Kanbino

Data Processing Agreement

Last updated: March 4, 2026

1. Parties

This data processing agreement ("Agreement") applies between:

  • Processor: Waypointer Digital BV, established in the Netherlands, Chamber of Commerce number 99948710, trading as Kanbino ("Processor")
  • Controller: the organization or natural person who creates and manages a Kanbino workspace ("Controller")

This data processing agreement is part of the Terms and Conditions and Privacy Policy.

2. Definitions

Terms in this agreement have the same meaning as in the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), unless defined differently below:

  • Personal data — any data relating to an identified or identifiable natural person, processed in the context of using Kanbino
  • Processing — any operation or set of operations performed on personal data, including collection, storage, modification, consultation, disclosure and deletion
  • Sub-processor — a third party engaged by the Processor for part of the processing
  • Data breach — a breach of security leading accidentally or unlawfully to the destruction, loss, alteration or unauthorized disclosure of or access to personal data

3. Subject and duration

The Processor processes personal data exclusively for the purpose of providing the Kanbino service to the Controller. This agreement is effective as long as the Controller uses Kanbino.

4. Categories of data subjects and personal data

Categories of data subjects:

  • Employees and team members of the Controller
  • External users (guests) invited by the Controller
  • Contacts and customers managed in the workspace

Categories of personal data:

  • Name, email address and profile information
  • Content data: tasks, comments, time registrations, files and other content entered by users
  • Technical data: IP address, browser information and login activity

5. Obligations of the Processor

The Processor commits to the following:

  • Process personal data exclusively based on written instructions from the Controller, unless a legal obligation requires otherwise
  • Ensure that persons with access to personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (see article 8)
  • Assist the Controller in fulfilling their obligations under articles 32 to 36 GDPR (security, data breaches, DPIAs)
  • After completion of processing services, at the Controller's choice, delete or return all personal data, unless storage is legally required
  • Make available all information necessary to demonstrate compliance with this agreement, and allow audits and inspections by or on behalf of the Controller

6. Sub-processors

The Processor uses the following sub-processors:

Sub-processor               | Purpose                          | Location
Hetzner Online GmbH         | Server hosting and data storage  | Falkenstein, Germany (EU)
Scaleway SAS                | File storage (S3 object storage) | Amsterdam, Netherlands (EU)
BunnyWay d.o.o. (Bunny.net) | Content Delivery Network (CDN)   | Ljubljana, Slovenia (EU)
Stripe Inc.                 | Payment processing               | US (EU Standard Contractual Clauses)

The Controller hereby gives general written consent for engaging sub-processors. The Processor will inform the Controller in advance of intended changes to sub-processors, allowing the Controller to object. Data processing agreements have been concluded with all sub-processors.

7. Transfers outside the EU/EEA

Primary processing takes place within the European Union (Hetzner, Germany). For sub-processors outside the EU/EEA, appropriate safeguards have been implemented through EU Standard Contractual Clauses (SCCs) pursuant to article 46(2)(c) GDPR.

8. Security measures

The Processor implements the following technical and organizational measures, among others:

  • Encryption — all connections via TLS/HTTPS; passwords are stored hashed (bcrypt)
  • Access control — role-based access control; employees only have access to data necessary for their function
  • Backups — daily automated backups, stored within the EU
  • Monitoring — continuous monitoring for availability and security incidents
  • Updates — regular security updates for operating system and application
  • Isolation — strict separation of tenant data at the application level

9. Data breaches

In the event of a data breach, the Processor will:

  • Inform the Controller without undue delay and within 48 hours of discovery
  • Describe the nature of the data breach, including the categories and estimated number of data subjects affected
  • Describe the likely consequences
  • Communicate the measures taken and proposed to address the data breach and mitigate its adverse effects
  • Provide all cooperation the Controller needs to fulfill their notification obligations (articles 33 and 34 GDPR)

10. Assistance to the Controller

The Processor assists the Controller with:

  • Responding to requests from data subjects (access, correction, deletion, portability, objection)
  • Conducting a data protection impact assessment (DPIA), where applicable
  • Fulfilling the notification obligation to the Data Protection Authority

11. Audit

The Controller has the right, at their own expense and with reasonable prior notice, to conduct or have conducted audits to verify compliance with this agreement. The Processor provides all reasonable cooperation. Audits take place no more than once a year, unless there is reason for an additional audit (e.g., after a data breach).

12. Retention and deletion

After termination of the agreement, the Processor deletes all personal data within 30 days, unless:

  • The Controller requests return of the data (in a common, machine-readable format)
  • Retention is legally required (e.g., fiscal retention obligation)

The Processor confirms deletion in writing upon request.

13. Liability

The Terms and Conditions apply to this data processing agreement. In case of conflict, this agreement prevails.

14. Applicable law and disputes

This agreement is governed by Dutch law. Disputes shall be submitted to the competent court in the Netherlands.

15. Contact

For questions about this data processing agreement:

Waypointer Digital BV
Email: privacy@kanbino.com