not Metriks sub-processors. The current list of supported Connected Systems is maintained in Appendix 3.

  4. The User agrees not to provide, directly or indirectly, to Metriks any special categories of personal data as defined in GDPR art. 9.

§ 3 Processing Details

  1. Data sources and flows
     1. Metriks retrieves Customer Data from the User’s connected Input System(s) via integration APIs, on the User’s instruction and authorisation.

     2. Metriks stores the Customer Data and processes it to provide analysis, visualisation, and reporting within the Service.

     3. On the User’s instruction, Metriks transmits data or derived results (such as churn indicators and other analytical outputs) to the User’s connected Output System(s). These results may contain Personal Data to the extent necessary to identify the relevant End Customers.

     4. On the User’s instruction, Metriks may facilitate the creation of records (such as invoices) through the Service and transmit them to the relevant Connected System. Any further processing by that Connected System, including email communication to End Customers, is handled entirely by that system. Metriks does not send emails or other communications to the User’s End Customers.

  2. Categories of Personal Data processed

     The following Personal Data may be processed, to the extent present in the Customer Data: End Customer names, email addresses, postal addresses, phone numbers, invoice amounts, payment history, and other information contained in the records retrieved from Input Systems.

  3. Categories of data subjects

     The data subjects are the User’s End Customers and individuals associated with them whose details appear in the Customer Data.

  4. Purposes of processing
     1. Retrieving and storing Customer Data from the User’s Input System(s).

     2. Displaying and visualising Customer Data within the Service.

     3. Analysing Customer Data and generating reports, insights, and derived metrics for the User.

     4. Transmitting data or analysis results to the User’s Output System(s) on the User’s instruction.

     5. Facilitating record creation (e.g. invoices) and transmission to the relevant Connected System on the User’s instruction.

  5. Metriks does not use the Personal Data for any purpose other than providing the Service to the User as described in this section.

  6. For the avoidance of doubt, data that has been aggregated and anonymised such that it no longer constitutes Personal Data is outside the scope of this DPA. The use and retention of such data, including but not limited to sector-level data, is governed by the Terms of Service.

§ 4 Duration

  1. This DPA is effective from the date the User begins using the Service and remains in force until:
     1. the agreement(s) related to the Service are terminated, regardless of the initiating party; or

     2. this DPA is terminated in accordance with § 12.

§ 5 Metriks’ Obligations

  1. Instructions
     1. Metriks shall process Personal Data only on documented instructions from the User, unless required to do so by EU or Danish law, in which case Metriks shall inform the User of that legal requirement before processing (unless prohibited by law from doing so).

     2. Metriks shall immediately inform the User if, in its opinion, an instruction from the User infringes the GDPR or other Data Protection Law.

  2. Security Measures
     1. Metriks shall implement and maintain the technical and organisational measures described in Appendix 2 to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

     2. The measures shall be appropriate to the risk, taking into account the state of the art, cost of implementation, and the nature and scope of the processing. The Personal Data processed under this DPA is commercial data containing incidental personal identifiers and is not considered high-risk data.

     3. Metriks shall review the security measures at least annually and update them as necessary.

  3. Employees
     1. Metriks shall ensure that all persons authorised to process Personal Data are bound by a duty of confidentiality.

     2. Access to Personal Data shall be limited to employees who require it to provide the Service.

     3. Metriks shall provide data protection awareness training to employees with access to Personal Data.

  4. Data Breach Notification
     1. Metriks shall notify the User of a Data Breach without undue delay and in any event within 24 hours of becoming aware of it.

     2. The notification shall include: a description of the nature of the breach, including where possible the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address it and mitigate its effects.

     3. Metriks shall document all Data Breaches, including the facts, effects, and remedial actions taken, and shall provide this documentation to the User or supervisory authorities upon request.

     4. Metriks shall cooperate with and assist the User in meeting its obligations under Art. 33 and Art. 34 GDPR.

  5. Data Subject Requests
     1. Metriks does not have a direct relationship with the data subjects whose Personal Data is contained in the Customer Data. If Metriks receives a request from a data subject, Metriks shall promptly forward it to the User and shall not respond directly without the User’s prior instruction.

     2. Metriks shall assist the User in responding to data subject requests under Chapter III GDPR by providing the User with the ability to access, export, and delete data through the Service.

     3. Metriks shall respond to the User’s instructions regarding data subject requests within 5 working days.

  6. Data Retention and Deletion
     1. Metriks stores Customer Data for as long as the User’s account is active.

     2. Metriks does not retain Personal Data after the purpose for which it was processed has been fulfilled, unless required by law.

     3. The User may delete specific data at any time through the self-service deletion functionality in the Service, or by written request to Metriks.

§ 6 Sub-processors

  1. The User hereby grants Metriks general written authorisation to engage sub-processors for the processing of Customer Data, subject to the conditions in this section.

  2. A current list of sub-processors is maintained at https://metriks.dk/processors. The User is responsible for reviewing this list periodically.

  3. Metriks shall inform the User of any intended changes concerning the addition or replacement of sub-processors by updating the list at https://metriks.dk/processors. The User is responsible for reviewing the sub-processor list periodically. Continued use of the Service after a sub-processor change takes effect constitutes acceptance of that change.

  4. The User may object to the engagement of a new or replacement sub-processor by providing written notice to Metriks before the change takes effect. The objection must state reasonable grounds.

  5. If the User objects and the Parties cannot reach a mutually acceptable resolution within 30 days, the User may terminate this DPA and the related Service agreement(s) without penalty.

  6. Metriks shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a written agreement.

  7. For the avoidance of doubt, the User’s Connected Systems (Input Systems and Output Systems) are not Metriks sub-processors. Data retrieved from or transmitted to these systems is done on the User’s instruction, and the User is responsible for the processing carried out by those systems.

  8. Third-party services that Metriks uses solely in its capacity as controller of the User’s account data (such as email delivery, CDN, and AI providers) are not sub-processors under this DPA, as they do not process Customer Data.

§ 7 International Data Transfers

  1. As of the date of this DPA, all processing of Customer Data by Metriks and its sub-processors takes place within the European Economic Area (EEA).

  2. Metriks shall not transfer Customer Data to a country outside the EEA unless:

     1. an adequacy decision exists under Art. 45 GDPR for the recipient country;

     2. appropriate safeguards have been provided under Art. 46 GDPR, including Standard Contractual Clauses; or

     3. the User has given prior written consent and a derogation under Art. 49 GDPR applies.

  3. If Metriks becomes aware that a sub-processor transfers Customer Data outside the EEA, Metriks shall notify the User promptly.

  4. The User acknowledges that data transmitted to the User’s own Connected Systems on the User’s instruction may be transferred internationally depending on the User’s configuration of those systems. Such transfers are the User’s responsibility.

§ 8 Costs

  1. Metriks shall not charge separately for its obligations under this DPA, except where assistance requested by the User goes materially beyond what is required under Art. 28 GDPR, in which case the Parties shall agree on reasonable compensation in advance.

§ 9 Liability

  1. Liability clauses in the Terms of Service apply to this DPA as if they were an integral part hereof.

§ 10 Force Majeure

  1. Force majeure clauses in the Terms of Service apply to this DPA as if they were an integral part hereof.

§ 11 Confidentiality

  1. Confidentiality clauses in the Terms of Service apply to this DPA as if they were an integral part hereof.

  2. This DPA and all appendices are subject to confidentiality.

§ 12 Termination

  1. This DPA may be terminated:
     1. upon termination of the Service agreement(s), regardless of the initiating party;

     2. by the User under § 6(5) of this DPA; or

     3. as otherwise provided in the Terms of Service.

  2. Effects of termination:
     1. Upon termination, Metriks shall cease processing Customer Data on behalf of the User.

     2. Metriks shall delete all Customer Data within 30 days of the effective date of termination, unless retention is required by EU or Danish law. Metriks shall provide written confirmation of deletion upon request.

     3. Customer Data may be retained in encrypted backups for up to 90 days after termination, after which it shall be permanently deleted. All obligations under this DPA continue to apply during this period.

§ 13 Dispute Resolution

  1. Dispute resolution clauses in the Terms of Service apply to this DPA as if they were an integral part hereof.

  2. This DPA is subject to Danish Law.

  3. In case of any dispute in connection with the DPA, Metriks and the User shall cooperate in good faith to settle the dispute.

  4. If the Parties are unable to resolve a dispute, either Party may demand that the dispute be settled by the ordinary courts. The court in Lyngby is selected as the venue.

§ 14 Precedence

  1. In case of any discrepancies between this DPA and the Terms of Service, the DPA takes precedence, unless otherwise specified.

§ 15 Service Availability

  1. Metriks does not guarantee any specific level of availability or uptime for the Service. The Service is provided on a commercially reasonable basis.

  2. Unless separately agreed in writing, no service level agreement (SLA) applies.

§ 16 Contact

  1. For all data protection matters arising under this DPA, the User may contact Metriks at: support@metriks.dk.

Appendix 1: Sub-processors

A current list of sub-processors is maintained at https://metriks.dk/processors.

As of the date of this DPA, the following sub-processors process Customer Data on behalf of the User:

| Company | Location | Purpose | Updated |
| --- | --- | --- | --- |
| Netcup GmbH | EU (Germany) | Hosting and infrastructure | 12.04.2026 |
| Hetzner Online GmbH | EU (Germany) | Hosting and infrastructure | 12.04.2026 |
| OVH SAS | EU (France) | Hosting and infrastructure | 12.04.2026 |

All sub-processors listed above are located within the EEA.

Note: third-party services that Metriks uses solely for its own operations as controller (such as email delivery, CDN, and AI providers) are not listed here, as they do not process Customer Data. Those are documented at https://metriks.dk/processors under a separate section.


Appendix 2: Technical and Organisational Measures

Metriks implements the following measures, proportionate to the nature of the data processed (commercial data containing incidental personal identifiers). These measures are reviewed annually.

  1. Access Control
     1. Role-based access control ensuring employees access only what is necessary for their function.

     2. Unique credentials per employee; shared accounts are not permitted.

     3. Multi-factor authentication for access to production systems.

     4. Access revoked promptly upon role change or departure.

  2. Application-Level Access
     1. Each User account is logically separated; team members within a User’s organisation can only access their own organisation’s data.

     2. Metriks employees do not access Customer Data unless required for support purposes and authorised by the User, or as necessary to maintain the Service.

  3. Integration Security
     1. Connections to the User’s Connected Systems are authenticated using OAuth, API keys, or equivalent mechanisms as provided by the respective platforms.

     2. Metriks stores integration credentials securely and does not share them with third parties.

     3. The User may revoke integration access at any time through their Connected System.

  4. Encryption
     1. Data in transit: TLS 1.2 or higher.

     2. Data at rest: AES-256 or equivalent.

     3. Backups are encrypted.

  5. Infrastructure Security
     1. Firewalls and network-level access controls.

     2. Regular patching and vulnerability management.

     3. Separation of production, staging, and development environments.

     4. No real Personal Data used in development or testing.

  6. Availability and Recovery
     1. Regular automated backups with tested restoration procedures.

     2. Redundant hosting across providers to minimise downtime.

  7. Logging and Monitoring
     1. Access to Personal Data and administrative actions are logged.

     2. Logs are retained for a minimum of 12 months.

     3. Alerts configured for anomalous access patterns.

  8. Incident Response
     1. Documented incident response procedure covering detection, containment, remediation, and notification.

     2. Post-incident review conducted after each Data Breach.

  9. Data Minimisation
     1. Metriks retrieves only the data fields made available through the integration APIs that are necessary to provide the Service.

     2. Customer Data is deleted when the User’s account is terminated, in accordance with § 12.

     3. Metriks does not independently collect data about the User’s End Customers and does not contact them directly. Any communication to End Customers (e.g. invoice delivery) is handled by the relevant Connected System.


Appendix 3: Connected Systems

Connected Systems are the User’s own third-party services that the User connects to Metriks. They are not sub-processors. The User is responsible for its own agreements with these providers.

Metriks may add support for new Connected Systems over time. The addition of a new supported integration does not constitute a change to this DPA, as no Connected System is activated without the User’s explicit instruction and authorisation.

The following Connected Systems are currently supported:

Input Systems

Systems from which Metriks retrieves data on the User’s instruction.

| System | Type | Data Retrieved |
| --- | --- | --- |
| e-conomic | Accounting | Invoicing and transaction records, including customer details |
| Dinero (planned) | Accounting | Invoicing and transaction records, including customer details |
| Microsoft Dynamics (planned) | ERP / Accounting | Invoicing and transaction records, including customer details |

Output Systems

Systems to which Metriks transmits data or derived results on the User’s instruction.

| System | Type | Data Transmitted |
| --- | --- | --- |
| Pipedrive | CRM | Analytical results (e.g. churn indicators) which may include customer identifiers |

Dual-Direction Systems

Systems that function as both Input and Output.

| System | Type | Input | Output |
| --- | --- | --- | --- |
| e-conomic | Accounting | Invoicing and transaction records | Invoices created through the Service |

Note: when Metriks transmits data to an Output System or a Dual-Direction System, any further processing by that system (including email delivery to End Customers) is handled entirely by that system and is outside the scope of this DPA.