Data processing agreement
Last updated: June 5, 2026
This data processing agreement (GDPR art. 28) forms part of the agreement between the customer ("controller") and Riemersma RMS (Breuningslaan 26, 8471 ZT Wolvega, KvK 96579153; "processor"). It governs the processing of end-customers' personal data via the Service.
1. Subject and purpose
We process personal data solely on behalf of and according to the instructions of the customer, for the purpose of providing the Service (POS, webshop, dashboard, inventory, accounting).
2. Categories of data subjects and data
- Data subjects: the customer's end-customers, the customer's staff, website visitors.
- Data: identification and contact data, order and transaction data, account and session data, and technical logs.
3. Retention periods
| Category | Retention |
|---|---|
| Account and transaction data | Contract term + 30-day export window |
| Technical logs | 12 months rolling |
| Backups | 30 days rolling |
| Deleted data (trash) | 30 days after deletion |
The statutory tax retention obligation (7 years) lies with the customer; make your own timely exports.
4. Obligations of the processor
We: process only on instruction; ensure confidentiality; take appropriate technical and organisational security measures; and assist the customer with its GDPR obligations.
5. Sub-processors
We engage the following sub-processors; data stays within the EU/EEA:
| Sub-processor | Purpose |
|---|---|
| Hosting provider (EU) | Hosting of platform and database |
| PayNL | Payment processing |
| MyParcel | Shipping and delivery |
| Postmark | Transactional email |
| Sentry | Error monitoring (filtered) |
If sub-processors change, we inform the customer in advance, allowing objection.
6. Data breaches
In the event of a data breach we inform the customer without undue delay and no later than 72 hours after discovery, with the information the customer needs to meet its notification duty (GDPR art. 33/34).
7. Data subject rights
We reasonably assist the customer with data subject requests (access, rectification, erasure, restriction, portability, objection).
8. Location and transfers
Processing takes place within the EU/EEA. Transfers to third countries do not occur without appropriate safeguards (such as standard contractual clauses).
9. Audit
The customer may verify compliance, after reasonable notice (30 days), without disproportionately disrupting operations. We may also satisfy this via a questionnaire or certifications.
10. Term and termination
This agreement applies as long as we process data. After termination we delete or anonymise the data after the export window, subject to statutory retention.
11. Liability
Liability under this agreement is limited in accordance with the terms of service.
Questions? Email rowan@riemersma.co.nl.