ANNEX 2 - DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement ("DPA") forms an integral part of the Master Service Agreement ("Agreement") between Reseller ("Controller") and Bloxsnap B.V. ("Processor").
Capitalized terms not defined in this DPA have the meaning given in the Agreement.
1. SUBJECT MATTER, DURATION, AND NATURE OF PROCESSING
1.1. Subject Matter
Processor processes personal data on behalf of Controller solely for providing the Platform and related Services under the Agreement.
1.2. Duration
Processing continues for the term of the Agreement and any post-termination data retention period permitted by the Agreement.
1.3. Nature and Purpose of Processing
Processor processes personal data to operate, maintain, secure, and provide the Platform, including running AI-assisted features and infrastructure services, in accordance with Controller's documented instructions.
1.4. Types of Personal Data
Personal data processed may include names, contact information, account identifiers, authentication credentials, payment details (if provided via the Platform), logs, metadata, and any other personal data submitted by Controller or its End-Users.
1.5. Data Subjects
End-Users, personnel of Controller, and any customers or other third Parties whose personal data is processed by the Controller via the Platform.
2. ROLES AND INSTRUCTIONS
2.1. Controller as Data Controller
Controller determines the purposes and means of the processing.
2.2. Processor as Data Processor
Processor processes personal data solely on documented instructions from Controller as set out in this DPA and the Agreement.
2.3. Instructions
The Agreement, this DPA, and Controller’s configuration and use of the Platform constitute Controller’s full and final instructions. Additional instructions require prior written agreement and may incur fees.
3. SUB-PROCESSORS
3.1. Authorization
Processor is authorized to use sub-processors as needed to provide the Services.
3.2. List of Sub-Processors
A current list is published at the URL specified in the Agreement (Annex 3) or provided promptly upon request.
3.3. Obligations
Processor ensures each sub-processor is bound by data protection obligations no less protective than those in this DPA.
3.4. Changes
Processor notifies Controller of new sub-processors, and Controller may object for legitimate data-protection reasons. If the Parties cannot resolve the objection, Controller may terminate the affected Services without penalty by providing written notice.
4. SECURITY AND DEMONSTRATION OF COMPLIANCE
4.1. Security Measures
Processor implements appropriate technical and organizational security measures as required under Article 32 GDPR. Details are described in the Agreement Section 8.
4.2. Confidentiality
Processor ensures persons authorized to process the data are bound by confidentiality.
4.3. Access Controls
Processor maintains controls preventing unauthorized access, alteration, or disclosure of data.
4.4. Logging and Monitoring
Processor maintains logs of relevant system activity and security events.
4.5. Backups and Disaster Recovery
Processor performs encrypted backups and maintains business continuity plans, as described in Agreement Section 8.3.
4.6. Data Breach Notification
Processor notifies Controller without undue delay, and in any event within seventy-two (72) hours, upon becoming aware of a personal data breach, as detailed in Agreement Section 8.4.
4.7. Demonstration of Compliance and Audit Rights
Processor shall make available to Controller information necessary to demonstrate compliance with Article 28 GDPR, which may include security documentation, certifications, or summaries of independent assessments. Except as expressly permitted under Section 8.5 of the Agreement regarding approved, third-Party penetration testing, Controller has no right to conduct on-site audits, inspections, or obtain direct access to Processor’s systems, facilities, environments, or personnel. This Section 4.7 prevails over any conflicting audit provisions in the Agreement or its annexes.
5. DATA SUBJECT RIGHTS
5.1. Processor Assistance
Processor shall assist Controller, to the extent reasonably possible and technically feasible, in fulfilling data subject rights requests (access, rectification, deletion, restriction, portability, objection).
5.2. Direct Requests
Processor shall not respond to any data subject request directly unless required by law. If Processor receives such a request, it shall promptly forward it to the Controller.
6. INTERNATIONAL TRANSFERS
6.1. Permitted Transfers
Processor shall only transfer personal data internationally as permitted under Chapter V GDPR.
6.2. Transfer Mechanisms
Where required, Processor will rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
6.3. Safeguards
Processor shall provide details of transfer safeguards upon request.
7. RETURN OR DELETION OF DATA
7.1. Deletion Timeline
Upon termination or expiration of the Agreement, Processor will retain Customer Data for the sixty (60) day export period specified in Section 2.3(b) of the Agreement. Following this period, the Processor shall delete all Customer Data and copies, unless required by law to retain it longer.
7.2. Export Request
Controller may request export of the data during the applicable export period, as further detailed in the Agreement.
8. LIABILITY
8.1. Applicability of Agreement
The liability provisions of the Agreement apply to this DPA.
8.2. Governing Cap
In the event of conflict, the Agreement’s Super-Cap (Section 14.4) governs Processor’s liability arising from breach of its Processor obligations.
9. PRECEDENCE
9.1. Conflict Resolution
If there is a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA shall prevail.