Data Processing Agreement (DPA)

Last updated: January 2026

TheScanBadge

1. Parties

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:

Knippin ICT, operating under the brand TheScanBadge

Lagerstraat 9, 6061 CS Posterholt, Netherlands

KvK: 50759019

VAT: NL001794014B82

(hereinafter: “Processor”)

and

The business customer using TheScanBadge Services
(hereinafter: “Controller”).

This DPA applies where the Controller processes personal data through the Services and TheScanBadge acts as Processor within the meaning of Article 4(8) GDPR.

2. Roles & Scope

2.1 Controller

The Controller determines:

  • The purposes of processing
  • The categories of personal data
  • The categories of data subjects

2.2 Processor

TheScanBadge processes personal data solely on behalf of and in accordance with documented instructions from the Controller.

3. Subject Matter & Duration

Processing activities include:

  • Hosting of digital profiles
  • NFC badge provisioning
  • QR-based sharing
  • Reservation system management
  • API integrations
  • User account management

Duration: For the term of the Service Agreement and until deletion or return of personal data after termination.

4. Categories of Personal Data

Depending on configuration by the Controller:

  • Name
  • Company name
  • Contact details (email, phone)
  • Reservation data
  • Digital profile information
  • Pet identification information
  • User-supplied medical information (if enabled by Controller)
  • Technical data (IP address, device logs)

The Processor does not independently determine which data is processed.

5. Data Subjects

May include:

  • Employees
  • Customers
  • Business contacts
  • Reservation guests
  • Pet owners
  • End users of digital badges

6. Processing Instructions

The Processor shall:

  • Process personal data only on documented instructions
  • Not use data for its own purposes
  • Not sell or commercially exploit data
  • Not engage in profiling or automated decision-making

If an instruction violates GDPR, the Processor will inform the Controller.

7. Confidentiality

The Processor ensures:

  • Personnel are bound by confidentiality obligations
  • Access is limited to authorized staff
  • Role-based access control is applied

8. Security Measures (Article 32 GDPR)

The Processor implements appropriate technical and organizational measures, including:

  • Encrypted data transmission (TLS)
  • Secure hosting within the EU
  • Role-based access control
  • Logging & monitoring
  • Least privilege access
  • Secure software deployment
  • Infrastructure in certified EU data centers

Hosting locations include:

  • Rotterdam (NL)
  • Heerlen (NL)
  • Falkenstein (DE)
  • Eindhoven (NL)

Infrastructure is operated within the European Economic Area.

9. Subprocessors

The Controller authorizes the use of the following subprocessors:

  • Hetzner Online GmbH (EU hosting – Germany)
  • Mollie B.V. (payment processing – Netherlands)
  • Google Maps Platform (address lookup functionality)

The Processor ensures that subprocessors:

  • Are bound by GDPR-compliant agreements
  • Provide adequate security guarantees
  • Process data only as instructed

The Processor remains liable for subprocessors’ compliance.

10. International Transfers

Personal data is processed within the EEA.

If transfers outside the EEA occur, they shall be protected by:

  • Standard Contractual Clauses (SCCs), or
  • Other GDPR-compliant safeguards.

11. Data Subject Rights

The Processor shall:

  • Assist the Controller in responding to data subject requests
  • Provide tools for data access, correction, and deletion where available
  • Notify the Controller of any direct request received

The Controller remains responsible for responding to data subject requests.

12. Data Breach Notification

In case of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay
  • Provide available details regarding nature, scope, and mitigation
  • Cooperate in investigation and remediation

The Controller remains responsible for regulatory notification unless otherwise agreed.

13. Data Retention & Deletion

Upon termination of Services:

  • Personal data shall be deleted or returned at the Controller’s request
  • Backup deletion shall occur within a reasonable retention cycle

Legal retention obligations may apply.

14. Audit Rights

The Controller may request information regarding compliance with this DPA.

Audits:

  • Must be reasonable in scope and frequency
  • Must be conducted during business hours
  • Must not interfere with the Processor's other customers
  • May require an NDA

Existing certifications and security documentation may satisfy audit requests.

15. Liability

Liability under this DPA follows the limitation of liability set forth in the Terms of Service.

Nothing in this DPA limits mandatory rights under GDPR.

16. Governing Law

This DPA is governed by Dutch law.

Disputes are subject to the competent courts of the Netherlands.