Data Processing Agreement (DPA)

Definitions

• Controller: the client who determines the purpose and means of processing.
• Processor: Speedy ICT, processing personal data on behalf of the controller.
• Personal data: any information relating to an identified or identifiable natural person.
• Processing: any operation on personal data, including collection, storage, access, and deletion.

Purpose of processing

Speedy ICT processes personal data solely to deliver services for the controller, including:

• provision and management of hosting environments;
• development and maintenance of websites and applications;
• management of custom systems and integrations;
• support, monitoring, and incident response.

Obligations of Speedy ICT

• Process personal data only on written instructions from the controller.
• Ensure employees and engaged parties are bound by confidentiality.
• Implement and continuously improve technical and organisational safeguards.
• Never use or share data for Speedy ICT’s own purposes.

Security

Speedy ICT maintains a high security baseline with:

• encryption of data in transit and at rest;
• logging and continuous monitoring of systems;
• strict access control with least-privilege principles;
• comprehensive audit logging for transparency and traceability.

Sub-processors

Speedy ICT engages only trustworthy sub-processors that comply with European privacy rules. The controller is informed about relevant sub-processors and may object to new parties. Contracts include equivalent privacy obligations.

Data breaches

In case of a suspected or actual data breach, Speedy ICT informs the controller immediately, shares relevant details, and cooperates on investigation and remediation. Every incident is logged to guarantee traceability.

Data subject rights

Speedy ICT supports the controller in fulfilling requests from data subjects, including the rights of access, rectification, erasure, restriction, and data portability.

Retention periods

Personal data is not stored longer than necessary. After the engagement ends Speedy ICT deletes or returns the data according to the controller’s instructions and confirms completion in writing.

Liability

Each party remains responsible for its own obligations under the GDPR and this agreement. Any damages are settled according to the main agreement between the parties.

Term and termination

This DPA remains in force for as long as Speedy ICT provides services involving personal data. After termination all data is deleted or returned to the controller.

Governing law

Dutch law applies, and disputes are submitted to the competent court in the Netherlands.

Contact

Questions about this DPA or need additional arrangements? Reach out via the Speedy ICT contact page.