Consultancy Processor Data Processing Agreement
Effective: 2026-05-12 · LOCAVERDI B.V. · English version controls
1. Scope and relationship to the engagement letter
This Data Processing Agreement ("DPA") governs the processing of personal data that the Client (acting as Controller) shares with LOCAVERDI B.V. (acting as Processor) in connection with a Readmodel® consultancy engagement. It applies on top of the engagement letter signed for that engagement and forms Schedule B of that letter.
This DPA is distinct from the SaaS DPA at dpa.php, which governs the Client's use of the Readmodel® service as a self-serve subscriber. Where the same client is both a self-serve subscriber and a consultancy client, the SaaS DPA governs the SaaS use and this DPA governs the consultancy engagement; clauses do not double-apply.
2. Roles of the parties
The Client determines the purposes and means of the processing of personal data shared during the engagement and is therefore the Controller within the meaning of GDPR Art. 4(7). LOCAVERDI B.V. processes that personal data only on documented instructions from the Client and is therefore the Processor within the meaning of Art. 4(8). LOCAVERDI B.V. does not become a joint controller for any of the processing covered by this DPA.
3. Subject matter, nature and purpose
The subject matter of the processing is the delivery of the consultancy engagement (data mapping, risk assessment, DPIA / FRIA documentation, transfer assessment, sub-processor mapping, executive reporting, AI-assisted analysis where applicable). The nature of the processing includes collecting, structuring, storing, analysing, summarising, exporting, and ultimately deleting personal data as needed to produce the deliverables.
4. Duration
Processing begins on the engagement start date and ends on the later of (a) the final delivery date plus the post-engagement retention window agreed in Section 7, or (b) the date the Client confirms receipt of all deletion certifications.
5. Categories of data subjects
The categories of data subjects whose personal data may be processed include, depending on what the Client uploads to the workspace:
- Employees, contractors and former employees of the Client
- Customers, prospects and former customers of the Client
- Suppliers, vendors and their staff
- Visitors and end users of the Client's services
- Other natural persons whose data appears in the Client's systems and is mapped during the engagement
6. Types of personal data
The Client decides what data to share with us; we do not need raw personal data to deliver most engagements (a register of data items, classifications and flows is sufficient). When personal data is shared, it may include:
- Identifying data (names, employee IDs, work emails)
- Contact data (work addresses, phone numbers)
- Authentication data (account names, role assignments — never passwords)
- Operational metadata (which user has access to which service)
- In the case of uploaded documents (DPAs, privacy policies, sub-processor lists): whatever personal data those documents happen to contain
The Client must not upload special categories of personal data (Art. 9), criminal data (Art. 10), or production payloads (e.g. a customer database export) into the engagement workspace. The engagement is documentation work; raw personal data dumps are out of scope and the Client warrants it will not transmit such data to us.
7. Processor obligations (GDPR Art. 28(3))
(a) Documented instructions
We process personal data only on the Client's documented instructions, including with regard to international transfers, unless required to do so by Union or Member State law (in which case we will inform the Client of that legal requirement before processing, unless the law prohibits such information). The signed engagement letter, this DPA, and any subsequent written instructions in the engagement workspace constitute documented instructions.
(b) Confidentiality
Persons authorised to process the personal data are bound by a contractual or statutory duty of confidentiality.
(c) Security (Art. 32)
We implement appropriate technical and organisational measures, including: encryption in transit (TLS 1.2+) and at rest, access control with MFA on all administrative accounts, logging of access to client workspaces, principle of least privilege, regular backups, and patch management. The full list is published in our security overview.
(d) Sub-processors
The Client gives general written authorisation to engage sub-processors. The current sub-processor list for consultancy engagements is published at subprocessors.php and includes our infrastructure provider and our email/transactional/payment providers. Note that AI-assisted analysis (Section 9) does not involve an AI sub-processor — it runs on our own infrastructure. We will provide at least 30 days' prior written notice (by email to the engagement contact and by update to the published list) of any intended additions or replacements of sub-processors. The Client may object on reasonable data-protection grounds within those 30 days; if the parties cannot resolve the objection, the Client may terminate the engagement and receive a pro-rated refund of unused fees.
We impose data-protection obligations on each sub-processor at least equivalent to those in this DPA and remain fully liable to the Client for any sub-processor's failure to meet them.
(e) Data subject rights
Taking into account the nature of the processing, we assist the Client by appropriate technical and organisational measures, insofar as possible, to fulfil the Client's obligation to respond to data-subject requests under Chapter III of the GDPR. In practice, because we hold only what the Client uploaded, the Client can satisfy most rights by acting on its source systems; we will support search, export and deletion within the engagement workspace on request without additional charge.
(f) Assistance with controller obligations
We assist the Client in ensuring compliance with Art. 32–36 (security, breach notification, DPIA consultation), taking into account the nature of processing and the information available to us. Significant assistance work outside the package scope is invoiced at our hourly rate as an add-on.
(g) Personal data breach notification
We notify the Client without undue delay and in any event within 48 hours after becoming aware of a personal data breach concerning Client personal data. The notification will describe (to the extent then known) the nature of the breach, the categories and approximate number of data subjects, the likely consequences, and the measures taken or proposed.
(h) Audit rights
We make available to the Client the information necessary to demonstrate compliance with this DPA. The Client may, on reasonable prior notice (at least 14 days), once per calendar year and at the Client's cost, audit our compliance — by reviewing our written security documentation, sub-processor list, audit logs of activity in the Client's workspace, and answers to a written questionnaire. On-site audits are available where reasonably required and are scheduled at mutually convenient times.
8. International data transfers
We process personal data within the European Economic Area where reasonably possible. Where a sub-processor processes personal data outside the EEA, the transfer relies on (a) an adequacy decision under Art. 45, (b) the EU–US Data Privacy Framework certification of the sub-processor where applicable, or (c) the EU Standard Contractual Clauses (Decision 2021/914) plus supplementary measures consistent with EDPB Recommendations 01/2020. The applicable mechanism for each sub-processor is published at subprocessors.php.
9. AI-assisted analysis
Some deliverables (executive briefings, document summarisation, AI-system classification) are produced with AI assistance. That AI processing runs on a language model hosted on infrastructure operated by us (LOCAVERDI B.V.): Client personal data is not transmitted to any third-party AI provider and is not used to train, fine-tune, or improve any model. There is therefore no AI sub-processor for the engagement. Because the data never leaves our infrastructure, no anonymisation step is applied to it.
10. Termination & deletion
On termination of the engagement, and unless Union or Member State law requires us to retain the personal data, we will at the Client's choice either return the personal data to the Client (via export from the engagement workspace) or delete it. Default behaviour, absent the Client's instruction, is:
- Active engagement workspace: we offer the Client a transfer to its own Readmodel® subscription. If the Client does not accept the transfer within 30 days of final delivery, the workspace is archived and access is suspended.
- Archived workspace: deleted 90 days after final delivery, including from primary storage and routine backups (per our backup retention policy). The Client may request earlier deletion at any time; deletion is effective within 14 days from request, with a written confirmation.
- Email and ticketing correspondence relating to the engagement: retained for the longer of 7 years (Dutch fiscal retention obligation) or the duration of any ongoing dispute. This correspondence is not retained in the engagement workspace.
We provide a written deletion certification on request.
11. Liability
The liability cap and exclusions in the engagement letter (Section 11) apply to claims arising under or in connection with this DPA, save that liability for damage caused by infringement of the GDPR attributable to a party may not be excluded to the extent the GDPR prohibits exclusion (Art. 82(2)).
12. Order of precedence
In case of conflict between this DPA and the engagement letter, this DPA prevails on personal-data matters. The signed engagement letter prevails on all other matters.
13. Governing law and disputes
This DPA is governed by the laws of the Netherlands. Disputes are submitted to the exclusive jurisdiction of the District Court of the Northern Netherlands (Rechtbank Noord-Nederland).
14. Contact
Operational questions about this DPA, sub-processor changes, breach notifications and audit requests are handled via our contact form. We do not publish a direct email address; the contact form routes to the responsible party with the same SLA as direct email.