This Data Processing Agreement ("DPA") forms part of the Galdr Terms of Service and applies when your organisation (the "Controller") uses the Galdr service to process personal data of data subjects. It is required by GDPR Article 28.
1. Parties
Controller: The organisation that has subscribed to the Galdr service (identified in the account).
Processor: Galdr ApS, Nørreport 14, 3. sal, 1165 Copenhagen K, Denmark (CVR 44 55 66 77).
2. Definitions
Terms used in this DPA have the meanings given in GDPR (EU 2016/679). "Personal data", "processing", "data subject", "controller", "processor", and "supervisory authority" all have the meanings set out in GDPR Art. 4.
3. Subject matter & scope of processing
Duration
For the duration of the Controller's subscription to the Galdr service.
Nature & purpose
Providing a cloud-based video conferencing and collaboration service, including: conducting video and audio calls, screen sharing, in-meeting chat, meeting recording (where enabled), and account management.
Categories of personal data
- Identity data: name, email address, profile photo (optional)
- Communication data: audio, video, screen-share, chat messages during meetings
- Technical data: IP address, browser type, device identifiers, connection logs
- Meeting metadata: meeting title, duration, participant list, timestamps
Categories of data subjects
Employees, contractors, and clients of the Controller who use the Galdr service.
4. Processor obligations
Galdr ApS shall:
- Process personal data only on documented instructions from the Controller (these Terms and this DPA constitute such instructions)
- Ensure that persons authorised to process personal data are bound by confidentiality
- Implement appropriate technical and organisational security measures (see Section 6)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in fulfilling obligations under GDPR Articles 32–36 (security, breach notification, DPIAs)
- Delete or return all personal data upon termination of the service, per Section 10
- Make available all information necessary to demonstrate compliance and support audits per Section 9
- Notify the Controller immediately if it believes an instruction infringes GDPR
5. Sub-processors
The Controller authorises the use of the following sub-processors. We will provide at least 14 days' advance written notice before adding or replacing sub-processors.
- Hetzner Online GmbH (Germany) — Cloud infrastructure & hosting
- Stripe Payments Europe Limited (Ireland) — Payment processing (billing data only)
All sub-processors are EU-based and bound by GDPR-compliant data processing agreements. No personal data is transferred outside the EEA.
6. Security measures
Galdr implements and maintains the following technical and organisational measures:
- Encryption in transit: TLS 1.3 for all connections; end-to-end encryption for video/audio streams
- Encryption at rest: AES-256 for all stored data including recordings
- Access control: Role-based access; multi-factor authentication for all staff; least-privilege principle
- Infrastructure: ISO 27001-certified datacenters in Frankfurt and Amsterdam
- Monitoring: Continuous security monitoring and intrusion detection
- Backups: Daily encrypted backups with tested restore procedures
- Vulnerability management: Regular penetration testing; responsible disclosure programme
- Staff training: Annual data protection training for all personnel with access to personal data
7. Personal data breach notification
In the event of a personal data breach, Galdr shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of it. Notification shall include:
- Description of the nature of the breach
- Categories and approximate number of data subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Breach notifications shall be sent to the Controller's registered email address and to security@galdr.eu.
8. Data subject rights assistance
Galdr will provide the Controller with reasonable assistance in responding to data subject rights requests under GDPR Chapter III (access, rectification, erasure, portability, restriction, objection). Where technically feasible, account holders can exercise these rights directly from their account settings.
9. Audit rights
Galdr shall make available all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, with reasonable prior notice (at least 30 days) and at the Controller's expense. Audits shall not unreasonably interfere with Galdr's operations. Galdr may satisfy audit obligations by providing third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certificates) in lieu of on-site inspections where the Controller reasonably accepts this.
10. Deletion & return of data
Upon termination of the Galdr service subscription, Galdr shall delete all personal data within 30 days, unless longer retention is required by applicable EU or Danish law. Upon request submitted before termination, Galdr will provide an export of the Controller's data in JSON format. Confirmation of deletion will be provided in writing.
How to sign this DPA
For Pro plan subscribers, this DPA is incorporated by reference into your subscription agreement and is effective upon your acceptance of the Terms of Service. No separate signature is required for the standard DPA.
If you require a countersigned DPA, or a customised DPA for your organisation, please contact legal@galdr.eu.