Data processing agreement

1. PARTIES

This Data Processing Agreement ("DPA") forms part of the agreement between:

Controller:
The merchant, client, webshop owner or business entity using the services of SP Platform B.V. ("Controller").

Processor:
  • SP Platform B.V.
  • KvK number: 86013394
  • Emmasingel 33
  • 5611 AZ Eindhoven
  • The Netherlands

This DPA is concluded pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR").

2. PURPOSE OF PROCESSING

Processor provides software infrastructure, fulfillment facilitation services, supplier coordination and operational tooling for e-commerce businesses.

Processor processes personal data solely on behalf of the Controller and only for purposes necessary to:

  • process and facilitate orders;
  • coordinate fulfillment activities;
  • communicate shipping and tracking updates;
  • synchronize webshop orders and fulfillment statuses;
  • provide customer support and operational assistance;
  • maintain platform functionality, fraud prevention and operational security.

Processor acts solely as a facilitator and processor and does not independently determine the purposes or means of processing personal data.

3. NATURE OF PROCESSING

Processing activities may include:

  • collection;
  • storage;
  • synchronization;
  • organization;
  • transmission;
  • consultation;
  • structured access;
  • deletion;
  • backup and recovery.

Processing is performed electronically through the Service Points platform infrastructure and integrated fulfillment systems.

4. CATEGORIES OF PERSONAL DATA

Processor may process the following categories of personal data:

  • First and last name;
  • Delivery address;
  • Email address;
  • Telephone number;
  • Order information;
  • Tracking information.

No special categories of personal data are intentionally processed.

5. CATEGORIES OF DATA SUBJECTS

The processed personal data relates to:

  • customers of the Controller;
  • webshop visitors;
  • order recipients;
  • merchant users of the platform.

6. OBLIGATIONS OF THE PROCESSOR

Processor shall:

  • process personal data solely on documented instructions from the Controller;
  • ensure confidentiality of persons authorized to process personal data;
  • implement appropriate technical and organizational measures;
  • assist the Controller with GDPR compliance obligations where reasonably required;
  • notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Data;
  • ensure that subprocessors are bound by appropriate contractual obligations;
  • upon termination of services, delete or return personal data unless retention is legally required.

7. OBLIGATIONS OF THE CONTROLLER

Controller represents and warrants that:

  • it has a valid legal basis for processing personal data;
  • it has properly informed data subjects;
  • any instructions provided to Processor comply with applicable privacy laws;
  • it remains solely responsible for determining the purposes and lawful basis of processing.

8. SECURITY MEASURES

Processor implements appropriate technical and organizational measures, including but not limited to:

  • role-based access controls;
  • encrypted backups;
  • server-level firewall protection;
  • authentication and access logging;
  • infrastructure redundancy;
  • operational monitoring;
  • restricted supplier access;
  • secured API integrations;
  • periodic security updates and maintenance.

Further details are included in Annex II.

9. SUBPROCESSORS

Controller grants Processor general authorization to engage subprocessors for operational, infrastructure, communication, analytics and fulfillment purposes.

A current list of subprocessors is included in Annex III.

Processor shall ensure that subprocessors are subject to data protection obligations substantially similar to those set forth in this DPA.

Processor shall remain responsible for the performance of its subprocessors under applicable law.

10. INTERNATIONAL DATA TRANSFERS

Certain processing activities may involve transfers of personal data outside the European Economic Area ("EEA"), including but not limited to:

  • cloud infrastructure providers with global operations;
  • international communications providers;
  • fulfillment suppliers located in China;
  • analytics or operational tooling providers.

Where personal data is transferred to countries not subject to an adequacy decision under GDPR, Processor shall ensure appropriate safeguards are implemented, including:

  • European Commission Standard Contractual Clauses ("SCCs");
  • contractual confidentiality obligations;
  • access restrictions;
  • transfer impact assessments where applicable.

Chinese fulfillment suppliers engaged by Processor are contractually restricted to using personal data solely for fulfillment and shipping purposes and may not use such data for independent commercial purposes.

11. DATA BREACHES

Processor shall notify Controller without undue delay after becoming aware of a confirmed personal data breach affecting Controller Data.

Such notification shall include, where reasonably available:

  • nature of the breach;
  • categories of affected data;
  • likely consequences;
  • mitigation measures taken.

12. AUDIT RIGHTS

Controller may request reasonable information necessary to demonstrate compliance with this DPA.

Any audit or inspection:

  • must be reasonable and proportionate;
  • may not unreasonably interfere with Processor operations;
  • must be subject to confidentiality obligations;
  • may be limited to documentation reviews where appropriate.

13. LIABILITY

The liability provisions contained in the master agreement between the parties shall apply equally to this DPA.

14. TERM

This DPA remains effective for the duration of the underlying services agreement between the parties.

15. GOVERNING LAW

This DPA shall be governed by Dutch law.

Any disputes arising under this DPA shall be submitted exclusively to the competent court in Oost-Brabant, the Netherlands.

ANNEX I — PROCESSING DETAILS

Subject Matter:

Provision of fulfillment facilitation, supplier coordination, order synchronization and operational software infrastructure.

Duration:

For the duration of the services agreement and any applicable statutory retention periods.

Nature & Purpose:

  • webshop synchronization;
  • order fulfillment;
  • supplier communication;
  • tracking synchronization;
  • operational support;
  • fraud prevention;
  • customer communication.

Categories of Personal Data:

  • name;
  • delivery address;
  • email address;
  • telephone number;
  • order information;
  • tracking information.

Categories of Data Subjects:

  • webshop customers;
  • order recipients;
  • merchant users.

ANNEX II — TECHNICAL & ORGANIZATIONAL MEASURES

SP Platform B.V. maintains commercially reasonable technical and organizational security measures, including:

Infrastructure Security:

  • managed cloud infrastructure;
  • firewall protection;
  • segmented hosting environments;
  • access authentication controls;
  • encrypted backups;
  • infrastructure monitoring.

Access Management:

  • role-based permissions;
  • restricted administrative access;
  • internal access logging;
  • limited supplier access rights.

Operational Security:

  • controlled deployment processes;
  • software maintenance and updates;
  • incident monitoring;
  • operational continuity measures.

Data Minimization:

Chinese fulfillment suppliers receive only the minimum order-related personal data necessary to process shipments.

Suppliers are contractually prohibited from:

  • using personal data for independent purposes;
  • reselling personal data;
  • using personal data outside fulfillment operations.

ANNEX III — SUBPROCESSOR LIST

  • DigitalOcean — Primary hosting & databases — EU / US
  • Kamatera — Secondary infrastructure — EU / US
  • SimpleBackup — Encrypted backups — Global
  • Google Cloud (BigQuery, Pub/Sub) — Analytics & messaging — EU / US
  • Stripe — Payment processing — EU / US
  • Pay.nl — EU payment processing — EU
  • Shopify — Webshop synchronization — Global
  • Mailgun — Transactional email — US / EU
  • SendGrid — Transactional email — US
  • HubSpot — CRM & lifecycle management — US
  • OpenAI — AI support tooling — US
  • Geoapify — Address validation — EU
  • ProductFruits — Product onboarding — EU
  • 17track — Shipment tracking — Global
  • Chinese fulfillment suppliers — Order fulfillment & shipping — China

ANNEX IV — INTERNATIONAL DATA TRANSFERS

Where personal data is transferred outside the EEA, Processor shall implement appropriate safeguards in accordance with Chapter V GDPR.

Such safeguards may include:

  • Standard Contractual Clauses adopted by the European Commission;
  • contractual confidentiality obligations;
  • technical access restrictions;
  • transfer impact assessments where applicable;
  • operational data minimization.

Primary customer infrastructure is hosted within the European Union.

Certain supporting infrastructure and operational services may process limited data outside the EEA where necessary for platform functionality, communications, analytics, fraud prevention, payment processing or fulfillment operations.

Processor implements commercially reasonable measures to ensure that any international transfer is proportionate, limited and protected.

CONTACT INFORMATION

SP Platform B.V.
Emmasingel 33
5611 AZ Eindhoven
The Netherlands
KvK: 86013394

Privacy inquiries: info@servicepoints.eu

Website: https://www.servicepoints.eu