Skip to content
DOENio
NLEN
Back

Last updated: May 4, 2026

Download PDF

Data Processing Agreement

DRAFT — LEGAL REVIEW REQUIRED. This text is a first draft based on Article 28 GDPR and the guidance of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and must be reviewed by legal counsel before being published in production. The Dutch version (dpa-nl.md) is the leading version; this English version is provided for convenience.

This Data Processing Agreement applies to every processing of personal data that DOENio VOF (the "Processor") performs on behalf of the customer (the "Controller") in the context of using the DOENio platform and the subscriptions concluded under it (the "Main Agreement").

DOENio VOF Chamber of Commerce (KvK): 42052522 VAT: [FILL IN] Email: legal@doenio.nl

By accepting DOENio's General Terms, the Controller also accepts this Data Processing Agreement.

1. Definitions

Terms defined in the GDPR have the same meaning in this agreement. In addition:

  • GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation).
  • Personal Data: any data relating to an identified or identifiable natural person ("data subject") that the Processor processes on behalf of the Controller.
  • Sub-processor: a third party engaged by the Processor to process Personal Data in the context of the Main Agreement.
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

2. Subject and term

2.1. The Processor processes Personal Data only in the context of performing the Main Agreement. The subject, nature, purpose, types of personal data and categories of data subjects are further described in Annex 1.

2.2. This Data Processing Agreement applies for the duration of the Main Agreement and ends automatically when the Main Agreement ends, without prejudice to provisions which by their nature continue to apply thereafter.

3. Instructions and purposes

3.1. The Processor processes Personal Data only on documented instructions from the Controller, including instructions set out in the Main Agreement, the product configuration in the Platform, and this Data Processing Agreement.

3.2. The Processor does not use Personal Data for its own purposes and does not share it with third parties, other than as expressly permitted by this agreement or required by law.

3.3. If the Processor considers that an instruction infringes the GDPR or other privacy law, it will inform the Controller without delay in writing.

4. Confidentiality

4.1. The Processor ensures that persons authorised to process Personal Data (employees, contractors and persons working for Sub-processors) have committed themselves to confidentiality, either contractually or under a statutory obligation.

4.2. Access is granted on a "least privilege" basis: only to persons for whom access is necessary to perform their task.

5. Security

5.1. The Processor implements appropriate technical and organisational measures to secure Personal Data, taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purposes of the processing. These measures are described in Annex 3.

5.2. The measures include, where appropriate, pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore the availability of and access to Personal Data in a timely manner in the event of an incident, and a process for regularly testing and evaluating the effectiveness of those measures.

5.3. The Controller acknowledges that the measures described in Annex 3 are appropriate for the processing described in Annex 1.

6. Sub-processors

6.1. The Controller grants the Processor general prior authorisation to engage the Sub-processors listed in Annex 2.

6.2. Where the Processor wishes to add or replace a Sub-processor, it notifies the Controller at least thirty (30) days in advance. The Controller may object on reasonable grounds in writing within that period; the parties will then consult to find a reasonable solution. If no solution is found, either party may terminate the relevant part of the Main Agreement.

6.3. The Processor imposes on each Sub-processor, by way of a written agreement, the same obligations as those imposed on the Processor under this agreement, in particular as regards security.

6.4. The Processor remains fully liable to the Controller for the performance of the Sub-processor's obligations (Article 28(4) GDPR).

7. Assistance with data subject rights

7.1. Taking into account the nature of the processing, the Processor provides reasonable assistance to the Controller in responding to requests from data subjects exercising their rights under the GDPR (including access, rectification, erasure, restriction, portability and objection).

7.2. Requests from data subjects received directly by the Processor are not handled by the Processor independently; the Processor forwards them to or refers the data subject to the Controller.

8. Personal Data Breaches and other assistance

8.1. The Processor informs the Controller without undue delay, and in any event within 24 hours of becoming aware of it, of any Personal Data Breach affecting the Personal Data it processes for the Controller. The notification contains at least the information referred to in Article 33(3) GDPR.

8.2. The Processor provides reasonable assistance to the Controller in complying with its obligations under Articles 32 to 36 GDPR, including in the context of security incidents, data protection impact assessments (DPIAs) and prior consultations.

9. Audit

9.1. On the Controller's request, the Processor makes available all information necessary to demonstrate compliance with Article 28 GDPR.

9.2. The Controller is entitled to (have a third party) carry out an audit at most once per calendar year, and additionally upon a serious suspicion of breach, at its own cost and on at least four (4) weeks' prior notice. Audits will be conducted in a manner that minimises disruption to the Processor's operations.

9.3. Where the Processor holds current certifications (such as ISO 27001 or SOC 2) or recent independent audit reports, the Controller may accept these as adequate fulfilment of its audit right, to the extent they cover the relevant subject matter.

10. Transfers outside the EEA

10.1. The Processor will not transfer Personal Data to a country outside the European Economic Area (EEA) or to an international organisation without implementing an appropriate transfer mechanism under the GDPR (such as an adequacy decision or the European Commission's Standard Contractual Clauses).

10.2. Any Sub-processors located outside the EEA are listed in Annex 2, indicating the applicable transfer mechanism.

11. Return and deletion

11.1. After the end of the Main Agreement, or earlier on the Controller's request, the Processor deletes the Personal Data or returns it to the Controller, at the Controller's choice. The Processor also deletes copies, unless statutory retention obligations require otherwise.

11.2. Deletion takes place no later than within thirty (30) days of the end of the Main Agreement, except for back-up media which are rotated according to a fixed retention schedule.

12. Liability

12.1. The liability regime of the Main Agreement applies to liability arising under this Data Processing Agreement, without prejudice to liability that may arise directly between the parties or towards data subjects under Article 82 GDPR.

13. Final provisions

13.1. In the event of a conflict between the Main Agreement and this Data Processing Agreement, this Data Processing Agreement prevails for matters concerning the processing of Personal Data.

13.2. This Data Processing Agreement is governed by Dutch law. Disputes are submitted to the competent court in Rotterdam, the Netherlands.

Annex 1 — Description of the processing

Subject and nature: the hosting and processing of personal data for the purpose of operating the DOENio platform, including user management, executing AI agents and related workflows, integrations with external services designated by the Controller (such as email, calendar, chat, ticketing) and storing results and logs.

Purpose: performing the Main Agreement and providing the services described in it.

Duration: for the term of the Main Agreement, followed by the deletion period referred to in article 11.

Categories of data subjects:

  • the Controller's users (employees, administrators);
  • persons whose data flow into the Platform via connected external services (such as senders of emails, participants in chats or calendar events, customers or contacts in CRM/ticketing systems);
  • other persons entered into the Platform by the Controller (for example in knowledge base documents or as input for agents).

Types of personal data:

  • contact and account data (name, email, language preference, organisation, role);
  • content of messages and documents provided or processed by or on behalf of the Controller;
  • usage metadata of the Platform (such as activity and audit logs);
  • credentials and session tokens (where applicable encrypted or hashed).

The Controller ensures that no special categories of personal data (such as health, religion, or criminal record data) are entered into the Platform unless the Controller has its own legal basis for doing so and has agreed this with the Processor in writing.

Annex 2 — Sub-processors

The following Sub-processors are engaged by the Processor:

Sub-processorPurposeProcessing locationTransfer mechanism (if outside EEA)
[FILL IN — e.g. hosting provider]Hosting / infrastructure[FILL IN][FILL IN]
[FILL IN — e.g. email provider]Transactional email[FILL IN][FILL IN]
[FILL IN — e.g. LLM provider]AI model inference[FILL IN][FILL IN]
Mollie B.V.Payment processingEU (Netherlands)n/a

A current list of Sub-processors is available on request via legal@doenio.nl.

Annex 3 — Technical and organisational security measures

The Processor implements at least the following measures, to the extent applicable to processing under this agreement:

Access control and authentication

  • role-based access control to production systems on a "least privilege" basis;
  • mandatory strong passwords and, where possible, multi-factor authentication for access by Processor personnel;
  • support for multi-factor authentication for end users in the Platform.

Encryption

  • encryption of personal data in transit using TLS 1.2 or higher;
  • encryption of sensitive secrets at rest (such as OAuth tokens) using AES-256-GCM.

Logging and monitoring

  • centralised audit logs of security-relevant events;
  • monitoring of the Platform and alerting on anomalies.

Availability and recovery

  • regular backups of personal data;
  • recovery procedures for access and availability in the event of an incident.

Secure software development

  • code review and automated tests;
  • dependency management and periodic updates of components;
  • separation of development, test and production environments.

Organisational measures

  • confidentiality obligations for employees;
  • information security awareness and training measures;
  • security incident and breach management process.

The Processor periodically evaluates these measures and adjusts them based on the state of the art, identified threats and changes in the nature of the processing.