Data Processing Agreement

Last updated: 2026-05-10

1. Parties & Scope

This Data Processing Agreement ("DPA") is entered into between the customer (the "Controller") and GGFix, Vejlebrovej 18H, 2635 Ishøj, Denmark, CVR 45911667 ("Processor" or "GGFix"). It forms part of the GGFix Terms of Service and governs Processor's processing of personal data on Controller's behalf in connection with the GGFix monitoring platform (the "Service").

This DPA is governed by Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and, where applicable, the UK GDPR and the Swiss Federal Act on Data Protection.

2. Subject Matter & Duration

Subject matter: processing of telemetry, account, and contact data by Processor strictly to provide and operate the Service.

Duration: for as long as Controller maintains an active GGFix account, plus a maximum of ninety (90) days post-termination for backups, audit logs, and billing reconciliation, after which all personal data is deleted or anonymized.

3. Categories of Data

3.1 Machine Telemetry

  • Hardware sensor readings (CPU, GPU, RAM, fan, disk, NVMe, battery)
  • Top processes by memory, CPU and window title
  • Windows Event Log entries (BSOD, disk errors, app crashes)
  • System context (OS build, power plan, last boot reason)
  • Hostname, public IP, agent version

GGFix never collects keystrokes, screenshots, or open file contents.

3.2 Account & Contact Data

  • Email address and display name (Firebase Auth)
  • Billing identifiers and tax IDs (via Stripe)
  • Telegram chat ID where the user has linked the alerts bot
  • Optional team-member email addresses invited by the Controller

4. Categories of Data Subjects

  • The Controller's authorized employees, contractors, and team members
  • End users of machines on which the GGFix agent is installed by the Controller
  • Contacts submitted via the GGFix contact form on Controller's domain

5. Sub-Processors

Controller hereby grants Processor general written authorization to engage the following sub-processors, each of which is bound by data-protection terms no less protective than this DPA:

Sub-Processor | Purpose | Region
Google LLC (Firebase / Google Cloud) | Auth, Firestore, Cloud Functions, hosting | USA (us-central1) — EU SCCs in place
Anthropic, PBC | AI alert generation, chat, monthly reports (Claude) | USA — EU SCCs in place
Stripe Payments Europe, Ltd. | Subscription billing, invoicing, payment processing | EU / Ireland
Resend, Inc. | Transactional email delivery (monthly reports, account) | USA — EU SCCs in place
Telegram FZ-LLC | Alert delivery via the @GGFixFleetBot bot (opt-in) | Global (UAE/UK)
Cloudflare, Inc. | Frontend hosting, CDN, R2 agent binary distribution | Global edge — EU SCCs in place

Processor will notify Controller (via account email or in-app notice) of any intended addition or replacement of a sub-processor at least thirty (30) days in advance. Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection or, failing that, Controller may terminate the affected portion of the Service.

6. Security Measures

Processor implements appropriate technical and organizational measures, including:

  • AES-256: encryption at rest
  • TLS 1.3: in transit
  • SHA-256: API key hashing
  • Role-based access controls; admin actions gated by Firebase custom claims
  • Least-privilege Cloud Function service accounts; Firestore security rules
  • Per-client telemetry rate limiting; idempotent Stripe webhook with signature verification
  • Single-use 30-minute enrollment tokens; hourly cleanup of expired credentials
  • Continuous monitoring of error and audit logs
  • Routine security review of dependencies and configuration

7. Personal Data Breach Notification

Processor will notify Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal data breach affecting Controller's data. The notice will include, to the extent known: the nature of the breach, categories and approximate volume of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Notice will be given to the email address on file for the Controller account.

8. Data Subject Rights

Processor will provide reasonable assistance to Controller in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection). Account holders may export or delete their telemetry and account data through the in-product Settings page or by emailing contact@ggfix.dk.

9. International Transfers

Where Processor or any sub-processor transfers personal data outside the European Economic Area, the transfer is governed by the European Commission's Standard Contractual Clauses (Decision 2021/914, Module Two: controller to processor) and, where required, the UK International Data Transfer Addendum. The clauses are incorporated into this DPA by reference and take precedence over any conflicting term.

10. Audit & Information Rights

On Controller's reasonable request, and no more than once per twelve-month period (except where required by a supervisory authority), Processor will make available the information necessary to demonstrate compliance with this DPA, including third-party security attestations of its sub-processors where available. On-site audits may be conducted by an independent auditor under mutually agreed conditions of confidentiality and at Controller's cost.

11. Return or Deletion on Termination

Upon termination of the Service, Processor will, at Controller's choice, delete or return all personal data processed under this DPA, and delete existing copies within ninety (90) days, except where storage is required by applicable law (in which case Processor will continue to protect the data and process it only for the purpose mandated by that law).

12. Liability & Order of Precedence

Each party's liability under this DPA is subject to the limitation-of-liability terms of the GGFix Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA prevails.

13. Contact

GGFix Data Protection Unit

Email: contact@ggfix.dk
Phone: +45 28 60 92 02
Address: Vejlebrovej 18H, 2635 Ishøj, Denmark · CVR 45911667