Data Processing Agreement
Effective 2026-06-09 · Last updated 2026-06-09
This Data Processing Agreement ("DPA") applies between the Customer (as defined in the Palette Services Order Form, (together with its appendices, the "Agreement")), hereafter referred to as the "Controller" and Palette Group ApS, CVR no. 45344266 ("Palette" or the "Processor"), each a "Party" and together the "Parties".
1.1. The Parties have entered into an Agreement incorporating the above referenced Order Form regarding Palette's provision of Services (as defined in the Agreement) to the Controller. The Controller's use of Palette's Services, as well as the Parties' fulfillment of their obligations under the Agreement, will involve the processing of personal data by the Processor on behalf of the Controller. The Parties enter into this DPA to ensure that such processing is conducted lawfully, transparently, securely and in compliance with Applicable Data Protection Law.
1.2. Terms not defined in this DPA, such as but not limited to personal data, processing and data subject, have the meaning set forth in the GDPR. "In writing" and "written" are interpreted in line with Article 28(9) GDPR and include electronic form (e.g. via email).
1.3. The Parties agree that this DPA and the Agreement set out the Controller's complete and final instructions to Processor in relation to Processor's processing of personal data on Controller's behalf. Any additional instructions must be provided to Processor in writing and signed by both Parties to be valid and applicable. Controller acknowledges and agrees that Processor may anonymize personal data and use such anonymized data to improve and develop the Services.
1.4. The Controller acknowledges and agrees that its use of the Services involves the Processor using AI algorithms, including Third Party Models (as defined in the Agreement), to process Controller's personal data solely to deliver the Services. The Processor confirms that regarding:
2.1. "Applicable Data Protection Law" refers to all privacy and personal data legislation of an EU Member State or in EU law along with any other obligations directly applicable to data processors under local data protection legislation applicable to the Parties' activities under this DPA.
2.2. "EU SCCs" means the standard contractual clauses adopted by the European Commission that are stated in the Annex to the European Commission's Implementing Decision 2021/914 of 4 June 2021, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914
2.3. "GDPR" means the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2.4. "Sub-processor" refers to a natural or legal person, public authority, agency or other body which, in the capacity of subcontractor to the Processor, processes personal data on behalf of the Controller. The term Sub-processor has the same meaning as "another processor" referred to under the GDPR Article 28(2).
2.5. "Third Country(ies)" means any country that is not a member of the European Union (EU) or the European Economic Area (EEA) and which has not been deemed to ensure an adequate level of data protection by the European Commission pursuant to Articles 44-50 (Chapter V) of the GDPR.
2.6. "UK SCCs" means the standard contractual clauses adopted by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
3.1. The Controller undertakes to ensure that there is a legal basis for the processing at all times and that the instructions covered by this DPA are appropriate with regard to the nature and purpose of the processing and the type of personal data and categories of data subjects so that the Processor and applicable Sub-processor(s) can fulfil their tasks according to this DPA and the Agreement.
3.2. The Controller is responsible for informing data subjects about the processing and protecting their rights as well as taking any other action incumbent on the Controller according to Applicable Data Protection Law.
3.3. The Controller is responsible for assessing whether the Processor's technical and organizational measures are appropriate for the types of personal data and processing activities in scope for the Controller's use of the Services.
4.1. The Processor undertakes to process personal data only: (i) for purposes necessary to deliver and perform the Services; (ii) in accordance with and in order to comply with this DPA, the Agreement and other reasonable instructions provided by the Controller to the extent such instructions are consistent with the terms of the Agreement and; (iii) in accordance with Controller's documented lawful instructions. Where the Processor reasonably believes that any instruction from the Controller infringes Applicable Data Protection Law, the Processor shall promptly notify the Controller in writing before acting on that instruction, unless applicable law prohibits such notification on important grounds of public interest.
4.2. If the Processor is required to process the personal data for purposes related to fulfilling legal obligations under Applicable Data Protection Law to which the Processor is subject and such purposes cannot be regarded as covered by the Controller's instructions under this DPA, the Processor undertakes to inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.3. The Processor ensures that any individual or party authorized to process the personal data in connection with the Processor's activities under this DPA has committed itself to confidentiality or is under an appropriate statutory obligation of confidentiality. Upon request by the Controller, the Processor shall demonstrate that persons authorized to access personal data are subject to the confidentiality obligations described in this clause.
4.4. Considering the nature of the processing and the information available, Processor will assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to i) respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR; and ii) ensure compliance with its obligations pursuant to Articles 32 to 36 of the GDPR.
4.5. The Processor undertakes to notify the Controller without undue delay after becoming aware of a personal data breach, in order to give the Controller sufficient time to meet its obligation to notify the relevant supervisory authority within 72 hours under Article 33 GDPR. Notification shall include:
4.6. Where, and in so far as, it is not possible to provide the information listed in the previous clause at the same time, the information will be provided in phases without undue further delay.
5.1. Controller hereby gives its general written authorization for Processor to use Sub-processors to carry out processing activities on behalf of Controller under this DPA provided that Processor:
5.2. The Processor shall use reasonable efforts to include in Sub-processor agreements a provision enabling the Controller, in the event the Processor becomes insolvent, ceases to exist in law or is otherwise unable to fulfil its obligations under this DPA, to instruct the Sub-processor directly to delete or return the Controller's personal data processed on the Controller's behalf.
5.3. Information on the Sub-processors currently used by the Processor is available at https://trust.palette.team/. The Processor will inform the Controller of any intended changes regarding Sub-processors, giving the Controller the opportunity to object to such changes on reasonable grounds relating to the protection of personal data. Where Controller wishes to object, Controller must inform Processor in writing by emailing privacy@palette.team within 14 days following the Processor's notification. In the event of a timely objection, the Parties will negotiate in good faith a solution to Controller's objection. If the Parties fail to agree on a solution within 60 days of Processor's receipt of Controller's objection, Processor will implement one of the following, prioritized in the order listed:
6.1. Controller acknowledges that it is necessary for the performance of the Services that Processor directly and/or through its use of Sub-processors may transfer or permit the transfer of Controller's personal data to recipients located in a Third Country provided that such transfers comply with Applicable Data Protection Law. The Controller is responsible for assessing whether it must conduct a data transfer assessment reflecting the transfer of its personal data in addition to relying on a valid transfer mechanism as per this DPA. Processor will provide reasonable assistance with such assessment upon request.
6.2. Standard Contractual Clauses (SCCs). The Parties agree to use the EU SCCs to the extent the Processor's transfer of the Controller's personal data is subject to the EU GDPR, and the UK SCCs (the UK Addendum) to the extent the Processor's transfer of the Controller's personal data is subject to the UK GDPR. The EU SCCs and UK SCCs include the applicable modules and optional clauses specified in Appendix II to this DPA. The Controller shall be considered the "data exporter" and the Processor the "data importer" under the clauses. The Controller acknowledges that signature of the Agreement includes and constitutes binding signature also of the applicable SCCs.
6.3. Data Privacy Framework. In the event a Sub-processor is located in the United States and is certified under the EU-U.S. Data Privacy Framework (DPF, see https://www.dataprivacyframework.gov/s/) or any successor framework recognized by the European Commission under Article 45 GDPR, the Processor may rely on such certification as an alternative transfer mechanism.
6.4. For the avoidance of doubt, this DPA does not constitute standard contractual clauses within the meaning of Article 46(2)(c) or (d) GDPR and may not be relied upon as a transfer mechanism in its own right under Chapter V GDPR.
6.5. Government access requests. Where the Processor or a Sub-processor receives a legally binding request for Customer's personal data from a public authority, the Processor will, to the extent permitted by law: (a) promptly notify the Controller; (b) challenge any request that appears unlawful, overbroad or in conflict with Applicable Data Protection Law; and (c) disclose only the minimum data necessary to comply. The Processor maintains records of such requests and will share aggregate information with the Controller on reasonable request.
7.1. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Parties undertake to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
7.2. In assessing the appropriate level of security, the Parties undertake to particularly take into account and manage risks related to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
7.3. More details on Processor's security measures and ongoing work with data protection related to the Services are available at https://trust.palette.team/ and in Appendix III – Security Schedule to this DPA. Controller acknowledges that the Processor's security measures are subject to technical progress and development and that Processor may update the security measures from time to time provided that such modifications do not result in the degradation of the overall data protection and security for the processing of personal data carried out by Processor on behalf of the Controller.
8.1. Trust portal and standard documentation (default). The Processor maintains a trust portal at https://trust.palette.team/ where Controller may access, on request and subject to the confidentiality provisions of the Agreement, the documentation necessary to demonstrate Processor's compliance with this DPA — including, as available, third-party audit reports (e.g. SOC 2), penetration test summaries, the current sub-processor list, security policies, and responses to standard security questionnaires (e.g. CAIQ, SIG Lite). The Parties agree that this documentation is the primary means of satisfying Controller's audit obligations.
8.2. Written questionnaires. Where the trust portal documentation does not address a specific question relevant to Controller's compliance with Applicable Data Protection Law, Processor will reasonably respond in writing to a focused security or privacy questionnaire from Controller, subject to confidentiality, at no additional charge.
8.3. External Auditors. Palette uses independent and qualified external auditors to verify the adequacy of its data protection measures and compliance relevant for its obligations under this DPA. The Processor's current attestations and certification roadmap (including SOC 2 Type II and ISO 27001, pursued via Vanta) are published at https://trust.palette.team/.
8.4. On-site audit (exception). Only where Controller's audit obligations under Applicable Data Protection Law cannot reasonably be satisfied through the documentation under clauses 8.1–8.3 and Controller has a mandatory right to conduct an on-site audit under Applicable Data Protection Law, Controller may request such audit by providing at least 30 days' advance written notice to privacy@palette.team. An on-site audit per this clause i) may be conducted no more than once annually unless an additional check is required by Applicable Data Protection Law or reasonably necessary due to a substantiated concern regarding Processor's compliance with this DPA; ii) must be conducted during normal business hours with reasonable duration; iii) must not interfere with Processor's operations; iv) must be conducted by Controller or a mutually-agreed independent auditor under written confidentiality obligations; and v) must take place at Processor's headquarters or an agreed business office. The audit will not involve access to any data relating to other Palette customers, nor will it cover secured facilities, source code, or systems which could violate Processor's security controls or cause Processor to violate its confidentiality obligations to any third party. Controller is responsible for its own costs and expenses, and for Processor's reasonable costs, relating to any on-site audit it requests beyond the documentation provided under clauses 8.1–8.3.
9.1. If a Party breaches this DPA or Applicable Data Protection Law, such Party shall indemnify the other Party for any damage caused by the breach. However, this shall not apply if the breaching Party can show that it is in no way responsible for the event, act or omission that caused the other Party damage, such as where the damage could not have been avoided by fulfilling the Party's obligations under this DPA, Applicable Data Protection Law or instructions issued by the Data Controller.
9.2. For the avoidance of doubt, fines pursuant to Article 83 of the GDPR, or the Danish Data Protection Act (Lov nr. 502 af 23. maj 2018) with supplementary provisions to the EU's data protection regulation shall be borne by the Party to the Agreement named as recipient of such sanctions.
9.3. In the event of a claim for compensation for damage to be paid to a data subject due to an infringement of a provision under the DPA confirmed through a judgment or final settlement, instructions and/or applicable provision in Applicable Data Protection Law, Article 82 of the GDPR shall apply.
9.4. The Processor shall only be liable for breaches of obligations that are directly addressed at "processors" under Applicable Data Protection Law.
9.5. If either Party becomes aware of circumstances that could be detrimental to the other Party, the first Party shall immediately inform the other Party thereof and work actively with the other Party to prevent and minimize the damage and potential loss.
9.6. The liability of either Party under this DPA is subject to, and counts towards, the limitations and exclusions of liability set out in the Agreement.
10.1. This DPA is incorporated into and forms part of the Agreement. It becomes effective upon the Controller's acceptance of Palette's Terms of Service (available at https://palette.team/terms), including acceptance via click-through or electronic signature of an Order Form, and remains in force at least as long as the Processor processes personal data on behalf of the Controller.
10.2. Upon termination of this DPA, the Processor undertakes to, at the choice of the Controller, delete or return all applicable personal data to the Controller within the timeframes set out in Section 8.5 of the Agreement, and delete existing copies unless storage of the personal data is required under EU law or relevant national law where processing may be carried out pursuant to the Agreement.
10.3. If personal data or associated information is returned to the Controller, it must be in a commonly used and standardized format, unless the Parties have agreed to another format.
10.4. Either Party shall be entitled to request renegotiation of this DPA if material changes in Applicable Data Protection Law or binding regulatory guidance render any provision of this DPA materially inadequate or incompatible with applicable requirements.
11.1. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless required otherwise by Applicable Data Protection Law.
Controller's contact details for notifications under the DPA: Controller will be added to a notification email group (dpa-notifications@palette.team) where they will be given notice upon DPA changes.
Processor's contact details for notifications under the DPA: trust@palette.team
The Parties shall promptly inform each other in writing of any changes to the contact details above.
Processor identity: Palette Group ApS, CVR no. 45344266, Flaesketorvet 38B, 1711 Copenhagen, Denmark.
Nature, purpose and scope of the processing: Provide the Services under the Agreement, including synthesizing organisational signals into a shared context layer for the Controller's team. Collection, organization, structuring, adaptation, retrieval, combination, restriction and other processing of the information that the Controller uploads to/enters in/creates and otherwise handles within the scope of the Services under the Agreement. Storage of personal data, deletion upon request from the Controller; and troubleshooting, consultation and support for the Services. Processing activities will include hosting and other processing of personal data as specifically instructed by the Customer through its use of the Services or under the Agreement.
Duration of processing and retention: The contract period according to the Agreement and time for return and/or deletion according to the DPA.
Data subjects: Customer may, at its sole discretion, submit personal data to the Services, which may include, but is not limited to: individuals whose personal data appear in such content that the Controller manages through or otherwise makes available to the Services and individuals whose personal data appear in the information fields related to the aforementioned digital content.
Individuals in scope may relate to Controller's employees (including contractors and temporary employees), relatives of employees, customers, prospective customers, service providers, business partners, vendors, end users, advisors (all of whom are natural persons) of Customer and any natural person(s) authorized by Customer to use the Services.
Categories of personal data:
The Processor only processes sensitive (special category) personal data if the Controller handles content containing such information in connection with the Services.
Processing location: Palette's primary infrastructure is hosted in Railway's eu-west region (Amsterdam, Netherlands). Persistent customer data — signals, conversations, and agent memory — remains in EU-hosted databases. Certain Sub-processors (AI model providers, workflow orchestration, integration platform, observability) may process data outside the EEA under valid transfer mechanisms. See Appendix IV and https://trust.palette.team/ for current Sub-processor locations.
Retention periods:
| Data category | Retention period |
|---|---|
| Account and customer data | Duration of subscription |
| Signals and conversations | Duration of subscription; deleted within 30 days of written request or termination |
| Data from disconnected integrations | Purged within 7 days of disconnection |
| Application and access logs | 12 months |
| WorkOS audit logs | 30 days (configurable on request) |
| Database backups | 6-day rolling window |
| Payment records | 5 years (Danish Bookkeeping Act / Bogføringsloven) |
| Support communications | 3 years |
EU SCCs. Where the EU SCCs are used as a transfer mechanism, they are considered completed as follows:
UK SCCs. Where the UK SCCs apply, they will be deemed completed as follows:
The following describes Palette's key technical and organizational security measures in place as of the date of this DPA. Current controls and the Processor's certification status are published at https://trust.palette.team/.
The following Sub-processors are authorised as at the date of this DPA. The live, up-to-date list is always maintained at https://trust.palette.team/. For change notification procedures, see Section 5.3.
| Sub-processor | Country | Purpose | Transfer mechanism |
|---|---|---|---|
| Railway | Netherlands (EU) | Application hosting, PostgreSQL, Redis, backups | N/A — EU hosted |
| Anthropic | USA | LLM inference (Claude models) | EU SCCs; DPF certification |
| OpenAI | USA | LLM inference and embeddings | EU SCCs; DPF certification |
| WorkOS | USA | Authentication, authorisation (FGA), audit logs | EU SCCs; DPF certification |
| Nango | USA | Integration platform, OAuth token storage and management | EU SCCs |
| Inngest | USA | Workflow orchestration and durability | EU SCCs |
| Composio | USA | MCP agent tools | EU SCCs |
| Mastra Observability | USA | AI observability, prompt tracing, evaluation | EU SCCs |
| Sentry | USA | Error monitoring and diagnostics | EU SCCs; DPF certification |
| Better Stack | USA | Log management and uptime monitoring | EU SCCs |
| PostHog | EU / USA | Product analytics | EU SCCs |
| Knock | USA | Multi-channel notifications | EU SCCs |
| Loops | USA | Transactional and lifecycle email | EU SCCs |
| Vanta | USA | Compliance platform (SOC 2 Type II, ISO 27001) | EU SCCs |
Doppler is used for operational secrets management only and does not process personal data of data subjects.
Questions about this DPA: legal@palette.team