Data Processing Agreement (DPA)

Data Processing Agreement in accordance with Art. 28 GDPR

Version: 2025.1

Date: 22 november 2025

Compliant with: Art. 28 AVG (GDPR Art. 28)

✅ Mandatory Document
This Data Processing Agreement (DPA) is mandatory for all services where ID2Bytes® processes personal data on behalf of clients, in accordance with Art. 28 GDPR.

✓ GDPR Compliant ✓ Art. 28 Compliant ✓ SCCs Included ✓ AI Processing

📥 Download Documents

Download the complete Data Processing Agreement including all annexes.

📄 Download DPA PDF (42 KB) 📝 Download Markdown

What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally required contract between a Data Controller (client) and a Data Processor (ID2Bytes®) for the processing of personal data.

This agreement defines how ID2Bytes® handles personal data, which security measures are applied, and what rights and obligations both parties have.

Key Components

📋 Processing Details

Purpose, nature, categories of personal data, data subjects, and processing duration (see Annex A).

🔐 Security Measures

Technical and organizational measures (TOM) in accordance with Art. 32 GDPR, including encryption, access control, and incident response (see Annex C).

👥 Subprocessors

Transparent list of all subprocessors with 30-day notification and right to object (see Annex B and www.id2bytes.com/subprocessors).

🌍 International Transfers

Standard Contractual Clauses (SCCs) for international transfers to third countries such as the United States (see Annex D).

⚠️ Data Breaches

48-hour notification obligation for data breaches with complete incident response procedures.

✅ Audit Rights

Clients have the right to audits and inspections (max 1x per year, with reasonable conditions).

DPA Annexes

The Data Processing Agreement contains 4 mandatory annexes in accordance with Art. 28 GDPR:

Annex A

Processing Details (client-specific)

Annex B

List of Subprocessors
→ View online

Annex C

Technical & Organizational Measures (TOM)

Annex D

Standard Contractual Clauses (SCCs)

AI-Specific Provisions

Our DPA contains extensive provisions for AI processing:

Zero Data Retention: AI providers (OpenAI, Anthropic) do not store data
Opt-in Model Training: Client data is NOT used for model training (unless explicitly opt-in)
Bias Detection: Monitoring and mitigation of AI bias
Human Oversight: Human control for high-risk decisions
EU AI Act Ready: Preparation for EU AI Act compliance (phased 2025-2027)

⚠️ Important for AI Services
When using AI Agents or other AI services, additional safeguards apply, as described in Art. 23 of our Terms and Conditions and Art. 3 of the DPA.

International Transfers

ID2Bytes® uses subprocessors in the United States (such as OpenAI, Anthropic, Microsoft Azure US). The following safeguards apply to these international transfers:

✓ Standard Contractual Clauses (SCCs) in accordance with EU Implementing Decision 2021/914
✓ EU-US Data Privacy Framework (DPF) for certified providers
✓ Transfer Impact Assessment (TIA) conducted in accordance with EDPB guidelines
✓ Technical measures: Encryption (AES-256), data minimization, zero retention

Data Subject Rights

ID2Bytes® supports all data subject rights in accordance with Art. 15-22 GDPR, with clear response times:

Access (Art. 15): 10 business days
Rectification (Art. 16): 10 business days
Erasure (Art. 17): 5 business days
Data Portability (Art. 20): 10 business days

Contact Privacy Officer

For questions about the Data Processing Agreement or privacy, please contact:

Privacy Officer: ID2Bytes
Email: privacy@id2bytes.com
Phone: +31 (0)6 52 21 51 59
Response time: Within 10 business days

🚨 Report Data Breach
If you suspect a data breach, contact us immediately via privacy@id2bytes.com and +31 (0)6 52 21 51 59. Response time: within 1 hour.