Data Processing Agreement

Version 1 - 22 Mar 2023

This Processor Agreement (‘Agreement’) is an agreement between the user(s) of the Platform (‘Controller’) and Gangverk ehf, or any of its subsidiaries (‘Processor’).

This Agreement forms part of the Contract for Services under the Terms and Conditions of Use.



You operate as the Data Controller for all data that users generate ('User Generated Data').


You function as the Data Subject concerning 'User Data.'


You intend to delegate certain services to Gangverk ehf, services which involve the processing of Personal Data.


Both parties aim to establish a data processing agreement adhering to the prevailing legal standards about data processing, especially the Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016. This regulation concerns the protection of individuals in relation to personal data processing and the free circulation of this data, replacing Directive 95/46/EC (known as the General Data Protection Regulation).


Both parties are keen to clarify and solidify their respective rights and responsibilities.




Gangverk ehf, inclusive of its subsidiary companies (referred to as 'Processor')


Home Care Service Provider / Accredited User (termed 'Controller')



The Processor has developed "", a secure platform tailored for home care.

B is offered by the Processor as a versatile platform, accessible via mobile or desktop devices, functioning as a service governed by the Processor from distant servers.


Beyond this, the Processor extends supplementary offerings, including but not limited to, implementation, training, and advisory services complementing its software.


The Controller, whether as an individual health professional or as part of a broader healthcare entity, is keen to harness the software and services presented by the Processor. In response, the Processor commits to delivering these provisions.

This Agreement encompasses:


The Agreement itself


Standard Terms and Definitions


Agreement on Data Processing

Engaging with the Platform signifies your acceptance of the Data Processing Agreement detailed herein. For a holistic understanding, we urge you to peruse the regulations and accords found at:

Standard Terms and Definitions

Use Policy

Guidelines set by the Processor regarding the Platform's usage, aligned with best practices and healthcare standards.


Refers to this Data Processing Agreement.

Verified Users

Individuals granted permission to utilize the Platform as detailed:

Verified Users have registered a account. All Verified Users must adhere to Terms of Use, and Privacy Protocol.

User-Specific Data

Personal information related to the Verified Users on the Platform.

Platform

The unique software designed by the Processor, offering a secure space for delivering home care.

Controller, Processor, Data Individual, Health-related Data, Personal Details, Data Breach, Data Handling, and Adequate Safety Protocols: As outlined in the Data Safety Laws.

Data Safety Laws

The 2018 Data Protection Act embodying the General Data Protection Regulation (EU) 2016/679, subject to changes and inclusive of any legislative updates.

General Information

Refers to generic data that doesn't fall under User-Created Data or User-Specific Data categories.

Personal Information

Encompasses both User-Created Data and User-Specific Data.

Privacy Protocol

Processor's evolving privacy terms available at

User-Generated Data

Information entered into the Platform either by the Controller, by Verified Users, or on behalf of the Controller by the Processor. This notably includes care recipient health records.

Data Processing Agreement

Personal Data

Within this Data Processing Agreement, operates in dual roles, acting both as the data controller and data processor concerning User Data. Notably, those using are considered data subjects.  

Additionally, it's recognized that the Authorized Users of the Platform retain control over User Generated Data, with operating as its processor.  
The stipulations of the Privacy Policy govern handling of both User Data and User Generated Data. The processing of these data categories by the Processor aligns strictly with Data Protection Legislation.

Data Processing, as the Processor, will:


Handle Personal Data strictly within the scope and manner essential for service provision, aligning with the directives of the Privacy Policy. Personal Data will not be processed beyond these specifications unless mandated by any European Union member state. In such scenarios, the Processor will, where permissible, inform the Controller prior to such mandated processing.


Adhere to the Controller's specific directives during data processing.

Preservation and Elimination of Personal Data

- platform offers the capability to either erase or export user data from its systems. Post deletion on the platform, any retained user data on your systems will be eradicated, barring the data within specified retention or backup periods. It's essential to note that user data shared with other Platform users is governed by those individual users and isn't influenced by the previously mentioned actions.

- delineates and observes all data retention periods in our structured data retention timeline.


Upon the culmination of this agreement, it's imperative to initiate all actions required to remove pertinent user data from the Platform. Moreover, ensuring all associated data processed by and affiliated subprocessors is terminated, unless legally mandated data retention protocols state otherwise.  


For a comprehensive understanding of our data retention timelines, we invite you to get in touch.

Security Provisions

The Processor commits to initiating all necessary technical and structural measures to safeguard Personal Data against any unauthorized or illicit processing.

The Controller is tasked with continual supervision and requisite updates to amplify Personal Data security measures.  

Employee Protocols

The Processor pledges to:


Endeavor to validate the credibility of employees accessing Personal Data;  


Ensure Personal Data accessibility is restricted to only those employees whose roles necessitate it;  


Limit data access to only essential segments pertinent to an employee's job functions;


Mandate all engaged employees to uphold the confidentiality of Personal Data and undergo extensive training about Data Protection Legislation and best practices.

Subprocessors, as the Processor, will only enlist a third-party subprocessor to handle the Personal Data if:  


Prior consent has been obtained from the Controller (which shouldn't be unreasonably denied), given the Processor has furnished exhaustive details of the proposed subprocessor;


The subprocessor's agreement ensures its data protection clauses mirror, in essence, those detailed in this Data Processing Commitment.

The Controller explicitly approves the processing of Personal Data by the subsequent Sub-Processors:

Subprocessor: Amazon Web Services (AWS)
Information: uses AWS as our Cloud Provider.
Data storage location: Ireland
Processed data: User data, User Generated data, Operational data
More information: All data is encrypted at rest and in transit.

Subprocessor: SendGrid
Information: uses SendGrid for outgoing emails.
Data storage location: SendGrid uses Twilio infrastructure in USA.
Processed data: Outgoing emails may contain user information such as names and encrypted links to verify identity.
More information:

Subprocessor: Segment
Information: uses Segment to better understand how users interact with our applications. This is essential to ensure we can continue to improve our service and better serve our customers. Data sent to Segment only reflects user behaviour and never includes any personally identifiable data.
Data storage location: Ireland
Processed data: No personally identifiable data.

Protection of Data Subject Rights

The Processor commits to empowering the Controller with fitting technical and organizational strategies, within reasonable capabilities, to facilitate the Controller’s adherence to their responsibilities. This pertains to addressing requests aimed at exercising the Data Subject's rights as delineated in Articles 12 to 23 of the GDPR (Rights of the Data Subject). A collaborative, good-faith dialogue will be undertaken by the Parties to justly distribute the associated expenses.

In instances where a Data Subject presents complaints or queries concerning the Processing of User Generated Data, the Processor is obliged to promptly relay such communications to the Controller. The responsibility for adequately managing and responding to such requests rests primarily with the Controller.

Adherence to Compliance Protocols

The Processor is committed to:


Swiftly adhering to any directive from the Controller that necessitates the amendment, transfer, or deletion of Personal Data.


On request by the Controller, furnishing a copy of all Personal Data in its possession, presented in a format and via media as reasonably determined by the Controller.


Erasing the Controller's User Data upon receiving a directive to do so from the Controller.


Immediately notifying the Controller if it becomes aware of any unauthorized or unlawful processing, or of loss, damage, or destruction of Personal Data.


Keeping meticulous, accurate records and information as a testament to its compliance with the obligations as set out in this Data Processing Agreement.


Safeguarding the integrity of the Personal Data, preventing any unauthorized alterations, and ensuring that the Personal Data remains distinct from any other created information.

Documentation and Audit Procedures

The Processor commits to providing the Controller with access to all necessary records and information required to validate compliance with the obligations specified in this Data Processing Agreement.

The Controller reserves the right to conduct inspections directly or through appointed representatives. This includes the examination of facilities, equipment, documentation, and electronic data pertinent to the Processor’s handling of Personal Data. A minimum notice of 5 days should be given for such inspections by the Controller, except in cases where the Controller suspects that the Processor might be violating the terms specified in this Data Processing Agreement, whereby the notice requirement may be waived.

For communications or queries directed at Data Protection Officer (DPO), the designated email contact is:

Ármúli 1
105 Reykjavík