Data Processing Agreement
GDPR-Compliant
Last update: May 2025
1. Subject Matter and Duration
This Agreement governs the Processing of Personal Data by Refybe on behalf of the Customer, in accordance with Article 28 of the GDPR. The duration of Processing shall be the term of the main agreement between the Parties, or until all Personal Data is deleted or returned to the Customer.
2. Nature and Purpose of Processing
- Purpose: To provide gamification services through Refybe.com.
- Nature: Collection, storage, structuring, analysis, and transmission.
- Types of Personal Data: Names, email addresses, user IDs, Participant Data (such as participant email, name, address, etc.), activity logs.
- Categories of Data Subjects: End-users of the Customer’s services.
3. Obligations of the Data Processor
- Process Personal Data only on documented instructions from the Customer.
- Ensure confidentiality of personnel handling data.
- Implement appropriate technical and organizational measures.
- Assist the Controller in fulfilling data subject rights requests.
- Assist with security, breach notifications, and DPIAs.
- Delete all Personal Data upon termination.
4. Sub-Processing
The Customer authorizes Refybe to engage Sub-processors listed in Annex I. Refybe shall inform the Customer of any intended changes to the list and allow objections.
5. International Data Transfers
Refybe shall ensure that transfers of Personal Data outside the EEA are subject to appropriate safeguards in accordance with GDPR Chapter V.
6. Data Subject Rights
Refybe will assist the Customer in fulfilling obligations to respond to data subject requests as per GDPR Articles 12–23.
7. Personal Data Breach
Refybe shall notify the Customer upon becoming aware of a breach, and provide all relevant breach details.
8. Deletion or Return of Data
Upon service termination, Refybe shall delete all Personal Data unless retention is required by law.
9. Liability
Each Party shall be liable for its own GDPR violations. Nothing in this Agreement limits data subjects' rights or regulatory powers.
10. Governing Law
This Agreement is governed by the laws of the European Union and the laws of the Netherlands.
Annex I – Authorized Sub-processors
Sub-Processor | Service | Location | Safeguards |
---|---|---|---|
AWS | Hosting / Email | Germany / Sweden | EEA, ISO 27001 |
Hetzner | Hosting | Germany | EEA, ISO 27001 |
SendGrid | | USA / EU | SCCs |