Data processing agreement

Version 1.3 October 2025

This processing agreement is part of the agreement between Pluvo B.V. (“Processor”) and the customer (“Controller”), and will take effect on the date that you have accepted this processing agreement. You guarantee that you are allowed to conclude this processing agreement. If you do not have this authority, please do not accept this agreement.

The parties consider the following:

  • Controller works in the field of trainings/courses and uses Processor in that context;
  • Processor provides the Controller with the Service as described in the Agreement, and, in that capacity, processes (special) personal data for the Controller;
  • With regard to the processing of personal data, the Controller is considered to be the controller within the meaning of Article 4 introductory words and under 7 of the General Data Protection Regulation (“GDPR”);
  • With regard to the storage and processing of the personal data for the Controller, the Processor is regarded as a processor within the meaning of Article 4 introductory words and under 8 of the GDPR;
  • Parties wish - also in implementation of the provisions of article 28, paragraph 3 of the GDPR - to lay down in the present Processing Agreement a number of conditions that apply to their relationship with regard to the (processing of personal data in the context of) the activities mentioned for and on behalf of the Controller.

Agree as follows:

Article 1. Definitions

  1. In this Data Processing Agreement, the following terms, always written with a capital letter, have the following meaning regardless of whether they are used in plural or singular form:
    Annex: appendix to the Data Processing Agreement, which forms an integral part of the Data Processing Agreement;
    Agreement: the Pluvo Customer Contract concluded between Controller and Processor;
    Personal Data: all data that can be traced directly or indirectly to a natural person as referred to in article 4 introductory words and under 1 of the GDPR;
    Sub-processor: the subcontractor engaged by Processor, who Processes Personal Data under this Data Processing Agreement on behalf of the Controller as referred to in article 28 paragraph 4 of the GDPR;
    Processing: processing Personal Data as referred to in article 4 introductory words and under 2 of the GDPR;
    Data Processing Agreement: the present agreement, which forms part of the Agreement.
  2. The provisions of the Agreement apply in full to the Processing Agreement. Insofar as the Agreement includes provisions concerning the processing of personal data, the provisions of this Processor Agreement prevail.

Article 2. Data Controller and Data Processor

  1. Under this Processing Agreement, Processor undertakes to Process Personal Data on behalf of the Controller. An overview of the type of Personal Data, the categories of data subjects and the purposes for which the Processing of Personal Data takes place is included in Annex 1.
  2. Controller is liable for the Processing of Personal Data under the Agreement and guarantees that the order to Process that Personal Data complies with all applicable laws and regulations. Controller indemnifies Processor against all claims from third parties, in particular from the supervisor, which in any way arise from non-compliance with this guarantee.
  3. Processor undertakes to Process personal data only for the activities mentioned in this Processor Agreement and/or the Agreement. Processor guarantees that, without the express written consent of the Controller, it will not make use of the Personal Data Processed under this Processor Agreement, unless a legal provision applicable to the Processor requires it to process. In that case, the Processor will inform the Controller of that legal requirement prior to Processing, unless that law prohibits such notice for important reasons of public interest.
  4. Free input fields and special personal data
    1. The Processor processes data entered via free input fields solely for the purpose of technically delivering, hosting, storing, securing, backing up and deleting that data. The Processor does not carry out a substantive or active review of the content entered via free input fields.
    2. Unless expressly agreed in writing, the Data Controller is not allowed to process special categories of personal data within the meaning of Article 9 GDPR or a BSN via free input fields. If the Controller does so, he will ensure a valid legal basis and appropriate additional safeguards and inform the Processor in writing in advance.
    3. Data that is temporarily stored as part of system tasks (such as control, export, or deletion procedures) is stored encrypted, logged and automatically deleted after completion of the task in accordance with Annex 2.
    4. The Processor facilitates configurations and UI warnings that alert the Controller to the prohibition or conditions for entering special personal data via free fields.
    5. The Processor contractually imposes these obligations on any Sub-Processors who have access to this data.

Article 3. Technical and organisational provisions

  1. The Processor will, taking into account the nature of the processing and, as far as reasonably possible, assist the Controller in fulfilling its duty under the GDPR to take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Taking into account the state of the art and the costs of implementation, these measures will guarantee an appropriate level of security, taking into account the risks associated with the Processing and the nature of the data to be protected. In any case, Processor will take measures to protect Personal Data against accidental or unlawful destruction, accidental and intentional loss, falsification, unauthorised distribution or access, or any other form of unlawful Processing.
  2. The technical and organisational measures taken by Processor are described in Annex 2. The Controller acknowledges having taken note of the measures concerned and by signing this Processor Agreement, the Controller agrees to the measures taken by Processor.

Article 4. Confidentiality

  1. Processor will let its employees, who are involved in the execution of the Agreement, sign a confidentiality agreement - whether or not included in the employment agreement with those employees - that at least states that these employees must maintain confidentiality with regard to the Personal Data.

Article 5. Data processing outside the Netherlands

  1. The transfer of Personal Data by Processor outside the European Economic Area is only permitted in compliance with the applicable legal obligations.

Article 6. Third parties and subcontractors

  1. Processor is allowed to use Sub-processors, as included in Annex 3, under this Processor Agreement and the Agreement. If Processor wishes to engage another Sub-processor, Processor will inform the Controller about the intended changes. The Controller must object to these changes within 5 working days. Processor will respond to the Controller's objection within 4 working days.
  2. Processor contractually obliges each Sub-processor to comply with the confidentiality obligations, reporting obligations and security measures with regard to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor Agreement.

Article 7. Liability

  1. With regard to the liability of Processor under the Processor Agreement and with regard to the indemnification obligations for Processor included in the Processor Agreement, the regulation concerning the limitation of liability included in, among others, article 9 of the Agreement applies in full.
  2. Without prejudice to article 7.1 of this Processor Agreement, Processor is only liable for damage caused by the Processing if such Processing fails to comply with obligations specifically addressed to Processor under the GDPR, or if Processor has acted outside of or contrary to the Controller's lawful instructions.

Article 8. Incidents

  1. If Processor becomes aware of an incident that may have a (material) impact on the security of Personal Data, it will i) inform the Controller without unreasonable delay and ii) take all reasonable measures to prevent or limit (further) violation of the GDPR.
  2. Processor will, insofar as reasonable, cooperate with the Controller and support the Controller in carrying out its legal obligations with regard to the detected incident.
  3. Processor will, insofar as reasonable, support the Controller in its obligation to report the personal data breach to the Data Protection Authority (“AP”) and/or the data subject, as referred to in article 33, paragraph 3 and article 34, paragraph 1 of the GDPR. Processor is never obliged to independently report a personal data breach to the AP and/or the data subject.
  4. Processor is never liable for the (correct and/or timely execution of the) reporting obligation resting on the Controller as referred to in articles 33 and 34 of the GDPR.

Article 9. Assistance to the Data Controller

  1. Processor will, as far as reasonably possible, assist the Controller in fulfilling its duty under the GDPR to respond to requests to exercise a data subject's rights, in particular the right to access (art. 15 GDPR), rectification (art. 16 GDPR), data erasure (art. 17 GDPR), restriction (art. 18 GDPR), portability (art. 20 GDPR) and the right to object (art. 21 and 22 GDPR). Processor will forward a complaint or request from a data subject regarding the Processing of Personal Data to the Controller, who is responsible for processing the request, as soon as possible. Processor is entitled to charge the Controller for any costs associated with the cooperation.
  2. Processor will, as far as reasonably possible, assist the Controller in fulfilling its duty under the GDPR to carry out a data protection impact assessment (arts. 35 and 36 GDPR).
  3. Processor will provide the Controller with all information reasonably necessary to demonstrate that Processor complies with its obligations under the GDPR. Furthermore, at the request of the Controller, Processor will enable and contribute to audits, including inspections, by the Controller or an auditor authorised by the Controller. If the Processor believes that an instruction in connection with the provisions of this paragraph infringes the GDPR or other privacy laws applicable to it, the Processor will immediately notify the Controller.
  4. Processor is entitled to charge the Controller for any costs associated with the provisions of article 9.3.

Article 10. Termination & Miscellaneous

  1. With regard to cancellation and/or dissolution of this Processing Agreement, the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, at the Controller's first request the Processor will delete all Personal Data or return it to the Controller, and delete existing copies, unless Processor is legally obliged to continue to store (parts of) the Personal Data.
  2. Controller will adequately inform Processor about (legal) retention periods that apply to the Processing of Personal Data for Processor.
  3. Controller declares that he is authorised to conclude this Data Processing Agreement.
  4. The obligations under this Data Processing Agreement, which by their nature are intended to survive termination, remain in force even after termination of this Data Processing Agreement.
  5. The choice of law and competent court are in line with the provisions of the Agreement.

----------------------------

Annex 1. Overview of Personal Data

Type of personal data

The following categories of personal data may be processed by the Processor on behalf of the Controller:

  1. Basic identification information: name, e-mail address, profile image.
  2. Custom user fields: fields added by the Data Controller, specific to their operational needs. These may vary and include but are not limited to occupation, organisation, contact information, and other relevant information.
  3. Educational data: progress in course material, scores, and results of evaluations and tests.

The Controller reserves the autonomy to determine which personal data is processed via the Processor's software. This includes both the basic identification information and the specific custom fields that are relevant to their purposes.

Free input fields — scope and limitations

Free input fields can be configured by the Data Controller.

The Data Controller ensures that no special categories of personal data (Article 9 GDPR) or BSN are processed unless there is a valid legal basis and additional guarantees and the Processor has been notified of this in advance.

In all cases, purpose limitation, data minimisation and the retention and deletion periods laid down in this Data Processing Agreement apply in full.

Dynamic nature of data

Given the ability for the Controller to add custom fields, there is an inherently dynamic aspect to the types of personal data processed.

The Processor facilitates transparency by providing insight into the current set of processed personal data within the customer environment.

Access to data

An up-to-date and complete overview of the processed personal data is accessible to the Controller after logging into the account within the Processor's supplied software.

This access allows the Data Controller to regularly review the types of data collected and, if necessary, update them to ensure accuracy and relevance.

Transparency and Compliance

This personal data specification is drawn up in the spirit of transparency and compliance with the GDPR, with the privacy and protection of user data paramount.

Purposes of Processing

The processing of personal data by the Processor takes place for specific purposes as determined by the Controller. These purposes concern the personal data of natural persons (data subjects) who:

  • have a relationship with the Data Controller (such as customers, members, students, employees or participants);
  • participate in trainings or courses offered by the Data Controller.

These purposes include:

  • communication with stakeholders;
  • carrying out research or evaluations;
  • compliance with legal obligations;
  • execution of agreements with those involved.

Processing activities

The processing is carried out independently by the Controller or the data subject, using the Processor's systems. These activities include but are not limited to:

  • collecting, recording, organizing, segmenting, filtering, and structuring data;
  • storing data, including email communications and chat logs;
  • updating, modifying, synchronizing, enriching, and analyzing data;
  • requesting, consulting, using, sharing, disseminating or otherwise making data available;
  • aligning, combining, blocking, deleting or destroying data.

This list provides a complete overview of the possible interactions with personal data within the Processor's systems and the diversity of the processing operations.

Using AI functionality

When the Controller uses the AI lesson module creator within the Pluvo platform, text entered by him or his users (“prompts”) may be temporarily processed by the subprocessor OpenAI LLC to generate teaching materials. Pluvo hereby assumes the role of processor; the Controller remains fully responsible for the legality and content of the entered text, in particular if it includes personal data.

----------------------------

Annex 2 Security Specification

General Obligations

The Processor undertakes to take all necessary technical and organizational security measures as required by the General Data Protection Regulation (GDPR), in particular Article 32 GDPR.

These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons.

ISO/IEC 27001:2022 Compliance

In addition to the GDPR requirements, Processor acts in accordance with the ISO/IEC 27001:2022 standard for information security management.

Processor's Information Security Management System (ISMS) includes at least the following control measures:

  • Risk Management — Regular identification, assessment and treatment of information security risks.
  • Security policy — Maintaining a formal and documented information security policy.
  • Information Security Organization — Established governance structure with roles and responsibilities.
  • Human Resource Security — Employees are trained and contractually bound to confidentiality.
  • Asset Management — Identification, classification and protection of information assets.
  • Access control — Least privilege principle; periodic review of access rights.
  • Cryptography — Application of appropriate encryption techniques for information confidentiality and integrity.
  • Physical and Environmental Security — Security of facilities and equipment.
  • Operational security — Secure process execution and log file maintenance.
  • Communication security — Protection of information in networks and communication services.
  • System development and maintenance — Integrating security into the design and development of IT systems.
  • Supplier relationships — Contractual guarantees and supervision of sub-processors.
  • Incident Management — Rapid detection, notification and follow-up of information security incidents.
  • Continuity Management — Protecting the continuity of business and IT processes.
  • Compliance — Regular review of legal, statutory, regulatory and contractual obligations.

Specific additional measures

  • Encryption — TLS encryption during transport and encryption-at-rest for databases, temporary buffers, and backups; periodic review of key management.
  • Logging & monitoring — Audit logging of all relevant personal data processing operations, including entry into free fields, temporary storage, export and deletion; log data is stored securely and periodically checked by the Security Officer.
  • Data Lifecycle Management — Automatic retention timers and automated deletion of temporary data upon completion of the process; periodic backup restore tests.
  • Access control (operational) — Separation of development, testing, and production environments; management accounts are logged and reviewed at least annually.
  • DLP Alerts — UI warnings and optional pattern filters discourage the entry of sensitive or special personal data via free fields.
  • Change Management — Changes to forms or field structures are covered by a formal change process including privacy impact assessment (DPIA).

----------------------------

Annex 3 Sub-Processor Specification

Processor can make use of the following categories and parties of sub-processors for Processing:

Messagebird

Identity:
https://messagebird.com

Processed Data:
First and Last Name
E-mail address
E-mail content information

Purpose of Processing: Messagebird is used to send email communication. This includes transactional emails, and other forms of communication via email.

Processing activities: Sending emails to users based on the lists provided.
Processing response data such as email open and click rates.
Maintenance of email lists and unsubscribe requests.

Location of Processing: The data is processed in SparkPost data centers, located in Europe.

Security measures: Messagebird implements industry-standard security protocols and encryption techniques to ensure data integrity and confidentiality.

Duration of Processing: The data is processed for as long as necessary to perform the email services, or until a user unsubscribes or requests the deletion of their data.

Compliance with Laws and Regulations: Messagebird complies with the GDPR and other relevant privacy laws for the protection of personal data.

Amazon AWS

Identity:
https://aws.amazon.com

Processed Data:
User names and e-mail addresses.
User profile images.
Additional fields added by the Controller, which may vary depending on user requirements.
User progress and scores in course materials and evaluations.
Log files that record changes to the database.
Files stored on AWS S3, including any user data or course materials.

Purpose of Processing: AWS is used to host and manage this data to provide a scalable, reliable, and secure infrastructure for our services.

Processing activities:
Storage and management of personal data and user profiles.
Hosting educational content and monitoring user performance.
Maintenance and management of log files for security and monitoring.
File storage and management on AWS S3.

Location of Processing: Data is processed and stored in AWS data centers located in Frankfurt, Germany.

Security measures: AWS implements comprehensive security measures including network security, encryption, access control, and regular security audits, and complies with relevant industry standards and certifications such as ISO 27001, SOC 1, SOC 2, and the GDPR.

Duration of Processing: Data is stored and processed for as long as necessary to provide the services.

Compliance with Laws and Regulations: AWS complies with the GDPR and other relevant European and international privacy laws for the protection of personal data.

Rights and Obligations

Audit rights: We reserve the right to inspect data security and privacy compliance.

Data Breach Notification: The sub-processor must inform us immediately of any data breaches or security incidents that occur.

Sub-processors: The sub-processor is obliged to clarify any additional sub-processors and must confirm whether the data processing takes place within the European Union.

OpenAI (AI functionality within the lesson module maker)

Identity:

OpenAI LLC

Purpose of processing: Supporting the AI functionality within the lesson module maker in the Pluvo platform. Here, text (“prompt”) entered by the Data Controller can be temporarily forwarded to the OpenAI API environment to generate draft teaching material.

Data processed: Text input that is entered into the AI module by the user or Data Controller, including any personal data contained therein. Pluvo does not send or collect other identifying information (such as user IDs, email addresses, or IP addresses) outside of technical transmission.

Processing activities: Processing textual input, calculating model response, and returning generated text to the Pluvo environment. OpenAI does not store this data outside the duration of the API session, in accordance with their data processing policy.

Processing location: Processing takes place within data centers that are managed by OpenAI and are subject to adequate security and privacy guarantees in accordance with their Data Processing Addendum.

Security measures: In-transit encryption (TLS 1.2 or higher), authentication via secure API keys, limitation of log storage to the functional duration of the session.

Responsibility of the Data Controller: The Data Controller is responsible for the nature and legality of the content entered. The entry of personal data or other sensitive information into the AI module should only take place if there is a valid legal basis under the GDPR. Pluvo does not access, nor does it review, the content of the prompts entered.

Compliance: OpenAI acts as a sub-processor of Pluvo within the meaning of Article 28 GDPR. Pluvo has concluded an agreement with OpenAI that states that the processing complies with applicable European data protection laws.