Data processing agreement

Version 1.3 – 19 August 2025

Disclaimer: This English version of the Data Processing Agreement is provided for convenience only. In the event of any inconsistency, ambiguity, or dispute between this English version and the Dutch original, the Dutch version shall prevail and be legally binding.

1. Introduction

This Data Processing Agreement (“Agreement”) is a legally binding document that forms an integral part of, and supplements, the existing agreement between Catcher24 B.V. (“Catcher24”) and the Client.
This Agreement concerns the services in which Catcher24, in the performance of its services, processes personal data on behalf of the Client (“Services”).

2. Definitions

The terms used in this Agreement shall have the same meaning as in the General Data Protection Regulation (GDPR) and in the existing agreement.
In the event of any conflict between this Agreement and the existing agreement, this Agreement shall prevail, unless mandatory legal provisions require otherwise.

3. Subject of Processing

Catcher24 shall process personal data solely on behalf of the Client (the organization receiving the Services) and in accordance with the purposes set out in this Agreement and in Annex 1.

Catcher24 acts as the Processor, while the Client acts as the Controller.
The nature, purposes, duration, and categories of processing are specified in Annex 1.
Processing shall take place only on the basis of the (written and/or digital) agreement with the Client, unless a legal obligation requires otherwise. In such case, Catcher24 shall inform the Client in advance, unless prohibited by law.

The personal data provided by the Controller (Client) to Catcher24 must:

a. be lawfully obtained and lawfully shared with Catcher24;
b. be accurate and up to date;
c. be sufficiently communicated to data subjects regarding the processing activities.

4. Obligations of Catcher24

Catcher24 shall implement appropriate technical and organizational measures to protect personal data against loss, destruction, alteration, or unauthorized access (see also Annex 2).

Data Breaches:
Catcher24 shall notify the Client without undue delay, and no later than 72 hours, of any personal data breach and shall fully cooperate in handling such incident, including any notifications to supervisory authorities and/or data subjects.

Data Subject Rights:
Catcher24 shall assist the Client in handling requests from data subjects regarding access, rectification, erasure, or portability of their data.

Sub-processors:
Catcher24 shall inform the Client as soon as possible of the engagement of any new sub-processor. The Client has the right to object within a reasonable period. Catcher24 shall ensure that sub-processors are bound by the same obligations as those set out in this Agreement.

Processing on Instruction Only:
Catcher24 shall process personal data solely in accordance with the written instructions and purposes agreed with the Client.

Confidentiality:
Catcher24 shall ensure that employees and third parties who have access to personal data are bound by an appropriate duty of confidentiality.

Audits:
Catcher24 shall allow the Client (or an independent third party appointed by the Client) to carry out audits to verify compliance with this Agreement.

Support with DPIAs:
Catcher24 shall, upon request, assist the Client in carrying out a Data Protection Impact Assessment (DPIA) and, if necessary, in consultations with the supervisory authority.

5. International Transfers of Personal Data

If personal data are processed outside the European Economic Area (EEA), Catcher24 shall ensure that an adequate level of protection is guaranteed in accordance with Chapter V GDPR.

This may include the use of Standard Contractual Clauses (SCCs) approved by the European Commission or other lawful transfer mechanisms.

Catcher24 shall inform the Client if such transfer takes place or is intended to take place.

6. Use of Sub-processors

The Client grants Catcher24 permission to engage the sub-processors listed in Annex 1.

If Catcher24 intends to engage a new sub-processor or replace an existing one, it shall notify the Client in a timely manner via the usual (digital) communication channels. The Client has the right to object within a reasonable period.

Catcher24 shall ensure that each sub-processor is bound by the same obligations as set out in this Agreement, particularly regarding data protection and security.

If no resolution is reached following an objection, the Client shall have the right to terminate the agreement for that part of the Services involving the sub-processor concerned.

7. Termination and Deletion of Data

Upon termination of the Services or at the Client’s request, Catcher24 shall securely delete all personal data, unless a legal obligation requires the data to be retained.

The obligations of this Agreement shall remain in effect after termination insofar as necessary to ensure compliance with the GDPR.

8. Governing Law and Disputes

This Agreement shall be governed by and construed in accordance with the laws of the Netherlands.

Any disputes arising from or in connection with this Agreement shall be submitted to the competent court in Amsterdam.

Annex 1: Description of Processing

Catcher24 processes personal data solely for the purpose of delivering the agreed Services to the Client and for no other purpose.

Types of Personal Data: Name, email address, language, IP address, location data, and payment details.

Retention Period: Data are retained for as long as required by the Client under the agreement and shall be deleted only upon the Client’s written request.

Categories of Data Subjects: Employees of Catcher24 and its group companies, as well as third parties authorized by the Client.

| Service             | Sub-processor | Description                      | Country |
|---------------------|---------------|----------------------------------|---------|
| Network             | PeakFactory   | Secure network connections       | NL      |
| Hosting             | Triplinq      | Virtual server infrastructure    | NL      |
| Endpoint Security   | Triplinq      | Endpoint security services       | NL      |
| Phishing Services   | Phished       | Phishing simulation and training | BE      |
| Payment Processing  | Stripe        | Invoicing and payment            | IE      |
| CRM                 | Odoo          | CRM / ERP                        | NL      |
| Accounting Software | Exact         | Accounting and reporting         | BE      |

Annex 2 – Security Measures

Catcher24 has implemented the following security measures:

  • Encryption: SSL encryption on all interfaces and connections.

  • Access Control: Password policy, multi-factor authentication (MFA), and role-based user authorization models.

  • Network Security: Firewall rules and intrusion detection mechanisms.

  • Backup: On-site and off-site backups.

  • Incident Management: Log registration and procedures for reporting security incidents.

  • Physical Security: Data centers certified under ISO 27001 and SOC 2 Type II.

For requests to exercise data subject rights, please clearly indicate which right you wish to exercise.

Questions regarding this Agreement: legal@catcher24.com