Data Processing Agreement
This Data Processing Agreement (DPA) governs the processing of personal data by Better Desk as processor on behalf of your organization as data controller, in accordance with the General Data Protection Regulation (GDPR).
Definitions
In this data processing agreement, the following terms are defined:
GDPR
The General Data Protection Regulation (EU) 2016/679.
Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation relating to personal data, such as collection, recording, organization, storage, modification, retrieval, consultation, use, disclosure, or destruction.
Data Controller
The Customer who determines the purposes and means of the processing of personal data.
Processor
Better Desk B.V., which processes personal data on behalf of the Data Controller.
Data Subject
The natural person to whom the personal data relates.
Sub-processor
A third party engaged by the Processor for the processing of personal data.
Data Breach
A breach of security leading to the destruction, loss, alteration, or unauthorized access to personal data.
Subject and Duration
2.1 Subject
This data processing agreement relates to the processing of personal data by Better Desk in the context of providing the Better Desk application for IT asset management, document generation, and digital signatures.
2.2 Nature of Processing
The processing includes storing, consulting, modifying, and deleting personal data for the purpose of asset tracking, document generation, signing, and user management.
2.3 Purpose of Processing
Processing takes place exclusively for the purpose of performing the services as described in the main agreement and the General Terms and Conditions.
2.4 Duration
This agreement is effective for as long as the main agreement is in effect. After termination, the provisions regarding confidentiality and data deletion remain applicable.
Types of Personal Data
The following categories of personal data may be processed:
Identification data
Name, email address, job title, department
Account data
Username, profile photo, authentication tokens
Organization data
Organization name, location, departments
Asset-related data
Asset assignments, transfer history
Document data
Generated documents, signatures
Technical data
IP addresses, device IDs, browser type
Location data
GPS coordinates during signing (with consent)
Audit logs
User actions, timestamps, changes
Note: Better Desk does not process special categories of personal data (such as medical data, religion, or criminal records) unless expressly agreed upon with additional security measures.
Categories of Data Subjects
The personal data relates to the following categories of data subjects:
- Employees of the Controller
Users who have access to Better Desk within the organization
- IT Administrators
Administrators who configure and manage the Better Desk environment
- Asset Recipients
Persons to whom IT equipment is transferred
- Signatories
Persons who digitally sign documents
- Contact Persons
Persons mentioned in documents or transfers
Obligations of the Processor
Better Desk commits to the following obligations:
Obligations of the Controller
The Controller guarantees that:
- The processing of personal data is based on a valid legal basis
- Data subjects have been adequately informed about the processing of their data
- Instructions to the Processor comply with the GDPR
- Adequate security measures are taken on the organization's side
- Employees have been instructed on the safe use of the application
Sub-processors
7.1 Consent
The Controller hereby grants general consent to Better Desk to engage sub-processors for the processing of personal data.
7.2 Conditions
Better Desk ensures that sub-processors are bound by the same or stricter obligations as set out in this agreement.
7.3 Current List
A current list of sub-processors is available on our website. Changes are announced at least 30 days in advance.
7.4 Objection
The Controller may object to a new sub-processor within 14 days of notification. In case of a justified objection, Better Desk will not engage the sub-processor or will provide an alternative solution.
Security Measures
Better Desk has implemented the following technical and organizational measures:
Encryption
- TLS 1.3 for data in transit
- AES-256 for data at rest
- Encrypted backups
Access Control
- OAuth 2.0 authentication
- Role-based access control
- Multi-factor authentication
Infrastructure
- ISO 27001 certified data centers
- Firewall and DDoS protection
- Physical access security
Monitoring
- 24/7 system monitoring
- Automatic error detection
- Audit logging
Personnel
- Non-disclosure agreements
- Security awareness training
- Restricted access on a need-to-know basis
Continuity
- Daily backups
- Disaster recovery plan
- 99.9% uptime SLA
Data Breach Notification
9.1 Notification Period
Better Desk will notify the Controller of a data breach without undue delay and, where possible, within 24 hours of discovery.
9.2 Notification Content
The notification shall contain at minimum:
- Nature of the data breach and affected categories of data
- Estimated number of data subjects and data records affected
- Contact details for further information
- Description of likely consequences
- Description of measures taken or proposed
9.3 Assistance
Better Desk shall provide all reasonable cooperation to the Controller in investigating the data breach and any notifications to the supervisory authority or data subjects.
Data Subject Rights
Better Desk supports the Controller in handling data subject requests regarding:
Better Desk shall promptly inform the Controller of any requests received and shall cooperate in handling them within the statutory timeframes.
Audit and Inspection
11.1 Audit Right
The Controller has the right to conduct or have audits conducted to verify compliance with this agreement.
11.2 Conditions
- Audits must be announced at least 30 days in advance
- Audits take place during normal business hours
- The auditor is bound by confidentiality
- Audit costs are borne by the Controller
11.3 Certifications
Better Desk may provide certifications or audit reports from external parties as an alternative or supplement to an audit.
Termination and Data Deletion
12.1 Export Option
For 30 days after termination of the agreement, the Controller has the option to export all personal data in a common, machine-readable format.
12.2 Deletion
After the export period, all personal data will be permanently deleted, including all copies and backups, unless statutory retention periods require otherwise.
12.3 Confirmation
Upon request, Better Desk shall provide written confirmation of the deletion of all personal data.
Liability
13.1 Own Liability
Each party is liable for damages resulting from its own actions or omissions in violation of the GDPR or this agreement.
13.2 Limitation
The liability of Better Desk is limited in accordance with the provisions of the General Terms and Conditions, unless there is intent or gross negligence.
13.3 Indemnification
The parties indemnify each other against claims from third parties (including data subjects and supervisory authorities) arising from a breach of the GDPR by the other party.
Contact and Final Provisions
14.1 Contact Person
For questions about this data processing agreement or data protection:
14.2 Applicable Law
This agreement is governed by Dutch law. Disputes shall be submitted to the competent court in the district where Better Desk is established.
14.3 Amendments
Amendments to this agreement are only valid if agreed in writing. Better Desk may unilaterally amend this agreement if necessary for compliance with changed legislation, with 30 days' prior notice.
Need a signed copy?
Do you need a signed copy of this data processing agreement for your records? Get in touch with us.
Questions about the data processing agreement?
Get in touch with our legal team.
legal@better-desk.app