This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Sempleo ApS (“Sempleo,” “Processor”) and the customer identified in the applicable Order Form (“Customer,” “Controller”). It governs Sempleo’s processing of personal data on Customer’s behalf under Article 28 of Regulation (EU) 2016/679 (the “GDPR”).
1. Scope and roles
Customer is the controller of the personal data contained in Customer Data. Sempleo is the processor. The categories of data subjects and personal data, the nature and purposes of processing, and the duration are set out in Annex A.
For personal data we collect directly from you and your users to operate our business (account, billing, support), Sempleo is the controller and our Privacy Policy applies.
2. Processing instructions
Sempleo processes personal data only on Customer’s documented instructions, which include the Terms, this DPA, and the Customer’s configuration of the Service. If we believe an instruction infringes data-protection law, we will inform Customer without undue delay.
3. Confidentiality
Personnel authorised to process personal data are bound by confidentiality obligations (contractual or statutory) and are granted access on a need-to-know basis using scoped access controls.
4. Security
Sempleo implements and maintains the technical and organisational measures set out in Annex C to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
5. Sub-processors
Customer grants Sempleo general authorisation to engage sub-processors to deliver the Service, subject to the safeguards in this Section. The current list of sub-processors is set out in Annex B and is kept up to date on this page.
Sempleo will (a) impose data-protection obligations on sub-processors at least equivalent to those in this DPA, (b) give Customer at least 30 days’ notice before appointing a new sub-processor or replacing an existing one, and (c) allow Customer to object on reasonable, documented data-protection grounds. If we cannot accommodate a reasonable objection, Customer may terminate the affected subscription for the remainder of its term.
6. International transfers
Personal data is stored in the European Union by default. Where a sub-processor operates outside the EU/EEA, Sempleo relies on the European Commission’s Standard Contractual Clauses (Module 3 where relevant) together with supplementary measures such as encryption in transit and at rest. Transfer details are recorded in Annex B.
7. Data-subject requests
Sempleo will promptly forward any data-subject request it receives concerning Customer Data and will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures in fulfilling its obligation to respond. Standard in-product tooling for access, correction, export, and deletion is provided at no additional charge.
8. Assistance with GDPR obligations
Taking into account the nature of processing and the information available, Sempleo will assist Customer with:
- responding to data-subject requests (Section 7);
- ensuring the security of processing (Article 32) via the measures in Annex C;
- notification of personal-data breaches (Article 33) as set out in Section 9;
- data-protection impact assessments (Article 35) and prior consultation with supervisory authorities (Article 36), by providing available information about the processing.
9. Personal-data breach notification
Sempleo will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting Customer Data. The notification will include (to the extent known) the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed.
10. Audits
Customer may audit Sempleo’s compliance with this DPA once per year, on at least 30 days’ written notice, during business hours, and in a manner that does not disrupt operations or compromise the security of other customers. Sempleo may satisfy audit obligations by providing up-to-date third-party certifications (e.g. ISO 27001, SOC 2 Type II) and responses to a reasonable written questionnaire.
11. Return or deletion of data
On termination of the Service, Sempleo will, at Customer’s choice, return or delete Customer Data within 30 days, unless retention is required by EU or member-state law. Backup copies are purged according to the rolling schedule described in Annex C.
12. Liability and conflicts
The liability provisions of the Terms apply to this DPA. If there is a conflict between the Terms and this DPA in relation to personal data, this DPA prevails.
13. Governing law
This DPA is governed by Danish law and the GDPR, with venue as set out in the Terms.
Annex A — Description of processing
- Subject matter: provision of the Sempleo team-context platform.
- Duration: the term of the subscription plus the 30-day export window.
- Nature and purpose: hosting, indexing, and retrieval of the Customer’s five-layer context; execution of installed agents and workflows; storage of audit logs and review-queue records; provision of support.
- Types of personal data: identifiers (name, work email), employment data (role, team), any personal data contained in files, notes, emails, or other content Customer uploads or connects, and technical identifiers (user IDs, timestamps, IP addresses) in audit logs.
- Categories of data subjects: Customer’s employees, contractors, and any third parties whose data appears in content Customer chooses to process (e.g. clients, suppliers, partners).
Annex B — Sub-processors
Sempleo engages the following sub-processors to deliver the Service. Transfers outside the EU/EEA rely on the EU Standard Contractual Clauses and supplementary measures.
- Hosting & database — Hetzner Online GmbH (Germany). Processes Customer Data at rest and in transit. Location: EU.
- Inference (default) — Anthropic PBC (United States). Processes prompts containing the minimum context required for a given run. Transfers covered by SCCs and the provider’s no-training commitment. Customers on the enterprise plan may substitute their own Anthropic or OpenAI account.
- Transactional & newsletter email — Resend, Inc. (United States). Processes recipient email address and message content. Transfers covered by SCCs.
- Analytics (website only) — Umami Software, Inc. (Umami Cloud, EU region). Cookieless, privacy-preserving page analytics; no personal identifiers, no cross-site tracking. Location: EU.
- Error monitoring — self-hosted in the EU; no third-party sub-processor for runtime telemetry.
Changes to this list are announced at least 30 days in advance by in-product notification and email to the account’s admin contacts.
Annex C — Technical and organisational measures
- Access control. Scoped RBAC; least-privilege access to production; mandatory SSO and MFA for Sempleo personnel; quarterly access reviews.
- Encryption. TLS 1.2+ in transit; AES-256 at rest for database and file storage; secrets managed in a dedicated KMS.
- Tenant isolation. Per-tenant row-level policies in Postgres and per-tenant namespaces in the vector store; no shared caches that could leak across tenants.
- Audit logging. All administrative actions and agent runs produce an append-only audit record; logs retained 12 months.
- Backups. Encrypted daily backups retained 30 days; restore tested quarterly.
- Vulnerability management. Automated dependency scanning on every build; critical patches within 7 days of public disclosure.
- Change management. Peer review and CI gates for production changes; no direct write access to production databases except through auditable tooling.
- Personnel. Background checks where permitted by law; confidentiality obligations; security-awareness training on hire and annually.
- Business continuity. Multi-AZ hosting; documented incident-response runbook; post-incident reviews.
- Deletion. Soft-delete immediately on request; hard-delete within 30 days; backup rotation completes within 60 days.
Last updated: 23 April 2026