Data Processing Agreement

Last updated: May 15, 2026

JEDWare  —  Incorporated into Terms of Service

Version 2.0  |  Effective date: May 15, 2026  |  jed-ware.com/dpa

1. Preamble and Incorporation

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“ToS”) between JEDWare ApS (“JEDWare”, “Processor”) and the customer entity that has accepted the ToS (“Customer”, “Controller”). By accepting the ToS, installing, activating, accessing, or using the Services, the Customer also accepts this DPA in full, without requiring a separate signature. Acceptance may occur electronically and shall constitute a legally binding agreement between the parties.

This DPA reflects the requirements of Regulation (EU) 2016/679 (“GDPR”) Article 28, and any other applicable data protection legislation. In the event of a conflict between this DPA and the ToS, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

For the purposes of this DPA:

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • “Processing” has the meaning given in GDPR Article 4(2).
  • “Controller” means the Customer, who determines the purposes and means of processing.
  • “Processor” means JEDWare, who processes personal data on behalf of the Controller.
  • “Sub-processor” means any third party engaged by JEDWare to process personal data.
  • “3CX” refers to the telephony platform operated by the Controller or on the Controller’s behalf, integrated with the JEDWare service.

3. Details of Processing

3.1 Subject Matter

JEDWare provides reporting, wallboard, and analytics functionality that integrates with the Customer’s 3CX telephone system. To deliver these services, JEDWare processes certain data from the Customer’s 3CX environment as described in Section 3.4.

3.2 Duration

Processing shall commence upon the Customer’s acceptance of the ToS and shall continue for the duration of the active JEDWare subscription. Upon termination, JEDWare will delete the Customer’s extension name records and associated agent status data within 90 days unless the Customer requests earlier deletion and unless longer retention is required by applicable law.

3.3 Categories of Data Subjects

The data subjects whose personal data may be processed under this DPA are:

  • Employees, agents, or contractors of the Customer who are assigned extensions in the Customer’s 3CX environment.
  • Employees, agents, or contractors whose call-agent activity (status changes, queue logins/logouts) is recorded, where the Customer has opted in to Agent Status Data collection (see Section 3.5).

3.4 Categories of Personal Data and Processing Purposes

The following table sets out the categories of data processed, the purpose of processing, and whether the data is stored in JEDWare’s cloud infrastructure:

| Data Category | Purpose | Cloud Stored | Retention / Notes |
|---|---|---|---|
| Extension Names | Generate reports, wallboards, and user rights | Yes | Retained to avoid repeated API calls |
| Extension Groups | Generate reports | Yes | Retained to avoid repeated API calls |
| Queue Ext. Numbers & Names | Reports, wallboards, and user rights | Yes | Retained to avoid repeated API calls |
| IVR Ext. Numbers & Names | Reports, wallboards, and user rights | Yes | Retained to avoid repeated API calls |
| Ring Group Ext. Numbers & Names | Reports, wallboards, and user rights | Yes | Retained to avoid repeated API calls |
| Agent Status Changes | Show agent status and queue login/logout history in reports | Yes* | *Requires explicit opt-in. Not stored in 3CX DB — captured by JEDWare only |
| Prompt Locations & Names | Display prompts in 3CX interface | Yes | Retained to show current prompts |
| 3CX License Key | Match JEDWare license to 3CX license | Yes | Retained for license verification |
| 3CX FQDN & HTTPS Port | Connect to and pull data from the 3CX server | Yes | Required for integration service |
| Call Data (Reports & Wallboards) | Generate reports; real-time wallboard display | No | Requested at generation; never saved. Sent directly between browser and local integration. |
| Extension Email, Mobile, Caller ID, Password, PIN, Recordings | Not used by JEDWare | No | Not stored or pulled |

Data not listed in the “Cloud Stored: Yes” column is neither stored nor retained by JEDWare. Call audio files (recordings) are never accessed, stored, or transferred by JEDWare under any circumstances.

3.5 Agent Status Data — Explicit Opt-In Required

Agent Status Changes (login/logout events and status transitions) constitute personal data as they are attributable to individual employees. This data is NOT stored by 3CX and is captured exclusively by JEDWare. Because this category of data requires a lawful basis under GDPR Article 6, the Customer must explicitly enable this feature during JEDWare onboarding or via the account settings panel. The Customer is solely responsible for ensuring an appropriate lawful basis for such processing.

Until the Customer grants explicit opt-in consent for Agent Status Data collection, JEDWare will not collect or store this data category.

4. Obligations of JEDWare (Processor)

JEDWare shall:

  • Process personal data only on documented instructions from the Controller, as set out in this DPA and the ToS, unless required to do so by applicable law.
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: pseudonymisation and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
  • Assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection).
  • Assist the Controller in ensuring compliance with obligations under GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation).
  • At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.
  • Inform the Controller immediately if, in JEDWare’s opinion, an instruction infringes the GDPR or other applicable data protection legislation.

5. Obligations of the Customer (Controller)

The Customer shall:

  • Ensure that there is a lawful basis for the processing of personal data described in this DPA, including employee data relating to extension names and agent activity.
  • Ensure that data subjects (employees) have been appropriately informed of the processing, in accordance with GDPR Articles 13-14.
  • Not instruct JEDWare to process personal data in a manner that would violate applicable law.
  • Obtain any specific consents required for opt-in features, including Agent Status Data collection (Section 3.5).

6. Sub-processors

The Customer hereby grants JEDWare general written authorisation to engage sub-processors to perform specific processing activities. JEDWare’s current sub-processors are listed at jed-ware.com/sub-processors.

JEDWare shall impose data protection obligations equivalent to those in this DPA on any sub-processor by contract. JEDWare shall notify the Customer of any intended changes to sub-processors by updating the sub-processor list and providing at least 14 days’ prior notice via in-app notification. If the Customer objects to a new sub-processor on reasonable data protection grounds, the Customer may terminate the relevant service by providing written notice within 14 days of receiving such notification.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), JEDWare shall ensure an adequate level of protection for such transfers by relying on one of the following mechanisms:

  • An adequacy decision adopted by the European Commission pursuant to GDPR Article 45.
  • Appropriate safeguards pursuant to GDPR Article 46, including Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Any other lawful transfer mechanism permitted under the GDPR.

Details of transfer mechanisms in use are available at https://jed-ware.com/transfers/

8. Security Measures

JEDWare implements and maintains the following technical and organisational measures:

  • Encryption of personal data in transit using TLS 1.2 or higher.
  • Encryption of personal data at rest using industry-standard algorithms (AES-256 or equivalent).
  • Access controls limiting personal data access to authorised personnel on a need-to-know basis.
  • Regular review and testing of security measures.
  • Staff training on data protection and security awareness.
  • Vulnerability management and patch processes for systems that process personal data.

9. Personal Data Breaches

JEDWare shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification shall include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including mitigation measures.

10. Data Subject Rights

JEDWare shall promptly notify the Controller upon receiving a request from a data subject exercising their rights under GDPR (Articles 15-22). JEDWare shall not respond to such requests directly, unless specifically instructed to do so by the Controller or required by applicable law. JEDWare shall provide reasonable assistance to the Controller in fulfilling such requests within the statutory timeframes.

11. Audits and Inspections

The Controller may, upon reasonable prior written notice of at least 90 days and no more than once per calendar year (unless there are grounds to suspect non-compliance), request an audit of JEDWare’s data processing activities covered by this DPA. JEDWare may satisfy audit requirements primarily through the provision of relevant certifications, third-party audit reports, security documentation, and other compliance materials. Any on-site inspection shall only occur where reasonably necessary, be limited in scope, subject to appropriate confidentiality obligations, conducted during normal business hours, and at the Customer’s expense.

12. Deletion and Return of Data

Upon termination or expiry of the ToS, JEDWare shall, at the Controller’s election:

  • Securely delete all personal data processed under this DPA; or
  • Return all personal data to the Controller in a commonly used, machine-readable format.

JEDWare shall complete the above within 90 days of termination and provide written confirmation to the Controller upon completion, unless applicable EU or Member State law requires retention of the personal data.

13. Liability

Each party’s liability under this DPA shall be subject to the limitations set out in the ToS, to the extent permitted by applicable law. This DPA does not limit either party’s liability to data subjects or to supervisory authorities under the GDPR.

14. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Denmark. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the Danish courts, without prejudice to the right of either party to seek urgent interim relief in any competent jurisdiction.

15. Amendments

JEDWare may amend this DPA from time to time to reflect changes in applicable law or its processing activities. Material amendments will be communicated to the Customer at least 14 days in advance via in-app notification. Continued use of the JEDWare service after the effective date of an amendment constitutes acceptance of the amended DPA. If the Customer objects to a material amendment on reasonable data protection grounds, the Customer may terminate the affected Services before the amendment takes effect.

16. Contact

For any questions, data subject requests, or security notifications relating to this DPA, please contact:

 

Entity: JEDWare ApS

Address: Bogensevej 90, DK-5270 Odense N, Denmark

VAT Number: DK-35653821

Email: [email protected]

DPA URL: jed-ware.com/dpa

Sub-processors: jed-ware.com/sub-processors

 

This DPA is incorporated by reference into the JEDWare Terms of Service. Acceptance of the Terms of Service constitutes acceptance of this DPA.