This is the template Data Processing Agreement (DPA) Berserk ApS offers to customers who, in the course of a support engagement or under a managed offering, share personal data with us. The DPA is the instrument by which Berserk ApS becomes a processor of personal data on the customer's instructions, with the customer remaining the controller under GDPR Article 4(7).
The version of this template effective on the date of execution is binding. Earlier versions remain binding for engagements that referenced them, until superseded.
Status: Template — present this to your legal team. Berserk welcomes minor edits and standard customer DPA forms; material edits trigger an internal legal review on our side.
This DPA is between:

| Item | Detail |
|---|---|
| Subject matter | Berserk processes personal data on the Customer's instructions in connection with the support engagement or managed offering. |
| Duration | The duration of the underlying engagement, plus any post-termination handover period. |
| Nature and purpose | Diagnostic review of telemetry the Customer shares; assistance with deployment, debugging, or operations. |
| Type of personal data | As selected by the Customer when sharing telemetry. Berserk does not pre-define the categories. |
| Categories of data subjects | Determined by the Customer (typically: Customer's end users, Customer's employees, system identifiers). |

The Customer's documented instructions to Berserk are:
Additional instructions may be given in writing (including email).
Berserk:
If Berserk becomes aware of a personal-data breach affecting the Customer's data, Berserk notifies the Customer without undue delay, with a target of ≤24 hours from awareness. The notification includes, to the extent known at the time:
This commitment supplements the Customer's own GDPR Article 33 obligations to its supervisory authority. Berserk maintains an internal breach-notification procedure aligned with this commitment; it is available to enterprise customers under NDA on request.
The Customer authorizes Berserk to engage sub-processors as listed at Sub-processors. Berserk:
Berserk does not transfer personal data outside the EU/EEA without the Customer's prior written instruction. Where transfer is necessary for a specific support engagement and the Customer instructs it, Berserk relies on the appropriate transfer mechanism (Standard Contractual Clauses 2021/914, or the destination country's adequacy decision).
The Customer may, no more than once per year, request a remote audit or written attestation from Berserk regarding the technical and organizational measures in Annex A. Berserk responds with the information available — typically the artifacts at Trust Overview and the SBOMs shipped in container images — and may charge reasonable costs for additional bespoke audit work.
If the Customer is itself subject to a regulator audit and the regulator requires direct access to Berserk's systems, Berserk reasonably cooperates, subject to confidentiality and proportionality.
Liability under this DPA is governed by the underlying service or support agreement. Where no underlying agreement specifies, Danish law applies.
This DPA is in force for the duration of the underlying engagement. Sections governing breach notification, return/deletion, audit, and liability survive termination to the extent necessary.
These measures reflect Berserk ApS's controls as of the version date on this document. The current version is at Trust Overview and Security Whitepaper.

| Area | Measure |
|---|---|
| Framework alignment | Internal control set mapped to NIS2 Article 21(2) and NIST CSF 2.0; target profile maintained per CSF function. Mapping available to the Customer under this DPA on request. |
| Encryption in transit | TLS on every external HTTP and gRPC interface; the Rust backend services use rustls (aws-lc-rs backend), and non-Rust surfaces use the hosting provider's TLS termination. Internal cluster traffic is over an authenticated Netbird overlay. |
| Encryption at rest | Provider-managed encryption-at-rest on Hetzner volumes and on the OCI registry. Internal K8s control-plane encryption-at-rest is on the roadmap. |
| Access control | SSH-key authentication; per-user accounts on customer-environment access (no shared admin); standing access to customer environments is not granted. |
| Authentication | Per-user accounts on Proton, GitHub, and other SaaS. 2FA is enabled on Proton and on personnel GitHub accounts; broader 2FA enforcement (SSH, every cloud console) is on the roadmap. |
| Logging | Per-host SSH logs; per-service application logs; aggregated audit logging is on the roadmap. |
| Personnel | Confidentiality obligations in employment contracts; security awareness on onboarding and annually. |
| Incident response | Documented severity matrix and incident response runbook; staged-reporting commitments per NIS2 Article 23 and GDPR Article 33. |
| Vulnerability management | Daily dependency-advisory scanning across every ecosystem; CycloneDX 1.6 SBOM in every shipped container image; coordinated vulnerability disclosure policy. |
| Sub-processors | Listed at Sub-processors, with 30-day change notice. |
| Backups | Postgres dump-and-restore on the engagement-relevant data; S3-as-trust-root model documented; annual recovery rehearsal. |

For each engagement under this DPA, the parties record:
The log lives in the Customer's preferred system or, by default, Berserk's internal engagement record.
[For execution by both parties; presented separately at engagement start.]