Data Processing Agreement
Last updated: 2 July 2026.
This Data Processing Agreement (DPA) forms part of the Varhugi terms of service and applies automatically to every company using the service, on any plan. It is drafted to satisfy Article 28 of the General Data Protection Regulation (GDPR) and the Icelandic Data Protection Act no. 90/2018, which require a contract between controller and processor. Pro and enterprise customers can request a countersigned copy via the Contact page.
1. Roles of the parties
The company that creates an account ("the customer") is the controller of the personal data it puts into the service, including data about its staff. Varhugi is the processor and processes that data only on the customer's behalf and in accordance with this agreement.
2. Subject matter, nature and purpose of processing
The processing consists of providing security-awareness training: maintaining staff lists, assigning modules, recording quiz results, issuing certificates, and producing statistics and audit reports for the customer. Processing lasts for as long as the customer has an active account, plus the deletion period described in the section on deletion and return of data.
3. Categories of data and data subjects
The following categories of personal data are processed: staff name, email address, department and role; training progress, quiz results and issued certificates; and technical records of sign-ins and usage (timestamps, IP addresses, browser type). The data subjects are the customer's staff and administrators. The service is not intended for special categories of personal data and the customer must not enter such data into it.
4. Controller's instructions
Varhugi processes personal data only on the customer's documented instructions. Use of the service under the terms, settings made in the dashboard, and written requests constitute such instructions. If Varhugi considers an instruction to infringe data protection law, it will inform the customer without delay.
5. Confidentiality
Everyone processing personal data on Varhugi's behalf is bound by confidentiality, whether by contract or by law. Access to customer data is limited to those who need it to operate and support the system.
6. Security of processing
Varhugi implements appropriate technical and organisational measures in accordance with Article 32 of the GDPR. These include encryption of data in transit (TLS) and at rest, role-based access control, separation of data between organisations, rate limiting, and regular security updates. The measures are reviewed regularly in light of the nature of the processing and the risk involved.
7. Sub-processors
The customer grants a general authorisation for the use of sub-processors. The current sub-processors are: Vercel (hosting and running the software), Neon (database, Frankfurt), Resend (transactional email), Stripe (payment processing, on paid plans), and Upstash (cache used for rate limiting). Each receives only the data its service requires and is bound by a data processing agreement with Varhugi. Varhugi gives customers 30 days' notice of intended changes to the list, and the customer may object to a change on reasonable grounds before it takes effect.
8. Assistance to the controller
Taking into account the nature of the processing, Varhugi assists the customer in responding to data subjects' requests for access, rectification, erasure and other rights under Chapter III of the GDPR, and where applicable with data protection impact assessments and prior consultation with the supervisory authority.
9. Notification of data breaches
If Varhugi becomes aware of a personal data breach affecting the customer's data, it notifies the customer without undue delay. The notification describes the nature of the breach, which data and individuals may be affected, the likely consequences, and the measures taken. This enables the customer to meet its own obligation to notify the supervisory authority within 72 hours where applicable.
10. Deletion and return of data
At the end of the service, or on request, Varhugi deletes the customer's personal data within 30 days or returns it in a commonly used electronic format, unless the law requires longer retention (for example, accounting law). Issued certificates remain stored so they can be verified on the public verification page, as this is part of the service, but they are deleted if the customer or the data subject specifically requests it.
11. Audits and information
Varhugi makes available to the customer the information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. The customer may request an audit, conducted through written enquiries or by an independent third party, with reasonable notice and at most once per year, unless a data breach or a demand from a supervisory authority justifies otherwise.
12. Transfers outside the EEA
Service data is hosted within the European Economic Area as a rule. Some sub-processors are US companies, and any transfer of personal data outside the EEA relies on the European Commission's Standard Contractual Clauses (SCC) or on the sub-processor's participation in the EU-US Data Privacy Framework, under Varhugi's data processing agreement with each party. The list of sub-processors is maintained in the privacy policy.
13. Term and precedence
This agreement applies for as long as Varhugi processes personal data for the customer. In case of conflict between this agreement and other Varhugi terms, this agreement prevails with respect to the processing of personal data. This agreement is governed by Icelandic law.