Data Processing Agreement
Effective date: March 14, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Balladic, operated by FORN Studio (CVR 39172569) (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) and governs the processing of personal data by the Processor on behalf of the Controller.
This DPA is based on the CommonPaper DPA Standard Terms (Version 1.0).
1. Key Terms
| Term | Details |
|---|---|
| Processor | Balladic, operated by FORN Studio (CVR 39172569) |
| Address | Søborg Hovedgade 177C 3TH, 2860 Søborg, Denmark |
| Contact | [email protected] |
| Processing purposes | Providing the Balladic cowork service, including task organisation, collaboration, notifications, search, and AI-powered features |
| Categories of data subjects | Controller’s employees, contractors, and clients who use the service |
| Types of personal data | Name, email address, profile picture, task and project content, file attachments, usage and activity data |
| Data location | European Union (Netherlands, Germany, France) |
| Applicable law | Laws of Denmark |
| Supervisory authority | Datatilsynet (Danish Data Protection Agency) |
2. Definitions
“Data Protection Laws” means all applicable laws relating to the processing of personal data, including GDPR (Regulation (EU) 2016/679) and any national implementing legislation.
“Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, and “Supervisory Authority” have the meanings given in Article 4 of GDPR.
“Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
3. Scope and Roles
3.1. The Controller determines the purposes and means of processing personal data. The Processor processes personal data only on behalf of and in accordance with the Controller’s documented instructions.
3.2. This DPA applies to all personal data processed by the Processor in connection with providing the Balladic service to the Controller.
3.3. The Processor shall not process personal data for any purpose other than those specified in this DPA, unless required by applicable law. In such case, the Processor shall inform the Controller of the legal requirement before processing, unless prohibited by law.
4. Processor Obligations
4.1. The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers outside the EU/EEA
- Ensure that persons authorised to process personal data have committed to confidentiality or are under a statutory obligation of confidentiality
- Implement appropriate technical and organisational security measures as described in Section 5
- Assist the Controller in fulfilling its obligations to respond to data subject requests
- Assist the Controller in ensuring compliance with GDPR Articles 32-36, taking into account the nature of processing and available information
- At the Controller’s choice, delete or return all personal data upon termination of the service, and delete existing copies unless applicable law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with the obligations in GDPR Article 28
5. Security Measures
5.1. The Processor implements and maintains the following technical and organisational measures to protect personal data:
Infrastructure and access:
- All services hosted within the European Union, with primary infrastructure in the Netherlands (Amsterdam)
- Encryption in transit (TLS 1.2+) and at rest
- Role-based access control with principle of least privilege
- Multi-factor authentication for infrastructure access
Application security:
- Authentication via secure token-based sessions
- Input validation and sanitisation at all boundaries
- Regular dependency updates and vulnerability scanning
Operational security:
- Automated backups with point-in-time recovery
- Monitoring and alerting for anomalous activity
- Incident response procedures with defined escalation paths
6. Sub-processors
6.1. The Controller grants general authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
6.2. The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
6.3. Current sub-processors:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Railway Corporation | Application hosting and infrastructure | Netherlands (EU) | DPF / SCCs |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, object storage (R2) | EU (with global edge network) | DPF / SCCs |
| Stripe, Inc. | Payment processing and billing | EU/US | DPF / SCCs |
| Mistral AI | AI-powered features (feed ranking, suggestions) | France (EU) | N/A (EU-based) |
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring | Germany (EU) | DPF / SCCs |
| PostHog, Inc. | Product analytics | Germany (EU) | DPF / SCCs |
| Resend, Inc. | Transactional email delivery | US | DPF / SCCs |
6.4. If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected service with 30 days’ notice.
7. Data Subject Rights
7.1. The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR, including the rights of access, rectification, erasure, restriction, portability, and objection.
7.2. If the Processor receives a request directly from a data subject, the Processor shall promptly redirect the request to the Controller, unless otherwise instructed.
8. Security Incident Notification
8.1. The Processor shall notify the Controller without undue delay after becoming aware of a security incident affecting personal data processed under this DPA.
8.2. The notification shall include:
- A description of the nature of the incident, including the categories and approximate number of data subjects and records concerned
- The name and contact details of a point of contact for further information
- A description of the likely consequences
- A description of measures taken or proposed to address the incident
8.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the incident.
9. International Transfers
9.1. The Processor shall not transfer personal data outside the EU/EEA unless appropriate safeguards are in place as required by GDPR Chapter V.
9.2. Where sub-processors process data outside the EU/EEA, the Processor ensures that Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms are in place.
9.3. Where sub-processors are established in the United States, the Processor relies on the EU-US Data Privacy Framework and/or Standard Contractual Clauses as the lawful transfer mechanism, as indicated in the sub-processor list above.
10. Audit Rights
10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28.
10.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably disrupt the Processor’s operations.
11. Term and Termination
11.1. This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller.
11.2. Upon termination of the service, the Processor shall, at the Controller’s election, delete or return all personal data within 90 days, except where applicable law requires continued storage.
12. Liability
12.1. The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
12.2. Nothing in this DPA limits or excludes either party’s liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.
13. Contact
For questions about this DPA or to exercise data protection rights, contact us at [email protected].