Data Processing Agreement

Effective Date: April 1, 2026
(For the previous version of our DPA, valid until March 31, 2026, click here)

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions or other service agreement (“Service Agreement”) entered into between:

Controller: The customer identified in the Service Agreement

Processor: CookieHub ehf., reg. no. 6801211090, Hafnargata 51–55, 230 Reykjanesbær, Iceland

1. Purpose and Scope

1.1 This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR).

1.2 This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the CookieHub consent management platform (the “Service”).

1.3 For the purposes of this DPA, Personal Data has the meaning set out in Article 4(1) GDPR.

2. Order of Precedence

In the event of any conflict, the following order of precedence applies:

  1. The Service Agreement
  2. This DPA
  3. Any annexes to this DPA

3. Processing Instructions

3.1 The Service Agreement and this DPA constitute the Controller’s complete documented instructions to the Processor.

3.2 The Processor shall process Personal Data only in accordance with these documented instructions, unless required to do otherwise by applicable law.

3.3 Where the Processor believes an instruction infringes applicable data protection law, it shall inform the Controller without undue delay.

4. Confidentiality

The Processor shall ensure that persons authorised to process Personal Data are subject to binding confidentiality obligations.

5. Security of Processing

5.1 The Processor shall implement appropriate technical and organisational measures in accordance with Article 32 GDPR, taking into account the nature, scope, context, and risks of the processing.

5.2 Security measures are aligned with generally recognised information security standards, including ISO/IEC 27001 principles, and are applied uniformly across all customers.

5.3 No customer-specific security controls or certifications are provided unless expressly agreed in writing.

6. Sub-processing

6.1 The Controller grants the Processor general authorisation to engage Sub-processors for the provision of the Service.

6.2 The Processor shall maintain an up-to-date list of Sub-processors, including their country of location, and make it available to the Controller.

6.3 The Processor shall ensure that Sub-processors are bound by data protection obligations no less protective than those set out in this DPA.

7. International Transfers

Personal Data may be transferred outside the European Economic Area only where appropriate safeguards under Chapter V GDPR are in place, including Standard Contractual Clauses where applicable.

8. Assistance to the Controller

8.1 Taking into account the nature of the processing, the Processor shall provide reasonable assistance to enable the Controller to:

  - respond to data subject requests under Chapter III GDPR; and
  - comply with its obligations under Articles 32–36 GDPR.

8.2 Assistance under this section may be subject to reasonable fees where permitted by law.

9. Personal Data Breach Notification

9.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller’s data.

9.2 Such notification shall include information reasonably available to the Processor to enable the Controller to comply with its notification obligations.

10. Compliance Information

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.

11. Data Deletion and Return

Upon termination of the Service Agreement, the Processor shall delete or return Personal Data in accordance with the Service Agreement, subject to technical constraints, backup retention cycles, and legal obligations.

12. Liability

Liability arising under this DPA is subject to the limitations of liability set out in the Service Agreement.

This Agreement is entered into with effect from the commencement date set out above.

On behalf of the Controller,

Signature:
Print Name: ______________________________
Title: ______________________________
Date Signed:

On behalf of the Processor,

Signature:
Print Name: ______________________________
Title: ______________________________
Date Signed:

Annex 1 – Details of Processing (Article 28(3))

Nature of processing:
Provision and operation of the CookieHub consent management platform, including:

  - Recording and storage of user consent signals
  - Management of customer accounts and configured services
  - Delivery of service-related communications
  - Customer support and technical assistance

Purpose of processing:

  - Enabling customers to collect, manage, and demonstrate user consent
  - Operating and securing the Service
  - Communicating with customers regarding their account and use of the Service
  - Providing support and service updates

Categories of data subjects:

  - Website visitors (end users of the Customer’s website)
  - Customer account users
  - Customer contact persons

Categories of personal data:

A. Website visitor data (pseudonymous):

  - Consent token
  - Anonymized IP address
  - URL at time of consent
  - Country code
  - User agent
  - Date and time of consent

B. Customer account and contact data:

  - Name
  - Email address
  - Account credentials (hashed)
  - Service configuration data
  - Communication records
  - Billing-related contact information

Special categories of data:
No special categories of personal data are intentionally processed. Customers are responsible for ensuring that special category data is not transmitted to the Service unless lawful and appropriate safeguards are in place.

Retention:
Personal data is retained for the duration of the Service Agreement and in accordance with documented retention settings, including standard retention of consent logs for up to one (1) year.

Annex 2 – Approved Sub-processors

| Name | Purpose | Country |
|---|---|---|
| Amazon Web Services Inc. | Cloud hosting, data storage, monitoring and security solutions | Germany, United Kingdom |
| Amazon Web Services Inc. | Content delivery network | Worldwide |
| Online S.A.S. | Cloud hosting, data storage, monitoring and security solutions | France, Netherlands |
| BunnyWay d.o.o. | Content delivery network | Worldwide |
| Cloudflare | Content delivery network, WAF and DDoS protection | Multiple |
| Help Scout | Customer support | United States |
| Userlist, Inc. | Transactional and marketing email delivery | United States |

Where Sub-processors are located outside the EEA, transfers are subject to appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses where applicable.