Data Processing Agreement
Last updated: 18 June 2026
In short
This Data Processing Agreement applies when Numina keeps your books and therefore processes personal data on your behalf — e.g. data about your company’s customers, suppliers and employees. Here you are the data controller and Numina is the data processor. The agreement is entered into under Article 28 of the GDPR and, together with your Engagement Letter and our Terms of Service, forms part of the Agreement between us.
The processing for which Numina is itself the data controller (e.g. customer administration and anti-money-laundering) is instead described in our Privacy Policy.
This Data Processing Agreement (the "Clauses") is entered into pursuant to Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR) for the purpose of the data processor’s processing of personal data, between:
- the data controller: the Customer as identified in the Engagement Letter (the "data controller"), and
- the data processor: Numina Regnskab ApS, reg. no. 46553705, Kanonbådsvej 2, 1437 Copenhagen K (the "data processor"),
each a "party" and together the "parties".
The Clauses set out the data processor’s rights and obligations when it processes personal data on behalf of the data controller. The Clauses form an integral part of the Agreement, cf. the Terms of Service, and apply to the extent the data processor processes personal data on the data controller’s behalf. This also covers personal data the data controller enters or uploads to the Platform during a Trial, cf. the Terms of Service. Terms defined in the Terms of Service have the same meaning here.
1. Preamble
1.1: These Clauses set out the data processor’s rights and obligations when processing personal data on behalf of the data controller.
1.2: The Clauses are designed to ensure the parties’ compliance with Article 28(3) of the GDPR.
1.3: In connection with providing bookkeeping and accounting services, the data processor processes personal data on behalf of the data controller in accordance with these Clauses.
1.4: The Clauses take precedence over any similar provisions in other agreements between the parties, as regards the processing of personal data.
1.5: Three appendices are attached to these Clauses and form an integral part of them. Appendix A contains details about the processing, including its purpose and nature, the types of personal data, the categories of data subjects and the duration of the processing. Appendix B contains the conditions for the data processor’s use of sub-processors and a list of approved sub-processors. Appendix C contains the data controller’s instructions and a description of the security measures the data processor implements as a minimum.
1.6: The Clauses and their appendices are retained in writing, including electronically, by both parties.
1.7: These Clauses do not release the data processor from obligations imposed on it by the GDPR or any other legislation.
2. The data controller’s rights and obligations
2.1: The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24), data protection provisions in other EU law or the national law of the member states, and these Clauses.
2.2: The data controller has the right and obligation to make decisions about the purpose(s) and means of the processing of personal data.
2.3: The data controller is responsible, among other things, for ensuring that there is a legal basis for the processing that the data processor is instructed to perform.
3. The data processor acts on instructions
3.1: The data processor may only process personal data on documented instructions from the data controller, unless required to do so by EU law or the national law of the member states to which the data processor is subject. In that case, the data processor informs the data controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
3.2: The data controller’s instructions are set out in these Clauses and their appendices, in the Engagement Letter and in the Terms of Service. A preliminary set of instructions is described in Appendix C. The instructions may at any time be amended or further specified by the data controller in writing.
3.3: The data processor immediately informs the data controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
4. Confidentiality
4.1: The data processor ensures that only persons currently authorised may access the personal data processed on behalf of the data controller. Access is therefore closed down immediately if the authorisation is withdrawn or expires.
4.2: The data processor grants access to the personal data only to persons for whom access is necessary in order to fulfil the data processor’s obligations to the data controller.
4.3: The data processor ensures that persons authorised to process personal data on behalf of the data controller have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.4: At the data controller’s request, the data processor must be able to demonstrate that the persons concerned are subject to the above confidentiality obligation.
5. Processing security
5.1: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the data processor implements appropriate technical and organisational measures to ensure a level of security appropriate to those risks, cf. Article 32 of the GDPR. The minimum measures implemented by the data processor are set out in Appendix C.
5.2: The data processor assists the data controller in ensuring compliance with the controller’s obligation under Article 32, among other things by making available the information necessary regarding the technical and organisational security measures the data processor has already implemented.
6. Use of sub-processors
6.1: The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR in order to engage another processor (a sub-processor).
6.2: The data processor has the data controller’s general authorisation to use sub-processors. The list of sub-processors approved by the data controller is set out in Appendix B.
6.3: The data processor informs the data controller in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data controller the opportunity to object to such changes before the sub-processor in question is engaged.
6.4: Where the data processor uses a sub-processor, it imposes on the sub-processor, by way of a contract, the same data protection obligations as those set out in these Clauses, including the requisite guarantees of appropriate technical and organisational measures.
6.5: If the sub-processor fails to fulfil its data protection obligations, the data processor remains fully liable to the data controller for the performance of the sub-processor’s obligations.
7. Transfer to third countries or international organisations
7.1: Any transfer of personal data to third countries or international organisations may only be carried out by the data processor on documented instructions from the data controller and must always take place in accordance with Chapter V of the GDPR.
7.2: Numina processes all personal data covered by this Data Processing Agreement within the EU/EEA, including AI processing, on Microsoft Azure data centres in the EU. All sub-processors in Appendix B process personal data within the EU/EEA. The data processor does not transfer personal data to third countries or international organisations without the data controller’s documented instructions, unless required to do so by EU or national law; in that case, the data processor informs the data controller of the requirement before processing, unless notification is prohibited. Should such a transfer take place, it is carried out on a valid transfer basis under Chapter V, such as the European Commission’s Standard Contractual Clauses (SCCs).
8. Assistance to the data controller
8.1: Taking into account the nature of the processing, the data processor assists the data controller, as far as possible and by appropriate technical and organisational measures, in fulfilling the controller’s obligation to respond to requests to exercise the data subjects’ rights under Chapter III of the GDPR, including:
- the duty to inform when collecting data from the data subject
- the duty to inform when personal data have not been collected from the data subject
- the right of access
- the right to rectification
- the right to erasure (the “right to be forgotten”)
- the right to restriction of processing
- the duty to notify in connection with rectification or erasure of personal data or restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing, including profiling
8.2: Taking into account the nature of the processing and the information available to it, the data processor further assists the data controller in complying with the obligations under Articles 32-36 of the GDPR, including:
- notification of a personal data breach to the Danish Data Protection Agency, where possible within 72 hours of the data controller becoming aware of the breach
- communication of a personal data breach to the data subjects
- carrying out a data protection impact assessment (DPIA)
- prior consultation of the Danish Data Protection Agency
8.3: The data processor is entitled to payment on a time-spent basis for assistance under this section to the extent the assistance goes beyond what the data processor is itself obliged to provide under the GDPR, cf. the Terms of Service.
9. Notification of a personal data breach
9.1: The data processor notifies the data controller without undue delay after becoming aware that a personal data breach has occurred. The notification is made, where possible, within 72 hours of the data processor becoming aware of the breach, so that the data controller can comply with any obligation to notify the breach to the Danish Data Protection Agency under Article 33 of the GDPR.
9.2: The data processor assists the data controller in providing the information that, under Article 33(3), must be included in the controller’s notification, including:
- the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned
- the likely consequences of the breach
- the measures taken or proposed to address the breach, including to mitigate its possible adverse effects
10. Erasure and return of data
10.1: The following rules require retention of personal data after the processing has ended: the obligation to retain information obtained for customer due diligence under section 30 of the Danish Anti-Money Laundering Act (5 years after the end of the business relationship) and the obligation to retain accounting materials under the Danish Bookkeeping Act (5 years from the end of the financial year concerned). During that period the data processor processes the data solely for those purposes.
10.2: On termination of the processing, and once the statutory retention in section 10.1 has expired, the data processor must, at the data controller’s choice, either delete or return and delete existing copies of all personal data processed on behalf of the data controller, unless EU or national law requires continued storage.
10.3: The data controller may request the necessary documentation that erasure or return has taken place.
11. Audit, including inspection
11.1: The data processor makes available to the data controller all information necessary to demonstrate compliance with Article 28 of the GDPR and these Clauses, and allows for and contributes to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
11.2: Audits and inspections are carried out on reasonable notice, during normal business hours and without undue disruption to the data processor’s operations. The data processor may demonstrate compliance by means of up-to-date audit reports or certifications, where available.
11.3: The data processor grants supervisory authorities that have access under applicable law access to the data processor’s physical facilities upon proper identification.
12. The parties’ agreement on other matters
12.1: Provisions on e.g. liability between the parties are governed by the Terms of Service and the Engagement Letter. Such provisions must not, directly or indirectly, conflict with these Clauses or diminish the data subjects’ fundamental rights and freedoms under the GDPR.
13. Commencement and termination
13.1: The Clauses take effect at the same time as the Agreement, cf. the Terms of Service, and remain in force for as long as the processing of personal data on behalf of the data controller continues.
13.2: Either party may require the Clauses to be renegotiated if changes in the law or inconveniences give rise to this.
13.3: The Clauses cannot be terminated separately for as long as the processing continues. When the processing ends and the personal data have been deleted or returned in accordance with section 10, the Clauses terminate automatically.
13.4: Section 4 (Confidentiality) and the obligations that by their nature are to have effect after termination remain in force after the Clauses terminate.
Appendix A – Details about the processing
A.1. Purpose and nature
The data processor’s processing of personal data on behalf of the data controller takes place for the purpose of providing the agreed bookkeeping and accounting services, including ongoing bookkeeping, posting, bank reconciliation, accounts receivable and payable management, voucher and expense handling, invoicing and — where agreed — VAT and tax reporting and preparation of the annual report. The processing comprises collection, recording, organisation, storage, use, combination (including by means of artificial intelligence under human supervision) and erasure or return of the data.
A.2. Types of personal data
The processing comprises, among other things, ordinary personal data such as name, contact details (email, phone, address) and position, as well as financial data, transaction and invoice data and bank details (e.g. account numbers). In the accounting materials the processing may exceptionally comprise Danish civil registration (CPR) numbers. To the extent that scanning and filtering of the data controller’s email traffic (e.g. Gmail) forms part of the service, the processing may also comprise special categories of personal data (Article 9 of the GDPR) and data relating to criminal offences (Article 10) where such data appear in the email traffic scanned on the data controller’s behalf.
A.3. Categories of data subjects
The processing comprises personal data about the data controller’s management, owners and employees, as well as about the data controller’s own customers, suppliers and other business contacts, to the extent such data form part of the accounting materials.
A.4. Duration
The processing begins on the entry into force of the Clauses and lasts for as long as the data processor provides the services. The data are thereafter deleted or returned, cf. section 10, subject to the statutory retention under the Anti-Money Laundering Act and the Bookkeeping Act (5 years).
Appendix B – Sub-processors
B.1. Approved sub-processors
On the entry into force of the Clauses, the data controller has approved the use of the following sub-processor:
- Numina Technologies ApS (reg. no. 44991225) — the data processor’s parent company, which develops, owns and operates the Platform and supplies it to the data processor. Processing takes place within the EU/EEA.
- Microsoft (Microsoft Azure) — hosting and AI inference. Processing takes place within the EU/EEA, in data centres in the EU.
- Google (Google Workspace) — email and communications. Processing takes place within the EU/EEA (EU data region).
- Enable Banking (Enable Banking Oy) — secure account access (PSD2) to retrieve bank transactions. Processing takes place within the EU/EEA.
The data processor configures its AI providers so that the data controller’s data are not stored by, or used to train the models of, the provider. An up-to-date list of sub-processors can be requested at any time by contacting support@numina.app.
Third-party services that the data controller chooses to connect to the platform (e.g. bank, Stripe and Gmail) are not the data processor’s sub-processors but are subject to the relevant provider’s own terms, cf. the Terms of Service.
Providers that only process personal data for which Numina is itself the data controller — e.g. website hosting and product analytics — are not sub-processors under this Data Processing Agreement and are instead set out in the Privacy Policy.
B.2. Notice of new sub-processors
The data processor informs the data controller in writing of intended additions or replacements of sub-processors at least 30 days in advance, so that the data controller can object, cf. section 6.3.
Appendix C – Instructions and security measures
C.1. Subject of the processing
The data processor processes personal data on behalf of the data controller for the purpose of providing the bookkeeping and accounting services agreed in the Engagement Letter, including AI-assisted processing under human supervision. Anonymised and aggregated data that can no longer be attributed to any individual may be used to improve the data processor’s services and AI; this forms part of the data controller’s instructions, and the data controller may object to it at any time. This improvement use does not take place during a Trial, cf. the Terms of Service, section 3.9. For data originating from Google services, the specific Limited Use restrictions described in the Privacy Policy also apply.
C.2. Security measures
The data processor implements, as a minimum, the following technical and organisational measures, cf. Article 32 of the GDPR:
- all processing, including AI processing, takes place within the EU/EEA, on Microsoft Azure data centres in the EU
- encryption of personal data in transit and at rest
- access control on a least-privilege basis and use of multi-factor authentication to prevent unauthorised access
- access to the data controller’s data is limited to authorised employees and closed down when no longer necessary
- logging and monitoring of access to and processing of the data
- regular backups and tested procedures for restoring data
- a confidentiality obligation for all employees who process the data
- configuration of AI providers so that the data are not stored by, or used to train the models of, the provider
C.3. Storage and erasure
Personal data are retained in accordance with the retention obligation in section 30 of the Anti-Money Laundering Act (5 years after the end of the business relationship) and the Bookkeeping Act. The data processor thereafter deletes or returns the data at the data controller’s choice, cf. section 10.