What's Next
|
Legal

Data Processing Agreement

Last updated: 3 July 2025

This Data Processing Agreement (“DPA”) binds the Controllerthe natural person or legal entity procuring services from What’s Next B.V. and qualifying as a GDPR controller, and What’s Next B.V. (Hanzeweg 1C, 7418 AW Deventer, Dutch Chamber of Commerce #97668222), acting as the Processor. It forms part of the main agreement between the parties.

Article 1: Definitions

  • Personal Data: information relating to identified or identifiable persons.
  • Processing: any operation performed on Personal Data, whether automated or otherwise.
  • Data Subject: the natural person to whom the Personal Data relates.
  • Sub-processor: a third party engaged by the Processor to process Personal Data.
  • Data Breach: a security breach causing destruction, loss, alteration, or unauthorised disclosure of or access to Personal Data.
  • AI Systems: the technical systems, models and automation solutions developed by the Processor.

Article 2: Assignment & Scope

The Processor handles Personal Data solely in accordance with the Controller’s written instructions and for the purposes of the main agreement. The Processor has no independent authority over the purposes or means of processing, disclosure to third parties, or retention decisions.

Article 3: Processing Purposes

Data processing supports performance of the agreement: AI services, technical support, automation and optimisation of processes, and compliance with legal obligations.

Article 4: Personal Data Categories

  • Contact details (name, address, email, phone)
  • Technical data (IP addresses, browser information)
  • Login credentials
  • AI log data

Article 5: Sub-processors & Transfers

Sub-processors must be located within the EEA. Transfers outside the EEA require the Controller’s written consent and adequate protection (an adequacy decision or standard contractual clauses). The Processor provides an overview of sub-processors on request.

Article 6: Security Measures

The Processor shall take appropriate technical and organisational security measures to protect Personal Data against loss or any form of unlawful processing. Measures include encryption, access controls, and pseudonymisation, and are evaluated periodically.

Article 7: Data Breach Notification

The Processor notifies the Controller within 24 hours after discovery of a breach, providing its nature, the affected data and individuals, the consequences, and the remedial measures taken. A breach register is maintained and shared on request.

Article 8: Data Subject Rights

The Processor promptly forwards GDPR rights requests (access, rectification, deletion, portability) to the Controller and cooperates with the Controller’s reasonable instructions in responding to them.

Article 9: Inspection & Audits

The Controller may audit compliance once a year via an independent third party. Audits are announced in advance, non-disruptive, and subject to confidentiality. The Controller bears the costs of the audit.

Article 10: Liability

The Processor’s liability for direct damages is capped at the amount paid by the Controller to the Processor in the twelve (12) months preceding the event. The Processor is not liable for indirect damages, lost profits, data loss, regulatory fines, or reputational harm.

Article 11: AI Systems Ownership

After full payment, the AI Systems transfer to the Controller. Prior to payment, the Controller holds a temporary, non-transferable right of use. The Processor retains its generic components and methodologies. Source code, documentation and configurations transfer within thirty (30) days after completion.

Article 12: Confidentiality

The parties maintain confidentiality for information shared between them, except where disclosure is legally required or consented to. This obligation persists for three (3) years after termination.

Article 13: Term & Termination

This DPA runs from the start of the assignment for as long as the Processor provides services. On termination, the Processor deletes or returns Personal Data unless a legal retention obligation applies.

Article 14: Governing Law

Dutch law governs this DPA exclusively. Disputes shall be submitted to the competent court in Amsterdam.

Contact

For questions about this Data Processing Agreement, email us at hello@whatsnext-ai.com. What’s Next AI is part of Eager and based in the Netherlands.

Data Processing Agreement | What's Next