Data Processing Agreement

pursuant to Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679)

Version 1.0
16 April 2026


This document is an English-language version provided for information purposes only. The original Dutch version is the legally binding text. In the event of any discrepancy or dispute, including in court proceedings, the Dutch version shall prevail.


Parties

1. The Controller:

The natural person or legal entity that has entered into an Agreement with Bimizi B.V. for the use of the Platform (hereinafter: "Controller" or "Client").

2. The Processor:

Bimizi B.V., established at Hanenweg 1, 4317 NJ Noordgouwe, The Netherlands, registered with the Chamber of Commerce under number [to be completed], hereinafter: "Processor" or "Bimizi".

The Controller and the Processor are hereinafter jointly referred to as the "Parties" and individually as a "Party".

Whereas:

  • The Controller uses the AI-powered SaaS platform for automated quotation generation in the construction industry offered by the Processor (the "Platform");
  • The Processor processes personal data on behalf of the Controller in the context of performing the Agreement;
  • The Parties are required by Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter: "GDPR") to record the arrangements regarding this processing in writing;
  • The Parties intend by means of this Data Processing Agreement (hereinafter: "DPA") to comply with the requirements of Article 28(3) GDPR;

Have agreed as follows:


Article 1 — Definitions

Terms used with a capital letter in this DPA shall have the meaning ascribed to them in the GDPR, the Dutch GDPR Implementation Act (Uitvoeringswet AVG) or the Terms and Conditions of the Processor, unless an alternative definition is set out in this DPA.

The following supplementary definitions apply:

Data Subject: the natural person to whom the Personal Data relates.

Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, as referred to in Article 4(12) GDPR.

Personal Data: all data relating to an identified or identifiable natural person, as referred to in Article 4(1) GDPR, that the Processor processes in the context of this DPA on behalf of the Controller.

Sub-processor: a third party engaged by the Processor to process (part of) the Personal Data on behalf of the Controller.

Processing: any operation or set of operations performed on Personal Data, as referred to in Article 4(2) GDPR.


Article 2 — Subject Matter and Duration of Processing

1. This DPA forms an integral part of the Agreement between the Parties regarding the use of the Platform and the associated Terms and Conditions of Bimizi B.V.

2. The duration of the processing shall be equal to the term of the Agreement, including any renewals, unless otherwise provided in this DPA.

3. Upon termination of the Agreement, the Processor shall cease the processing of Personal Data, subject to the obligations set out in Article 12 of this DPA.


Article 3 — Nature, Purpose and Basis of Processing

1. The Processor processes Personal Data solely in the context of performing the Agreement, namely: making the Platform available to enable the Controller to upload construction drawings, after which the Processor's AI system automatically segments building elements, calculates areas and volumes, matches these against Bills of Quantities (BOQ) entered by the Controller, and generates quotations on that basis.

2. The processing comprises the following operations: storage, organisation, consultation, use (including AI-driven analysis), disclosure by transmission to the Controller, and erasure or destruction of Personal Data.

3. The Controller warrants that it has a valid legal basis for the processing of the Personal Data within the meaning of Article 6 GDPR and that the processing by the Processor does not infringe the rights of Data Subjects or third parties.


Article 4 — Types of Personal Data and Categories of Data Subjects

1. Categories of Data Subjects:

The processing relates to Personal Data of the following categories of Data Subjects:

  • Employees and contact persons of the Controller who have access to the Platform (Users);
  • Persons whose data is contained in construction drawings or Bills of Quantities uploaded by the Controller, insofar as these contain personal data (for example, names of clients, project managers or contact persons);
  • Persons whose data is contained in quotations generated by the Platform.

2. Types of Personal Data:

The processing may relate to the following types of Personal Data:

  • Account data: name, email address, phone number, job title, company name;
  • Login data: username, (hashed) passwords, IP addresses, session data;
  • Usage data: log files, activity records on the Platform, times of use;
  • Project data: data contained in construction drawings and Bills of Quantities uploaded by the Controller, and in quotations generated therefrom, insofar as these contain personal data;
  • Communications data: messages and correspondence via the Platform or with the Processor's customer support.

3. The Processor does not process special categories of personal data within the meaning of Article 9 GDPR, unless such data is inadvertently included by the Controller in uploaded documents. The Controller shall ensure that this does not occur.


Article 5 — Obligations of the Processor

The Processor undertakes the following:

1. Instructions. The Processor shall process Personal Data only on the basis of documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless the Processor is required to do so by Union or Dutch law. In that event, the Processor shall inform the Controller of that legal requirement prior to the processing, unless that law prohibits such notification on important grounds of public interest.

2. Instructions conflicting with the GDPR. If the Processor is of the opinion that an instruction from the Controller infringes the GDPR or other Union or national data protection provisions, the Processor shall immediately inform the Controller thereof in writing.

3. Confidentiality. The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security. The Processor shall implement appropriate technical and organisational measures as referred to in Article 32 GDPR to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the varying likelihood and severity of the risks to the rights and freedoms of Data Subjects. These measures shall include, where appropriate:

  • the pseudonymisation and encryption of Personal Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5. Record of processing activities. The Processor shall maintain a record of processing activities as referred to in Article 30(2) GDPR.


Article 6 — Assistance to the Controller

1. Requests from Data Subjects. Taking into account the nature of the processing, the Processor shall assist the Controller, insofar as possible, in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including the right of access, rectification, erasure, restriction, portability and objection). If a Data Subject contacts the Processor directly with such a request, the Processor shall forward the request to the Controller without delay.

2. Other obligations. Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller in complying with its obligations under:

  • Article 32 GDPR: security of processing;
  • Articles 33 and 34 GDPR: notification of Data Breaches;
  • Article 35 GDPR: data protection impact assessment (DPIA);
  • Article 36 GDPR: prior consultation with the supervisory authority.

3. The Processor shall be entitled to charge reasonable costs for the assistance referred to in this article, insofar as such assistance exceeds the normal level of service.


Article 7 — Data Breaches

1. The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours of becoming aware, of any Data Breach involving Personal Data processed in the context of this DPA.

2. The notification to the Controller shall contain at least the following information, insofar as available at the time:

  • the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
  • the name and contact details of the contact person at the Processor where further information can be obtained;
  • the likely consequences of the Data Breach;
  • the measures proposed or taken by the Processor to address the Data Breach, including, where applicable, measures to mitigate its possible adverse effects.

3. Where it is not possible to provide all information simultaneously, the Processor shall provide the information in phases without further undue delay.

4. The Processor shall document all Data Breaches, including the facts, effects and corrective measures taken, and shall make this documentation available to the Controller upon request.

5. Notification of a Data Breach by the Processor to the Controller shall not be construed as an acknowledgement of fault or liability on the part of the Processor.


Article 8 — Sub-processors

1. The Controller hereby grants the Processor general written authorisation to engage Sub-processors for the performance of the processing.

2. At the time of entering into this DPA, the Processor engages the following Sub-processors:

Sub-processor | Service | Processing location
[Hosting provider — to be completed] | Hosting and storage of the Platform and data | EU/EEA
Stripe, Inc. / Mollie B.V. | Payment processing | EU/EEA (Stripe: partly US, under adequacy decision)
[Other — to be completed] | [Service] | [Location]

3. The Processor shall notify the Controller in advance of any intended changes to the list of Sub-processors, including the addition or replacement of a Sub-processor. The Controller shall have the right to object to an intended change within fourteen (14) days of notification. If the Parties are unable to reach agreement following an objection, the Controller shall have the right to terminate the Agreement and this DPA.

4. The Processor shall impose on each Sub-processor, by way of contract, the same data protection obligations as those set out in this DPA, in particular the obligation to provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures.

5. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.

6. A current list of Sub-processors shall be available from the Processor upon request and may also be published on the Platform.


Article 9 — Transfers Outside the EEA

1. The Processor shall, as a general rule, process Personal Data exclusively within the European Economic Area (EEA).

2. Transfer of Personal Data to a country outside the EEA or to an international organisation shall only be permitted where:

  • the European Commission has adopted an adequacy decision in respect of that country pursuant to Article 45 GDPR; or
  • appropriate safeguards have been put in place pursuant to Article 46 GDPR, including Standard Contractual Clauses (SCCs) adopted by the European Commission; or
  • one of the derogations set out in Article 49 GDPR applies.

3. The Processor shall inform the Controller in advance of any intended transfer outside the EEA and shall provide information about the safeguards in place.


Article 10 — Audit

1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

2. The Controller may carry out an audit no more than once per calendar year, unless there is a specific reason (such as a Data Breach or suspected non-compliance) that justifies an additional audit. The Controller shall give the Processor at least thirty (30) days' written notice of any audit.

3. The audit shall be conducted in a manner that minimises disruption to the Processor's operations. The auditor shall be bound by confidentiality obligations.

4. The Processor shall be entitled to charge the Controller reasonable costs for its cooperation with an audit.

5. Where the Processor holds a current audit report, certification or statement from an independent third party (such as a SOC 2 report or ISO 27001 certification), the Controller may accept this as (partial) fulfilment of its audit right.


Article 11 — Liability

1. The Processor's liability to the Controller in the context of this DPA shall be governed by the liability provisions in the Processor's Terms and Conditions, insofar as these are not inconsistent with the GDPR.

2. Each Party shall be liable for damage caused by processing that infringes the GDPR, in accordance with Article 82 GDPR. The allocation of liability between the Parties shall not affect the rights of Data Subjects against either Party.

3. The Controller shall indemnify the Processor against all claims from Data Subjects or third parties arising from or in connection with the Controller's failure to comply with its obligations under the GDPR or this DPA, including the provision of Personal Data without a valid legal basis.


Article 12 — Termination and Return or Deletion of Data

1. Upon termination of the Agreement and this DPA, the Processor shall, at the Controller's election:

  • return all Personal Data to the Controller in a commonly used, machine-readable format; and/or
  • delete and destroy all Personal Data and existing copies.

2. The Controller shall communicate its choice as referred to in paragraph 1 in writing within thirty (30) days of termination. In the absence of a timely choice, the Processor shall be entitled to delete and destroy the Personal Data.

3. Following deletion or destruction, the Processor shall provide the Controller with written confirmation thereof.

4. The obligation to delete shall not apply insofar as the Processor is required by Union or Dutch law to retain the Personal Data for a longer period. In that case, the Processor shall inform the Controller of the applicable retention obligation and shall ensure the confidentiality of the data concerned.


Article 13 — Specific Provisions Regarding AI Processing

1. The Platform uses artificial intelligence to analyse construction drawings and generate quotations. The Processor processes data uploaded by the Controller using AI models solely for the purpose of performing the Agreement.

2. The Processor may use anonymised, non-identifiable data to train and improve its AI models, unless the Controller objects in writing. Data used for this purpose no longer qualifies as Personal Data within the meaning of the GDPR.

3. The Processor shall take appropriate measures to prevent Personal Data contained in uploaded documents from being unintentionally disclosed to unauthorised third parties through the AI output.

4. The Processor shall endeavour to comply with the transparency obligations under Regulation (EU) 2024/1689 (the AI Act), insofar as these relate to the processing of Personal Data.


Article 14 — Cooperation with the Supervisory Authority

1. The Processor shall cooperate with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or any other competent supervisory authority in the exercise of its duties, insofar as this relates to the processing of Personal Data in the context of this DPA.


Article 15 — Miscellaneous

1. In the event of conflict between the provisions of this DPA and the Terms and Conditions, the provisions of this DPA shall prevail insofar as the processing of Personal Data is concerned.

2. Amendments to this DPA shall only be valid if agreed in writing by both Parties.

3. This DPA shall be governed by the laws of the Netherlands. Disputes shall be submitted to the competent court in the district of Zeeland-West-Brabant, unless mandatory statutory provisions designate a different court.


Article 16 — Contact Details

For questions about this DPA or about the processing of Personal Data, please contact:

Bimizi B.V.
Hanenweg 1, 4317 NJ Noordgouwe, The Netherlands
Email: hello@bimizi.com

Annex A — Technical and Organisational Measures (Article 32 GDPR)

The Processor has implemented the following technical and organisational measures to protect Personal Data:

Access Control

  • Access to Personal Data is restricted to authorised personnel on a need-to-know basis.
  • Multi-factor authentication (MFA) is mandatory for access to production systems.
  • Access rights are reviewed periodically and revoked immediately upon departure.

Encryption

  • Personal Data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher).

Network Security

  • The Platform is protected by firewalls, intrusion detection/prevention systems and DDoS protection.
  • Periodic vulnerability scans and penetration tests are carried out.

Backup and Recovery

  • Automated daily backups are made of all Personal Data.
  • Recovery procedures are tested periodically.

Logging and Monitoring

  • Access to and processing of Personal Data is logged.
  • Anomalies and security incidents are monitored and investigated.

Organisational Measures

  • Personnel with access to Personal Data are bound by confidentiality obligations.
  • Personnel receive periodic security awareness training.
  • An internal policy has been established for reporting and handling security incidents and Data Breaches.

Physical Security

  • Servers and infrastructure are hosted in certified data centres within the EEA with appropriate physical access controls.

These measures are reviewed periodically and updated where necessary in accordance with the state of the art and the nature of the processing.
