Data Processing Agreement

Last updated: 2026-05-07 · v2.0

This Data Processing Agreement (“DPA”) sets out the terms under which suPlay BV (“Processor”) processes Personal Data on behalf of the Customer (“Controller”) in connection with the Supplier Satisfaction Analysis Platform (“SSA Platform”). It is designed to meet the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

How to sign: download the PDF version on request, fill in Annex A with your organisation’s details, sign, and email the signed copy to privacy@suplay.nl. We will counter-sign within five business days. Enterprise-tier customers may also sign via DocuSign on request.

1. Definitions

• “Personal Data”, “Processing”, “Controller”, “Processor”, “Subprocessor”, “Data Subject” have the meanings given in the GDPR.
• “Services” means the SSA Platform as described in our Terms of Service.
• “Main Agreement” means the Terms of Service and any signed order form under which the Controller uses the Services.

2. Subject matter and duration

This DPA applies to all Processing of Personal Data carried out by suPlay BV on behalf of the Controller under the Main Agreement. It is in force for the duration of the Main Agreement and survives until all Personal Data processed hereunder has been deleted in accordance with §10.

3. Nature and purpose of processing

The Processor processes Personal Data solely to provide the Services: to operate buying-firm accounts, distribute and collect supplier-satisfaction surveys, deliver analysis and reporting, handle transactional email, and manage billing. A full description of Processing activities, categories of Data Subjects, and categories of Personal Data is set out in Annex B.

4. Documented instructions

The Processor processes Personal Data only on documented instructions from the Controller. Use of the Services through their documented user interfaces and APIs constitutes such instructions. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

5. Confidentiality of personnel

The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Security (Art. 32)

The Processor implements appropriate technical and organisational measures, including those described at /security. Measures include, at minimum:

• TLS 1.2+ for all external traffic; HSTS enforced.
• Encryption of backups at rest (GPG AES-256 symmetric; key held by suPlay BV only).
• bcrypt password hashing and SHA-256 token hashing.
• Role-based access control; least-privilege staff access.
• Hardened server configuration (SELinux enforcing, fail2ban, hardened SSH on port 5022).
• Multi-tenant data isolation; partial unique indexes preventing cross-tenant data access.
• Rate limiting on authentication and sensitive endpoints.
• Error-monitoring PII scrubbing (no response content or supplier identifiers in Sentry).
• Audit logging of administrative impersonation and privilege escalation.

7. Subprocessors

The Controller authorises the Processor’s engagement of the Subprocessors listed on our Subprocessors page as of the Effective Date. The Processor will:

• Impose contractual obligations on each Subprocessor no less protective than this DPA.
• Give the Controller at least 30 days’ written notice before adding or replacing any Subprocessor.
• Allow the Controller to object on reasonable grounds within that 30-day period; if the objection cannot be resolved, the Controller may terminate the affected subscription on a pro-rata basis.

8. Assistance (Arts. 28(3)(e), (f))

Taking into account the nature of the Processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to Data Subject rights requests (Chapter III GDPR), data breach notification, data protection impact assessments, and prior consultation with the supervisory authority.

• Buying-firm users: self-service via /admin/profile (access, rectification, erasure).
• Supplier respondents: on request via privacy@suplay.nl within 30 days.

9. Personal-data breach notification (Art. 33)

The Processor notifies the Controller without undue delay, and in any case within 72 hours of becoming aware, of any Personal Data breach affecting the Controller’s data. The notification will describe the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and remediation measures taken or proposed.

10. Return or deletion of Personal Data

On termination of the Main Agreement, the Controller may export its Personal Data for 30 days. After that period, the Processor deletes all Personal Data processed under this DPA within 90 days, including from database backups on their next rotation, unless Union or Member State law requires longer storage (for example, Dutch tax law requires billing records to be retained for seven years).

11. Audit (Art. 28(3)(h))

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR, including this DPA, the Subprocessors page, the Security Summary, and our internal processing inventory on request. The Processor supports remote, questionnaire-based audits at no cost, and on-site audits at the Controller’s reasonable expense. The Controller will provide at least 30 days’ notice and audits will not disrupt operations. Audits are limited to once per calendar year unless required by a supervisory authority.

12. International transfers

Where Personal Data is transferred outside the European Economic Area to a Subprocessor, the transfer is made on the basis of the European Commission’s Standard Contractual Clauses (Decision 2021/914 or any successor), unless the recipient country has an adequacy decision under Art. 45 GDPR.

13. Liability and order of precedence

Each party’s liability under this DPA is subject to the liability limits of the Main Agreement. In case of conflict between this DPA, the Main Agreement, and the GDPR, the GDPR prevails, then this DPA, then the Main Agreement.

14. Governing law and jurisdiction

This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the District Court of Overijssel (Rechtbank Overijssel, locatie Almelo), without prejudice to a Data Subject’s statutory rights of complaint to a supervisory authority.

---

Annex A — Parties (to be completed by the Customer)

Processor: suPlay BV, Ruwerstraat 9, 7545 SM Enschede, The Netherlands. KvK: 70176264. VAT: NL858175691B01. Represented for signature by Holger Schiele, Managing Director. Data Protection contact: Frederik Vos (Co-founder), privacy@suplay.nl.

Controller:

• Legal name: ____________________________________
• Registered address: ____________________________
• Company registration (KvK / trade register / equivalent): ___________
• VAT ID: ___________________________________________
• Represented by (name, title): ____________________
• Privacy contact (name, email): ____________________
• Effective date: ___________________________________

Annex B — Processing description

Subject matter and duration: operation of the SSA Platform, for the duration of the Main Agreement.

Nature and purpose: delivering a supplier-satisfaction survey platform enabling buying organisations to invite their suppliers to complete structured questionnaires, analyse results, and generate reports — with associated transactional email, billing, and error monitoring.

Categories of Data Subjects:

• Buying-firm users — the Controller’s employees and contractors who administer surveys and access results.
• Supplier respondents — individuals at the Controller’s supplier organisations who are invited by name to complete surveys.
• Consultants — third-party consultants granted access by the Controller.

Categories of Personal Data:

• Contact data: name, email address, employer, role.
• Authentication data: bcrypt-hashed password, session identifiers (buying-firm users only).
• Survey response content: answers to Likert-scale and open-text questions about buyer–supplier relationships. Responses do not include special-category data unless the Controller introduces it through free-text fields.
• Invitation data: personalized survey links tied to named supplier contacts.
• Billing data (when billing is enabled): PayPal payer ID, subscription ID, transaction history, company VAT ID.
• Technical log data: IP address, user-agent, request path, timestamp (retained 90 days maximum).

Special categories of data: none are knowingly processed. The Controller is responsible for ensuring no special-category data (Art. 9 GDPR) is submitted through survey responses or free-text fields unless a separate lawful basis applies.

Processing operations: collection, storage, analysis (statistical aggregation, AI-assisted report generation), display to authorised parties, transmission to Subprocessors for email / error-monitoring / payments, erasure on request or schedule.

Annex C — Subprocessors

The current list of Subprocessors is maintained on our Subprocessors page and incorporated into this DPA by reference.

← Back