LAST UPDATED AT: MAR 13, 2026
Data Processing Agreement (DPA)
Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between ProcuHelp B.V., a private limited liability company incorporated under Dutch law and established in the Netherlands (“Processor” or “ProcuHelp”), and the customer entity entering into the ProcuHelp Terms and Conditions (“Controller” or “Client”).
This DPA applies where ProcuHelp processes personal data on behalf of the Client in connection with the Client’s use of the ProcuHelp platform (the “Platform”), including where that use is on a free Trial basis as defined in clause 10 of the Terms and Conditions.
“Client Data” has the meaning given in the Terms and Conditions: all data, content, documents, records, and files uploaded, entered, transmitted to, or generated within the Platform by or on behalf of the Client, including any personal data therein.
1. Scope and Purpose
This DPA applies to the processing of personal data carried out by ProcuHelp on behalf of the Client under the Terms and Conditions.
The purpose of processing is to provide the Platform, including:
Vendor and contact management
Contract storage, organisation, and lifecycle tracking
Renewal tracking and reminders
Purchase request and approval workflows
Audit logs and change tracking
Optional AI-assisted features (see Section 5)
Notifications and reporting
ProcuHelp shall process personal data solely:
On documented instructions from the Client;
In accordance with this DPA; and
In compliance with the GDPR and applicable EU and Dutch data protection law.
2. Roles of the Parties
The Client acts as data controller. ProcuHelp acts as data processor.
The Client determines:
The purposes of processing;
The categories of personal data uploaded; and
The legal basis for processing.
ProcuHelp does not determine the purposes or legal basis of Client Data processing.
3. Categories of Data and Data Subjects
3.1 Categories of Personal Data
Categories of personal data may include, depending on the Client’s use of the Platform:
Names
Business email addresses
Organisation names
Roles and permissions
Contract metadata
License data
Audit logs
Uploaded document content
Technical identifiers (IP addresses, session data)
3.2 Categories of Data Subjects
Categories of data subjects may include:
Client employees
Vendor representatives
Contractors
Other individuals whose data is included in uploaded documents
The Client confirms that it has a valid legal basis under Article 6 GDPR for all personal data uploaded to the Platform, including data uploaded during a Trial or evaluation period.
4. Processor Obligations
ProcuHelp shall process personal data only on documented instructions from the Client.
Ensure that personnel authorized to process personal data:
Are bound by confidentiality obligations
Receive appropriate data protection awareness
ProcuHelp shall Implement appropriate technical and organizational measures under Article 32 GDPR, including:
Encryption in transit and at rest
Role-based access control
Logical separation of customer environments
Logging of administrative access
Monitoring for suspicious activity
Not use Customer Data for:
Advertising
Profiling
Model training
Commercial resale
5. AI-Based Processing
If the Client enables an AI-assisted feature, ProcuHelp will process the relevant document or record content solely to produce the requested output (for example, metadata extraction, summarisation, risk classification, or anomaly detection). AI processing is performed via a third-party AI provider operating within the European Economic Area. The current AI provider is identified in Annex A to this DPA, consistent with clause 6.3 of the Terms and Conditions.
In all cases, document and record content processed by an AI feature:
Is processed within the European Economic Area;
Is processed transiently for the purpose of generating the requested output;
Is not used to train or fine-tune any foundation model operated by ProcuHelp or its AI provider; and
Is not reused by the AI provider for any purpose unrelated to providing the requested output.
AI features are optional and may be disabled by the Client at any time in Platform settings. The Client remains solely responsible for reviewing and validating AI-generated output before relying on it, consistent with clause 6.9 of the Terms and Conditions.
6. Subprocessors
The Client provides general authorisation for ProcuHelp to engage the Subprocessors listed in Annex A, and any additional Subprocessors engaged in accordance with this Section.
ProcuHelp shall:
Enter into written agreements with Subprocessors;
Impose data protection obligations on Subprocessors that are no less protective than those in this DPA; and
Ensure Subprocessors maintain appropriate security measures.
ProcuHelp shall notify the Client of any addition or replacement of a Subprocessor by updating Annex A and providing reasonable notice (at least 14 days, save in urgent security circumstances) before the new Subprocessor begins processing Client Data. The Client may object on reasonable data-protection grounds within that notice period; if the parties cannot resolve the objection, the Client may terminate the affected Service in accordance with the Terms and Conditions. A current Subprocessor list (Annex A) is available on request and is also referenced in clause 6.3 of the Terms and Conditions.
7. International Transfers
ProcuHelp does not transfer personal data outside the European Economic Area for the provision of the Platform. If a future transfer outside the EEA becomes necessary, ProcuHelp shall ensure appropriate safeguards under Chapter V GDPR, such as the European Commission’s standard contractual clauses or an applicable adequacy decision, before any such transfer takes place.
8. Security Measures
ProcuHelp maintains technical and organizational measures designed to protect personal data against:
Accidental or unlawful destruction
Loss
Alteration
Unauthorized disclosure
Unauthorized access
Measures include:
Encrypted backups
Access control policies
Infrastructure hosted in the EU (Frankfurt, Germany)
Network-level security controls
Incident response procedures
9. Assistance to Controller
Taking into account the nature of processing, ProcuHelp shall assist the Client by:
Providing information reasonably necessary to respond to data subject requests;
Supporting the Client’s compliance with Articles 32 to 36 GDPR where reasonably required; and
Providing breach notification without undue delay upon becoming aware of a personal data breach affecting Client Data.
10. Personal Data Breaches
In the event of a personal data breach affecting Client Data, ProcuHelp shall:
Notify the Client without undue delay;
Provide available information regarding the nature and impact of the breach; and
Cooperate in remediation.
The Client remains responsible for assessing its own notification obligations to supervisory authorities and data subjects.
11. Data Subject Requests
Where ProcuHelp receives a request from a data subject relating to Client Data, it shall:
Inform the Client without undue delay; and
Not respond directly to the data subject unless legally required to do so.
The Client is responsible for handling data subject requests relating to Client Data.
12. Audit and Compliance
ProcuHelp shall make available information reasonably necessary to demonstrate compliance with Article 28 GDPR. Audits shall:
Be conducted no more than once per calendar year, unless required more frequently by applicable law;
Be conducted at the Client’s expense;
Be limited to information directly relevant to the processing of Client Data;
Be subject to reasonable advance written notice of at least 30 days; and
Be conducted remotely unless otherwise required by law.
ProcuHelp may satisfy audit obligations by providing security documentation, compliance summaries, questionnaires, or third-party reports where appropriate. On-site audits are permitted only where legally required, subject to prior written agreement, strict confidentiality obligations, and safeguards to protect the security and confidentiality of other clients and the Platform.
13. Data Retention and Deletion
Upon termination, expiry, or non-renewal of the Client’s Subscription, or upon expiry or termination of a Trial in accordance with clause 10 of the Terms and Conditions:
The Client may request an export of Client Data within 14 days;
Client Data will be retained for a limited period, consistent with clause 6.8 of the Terms and Conditions (currently 30 days), to allow recovery; and
After that period, Client Data will be deleted or anonymised unless retention is required by law or necessary for the establishment, exercise, or defence of legal claims.
Backups are encrypted and retained for a limited rolling retention period, after which they are automatically overwritten or deleted in accordance with ProcuHelp’s infrastructure policies.
14. Liability
Each party’s liability under this DPA is subject to the limitation of liability provisions in the Terms and Conditions, including clause 13 (Limitation of Liability). For Trial accounts, the liability cap in clause 10.8 of the Terms and Conditions applies. Nothing in this DPA excludes liability that cannot be excluded under applicable law.
15. Term and Termination
This DPA remains in effect for as long as ProcuHelp processes personal data on behalf of the Client, including during any Trial period. Upon termination of the Terms and Conditions, this DPA automatically terminates, except for provisions that by their nature survive termination.
16. Governing Law
This DPA is governed by Dutch law and subject to the jurisdiction of the competent court in Rotterdam, the Netherlands.
17. Order of Precedence
In case of conflict between this DPA and the Terms and Conditions, this DPA prevails with respect to data protection matters.
Annex A — Subprocessors
Current Subprocessors
| Subprocessor | Function | Processing location | Category |
|---|---|---|---|
| Supabase | Database, file storage, and application hosting | EU — Frankfurt, Germany | Infrastructure |
| Mailjet | Transactional and notification email delivery | EU | Email delivery |
| Mistral AI | AI-assisted contract and document processing (optional features only) | EU | AI processing |
| Stripe | Payment processing and billing (paid Subscriptions only) | EU | Payment processing |
| DocuSign | eSignature workflow (where enabled by the Client) | EU | eSignature |
Last updated: June 2026 · Questions? privacy@procuhelp.com
Ready to take control of your procurement?
See how ProcuHelp gives your team complete visibility over every vendor, contract, license and renewal. Before anything costs you more than it should.
