Data Processing Agreement 

Originally issued: 24 May 2025
Version: 2.0
Effective Date: 19 February 2026
Last Updated: 19 February 2026

This Agreement replaces all previous versions from its Effective Date onward.

For The People B.V.
Registered office: Amersfoort, The Netherlands
Chamber of Commerce (KvK) number: 94210020
VAT number: NL866681504B01
Email: support@startwithftp.com

1. Introduction

This Data Processing Agreement ("Agreement") is entered into between For The People B.V. ("Controller") and the undersigned Processor in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), governing the protection and processing of personal data.

2. Definitions

Unless otherwise defined herein, terms used in this Agreement shall have the meaning assigned to them under the GDPR.

- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, such as collection, use, storage, or erasure.
- Data Controller: The party that determines the purpose and means of processing personal data.
- Data Processor: The party that processes personal data on behalf of the Data Controller.

3. Purpose and Scope

This DPA applies to the processing of personal data for the provision of digital education services, subscription management, customer support, and related operations by the Data Processor.

4. Obligations of the Data Processor

The Data Processor agrees to:
- Process personal data only on documented instructions from the Data Controller;
- Ensure personnel confidentiality;
- Implement technical and organizational security measures;
- Notify the Data Controller of any personal data breach without undue delay;
- Cooperate in fulfilling data subject rights;
- Delete or return personal data upon contract termination;
- Not engage sub-processors without prior written authorization.

5. Obligations of the Data Controller

The Data Controller will:
- Provide clear and lawful processing instructions;
- Ensure the lawfulness of processing and legal basis;
- Respond to data subjects' requests in accordance with GDPR.

6. Sub-Processors

The Data Processor may not subcontract processing activities without prior written approval from the Data Controller. Approved sub-processors shall be contractually bound by obligations equivalent to this DPA.

7. Security Measures

The Data Processor shall implement industry-standard security measures, including encryption, access control, pseudonymization, and disaster recovery protocols.

8. Data Subject Rights

The Data Processor shall promptly assist the Data Controller in responding to data subject requests, including access, rectification, erasure, restriction, portability, and objection.

9. Breach Notification

Any personal data breach must be reported to the Data Controller immediately upon becoming aware, with relevant details and remediation efforts without undue delay and, where feasible, no later than 24 hours after becoming aware of the breach.

10. Audit and Inspection

The Data Controller or a designated auditor may, upon reasonable notice, audit the Data Processor’s compliance with this DPA during normal business hours.

11. Liability and Indemnification

Both parties shall remain liable for damages resulting from their own breach of applicable data protection laws, including the GDPR. The Data Processor shall indemnify the Controller for losses caused by unauthorized processing.

12. Governing Law

This Data Processing Agreement shall be governed by Dutch law.

Any disputes arising out of or in connection with this Agreement shall be submitted to the competent court in the Netherlands.

13. Contact

For data protection-related inquiries:
General: info@startwithftp.com
Support: support@startwithftp.com
Complaints: complaints@startwithftp.com