Data Processing Agreement
Last updated: March 13, 2026
1. Scope and Applicability
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Widgets PRO B.V. ("Processor") and the customer ("Controller") and applies when the Processor processes personal data on behalf of the Controller in the course of providing the Service. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Supervisory Authority" have the meanings given to them in the GDPR. "Service" refers to the Widgets PRO platform and related services as described in the Terms of Service.
3. Subject Matter and Duration
The Processor processes Personal Data for the purpose of providing the Service to the Controller. Processing will continue for the duration of the Terms of Service and will cease upon termination, subject to any legal retention obligations. The types of Personal Data processed include: user names, email addresses, IP addresses, dashboard content, usage data, and any other data uploaded by the Controller to the Service.
4. Obligations of the Processor
The Processor shall: • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law. • Ensure that persons authorized to process Personal Data have committed to confidentiality. • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR). • Not engage another processor without prior written authorization of the Controller. A list of approved sub-processors is available at widgets.pro/subprocessors. • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability). • Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR. • Delete or return all Personal Data to the Controller at the end of the service, unless retention is required by law. • Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-processors
The Controller authorizes the Processor to engage the sub-processors listed at widgets.pro/subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object. The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
6. International Transfers
The Processor shall not transfer Personal Data outside the EEA unless adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the recipient country has received an adequacy decision.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable notice and during normal business hours.
9. Termination
Upon termination of the Terms of Service, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless EU or Member State law requires storage. The Controller may export their data at any time during the term of the Service.
10. Contact
For questions regarding this DPA, contact our Data Protection Officer at [email protected] or write to Widgets PRO B.V., Attn: DPO, Keizersgracht 520, 1017 EK Amsterdam, Netherlands.