Data Processing Agreement (DPA)

Effective: 2025-08-20

Last updated: 2025-08-20

Standard Data Processing Terms

This Data Processing Agreement ("DPA") forms part of the Service Agreement between Jurre Robertus ("Processor") and the Client ("Controller") for the provision of B2B SaaS marketing services.

1. Definitions

"Controller": The Client who determines the purposes and means of processing personal data
"Processor": Jurre Robertus, who processes personal data on behalf of the Controller
"Personal Data": Any information relating to an identified or identifiable natural person
"Processing": Any operation performed on personal data, including collection, storage, use, and deletion
"Data Subject": The individual to whom the personal data relates
"GDPR": General Data Protection Regulation (EU) 2016/679

2. Scope and Purpose of Processing

2.1 Processing Activities

The Processor shall process Personal Data for the following purposes:

  • Content creation and marketing strategy development
  • Campaign performance analysis and reporting
  • Email marketing and lead generation activities
  • Social media management and advertising
  • Website analytics and conversion optimization
  • Customer relationship management
  • Market research and competitor analysis

2.2 Categories of Data

Types of Personal Data that may be processed:

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company names)
  • Behavioral data (website interactions, email engagement)
  • Communication preferences and history
  • Marketing campaign responses
  • Business-related social media profiles

2.3 Categories of Data Subjects

  • Controller's customers and prospects
  • Controller's employees and contractors
  • Business contacts and leads
  • Website visitors and newsletter subscribers

3. Processor Obligations

3.1 General Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure confidentiality of all personnel authorized to process Personal Data
  • Implement appropriate technical and organizational security measures
  • Not transfer Personal Data outside the EEA without appropriate safeguards
  • Assist the Controller in responding to data subject requests
  • Delete or return all Personal Data upon termination of services

3.2 Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Data Subject Rights

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights under GDPR.

4. Security of Processing

4.1 Technical and Organizational Measures

The Processor implements the following security measures:

Technical Measures:

  • Encryption of data in transit (TLS/SSL)
  • Secure password policies
  • Regular security updates
  • Access logging and monitoring
  • Firewall protection

Organizational Measures:

  • Limited access on need-to-know basis
  • Confidentiality agreements
  • Regular security training
  • Incident response procedures
  • Regular risk assessments

4.2 Data Minimization

The Processor shall ensure that Personal Data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

5. Personal Data Breach

5.1 Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the nature of the breach and categories of data affected
  • Estimate the number of data subjects concerned
  • Describe likely consequences of the breach
  • Detail measures taken or proposed to address the breach
  • Provide contact details for more information

5.2 Breach Response

The Processor shall cooperate with the Controller and take reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each personal data breach.

6. Subprocessors

6.1 General Authorization

The Controller provides general authorization for the Processor to engage subprocessors, subject to the Processor informing the Controller of any intended changes concerning the addition or replacement of subprocessors.

6.2 Subprocessor Obligations

When engaging a subprocessor, the Processor shall:

  • Impose the same data protection obligations as set out in this DPA
  • Ensure the subprocessor provides sufficient guarantees of compliance
  • Remain fully liable for the subprocessor's performance
  • Notify the Controller of any subprocessor changes with 30 days' notice

6.3 Current Subprocessors

The following subprocessors are currently authorized:

• None at this time - Controller will be notified before any engagement

7. International Data Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) without:

  • Prior written consent from the Controller
  • Appropriate safeguards (Standard Contractual Clauses, adequacy decision)
  • Compliance with applicable data protection laws

Current data location: All data is processed and stored within the EEA (Netherlands/France) on Scaleway infrastructure.

8. Audit and Compliance

8.1 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

8.2 Audit Procedures

  • Audits shall be conducted with reasonable notice (minimum 30 days)
  • Audits shall be during regular business hours
  • The Controller shall bear the costs of any audit
  • Audits shall not unreasonably interfere with Processor's business operations

9. Liability and Indemnification

9.1 Liability

Each party's liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set out in the main Service Agreement.

9.2 Indemnification

Each party shall indemnify the other against all damages, losses, and expenses arising out of any breach by that party of its obligations under this DPA or applicable data protection laws.

10. Term and Termination

10.1 Duration

This DPA shall remain in effect for the duration of the Service Agreement between the parties.

10.2 Data Return and Deletion

Upon termination of the Service Agreement, the Processor shall, at the Controller's option:

  • Return all Personal Data to the Controller in a structured, commonly used format
  • Delete all Personal Data and certify such deletion to the Controller
  • Retain Personal Data only to the extent required by applicable law

10.3 Survival

Obligations of confidentiality and security shall survive termination of this DPA.

11. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Netherlands.

Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Amsterdam, Netherlands.

12. Contact Information

Data Protection Contact

Name: Jurre Robertus

Role: Data Protection Officer

Email: jurre.robertus@cnsdr.io

Address: Amsterdam, Netherlands

Response Time: Within 48 business hours

Agreement Execution

This DPA is entered into and becomes a binding part of the Service Agreement between the parties. By engaging the services of Jurre Robertus, the Controller agrees to these data processing terms.

Processor

Jurre Robertus

B2B SaaS Marketing Consultant

Amsterdam, Netherlands

Controller

[Client Name]

[Client Title]

[Client Company]