Data Processing Agreement
Effective date: 2 April 2026 · LOCAVERDI B.V.
1. Scope and relationship to NLdigital Terms
This Data Processing Agreement ("DPA") supplements Chapter 4 (Art. 28–33) of the NLdigital Terms 2025, which apply to all agreements between LOCAVERDI B.V. ("Processor") and the client ("Controller"). This DPA provides Readmodel®-specific processing details as required by GDPR Art. 28(3).
In case of conflict: the NLdigital Terms prevail on general processor obligations; this DPA prevails on Readmodel®-specific processing details. Definitions follow the NLdigital Terms and the GDPR.
2. Roles of the parties
The Controller determines the purposes and means of processing personal data entered into Readmodel®. LOCAVERDI B.V. acts as Processor, processing personal data solely on behalf of and on documented instructions from the Controller for the purpose of providing the Readmodel® service.
3. Subject matter and duration
Subject matter: Provision of the Readmodel® SaaS application for GDPR data mapping, risk assessment, compliance documentation, breach notification management, and data subject rights tracking.
Duration: Processing begins when the Controller creates an account and continues for the term of the account. Processing ceases 30 days after account deletion, at which point all data is permanently deleted.
4. Nature and purpose of processing
- Storage, retrieval, display, and export of data entered by the Controller.
- AI-powered report generation (with anonymisation, see Section 8).
- Breach notification register management (GDPR Art. 33–34).
- Data subject rights request tracking (GDPR Art. 15–22).
- Risk scoring, compliance assessment, and ROPA generation.
The Processor does not process personal data for its own purposes beyond providing the service.
5. Categories of data subjects
- Controller's users: Employees or authorised persons with Readmodel® accounts.
- Data subjects in project data: Individuals whose names or roles the Controller enters as data users (we recommend role descriptions rather than real names).
- Third-party data subjects: Individuals whose personal data the Controller enters in the breach register (affected persons) or DSAR register (requesting persons).
6. Types of personal data processed
| Category | Data elements |
|---|---|
| Account data | Username, email address, display name, password (bcrypt-hashed), language preference |
| Billing data | Company name, address, VAT number (sent to Mollie for payment, Jortt for invoicing) |
| Security data | TOTP secrets (encrypted), backup codes (hashed), login timestamps, IP addresses, session hashes |
| Project data | Service names, data item names, user role descriptions, transfer descriptions, device groups, classifications, legal bases, retention periods, risk assessments, DPIA records, backup strategies |
| Breach register | Breach descriptions, categories of affected data, estimated number of affected subjects, notification status, remediation measures. May include names or identifiers of affected individuals if entered by the Controller. |
| DSAR register | Data subject names, email addresses, request type, dates, identity verification records, response documentation |
| Service documents | Uploaded files (DPA, SLA, contracts) — virus-scanned, stored with hashed filenames |
| AI reports | Generated analysis reports stored within the project |
| Audit logs | Records of data-modifying actions with timestamps, user ID, and action type |
7. Processor obligations (GDPR Art. 28(3))
7a. Instructions
The Processor processes personal data only on documented instructions from the Controller. Use of the Readmodel® application constitutes the Controller's instructions. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR.
7b. Confidentiality
All persons authorised to process personal data are bound by confidentiality obligations.
7c. Security measures
The Processor implements the following technical and organisational measures (GDPR Art. 32):
- Encryption at rest: Transparent Data Encryption (TDE) on the database
- Password security: bcrypt hashing
- Two-factor authentication: TOTP (RFC 6238) available for all users
- CSRF protection: on all state-changing operations
- SQL injection prevention: prepared statements exclusively
- XSS prevention: output escaping on all user-generated content
- Virus scanning: ClamAV on all uploaded files
- Session security: HttpOnly, SameSite=Strict and Secure cookie attributes; idle timeout (30 min), absolute timeout (8 hours)
- Brute-force protection: login rate limiting, IP-based lockout
- Bot protection: honeypot fields, timing validation, self-hosted proof-of-work challenge
- Audit logging: all data-modifying actions are logged with timestamp, user, and action type
- Infrastructure security: CrowdSec threat detection and intrusion prevention
- Data location: all data stored and processed exclusively within the EU/EEA
7d. Sub-processors
The Controller grants general authorisation for the Processor to engage the sub-processors listed in the Sub-processor Notice. The Processor will inform the Controller of changes to sub-processors in accordance with NLdigital Terms Art. 32.3. The Controller has the right to object.
The Processor imposes the same data protection obligations on sub-processors by contract.
7e. Data subject rights
The Processor assists the Controller in fulfilling data subject rights requests. The Controller can:
- Export all project data in JSON format (data portability, Art. 20)
- Edit or delete individual records within the application
- Delete their entire account and all associated data
For requests that cannot be fulfilled through the application, the Controller may contact the Processor via the contact form.
7f. Breach notification
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, in accordance with NLdigital Terms Art. 29 and GDPR Art. 33(2). The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.
7g. Deletion and return of data
Upon termination of the service agreement or at the Controller's request:
- The Controller may export all data via the full project JSON export before deletion.
- Account data is retained for 30 days after deletion request (recovery window), then permanently deleted.
- All project data, breach register data, DSAR register data, service documents, and AI reports are deleted together with the account at the end of the recovery window (database CASCADE).
Note: The Controller is responsible for ensuring their own retention obligations (e.g. GDPR Art. 33(5) for breach records, Art. 5(2) for accountability) are met before requesting deletion.
7h. Audits
The Processor makes available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Art. 28. Audit and inspection rights are governed by NLdigital Terms Art. 30.
8. AI report processing
When the Controller generates an AI report, project data is submitted to a third-party AI provider (see Sub-processor Notice). The following safeguards are applied:
- The project name is replaced with "Project".
- Data user names are replaced with sequential labels ("User 1", "User 2", etc.).
- Breach register and DSAR register data: only aggregated statistics are included (total counts, severity distribution, response status). No record-level data from these registers (names, email addresses, breach titles, request details) is transmitted.
- Service names, data item names, descriptions, and other project content are transmitted as entered. These free-text fields are not filtered, so the Controller should avoid entering personal data in them (see Section 5).
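The following is an added illustration of the minimisation described above, written for this page; it is not Readmodel®'s own code, and the payload field names (`services`, `users`, `breaches`, `dsars`) and the sample project are constructed assumptions. It shows the three rules at work (project name replaced, data user names mapped to stable sequential labels, registers reduced to counts) and adds the check a practitioner would want before anything leaves the system: a scan of the outgoing payload for any identifier that occurs in the registers, which also catches personal data typed into an unfiltered free-text description.

```python
import json
from collections import Counter

# Constructed sample project; structure and values are assumptions for illustration.
SAMPLE_PROJECT = {
    "name": "Acme Webshop",
    "services": [
        {"name": "Customer CRM",
         "description": "CRM used by the sales team",
         "data_items": ["Email address", "Order history"],
         "users": ["Alice Jansen", "Bob de Vries"]},
        {"name": "Helpdesk",
         "description": "Support tickets",
         "data_items": ["Ticket text"],
         "users": ["Alice Jansen", "Carol Smit"]},
    ],
    "breaches": [
        {"title": "Lost laptop of Bob de Vries", "severity": "high", "notified": True},
        {"title": "Misdirected email", "severity": "low", "notified": False},
    ],
    "dsars": [
        {"name": "Dana Bakker", "email": "dana@example.org", "type": "access", "status": "open"},
        {"name": "Eric Visser", "email": "eric@example.org", "type": "erasure", "status": "closed"},
    ],
}


def anonymise_for_ai(project):
    """Build the payload sent to the AI provider from a project record."""
    labels = {}

    def label(name):
        # Same real name -> same label across all services, numbered in first-seen order.
        if name not in labels:
            labels[name] = f"User {len(labels) + 1}"
        return labels[name]

    services = []
    for svc in project.get("services", []):
        services.append({
            "name": svc["name"],                        # transmitted as entered
            "description": svc.get("description", ""),  # transmitted as entered (unfiltered)
            "data_items": list(svc.get("data_items", [])),
            "users": [label(u) for u in svc.get("users", [])],
        })

    breaches = project.get("breaches", [])
    dsars = project.get("dsars", [])
    return {
        "name": "Project",          # project name replaced
        "services": services,
        # Registers: aggregate statistics only, no record-level fields.
        "breach_register": {
            "total": len(breaches),
            "by_severity": dict(Counter(b["severity"] for b in breaches)),
            "notified": sum(1 for b in breaches if b.get("notified")),
        },
        "dsar_register": {
            "total": len(dsars),
            "by_type": dict(Counter(d["type"] for d in dsars)),
            "by_status": dict(Counter(d["status"] for d in dsars)),
        },
    }


def register_identifiers(project):
    """Strings that must never appear in the outgoing payload."""
    ids = {project["name"]}
    for b in project.get("breaches", []):
        ids.add(b["title"])
    for d in project.get("dsars", []):
        ids.update((d["name"], d["email"]))
    for svc in project.get("services", []):
        ids.update(svc.get("users", []))
    return ids


def leaked_identifiers(project, payload):
    """Pre-send check: return every register identifier found in the serialised payload."""
    blob = json.dumps(payload, ensure_ascii=False)
    return sorted(i for i in register_identifiers(project) if i and i in blob)


if __name__ == "__main__":
    payload = anonymise_for_ai(SAMPLE_PROJECT)
    print(json.dumps(payload, indent=2))
    print("leaked:", leaked_identifiers(SAMPLE_PROJECT, payload))
```

The leak check is deliberately a substring scan over the serialised payload rather than a field-by-field comparison: it is the free-text fields that are transmitted unfiltered, so a name pasted into a service description is exactly the case the scan has to catch, and a non-empty result should block the submission.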
9. International data transfers
All sub-processors are located in the EU/EEA (Netherlands, France, Luxembourg, Estonia). No personal data is transferred outside the EU/EEA. If future sub-processors require such transfers, appropriate safeguards (Standard Contractual Clauses) will be implemented and the Controller will be notified.
10. Governing law and disputes
This DPA is governed by Dutch law. Disputes are resolved in accordance with Art. 18 of the NLdigital Terms 2025 (arbitration via SGOA, Amsterdam).
11. Contact
LOCAVERDI B.V.
KvK: 96035056
BTW: NL867441264B01
Web: Contact form