Legal
Data Processing Agreement
Effective Date: 29 March 2026 · Valueclose ApS, registered in Denmark
This Data Processing Agreement (“DPA”) forms part of the agreement between Valueclose ApS (“Valueclose,” “we,” “us,” “our”) and the customer entity that has accepted our Terms of Service (“Customer,” “you”). This DPA is incorporated into and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms of Service on matters of data processing, this DPA controls.
This DPA applies where Valueclose processes personal data on behalf of the Customer in the course of providing the Service, as required by Article 28 of the General Data Protection Regulation (GDPR).
1. Definitions
In this DPA:
- “Controller” means the Customer, who determines the purposes and means of processing personal data of their personnel and session participants.
- “Processor” means Valueclose, who processes personal data on behalf of the Controller.
- “Data Subject” means the individual to whom the personal data relates (primarily employees, contractors, and team members of the Customer who participate in training sessions on the Service).
- “Personal Data,” “Processing,” “Supervisory Authority,” and “Personal Data Breach” have the meanings given to them in the GDPR.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “EEA” means the European Economic Area.
- “Sub-processor” means any third-party processor engaged by Valueclose to carry out Processing activities on behalf of the Controller.
- “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission.
- “Service” means the Valueclose value selling training platform as described in the Terms of Service.
2. Roles of the Parties
The parties agree that, in relation to the Processing of personal data of the Customer's personnel and session participants, the Customer acts as Controller and Valueclose acts as Processor. Valueclose processes personal data only for the purpose of providing and improving the Service and only on the documented instructions of the Controller, except where required to do so by applicable law, in which case Valueclose will inform the Controller of that legal requirement before Processing (unless prohibited by law on important grounds of public interest).
3. Details of Processing
3.1 Subject matter
The provision of the Valueclose training platform, including session management, scoring, private feedback delivery, team management, and related features.
3.2 Duration
For the duration of the Customer's subscription or active access to the Service, plus any retention period specified in section 11 below.
3.3 Nature and purpose of Processing
Valueclose processes personal data to: create and maintain user accounts; facilitate structured role-play training sessions; record, store, and deliver session scores and written feedback to participants; enable session invitations and notifications; maintain team and company account records; and provide customer support.
3.4 Types of personal data processed
- Name and email address (account credentials and identification)
- Company name and role within the company
- Session scores (numerical performance data)
- Written feedback submitted by and delivered to participants
- Session participation history
- IP addresses and device/browser information (technical logs)
- Billing contact information (transmitted to Stripe for payment processing)
3.5 Categories of data subjects
- Employees, contractors, and team members of the Customer
- Individuals invited to training sessions by Customer personnel
4. Controller Obligations
The Customer, as Controller, is responsible for:
- Ensuring it has a lawful basis under GDPR to instruct Valueclose to process personal data, including where applicable obtaining necessary consents from data subjects or ensuring another lawful basis applies.
- Providing data subjects with appropriate privacy notices, including information about processing carried out by Valueclose as Processor on the Controller's behalf, to the extent required by applicable law.
- Ensuring that any instructions given to Valueclose regarding the Processing of personal data comply with applicable data protection law.
- Promptly informing Valueclose of any changes to applicable data protection law that affect the Processing under this DPA.
5. Processor Obligations
Valueclose, as Processor, agrees to:
- Process personal data only on documented instructions from the Controller, unless required by applicable EU or Member State law. Where Processing is required by law, Valueclose will notify the Controller unless the law prohibits such notification.
- Ensure that all personnel authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures as described in section 7 of this DPA (Security Measures).
- Assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR, to the extent Valueclose is reasonably able to do so given the nature of the Processing.
- Assist the Controller in ensuring compliance with GDPR Articles 32 to 36 (security, breach notification, data protection impact assessment, and prior consultation), taking into account the nature of the Processing and information available to Valueclose.
- At the choice of the Controller, delete or return all personal data to the Controller on termination of the Service, and delete existing copies unless applicable law requires continued storage, subject to section 11.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations in GDPR Article 28, and allow for and contribute to audits as described in section 10 of this DPA.
6. Sub-processors
The Controller provides general authorisation for Valueclose to engage sub-processors. Valueclose currently uses the following sub-processors to deliver the Service:
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure | EU | Data stored in EU, no transfer outside EEA |
| Scaleway SAS | Cloud infrastructure | EU (France) | EU entity, no transfer outside EEA |
| Brevo SAS | Transactional email | EU (France) | EU entity, no transfer outside EEA |
| Cloudflare, Inc. | Image storage and content delivery | US (EU data centre options) | EU-US Data Privacy Framework / Standard Contractual Clauses |
| Stripe, Inc. | Payment processing (billing contact data only) | US | EU-US Data Privacy Framework / Standard Contractual Clauses |
Valueclose will impose data protection obligations on all sub-processors equivalent to those set out in this DPA. Valueclose will notify the Controller of any intended changes to sub-processors by updating this DPA on our website and, where practicable, notifying the Controller by email at least 14 days before the change takes effect. The Controller may object to a new sub-processor on reasonable grounds related to data protection by notifying Valueclose in writing within 14 days of receiving notice. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Service on written notice.
Valueclose remains fully liable to the Controller for the acts and omissions of its sub-processors in performing the Processing under this DPA.
7. Security Measures
Valueclose implements the following technical and organisational security measures in accordance with GDPR Article 32:
- Encryption in transit: All data transmitted between users and Valueclose servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Personal data stored on Valueclose infrastructure is encrypted at rest.
- Password security: Passwords are stored exclusively as cryptographic hashes (bcrypt or equivalent). Passwords are never stored or transmitted in plain text.
- Access controls: Access to personal data is restricted to personnel who need it to perform their job functions (least privilege). Role-based access controls are enforced at both the application and database layers. Administrative access requires secure authentication and is logged for audit purposes.
- Network security: Firewall rules and private networking are applied at the hosting layer. Application services communicate over private networks where possible.
- Data isolation: Personal data is logically isolated per company account. No company account can access another company's data through the application layer.
- Incident response: Valueclose maintains an incident response process that includes detection, containment, assessment, notification, and post-incident review.
- Organisational measures: Personnel with access to personal data are subject to confidentiality obligations. Security awareness is maintained among staff with access to the Service infrastructure.
Valueclose will regularly review and, where appropriate, update these security measures in response to technological developments and changes in the risk profile of the Processing.
Valueclose cannot guarantee that any security measures will be completely effective. No system can be fully secured. The Controller is responsible for its own access credential security and for ensuring its personnel comply with these Terms.
8. Data Subject Rights
Valueclose will, upon receiving a data subject rights request that appears to relate to personal data processed under this DPA, promptly forward the request to the Controller (using the billing contact on file) and cooperate with the Controller to fulfil the request within the applicable legal deadline.
If a data subject contacts Valueclose directly to exercise their rights, Valueclose will inform them that their request should be directed to the Customer as Controller, unless the request specifically relates to Valueclose's own processing (e.g., deletion of account data). Valueclose will respond to requests for account deletion and data access that fall within Valueclose's own controller obligations under GDPR.
9. Personal Data Breach Notification
In the event Valueclose becomes aware of a Personal Data Breach affecting personal data processed under this DPA, Valueclose will:
- Notify the Controller without undue delay, and where feasible within 72 hours of becoming aware of the breach, to allow the Controller to meet its own notification obligations under GDPR Article 33.
- Provide the Controller with sufficient information to allow the Controller to comply with its notification obligations, including: the nature of the breach; the categories and approximate number of data subjects and personal data records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach.
- Take reasonable steps to mitigate the effects of the breach and prevent recurrence.
Valueclose's notification of a breach does not constitute an acknowledgement of fault or liability. The Customer, as Controller, remains responsible for assessing whether the breach requires notification to the relevant supervisory authority and to affected data subjects under GDPR Articles 33 and 34.
10. Audit Rights
Valueclose will, upon reasonable written request from the Controller (with at least 30 days' notice), make available to the Controller information reasonably necessary to demonstrate compliance with the obligations in this DPA.
Where the Controller requires an audit or inspection, the Controller may conduct such an audit itself or appoint a mutually agreed independent third-party auditor subject to reasonable confidentiality undertakings. Audits must be conducted during normal business hours, with minimal disruption to Valueclose's operations, and at the Controller's own cost unless the audit reveals a material breach of this DPA by Valueclose. The parties will agree in advance on the scope, timing, and duration of any audit. Audits may not be conducted more than once per calendar year unless there has been a confirmed Personal Data Breach.
11. Deletion and Return of Data
On termination or expiry of the Customer's subscription, or on written request from the Controller:
- Valueclose will delete personal data relating to the Customer's account and personnel within 90 days of the termination date, subject to any legal retention obligations.
- If the Controller requests export of session data (scores, participation records) before termination, Valueclose will provide a data export in a machine-readable format where technically feasible.
- Valueclose may retain personal data where required by applicable law (e.g., accounting and tax records), for the duration required by that law. Retained data will not be processed for any other purpose.
12. International Data Transfers
Personal data processed under this DPA is primarily stored on EU-based infrastructure (DigitalOcean and Scaleway, both with EU data centres). Where personal data is transferred to sub-processors located outside the EEA (Cloudflare, Stripe), Valueclose ensures appropriate safeguards are in place: either the EU-US Data Privacy Framework adequacy decision or Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
Valueclose will not transfer personal data outside the EEA to any sub-processor that is not covered by an approved transfer mechanism.
13. Limitation of Liability
The limitation of liability provisions in section 13 of the Terms of Service apply to claims arising under this DPA. Each party's total liability under this DPA, whether in contract, tort, or otherwise, shall not exceed the amounts set out in the Terms of Service liability cap. Neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages arising under this DPA.
Nothing in this DPA excludes or limits either party's liability for: fraud; death or personal injury caused by negligence; any liability that cannot be excluded or limited by applicable law; or wilful misconduct or gross negligence.
This DPA does not affect either party's liability to data subjects or supervisory authorities under applicable data protection law. GDPR enforcement by supervisory authorities (including administrative fines under GDPR Articles 83 and 84) operates independently of the contractual liability regime in this section.
14. Conflict and Order of Precedence
In the event of any conflict between this DPA and the Terms of Service on matters relating to the Processing of personal data, this DPA will control. In all other respects, the Terms of Service continue to apply.
15. Governing Law
This DPA is governed by and construed in accordance with the laws of Denmark. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Copenhagen, Denmark, consistent with the Terms of Service.
16. Changes to This DPA
Valueclose may update this DPA from time to time to reflect changes in law, security practices, or sub-processor arrangements. Material changes will be notified to the Controller by email or by notice within the Service at least 14 days before they take effect. The updated DPA will be published at valueclose.com/dpa. Continued use of the Service after the effective date constitutes acceptance of the revised DPA.
Customers subject to contracts that require a countersigned DPA should contact [email protected] to arrange a countersigned version.
17. Contact
For questions about this DPA, data subject rights requests, or to request a countersigned version of this agreement:
Email: [email protected]
Processor: Valueclose ApS, Denmark
See also: Terms of Service · Privacy Policy · Valueclose ApS, Denmark