Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement (“MSA”) and describes the terms and conditions related to the Processing of Personal Data by Blockbax B.V. (“Processor”) on behalf of you or the entity you represent (“Controller”), together referred to as Parties or individually as Party.

As part of the Service (as defined in the MSA), the Processor will Process Personal Data for the Controller. The Processor is bound by the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementing Act (Uitvoeringswet AVG). The terms and conditions of this DPA shall apply to all Processing of Personal Data under the Agreement. In the event of a conflict between the MSA and this DPA with respect to the Processing of Personal Data, this DPA shall prevail.

1. Term Agreement

1.1 The DPA comes into effect when the MSA comes into effect.

1.2 The DPA terminates when the Processor stops Processing of Personal Data under the MSA and the arrangements concerning the erasure of Personal Data outlined in the MSA have been fulfilled.

1.3 When the DPA terminates the confidentiality obligation remains in force.

2. Subject Agreement

2.1 The Processor processes the Personal Data solely on behalf of the Controller and only in accordance with its written instructions, this DPA and MSA, unless the Processor is required to process the Personal Data based on a legal obligation. In such a case, the Processor shall notify the Controller in advance of this legal obligation, unless such notification is prohibited by law.

2.2 The Processor shall inform the Controller without undue delay if, in the Processor’s opinion, an instruction from the Controller infringes the GDPR or other applicable data protection law.

2.3 The nature, purpose and duration of Processing as well as the categories of Personal Data and Data Subjects are outlined in Annex 1.

3. Data Processing

3.1 Data Security. The Processor takes all necessary technical and organizational measures to properly secure the Personal Data, as described in Article 32 of the GDPR.

3.2 Data Subject rights. When requests for the exercise of Data Subject rights as described in Articles 15 to 21 of the GDPR occur, the Processor will support the Controller in this process within the time prescribed by law.

3.3 Confidentiality. The Processor and those working under the authority of the Processor are obliged to treat the Personal Data as confidential, unless a legal provision obliges the Processor to disclose such information or disclosure is necessary due to the Processor’s tasks. Accordingly, the aforementioned persons working under its authority have signed non-disclosure agreements, or are otherwise bound by written confidentiality obligations.

3.4 Sub-processors. If a Processor engages a sub-processor, it is obligated to ensure that the sub-processor complies with all the obligations imposed under this DPA and specifically Articles 28.2 and 28.4 of the GDPR. The sub-processors the Processor uses at the time of forming the DPA are outlined in Annex 2. The Controller grants consent for the sub-processors listed. Once the DPA comes into effect, the Processor will inform the Controller when engaging new sub-processors. If the Controller objects to a new sub-processor on reasonable grounds within that period, the Parties shall work in good faith to resolve the objection.

3.5 Processing within the European Economic Area (EEA). The Processor ensures that the personal data is not processed outside the EEA unless the conditions laid down in Articles 45 or 46 of the GDPR are satisfied. Once the DPA comes into effect, the Processor will inform the Controller when engaging new Processing activities outside the EEA.

3.6 Audits. The Processor will fully cooperate in audits for compliance with this DPA by a certified auditor, unless the Processor has demonstrated, by means of valid certification (such as ISO/IEC 27001) by an accredited institution, that it is compliant. The Controller will bear all costs related to such verification, unless the auditor identifies major shortcomings on the Processor’s part to fulfil its obligations under the GDPR and this DPA that harm the Controller.

3.7 DPIA. The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities, as required under Articles 35 and 36 of the GDPR, to the extent that such assistance relates to the Processing of Personal Data by the Processor.

4. Data Breaches

4.1 In the event of a Personal Data Breach, the Processor will inform the Controller without undue delay, but no later than within 36 hours. The Processor will report, insofar as this is known: (i) the nature and cause of the Breach; (ii) the category and number of Data Subjects affected; (iii) the category of Personal Data affected. Additionally, the Processor will take all necessary measures to limit any potential damage and prevent further Breaches.

4.2 The Processor will keep a detailed log of the Breaches and the measures taken in response to Breaches. The Controller will be given access to that log if and when it so requests.

4.3 The Processor will provide full cooperation so that the Controller can fulfill its obligations to timely inform the supervisory authority and/or the Data Subject.

4.4 The Controller consults with the Processor to assess whether the Breach should be reported to the supervisory authority and/or the Data Subject and informs the Processor in advance if they decide to do so.

5. Liability

5.1 Any limitations of liability agreed in the MSA also extend to the DPA.

6. Miscellaneous

6.1 This agreement shall be governed by Dutch law. Any disputes that cannot be settled amicably shall be referred to the competent court specified in the MSA.

6.2 Upon termination of the Agreement, the Processor shall delete all Personal Data after a Retrieval Period in accordance with Section 16 (Effect of Termination) of the MSA. The Processor shall provide written confirmation of deletion upon the Controller’s request.

Annex 1: Details of Processing

Nature and Purpose of Processing: The Processor processes Personal Data contained in Customer Data solely as necessary for the provision of the Service, including storage, display, transmission and technical support. The Processor does not actively access the content of Customer Data except as necessary to resolve support requests or maintain the Service.

Duration of Processing: For the duration of the Agreement and thereafter in accordance with Section 16 (Effect of Termination) of the MSA or as required by applicable law or regulation.

Categories of Personal Data: As determined by the Controller. The Controller is responsible for ensuring that Personal Data included in Customer Data is limited to what is necessary for the Controller’s use of the Service.

Categories of Data Subjects: As determined by the Controller.

Annex 2: Sub-processors

Sub-processor | Description | Country in which sub-processing will take place
Amazon Web Services | Hosting | Ireland

This Data Processing Agreement was last updated on May 20, 2026.