Data Processing Agreement
Last update: 01-07-2026
This Data Processing Agreement was created by Cyver B.V. (referred to herein as “we”, “us”, “our”, and “Cyver”) to disclose our processes and standards for handling and processing Company Personal Data. Cyver collects information from our users, visitors, clients, and their clients (collectively referred to as “users”, “you”, “your”, or “Company”, throughout this Agreement) as well as Company Personal Data needed to carry out Services. This Agreement shares how this data will be used by us as well as by any third parties (Contracted Processors) we might rely on to deliver those services, including but not limited to email, web hosting, storage, and data analytics providers. This Agreement forms part of the contract for Services, as detailed in the Subscription Contract.
Herein, the parties consist of:
- The Company or User acting as a Data Controller and wishing to subcontract Services from Cyver, which necessitates the processing of personal data by the Data Processor
- Cyver, acting as a Data Processor, and providing services
GDPR
This Data Processing Agreement complies with the requirements of the current legal framework with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016, better known as the GDPR.
PROCESSING OF PERSONAL COMPANY DATA
Cyver B.V. shall:
- Comply with all applicable Data Protection Laws in the processing of Company Personal Data, including but not limited to the GDPR.
- Process Company Personal Data solely on the documented instructions of the Company and exclusively for the purpose of providing the Services under the Subscription Agreement. Cyver shall not process Company Personal Data for its own purposes, including marketing, analytics unrelated to service delivery, or any other independent commercial purpose.
- Take reasonable steps to ensure the reliability of any employee, agent, contracted professional, or Contracted Processor who may have access to Company Personal Data. Cyver B.V. will ensure this by choosing our Contracted Processors with care, by maintaining adequate contracts and Data Processing Agreements with Contracted Processors, and by reviewing data usage and processing in case of any suspicion that data is not being processed in accordance with agreements.
- No individuals will have access to Company Personal Data where it is not strictly necessary for the purpose of carrying or delivering Services in accordance with the Subscription Agreement and to comply with Applicable Laws.
- All individuals with access to Company Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Disclose Company Personal Data only where required by applicable law or based on the documented instructions of the Company. Cyver shall not comply with non-binding, informal, or voluntary disclosure requests unless a valid legal basis exists. Where legally permitted, Cyver shall notify the Company prior to such disclosure.
- Promptly notify the Company if Cyver reasonably believes that any documented instruction provided by the Company infringes applicable Data Protection Laws or regulations.
SECURITY
Cyver B.V. shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of Company Personal Data, in accordance with Article 32 of the GDPR. These measures aim to protect Company Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Cyver shall take all reasonable steps to ensure the security and reliability of Company Personal Data processed through its Platform, Services, and by any Contracted Processors. These applied security measures are further described in our Security Policy.
Cyver shall ensure that any Contracted Processors engaged in the processing of Company Personal Data provide sufficient guarantees to implement appropriate technical and organisational measures consistent with this Agreement and Article 28(3)(c) of the GDPR.
In assessing the appropriate level of security, Cyver and its Contracted Processors shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
SUBPROCESSING
Cyver may engage Contracted Processors where necessary to deliver the Services under the Subscription Agreement.
Cyver shall maintain an up-to-date list of Contracted Processors and shall notify the Company of any intended addition or replacement of a Contracted Processor involving the processing of Company Personal Data.
The Company may raise reasonable objections to such changes on legitimate data protection grounds within thirty (30) days of notification. The Parties shall cooperate in good faith to address such concerns.
Cyver shall ensure that any Contracted Processors engaged provide appropriate guarantees and are subject to contractual obligations consistent with this Agreement and applicable Data Protection Laws.
DATA SUBJECT RIGHTS
Cyver B.V. shall implement appropriate technical and organizational measures, insofar as is possible, to fulfill obligations, as reasonably understood by Cyver, to respond to requests to exercise Data Subject Rights under Data Protection Laws.
Further, Cyver shall promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect to Company Personal Data. Cyver will not respond to that request except on the documented instructions of the Company or as required under Applicable Laws. In this case, Cyver shall, to the extent permitted by Applicable Laws, inform Company of that legal requirement before or immediately following responding to the request.
Cyver shall provide reasonable assistance to the Company in fulfilling its obligations under applicable Data Protection Laws in relation to Data Subject requests, taking into account the nature of the processing and the information available to Cyver.
COMPANY PERSONAL DATA BREACH
In the case of a company personal data breach, Cyver shall:
- Notify the Company without undue delay, and where feasible within 24 hours after we become aware that Company Personal Data was impacted by the breach.
- Cooperate with the Company and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
- Assess the impact of the breach in consultation with third parties to determine appropriate next steps, which may include providing third-party access to a Data Protection Impact Assessment Consultation, consulting with Supervising Authorities, and consulting with other competent data privacy authorities as Company and Cyver consider reasonable and in accordance with Articles 35 or 36 of the GDPR.
- Provide reasonable cooperation and assistance to the Company in investigating, mitigating, and remediating any Personal Data Breach involving Company Personal Data.
DELETION OR RETURN OF COMPANY PERSONAL DATA
Company may at any time request the deletion or return of Company Personal Data.
Under the terms of this Agreement, Cyver agrees to process requests for data deletion promptly. Data will be changed or removed from our servers no later than thirty (30) days following the request.
In addition, Cyver will delete or procure the deletion of any copies of personal data within ninety (90) days of cessation of Services.
AUDIT RIGHTS
Cyver shall provide data showing compliance with this Agreement on request. Company may request proof of compliance and Cyver will allow for and contribute to audits, including audits by Company or an auditor mandated by the Company in relation to the processing of Company Personal Data by Cyver or its Contracted Processors.
DATA TRANSFER
Cyver may not transfer or authorize the transfer of Company Personal Data to countries outside the EU or the EEA without the prior written consent of the Company. If Company Personal Data processed under this Agreement is transferred outside of the EEA, Cyver will take reasonable measures to ensure that data is adequately protected.
GENERAL TERMS
Each Party must keep this Agreement and the information it receives about the other Party and its business in connection with this Agreement confidential. This information may not be used or disclosed without prior written consent of the other Party except where that disclosure is required by law or the relevant information is already in the public domain.
All notices and communications under this Agreement must be in writing and must be delivered personally, via email, or by post, to an address set out in this Agreement.
CONTROLLING JURISDICTION
These Terms will be interpreted in accordance with the Laws of the Netherlands. You and we agree to submit to the personal jurisdiction of a court located in Noord Holland, The Netherlands for any actions in which the parties retain the right to seek an injunction or equitable relief.
DISPUTE RESOLUTION
You and Cyver agree that, where possible, any dispute, claim, or controversy arising out of or relating to the Agreement or its breach, termination, enforcement, interpretation, or validity will be settled by binding arbitration, with the exception that each party retains the right to seek injunctive or equitable relief in the case of actual or threatened infringement of a party's intellectual property rights.
DEFINITION OF TERMS
Unless otherwise herein defined, the following terms and expressions shall have the following meanings:
Agreement – This Data Processing Agreement
Company Personal Data – Any personal data processed on behalf of Company pursuant or in connection with the Subscription Agreement
Contracted Processor – A subprocessor, e.g., an email service or hosting platform utilized by Cyver B.V.
Data Protection Laws – EU Data Protection Laws to the extent applicable
EEA – The European Economic Area
GDPR – The EU General Data Protection Regulation 2016/679
Data Transfer – A transfer of Company Personal Data from the Company to a Contracted Processor or between two Contracted Processors
Services – Services contracted in the Subscription Agreement
The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

