Data Processing Agreement (DPA)

Version: 1.0 (GDPR Compliant)

This DPA is entered into between the Energy Advisor (Controller) and EPAdossier (Processor).

1. Subject Matter

The Processor will store and process personal data concerning property owners and building metrics on behalf of the Controller to facilitate energy label registration.

2. Security Measures

We implement industry-standard security measures, including data encryption at rest (AWS/Neon) and in transit (TLS). Access is restricted to authorized personnel only.

3. Approved Sub-processors

The Controller authorizes the use of the following sub-processors:

• Cloud & Infrastructure: AWS, Neon
• Payments & Billing: Stripe
• Communications: Resend
• Analytics: Posthog
• External Data: Google Maps, Energiekezaak, RVO, EP-Online

4. Data Breaches

In the event of a data breach, the Processor will notify the Controller without undue delay (within 72 hours) to allow the Controller to meet their legal notification obligations.

5. Termination

Upon termination of the service, the Processor will, at the choice of the Controller, delete or return all personal data, unless Dutch law requires further storage.