Data Processing Agreement (DPA)

Between Morningscore ApS and the User


1. Parties

Data Controller (“User”):

Any company or organization that creates an account with Morningscore ApS and uses the Services.

Data Processor (Morningscore ApS):

  • Name: Morningscore ApS
  • Company ID: DK39311437
  • Address: Stærmosegårdsvej 8, st., 5230 Odense M, Denmark
  • Contact: info@morningscore.io
  • Managing Director: Karsten Madsen
  • Website: https://morningscore.io

2. Purpose and Scope

This Data Processing Agreement (“Agreement”) governs Morningscore ApS’s processing of personal data on behalf of the User in connection with the provision of Morningscore’s SEO tools and related services (“Services”).

The Agreement is entered into in accordance with:

  • EU General Data Protection Regulation (GDPR) Article 28
  • Danish Data Protection Act

2.1 Acceptance of Agreement

This DPA automatically takes effect when the User:

  • Creates an account with Morningscore, and
  • Accepts Morningscore’s Terms of Service

By using the Services, the User confirms having read and accepted this DPA.

2.2 Availability

This DPA is always available at:

  • Morningscore’s website: https://morningscore.io/dpa

3. Nature and Purpose of Processing

3.1 Nature of Processing

Morningscore processes personal data as part of providing the following services:

  • SEO analysis tools
  • AI analysis tools
  • Link analysis tools
  • Keyword tracking
  • Competitor analysis
  • Reporting and data visualization
  • User administration and account management

3.2 Purpose of Processing

Personal data is processed exclusively for the purpose of:

  • Providing and maintaining the Services
  • Managing User accounts and user access
  • Generating SEO reports and analyses
  • Providing technical support
  • Fulfilling contractual obligations

4. Categories of Personal Data

Morningscore processes the following categories of personal data:

4.1 User Information

  • Name
  • Email address
  • Phone number (if provided – not required)
  • Company name
  • Job title (if provided)
  • Login credentials (encrypted passwords)

4.2 Technical Data

  • IP addresses
  • Browser type and version
  • Operating system
  • Visit data and usage statistics
  • Cookies and similar technologies
  • Log files

4.3 SEO-Related Data

  • Search queries
  • Website data
  • Competitor data
  • Backlink information
  • Keyword data

4.4 Communication Data

  • Email correspondence
  • Support inquiries
  • Chat messages (via Crisp)

4.5 User-Generated Content

  • Text notes created by the user in the tool
  • Only accessed by support with the User’s explicit consent

5. Categories of Data Subjects

Data subjects include:

  • User’s employees and authorized users
  • User’s contact persons
  • Visitors to User’s websites (indirectly via tracking – anonymized where possible)

6. Data Processor’s Obligations

6.1 Processing Instructions

Morningscore may only process personal data according to documented instructions from the User, unless processing is required by EU law or member state legislation.

6.2 Confidentiality

Morningscore ensures that persons with access to personal data:

  • Are subject to confidentiality obligations
  • Only process data according to instructions from the User
  • Are properly instructed in data protection

6.3 Technical and Organizational Security Measures

Morningscore has implemented the following security measures:

Technical Measures:

  • SSL/TLS encryption of data transmission
  • Encrypted passwords (all passwords encrypted)
  • Secure servers behind firewalls
  • SSH access with secure private/public keys (key employees only)
  • Regular security updates
  • Backup procedures
  • Access control and authentication
  • Logging of employee access in all IT systems
  • No personally identifiable data stored or processed locally at the office

Organizational Measures:

  • Access control based on “need-to-know” principle
  • Only support has access to user database with personally identifiable data
  • Employee training in data security
  • Confidentiality agreements with employees
  • All passwords stored in LastPass with 2-factor authentication
  • Office locked securely
  • Incident response procedures
  • Regular review of security measures

Secure Coding Practices:

  • Careful use of jQuery.html()
  • CSRF protection (Cross-Site Request Forgery)
  • SQL Injection protection
  • Remote File Inclusion protection
  • PHP files start with <?php tag that is never closed
  • .php extension for all PHP scripts
  • Avoidance of dangerous functions (eval, exec, passthru, system, popen, preg_replace with “e” modifier)
  • Ongoing code review to identify bad practices

7. Sub-processors

7.1 No Sub-processors

Important: Morningscore does NOT use sub-processors or share personal data with third parties for processing.

7.2 Hosting and Data Storage

All data is stored with:

  • Hetzner Online GmbH
  • Location: Germany (EU)
  • Purpose: Hosting and data storage
  • GDPR compliance: Yes (EU-based)

Database access:

  • Requires secure SSH connection
  • Not shared with 2nd or 3rd parties
  • Only key employees have access

7.3 CRM System (not a sub-processor)

Morningscore transfers the following information to its own CRM system in certain cases:

  • HubSpot CRM (via Morningscore’s own account)
  • Data transferred: Company name, name, email, phone number (if provided)
  • Purpose: User administration and communication
  • Status: Morningscore is data controller for this processing

7.4 Communication and Support

  • Crisp IM SARL (France) – Live chat platform
  • Purpose: User support via live chat
  • Location: France (EU)
  • GDPR compliance: https://help.crisp.chat/en/article/whats-crisp-eu-gdpr-compliance-status-nhv54c/

8. Transfer to Third Countries

8.1 No Transfer Outside EU

All personal data is processed and stored within the EU/EEA.

Specifically:

  • Hosting: Hetzner Online GmbH in Germany
  • Support chat: Crisp IM SARL in France
  • No data sent outside the EU

8.2 Future Transfers

Should it become necessary to transfer data outside the EU/EEA in the future, Morningscore will:

  • Inform the User in advance
  • Ensure use of EU Standard Contractual Clauses (SCC) or other lawful transfer mechanisms
  • Obtain User’s approval where required

9. Self-Service Functions and User Control

9.1 Self-Service Functions

Morningscore provides the following self-service functions so the User can fulfill data subjects’ rights:

Right to Erasure:

  • User can delete their account at any time via Settings → Account → “Delete Account”
  • Upon deletion, ALL data is removed immediately

Right to Rectification:

  • User can change their own information at any time via account settings

Right to Access:

  • User has full access to all their data via the platform
  • User can export reports and data as needed

Right to Data Portability:

  • User can export their data in common formats via the platform’s export functions

9.2 Limited Assistance

Morningscore provides assistance ONLY in the following cases:

  • Technical problems preventing self-service functions
  • Data protection questions answered by reference to this DPA
  • Formal GDPR requests requiring special documentation

Morningscore is NOT obligated to:

  • Manually delete data when self-service function works
  • Manually export data when export functions are available
  • Perform tasks that User can do themselves via the platform

9.3 Response Time for Formal Requests

For formal GDPR requests that CANNOT be handled via self-service, Morningscore responds within 5 business days.


10. Data Breach Notification

10.1 Notification Obligation

Morningscore shall, without undue delay and no later than 24 hours after becoming aware, notify the User of any personal data breach.

10.2 Content of Notification

The notification shall include:

  • Description of the breach
  • Categories and number of affected data subjects
  • Categories and number of affected personal data records
  • Likely consequences of the breach
  • Measures taken or proposed to remedy the breach
  • Contact information for further information

10.3 Documentation

Morningscore shall document all personal data breaches, including circumstances, consequences, and remedial measures.


11. Data Deletion

11.1 Self-Service Deletion (Primary Method)

User deletes their own account and all data by:

  1. Logging into Morningscore
  2. Going to Settings → Account
  3. Clicking “Delete Account”

This action deletes ALL data immediately. No further action from Morningscore is necessary.

11.2 Automatic Deletion for Non-Payment

If User does not renew their subscription, the account and all data are automatically deleted after 90 days.

11.3 Backup Copies

Backup copies are automatically deleted according to Morningscore’s backup retention policy (maximum 90 days).

11.4 No Manual Return

Morningscore does NOT offer manual return of data. User must export desired data via the platform’s export functions BEFORE deleting the account.

11.5 Confirmation

User automatically receives confirmation via email when the account is deleted.


12. Documentation and Transparency

12.1 Available Documentation

Morningscore makes the following documentation available:

  • This Data Processing Agreement
  • Privacy Policy
  • Terms of Service
  • Security measures (described in this DPA)

12.2 No Physical Audit

Morningscore does NOT offer physical access to premises or servers for security reasons.

12.3 Data Security Questions

Questions about data security are answered by:

  1. Reference to this DPA (which contains all relevant information)
  2. Written response via info@morningscore.io (if DPA does not cover the question)

12.4 Response Time

Written inquiries about data security are answered within 5 business days.

12.5 Third-Party Certifications

Morningscore may, at its discretion, make third-party certifications or audit reports available.


13. Liability and Indemnification

13.1 Liability

Morningscore is liable for damages caused by processing personal data in violation of:

  • This Agreement
  • GDPR
  • Documented instructions from the User

13.2 Limitation of Liability

Morningscore’s liability is limited in accordance with the general terms for the Services.

Morningscore is NOT liable for:

  • User’s failure to use available self-service functions
  • Data loss if User has not exported data before account deletion
  • Delays caused by User’s failure to use self-service tools

13.3 User’s Responsibility

User is responsible for:

  • Using the available self-service functions
  • Exporting data before account deletion
  • Informing their own users about data processing

14. Duration and Termination

14.1 Duration

This Agreement is valid as long as the User has an active account with Morningscore.

14.2 Automatic Termination

The Agreement terminates automatically when:

  • User deletes their account via self-service function
  • Account is automatically deleted due to non-payment (after 90 days)
  • Morningscore ceases to provide the Services

14.3 No Notice Period

There is no notice period. User can delete their account immediately at any time via the self-service function.


15. Changes to the Agreement

15.1 Right to Changes

Morningscore may change this Agreement to:

  • Reflect changes in legislation
  • Implement new security measures
  • Improve self-service functions
  • Clarify existing terms

15.2 Notice of Changes

Material changes are notified at least 30 days in advance via:

  • Email to User’s registered email address
  • Notification in the Morningscore platform
  • Update on website with change date

15.3 Acceptance of Changes

By continuing to use the Services after the changes take effect, User accepts the new terms.

If User does not accept the changes, User must delete their account via the self-service function before the changes take effect.


16. Contact and Communication

16.1 Contact Information

Questions regarding this DPA should be sent in writing to:

Morningscore ApS:

  • Email: info@morningscore.io
  • Address: Stærmosegårdsvej 8, st., 5230 Odense M, Denmark
  • Company ID: DK39311437

16.2 Preferred Communication Method

  • General questions: Use support chat or email
  • GDPR requests: Send to info@morningscore.io with subject “GDPR”
  • Technical issues: Use support function in the platform

16.3 Response Times

  • Support inquiries: 1-3 business days
  • GDPR requests: Within 5 business days
  • Data breach notifications: Within 24 hours

17. Governing Law and Jurisdiction

17.1 Governing Law

This Agreement is governed by Danish law.

17.2 Jurisdiction

Any disputes shall be resolved by Danish courts with Odense City Court as venue.


18. Acceptance and Effective Date

This Data Processing Agreement takes effect upon User’s acceptance of Morningscore’s Terms of Service and constitutes an integral part of the agreement between the Parties.

By using Morningscore’s Services, User confirms having read, understood, and accepted the terms of this Data Processing Agreement.


Appendix A: Technical and Organizational Security Measures

A.1 Access Control

  • Multi-factor authentication (2FA) via LastPass for all employees
  • Role-based access control
  • Only support has access to user database with personally identifiable data
  • SSH access with private/public keys (key employees only)
  • Regular review of user rights
  • Automatic log-off on inactivity
  • Strong password requirements
  • Logging of employee access in all IT systems

A.2 Encryption

  • SSL/TLS encryption of all data transmission
  • All User passwords are encrypted (hashing with salt)
  • Encryption of sensitive data at rest
  • Secure storage of all passwords in LastPass

A.3 Network Security

  • Firewalls on servers
  • SSH connection required for database access
  • DDoS protection
  • Regular security updates
  • Network segmentation
  • No sharing of database access with 2nd or 3rd parties

A.4 Physical Security at Office

  • Office locked securely
  • No personally identifiable data stored or processed locally
  • Clear desk policy
  • Secure data disposal

A.5 Physical Security at Hosting Provider (Hetzner)

  • Secure data centers in Germany with access control
  • Video surveillance
  • Redundant power supplies
  • Climate control
  • ISO certifications

A.6 Backup and Disaster Recovery

  • Daily automatic backups
  • Geographic redundancy
  • Regular testing of recovery procedures
  • Documented disaster recovery plans

A.7 Logging and Monitoring

  • Logging of system access
  • Logging of employee access in all IT systems
  • Monitoring of abnormal activity
  • Regular review of logs
  • Alerting on security incidents

A.8 Employee Security

  • Confidentiality agreements with all employees
  • Regular security training
  • Data protection instruction
  • Confidentiality obligations
  • All passwords in LastPass with 2FA

A.9 Development Security and Secure Coding Practices

Morningscore follows these security principles in code development:

General Principles:

  • Secure coding practices
  • Code reviews
  • Ongoing code review for bad practices
  • Security testing before deployment

Specific Security Measures:

  • Careful use of jQuery.html() to avoid XSS
  • CSRF protection (Cross-Site Request Forgery prevention)
  • SQL Injection protection in all database queries
  • Remote File Inclusion protection
  • PHP files start with <?php tag that is never closed
  • Use of .php extension for all PHP scripts
  • Avoidance of dangerous functions: eval(), exec(), passthru(), system(), popen(), preg_replace() with “e” modifier

A.10 Data Protection by Design

  • Data protection by design principle applied
  • Data protection by default principle applied
  • Data collection minimization
  • Only necessary data collected
  • User-generated content accessed only with User’s explicit consent

Appendix B: Hosting and Third-Party Services

IMPORTANT: Morningscore does NOT use sub-processors. The following is an overview of hosting and third-party services.

B.1 Hosting and Data Storage

Hetzner Online GmbH:

  • Type: Hosting provider (NOT a sub-processor)
  • Purpose: Hosting application and storing all data
  • Location: Germany (EU)
  • Address: Industriestr. 25, 91710 Gunzenhausen, Germany
  • GDPR compliance: Yes (EU-based)
  • Security measures: ISO certifications, physical security, redundancy
  • Access: Only via secure SSH connection with private/public keys
  • Sharing: Database access NOT shared with 2nd or 3rd parties

B.2 CRM System (Morningscore is Data Controller)

HubSpot CRM:

  • Type: CRM system (Morningscore is data controller for this processing)
  • Purpose: User administration and communication
  • Data transferred: Company name, name, email, phone number (if provided)
  • Use: Via Morningscore’s own HubSpot account
  • Status: Morningscore processes data as data controller, not as data processor

B.3 Communication and Support

Crisp IM SARL:

  • Type: Live chat platform
  • Purpose: User support via live chat
  • Location: France (EU)
  • GDPR compliance: Yes
  • Website: https://crisp.chat
  • Documentation: https://help.crisp.chat/en/article/whats-crisp-eu-gdpr-compliance-status-nhv54c/
  • Data processed: Chat messages, IP address, browser type, voluntarily provided information

B.4 Confirmation

Morningscore confirms that:

  • NO sub-processors are used
  • All data remains within the EU
  • No personal data sent outside the EU
  • Database access not shared with external parties

Appendix C: Data Breach Procedure

C.1 Discovery

  • Continuous monitoring of systems
  • Employees instructed to report suspicious incidents
  • Automatic alerts on abnormal activity

C.2 Assessment

  • Immediate assessment of breach scope
  • Identification of affected data and data subjects
  • Assessment of potential consequences

C.3 Containment

  • Immediate measures to stop the breach
  • Isolation of affected systems
  • Securing evidence

C.4 Notification

  • Notification of User within 24 hours
  • Notification to Data Protection Authority (if relevant)
  • Notification of data subjects (if required)

C.5 Remediation

  • Implementation of corrective measures
  • Restoration of normal operations
  • Documentation of incident

C.6 Follow-up

  • Analysis of causes
  • Implementation of preventive measures
  • Update of security procedures

Last updated: November 10, 2025

Version: 1.1


Signature and Approval

This Data Processing Agreement is approved by:

For Morningscore ApS:

  • Name: Karsten Madsen
  • Title: Managing Director
  • Date: November 10, 2025

This Data Processing Agreement is prepared in accordance with GDPR Article 28 and should be read in conjunction with Morningscore’s Terms of Service (https://morningscore.io/terms/) and Privacy Policy (https://morningscore.io/privacy-policy/).

By using Morningscore’s services, User accepts the terms of this Data Processing Agreement.