Data processing agreement (DPA)
This DPA forms part of the service agreement between WeCode A/S, Thorsgade 59, 2.sal 2200 Copenhagen, Denmark, CVR DK37496510 ("Voltcast", the processor) and the subscribing customer ("Customer", the controller), and applies wherever Voltcast processes personal data on the Customer's behalf. Scale customers may request a countersigned copy via [email protected].
1. Subject matter and scope
Voltcast is a market-data and forecasting API. The personal data we process on your behalf is intentionally minimal: account contacts (names, emails), API usage records attributable to your users' keys, and webhook endpoint URLs you configure. Price data, forecasts and optimization results contain no personal data.
2. Duration, nature and purpose
Processing lasts for the subscription term plus the retention window in our privacy policy (90 days post-deletion; invoices per statutory retention). Purpose: providing the Service — authentication, entitlement enforcement, delivery of webhooks, billing and support.
3. Processor obligations (Art. 28(3) GDPR)
- Process personal data only on documented instructions from the Customer (the service configuration constitutes such instructions).
- Ensure persons authorised to process the data are bound by confidentiality.
- Apply the technical and organisational measures in §5.
- Assist the Customer with data-subject requests and Art. 32–36 obligations.
- Delete or return all personal data at contract end, on request.
- Make available information necessary to demonstrate compliance and allow audits (on 30 days' notice, at most annually, at Customer cost, under NDA).
- Notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer data.
4. Sub-processors
The Customer grants general authorisation for these sub-processors; Voltcast will give 30 days' notice before adding or replacing one:
- Stripe Payments Europe Ltd — payments and invoicing (EU; EU SCCs where applicable)
- Cloudflare — object storage for bulk data exports (no personal data at rest)
- Hosting provider (EU data centre) — compute and database
- Google Ireland Ltd — only where the Customer's users choose Google sign-in
5. Security measures (Art. 32)
- TLS on all endpoints; HSTS; API keys stored as one-way hashes; webhook payloads HMAC-signed.
- Least-privilege production access limited to the founders; audit trail via ingestion/delivery logs.
- Encrypted backups; EU-jurisdiction infrastructure.
- No third-party trackers; personal data never used for model training.
6. International transfers
Processing occurs in the EU/EEA. Where a sub-processor transfers data outside the EEA, EU Standard Contractual Clauses apply.
7. Liability and order of precedence
Liability follows the service agreement (terms §3). In case of conflict regarding personal data, this DPA prevails.
Last updated 2026-07-10 · Questions: [email protected]