Data Processing Agreement
Last updated: January 2025
This Data Processing Agreement ("DPA") applies to all processing of personal data that Binadit B.V. ("Processor") carries out on behalf of the Client ("Controller") in the context of the agreement for managed cloud and infrastructure services concluded between the parties. This DPA forms an integral part of that agreement and is drawn up pursuant to Article 28 of the General Data Protection Regulation (GDPR).
Article 1 – Subject Matter and Duration
The Processor shall process personal data solely for the purpose of providing services to the Controller as described in the main agreement. Processing shall take place only for the duration of the main agreement, unless otherwise agreed in writing by the parties or a legal obligation requires longer retention.
Article 2 – Nature and Purpose of Processing
The processing encompasses all activities necessary to provide managed cloud, hosting, infrastructure and DevOps services. Personal data shall be processed solely on documented instructions from the Controller, unless a legal obligation requires otherwise, in which case the Processor will inform the Controller promptly, to the extent permitted by law.
Article 3 – Categories of Personal Data and Data Subjects
The processing concerns the categories of personal data and data subjects specified in the schedule to the main agreement or service contract. Typically this involves contact details of employees of the Controller and end-users of its applications.
Article 4 – Obligations of the Processor
The Processor undertakes to:
- process personal data only on documented instructions from the Controller;
- ensure confidentiality: persons with access to personal data are bound by a duty of confidentiality;
- implement appropriate technical and organisational security measures (see Article 6);
- assist the Controller in responding to requests from data subjects to exercise their rights;
- assist the Controller in meeting GDPR obligations, including security, breach notification and DPIAs;
- at the Controller's choice, delete or return all personal data upon termination of services;
- provide all information necessary to demonstrate compliance with the obligations set out in this Article.
Article 5 – Sub-processors
The Processor may engage sub-processors to perform services. The Controller hereby grants general authorisation to engage sub-processors, provided the Processor:
- informs the Controller in advance of any changes to the list of sub-processors;
- imposes data protection obligations on sub-processors equivalent to those in this DPA;
- remains fully liable to the Controller for the performance of obligations by sub-processors.
Current sub-processors: Hetzner Online GmbH (infrastructure), TransIP B.V. (infrastructure), Google LLC (analytics).
Article 6 – Technical and Organisational Measures
The Processor shall implement appropriate measures to ensure a level of security appropriate to the risk, including:
- encryption of data in transit (TLS 1.2+) and, where applicable, at rest;
- pseudonymisation of personal data where possible;
- access controls based on the principle of least privilege;
- regular security audits and vulnerability management;
- backup and recovery procedures;
- staff training on data protection.
Article 7 – Personal Data Breaches
The Processor shall notify the Controller of a personal data breach without undue delay, and in any event within 72 hours of becoming aware of it. The notification shall include at minimum: the nature of the breach, the categories and estimated number of data subjects affected, the likely consequences and the measures taken or proposed. The Processor shall document all breaches pursuant to Article 33(5) GDPR.
Article 8 – Transfers Outside the EEA
Personal data shall not be transferred to countries outside the European Economic Area unless an adequacy decision exists or appropriate safeguards pursuant to Chapter V GDPR (standard contractual clauses) are in place. The Processor will inform the Controller of any intended transfers outside the EEA.
Article 9 – Audit Rights
The Controller has the right to verify compliance with this DPA through an audit conducted by an independent third party, upon written notice with at least 30 days' lead time. Audit costs are borne by the Controller. The Processor will provide all reasonably requested information to support the audit.
Article 10 – Termination
Upon termination of the main agreement, the Processor shall, at the Controller's choice, delete or return all personal data. Copies shall be deleted unless a legal obligation requires retention. The Processor shall confirm deletion in writing.
Article 11 – Governing Law
This DPA is exclusively governed by Dutch law. The provisions of Article 11 of Binadit's Terms and Conditions apply accordingly.