LAST UPDATED AT: MAR 13, 2026

Data Processing Agreement (DPA)

Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between ProcuHelp B.V., a private limited liability company incorporated under Dutch law and established in the Netherlands (“Processor” or “ProcuHelp”), and the customer entity entering into the ProcuHelp Terms and Conditions (“Controller” or “Client”).


This DPA applies where ProcuHelp processes personal data on behalf of the Client in connection with the Client’s use of the ProcuHelp platform (the “Platform”), including where that use is on a free Trial basis as defined in clause 10 of the Terms and Conditions.


“Client Data” has the meaning given in the Terms and Conditions: all data, content, documents, records, and files uploaded, entered, transmitted to, or generated within the Platform by or on behalf of the Client, including any personal data therein.

1. Scope and Purpose

This DPA applies to the processing of personal data carried out by ProcuHelp on behalf of the Client under the Terms and Conditions.

The purpose of processing is to provide the Platform, including:

  • Vendor and contact management

  • Contract storage, organisation, and lifecycle tracking

  • Renewal tracking and reminders

  • Purchase request and approval workflows

  • Audit logs and change tracking

  • Optional AI-assisted features (see Section 5)

  • Notifications and reporting


ProcuHelp shall process personal data solely:

  • On documented instructions from the Client;

  • In accordance with this DPA; and

  • In compliance with the GDPR and applicable EU and Dutch data protection law.

2. Roles of the Parties

The Client acts as data controller. ProcuHelp acts as data processor.


The Client determines:

  • The purposes of processing;

  • The categories of personal data uploaded; and

  • The legal basis for processing.


ProcuHelp does not determine the purposes or legal basis of Client Data processing.

3. Categories of Data and Data Subjects

3.1 Categories of Personal Data

Categories of personal data may include, depending on the Client’s use of the Platform:

  • Names

  • Business email addresses

  • Organisation names

  • Roles and permissions

  • Contract metadata

  • License data

  • Audit logs

  • Uploaded document content

  • Technical identifiers (IP addresses, session data)

3.2 Categories of Data Subjects

Categories of data subjects may include:

  • Client employees

  • Vendor representatives

  • Contractors

  • Other individuals whose data is included in uploaded documents


The Client confirms that it has a valid legal basis under Article 6 GDPR for all personal data uploaded to the Platform, including data uploaded during a Trial or evaluation period.

4. Processor Obligations

ProcuHelp shall process personal data only on documented instructions from the Client.

Ensure that personnel authorized to process personal data:

  • Are bound by confidentiality obligations

  • Receive appropriate data protection awareness


ProcuHelp shall Implement appropriate technical and organizational measures under Article 32 GDPR, including:

  • Encryption in transit and at rest

  • Role-based access control

  • Logical separation of customer environments

  • Logging of administrative access

  • Monitoring for suspicious activity


Not use Customer Data for:

  • Advertising

  • Profiling

  • Model training

  • Commercial resale

5. AI-Based Processing

If the Client enables an AI-assisted feature, ProcuHelp will process the relevant document or record content solely to produce the requested output (for example, metadata extraction, summarisation, risk classification, or anomaly detection). AI processing is performed via a third-party AI provider operating within the European Economic Area. The current AI provider is identified in Annex A to this DPA, consistent with clause 6.3 of the Terms and Conditions.


In all cases, document and record content processed by an AI feature:

  • Is processed within the European Economic Area;

  • Is processed transiently for the purpose of generating the requested output;

  • Is not used to train or fine-tune any foundation model operated by ProcuHelp or its AI provider; and

  • Is not reused by the AI provider for any purpose unrelated to providing the requested output.


AI features are optional and may be disabled by the Client at any time in Platform settings. The Client remains solely responsible for reviewing and validating AI-generated output before relying on it, consistent with clause 6.9 of the Terms and Conditions.

6. Subprocessors

The Client provides general authorisation for ProcuHelp to engage the Subprocessors listed in Annex A, and any additional Subprocessors engaged in accordance with this Section.


ProcuHelp shall:

  • Enter into written agreements with Subprocessors;

  • Impose data protection obligations on Subprocessors that are no less protective than those in this DPA; and

  • Ensure Subprocessors maintain appropriate security measures.


ProcuHelp shall notify the Client of any addition or replacement of a Subprocessor by updating Annex A and providing reasonable notice (at least 14 days, save in urgent security circumstances) before the new Subprocessor begins processing Client Data. The Client may object on reasonable data-protection grounds within that notice period; if the parties cannot resolve the objection, the Client may terminate the affected Service in accordance with the Terms and Conditions. A current Subprocessor list (Annex A) is available on request and is also referenced in clause 6.3 of the Terms and Conditions.

7. International Transfers

ProcuHelp does not transfer personal data outside the European Economic Area for the provision of the Platform. If a future transfer outside the EEA becomes necessary, ProcuHelp shall ensure appropriate safeguards under Chapter V GDPR, such as the European Commission’s standard contractual clauses or an applicable adequacy decision, before any such transfer takes place.

8. Security Measures

ProcuHelp maintains technical and organizational measures designed to protect personal data against:

  • Accidental or unlawful destruction

  • Loss

  • Alteration

  • Unauthorized disclosure

  • Unauthorized access


Measures include:

  • Encrypted backups

  • Access control policies

  • Infrastructure hosted in the EU (Frankfurt, Germany)

  • Network-level security controls

  • Incident response procedures

9. Assistance to Controller

Taking into account the nature of processing, ProcuHelp shall assist the Client by:

  • Providing information reasonably necessary to respond to data subject requests;

  • Supporting the Client’s compliance with Articles 32 to 36 GDPR where reasonably required; and

  • Providing breach notification without undue delay upon becoming aware of a personal data breach affecting Client Data.

10. Personal Data Breaches

In the event of a personal data breach affecting Client Data, ProcuHelp shall:

  • Notify the Client without undue delay;

  • Provide available information regarding the nature and impact of the breach; and

  • Cooperate in remediation.


The Client remains responsible for assessing its own notification obligations to supervisory authorities and data subjects.

11. Data Subject Requests

Where ProcuHelp receives a request from a data subject relating to Client Data, it shall:

  • Inform the Client without undue delay; and

  • Not respond directly to the data subject unless legally required to do so.


The Client is responsible for handling data subject requests relating to Client Data.

12. Audit and Compliance

ProcuHelp shall make available information reasonably necessary to demonstrate compliance with Article 28 GDPR. Audits shall:

  • Be conducted no more than once per calendar year, unless required more frequently by applicable law;

  • Be conducted at the Client’s expense;

  • Be limited to information directly relevant to the processing of Client Data;

  • Be subject to reasonable advance written notice of at least 30 days; and

  • Be conducted remotely unless otherwise required by law.


ProcuHelp may satisfy audit obligations by providing security documentation, compliance summaries, questionnaires, or third-party reports where appropriate. On-site audits are permitted only where legally required, subject to prior written agreement, strict confidentiality obligations, and safeguards to protect the security and confidentiality of other clients and the Platform.

13. Data Retention and Deletion

Upon termination, expiry, or non-renewal of the Client’s Subscription, or upon expiry or termination of a Trial in accordance with clause 10 of the Terms and Conditions:

  • The Client may request an export of Client Data within 14 days;

  • Client Data will be retained for a limited period, consistent with clause 6.8 of the Terms and Conditions (currently 30 days), to allow recovery; and

  • After that period, Client Data will be deleted or anonymised unless retention is required by law or necessary for the establishment, exercise, or defence of legal claims.


Backups are encrypted and retained for a limited rolling retention period, after which they are automatically overwritten or deleted in accordance with ProcuHelp’s infrastructure policies.

14. Liability

Each party’s liability under this DPA is subject to the limitation of liability provisions in the Terms and Conditions, including clause 13 (Limitation of Liability). For Trial accounts, the liability cap in clause 10.8 of the Terms and Conditions applies. Nothing in this DPA excludes liability that cannot be excluded under applicable law.

15. Term and Termination

This DPA remains in effect for as long as ProcuHelp processes personal data on behalf of the Client, including during any Trial period. Upon termination of the Terms and Conditions, this DPA automatically terminates, except for provisions that by their nature survive termination.

16. Governing Law

This DPA is governed by Dutch law and subject to the jurisdiction of the competent court in Rotterdam, the Netherlands.

17. Order of Precedence

In case of conflict between this DPA and the Terms and Conditions, this DPA prevails with respect to data protection matters.

Annex A — Subprocessors

Current Subprocessors

Subprocessor Function Processing location Category
Supabase Database, file storage, and application hosting EU — Frankfurt, Germany Infrastructure
Mailjet Transactional and notification email delivery EU Email delivery
Mistral AI AI-assisted contract and document processing (optional features only) EU AI processing
Stripe Payment processing and billing (paid Subscriptions only) EU Payment processing
DocuSign eSignature workflow (where enabled by the Client) EU eSignature

Last updated: June 2026  ·  Questions? privacy@procuhelp.com

Ready to take control of your procurement?

See how ProcuHelp gives your team complete visibility over every vendor, contract, license and renewal. Before anything costs you more than it should.

Procurement, made simple


ProcuHelp B.V.
Registration Number:
42008064

Copyright © ProcuHelp All rights reserved

Procurement, made simple


ProcuHelp B.V.
Registration Number:
42008064

Copyright © ProcuHelp All rights reserved

Procurement, made simple


ProcuHelp B.V.
Registration Number:
42008064

Copyright © ProcuHelp All rights reserved

Procurement, made simple


ProcuHelp B.V.
Registration Number:
42008064

Copyright © ProcuHelp All rights reserved