This Data Processing Agreement (DPA) applies whenever Next Shape processes personal data on behalf of a client in the context of its services.
A. Client purchases services from Next Shape (including AI agents, automations, integrations, custom software, and support).
B. For the execution thereof, Next Shape may process personal data on behalf of Client.
C. Parties wish to lay down their agreements in accordance with Article 28 GDPR.
Parties agree as follows.
1.1 GDPR: Regulation (EU) 2016/679.
1.2 Personal Data, Processing, Data Subject, Personal Data Breach (Data Breach): as defined in the GDPR.
1.3 Main Agreement: the agreement (incl. SOW/quote/work arrangements) between Parties to which this DPA relates.
1.4 Sub-processor: third party engaged by Next Shape for (part of) the Processing.
1.5 Project Data: data (incl. personal data) provided by Client or processed within the services, including CRM/sales/operational data, client communication, support tickets, AI logs, and automation data.
2.1 This DPA applies to all Processing by Next Shape as Processor in the context of the Main Agreement.
2.2 The duration of this DPA runs parallel to the Main Agreement and/or as long as Next Shape processes personal data on behalf of Client.
2.3 Details on categories of data subjects, types of personal data, purposes, and processing operations are set out in Annex 1 (Processing Details).
3.1 Client is (usually) the data controller and determines the purpose and means of the Processing; Next Shape processes solely on behalf of Client.
3.2 Next Shape processes personal data solely based on documented instructions from Client, including transfers to a third country, unless required by Union or Member State law to which Next Shape is subject; in such a case, Next Shape informs Client beforehand (unless prohibited by law).
3.3 If Next Shape believes an instruction violates the GDPR or other data protection legislation, Next Shape informs Client and may suspend execution until Parties reach written agreement.
4.1 Next Shape ensures that persons authorized to process personal data (i) are bound by confidentiality or (ii) have an appropriate statutory obligation of confidentiality.
4.2 Access to personal data is restricted to what is necessary (“least privilege”).
5.1 Next Shape takes appropriate technical and organizational measures (TOMs) to secure personal data against loss and unlawful processing, taking into account the state of the art, costs of implementation, and risks.
5.2 The TOMs are described in Annex 2 (Security Measures) and can be adjusted if reasonably necessary for security, stability, or compliance, provided the level of protection is not materially reduced.
6.1 Client gives Next Shape general permission to engage Sub-processors for the execution of the services, provided Next Shape (i) applies appropriate due diligence and (ii) enters into written obligations with the Sub-processor that are materially no less protective than this DPA.
6.2 Next Shape maintains an (up-to-date) list of Sub-processors in Annex 3 (Sub-processor List). Next Shape informs Client in advance of material changes (addition/replacement) where reasonably possible. Client may object with grounds within 14 days; if Parties find no solution, Client may terminate the part of the services dependent on the new Sub-processor, with compensation for work already performed.
6.3 Next Shape remains fully responsible to Client for performance by Sub-processors.
7.1 Some service providers may use Sub-processors or process data outside the European Economic Area (EEA).
7.2 If personal data is processed outside the EEA or is accessible there, Next Shape ensures appropriate safeguards, such as Standard Contractual Clauses (SCCs) and, where necessary, additional measures (e.g., encryption, data minimization, access restrictions).
7.3 Upon request, Next Shape provides Client with reasonable information about the safeguards applied, to the extent available and without disclosing confidential security information.
8.1 Next Shape notifies a Data Breach to Client without undue delay after becoming aware of it, and strives to do so as soon as possible and, where reasonably feasible, within 48 hours.
8.2 The notification contains, as far as known: the nature of the incident, the (likely) affected categories and numbers, potential consequences, measures taken or proposed, and a contact point.
8.3 Next Shape maintains an incident log and provides reasonable cooperation so that Client can meet reporting obligations to the Data Protection Authority and data subjects.
9.1 Next Shape will, taking into account the nature of the Processing, assist Client with appropriate technical and organizational measures in handling requests from data subjects (access, rectification, erasure, restriction, portability, objection).
9.2 If Next Shape directly receives a request, it forwards it immediately to Client and does not handle it substantively on its own unless Client instructs so in writing.
10.1 Next Shape reasonably assists Client with: (i) security obligations, (ii) DPIAs, and (iii) prior consultation with the supervisory authority, insofar as the requested information relates to the Processing carried out by Next Shape.
10.2 This assistance may be billed as additional work at the applicable rate, unless otherwise agreed in the Main Agreement.
11.1 Next Shape makes available to Client all information reasonably necessary to demonstrate compliance with this DPA.
11.2 Client may have an audit performed at most once per calendar year, announced at least 30 days in advance, by an independent auditor bound by confidentiality. The audit must not unreasonably disrupt business operations and is limited to systems/processes relevant to the Processing.
11.3 Costs of the audit are for the account of Client, unless the audit demonstrates a material shortcoming of Next Shape; in that case Next Shape bears the reasonable costs of remedial measures.
12.1 After termination of the services, Next Shape deletes or returns (at Client's choice, if practical) the personal data, unless storage is legally required.
12.2 Backups may still contain personal data for a limited period; permanent deletion follows the backup cycle.
12.3 Next Shape confirms deletion in writing upon request, as far as reasonably demonstrable.
13.1 The liability arrangement from the Main Agreement/General Terms and Conditions applies to this DPA, unless mandatory law dictates otherwise.
13.2 Each Party is responsible for fines/damages that are the direct result of its own attributable violation of the GDPR or this DPA. Next Shape is not responsible for the lawfulness of the data, grounds, or instructions provided by Client.
13.3 Nothing in this DPA limits liability to the extent that limitation is not legally permitted.
14.1 In the event of conflict between this DPA and the Main Agreement, the following hierarchy applies: (1) this DPA, insofar as personal data processing is concerned, then (2) the SOW/main agreement, (3) other annexes, and (4) the general terms and conditions.
15.1 Dutch law applies to this DPA.
15.2 Disputes will be submitted exclusively to the competent court as determined in the Main Agreement (for Next Shape: District Court of Limburg, location Maastricht), unless mandatory law prescribes otherwise.
Next Shape applies measures appropriate to the risk and service, including where applicable: access management (least privilege), MFA where possible, TLS encryption during transport, logging/monitoring, patch management, separation of environments (dev/test/prod where relevant), secrets management, backup procedures, incident response process, contractual security agreements with Sub-processors, and data minimization.
This list may vary per client project (depending on stack and agreements). Next Shape may use, among others:
Next Shape | KvK 88315215 | BTW NL004396481B81