This Data Processing Agreement (“DPA”) supplements the master services agreement (the “Agreement”) between the customer (“Controller”) and BalansPointe Health BV (“Processor”) and governs Processor’s processing of personal data on behalf of Controller.
1. Definitions
Terms not defined here have the meaning given in GDPR (EU Regulation 2016/679). “Personal Data”, “Data Subject”, “Processing”, “Processor”, “Controller”, and “Subprocessor” carry their GDPR meanings.
2. Subject matter, duration, nature and purpose
- Subject matter: Processing of Personal Data submitted to Processor by Controller or its end users in connection with the workforce-insight and consulting services described in the Agreement.
- Duration: The term of the Agreement, plus any retention period required by law or expressly permitted by Controller for return / deletion (see §10).
- Nature and purpose: Hosting, analysis, reporting, aggregation, and presentation of workforce data; account management; customer support; security monitoring.
- Categories of Data Subjects: Controller’s employees, contractors, clinical staff, and contact persons.
- Types of Personal Data: Identification (name, employee ID), contact (work email, work phone), role and organizational unit, scheduling and time-attendance records, and related workforce metrics. No special-category data is intentionally processed unless explicitly contracted in a schedule.
3. Processor obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller, including with regard to transfers to a third country, unless required to do so by EU or member-state law (in which case Processor will inform Controller before processing, unless that law prohibits notice on important grounds of public interest).
- Ensure that persons authorised to process Personal Data are bound by an obligation of confidentiality.
- Take all measures required pursuant to Article 32 GDPR (see §5).
- Respect the conditions in this DPA for engaging Subprocessors (see §6).
- Assist Controller, by appropriate technical and organisational measures, in fulfilling Controller’s obligation to respond to requests from Data Subjects (see §7).
- Assist Controller in ensuring compliance with Articles 32–36 GDPR, taking into account the nature of processing and the information available.
- Return or delete all Personal Data at the choice of Controller at the end of the provision of services (see §10).
- Make available to Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR (see §9).
4. Controller obligations
Controller shall:
- Have a lawful basis under GDPR for the Personal Data it provides to Processor.
- Be responsible for the accuracy, quality, and legality of the Personal Data and the means by which Controller acquired it.
- Provide all required privacy notices to Data Subjects.
- Configure access controls and roles inside the service in accordance with its internal access policy.
5. Security measures (Art. 32 GDPR)
Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (database and backups).
- Access control via SSO with multi-factor authentication available; role-based authorisation; least-privilege principle for staff access.
- Network security: production secrets stored outside source control; production database not exposed to the public internet.
- Audit logging of authentication events and mutating actions inside the application, retained for the term of the Agreement.
- Backups: daily encrypted snapshots; 90-day rolling retention; documented restore procedure tested at least annually.
- Personnel: staff bound by written confidentiality obligations; access provisioned and de-provisioned through a tracked process.
- Vendor management: each Subprocessor reviewed for equivalent security and contractually bound to this DPA’s obligations.
A current technical and organisational measures (TOMs) summary is available on request.
6. Subprocessors
Controller authorises Processor to engage the Subprocessors listed at /subprocessors. Processor will:
- Impose on each Subprocessor, by written contract, data-protection obligations no less protective than those in this DPA.
- Remain fully liable to Controller for the performance of each Subprocessor’s obligations.
- Notify Controller of any intended addition or replacement of a Subprocessor at least 30 days in advance, by email to the designated privacy contact and by updating the public list. Controller may object on reasonable grounds within that period; if a resolution cannot be reached, Controller may terminate the affected service.
7. Data subject rights
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling Controller’s obligation to respond to Data Subject requests under Chapter III GDPR. If Processor receives a request directly from a Data Subject, Processor will not respond substantively and will forward the request to Controller without undue delay.
8. Personal-data breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal-Data Breach affecting Controller’s Personal Data. The notification will include, to the extent known:
- The nature of the breach and the categories and approximate number of affected Data Subjects;
- The likely consequences;
- The measures taken or proposed to mitigate possible adverse effects;
- The contact point for further information.
Processor will cooperate with Controller in any subsequent investigation and in any notifications Controller must make to a supervisory authority or Data Subjects.
9. Audits and records
Processor will make available to Controller, on reasonable request and at most once per year (more frequently following a confirmed breach), information necessary to demonstrate compliance with Article 28 GDPR and this DPA. Permissible means include:
- Written responses to a security questionnaire;
- Provision of relevant third-party audit reports (where available);
- Remote review of policies and procedures; in-person audits where remote review is insufficient, scheduled at mutually agreed times and at Controller’s cost.
10. Return and deletion of data
Upon termination of the Agreement, Processor will, at Controller’s written choice, delete or return all Personal Data, and delete existing copies, unless EU or member-state law requires storage of the Personal Data. Standard return is by encrypted export of the Controller’s data in the service’s native format. Backup copies created before the termination date will age out within the documented 90-day backup-retention window and will not be restored absent legal obligation.
11. International transfers
Where Processor or a Subprocessor transfers Personal Data outside the European Economic Area, the transfer is governed by the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 (or any successor), which are deemed incorporated into this DPA by reference. Modules and roles are determined by the relevant transfer (typically Module Two — Controller to Processor).
12. Liability and governing law
Liability under this DPA is governed by the limitation-of-liability clause in the Agreement. This DPA is governed by Dutch law; the courts of Amsterdam, the Netherlands have exclusive jurisdiction over disputes arising from it, without prejudice to mandatory rules of the law of the Data Subject’s habitual residence under GDPR.
13. Order of precedence
In the event of conflict between this DPA and the Agreement on matters of data protection, this DPA prevails. In the event of conflict between this DPA and the Standard Contractual Clauses, the SCCs prevail.
Signatures
The executed version of this DPA is signed by the authorised representatives of both parties. Contact admin@balanspointe.com to begin DPA execution.
