LEGAL

Data Processing Agreement

At Setso, we take the protection of your data seriously. This agreement explains how we process personal data on your behalf, comply with GDPR, and ensure your information is secure through robust measures. It highlights your control over your data and our commitment to safeguarding it, including how we handle breaches, retain data, and work with trusted partners.

Publication Date: February 2025

This Data Processing Agreement, including all appendices (hereinafter: “Data Processing Agreement”), is entered into between Setflow B.V. and Client. The Setso Terms of Use form an integral part of this Data Processing Agreement.


Article 1. Definitions

1.1 “GDPR”: the General Data Protection Regulation (Regulation 2016/679/EU).

1.2 “Data Subject”: the natural person to whom Personal Data relates.

1.3 “Data Breach”: a breach of security which, accidentally or unlawfully, results in the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, transmitted, stored or otherwise processed Personal Data.

1.4 “Main Agreement”: the agreement entered into by the Controller and the Processor for the provision of services by the Processor, of which the Data Processing Agreement forms a part. The Setso Terms of Use form an integral part of the Main Agreement.

1.5 “Client”: the natural person or legal entity that is designated as such in the Main Agreement.

1.6 “Personal Data”: all information relating to an identified or identifiable natural person, as described in Article 4(1) of the GDPR, which the Processor processes in the context of the execution of its obligations arising from the Main Agreement.

1.7 “Sub-Processor”: the natural person or legal entity that assists a Processor in processing Personal Data on behalf of the Controller.

1.8 “Controller”: the natural person, legal entity, or any other body, or the authority that, alone or together with others, determines the purpose and means for the Processing of Personal Data.

1.9 “Processing”: any operation or set of operations performed on Personal Data, including at least the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as the restriction, erasure or destruction of data.

1.10 “Processor”: a natural person or legal entity, a public authority, agency or other body which processes Personal Data on behalf of a Controller.

1.11 The above and other terms shall be interpreted in accordance with the GDPR.

1.12 All words and terms used above in the singular shall have the same meaning in the plural and vice versa.

1.13 The headings above the articles of this Data Processing Agreement are solely for the purpose of improving its readability. The content and scope of an article included under a particular heading are not limited to that heading.


Article 2. Roles of the Parties

2.1 The Parties agree that with respect to the Processing of Personal Data pursuant to the Main Agreement, Setflow B.V. is designated as the Processor within the meaning of the GDPR.

2.2 The Parties agree that with respect to the Processing of Personal Data pursuant to the Main Agreement, the Client is designated as the Controller within the meaning of the GDPR. The Controller has authority over the Personal Data and has determined the purpose and means for the Processing of the Personal Data by the Processor.


Article 3. General

3.1 This Data Processing Agreement applies exclusively to the Processing of Personal Data by the Processor on behalf of the Controller in the context of the Main Agreement.

3.2 This Data Processing Agreement forms an integral part of the Main Agreement. All rights and obligations arising from the Main Agreement, including limitations of liability, shall therefore also apply to this Data Processing Agreement.

3.3 Annex I includes and describes the following components:

  • the Personal Data that may be processed for the purpose of executing the Data Processing Agreement;

  • the retention period of the Personal Data;

  • an overview of the category(ies) of Data Subjects;

  • an overview of the Sub-Processors permitted by the Controller;

  • the nature and purpose of the Processing.


Article 4. Processing of Personal Data

4.1 The Processor processes Personal Data solely for the execution of the Main Agreement and other instructions agreed in writing with the Controller, unless a provision of Union or Member State law applicable to the Processor otherwise requires it. In the latter case, the Processor shall notify the Controller, prior to the Processing, of that legal requirement, unless such legislation prohibits this notification for compelling reasons of general interest.

4.2 Within the framework of the provision in the previous paragraph, the Processor shall process only the Personal Data specified in Annex I, within the scope of the nature and purposes of the Processing described in that Annex.

4.3 The Processor shall follow all reasonable instructions from the Controller in connection with the Processing of Personal Data pursuant to this Data Processing Agreement. The Processor shall immediately inform the Controller if, in its opinion, such instructions are in conflict with the applicable legislation regarding the Processing of Personal Data.

4.4 The Processor shall, taking into account the nature of the Processing and the information available to the Processor, provide assistance to the Controller, if necessary and to the extent possible, in complying with the obligations pursuant to Articles 32 to 36 of the GDPR.

4.5 The Controller guarantees that the Processing of Personal Data by the Processor under this Data Processing Agreement is not in conflict with legislation regarding data protection, including the GDPR, and is not unlawful on any grounds. The Controller indemnifies the Processor for all claims, damages, and fines related thereto, including claims and/or fines in connection with infringements of Data Subjects’ rights.


Article 5. Technical and Organizational Security Measures

5.1 The Processor shall take appropriate technical and organizational security measures as described in Annex II, to secure the Personal Data against a Data Breach. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing as described in Annex I and the risks to Data Subjects, the Controller acknowledges that these technical and organizational measures are appropriate and adequate in the sense of Article 32 in conjunction with Article 28(1) of the GDPR.

5.2 The Processor grants its personnel access to the Personal Data being Processed only to the extent that it is strictly necessary for the Processing pursuant to this Data Processing Agreement. The Processor shall ensure that individuals, not limited to employees, who participate in the Processing at the Processor are bound by a confidentiality obligation regarding the Personal Data.


Article 6. Data Breach

6.1 The Processor shall inform the Controller as soon as possible after detecting a Data Breach. In the event of a Data Breach, the Processor shall take measures as quickly as possible to remedy the Data Breach and to minimize its consequences as much as possible.

6.2 The Processor shall provide the Controller with all information in its possession that is necessary to comply with the obligations under Article 33 of the GDPR in a timely manner. The Processor shall, moreover, provide the relevant information as quickly as possible in a commonly used format determined by the Processor.

6.3 It is solely for the Controller to determine whether a detected Data Breach is to be reported to the Data Protection Authority and/or to the affected Data Subjects. Upon request, the Processor may advise on this matter for a fee.


Article 7. Sub-Processors

7.1 The Processor has the general permission from the Controller to engage Sub-Processors, as listed in Annex I, for the execution of the Agreement. The Processor shall notify the Controller in writing at least 14 days in advance of any intended changes to that list by adding or replacing Sub-Processors, so that the Controller has sufficient time to raise a reasoned objection to such changes before the involved Sub-Processor(s) are engaged. If the Controller objects, the Parties shall cooperate in good faith to reach a reasonable solution. If the Parties cannot reach a reasonable solution, the Processor may immediately terminate the Agreement without any obligation to pay damages.

7.2 The Processor shall ensure that its Sub-Processors are contractually bound to obligations equivalent to those under this Data Processing Agreement, which provide no less protection to the Personal Data than that to which the Processor is bound under this Data Processing Agreement. If a Sub-Processor does not wish to accept the additional obligations from this Data Processing Agreement, the Controller may decide to exempt the Processor from those additional obligations for the relevant Processing, so that the Processor can still enter into the sub-processing agreement.

7.3 The Processor remains fully responsible to the Controller for the actions of the Sub-Processor with respect to the execution of this Data Processing Agreement.


Article 8. Retention Periods

8.1 The Controller is responsible for determining the retention periods with respect to the Personal Data. Retention periods are included in Annex I.

8.2 The Processor shall delete the Personal Data within 60 days after the termination of the Agreement or, at the option of the Controller, transfer it to the Controller, unless the Personal Data must be retained for a longer period, such as in the context of (legal) obligations of the Processor, or when necessary for the nature and purpose of the Processing as specified in Annex I, or if the Controller requests that the Personal Data be retained for a longer period and the Processor and the Controller agree on the costs and other conditions of such extended retention, without prejudice to the Controller’s responsibility to observe the statutory retention periods. Any transfer to the Controller shall be at the expense of the Controller.


Article 9. International Transfer of Personal Data

9.1 The Processor may not transfer any Personal Data to countries outside the EEA unless:

  • the Controller has given prior written consent; or

  • there is a decision by the European Commission that the transfer to the respective country has an adequate level of protection; or

  • the transfer is made on the basis of the EU Standard Contractual Clauses; or

  • the transfer is made on the basis of binding corporate rules applicable within a group, as referred to in Article 47 of the GDPR.


Article 10. Rights of Data Subjects

10.1 If the Controller has direct access to the Personal Data, it shall respond to all requests from Data Subjects under the GDPR regarding the Personal Data without support from the Processor. The Processor shall immediately forward any requests received from Data Subjects regarding their rights to the Controller.

10.2 Only to the extent that this is not possible as described in the preceding paragraph, the Processor shall cooperate with reasonable requests from the Controller relating to rights asserted by Data Subjects under the GDPR.

10.3 If the Controller is obliged to do so, the Processor shall, upon a reasonably given request, cooperate in a Data Protection Impact Assessment (DPIA) or a subsequent prior consultation as referred to in Articles 35 and 36 of the GDPR.

10.4 The Processor shall cooperate with requests from the Controller for the deletion or correction of Personal Data to the extent that the Controller is unable to do so itself.

10.5 The costs and requirements for the cooperation mentioned in the preceding paragraph shall be determined jointly by the Parties. In the absence of an agreement on this matter, the costs shall be borne by the Controller.


Article 11. Audit

11.1 Upon request, the Processor shall enable the Controller to verify compliance with the Data Processing Agreement at a time to be determined by mutual agreement between the Parties and at the expense of the Controller.

11.2 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 of the GDPR. If an expert engaged by the Controller issues an instruction which, in the opinion of the Processor, is in conflict with the GDPR or other legislation or constitutes an unacceptable breach of the security measures implemented by the Processor, then the Processor may refuse the instruction.

11.3 The investigation by the Controller pursuant to this article shall always be limited to the systems of the Processor that are used for the Processing of Personal Data. The Controller shall treat the information found during the audit confidentially and only use it to verify the Processor’s compliance with the obligations under this Data Processing Agreement, and shall delete the information or parts thereof as soon as possible. The Controller shall ensure that any expert engaged also assumes these obligations.


Article 12. Other Provisions

12.1 Amendments to this Data Processing Agreement shall only be valid if agreed in writing between the Parties.

12.2 The Parties shall adjust this Data Processing Agreement to changes or additions in legislation, additional instructions from the relevant authorities, and developments in the application of the GDPR (for example, through but not limited to case law or reports), the introduction of standard clauses, and/or other events or insights that necessitate such an adjustment.


Annex I – Processing of Personal Data
(Attached to the Data Processing Agreement concluded between the Controller and the Processor regarding the Processing of Personal Data)

I. The following categories of Personal Data will be processed by the Processor on behalf of the Controller:

  • First Name;

  • Last Name;

  • Middle Name/Prefix;

  • Date of Birth;

  • Email Address;

  • Telephone Number;

  • Address;

  • Dietary Preferences;

  • Clothing Sizes;

  • Gender (optional) and/or Gender identity;

  • Position/Role;

  • In Case of Emergency number;

  • Agent/Company connected to this person;

  • Kilometers driven (possibly including which car);

  • Hours worked;

  • Overtime worked;

  • Impression of how the day was for this person (emoticon).

II. The Personal Data relate to the following categories of Data Subjects:

  • Employees of the Controller;

  • Self-employed persons and (small) companies that are not directly employees but provide services to the Controller;

  • Participants (natural persons) in production/project who are not directly employees.

III. Nature and Purpose of the Processing:
The Processor processes the Personal Data solely for the purpose of being able to offer its services pursuant to the Main Agreement and to develop and improve its services.

IV. Retention Periods:
All Personal Data, with the exception of first name, last name, and position/role, shall be retained only for the duration of the Main Agreement.
First name, last name, and position/role shall be retained as long as it is necessary to generally develop, improve, and deliver services.

V. Sub-Processors:
The Sub-Processors as referred to in Article 7 of the Data Processing Agreement for which the Controller gives consent are:

  • Microsoft Ireland Operations Limited
    Country of Registration: Ireland
    Service Name: Azure
    Purpose: Cloud and VPN provider
    Personal Data Processed: All
    Data Storage Location: EU

  • MongoDB, Inc.
    Country of Registration: United States
    Service Name: MongoDB
    Purpose: Database for the Setso platform, hosted by Azure
    Personal Data Processed: All
    Data Storage Location: EU

  • PostHog, Inc.
    Country of Registration: United States
    Service Name: PostHog
    Purpose: Product analytics platform
    Personal Data Processed: User data
    Data Storage Location: EU

  • Clerk, Inc.
    Country of Registration: United States
    Service Name: Clerk
    Purpose: User management and authentication
    Personal Data Processed: User data
    Data Storage Location: EU

  • HubSpot, Inc.
    Country of Registration: United States
    Service Name: HubSpot
    Purpose: Customer Relationship Management (CRM)
    Personal Data Processed: Customer data
    Data Storage Location: EU

  • Stripe, Inc.
    Country of Registration: United States
    Service Name: Stripe
    Purpose: Payment processing services
    Personal Data Processed: Payment data
    Data Storage Location: EU


Annex II – Technical and Organizational Measures
(Attached to the Data Processing Agreement concluded between the Controller and the Processor regarding the Processing of Personal Data)

The technical and organizational measures that are implemented by the Processor in any case are as follows:

  • Security software, such as antivirus and firewall.

  • TLS (formerly SSL): Personal Data is transmitted via a secure internet connection.

  • DKIM, SPF, and DMARC: Three internet standards used to prevent the Controller from receiving emails in our name that contain viruses, are spam, or are intended to obtain personal (login) data.

  • Encryption of, among other things, the local drives of the Processor.

  • Accounts available via the Website are secured with passwords and MFA, and accounts available via the App are secured with a PIN code and/or biometric security.

  • The IT environment is regularly monitored for unusual activities.

  • The Processor conducts penetration/hack tests at regular intervals.