Data Processing Agreement
This Data Processing Agreement (“DPA”) optionally supplements the Master Subscription Agreement (“MSA”) to describe the additional terms and conditions related to the Processing of Personal Data, and is an agreement between Blockbax B.V., having its statutory seat in Rotterdam, The Netherlands, registered address at Delftsestraat 17D, 3013AC Rotterdam and with the trade register of Netherlands under number 70370346 hereafter referred to as Processor; and you or the entity you represent as the data controller hereafter referred to as Controller, together hereafter referred to as Parties or individually as Party.
As part of the Service (as defined in the MSA), the Processor will Process Personal Data for the Controller. In general Processor is bound by the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementing Act (Uitvoeringswet AVG). Additionally Parties agree that these terms and conditions shall apply to the Processing of Personal Data.
1. Term Agreement
1.1 The DPA comes into effect when the MSA comes into effect.
1.2 The DPA terminates when the Processor stops Processing of Personal Data under the MSA and the arrangements concerning the erasure of Personal Data outlined in the MSA have been fulfilled.
1.3 When the DPA terminates the confidentiality obligation remains in force.
2. Subject Agreement
2.1 The Processor processes the Personal Data solely on behalf of the Controller and only in accordance with its written instructions, this DPA and MSA, unless the Processor is required to process the Personal Data based on a legal obligation. In such a case, the Processor shall notify the Controller in advance of this legal obligation, unless such notification is prohibited by law.
2.2 The nature, propose and duration of Processing as well as the categories of Personal Data and Data Subjects are outlined in Annex 1.
3. Data Processing
3.1 Data Security. The Processor takes all necessary technical and organizational measures to properly secure the Personal Data, as described in Article 32 of the GDPR.
3.2 Data Subject rights. When requests for the exercise of Data Subject rights as described in Articles 15 to 21 of the GDPR occur, the Processor will support the Controller in this process within the time prescribed by law.
3.3 Confidentiality. The Processor and those working under the authority of the Processor are obliged to treat the Personal Data as confidential, unless a legal provision obliges the Processor to disclose such information or disclosure is necessary due to the Processor’s tasks. Accordingly, the aforementioned persons working under its authority have signed non-disclosure agreements, or are otherwise bound by written confidentiality obligations.
3.4 Sub-processors. If a Processor engages a sub-processor, it is obligated to ensure that the sub-processor complies with all the obligations imposed under this DPA and specifically Articles 28.2 and 28.4 of the GDPR. The sub-processors the Processor uses at the time of forming the DPA are outlined in Annex 2. The Controller grants consent for the sub-processors listed. Once the DPA comes into effect, the Processor will inform the Controller when engaging new sub-processors.
3.5 Processing within the European Economic Area (EEA). The Processor ensures that the personal data is not processed outside the EEA unless the conditions laid down in Articles 45 or 46 of the GDPR are satisfied. Once the DPA comes into effect, the Processor will inform the Controller when engaging new Processing activities outside the EEA.
3.6 Audits. The Processor will fully cooperate in audits for compliance with this DPA by a certified auditor, unless the Processor has demonstrated, by means of valid certification (such as ISO/IEC 27001) by an accredited institution, that it is compliant. The Controller will bear all costs related to such verification, unless the auditor identifies major shortcomings on the Processor’s part to fulfil its obligations under the GDPR and this DPA that harm the Controller.
4. Data Breaches
4.1 In the event of a Personal Data Breach, the Processor will inform the Controller without undue delay, but no later than within 36 hours. Processor will report, in so far as this is known (i) the nature and cause of the Breach; (ii) the category and number of Data Subjects affected; (iii) the category of Personal Data affected. Additionally the Processor will take all necessary measures to limit any potential damage and prevent further Breaches.
4.2 The Processor will keep a detailed log of the Breaches and the measures taken in response to Breaches. The Controller will be given access to that log if and when it so requests.
4.3 The Processor will provide full cooperation so that the Controller can fulfill its obligations to timely inform the supervisory authority and/or the Data Subject.
4.4 The Controller consults with the Processor to assess whether the Breach should be reported to the supervisory authority and/or the Data Subject and informs the Processor in advance if they decide to do so.
5. Liability
5.1 Any limitations of liability agreed in the MSA also extend to the DPA.
6. Miscellaneous
6.1 This agreement shall be governed by Dutch law. Any disputes that cannot be settled amicably shall be referred to the competent court specified in the MSA.
Annex 1: Details of Processing
Nature and Purpose of Processing: Processor will process Controller’s User’s Personal Data as necessary to provide the Service under the MSA, for the purposes specified in the MSA and this DPA, and in accordance with Controller’s instructions as set forth in this DPA.
Duration of Processing: Processor will process Controller’s Personal Data as long as required (i) to provide the Service to Controller under the MSA; (ii) for Processor’s legitimate business needs; or (iii) by applicable law or regulation. Controller’s Personal Data will be processed and stored as set forth in the MSA and this DPA.
Categories of Personal Data: Refer to MSA regarding User Personal Data.
Categories of Data Subjects: Controller’s Authorized Users as described in MSA.
Annex 2: Sub-processors
| Sub-processor | Description | Country in which sub-processing will take place |
|---|---|---|
| Amazon Web Services | Hosting | Ireland |
This Data Processing Agreement was last updated on July 7, 2023.