Data Processing Agreement ("DPA")
Last updated: 12 May 2025
This Data Processing Agreement ("Agreement") forms part of the Terms of Service ("Principal Agreement") between GuusLab (eenmanszaak), Emmaweg 46, 3603 AN Maarssen, Netherlands, KvK 95954600 ("Processor" or "GuusLab") and the customer entity that has accepted the Principal Agreement ("Controller" or "Customer").
By using the Service, Customer accepts this DPA.
1. Definitions
Terms defined in the EU General Data Protection Regulation (2016/679) ("GDPR") have the same meaning in this DPA. "Data Protection Law" means GDPR and any other applicable privacy or data‑protection legislation.
2. Subject Matter and Duration
- Subject Matter. Processor processes Personal Data on behalf of Controller to provide the services described in the Principal Agreement: GuusLab, ArtiFiles and Project Stride (the "Services").
- Duration. Processing shall continue for the term of the Principal Agreement plus any retention period outlined in Annex II.
3. Nature and Purpose of Processing
Processor will process Personal Data solely for the purpose of delivering, maintaining and improving the Services, providing support, and fulfilling Processor's legal obligations.
4. Obligations of Processor
- Processing on Instructions. Processor will process Personal Data only on documented instructions from Controller, unless required by EU or Member‑State law.
- Confidentiality. Processor shall ensure persons authorised to process Personal Data are bound by confidentiality.
- Security. Processor shall implement the technical and organisational measures set out in Annex III.
- Sub‑processors. Processor may engage the Sub‑processors listed in Annex IV. Processor will notify Controller of intended additions or replacements at least 30 days in advance, granting Controller the right to object.
- Data Subject Rights. Taking into account the nature of the processing, Processor shall assist Controller in fulfilling data‑subject requests.
- Assistance. Processor shall assist Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA).
- Deletion or Return. At termination, Processor will, at Controller's choice, delete or return all Personal Data, except where retention is required by law.
- Audits. Processor will make available information necessary to demonstrate compliance and allow for audits (maximum once per year) subject to reasonable notice and confidentiality obligations.
- Breach Notification. Processor shall notify Controller without undue delay and within 72 hours after becoming aware of a Personal‑Data Breach.
5. Obligations of Controller
- Controller shall ensure that it is entitled to transfer the Personal Data to Processor.
- Controller shall be solely responsible for the accuracy, quality and legality of Personal Data and the means by which Controller acquired it.
- Controller shall respond to data‑subject requests and comply with Data Protection Law.
6. International Transfers
Where Processor transfers Personal Data outside the EEA or Switzerland to a country that does not provide an adequate level of protection, Processor shall ensure such transfer is subject to the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914), Module 2 (Controller→Processor), which are incorporated by reference.
7. Liability
The liability provisions of the Principal Agreement apply to this DPA. Nothing in this DPA limits either party's liability under GDPR.
8. Hierarchy
In case of conflict, the Standard Contractual Clauses prevail, followed by this DPA, then the Principal Agreement.
9. Governing Law and Jurisdiction
This DPA is governed by Dutch law. Disputes shall be resolved by the competent courts of Amsterdam, unless the SCCs specify otherwise.
10. Signatures
By accepting the Principal Agreement or executing an Order Form that references it, the parties agree to this DPA.
Annex I – Details of Processing
| Item | Description |
|---|---|
| Categories of Data Subjects | Customer's end‑users, employees, contractors, collaborators, and any individuals whose data are uploaded or stored via the Services. |
| Categories of Personal Data | Account details (name, email), subscription data, user‑generated content, AI chat messages, file metadata, IP addresses, telemetry logs. |
| Special Categories | None intentionally processed. |
| Frequency of Transfer | Continuous as determined by Controller's use of the Services. |
| Purpose of Transfer & Processing | Provide, secure, maintain and improve the Services, customer support, billing, fraud prevention. |
| Retention | See Annex II. |
Annex II – Retention Schedule
| Data Category | Retention Period |
|---|---|
| Account & User Content | Life of account + 30 days (or earlier upon request) |
| AI Chat Logs | Until user deletes or 2 years of inactivity |
| Payment Records | 7 years (Dutch tax law) |
| Back‑ups | Rolling 30‑day encrypted back‑ups |
Annex III – Technical & Organisational Measures
- Physical Security – Mac mini server stored in locked premises in Maarssen, NL; restricted access.
- Network Security – TLS 1.2+ encryption; Cloudflare WAF & DDoS; firewall and intrusion‑detection.
- Data‑at‑Rest – AES‑256 encryption on local disks and Wasabi object storage.
- Access Control – Role‑based access; least privilege; MFA for admin; audit logs.
- Operational Security – Regular patching, vulnerability scanning, code review; off‑site encrypted backups.
- Incident Response – Breach detection monitoring; 72‑hour notification window; documented response plan.
- Business Continuity – Automated daily backups to Wasabi EU region; restore tested quarterly.
Annex IV – Approved Sub‑processors
| Sub‑processor | Service | Location | Transfer Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | CDN/DNS/WAF | USA | DPF & SCCs |
| Stripe Payments Europe, Ltd. | Payment processing | EEA, USA | SCCs |
| Wasabi Technologies, LLC (EU region) | Object storage & backups | EU | SCCs |
| Google LLC (Identity & AI) | Auth, optional AI | USA | DPF & SCCs |
| OpenAI, L.L.C. | AI processing | USA | SCCs |
Processor will update this list via email or in‑app notice at least 30 days before engaging a new Sub‑processor.
End of DPA