Data Processing Agreement
Last updated: April 2026
Scope
This Data Processing Agreement (DPA) applies between TwinCurrent ApS ("Processor") and each student union using the Unios platform ("Controller"). It governs the processing of personal data on behalf of the Controller in accordance with GDPR Article 28.
Subject matter and duration
The Processor processes personal data on behalf of the Controller for the purpose of providing the Unios platform. Processing continues for the duration of the tenant agreement.
Nature and purpose of processing
Storage, retrieval, and display of member data including names, email addresses, event attendance records, and ticket purchase history.
Categories of data subjects
Members of the Controller's student union; event attendees; ticket purchasers.
Sub-processors
- Railway (PostgreSQL database hosting — EU region)
- Cloudflare R2 (file storage — EU jurisdiction)
- Resend (transactional email — EU)
- Stripe (payment processing — subject to Stripe's own DPA)
Technical and organisational measures
TLS in transit, AES-256 at rest, bcrypt password hashing, JWT-based auth with short-lived tokens, row-level security enforced per tenant, EU data residency.
Contact
This is a placeholder DPA template pending legal review. A signed DPA will be provided to each tenant before go-live.