Data Processing Agreement
DPA — Uptide B.V.

Version 1.0 — 13 June 2025

What does this document cover?

Uptide processes personal data as a controller for customer and order data, and as a processor when an external party instructs us to process data on their behalf. This document sets out the obligations that apply under Article 28 GDPR when Uptide acts as a processor.

1. Parties and definitions

In this Data Processing Agreement, the following terms apply:

Controller: The party that determines the purpose and means of processing personal data and instructs Uptide to process data on their behalf.
Processor: Uptide B.V., established in the Netherlands, which processes personal data on behalf of and for the controller.
Data subject: The natural person whose personal data are being processed.
Personal data: Any information relating to an identified or identifiable natural person, as defined in Article 4 GDPR.
Processing: Any operation or set of operations performed on personal data, as referred to in Article 4(2) GDPR.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data.

2. Subject matter and duration of processing

This agreement governs the processing of personal data by Uptide as processor, in the context of services Uptide provides to the controller. The processing covers:

  • Name, email address, and contact details of data subjects
  • Order and transaction data to the extent processed on behalf of the controller
  • Technical data generated through use of the Uptide platform

The duration of processing equals the term of the main agreement between the parties, unless statutory retention obligations require a longer retention period.

3. Obligations of Uptide as processor

Uptide commits to the following as processor:

3.1 Follow instructions: Uptide processes personal data solely on the basis of documented instructions from the controller, unless a legal obligation requires otherwise.
3.2 Confidentiality: Uptide ensures that persons authorised to process personal data are bound by a duty of confidentiality or subject to an appropriate statutory obligation of confidentiality.
3.3 Technical and organisational measures: Uptide implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. This includes at minimum: encryption of personal data in transit (TLS), access restrictions on a need-to-know basis, and regular review of security measures.
3.4 Sub-processors: Uptide engages sub-processors (see Article 4). Uptide imposes on these sub-processors the same obligations as set out in this agreement. Uptide remains fully responsible for compliance by sub-processors.
3.5 Assistance with data subject rights: Uptide assists the controller in fulfilling requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, portability, objection, restriction).
3.6 Assistance with security requirements: Uptide assists with carrying out data protection impact assessments (DPIAs) and with mandatory consultation of supervisory authorities, where relevant to the processing.
3.7 Reporting data breaches: Uptide reports a data breach affecting the processed personal data to the controller without undue delay, and at the latest within 24 hours of discovery, so that the controller can meet the 72-hour notification obligation to the supervisory authority.
3.8 Return or deletion after termination: After the end of the processing services, Uptide deletes all personal data or returns it to the controller, unless a statutory retention obligation applies.
3.9 Audit right: Uptide makes available all information necessary to demonstrate compliance with the obligations in Article 28 GDPR. Uptide allows inspections carried out by the controller or an auditor authorised by the controller, with reasonable prior notice.

4. Sub-processors

Uptide uses the following sub-processors in the performance of its services:

Mollie B.V. | Payment processing | Netherlands | GDPR-compliant, EU
Resend Inc. | Transactional email | United States | Standard Contractual Clauses
Railway Corp. | Database & infrastructure | United States | Standard Contractual Clauses
Vercel Inc. | Website hosting | United States | Standard Contractual Clauses

Uptide informs the controller of any intended changes regarding the engagement or replacement of sub-processors and gives the controller the opportunity to object.

5. International transfers

Where personal data are transferred to sub-processors outside the European Economic Area (EEA), Uptide ensures appropriate safeguards in accordance with Chapter V GDPR. In practice this means using the Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914).

6. Liability

Uptide is liable for damage caused by processing that does not comply with the GDPR or with the instructions of the controller set out in this agreement, unless Uptide demonstrates that it is not responsible for the event giving rise to the damage. Uptide's liability is in any case limited to direct damage and to the amount paid by the controller in the three months preceding the event giving rise to the damage.

7. Governing law and dispute resolution

This Data Processing Agreement is governed by Dutch law. Disputes are submitted exclusively to the competent court in the Netherlands. The parties will first endeavour to resolve any disputes by mutual agreement.

8. Entry into force and acceptance

This Data Processing Agreement enters into force when a party uses Uptide's services involving the processing of personal data on that party's behalf, or upon written acceptance. By using the service, the controller confirms that they have read and agree to the contents of this agreement.

For questions about or deviations from this Data Processing Agreement: info@uptide.eu.

Uptide — Data Controller

Uptide B.V.  ·  Netherlands  ·  info@uptide.eu