Data Processing Agreement (DPA) — Eerlijke Corvee
⚠️ DRAFT — requires legal review by a Dutch lawyer before being offered to customers or clubs. This is not legal advice. Placeholders marked <...> must be filled before publication. Verify all clauses against the current GDPR text and the Dutch Data Protection Authority’s model clauses. The Dutch version (dpa-nl.md) is the primary; this English version is a translation only — in case of conflict, the Dutch version prevails. This DPA is intended for B2B relationships with sports clubs or larger customers; individual team managers use the Terms of Service and Privacy Policy without a separate DPA.
Version: 0.1 (draft) — 2026-05-02
1. Parties
This Data Processing Agreement (“DPA”) is concluded between:
Controller (“Customer”):
- Name: <NAME OF CLUB / LEGAL ENTITY>
- Chamber of Commerce (KvK) number: <KVK NUMBER>
- Address: <ADDRESS>
- Represented by: <NAME AND ROLE>
Processor (“we”, “us”):
- Name: <COMPANY NAME — e.g. Eerlijke Corvee B.V.>
- Chamber of Commerce (KvK) number: <KVK NUMBER>
- Address: <BUSINESS ADDRESS>
- Represented by: <NAME AND ROLE>
Hereinafter jointly referred to as: “Parties”.
2. Background
The Customer has a main agreement (the “Main Agreement”) with the Processor for use of the Eerlijke Corvee Service. In the context of that Service, the Processor processes personal data on behalf of the Customer. This DPA records the agreements on that processing in accordance with Article 28 of the General Data Protection Regulation (GDPR).
In case of conflict between this DPA and the Main Agreement, this DPA prevails on matters concerning the processing of personal data.
3. Subject matter and duration
3.1 Subject matter
The Processor processes personal data on behalf of the Customer for the provision of the Service (duty assignment, match and training management, communication with team members).
3.2 Duration
This DPA remains in force as long as the Main Agreement is in effect, and terminates automatically upon its termination. Provisions that by their nature also apply after termination (such as return/erasure of data, confidentiality) remain applicable.
4. Nature, purposes and categories
4.1 Nature of the processing
Automated processing via cloud software, including:
- Storage in a PostgreSQL database (hosted on Microsoft Azure, EU)
- Sending of transactional email (via Resend)
- Sending of push notifications (via VAPID Web Push, no intermediary)
- Logging and audit
- Backups
4.2 Purpose
Solely the provision of the Service as described in the Main Agreement and the Terms of Service. The Processor does not process personal data for its own purposes such as marketing or profiling outside the Service.
4.3 Categories of data subjects
- Team managers, trainers, coaches
- Parents / caretakers of players
- Players (only name and age category by default; from age 13+ optionally an own account with email address)
4.4 Categories of personal data
- Identifying data: name, email address
- Role information within the team
- Preferences and availability (availability status, task preferences)
- Player information: name, age category, caretaker relationship
- Activity data: duty assignments, attendance records
- Technical data: IP address, browser user-agent (in logs)
4.5 No special categories
The Service is not designed to process special categories of personal data (such as health data, race, religion, political beliefs). Customer commits not to process such data via the Service. If Customer accidentally enters such data (e.g. in a free-text notes field), the Customer bears the responsibility.
5. Obligations of the Processor
The Processor:
a. Processes personal data solely on the basis of written instructions from the Customer, except where EU law or national law provides otherwise.
b. Ensures that persons with access to the personal data have committed to confidentiality (NDA or equivalent).
c. Takes appropriate technical and organisational security measures in accordance with Article 32 GDPR, including at least:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (Azure level)
- Access control and least-privilege
- Audit logging on administrative actions
- Secrets in a secrets manager
- Regular encrypted backups
d. Assists the Customer with data subject requests (access, rectification, erasure, etc.) by providing reasonable support, given the nature of the processing.
e. Assists the Customer in complying with the obligations under Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation).
f. Notifies the Customer of data breaches without undue delay, and in any event within 48 hours of detection, with the information the Customer needs to comply with its notification obligations.
g. After termination of the Service, at the Customer’s choice, makes all personal data available or erases them, and erases existing copies, except where Union or national law requires retention.
h. Makes available to the Customer all information necessary to demonstrate compliance with its GDPR obligations, and enables audits (see Article 7 below).
6. Sub-processors
6.1 Authorisation
The Customer hereby gives general authorisation for the engagement of sub-processors, provided that:
- The Processor maintains a current list of sub-processors and shares it on request
- The Customer is informed at least 30 days in advance of changes, and has the option to object on reasonable grounds
- A data processing agreement is concluded with each sub-processor with at least the same protection measures as this DPA
6.2 List of sub-processors (as of 2026-05-02)
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Microsoft Azure (Container Apps + PostgreSQL) | Hosting + database | EU (North Europe — Ireland) |
| Resend | Transactional email | <VERIFY REGION> |
| Cloudflare | DNS, static marketing site, DDoS mitigation | Global edge network |
| Tikkie / ABN AMRO (interim) | Payment processing | Netherlands / EU |
| Mollie (after 50+ teams) | Payment processing | EU (Netherlands) |
| Plausible Analytics (optional) | Anonymous analytics on marketing site | EU (Germany) |
A current list is available at <DOMAIN>/dpa/subprocessors.
7. Audits and information requests
7.1 Audit
The Customer has the right to perform an audit once per calendar year (and more frequently if grounds exist following a data breach or suspected breach) into compliance with this DPA, at its own cost.
7.2 Practical implementation
Audits are conducted:
- With at least 30 days’ advance notice
- During regular working hours, in a manner that does not unreasonably disrupt the Processor’s business
- If desired, by an independent third-party auditor with confidentiality obligation
7.3 Documentation as an alternative
The Processor may, instead of a physical audit, provide existing certifications (such as ISO 27001 of Microsoft Azure) or written questionnaires. This does not relieve the Customer of the audit right but can, by mutual agreement, make an audit unnecessary.
8. Transfer outside the EEA
The Processor does not transfer personal data outside the EEA without a valid transfer ground (adequacy decision, Standard Contractual Clauses, or an exception under Article 49 GDPR).
Cloudflare’s global edge network may temporarily cache static marketing content at locations outside the EEA. This does not concern personal data of data subjects using the Service.
9. Liability
The liability of the Parties for damage arising from this DPA is limited to the amount set out in the Main Agreement, on the understanding that:
- For damage resulting from an attributable failure by the Processor to comply with the GDPR, a higher maximum of € 1,000 per event applies, or the annual amount agreed in the Main Agreement, if higher
- Liability for intent or gross negligence by a Party or its managers is not limited
- Mandatory statutory liability (such as under Article 82 GDPR for material and non-material damage of data subjects) remains unaffected
10. Final provisions
10.1 Amendments
Amendments to this DPA are only valid if agreed in writing between the Parties.
10.2 Governing law
This DPA is governed by Dutch law. Disputes will preferably be resolved through mutual consultation; failing that, the District Court of <DISTRICT> has exclusive jurisdiction.
10.3 Conflict
In case of conflict between this DPA and the Privacy Policy, Terms of Service or the Main Agreement, this DPA prevails for matters concerning the processing of personal data.
10.4 Signature
This DPA is signed electronically or physically by both Parties. A scanned, signed copy has the same legal force as an original.
Signature
Customer (Controller):
Name: ________________________________
Role: ________________________________
Date: ________________________________
Signature: ___________________________
Processor (Eerlijke Corvee):
Name: ________________________________
Role: ________________________________
Date: ________________________________
Signature: ___________________________
Version: 0.1 (draft) Last updated: 2026-05-02