Status — compliant. Berserk ApS aligns with the EU General Data Protection Regulation (Regulation 2016/679). Because the shipped product is self-hosted, customer telemetry stays in the customer's infrastructure — Berserk ApS has no customer-data sub-processors today.
This page is the procurement-shaped GDPR readiness extract. For the day-one DPA your legal team needs, see DPA Template; for the website-visitor privacy notice, see Privacy Notice; for the buyer-readiness summary, see Trust Overview.
Berserk ApS acts in two distinct roles depending on the activity. The role determines which GDPR articles bind us and how to read the rest of this page.
| Activity | Berserk's role | Controller |
|---|---|---|
| Self-hosted product (telemetry from customer apps) | Not a processor. Berserk has no access to the data; it never leaves the customer. | The customer. |
| Support engagement under DPA — customer shares specific telemetry | Processor under Article 28. | The customer (or, if the customer is itself a processor, the customer's controller — we are then a sub-processor). |
| Employee + contractor records, payroll, contractor invoicing | Controller under Article 4(7). | Berserk ApS. |
| Sales contacts and prospect outreach | Controller. | Berserk ApS. |
| hello@bzrk.dev and security@bzrk.dev inboxes | Controller. | Berserk ApS. |
| Job applications, server logs (bzrk.dev), newsletter (when active) | Controller. | Berserk ApS. |
For the activities where Berserk ApS is the controller, the Article 6 lawful basis per category:
| Processing | Lawful basis under Art. 6 |
|---|---|
| Employee + contractor records | Contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)). |
| Sales / marketing contacts | Legitimate interest (Art. 6(1)(f)), with opt-out at every contact point. |
| hello@ / security@ inboxes | Legitimate interest (Art. 6(1)(f)) — responding to enquiries; operating the CVD process. |
| Job applications | Pre-contractual measures at the data subject's request (Art. 6(1)(b)). |
| Server logs (bzrk.dev) | Legitimate interest (Art. 6(1)(f)) — operating, debugging, abuse handling. |
| Newsletter / waitlist (when active) | Consent (Art. 6(1)(a)). |
We do not process special categories of personal data (Art. 9) as a controller.
When Berserk ApS acts as a processor under DPA, the customer (as controller) determines the Article 6 lawful basis for the underlying processing. Berserk acts only on the customer's documented Article 28 instructions and does not establish its own Article 6 basis for that data. The instructions in force are recorded in the DPA Template and may be supplemented in writing during the engagement.
Berserk does not require, request, or pre-define special-category data (Art. 9) on the processor side; if a customer chooses to share such data during a support engagement, the customer remains responsible for the Article 9 lawfulness of that disclosure under its own instructions.
Requests under Articles 15–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making) are handled by the CEO. Response SLA: 30 days from receipt.
Routing:
hello@bzrk.dev, subject line GDPR request.
We do not charge a fee for legitimate requests; manifestly unfounded or excessive requests may attract a reasonable fee under Art. 12(5).
The role determines the route. Berserk runs both clocks from the same internal procedure, but the obligations differ.
For breaches affecting data Berserk holds as controller
(employee + contractor records, sales contacts, hello@ / security@
inboxes, job applications, server logs, newsletter): Berserk notifies
Datatilsynet (Danish DPA) under GDPR Article 33 within
72 hours of becoming aware, unless the breach is unlikely to
result in a risk to the rights and freedoms of natural persons.
Where the breach is likely to result in a high risk to those
rights, Berserk also notifies affected data subjects directly under
GDPR Article 34, without undue delay; the Article 34 notice may
be skipped where Article 34(3) conditions are met (e.g. the data
was rendered unintelligible by encryption, or follow-up measures
have eliminated the high risk).
For breaches affecting personal data Berserk holds as processor under DPA, GDPR Article 33(2) governs: Berserk notifies the customer (controller) without undue delay, with a target of ≤24 hours from awareness — see DPA §"Personal-data breach notification". The controller — not Berserk — decides whether the breach meets the Article 33 / 34 thresholds and notifies its supervisory authority and data subjects accordingly. Berserk assists the controller in that assessment under Article 28(3)(f) by providing the technical information available to it.
The internal breach-notification procedure (notification timeline,
content template, escalation tree, Art. 33 vs Art. 28 routing) is
available to enterprise customers under NDA on request to
security@bzrk.dev. It is exercised every October together with
the NIS2 Article 23 drill — see the NIS2
page for that side, the Trust Overview for the
technical reporting model, and the
Coordinated Vulnerability Disclosure
policy for the inbound side.
Berserk operates from Denmark and uses EU/EEA-located infrastructure (Hetzner Germany, Proton Switzerland — Switzerland has a Commission adequacy decision under Art. 45). Customer data shared under DPA is not transferred outside the EU/EEA without the customer's explicit written instruction. Where a transfer is necessary and the customer instructs it, we rely on Standard Contractual Clauses 2021/914 or an adequacy decision for the destination.
The customer-facing Art. 28 sub-processor list with locations is at Sub-processors; the broader corporate-vendor list (which is in the controller-side scope) is in our internal supplier register, available under NDA. Schrems II considerations are reflected in vendor selection (preference for EU/EEA-domiciled or adequacy-covered providers; SCCs where used).
Berserk ApS maintains an Article 30(1) controller register covering the three controller activities above (employee data, sales contacts, security@/hello@ inboxes). The register names purpose, categories of data subjects, categories of personal data, recipients, transfers (none), retention windows, and security measures.
Article 30(2) processor register: minimal — customer-by-customer DPA engagements are logged with categories, purpose, sharing dates, and deletion confirmation, per the procedure in our internal data-handling policy.
Both registers are available to enterprise customers under NDA on
request to security@bzrk.dev. The summary public version of the
controller register is on this page; the processor register is
operational and is shared per-engagement with the customer it concerns.
| Class | Default retention |
|---|---|
| Customer data (under DPA) | Length of the support engagement only; then deletion per the customer's choice. |
| Employee data | Per Danish employment / tax law (typically 5 years post-employment for payroll). |
| Sales contacts | Until objection or 3 years inactive, whichever is sooner. |
| Security@ / hello@ correspondence | 12 months unless the thread relates to an open engagement or an unresolved security issue. |
| Internal logs (Berserk-controlled systems) | 90 days hot, longer for incident-related; older than 90 days only on a documented justification. |
The technical and organizational measures we apply as both controller and processor are summarised in the DPA Template Annex A and detailed in the Security Whitepaper. The internal mapping to the NIS2 / ISO 27001 control sets is at ISO 27001 Readiness and the Security Roadmap for items in flight.
The two are different and we keep them separate:
Sub-processors under GDPR Art. 28 — third parties that process customer personal data on the customer's behalf under our DPA. The full list is at Sub-processors. The shipped product itself has none because it runs in customer infrastructure; during voluntary support engagements only Proton applies, and only for the email channel the customer chose.
Corporate vendors — third parties Berserk ApS uses to run the
company (hosting, email, source control, chat, identity provider,
engineering tooling). For the data Berserk holds as controller,
these vendors are recipients in the GDPR sense, not Art. 28
sub-processors. They are tracked in an internal supplier register
available to enterprise customers under NDA on request to
security@bzrk.dev. Today: Hetzner (DE), Proton (CH, adequacy),
GitHub (US, SCCs), Discord (US, SCCs), OpenAI (US, SCCs),
Anthropic (US, SCCs), Netbird (NL), FoxIDs (DK).
When a sub-processor is added or replaced for a customer engagement under DPA, the customer receives 30 days' notice before the change takes effect (DPA §"Sub-processors"). Corporate-vendor changes are not customer-notifiable; they appear in the next revision of the internal supplier register.
Berserk ApS is not required to appoint a DPO under GDPR Art. 37 today: we have no public-authority status (Art. 37(1)(a)), no large-scale regular and systematic monitoring of data subjects as a core activity (Art. 37(1)(b)), and no large-scale processing of special-category or criminal-conviction data (Art. 37(1)(c)). We re-evaluate against the same Art. 37 criteria on every material change in the nature, scope, context, or purpose of our processing — most relevantly: a managed offering that scales the processing of customer end-user data; a product change that crosses into systematic monitoring of data subjects; or any introduction of special-category-data processing on the controller side. Headcount or revenue alone are NIS2 size-cap concepts and are not GDPR Art. 37 triggers; we mention them only because they often co-occur with processing-side changes.
The internal trigger list lives in the data-handling policy and is reviewed annually as part of the management review.
Berserk ApS's competent supervisory authority is Datatilsynet
(the Danish Data Protection Agency, Carl Jacobsens Vej 35, 2500
Valby, Denmark — dt@datatilsynet.dk).
hello@bzrk.dev with subject GDPR request.
security@bzrk.dev.
hello@bzrk.dev.
Under NDA on request to security@bzrk.dev:
policies/data-handling-policy.md).
procedures/breach-notification-procedure.md).
2026-05-04. Review cadence: annual (June) plus on every material change to the DPA template or to a sub-processor. The internal compliance calendar that drives this and every other recurring compliance task is NDA-only; the public extract of the review-cadence summary lives at ISO 27001 Readiness §"Review cadence".