BRANTHIQ
Data Processing
Data Processing Agreement
Last updated: 7 May 2026
When Branthiq ApS processes personal data on behalf of a client, a Data Processing Agreement is signed under GDPR article 28. This page describes the general terms - a specific agreement is tailored and signed separately at engagement start.
Parties
- Data controller: The client (the company Branthiq delivers to).
- Data processor: Branthiq ApS, VAT 45786943.
Subject matter and duration
The processing concerns the personal data necessary to deliver the agreed services (development, hosting, support, marketing, etc.). The agreement is in force for as long as services involving personal data are delivered.
Processor obligations
Branthiq:
- Only processes personal data on documented instructions from the controller.
- Ensures confidentiality - only employees with a need have access.
- Implements appropriate technical and organisational measures (per art. 32).
- Assists the controller in fulfilling data subject rights.
- Notifies the controller without undue delay of any personal data breach.
- Deletes or returns personal data upon termination.
- Makes all necessary information available for audits.
Sub-processors
Branthiq uses the following sub-processors. The client accepts these on engagement, and changes are notified with 30 days notice.
| Provider | Purpose | Location / transfer basis |
|---|---|---|
| Netlify, Inc. | Hosting, CDN, deploys | USA - EU-US Data Privacy Framework |
| Supabase Inc. | Database, auth, storage | EU (Frankfurt) |
| Google LLC | Analytics, Tag Manager (consent only) | USA - EU-US Data Privacy Framework |
| Resend Inc. | Transactional emails from contact form | USA - EU Standard Contractual Clauses |
| Anthropic, PBC | AI assistant (chat features, only on active use) | USA - SCCs + zero-retention API endpoints |
| GitHub, Inc. | Source code, deploy pipeline (no client personal data) | USA - EU-US Data Privacy Framework |
Security (art. 32)
- TLS 1.3 on all data traffic.
- Hashed passwords (bcrypt/argon2) - no plaintext.
- Row Level Security (RLS) in Supabase - data isolated per client/user.
- Two-factor authentication on all administrator accounts.
- Encrypted backups with restricted access.
- Logging of all changes in production systems.
- Least-privilege principle for employee access.
Personal data breach
In the event of a data breach, we notify the controller without undue delay and within 24 hours of detection at the latest. The notification contains all relevant information per GDPR art. 33.
Audit
The controller may, once a year, request an audit. The audit may be conducted by the controller or an independent third party with prior agreement. Branthiq bears its own costs; the auditor bears their own.
Deletion and return
Upon termination, Branthiq deletes or returns all personal data within 30 days, unless legislation requires continued retention (e.g. accounting for 5 years).
Governing law
The agreement is governed by Danish law. Disputes are decided by the District Court of Odense, Denmark.
Signing a specific DPA
Email contact@branthiq.com to receive our specific DPA template for signature.