Data Processing Agreement (DPA)
Last Updated: March 10, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies when you use SOMIGO for business purposes as an organization.
Applicability: When the Customer is an organization using the Service for business purposes, the Customer acts as Data Controller and SOMIGO (Happyhill, based in Aarhus, Denmark) acts as Data Processor. For individual/personal accounts, SOMIGO acts as Data Controller and this DPA does not apply.
This DPA governs the processing of Personal Data as defined under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by SOMIGO on behalf of the Customer.
- "Data Controller" means the Customer, who determines the purposes and means of processing Personal Data.
- "Data Processor" means SOMIGO, who processes Personal Data on behalf of the Data Controller.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by SOMIGO to process Personal Data.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
2. Scope and Purpose of Processing
2.1 Subject Matter
SOMIGO provides a project management and task organization platform that processes Personal Data on behalf of the Customer.
2.2 Nature and Purpose of Processing
SOMIGO processes Personal Data to:
- Provide the SOMIGO platform services to the Customer
- Store and manage tasks, projects, notes, and user data
- Enable collaboration between team members
- Process billing and subscription management
- Provide customer support
- Ensure platform security and performance
2.3 Duration of Processing
Personal Data will be processed for the duration of the Customer's active subscription and for a period of 30 days following account cancellation or termination, after which all data will be permanently deleted.
2.4 Types of Personal Data
SOMIGO may process the following categories of Personal Data:
- Account Information: Name, email address, job title
- User-Generated Content: Tasks, projects, notes, comments
- Usage Data: Login times, activity logs, feature usage
- Billing Information: Payment method details (processed via Stripe)
- Technical Data: IP addresses, browser type, device information
2.5 Categories of Data Subjects
Data Subjects include the Customer's employees, contractors, team members, and authorized users of the SOMIGO platform.
3. Data Processor Obligations
SOMIGO agrees to:
- Process Personal Data only on documented instructions from the Customer, including for transfers to third countries or international organizations
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure data security (see Section 5)
- Respect the conditions for engaging Sub-processors (see Section 4)
- Assist the Customer in responding to Data Subject requests (see Section 7)
- Assist the Customer in ensuring compliance with GDPR obligations
- Delete or return all Personal Data after termination of services, unless retention is required by law
- Make available all information necessary to demonstrate compliance with GDPR obligations
- Notify the Customer without undue delay upon becoming aware of a Personal Data breach
4. Sub-processors
4.1 Authorized Sub-processors
The Customer acknowledges and agrees that SOMIGO may engage the following Sub-processors to process Personal Data:
4.2 Changes to Sub-processors
SOMIGO will inform the Customer of any intended changes concerning the addition or replacement of Sub-processors via email notification at least 14 days in advance. The Customer may object to such changes by contacting contact@somigo.io within 7 days of notification.
4.3 Sub-processor Obligations
SOMIGO ensures that all Sub-processors are bound by data protection obligations equivalent to those set out in this DPA, including appropriate technical and organizational security measures.
5. Security Measures
SOMIGO implements the following technical and organizational measures to ensure data security:
5.1 Technical Measures
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC) and user authentication
- Network Security: Firewalls, intrusion detection, and DDoS protection
- Data Segregation: Logical separation of customer data
- Backups: Regular automated backups with secure storage
5.2 Organizational Measures
- Access Management: Strict access controls and principle of least privilege
- Confidentiality: All personnel bound by confidentiality agreements
- Security Monitoring: Continuous monitoring and logging of security events
- Incident Response: Documented procedures for data breach response
- Vendor Management: Due diligence on all Sub-processors
5.3 Data Center Security
All infrastructure is hosted in European Union data centers operated by DigitalOcean, which maintain:
- ISO 27001 certification
- SOC 2 Type II compliance
- 24/7 physical security and monitoring
- Redundant power and network connectivity
6. Data Subject Rights
SOMIGO will assist the Customer in fulfilling its obligations to respond to Data Subject requests, including:
- Right of Access: Provide access to Personal Data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Delete Personal Data ("right to be forgotten")
- Right to Data Portability: Export data in machine-readable format
- Right to Restriction: Limit processing of data
- Right to Object: Object to processing
The Customer can exercise these rights through their SOMIGO account settings or by contacting contact@somigo.io. SOMIGO will respond to such requests within 30 days.
7. Data Breach Notification
7.1 Notification Timing
In the event of a Personal Data breach, SOMIGO will notify the Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
7.2 Notification Content
The notification will include:
- Description of the nature of the breach
- Categories and approximate number of affected Data Subjects
- Categories and approximate number of Personal Data records
- Contact point for more information (contact@somigo.io)
- Likely consequences of the breach
- Measures taken or proposed to address the breach
7.3 Cooperation
SOMIGO will cooperate with the Customer and provide all necessary information to enable the Customer to fulfill its GDPR breach notification obligations to supervisory authorities and Data Subjects.
8. Data Transfers
8.1 EU-Based Processing
All primary data processing and storage occurs within the European Union at DigitalOcean data centers in EU regions.
8.2 International Transfers
Limited Personal Data may be transferred to Sub-processors outside the EU (Stripe and Google in the United States). These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures ensuring adequate protection equivalent to GDPR
- GDPR-compliant data processing agreements with all parties
9. Data Retention and Deletion
9.1 Retention Period
SOMIGO retains Personal Data only for as long as necessary to provide services to the Customer and fulfill the purposes outlined in this DPA.
9.2 Post-Termination
Upon termination or cancellation of the Customer's subscription:
- Data remains accessible to the Customer for 30 days to allow for data export
- After 30 days, all Personal Data is immediately deleted from SOMIGO's active production systems
- Backup copies may persist for up to 90 days in secure backup systems before being automatically overwritten. During this period, backup data is isolated and cannot be accessed or restored except as required by law
- The Customer can request immediate deletion of active data by contacting contact@somigo.io
9.3 Legal Retention
If retention is required by applicable law (e.g., tax, accounting, or regulatory requirements), SOMIGO will securely store the data for the legally mandated period and then delete it.
10. Audits and Compliance
10.1 Information Access
SOMIGO will make available to the Customer all information necessary to demonstrate compliance with GDPR Article 28 obligations.
10.2 Audit Rights
SOMIGO will provide evidence of compliance with this DPA through:
- Providing relevant security documentation, policies, and procedures
- Sharing security certifications from our infrastructure providers (ISO 27001, SOC 2 Type II)
- Making available independent third-party audit reports where applicable
If the above documentation is insufficient, the Customer may conduct an on-site audit or appoint an independent auditor, subject to:
- Reasonable advance notice (at least 30 days)
- Execution of a confidentiality agreement
- Scheduling during normal business hours
- Payment of reasonable costs associated with the audit
- No more than one audit per 12-month period
10.3 Security Certifications
SOMIGO maintains compliance with industry security standards through our infrastructure providers (DigitalOcean), who hold ISO 27001 and SOC 2 Type II certifications.
11. Liability and Indemnification
11.1 Joint Liability
Each party will be liable to Data Subjects for damages caused by processing that infringes GDPR, in accordance with GDPR Article 82.
11.2 Limitation
SOMIGO's liability under this DPA is subject to the limitations set forth in the Terms of Service, except where such limitations are prohibited by applicable law.
11.3 Indemnification
Each party will indemnify the other for losses arising from its breach of this DPA, to the extent permitted by applicable law.
12. Term and Termination
12.1 Term
This DPA takes effect on the date the Customer accepts the Terms of Service and continues until termination of the subscription.
12.2 Effect of Termination
Upon termination:
- SOMIGO will cease all processing of Personal Data except as necessary for data return or deletion
- The Customer may request export of all Personal Data
- All Personal Data will be deleted within 30 days unless otherwise requested
12.3 Survival
Sections relating to confidentiality, liability, and data deletion will survive termination of this DPA.
13. Amendments
SOMIGO may update this DPA from time to time to reflect changes in data protection laws, our processing activities, or business practices. Material changes will be communicated to Customers via email at least 30 days before taking effect.
Continued use of the Service after changes take effect constitutes acceptance of the updated DPA.
14. Governing Law
This DPA is governed by the laws of Denmark and interpreted in accordance with the GDPR and other applicable EU data protection regulations.
Any disputes relating to this DPA shall be subject to the exclusive jurisdiction of the courts of Aarhus, Denmark.
15. Contact Information
For questions about this Data Processing Agreement or data protection matters, please contact:
- Company: Happyhill
- CVR: 34028370
- Address: Topkærvej 7, 8200 Aarhus N, Denmark
- Email: contact@somigo.io
- Data Protection Inquiries: Contact contact@somigo.io
16. Acceptance
By accepting the Terms of Service and using SOMIGO, the Customer acknowledges that they have read, understood, and agree to be bound by this Data Processing Agreement.
This DPA is incorporated into and forms part of the Terms of Service between the Customer and SOMIGO.