Assetify

Legal · Document 04 of 04

Data Processing Agreement

The contract that governs how Assetify processes personal data on behalf of our customers — written to satisfy GDPR Article 28 in plain Dutch business terms.

In effect · May 2026
Last Updated: May 2026
Clauses: 16
Frameworks: GDPR Art. 28 · AVG
Data Region: European Union only
  • Party 01 · Decides: Data Controller (the Customer). Determines the purposes and means of processing personal data within their Assetify environment.
  • Party 02 · Processes: Data Processor (Assetify). Processes personal data only on documented instructions from the Controller.

Party 01 instructs Party 02.

§ 01

Parties

This Data Processing Agreement (DPA) is entered into between Assetify (the "Data Processor") and the Client (the "Data Controller").

§ 02

Scope

The Processor processes personal data on behalf of the Controller solely for the purposes of providing the Assetify platform — including asset management, license tracking, contract management, and related services.

Out of scope

The Processor does not process student or patient data directly. It may process organizational data including staff information, device assignments, and usage logs.

§ 03

Data subject categories

Personal data may include information about employees, IT staff, contractors, and other individuals identified in asset or contract records. This does not include direct processing of student or patient data unless explicitly agreed in writing.

§ 04

Data categories

The following categories of personal data may be processed under this DPA:

  • Device identifiers
  • Hardware serial numbers
  • Software license details
  • Contract information
  • Employee names & roles
  • Email addresses
  • Device locations
  • Access logs
  • Audit trails

§ 05

Duration

This DPA remains in effect for the duration of the service agreement and continues until all personal data is deleted or returned per § 09.

§ 06

Processor obligations

The Processor commits to the following, consistent with GDPR Article 32:

  • Obligation 01 · Documented instructions only: Process personal data only on documented instructions from the Controller.
  • Obligation 02 · Confidentiality: Persons authorized to process personal data are bound by confidentiality or an equivalent legal obligation.
  • Obligation 03 · Technical & organizational measures: Encryption, access controls, audit logging, and regular security assessments.
  • Obligation 04 · Data subject rights support: Assist the Controller in fulfilling rights requests within 30 days.
  • Obligation 05 · DPIA assistance: Support data protection impact assessments where required.
  • Obligation 06 · Breach notification support: Assist with GDPR-mandated breach notifications to authorities and data subjects.

§ 07

Sub-processors

The Processor may engage sub-processors for hosting, backups, and integrations. The Controller will be notified of any sub-processor changes with at least 30 days' notice.

Right

The Controller may object to any new sub-processor on reasonable grounds.

§ 08

Data security

  • Data is stored in European Union data centers in compliance with GDPR data residency requirements.
  • Encryption is applied both in transit and at rest.
  • Access is restricted to authorized personnel with role-based access controls.
  • Regular penetration testing and vulnerability assessments are conducted.
  • Incident response procedures are documented and tested.

§ 09

Data deletion and return

Upon termination of the service agreement, the Controller may request deletion or return of personal data. The Processor follows this timeline:

  • Day 0: Service agreement ends. Controller may request return or deletion.
  • Within 30 days: Personal data is deleted or returned, unless retention is legally required.
  • + 90 days: Backup copies retained for disaster recovery; then permanently deleted.

§ 10

International transfers

All data is processed and stored within the European Union. No transfers outside the EEA occur without explicit written consent and appropriate safeguards.

§ 11

Data breach notification

The Processor shall notify the Controller without undue delay, and in any case within 24 hours, upon becoming aware of a personal data breach. The Processor shall provide all information necessary for the Controller to meet legal notification obligations.

§ 12

Data subject rights

The Processor shall, at the Controller's request, assist in fulfilling data subject rights:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

§ 13

Audit and compliance

The Processor shall make available all information necessary to demonstrate compliance with GDPR and allow for audits and inspections by the Controller or a third-party auditor upon reasonable notice.

§ 14

Liability

The Processor's liability for breaches of this DPA shall not exceed the fees paid by the Controller in the twelve months preceding the breach, unless the breach involves a data protection violation.

§ 15

Governing law

This DPA shall be governed by the laws of the Netherlands and the GDPR.

§ 16

Amendments

This DPA may be amended to reflect changes in GDPR requirements, data processing activities, or security standards. Material amendments require written consent from the Controller.