Data Processing Agreement

Last updated: June 8, 2026

By creating an account and accepting our Terms of Service, you also accept this Data Processing Agreement in full. This DPA is legally binding.

This Data Processing Agreement (the “DPA”) forms part of and is incorporated into the Terms of Service (the “Terms”) between honoa (“honoa,” the “Processor,” “we,” “us,” or the “Operator”), a service operated from the Netherlands, and the customer (the “Controller,” “you,” or “your”). This DPA governs the Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the provision of the Services, and reflects the parties’ agreement with respect to the terms governing such Processing in accordance with the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, the “UAVG”).

1. Definitions

Unless otherwise defined in this DPA, capitalised terms have the meaning given to them in the GDPR. For the purposes of this DPA, the following definitions apply:

  • Controller means the customer, being the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • Processor means honoa, being the natural or legal person which Processes Personal Data on behalf of the Controller.
  • Data Subject means an identified or identifiable natural person to whom the Personal Data relates.
  • Personal Data means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller under this DPA.
  • Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
  • Sub-processor means any third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.
  • Supervisory Authority means an independent public authority responsible for monitoring the application of the GDPR, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”).
  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • UAVG means the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming).
  • Services means the products and services provided by the Processor to the Controller under the Terms of Service, including the website builder, hosting, e-commerce features, content management system, AI-powered features, collaboration tools, and analytics.

2. Subject Matter and Duration

The subject matter of this DPA is the Processing of Personal Data by the Processor on behalf of the Controller. The Processor Processes Personal Data on behalf of the Controller solely for the purpose of providing the Services to the Controller in accordance with the Terms of Service and the Controller’s documented instructions.

This DPA takes effect on the date the Controller accepts the Terms of Service and remains in force for the entire duration of the Controller’s subscription to the Services. The duration of the Processing corresponds to the duration of the subscription under the Terms of Service and continues until the Processing of Personal Data ceases in accordance with Section 15 of this DPA.

3. Nature and Purpose of Processing

The Processor Processes Personal Data on behalf of the Controller for the purpose of providing the Services. The nature and purpose of the Processing include, without limitation:

  • Hosting websites built by the Controller and delivering them to the public internet;
  • Storing user-uploaded content, media files, and website data on Amazon Web Services (AWS) S3 infrastructure;
  • Processing form submissions, e-commerce orders, subscriber lists, and analytics data generated by the Controller’s published websites;
  • Providing AI-powered features, which involve the processing of text content only, with no storage of such content by Anthropic beyond the duration of the request;
  • Providing collaboration features for the Controller’s team and workspaces.

4. Categories of Personal Data

The Personal Data Processed under this DPA may include, depending on how the Controller configures and uses the Services, the following categories:

  • Website visitor data, including IP addresses, browser information, device information, and similar technical identifiers;
  • End-customer data, including names, email addresses, postal and billing addresses, and payment information (processed via Stripe);
  • Form submission data submitted by visitors through the Controller’s websites;
  • Subscriber email lists and newsletter sign-up data;
  • Any other Personal Data that the Controller chooses to collect, store, or process via its websites or through the Services.

5. Categories of Data Subjects

The Data Subjects whose Personal Data is Processed under this DPA may include, depending on how the Controller uses the Services:

  • The Controller’s website visitors;
  • The Controller’s end-customers;
  • Newsletter subscribers;
  • Form submitters.

6. Controller’s Obligations

The Controller is responsible for determining the purposes and means of the Processing of Personal Data through the Services. The Controller represents, warrants, and undertakes that:

  • (a) it has, and will maintain throughout the term of this DPA, a valid lawful basis under the GDPR for all Processing of Personal Data carried out through the Services;
  • (b) it has provided, and will continue to provide, all required privacy notices and other information to Data Subjects as required by applicable data protection law, including the GDPR and the UAVG;
  • (c) it will not instruct the Processor to Process Personal Data in any manner that would cause the Processor to violate any applicable data protection law;
  • (d) it is solely and exclusively responsible for the content it publishes and for all Personal Data it collects, stores, or processes through its websites and the Services, including the legality, accuracy, and integrity of that data;
  • (e) it will comply with all applicable data protection laws, including the GDPR and the UAVG, in respect of its activities under this DPA.

The Controller acknowledges that, as the party determining the purposes and means of Processing, it bears primary responsibility for compliance with data protection law in respect of the Personal Data it Processes through the Services.

7. Processor’s Obligations

The Processor undertakes that it will:

  • Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor will inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
  • Ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Section 8 of this DPA;
  • Respect the conditions for engaging Sub-processors as set out in Section 9 of this DPA;
  • Taking into account the nature of the Processing, assist the Controller, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising Data Subject rights and to comply with breach notification and related obligations;
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Services, and delete existing copies unless Union or Member State law requires storage of the Personal Data, as set out in Section 15;
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits as set out in Section 13, upon reasonable written request, with thirty (30) days’ notice and at the Controller’s cost.

8. Technical and Organisational Measures (TOMs)

The Processor implements and maintains appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. These measures include:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest;
  • Access controls based on the principle of least privilege;
  • Regular security assessments and reviews;
  • Incident response procedures for detecting, reporting, and responding to security incidents;
  • Storage of data on Amazon Web Services (AWS) infrastructure that maintains SOC 2 compliance.

9. Sub-processors

The Controller provides a general authorisation for the Processor to engage Sub-processors to Process Personal Data on behalf of the Controller. The Processor maintains an up-to-date list of the Sub-processors it engages at /subprocessors. By accepting this DPA, the Controller consents to the engagement of the Sub-processors currently listed there.

The Processor will give the Controller at least fourteen (14) days’ prior notice of the addition of any new Sub-processor or any material change to an existing Sub-processor’s Processing activities, via email or a notification in the Controller’s dashboard. The Controller may object to such a change on reasonable data protection grounds within fourteen (14) days of the notice by terminating its subscription to the Services. The Controller’s continued use of the Services after the expiry of the fourteen (14) day period constitutes acceptance of the new Sub-processor.

Where the Processor engages a Sub-processor, it will impose on that Sub-processor, by way of a contract or other legal act, data protection obligations that are no less protective than those set out in this DPA. The Processor remains fully responsible to the Controller for the performance of each Sub-processor’s obligations in accordance with Article 28(4) GDPR.

10. International Transfers

The Controller acknowledges and authorises that Personal Data may be transferred to and Processed in countries outside the European Economic Area (EEA), including the United States, in connection with the Processor’s use of Sub-processors such as Amazon Web Services (AWS) and Anthropic. Where Personal Data is transferred outside the EEA to a country that has not been the subject of an adequacy decision by the European Commission, the Processor relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission as the lawful transfer mechanism, together with any supplementary measures required to ensure an adequate level of protection. The Controller authorises these transfers and the use of the SCCs as the transfer mechanism.

11. Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event no later than forty-eight (48) hours, after becoming aware of a personal data breach affecting the Controller’s Personal Data. Such notification will include, to the extent then available:

  • The nature of the personal data breach;
  • The categories of Data Subjects and Personal Data affected;
  • The approximate number of records concerned;
  • The likely consequences of the personal data breach;
  • The measures taken or proposed to be taken to address the breach and mitigate its effects.

The Controller is solely responsible for notifying the competent Supervisory Authority (the AP) within seventy-two (72) hours where required, and for notifying affected Data Subjects where required by the GDPR. The Processor’s notification under this Section does not constitute an acknowledgement of fault or liability.

12. Data Subject Rights

Where the Processor receives a request directly from a Data Subject seeking to exercise their rights under the GDPR (a “DSAR”) in relation to Personal Data Processed on behalf of the Controller, the Processor will forward that request to the Controller within five (5) business days and will not respond to the Data Subject directly except to confirm that the request has been forwarded, unless legally required to do so. Taking into account the nature of the Processing, the Processor will assist the Controller, by appropriate technical and organisational means and insofar as this is possible, in fulfilling the Controller’s obligation to respond to such DSARs. The Controller is responsible for responding to and fulfilling the requests of Data Subjects.

13. Audit Rights

The Controller may audit the Processor’s compliance with this DPA upon thirty (30) days’ prior written notice, no more than once per calendar year (save where an audit is required by a Supervisory Authority or following a personal data breach), and at the Controller’s sole expense. Any audit must be conducted during normal business hours, with minimal disruption to the Processor’s operations, and subject to appropriate confidentiality obligations. The Processor may satisfy any audit request by providing the Controller with relevant third-party audit reports or certifications (such as ISO 27001 or SOC 2), and the Controller agrees that such reports are sufficient to demonstrate the Processor’s compliance where applicable.

14. Liability

Each party is liable to the other in accordance with Article 82 of the GDPR. As between the parties, the Controller shall indemnify, defend, and hold harmless the Processor from and against any and all claims, demands, actions, proceedings, investigations, liabilities, damages, losses, fines, penalties, judgments, settlements, costs, and expenses (including reasonable legal fees) arising out of or in connection with (a) the Controller’s unlawful Processing instructions, or (b) the Controller’s failure to comply with its obligations under this DPA or under applicable data protection law.

The Processor’s total aggregate liability to the Controller under or in connection with this DPA is subject to the same exclusions and limitations of liability as set out in the Terms of Service, which apply to this DPA as if set out in full herein. Nothing in this DPA excludes or limits either party’s liability where such exclusion or limitation is not permitted under applicable mandatory law, including Article 82 of the GDPR.

15. Term and Termination

This DPA is incorporated into and forms part of the Terms of Service and terminates automatically upon termination or expiry of the Terms of Service. Upon termination of the Services, the Processor will, at the choice of the Controller, delete or return all Personal Data Processed on behalf of the Controller, and will delete existing copies within thirty (30) days of termination, unless and to the extent that retention of the Personal Data is required by Union or Member State law, in which case the Processor will retain the Personal Data only for as long as, and to the extent, required by such law and will continue to protect it in accordance with this DPA.

16. Governing Law

This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it, its subject matter, or its formation shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law principles. The competent courts of the Netherlands shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.

17. Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the Terms of Service, the provisions of this DPA shall prevail, but only with respect to the subject matter of data protection and the Processing of Personal Data. In all other respects, the Terms of Service remain in full force and effect.

Contact

If you have any questions about this DPA, please contact us at [email protected].