Data Processing Agreement
This Data Processing Agreement explains how Calmer Agency (Envoyers Studio / D. Valies), acting as your processor, handles the personal data that your agency, as controller, entrusts to us. It forms part of the main service agreement and applies automatically to every customer, with nothing for you to sign. If you would like a copy counter-signed by both parties, simply request one via our contact page.
1. Parties, definitions and place within the agreement
This Data Processing Agreement (the DPA) is entered into between:
- The controller: the agency (the customer) that creates an account on or uses the Calmer Agency platform (you or the agency); and
- The processor: Calmer Agency, trading as Envoyers Studio / D. Valies (Calmer Agency or we).
This DPA forms an integral part of the main agreement between you and Calmer Agency (the service terms under which you use the platform). By using the platform you accept this DPA. It applies whenever Calmer Agency processes personal data on your behalf and complies with Article 28 of the General Data Protection Regulation (the GDPR / AVG).
Definitions
- Controller: the party that determines the purposes and means of the processing of personal data; under this DPA, that is you.
- Processor: the party that processes personal data on behalf of the controller; under this DPA, that is Calmer Agency.
- Personal data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on personal data, such as collecting, storing, accessing, using, transmitting, erasing or destroying.
- Sub-processor: a third party engaged by Calmer Agency to process personal data on our behalf.
- Data subject: the natural person to whom the personal data relates.
- Supervisory authority: the competent data protection authority, which for the Netherlands is the Autoriteit Persoonsgegevens.
2. Subject matter, duration, nature and purpose of the processing
Subject matter. Calmer Agency processes personal data solely to provide you with the platform: a calm client operations platform that marketing agencies use to manage clients, access, tasks, messages, billing and collaboration.
Nature and purpose. The processing consists of hosting, storing, structuring, displaying, transmitting and processing the data that you and your team members enter or upload, so that you can use the platform's features. We do not process this data for our own purposes.
Duration. The processing lasts for as long as the main agreement is in force, followed by the return or deletion period described in section 9.
A detailed description is set out in Annex 1.
3. Types of personal data and categories of data subjects
Depending on how you use the platform, we may process the following data, among others:
| Category of data subject | Types of personal data |
|---|---|
| Agency team members (users) | Name, email address, role, language preference, login credentials, IP address and usage data. |
| The agency's clients and their contacts | Name, email address, phone number, company details, job title, communication and billing data. |
| End customers and other individuals in uploaded content | Any personal data the agency uploads in documents, messages, exports or files, or transmits through the platform. |
You decide what data you upload. Calmer Agency does not ask you to process special categories of personal data; if you choose to, you do so under your own responsibility and legal basis.
4. Obligations of Calmer Agency as processor
4.1 Processing only on instructions
We process personal data only on your documented instructions, which include this DPA, the settings you choose in the platform and ordinary use of its features. If the law requires us to process otherwise, we will tell you beforehand, unless that law prohibits it. If we believe an instruction breaches the GDPR, we will let you know.
4.2 Confidentiality of personnel
Everyone under our authority who has access to personal data is bound by confidentiality and processes data only as far as necessary.
4.3 Security (Article 32 GDPR)
We take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit and at rest (TLS for transport, encrypted storage and backups).
- EU/Swiss data residency: production data is held on Exoscale (Switzerland/EU).
- Access controls with strong authentication and role-based permissions.
- Tenant isolation through row-level security, so each agency's data stays separated.
- Audit logging of relevant actions and access.
- Backups and recovery procedures.
- Least-privilege: staff receive only the access their role requires.
- Support access to your data only with your consent and recorded in the audit log.
A current overview is set out in Annex 2. We may adjust measures provided the level of protection remains equivalent.
5. Sub-processors
You give Calmer Agency a general written authorisation to engage sub-processors. We publish an up-to-date list of sub-processors on our public sub-processors page (see Annex 3).
By contract, we impose on each sub-processor the same data protection obligations set out in this DPA. If we change the list or add a sub-processor, we will give advance notice through the sub-processors page or by email. You have the right to object on reasonable grounds; if we cannot resolve the matter together, you may terminate the affected service.
Our current EU-first stack includes:
| Sub-processor | Function | Region |
|---|---|---|
| Exoscale | Hosting and storage of production data | Switzerland / EU |
| Cloudflare | Network and delivery (transit sub-processor, no storage of your data, under SCCs) | Global transit |
| Mailjet | Transactional email delivery | EU |
| Mistral AI | AI help features | EU |
| PostHog | Product analytics | EU |
| Mollie | Payments and billing | EU |
| Linear | Support and ticket handling | US (under SCCs) |
6. International transfers
We deliberately choose EU and Swiss providers. Your production data is stored within the EU/Switzerland. Where processing through a sub-processor established outside the EU is unavoidable, or where data may pass in transit, we base that transfer on appropriate safeguards, in particular the European Commission's Standard Contractual Clauses (SCCs), supplemented where necessary by additional measures. We do not claim to use no US providers: Cloudflare acts as a transit sub-processor, and Linear for support is established in the US, in each case under SCCs.
7. Assistance to the controller
Taking into account the nature of the processing, we assist you, as far as reasonably possible, with:
- responding to data subject requests (access, rectification, erasure, restriction, portability and objection), through the platform's features and, where needed, additional support;
- carrying out data protection impact assessments (DPIAs);
- any prior consultation with the supervisory authority;
- your security obligations under Articles 32 to 36 GDPR.
If we receive a request directly from a data subject about your data, we will in principle refer them to you and will not act on it ourselves unless you instruct us to.
8. Personal data breach notification
If we become aware of a personal data breach, we will inform you without undue delay and in any case within 72 hours of becoming aware of it. We will provide at least:
- the nature of the breach and, where possible, the categories and approximate number of data subjects and records concerned;
- the likely consequences;
- the measures taken or proposed to address the breach and mitigate its effects;
- a point of contact for more information.
Notifying the supervisory authority and data subjects remains your responsibility; we support you in doing so.
9. Return or deletion of data
At the end of the service, at your choice, we will delete all personal data or return it to you, and we will delete existing copies, unless law or regulation requires retention. You can export your data during the term and on termination through the platform's export features. Backups are overwritten in line with our regular rotation cycle.
10. Audits and inspections
At your reasonable request, we will make available the information necessary to demonstrate compliance with Article 28 GDPR. We allow for inspections, conducted by you or an independent auditor mandated by you, subject to reasonable advance notice, during business hours, with respect for confidentiality and without disrupting our service. Where available, we may satisfy this through certifications or reports from independent third parties, so that repeated inspections are kept to a minimum.
11. Liability and order of precedence
The liability provisions and any limitations in the main agreement also apply to this DPA. In the event of any conflict between this DPA and the main agreement regarding the processing of personal data, this DPA prevails. The Standard Contractual Clauses prevail where they apply to an international transfer.
12. Governing law and signed copy
This DPA is governed by the law of the Netherlands, in accordance with the GDPR and other applicable EU law. Disputes are submitted to the competent court as set out in the main agreement. If you would like a copy counter-signed by both parties, simply request one via our contact page and we will send you a signed version.
Annex 1 - Details of the processing
- Subject matter: providing the Calmer Agency platform.
- Duration: the term of the main agreement plus the return/deletion period.
- Nature and purpose: hosting, storing, structuring, displaying, transmitting and processing customer data for client operations, access management, communication, tasks, billing and collaboration.
- Types of personal data: as described in section 3.
- Categories of data subjects: agency team members, the agency's clients and their contacts, and end customers/other individuals in uploaded content.
Annex 2 - Technical and organisational measures (TOMs)
- Encryption of data in transit (TLS) and at rest.
- Production data residency in the EU/Switzerland (Exoscale).
- Role-based access control and strong authentication.
- Tenant isolation through row-level security.
- Audit logging of access and relevant actions.
- Regular backups with recovery testing.
- Least-privilege access for staff.
- Support access to customer data only with consent and with logging.
- Confidentiality obligations for all personnel.
- Security obligations imposed on sub-processors through flow-down requirements.
Annex 3 - Sub-processors
The current list of sub-processors is maintained on our public sub-processors page. The sub-processors known at the time of this DPA are listed in section 5. We give advance notice of changes, with a right to object as described there.
