Template — not yet binding. This document describes how Hugo Platret (Zaamsflow) handles personal data, and takes legal effect only when signed as part of a Principal Agreement and completed with the engagement-specific details in Annex 1. It is not legal advice; have it reviewed by a qualified professional before relying on it.
Processor: Hugo Platret, trading as Zaamsflow (KvK 98290010), registered at Vleutenseweg 126, Utrecht. Contact: hugo.platret@gmail.com.
Controller (Client): the client identified in the Principal Agreement that engages the Processor to provide the Services.
1. Definitions
Capitalised terms used in this Agreement have the meaning given to them in the GDPR. In addition:
- “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation), together with any national implementing legislation, including the Dutch UAVG.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” and “Personal Data Breach” have the meanings given in Article 4 GDPR.
- “Client” means the controller identified in the Principal Agreement that engages the Processor to provide the Services.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Client.
2. Roles and scope
In respect of Personal Data processed while providing the Services, the Client acts as Controller and the Processor acts as processor. Where the Client is itself a processor for a third-party controller, the Client warrants that it is authorised to instruct the Processor on that controller's behalf.
This Agreement applies to all Processing carried out by the Processor on behalf of the Client. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are set out in Annex 1.
3. Processing on documented instructions
The Processor shall process Personal Data only on the documented instructions of the Client, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which the Processor is subject; in that case the Processor shall inform the Client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
The Processor shall immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
4. Confidentiality
The Processor shall ensure that any person authorised to process the Personal Data has committed to confidentiality or is under an appropriate statutory obligation of confidentiality, and processes the Personal Data only as instructed by the Client.
5. Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to Data Subjects, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2 and in accordance with Article 32 GDPR.
6. Sub-processors
The Client grants the Processor general authorisation to engage the Sub-processors listed in Annex 3. The Processor shall inform the Client of any intended addition or replacement of a Sub-processor, giving the Client a reasonable opportunity to object.
The Processor shall impose on each Sub-processor, by written contract, data protection obligations equivalent to those in this Agreement, and remains fully liable to the Client for each Sub-processor's performance.
7. Assistance with data subject rights
Taking into account the nature of the processing, the Processor shall assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligation to respond to requests to exercise Data Subject rights under Chapter III GDPR.
If a Data Subject contacts the Processor directly, the Processor shall forward the request to the Client without undue delay and shall not respond except on the Client's documented instructions.
8. Personal data breaches
The Processor shall notify the Client without undue delay after becoming aware of a Personal Data Breach affecting the Client's Personal Data, and shall provide the information reasonably required for the Client to meet its obligations under Articles 33 and 34 GDPR.
9. Impact assessments and prior consultation
The Processor shall provide reasonable assistance to the Client with data protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
10. International transfers
The Processor shall not transfer Personal Data outside the European Economic Area unless it has put in place appropriate safeguards under Chapter V GDPR, such as the European Commission's Standard Contractual Clauses or an adequacy decision. Transfers arising from the Sub-processors in Annex 3 are subject to such safeguards.
11. Audits and information
The Processor shall make available to the Client all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Client or a mandated auditor, subject to reasonable notice, confidentiality undertakings, and no more than once per year unless required by a supervisory authority.
12. Return and deletion of data
At the choice of the Client, the Processor shall delete or return all Personal Data after the end of the provision of the Services, and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
13. Liability
Each party's liability arising out of or related to this Agreement is subject to the limitations and exclusions of liability set out in the Principal Agreement.
14. Term
This Agreement takes effect on the effective date of the Principal Agreement and remains in force for as long as the Processor processes Personal Data on behalf of the Client.
15. Governing law
This Agreement is governed by the laws of the Netherlands. If this Agreement and the Principal Agreement conflict on data protection matters, this Agreement prevails.
Annex 1 · Details of the processing
- Subject matter
- Processing of Personal Data necessary for the Processor to deliver the software development, AI integration and consulting Services described in the Principal Agreement.
- Duration
- For the term of the Principal Agreement and any period during which the Processor retains Personal Data in accordance with Clause 12.
- Nature and purpose
- Development, testing, debugging, maintenance and AI-assisted processing of the Client's systems and data, solely to provide the Services.
- Types of Personal Data
- As determined by the Client's systems and data made available to the Processor. To be specified per engagement; by default may include names, contact details, account identifiers and content submitted by the Client's users. Special categories of data are not processed unless expressly agreed in writing.
- Categories of Data Subjects
- As determined by the Client; typically the Client's customers, users, employees and contacts. To be specified per engagement.
Annex 2 · Technical and organisational measures
- Access to Client systems and data is restricted to the Processor and granted on a least-privilege, need-to-know basis.
- Multi-factor authentication and strong, unique credentials managed in a password manager.
- Full-disk encryption on all devices used to access Client Personal Data.
- Encryption of data in transit (TLS) and use of encrypted, reputable storage and transfer services.
- Up-to-date operating systems, security patches and endpoint protection.
- Secrets, credentials and API keys kept out of source control and handled securely.
- Separation of Client environments and dedicated credentials per engagement where feasible.
- Prompt removal of access on completion of the engagement, and deletion or return of Personal Data in accordance with Clause 12.
- Confidentiality obligations binding on the Processor and any authorised personnel.
Annex 3 · Approved sub-processors
AI / large language model processing (Claude API) for AI-assisted development and product features.
United States — transfers safeguarded by EU Standard Contractual Clauses.