Data Processing Agreement (DPA)
Verwerkersovereenkomst
Need a DPA for your organization?
If you are a Proventum customer and require a signed Data Processing Agreement, you can request one directly from your account settings. Log in to your Proventum account and navigate to Settings → DPA to submit your request.
What is a Data Processing Agreement?
A Data Processing Agreement (DPA), known in Dutch as a Verwerkersovereenkomst, is a legally binding contract between a data controller and a data processor. Under the General Data Protection Regulation (GDPR, Article 28), organizations that process personal data on behalf of other organizations are required to have a DPA in place.
When you use Proventum to manage your customer relationships, support tickets, deals, and other business data, you act as the data controller (you determine the purposes and means of processing personal data), and Storekeeper B.V. acts as the data processor (we process data on your behalf according to your instructions).
Why is a DPA Required?
The GDPR requires a DPA whenever a data controller engages a data processor. This ensures that:
- Both parties understand their roles and responsibilities regarding data protection;
- Personal data is processed lawfully, securely, and in accordance with the controller's instructions;
- Data subjects' rights are protected throughout the processing chain;
- There is legal clarity about liability in case of a data breach or non-compliance;
- Organizations can demonstrate accountability and compliance with GDPR requirements.
If your organization is established in the EU/EEA, or if you process personal data of individuals in the EU/EEA, you are likely required to have a DPA with all your data processors, including SaaS platforms like Proventum.
What Does Our DPA Cover?
The Proventum DPA addresses all requirements set out in GDPR Article 28 and includes the following key areas:
Subject Matter and Duration
- Description of the processing activities (operating the Proventum platform on your behalf);
- Types of personal data processed (contact details, communication data, business records);
- Categories of data subjects (your customers, contacts, employees, end-users);
- Duration of processing (for the term of your Proventum subscription).
Obligations of the Processor
- Process personal data only on your documented instructions;
- Ensure that authorized personnel are bound by confidentiality obligations;
- Implement appropriate technical and organizational security measures;
- Assist with data subject access requests and other GDPR rights;
- Notify you without undue delay of any personal data breach;
- Delete or return all personal data upon termination of the agreement;
- Make available information necessary to demonstrate compliance.
Security Measures
Our DPA details the technical and organizational measures we implement to protect your data:
- Database isolation: Each customer account is stored in a separate PostgreSQL database, ensuring complete data isolation between tenants;
- Encryption: Data encrypted in transit (TLS 1.2+) and database credentials encrypted at rest;
- Access control: Role-based access control with granular permissions;
- Authentication: Support for two-factor authentication (2FA), login throttling, and secure password hashing;
- Infrastructure: Hosted in the EU (Hetzner, Germany) on dedicated servers;
- Backups: Regular automated backups with secure storage;
- Monitoring: Continuous security monitoring and error logging.
Sub-processors
The DPA includes a list of our sub-processors (third-party services that process data on our behalf). Currently, these include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting and infrastructure | Germany (EU) |
| Resend, Inc. | Transactional email delivery | United States |
We will notify you in advance of any changes to our list of sub-processors, giving you the opportunity to object.
International Transfers
- Our primary data storage and processing occurs within the EU (Germany);
- Where data is transferred outside the EU/EEA (e.g., email delivery via Resend), appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs);
- Transfer impact assessments are conducted as required.
Data Breach Notification
- We will notify you of any personal data breach without undue delay and in any event within 72 hours of becoming aware of it;
- The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed;
- We will cooperate with you in investigating and remediating the breach.
Audits and Compliance
- We make available all information necessary to demonstrate compliance with GDPR Article 28;
- We allow for and contribute to audits and inspections conducted by you or an independent auditor mandated by you, subject to reasonable notice and scope;
- We will inform you immediately if we believe an instruction from you infringes the GDPR.
How to Request a DPA
If you are an existing Proventum customer:
- Log in to your Proventum account;
- Navigate to Settings → DPA (or go to /app/dpa);
- Fill in your company details and submit the request;
- Our team will review and process your request, typically within 5 business days;
- Once approved, the signed DPA will be available for download in your account.
If you are not yet a customer or have questions about our DPA, please contact us at privacy@getproventum.com.
Contact
- Company: Storekeeper B.V.
- Email: privacy@getproventum.com
- Website: https://getproventum.com