Data Processing Agreement
Effective date: [date]
Moonlight Array B.V.
This Data Processing Agreement complies with Article 28 of Regulation (EU) 2016/679 (GDPR) and Commission Implementing Decision (EU) 2021/915 (Standard Contractual Clauses for controllers and processors).
Draft pending legal review
This document is a starting point for legal review, not legal advice. It should be reviewed by a qualified Dutch/EU technology lawyer before publication. Bracketed items [like this] must be completed before use.
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement ("Agreement") between Moonlight Array B.V., registered at [address], Chamber of Commerce number [KvK number] ("Processor"), and the customer identified in the Agreement ("Customer", "Controller"). This DPA applies to the processing of Personal Data by Processor on behalf of Controller in connection with the provision of AIDO (the "Service"). In this DPA, "Personal Data", "Controller", "Processor", "Processing", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.
2. Roles and Responsibilities
For Personal Data that Processor processes on behalf of Controller through the Service ("Customer Personal Data"), Controller determines the purposes and means of processing. Processor processes Customer Personal Data only on documented instructions from Controller, as described in this DPA. Controller is responsible for ensuring that: (a) it has a lawful basis for providing Customer Personal Data to Processor; (b) it has provided required notices to data subjects; (c) it has obtained required consents where applicable; and (d) its instructions to Processor are lawful under applicable data protection law.
Where Controller acts as a processor on behalf of another controller (the "End Controller"), Controller warrants that it has obtained the End Controller's authorisation to appoint Processor as a sub-processor and that the processing instructions reflect the End Controller's requirements.
3. Processing Instructions
Controller instructs Processor to process Customer Personal Data to:
- provide, operate, secure, maintain, and support the Service;
- provision and manage Hosted Instances;
- enable Agents, workflows, integrations, APIs, and connected tools as configured by Controller;
- process inputs, outputs, logs, files, credentials, and configurations as directed by Controller through the Service;
- prevent, detect, and investigate abuse, security incidents, and policy violations;
- comply with applicable law and respond to lawful requests from competent authorities.
The Agreement, this DPA, Controller's use of the Service, Controller's support requests, and Controller's configuration of Agents, integrations, and settings constitute documented instructions. Additional instructions require written agreement between the parties. If Processor reasonably believes that an instruction infringes the GDPR or other applicable EU or Dutch data protection law, Processor will inform Controller without undue delay, unless prohibited by law from doing so.
4. Confidentiality
Processor will ensure that persons authorised to process Customer Personal Data are bound by contractual confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Processor will ensure that access to Customer Personal Data is limited to personnel who need access to perform obligations under the Agreement.
5. Security Measures (Article 32 GDPR)
Processor will implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, as appropriate:
- pseudonymisation and encryption of Personal Data (including encryption in transit using TLS and encryption at rest where appropriate);
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Specific security measures are described in Annex 2. Controller acknowledges that security measures may evolve over time to reflect technological advances and changing threat landscapes, provided the overall level of protection is not materially reduced.
6. Sub-processors
Controller grants Processor general authorisation to engage sub-processors to process Customer Personal Data in connection with the Service. A current list of sub-processors is available at our Subprocessors page. Processor will: (a) impose data protection obligations on each sub-processor by contract that are no less protective than those in this DPA, to the extent applicable to the services provided by the sub-processor; and (b) remain liable to Controller for the acts and omissions of its sub-processors to the same extent Processor would be liable if performing the processing directly, subject to the limitation of liability in the Agreement.
Processor will notify Controller of any intended addition or replacement of sub-processors by email or dashboard notification at least [30] days before the new sub-processor begins processing Customer Personal Data, unless urgent replacement is necessary for security, continuity, or legal reasons, in which case Processor will provide notice as soon as practicable. Controller may object to a new sub-processor on reasonable and substantiated data-protection grounds by notifying Processor in writing within the notice period. The parties will discuss the objection in good faith. If no resolution can be reached, Controller may terminate the affected Service component by providing written notice, without penalty, effective from the date the new sub-processor would begin processing.
7. International Transfers
Processor may transfer Customer Personal Data outside the EEA only where permitted by Chapter V of the GDPR and subject to appropriate safeguards, which may include: (a) an adequacy decision by the European Commission (Article 45 GDPR); (b) Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914), with the applicable module selected based on the roles of the exporter and importer; (c) supplementary technical and organisational measures where required by the Transfer Impact Assessment; (d) binding corporate rules approved by a competent supervisory authority (Article 47 GDPR); (e) the EU-U.S. Data Privacy Framework or successor framework, where the recipient is a certified participant.
Where Standard Contractual Clauses are required and not already incorporated, the parties agree that the applicable SCCs (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable) are hereby incorporated by reference. Annex 3 contains the SCC-specific details required to complete the SCCs.
8. Assistance to Controller
Taking into account the nature of processing and information available to Processor, Processor will provide reasonable assistance to Controller with: (a) responding to data subject requests to exercise their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, and automated decision-making); (b) Controller's obligations under Articles 32 to 36 of the GDPR, including security obligations, Personal Data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities; (c) demonstrating compliance with the obligations set out in Article 28 of the GDPR.
If Processor receives a data subject request relating to Customer Personal Data, Processor will promptly redirect the data subject to Controller or notify Controller of the request, unless Processor is legally required to respond directly. Processor may charge reasonable fees for assistance beyond what is strictly necessary under the GDPR, based on documented time and materials, notified to Controller in advance.
9. Personal Data Breach Notification
Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Processor will use commercially reasonable efforts to provide initial notification within [48/72] hours of confirmed awareness. The notification will include, to the extent available at the time of notification:
- a description of the nature of the breach, including where possible the categories and approximate number of data subjects and Personal Data records concerned;
- the name and contact details of the Processor's point of contact;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Where it is not possible to provide all information at the same time, information may be provided in phases without undue delay. Processor will cooperate with Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. Processor's notification of a Personal Data Breach does not constitute an acknowledgement of fault or liability.
10. Audit Rights
Processor will make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by Controller or a qualified, independent auditor mandated by Controller. Controller or its auditor will: (a) provide at least [30] days' prior written notice of an audit; (b) conduct audits during normal business hours and in a manner that minimises disruption to Processor's operations; (c) comply with Processor's reasonable security and confidentiality requirements; and (d) bear the costs of the audit.
Processor may object to an auditor on reasonable grounds (for example, if the auditor is a competitor of Processor) and request that Controller appoint a different auditor. Where Processor has obtained relevant third-party certifications, audit reports (such as SOC 2 Type II or ISO 27001), or other compliance documentation, Processor may provide these to Controller as an alternative to on-site audits for routine compliance verification, provided that Controller retains the right to conduct or commission an on-site audit where it has specific, substantiated concerns. Audits are limited to [one] per calendar year unless Controller has specific, documented concerns about non-compliance or a Personal Data Breach has occurred.
11. Deletion and Return of Customer Personal Data
Upon termination of the Agreement, Processor will, at Controller's choice, delete or return all Customer Personal Data and delete existing copies, unless EU or Dutch law requires retention. Processor will provide Controller with a reasonable data-export period of at least [30] days after termination to retrieve Customer Personal Data through the Service's export functionality. After the data-export period, Processor will delete Customer Personal Data from active systems within [90] days and from backup systems according to Processor's backup rotation schedule, unless retention is required by law. Processor will certify deletion upon Controller's written request.
12. Duration
This DPA is effective for the duration of the Agreement and will automatically terminate when the Agreement terminates, subject to Processor's obligations regarding deletion and return of Customer Personal Data.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of the Netherlands. Disputes arising from this DPA will be resolved in accordance with the dispute-resolution clause in the Agreement. This clause does not affect the competences of data protection supervisory authorities under the GDPR.
Annex 1: Details of Processing
Complete this annex for each customer or customer category.
- Subject matter of processing: Provision of AIDO, including hosted infrastructure, agent provisioning, workflow execution, integrations, and related services.
- Duration of processing: For the duration of the Agreement between Controller and Processor, plus any retention period required for deletion and backup rotation.
- Nature of processing: Storage, computation, transmission, retrieval, organisation, structuring, adaptation, erasure, and destruction as necessary to provide the Service and fulfil Controller's documented instructions.
- Purpose of processing: Enabling Controller to deploy and operate AI agents, automate workflows, connect third-party services, and process data through the Service.
- Categories of data subjects: [To be completed by Controller — may include: employees, customers, contacts, website visitors, end users, suppliers, business partners, or other individuals whose data is processed by Controller's Agents.]
- Categories of Personal Data: [To be completed by Controller — may include: names, email addresses, phone numbers, IP addresses, account identifiers, messages, files, calendar data, browsing data, financial data, health data, or other data depending on Controller's Agent configuration and connected services.]
- Special categories of data (Article 9 GDPR): [To be completed by Controller — identify whether special-category data will be processed. If yes, specify the categories and the lawful basis under Article 9(2) GDPR.]
Annex 2: Technical and Organisational Security Measures
Processor implements the following categories of security measures. Specific measures may be updated over time to reflect evolving standards and threats.
- Access control: Role-based access control, multi-factor authentication for administrative access, principle of least privilege, regular access reviews, and prompt deprovisioning of terminated personnel.
- Encryption: TLS 1.2+ for data in transit. Encryption at rest for storage systems containing Customer Personal Data, using industry-standard algorithms (AES-256 or equivalent).
- Network security: Firewalls, network segmentation, intrusion detection, DDoS mitigation, and secure configuration of Hosted Instances.
- Monitoring and logging: Centralised logging of security-relevant events, automated alerting for anomalous activity, and log retention for security investigations.
- Vulnerability management: Regular vulnerability scanning, timely patching of critical vulnerabilities, and penetration testing [annually / as appropriate].
- Incident response: Documented incident-response plan, designated incident-response team, regular testing of response procedures, and post-incident review.
- Business continuity: Regular backups, tested restoration procedures, and disaster-recovery planning.
- Personnel security: Background checks where permitted by law, confidentiality agreements, security awareness training, and separation of duties.
- Physical security: Reliance on data-centre providers' physical security measures (access control, surveillance, environmental controls). Processor selects data-centre providers with appropriate certifications (e.g., ISO 27001, SOC 2).
- Vendor management: Due diligence on sub-processors, contractual data protection obligations, and periodic review of sub-processor security posture.
Annex 3: Standard Contractual Clauses — Transfer Details
Complete this annex only if Customer Personal Data is transferred outside the EEA and Standard Contractual Clauses are required.
- Applicable SCC module: [Module 2: Controller to Processor / Module 3: Processor to Processor — select as applicable]
- Data exporter: Controller (identified in the Agreement).
- Data importer: Processor (Moonlight Array B.V.) or its sub-processors, as identified in the sub-processor list.
- Competent supervisory authority (Clause 13): The Autoriteit Persoonsgegevens (Dutch Data Protection Authority), or the supervisory authority of the Controller's establishment if different.
- Governing law of SCCs (Clause 17): The laws of the Netherlands.
- Forum for disputes (Clause 18): The courts of [Amsterdam / Arnhem], the Netherlands.
- Description of transfer: As described in Annex 1.
- Transfer Impact Assessment: The parties will conduct a Transfer Impact Assessment where required, taking into account the laws of the country of destination, the nature of the data transferred, and the supplementary measures in place.
[Attach or reference the full text of the applicable SCCs from Commission Implementing Decision (EU) 2021/914 as needed.]