Data Processing Agreement


Last updated: 2 June 2026
Effective date: 2 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer (the "Controller") and Kontekstwork ApS (the "Processor" or "Kontekstwork"), the provider of the Kontekstboard service (the "Service"), for the Customer's use of the Service as set out in the Kontekstboard Terms of Service available at https://kontekstboard.com/terms (the "Main Agreement").

Kontekstboard is a product of Kontekstwork ApS.

This DPA reflects the parties' agreement on the processing of personal data carried out by Kontekstwork on behalf of the Customer in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR").

This version replaces all earlier versions of the DPA from the effective date above.

Language. This DPA is published in English and Danish. The English version is the official text and prevails in case of any discrepancy.

1. Parties

Processor: Kontekstwork ApS, provider of the Kontekstboard service
CVR no.: 46512669
Address: Hørkrogen 6, 5270 Odense N, Denmark
Contact: [email protected]

Controller: The legal entity identified as the customer in the Kontekstboard account that accepted the Main Agreement.

By accepting the Main Agreement (or by continuing to use the Service after this DPA is published), the Controller is deemed to have entered into this DPA with Kontekstwork.

2. Definitions

Capitalised terms used and not otherwise defined in this DPA have the meaning given to them in the GDPR. In particular:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Kontekstwork on behalf of the Controller in connection with the Service.
  • "Customer Data" has the meaning given in the Main Agreement (boards, columns, work items, comments, attachments, Skills, links and documentation uploaded by the Controller and its end users).
  • "Data Subject", "Processing", "Controller", "Processor" and "Personal Data Breach" have the meanings set out in Article 4 GDPR.
  • "Sub-processor" means any third party engaged by Kontekstwork to process Personal Data on behalf of the Controller.

3. Roles, scope and carve-outs

The Controller is the controller of the Customer Data processed under this DPA. Kontekstwork is the processor of that Customer Data and processes it only on documented instructions from the Controller, as set out in the Main Agreement, this DPA and Annex I, and as necessary to provide the Service.

Independent controller carve-out. Kontekstwork is an independent controller (not a processor) for: account, profile, billing, support, security/audit, abuse-prevention, fraud-prevention, analytics-consent and diagnostic data that Kontekstwork generates or processes to operate, secure and improve the Service, as further described in the Privacy Policy at https://kontekstboard.com/privacy-policy. This DPA does not govern that processing.

The Controller's general written instruction is set out in Annex I (Description of Processing). The Controller may issue further reasonable instructions in writing during the term, provided they are consistent with the functionality of the Service. If Kontekstwork believes an instruction infringes data protection law, Kontekstwork will inform the Controller without undue delay.

4. Kontekstwork's obligations

Kontekstwork shall:

(a) process Personal Data only on the documented instructions of the Controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law to which Kontekstwork is subject; in such a case, Kontekstwork shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) take all measures required pursuant to Article 32 GDPR (security of processing), as further described in Annex II;

(d) respect the conditions for engaging Sub-processors set out in Section 6 below;

(e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR;

(f) assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessment, prior consultation), taking into account the nature of processing and the information available to Kontekstwork;

(g) at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies, unless EU or Member State law requires storage of the Personal Data; and

(h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with Section 11 below.

5. Controller's obligations

The Controller shall:

(a) ensure that it has all necessary legal grounds (including Data Subject consent where required) to process and to instruct Kontekstwork to process the Personal Data;

(b) provide accurate Personal Data and keep it up to date through the Service;

(c) be solely responsible for the security of Personal Data after it leaves the Service (for example, when the Controller authorises an external AI tool to access Customer Data via the MCP server, API or CLI);

(d) ensure that its end users use the Service in accordance with the Acceptable Use provisions of the Main Agreement; and

(e) inform Kontekstwork without undue delay if the Controller becomes aware that Personal Data processed under this DPA is inaccurate or has been processed in a manner not compatible with the Main Agreement.

6. Sub-processors

The Controller hereby provides general written authorisation for Kontekstwork to engage Sub-processors. The current list of Sub-processors is set out in Annex III.

Kontekstwork shall:

(a) impose data protection terms on each Sub-processor that are no less protective than those set out in this DPA, including in particular the obligations set out in Article 28(3) GDPR;

(b) remain fully liable to the Controller for the performance of each Sub-processor's obligations; and

(c) inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before the change takes effect (by updating the list at https://kontekstboard.com/sub-processors and notifying registered Customer administrators by email), giving the Controller the opportunity to object on reasonable data protection grounds.

If the Controller objects to a new Sub-processor, the parties will work together in good faith to find a workaround. If the parties cannot resolve the objection within 30 days of the objection being raised, the Controller may terminate the affected part of the Service with effect from the date the Sub-processor is engaged, and Kontekstwork will refund any prepaid fees for the unused portion.

7. International transfers

All hosting of Personal Data takes place exclusively within the European Union (Hetzner data centres in Germany or Finland).

Where the use of certain Sub-processors involves a transfer of Personal Data to a country outside the EU/EEA, such transfer takes place only if one of the following safeguards applies, as further specified per Sub-processor in Annex III:

(a) the European Commission has issued an adequacy decision in respect of the recipient country (e.g. EU-US Data Privacy Framework), and the Sub-processor is currently certified under that framework; or

(b) the parties or the Sub-processor have entered into the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable, supplemented where necessary by additional technical, contractual and organisational measures following a transfer impact assessment.

The Controller hereby authorises Kontekstwork to enter into the relevant Standard Contractual Clauses on the Controller's behalf with such Sub-processors.

A list of the safeguards in place for each Sub-processor is available on request from [email protected].

8. Security

Kontekstwork shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. The current measures are set out in Annex II and may be updated from time to time, provided the level of protection is not materially reduced.

9. Data subject requests

If Kontekstwork receives a request from a Data Subject relating to Personal Data processed on behalf of the Controller, Kontekstwork will, unless legally prohibited, forward the request to the Controller without undue delay and will not respond to the request itself except on the documented instruction of the Controller.

Kontekstwork will assist the Controller in responding to Data Subject requests by providing standard tools in the Service (export in the format described in the Main Agreement, edit and delete) and, where additional assistance is reasonably required, on a time-and-materials basis at Kontekstwork's then-current rates.

10. Personal data breaches

Kontekstwork shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Kontekstwork will aim to notify within 48 hours of confirmation where reasonably possible. The notification will, to the extent then known, describe:

  • the nature of the breach, including categories and approximate number of Data Subjects and records concerned;
  • the likely consequences;
  • the measures taken or proposed to address the breach and to mitigate its possible adverse effects.

Kontekstwork will provide updates as further information becomes available, and will reasonably assist the Controller in fulfilling the Controller's obligations under Articles 33 and 34 GDPR.

11. Audits

Kontekstwork shall make available to the Controller, on reasonable request, the information necessary to demonstrate compliance with this DPA, including current security documentation (such as Kontekstwork's security overview, the latest penetration test summary if available, and the Sub-processor list).

If Kontekstwork is certified to or audited under SOC 2, ISO 27001 or an equivalent standard, the Controller agrees that the corresponding report or certificate, together with the documentation above, will be accepted in lieu of an on-site audit, unless a competent supervisory authority requires otherwise.

If the information made available is not sufficient to demonstrate compliance, the Controller (or an independent third-party auditor mandated by the Controller and reasonably acceptable to Kontekstwork, provided the auditor is not a direct competitor of Kontekstwork in offering a substitute kanban-for-AI service) may conduct an audit, on reasonable prior written notice (not less than 30 days), no more than once per 12-month period (unless required by a competent supervisory authority or following a confirmed Personal Data Breach), during normal business hours and without unreasonably interfering with Kontekstwork's operations.

The Controller bears its own and any third-party auditor's costs. Kontekstwork's reasonable assistance time is invoiced at Kontekstwork's then-current rates, except where the audit reveals material non-compliance, in which case Kontekstwork bears its own costs.

12. Return and deletion of personal data

On termination of the Main Agreement, or at any earlier reasonable request from the Controller, Kontekstwork will:

(a) make Personal Data available for export through the Service for a period of 30 days, after which Kontekstwork will delete the Personal Data from production systems; and

(b) overwrite Personal Data in backups within the routine backup overwrite cycle, which is no longer than 35 days,

unless EU or Member State law requires Kontekstwork to retain specific Personal Data, in which case Kontekstwork will isolate and protect that Personal Data and only process it as required by such law.

Immediate deletion. If the Controller requests deletion without the 30-day export window, Kontekstwork will action the deletion within 7 days of the request, subject to the same backup overwrite cycle in (b).

On request, Kontekstwork will provide written confirmation of deletion.

13. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement.

14. Conflict and order of precedence

In the event of conflict, this DPA prevails over the Main Agreement with respect to the processing of Personal Data. The Standard Contractual Clauses (where applicable) prevail over this DPA in respect of international transfers.

15. Term

This DPA enters into force on acceptance of the Main Agreement and remains in force for as long as Kontekstwork processes Personal Data on behalf of the Controller, and thereafter to the extent necessary for return or deletion of Personal Data under Section 12.

16. Governing law and venue

This DPA is governed by the laws of Denmark. Any dispute arising out of or in connection with this DPA shall be submitted to the courts of Copenhagen (Københavns Byret).


Annex I — Description of the processing

A. Subject matter and duration

Provision of the Service (the Kontekstboard kanban platform for software teams with attached Skills, surfaced to AI coding tools via an MCP server, API and CLI) for the duration of the Main Agreement and any required return/deletion period.

B. Nature and purpose of the processing

Hosting, storage, transmission, display, organisation, retrieval, modification and deletion of Personal Data as required to provide the Service to the Controller and its end users, and to operate, secure, support and improve the Service.

C. Categories of Data Subjects

  • The Controller's end users (employees, contractors, collaborators) who have a Kontekstboard account associated with the Controller.
  • Other individuals identified in content uploaded by the Controller's end users (for example, names appearing in work item descriptions, comments or attachments).
  • Where applicable, individuals listed in the Controller's billing or SSO configuration.

D. Categories of Personal Data

  • Identification and contact data (name, display name, email, hashed password, avatar, preferred AI tool, UI preferences).
  • Account and access data (account type, registration date, last login, refresh tokens, hashed CLI tokens, SSO configuration including encrypted OIDC/SAML credentials, email domain allowlists).
  • Billing data (billing name, email, company name, address, country, VAT/tax ID; payment card data is handled by Polar.sh and not collected by Kontekstwork).
  • Work content (boards, columns, work items, comments, attachments, Skill assignments, item links, board documentation).
  • Activity and audit data (board and item activity, login events including IP address, administrative actions with actor and timestamp).
  • Network and security data (IP addresses and request metadata for rate-limiting, fraud-prevention and security logging).
  • Diagnostic data (feedback submissions; application logs, metrics and error traces processed by our self-hosted observability stack on Hetzner).

E. Special categories of Personal Data

None expected. The Controller agrees not to upload special categories of Personal Data (Article 9 GDPR) to the Service unless expressly agreed in writing with Kontekstwork.

F. Frequency of processing

Continuous, throughout the term of the Main Agreement.

G. Retention

For the duration of the Main Agreement, then as set out in Section 12 (Return and deletion). See the Privacy Policy retention table for category-specific periods.


Annex II — Technical and organisational security measures (Article 32 GDPR)

Kontekstwork maintains the following measures, which are reviewed at least annually. Specific tooling is indicative and may be replaced with equivalent industry-standard alternatives provided the level of protection is not materially reduced.

Pseudonymisation and encryption (Art. 32(1)(a))

  • Encryption in transit using TLS 1.2 or higher for all Service traffic, with weak cipher suites disabled. TLS 1.3 is preferred and used where supported by the client.
  • Encryption at rest of database storage using AES-256.
  • Passwords stored using adaptive password hashing (currently bcrypt with cost factor 12).
  • CLI tokens stored in hashed form; refresh tokens stored in httpOnly, Secure browser cookies.
  • SSO credentials (OIDC/SAML) stored encrypted at rest.

Confidentiality, integrity, availability and resilience (Art. 32(1)(b))

  • Role-based access control (RBAC) inside the Service.
  • Least-privilege access for Kontekstwork personnel; access to production systems limited to a small number of authorised engineers, logged and reviewed.
  • Multi-factor authentication required for administrative access to Kontekstboard production systems (including our self-hosted observability tooling); we additionally require MFA on each external admin console where the underlying provider supports it.
  • Network segmentation, firewalls and managed cloud infrastructure within the EU (Hetzner DE/FI).
  • Audit logging of administrative and security-relevant events.
  • Automated dependency and code vulnerability scanning using industry-standard tooling.
  • Documented secure software development lifecycle including code review and pre-deployment testing.
  • Observability. Application logs, metrics and error traces are collected by a self-hosted observability stack on the same EU infrastructure (Hetzner), accessible only to Kontekstwork engineers. No third-party error-monitoring service is used.

Restoration of availability (Art. 32(1)(c))

  • Encrypted backups of the production database, retained no longer than 35 days. Where backups are replicated across multiple Hetzner availability zones or data centres, this is noted in our security overview.
  • Documented restore procedures, tested at least annually.
  • Monitoring and alerting on Service availability and integrity.

Regular testing (Art. 32(1)(d))

  • We commission an independent third-party penetration test at least every 24 months. The latest report is available to the Controller under NDA on request, once one has been completed.
  • Annual review of security policies and this Annex II.

Confidentiality of personnel

  • All personnel with access to Personal Data are bound by written confidentiality obligations.
  • Background checks for personnel with access to production systems, where permitted by law.

Incident response

  • Documented Personal Data Breach response procedure.
  • Notification to the Controller without undue delay and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting the Controller's Personal Data, with a target of 48 hours where reasonably possible (see Section 10).

Sub-processor management

  • Pre-engagement assessment of each Sub-processor against this Annex II.
  • Written data processing terms with each Sub-processor as required by Article 28 GDPR.

Annex III — Sub-processors

The current list of Sub-processors used by Kontekstwork to provide the Service.

Hetzner Online GmbH
  • Role / Service: Cloud hosting (compute, database, file storage) for the Service
  • Personal Data processed: All Personal Data processed by Kontekstwork
  • Location of processing: Germany / Finland (EU)
  • Transfer mechanism (if outside EEA): N/A — within EEA

Resend, Inc.
  • Role / Service: Transactional and notification email delivery
  • Personal Data processed: Recipient name, email address, message content (e.g. password reset, security alerts, invoices)
  • Location of processing: United States
  • Transfer mechanism (if outside EEA): EU Standard Contractual Clauses (Decision 2021/914), Module Two, supplemented with technical and organisational measures

Google Ireland Ltd. (and Google LLC) — Google Analytics 4
  • Role / Service: Web analytics on the marketing website only (loaded outside the signed-in app), and only where the visitor has consented
  • Personal Data processed: Pseudonymous usage data, truncated IP address, device/browser metadata
  • Location of processing: EU servers; Google LLC (US) involved as joint controller / onward recipient
  • Transfer mechanism (if outside EEA): Google LLC is certified under the EU-US Data Privacy Framework

Polar.sh, Inc.
  • Role / Service: Merchant of Record — subscription billing, invoicing, payment processing, tax
  • Personal Data processed: Billing name and address, email, company name, VAT ID, transaction data; payment card data (collected and processed by Polar, not by Kontekstwork)
  • Location of processing: United States
  • Transfer mechanism (if outside EEA): EU Standard Contractual Clauses (Decision 2021/914), Module Two, supplemented with technical and organisational measures

Application logs, metrics and error traces are processed by self-hosted observability tooling on the Hetzner infrastructure already listed in this Annex and do not reach a third party. No third-party error-monitoring sub-processor is used.

The current list is also published at https://kontekstboard.com/sub-processors. Updates are made in accordance with Section 6.