Data Processing Agreement
Last updated on 17 November 2025
The Undersigned Parties:
1. [Company], having its place of business at [address], for the purpose hereof represented by the undersigned legal representative, hereinafter referred to as “Company”;
2. Codekeeper BV, having its place of business at World Trade Center - The Hague, Prinses Margrietplantsoen 33, 2595 AM The Hague, The Netherlands, for the purpose hereof represented by the undersigned legal representative, hereinafter referred to as “Processor”;
together as the “Parties”,
Whereas:
- Company acts as a Data Controller.
- Company wishes to subcontract certain Services, which imply the processing of personal data, to the data Processor.
- The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- The Parties wish to lay down their rights and obligations.
Now, therefore, the parties hereby agree to the following standard contractual clauses:
Article 1 - Definitions
1.1 Any interpretation of any word and/or term and/or provision of this agreement shall be limited to the definition and meaning set out hereinafter:
“Agreement”:
This data processing agreement and all Schedules;
“Company Personal Data”:
Any personal data processed by a Processor or Subprocessor on behalf of Company pursuant to or in connection with the Principal Agreement.
“Data Protection Laws”:
EU Data Protection Laws, and the standard contractual clauses to the applicable extent.
“Data Subject”:
An individual whose Personal Data is processed and therefore subject to Data Protection Laws.
“EEA”:
European Economic Area.
“EU Data Protection Laws”:
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”), as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR, and in respect of the United Kingdom any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
“GDPR”:
EU General Data Protection Regulation 2016/679.
- A transfer of Company Personal Data from the Company to a Subprocessor; or
- An onward transfer of Company Personal Data from a Subprocessor to a subcontracted processor, or between two establishments of a Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
“Principal Agreement”:
Any services agreement including, but not limited to a master service agreement, terms of service or use, statement of work, or any other services agreement or supplement to such services agreement between Parties.
“Processing”:
Any operation or set of operations performed on Company Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
“Processor”:
An entity that Processes Company Personal Data on behalf of Company.
“Services”:
The services provided for under the escrow agreement between Processor and Company.
“Schedule”:
Any document, schedule, or appendix that is attached to and forms part of this Agreement, providing additional information, specifications, or details that are referenced in the main body of the Agreement.
“Subprocessor”:
Any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.2 The terms, "Commission", "Controller", "Data Subject", “Data Subject Rights”, "Member State", "Personal Data", "Personal Data Breach" and "Supervisory Authority" shall have the same meaning as in the applicable Data Protection Law, and their cognate terms shall be construed accordingly.
1.3 All capitalized terms not defined in this Agreement shall have the meanings set forth in the applicable Data Protection Law.
Article 2 - Effect and Invariability of the Clauses
2.1 These Articles set out appropriate safeguards, including enforceable Data Subject rights and effective legal remedies, pursuant to article 46(1) and article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from Controller to Subprocessors and/or Subprocessors to Subprocessors, standard contractual clauses pursuant to article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate module(s) or to add or update information in the Schedule. This does not prevent the Parties from including the standard contractual clauses laid down in these Articles in a wider contract and/or to add other provisions or additional safeguards, provided that they do not contradict, directly or indirectly, these Articles or prejudice the fundamental rights or freedoms of Data Subjects.
Article 3 - Interpretation
3.1 Where these Articles use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
3.2 These Articles shall be read and interpreted in the light of the provisions of Data Protection Laws.
3.3 These Articles shall not be interpreted in a way that conflicts with rights and obligations provided for in Data Protection Laws.
Article 4 - Data Transfer
4.1 Processor shall:
4.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
4.1.2 process Company Personal Data only on the relevant Company’s documented instructions. Company may give such instructions throughout the duration of this Agreement.
4.2 Processor shall promptly inform the data exporter if it is unable to follow those instructions.
4.3 The Subprocessor shall process the personal data only for the specific purpose(s) of the transfer, as set out in Schedule 1, unless on further instructions from Company.
4.4 On request, Company shall make a copy of this Agreement, including its Schedules as completed by the Parties, available to the Data Subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Schedule 2 and Company Personal Data, Company may redact part of the text of the Schedule to these Articles prior to sharing a copy, but shall provide a meaningful summary where the Data Subject would otherwise not be able to understand its content or exercise his/her rights. On request, Company shall provide the Data Subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Article is without prejudice to the obligations of Company under articles 13 and 14 of Regulation (EU) 2016/679.
4.5 If Processor becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall promptly inform Company of such. In this case, the Processor shall provide reasonable cooperation to Company to erase or rectify the data.
Article 5 - Processor Personnel
5.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Article 6 – Security
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
6.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
6.3 Processor shall grant access to the Company Personal Data to members of its personnel only to the extent necessary for the implementation, management and monitoring of the Principal Agreement between Processor and Company. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Article 7 – Subprocessing
7.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or where it has Company’s general authorization for the engagement of Subprocessor(s). A list of the Subprocessor(s) engaged by Processor shall be provided to Company upon a written request to Processor. Processor shall specifically inform Company in writing of any intended changes to that list through the addition or replacement of sub-processors at least fifteen (15) calendar days in advance, thereby giving Company sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). Processor shall provide Company with the information reasonably necessary to enable Company to exercise its right to object.
7.2 Processor shall, as far as reasonably practicable, notify Company of any failure by the Subprocessor to fulfil its obligations under that contract.
Article 8 – Data Subject Rights
8.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
8.2 Processor shall:
8.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
8.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by applicable laws inform Company of that legal requirement before the Subprocessor responds to the request.
Article 9 - Personal Data Breach
9.1 Processor shall notify Company without undue delay and upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
9.2 Processor shall cooperate with the Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Article 10 – Data Protection Impact Assessment and Prior Consultation
10.1 Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.
Article 11 - Documentation and Compliance
11.1 Processor shall promptly and adequately deal with enquiries from the Company that relate to the processing under these Articles.
11.2 The Parties shall be able to demonstrate compliance with these Articles. In particular, Processor shall keep appropriate documentation on the processing activities carried out on behalf of Company.
Article 12 – Deletion and Return of Company Personal Data
12.1 Processor shall promptly and in any event within ten (10) business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data. Until the Company Personal Data is deleted, Processor shall continue to ensure compliance with these Articles. In case of local laws applicable to the Processor and/or Subprocessors that prohibit deletion of the Company Personal Data, Processor warrants that it will continue to ensure compliance with these Articles and will only process it to the extent and for as long as required under that local law. This is without prejudice to Article 17, in particular the requirement for the Processor under Article 17.2 to notify Company throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Article 17.1.
Article 13 - Audit Rights
13.1 Subject to this Article 13, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement.
13.2 Information and audit rights of the Company only arise under Article 13.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
Article 14 – Data Transfer Outside the EEA
14.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If Company Personal Data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, hereinafter “onward transfer”, the Parties shall ensure that the Company Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the onward transfer of personal data.
Article 15 – Liability and Indemnity
15.1 This Agreement shall be subject to the liability provisions agreed to between Company and Processor in the Principal Agreement.
Article 16 - Supervision
16.1 The supervisory authority with responsibility for ensuring compliance by Processor with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Schedule 1.C, shall act as competent supervisory authority.
16.2 Processor agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Articles. In particular, Company agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
Article 17 - Obligations of Processor in Case of Access by Public Authorities
17.1 The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by Processor, including any requirements to disclose personal data or measures authorising access by public authorities, prevent Processor from fulfilling its obligations under these Articles.
17.2 Processor agrees to notify Company promptly if, after having agreed to these Articles and for the duration of the contract between Processor and Company, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Article 17.1, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in Article 17.1.
17.3 Should Processor be legally compelled to disclose Company Personal Data as a result of a court order from a court of competent jurisdiction or at the request of an appropriate regulatory body, Processor agrees to provide the minimum amount of information permissible when responding to such request for disclosure, based on a reasonable interpretation of the request.
Article 18 - Non-Compliance and Termination
18.1 Processor shall promptly inform Company if it is unable to comply with these Articles, for whatever reason.
18.2 In the event that Processor is in breach of these Articles or unable to comply with these Articles, Company shall suspend the transfer of personal data to Processor until compliance is again ensured or the contract between Processor and Company is terminated.
18.3 Company shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Articles, where:
(i) Company has suspended the transfer of personal data to Processor pursuant to Article 18.2 and compliance with these Articles is not restored within a reasonable time and in any event within one month of suspension;
(ii) Processor is in substantial or persistent breach of these Articles; or
(iii) Processor fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Articles.
18.4 In these cases above, Company shall inform the competent supervisory authority of such non-compliance.
Article 19 - Governing Law and Jurisdiction
19.1 The (performance of the) Agreement and all modifications or amendments thereto shall be governed by and construed in accordance with the laws of The Netherlands. The parties shall submit any dispute that might arise with respect to (the performance of) the Agreement in the first instance to the jurisdiction of the competent court in Amsterdam.
Article 20 - General Terms
20.1 Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
20.2 All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.
20.3 Where the word ‘written’ or ‘writing’ is mentioned in this Agreement, this also means by email, unless otherwise specified.
20.4 This Agreement may be executed in any number of counterparts and by different parties in separate counterparts. Each counterpart when so executed shall be deemed to be an original and all of which together shall constitute one and the same agreement.
20.5 If any of the provisions of this Agreement shall be held by a court of competent jurisdiction to be contrary to law, the remaining provisions of this Agreement will remain in full force and effect.
20.6 This Agreement may not be amended, modified, altered or supplemented other than by means of a written instrument duly executed and delivered on behalf of all parties hereto.
Article 21 - Controller
21.1 Controller contact and registration information:
[Company]
[Address]
Email: [Controller point of contact]
21.2 Controller certifies that this information is correct and agrees that Escrow Agent will treat this information as complete and valid for the purposes of this Escrow Agreement.
Article 22 - Processor
22.1 Controller assigns the entity below as Escrow Agent within the context of this Agreement:
Codekeeper BV
World Trade Center
Prinses Margrietplantsoen 33
2595 AM
The Hague
The Netherlands
Email: service@codekeeper.co
22.2 Any written notice required or permitted to be given to Escrow Agent must be addressed to the Codekeeper BV, World Trade Center, The Hague, Prinses Margrietplantsoen 33, 2595 AM, The Hague, The Netherlands’ office, irrespective of the territorial jurisdiction of this Escrow Agreement.
22.3 All electronic notice required or permitted to be given to Escrow Agent must be addressed to Codekeeper at service@codekeeper.co.
Schedule 1 - Description of Transfer and Processing
1. LIST OF PARTIES
Data exporter:
Name: [Company Name]
Contact: As specified in Article 21 above
Activities relevant to the data transfer: Use of the Service provided by Processor
Role: Controller
Data Importer:
Name: Codekeeper BV, provider of the Service to Controller
Contact details: As specified in Article 22 above
Activities relevant to the data transfer: Provision of the Service to Controller
Role: Processor
2. DESCRIPTION OF TRANSFER
Categories of personal data transferred:
(i) Company Personal Data that Controller provides to Processor or through an end-user’s interaction with the Service including but not limited to names, email addresses and other Company Personal Data as provided by Controller
(ii) Company Personal Data from other third-party services Controller uses in conjunction with the Services provided by Processor
(iii) Data relating to Controller and end-users’ use of the Service. This includes but is not limited to interactions with the user interface, device information, IP address, location, browser type and language
Frequency of the transfer:
(i) Processor will process Company Personal Data when Controller accesses and utilizes the Services provided by Processor
Period for which the Company Personal Data will be retained:
(i) Processor shall retain Company Personal Data for as long as is necessary to provide the Service to Controller, subject to legal obligations that may require further retention of such information.
(ii) Processor may retain information to comply with applicable law or other regulatory processes Processor is required to adhere to.
3. COMPETENT SUPERVISORY AUTHORITY
Dutch Data Protection Commissioner (Autoriteit Persoonsgegevens).
Schedule 2 - Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
Description of the technical and organisational measures implemented by the Processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
1. DATA CENTER SECURITY
(i) Processor utilizes data centers that implement strict security requirements such as those required to be ISO/IEC 27001 and ISO/IEC 27018 compliant.
(ii) Data centers utilized by Processor are held in secure SOC2 certified data centers that implement firewalls and access restrictions.
(iii) Data centers utilized by Processor actively monitor the systems used and undergo third-party annual security audits and assessments to ensure Processor’s practices adhere to the highest security standards.
(iv) All database servers are isolated inside a virtual private cloud and only accessible by key personnel via multi-factor authentication.
(v) All access to Data centers is logged, and access can be immediately revoked.
2. PROTECTION FROM DATA LOSS AND CORRUPTION
(i) Company Personal Data shall be encrypted with AES256/612 encryption
(ii) All data is backed up continuously and stored in multiple storage regions
(iii) All data operations are mirrored to a redundant secondary database
(iv) Processor has a business continuity plan in place which shall allow it to respond and recover from any major disruption of its services and requires its data center partners to have the same.
(v) Processor has an incident response plan in place and shall inform Controller without delay if such an incident occurs that directly affects Controller.
3. MEASURES OF PSEUDONYMIZATION AND ENCRYPTION OF PERSONAL DATA
(i) Account passwords are hashed.
(ii) Multi-factor authentication is supported for all internal administrator functions of the application.
(iii) All code changes require code reviews via an enforced code review process.
(iv) Dependency analysis tools are in place to identify security issues and threats.
(v) Processor conducts regular vulnerability scanning.
4. INTERNAL MEASURES AND TRAINING PROTOCOLS
(i) All new employees undergo security and data privacy training during their onboarding period, and where applicable this training is tailored to the relevant job function.
(ii) All employees undergo security training at regular intervals.
(iii) Any new product changes and improvements undergo data privacy consideration before the project or change continues to implementation.