Last updated: 1 January 2026

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service ("Agreement") between you ("Controller", "Customer") and CNSDR ("Processor", "EchoVote", "we", "us").

Within the framework of the implementation of the EchoVote Services pursuant to the Agreement, the Processor processes personal data for the Controller within the meaning of the General Data Protection Regulation 2016/679/EC ("GDPR").

Within this context:

• The Customer is the "Controller" within the meaning of Article 4(7) of the GDPR

• CNSDR is the "Processor" within the meaning of Article 4(8) of the GDPR

1. Subject of the Data Processing Agreement

1.1 Controller's Guarantees

The Controller guarantees that:

• They can lawfully process the personal data made available and provide it to the Processor pursuant to and in accordance with prevailing privacy legislation, including the GDPR and all additional applicable national privacy legislation ("Applicable Privacy Law")

• They only process personal data, and have it processed by the Processor, that serves the purpose of the Agreement

• They have provided appropriate privacy notices to data subjects whose data is processed through the Service

1.2 Categories of Data

The categories of personal data processed by the Processor are detailed in Addendum II of this DPA.

1.3 Controller's Responsibilities

The Controller is and remains responsible for:

• Their own systems and infrastructure

• The lawfulness of data collection from their end-users

• Responding to data subject requests from their end-users

• Ensuring appropriate legal basis for processing

1.4 Processing Instructions

The Processor will:

• Only process personal data within the framework of the activities agreed in the Agreement

• Only process personal data on documented instructions from the Controller

• Follow all lawful instructions from the Controller, except where prohibited by applicable law

• Process personal data prudently and carefully, in accordance with Applicable Privacy Law

1.5 Data Deletion

• At the Controller's request, the Processor will delete or return personal data in a manner to be agreed upon

• After termination of the Agreement, the Processor will delete personal data within 30 days, except where retention is required by law

• Where the Processor is required to retain personal data due to legal obligations, processing will continue in accordance with Applicable Privacy Law

2. Rights of Data Subjects and Data Breach Notification

2.1 Communication

The Processor will notify the Controller about facts and circumstances that can reasonably be expected to affect the processing of personal data by the Controller.

2.2 Data Subject Rights

The Processor will cooperate with the Controller in fulfilling obligations under Applicable Privacy Law within statutory time limits, including but not limited to:

• Requests for access to personal data

• Requests for rectification or completion

• Requests for erasure ("right to be forgotten")

• Requests for restriction of processing

• Requests for data portability

• Objections to processing

2.3 Data Breach Notification

If the Processor discovers any actual or suspected:

• Unlawful or unauthorized processing of personal data

• Breach of security measures

• Personal data breach as defined in Article 4(12) GDPR

The Processor will:

• Notify the Controller without undue delay and in any case within 48 hours

• Provide sufficient information to enable the Controller to meet any obligations to report a data breach to supervisory authorities or data subjects

• Take reasonably necessary measures to prevent or mitigate further violations

2.4 Data Protection Officer

The Controller and Processor ensure that, if either party employs a Data Protection Officer, this officer is promptly and appropriately involved in data protection matters.

3. Technical and Organisational Security Measures

3.1 Security Obligations

The Processor will, taking into account:

• The state of the art

• The costs of implementation

• The nature, scope, context, and purposes of processing

• The risks to the rights and freedoms of data subjects

Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are detailed in Addendum III.

3.2 Security Review

At the Controller's reasonable request, the Processor will inform the Controller to what extent security measures are implemented and up to date, and consult about any necessary adjustments.

4. Confidentiality

4.1 Confidentiality Obligations

The Processor is bound by confidentiality regarding all personal data processed within the framework of the Agreement, except when:

• The personal data is manifestly not of a confidential nature

• The data is already publicly known

• The Processor has a legal duty to disclose the data to a supervisory authority or court

4.2 Additional Measures

At the Controller's explicit request, the Processor will take additional confidentiality measures for specific personal data, which may include destruction of data when no longer needed.

5. Personnel

5.1 Access Documentation

The Processor will:

• Document which personnel have access to personal data supplied by the Controller

• Update this documentation when changes occur

• Ensure personal data is processed only by authorised personnel

5.2 Personnel Obligations

The Processor guarantees that authorised personnel:

• Are bound by confidentiality obligations (contractual or statutory)

• Have received appropriate training on data protection

• Will abide by Applicable Privacy Law and this DPA

6. Sub-processors

6.1 General Authorization

The Controller grants general authorization for the Processor to engage sub-processors listed in Addendum I.

6.2 Sub-processor Requirements

The Processor ensures that all sub-processors:

• Comply with GDPR requirements

• Are bound by written agreements imposing data protection obligations equivalent to this DPA

• Provide sufficient guarantees for appropriate technical and organisational measures

6.3 Data Location

The Processor will only store personal data on:

• Its own servers, or

• Servers of sub-processors that comply with GDPR

For sub-processors outside the EU/EEA, the Processor ensures an adequate level of protection through:

• EU adequacy decisions

• EU-US Data Privacy Framework

• Standard Contractual Clauses

• Other legally recognized transfer mechanisms

6.4 Changes to Sub-processors

When the Processor intends to engage a new sub-processor:

• The Processor will inform the Controller in writing (via email to the account administrator) of the identity, function, and data processing location of the new sub-processor

• The Controller has 30 days to object to the change

• If no objection is received within 30 days, consent is deemed granted

• The Controller will not withhold consent on unreasonable grounds but may attach reasonable conditions

If the parties cannot agree on a new sub-processor, either party may terminate the Agreement with one month's notice.

6.5 Sub-processor Compliance

The Processor ensures that each sub-processor complies with this DPA and the Processor remains fully liable to the Controller for the sub-processor's performance.

7. Audit Rights

7.1 Regulatory Audits

The Processor acknowledges the audit powers of supervisory authorities, in particular the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The Processor will support the Controller in providing access for regulatory audits concerning personal data processed under this DPA.

7.2 Controller Audits

The Controller may verify compliance with this DPA through:

• Security questionnaires or documentation requests (at any reasonable time)

• Third-party audit reports or certifications provided by the Processor

• An independent audit (no more than once per calendar year)

7.3 Audit Process

For independent audits:

• The parties will jointly agree on the auditor and scope

• The audit shall not unreasonably disrupt the Processor's operations

• Audit costs are borne by the Controller, unless the audit reveals material non-compliance attributable to the Processor

• Each party bears its own personnel costs

7.4 Audit Results

The parties will discuss audit results. The Processor will implement reasonable recommendations within a mutually agreed timeframe.

8. Liability

Liability of the Processor for shortcomings in fulfilling obligations under this DPA or Applicable Privacy Law shall be governed by the liability provisions in the Terms of Service.

9. Governing Law and Jurisdiction

9.1 Governing Law

This DPA is governed by the laws of the Netherlands.

9.2 Jurisdiction

The courts of Amsterdam, the Netherlands, shall have exclusive jurisdiction over any disputes arising from this DPA, provided that the Controller may also bring proceedings before another competent Dutch court.

10. General Provisions

10.1 Amendments

This DPA may only be amended by explicit written agreement between the parties.

10.2 Conflict

In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

10.3 Duration

This DPA shall remain in effect for the duration of the Agreement and for as long as the Processor processes personal data on behalf of the Controller.

Contact

CNSDR
1098LG Amsterdam
The Netherlands

KvK: 88676471
Email: privacy@echovote.xyz

ADDENDUM I — List of Sub-processors

This addendum forms an integral part of the Data Processing Agreement.

The Processor uses the following sub-processors to provide the Services:

Google Cloud Platform (Google LLC)
Service: Cloud infrastructure, database (Firestore), authentication (Firebase Auth), file storage
Company Location: United States
Data Location: European Union (Netherlands, europe-west4)

Firebase (Google LLC)
Service: Authentication, real-time database, analytics
Company Location: United States
Data Location: European Union (Netherlands, europe-west4)

Vercel Inc.
Service: Website hosting, content delivery network, serverless functions
Company Location: United States
Data Location: European Economic Area (EEA) & United States (EU-US Data Privacy Framework)

Stripe Payments Europe, Limited
Service: Payment processing, subscription management
Company Location: Ireland
Data Location: European Economic Area (EEA)

Framer B.V.
Service: Marketing website hosting (echovote.xyz), visitor analytics
Company Location: Netherlands
Data Location: Global CDN (primary: EU nodes)

Brevo SAS
Service: Transactional and marketing email delivery, email analytics
Company Location: France
Data Location: European Union (France/Germany data centers)

Notes:

• Google Cloud Platform and Firebase are both operated by Google LLC; Firebase is listed separately for clarity

• Framer hosts only the marketing website (echovote.xyz), not the application

• The application (app.echovote.xyz and *.echovote.xyz) is hosted on Vercel

• All customer feedback data is stored in Firebase (EU region only)

• Brevo sends emails on behalf of EchoVote but does not control email content

• Stripe processes payment data and acts as both processor and controller for payment card information

• All US-based sub-processors (Google, Vercel) rely on EU-US Data Privacy Framework and Standard Contractual Clauses for data transfers

The Processor may update this list from time to time in accordance with Section 6.4 of this DPA.

ADDENDUM II — Processing of Personal Data

This addendum forms an integral part of the Data Processing Agreement.

Categories of Data Subjects

The following categories of data subjects are relevant to this DPA:

• Workspace administrators — Employees or representatives of the Controller who manage EchoVote workspaces

• Team members — Users invited by the Controller to access their workspace

• End-users — Individuals who submit feedback, vote, or comment on the Controller's feedback boards

Categories of Personal Data

The following categories of personal data are processed by EchoVote as Processor:

Account data: First name, last name, email address, profile picture (optional). Purpose: User authentication and identification.

Authentication data: Login credentials (hashed), OAuth tokens, session data. Purpose: Secure access to the Service.

Feedback content: Posts, comments, votes submitted by end-users. Purpose: Core functionality of the Service.

Usage data: IP address, browser type, device information, timestamps. Purpose: Security, fraud prevention, service improvement.

Special Categories of Data

The Processor does not intentionally collect or process special categories of personal data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR).

The Controller shall not submit special category data to the Service unless explicitly agreed in writing.

Processing Activities

Account creation
Description: Storing user credentials and profile information
Legal Basis (Controller): Contract performance

Authentication
Description: Verifying user identity for access
Legal Basis (Controller): Contract performance

Feedback collection
Description: Storing posts, votes, and comments from end-users
Legal Basis (Controller): Legitimate interest / Consent (Controller determines)

Analytics
Description: Aggregated, anonymized usage statistics
Legal Basis (Controller): Legitimate interest

Support
Description: Responding to user inquiries
Legal Basis (Controller): Contract performance

Retention Periods

Account data: Duration of account plus 30 days after deletion

Feedback content: Duration of workspace plus 30 days after termination

Usage logs: 90 days

Payment records: 7 years (legal requirement)

ADDENDUM III — Technical and Organisational Security Measures

This addendum forms an integral part of the Data Processing Agreement.

The Processor has implemented the following technical and organisational security measures to protect personal data:

Organisational Measures

Security responsibility: Security and privacy responsibilities are assigned to designated personnel.

Risk assessment: Regular assessment of risks related to personal data processing.

Security policies: Documented information security policies, reviewed and updated regularly.

Staff training: All personnel with access to personal data receive privacy and security awareness training.

Confidentiality agreements: All personnel have signed confidentiality agreements covering personal data.

Access control policy: Access to personal data is granted on a need-to-know basis and regularly reviewed.

Technical Measures

Encryption in transit: All data transmitted over networks is encrypted using TLS 1.2 or higher.

Encryption at rest: Personal data stored in databases is encrypted at rest.

Authentication: Strong authentication required for all system access; multi-factor authentication where available.

Password policy: Passwords must meet complexity requirements; stored using secure hashing algorithms.

Access logging: Access to systems containing personal data is logged and monitored.

Firewall protection: Network services are protected by firewalls with default-deny configuration.

Backup and recovery: Regular automated backups; recovery procedures tested periodically.

Incident response: Documented incident management process including response plans and communication procedures.

Infrastructure Security

Google Cloud Platform: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3

Vercel: SOC 2 Type II

Stripe Payments Europe, Limited: PCI DSS Level 1

Data Segregation

Customer data is logically separated using tenant identifiers. Each customer's data is isolated and not accessible to other customers.

Changes to Security Measures

The Processor may update these measures from time to time to adapt to the evolving security landscape. Material changes will be communicated to customers.

This Data Processing Agreement is effective as of 1 January 2026.