Log in

Data Processing Addendum

This Data Processing Addendum was last modified on May 5, 2026.

This Data Processing Addendum (including its appendices, the “Addendum”) forms part of the Underlying Agreement (as defined below) between Integer Technologies B.V. and the Customer.

This Addendum applies where one Party processes Personal Data on behalf of the other Party in connection with the Underlying Agreement

General Terms
Overview

This Addendum describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of personal data. This Addendum will be effective on the Addendum Effective Date (as defined below), and will replace any terms previously applicable to the processing and security of Customer Data. Capitalized terms used but not defined in this Addendum have the meaning given to them in the Underlying Agreement.

Considerations
  1. The Processor performs certain activities on behalf of the Controller that result in the Processor processing personal data on behalf of the Controller. These activities are set forth in a separate agreement (hereinafter: the Underlying Agreement).
  2. The Controller and the Processor wish to set forth in this Data Processing Addendum the mutual rights and obligations regarding this processing of personal data by the Processor in accordance with the General Data Protection Regulation (“GDPR”).
  3. This Data Processing Addendum is limited to those aspects of the activities to be performed by the Processor that fall under the GDPR, and has been entered into to fulfill the obligations under Article 28 of the GDPR. Other aspects of the activities to be performed by the Processor, such as requirements set forth in other legislation, licensing aspects of software used or installed, commercial aspects such as payments and costs, etc., are not part of this Data Processing Addendum and are governed by other agreements.
1. Definitions

The words or phrases used in this agreement that are capitalized have the following meanings:

  • Addendum: this data processing addendum;
  • Addendum Effective Date: date on which parties agreed to this Addendum;
  • Underlying Agreement: the agreement describing the work to be performed by the Processor, including the terms and conditions applicable thereto;
  • Personal Data: any data relating to an identified or identifiable natural person that is processed by the
  • Processor in connection with the Underlying Agreement; regardless of whether the Processor is authorized to process such data;
  • Access Data: usernames, passwords, and other data that grant the Processor access to the Controller’s IT systems;
  • Board: the body of supervisory authorities in the European Union as referred to in Chapter VII, Section 2 of the GDPR, and known as the “European Data Protection Board” (EDPB);
  • Terms not defined in this Addendum shall have the meanings defined in Article 4 of the GDPR.
2. Responsibilities

With regard to the obligations arising from the processing of Personal Data and the GDPR, the following applies:

  1. The Controller is the controller of the processing of Personal Data within the meaning of Article 4(7) of the GDPR.
  2. The Processor is a subcontractor of the Controller and, for the processing of Personal Data, is a processor within the meaning of Article 4(8) of the GDPR.
3. Applicability and Scope of Processing
  1. Unless the Parties have agreed otherwise in writing, the provisions of this Addendum apply to any processing of Personal Data by the Processor.
  2. The scope of the processing of Personal Data by the Processor follows from the obligations of the Processor as defined in this Addendum, including the annexes.
  3. The Processor has the right, and the Controller grants the Processor the right, to further process Personal Data related to the products and systems provided by the Processor for purposes other than those for which it was collected. The following conditions apply:
    1. The Processor acknowledges that, for these further processing activities, it must be regarded not as a Processor but as a Controller within the meaning of Article 4(7) of the GDPR.
    2. The Processor undertakes to comply with all associated legal requirements, including but not limited to the obligations imposed by Article 6(4) of the GDPR.
4. Obligations of the Processor
  1. The Processor shall process the Personal Data solely on behalf of the Controller, subject to any contrary legal obligations and subject to the provisions of Article 3.3 of this Addendum. The Processor shall inform the Controller in advance of such deviating legal provisions, unless this is prohibited by law.
  2. The Processor processes data on behalf of the Controller, in accordance with the Controller’s instructions and under the Controller’s responsibility. Details regarding the work to be performed, the categories of Personal Data to be processed, and the categories of data subjects are set forth in Appendix 4, which forms an integral part of this Addendum.
  3. If, in the Processor’s reasonable judgment, Personal Data must be processed by the Processor for purposes not covered by Article 4.2, the Processor shall immediately notify the Controller. The Processor shall only carry out such processing after obtaining the Controller’s consent. This consent may be given in writing or by email.
  4. The Processor shall ensure compliance with the conditions imposed on the processing of Personal Data under the GDPR and other applicable laws and regulations. This includes instructing the Processor’s personnel regarding the proper processing of Personal Data in accordance with all applicable laws and regulations. This also includes the obligation for the Processor, its personnel, and all subcontractors—including their personnel—to maintain the confidentiality of the Personal Data. The Processor shall ensure that compliance with this obligation is demonstrable and documented.
  5. The Processor shall assist the Controller to the best of its knowledge and ability in all aspects of compliance with the requirements of the GDPR for which the Processor’s cooperation or information is required. This includes, but is not limited to, making available the documentation required by the Controller to comply with Article 5(2) of the GDPR. Should the documentation required for this purpose, or any part thereof, contain confidential information or know-how of the Processor, the Processor shall have the right to require that access to the confidential documentation be granted only subject to a written confidentiality agreement. This confidentiality agreement shall in any case include a liability provision in favor of the Processor in the event of a breach of the confidentiality obligation.
  6. The Parties agree that the obligations arising from Section 4.5 are limited to those aspects of compliance with the GDPR that are directly or indirectly related to the activities to be performed by the Processor under this Addendum and/or the Underlying Agreement.
  7. The Processor shall exercise the utmost care when processing the Personal Data. The Processor shall at all times ensure that the integrity and accuracy of the Personal Data processed by it is and remains guaranteed.
  8. The Processor shall not disclose or make Personal Data available to any third party.
    1. This prohibition does not apply if the Personal Data is disclosed to a third party:
      1. pursuant to an explicit written instruction from the Controller, or
      2. pursuant to a legal requirement, or
      3. by order of a judicial or administrative authority, provided that in such a case the Processor notifies the Controller within 24 hours of receiving such an order, thereby enabling the Controller to pursue any legal remedy available to it, or
      4. pursuant to Article 4.14.
    2. Personal data may be disclosed to third parties outside the European Union and the European Economic Area, provided that the Processor ensures a proper legal basis as referred to in Chapter 5 of the GDPR.
  9. If the Processor determines that it is legally required to make Personal Data available to a competent authority, it shall only do so after consultation with and approval by the Controller. The Processor shall notify the Controller in writing as soon as possible of the legal obligation to do so. In doing so, the Processor shall provide all relevant information that the Controller reasonably needs to determine whether disclosure may take place and, if so, under what conditions. The obligation to notify the Controller shall cease to apply if an applicable legal obligation prohibits this.
  10. The Processor is aware of and accepts that it has a reporting obligation, which must be fulfilled as follows:
    1. The Processor must immediately notify the Controller of any breach involving Personal Data as referred to in Article 33(1) of the GDPR.
    2. Reports of such breaches must be made within 48 hours of their discovery by the Processor; this timeframe also applies during weekends, vacations, and holidays. The Processor must provide the Controller with all necessary information and cooperation to enable the Controller to determine as soon as possible the cause and scope of the loss, unauthorized access, breach, or security issue, and to make the required notifications to the competent authorities.
    3. An extension of the 48-hour period is permitted provided that the notification also includes the reasons for the delay as referred to in Article 33(1), last sentence, of the GDPR and the notification is made as soon as possible, unless the consequences of exceeding the deadline are, in accordance with standards of reasonableness and fairness, to be borne by the Processor.
  11. A report of an incident as described above in 4.10 may be made by telephone, email, or in writing. A telephone report must be followed up with a report by email or in writing. A report by email must be followed up with a telephone or written report.
  12. The Processor must immediately notify the Controller of all requests received directly from a data subject that relate to the exercise of data subjects’ rights as defined in the GDPR. The Processor will only comply with such a request if the Controller has instructed the Processor to do so in writing. The Processor shall assist the Controller with appropriate technical and organizational measures in the execution of such a request.
  13. The Processor shall handle all requests and instructions from the Controller regarding the processing of Personal Data promptly and properly.
  14. By this Addendum, the Controller authorizes the Processor to engage third parties as subcontractors for the processing of Personal Data, subject to the following conditions:
    1. Before the Processor engages a third party as a subcontractor, the Processor shall notify the Controller of its intention to do so and shall grant the Controller a period of 14 days to raise a reasoned objection. This notification may be made in writing or by email.
      1. If the Data Controller has not raised a reasoned objection within this period, consent shall be deemed to have been granted.
      2. If the Controller raises a substantiated objection to the proposed subcontractor, the Controller and the Processor shall, in good faith, seek a solution that addresses the Controller’s objections and enables the Processor to continue to fulfill its obligations under this Addendum and the Underlying Agreement without incurring unreasonable costs or other disadvantages.
    2. The Processor shall ensure that all subcontractors are bound to comply with all obligations imposed on the Processor under this Addendum. This shall be set forth in writing in the agreement or agreements between the Processor and the subcontractor or subcontractors. The Processor shall provide this agreement or provide the Controller with these agreements upon the Controller’s first request. If any deficiencies are found in these agreements, the Controller has the right to require the Processor to correct such deficiencies or to terminate the collaboration with the relevant subcontractor(s).
    3. A list of subcontractors for whom consent was granted upon signing the Underlying Agreement is included in Appendix 2. The Processor shall ensure that this list is updated from time to time to reflect the current situation.
  15. The Processor shall ensure that it continues to comply with all of its obligations in the event of an EU Member State’s withdrawal from the EU. The Processor is aware that this also entails that, in the event of such a withdrawal, it must ensure that all Personal Data processed or to be processed in the withdrawing Member State is deleted in a timely manner and transferred to appropriately secured facilities in another EU Member State. This obligation does not apply if the withdrawing Member State remains part of the European Economic Area, or if the withdrawing Member State obtains the status referred to in Article 45(1) of the GDPR at the time of withdrawal.
  16. The Processor shall ensure that its personnel are bound to comply with the obligations imposed on the Processor under this Addendum. The Processor shall document this in writing.
  17. The Processor shall assist the Controller to the best of its ability in fulfilling the Controller’s obligations under Articles 32 through 36 of the GDPR.
5. Security Measures and Inspection
  1. The Processor shall take all necessary technical and organizational measures to protect the Personal Data against loss and any form of unlawful processing.
  2. The measures to be taken by the Processor must in any case meet the following requirements:
    1. Article 32 of the GDPR;
    2. Applicable mandatory legal requirements established by the Board regarding the nature of the personal data to be processed by the Processor and the nature of such processing;
    3. Applicable mandatory guidelines of the Board;
    4. Applicable mandatory specific regulations of the Dutch Data Protection Authority (AP) regarding the nature of the personal data to be processed by the Processor and the nature of such processing;
    5. Applicable mandatory guidelines of the AP and Appendix 1.
    6. In the event of any conflict between these standards and regulations, the order in which they are listed above shall apply, with the first-mentioned document taking precedence. Compliance with the aforementioned standards and regulations includes, but is not limited to, the audit and inspection obligations contained therein.
  3. The Processor agrees that, at the request of the Controller, the Processor’s data processing facilities may be inspected in connection with the processing activities covered by this Addendum (“the Inspection”). The Inspection shall be conducted by an investigative body designated by the Controller, which, in the reasonable opinion of the Parties, is neutral and competent. The Controller shall ensure that the investigative body is bound by confidentiality regarding its findings vis-à-vis third parties.
  4. The Inspection covers all obligations arising from this Addendum, the GDPR, and any subordinate laws and regulations based thereon. This includes, but is not limited to, the security measures required under Section 5.2.
  5. The Processor shall cooperate fully with the Inspectorate, including by providing access to all documentation necessary to demonstrate compliance with legal obligations and this Addendum. If this documentation or any part thereof contains confidential information or know-how of the Processor, the Processor shall have the right to require that access to the confidential documentation be granted only subject to a written confidentiality agreement. The Controller shall enter into the necessary written agreements with the investigating authority for this purpose and make these agreements available to the Processor. These agreements shall in any case include a liability provision in favor of the Processor in the event of a breach of the confidentiality obligation.
  6. If, in the reasonable opinion of the Processor, an instruction from the Controller or the investigating authority, given in connection with the Inspection, is in violation of applicable legal requirements, the Processor shall notify the Controller thereof without delay. Such notification may be made in writing or by email.
  7. The Controller shall pay all costs, fees, and expenses related to the Inspection, including reasonable internal costs incurred by the Processor. This obligation shall lapse if the Inspection reveals that the Processor fails to comply with or neglects essential obligations under the GDPR and/or this Addendum; this includes, but is not limited to, all obligations of the Processor pursuant to Articles 4.8, 4.10, 4.14, 5.1, and 5.2 of this Addendum. In that case, all costs incurred by the Inspectorate shall be borne by the Processor.
  8. The Controller shall provide the Processor with a copy of the Inspection report.
6. Obligations of the Controller
  1. The Controller shall handle all requests made by a data subject to exercise the rights of data subjects as defined in the GDPR. The Controller shall inform and instruct the Processor in a timely manner regarding all activities to be performed by the Processor in response to such requests.
  2. The Controller must immediately notify the Processor of any security breaches involving Personal Data that the Controller detects or becomes aware of. The Controller acknowledges and agrees that if this obligation is not fulfilled, the Controller shall be jointly liable with the Processor for any resulting damage to data subjects, pursuant to Article 82 of the GDPR. The Controller’s failure to comply with this obligation does not affect the Processor’s obligations under this Addendum and does not affect the Processor’s liability under Article 7.
  3. The Controller is responsible for its own compliance with Articles 32 through 36 of the GDPR, including, but not limited to, the obligation to ensure adequate security of its IT systems. This security must comply with current technical standards.
  4. The Data Controller shall assist the Processor to the best of its knowledge and ability in all aspects of compliance with the requirements of the GDPR that require the Data Controller’s cooperation or information.
  5. The Controller guarantees that the personal data to be processed has been lawfully obtained and is being lawfully processed. The Controller is liable for all damages arising from unlawful acquisition or processing. The Controller indemnifies the Processor against all claims, disputes, losses, damages, and costs incurred by the Processor that directly or indirectly result from or are related to a breach of this obligation.
7. Liability
  1. Each Party shall be responsible for its own compliance with applicable data protection laws, including the GDPR.
  2. Each Party shall be liable for damages arising from its own breach of this Addendum or applicable data protection laws.
  3. Where both Parties are responsible for the same damage, liability shall be allocated between the Parties in accordance with their respective responsibility for the damage, taking into account Article 82 GDPR.
  4. The Processor shall remain responsible for the performance of its subprocessors’ obligations under this Addendum to the extent required by Article 28(4) GDPR.
  5. Except where prohibited by applicable law, liability under this Addendum shall be subject to the exclusions and limitations of liability set out in the Underlying Agreement.
  6. Nothing in this Addendum shall exclude or limit either Party’s liability where such exclusion or limitation is prohibited by applicable law.
8. Termination
  1. The Addendum is entered into for an indefinite period.
  2. The Addendum automatically terminates upon the cessation of the Processor’s services. The Addendum may not be terminated in any other manner, unless it is replaced by another Data Processing Addendum covering the entire processing of Personal Data by the Processor.
  3. The Parties shall review this Addendum and, if necessary, amend it in the event of a significant change in the services provided by the Processor or a relevant change in applicable laws and regulations.
  4. Unless otherwise instructed in writing by the Controller and subject to the provisions of Article 3.3 of this Addendum, in the event of termination of the Addendum, the Processor shall:
    1. Return all Personal Data and Access Data to the Controller,
    2. Destroy all copies of the Personal Data and Access Data in its possession, and
    3. Notify the Controller that this destruction has been carried out.
  5. If, in the Processor’s reasonable judgment, an independent legal obligation of the Processor prohibits or restricts the Processor from returning or destroying the Personal Data in whole or in part, the following shall apply:
    1. The Processor shall notify the Controller in writing as soon as possible of this legal obligation and the Personal Data covered by it. The Processor shall provide all relevant information that the Controller reasonably needs to determine whether destruction can take place and, if so, under what conditions.
    2. If, in the reasonable judgment of the Controller, the legal obligation permits the destruction or partial destruction of the Personal Data by the Processor, the Processor shall proceed to do so immediately upon the Controller’s request.
    3. If the Controller determines that destruction may not take place, it shall notify the Processor thereof in writing. In that case, the Processor guarantees the confidentiality of the Personal Data vis-à-vis the Controller and shall not process the Personal Data except to comply with its aforementioned legal obligation or upon written instruction from the Controller.
    4. Notwithstanding the provisions of Article 8.6 below, the following articles of this Addendum shall remain in effect for as long as any independent legal obligation of the Processor prohibits or restricts the Processor from returning or destroying the Personal Data in whole or in part: those obligations which, by their nature, are intended to remain in effect after the termination of this Addendum
  6. The following provisions of this Addendum shall remain in force after termination: those obligations which, by their nature, are intended to remain in force after the termination of this Addendum
9. Severability

If one or more provisions of this Addendum prove to be invalid, the remainder of the Addendum shall remain in force. The parties shall consult regarding the provisions that are not legally valid in order to agree on a replacement provision that is legally valid and that, as far as possible, reflects the intent of the provision to be replaced.

10. Conflicting Laws

In the event of a conflict between this Addendum and other agreements relating to the Processor’s services, including but not limited to the Underlying Agreement, this Addendum shall prevail.

11. Notices

Where this Addendum requires a Party to provide the other Party with a notice or notification, the contact details set forth in Appendix 3 shall be used. Any change to these contact details must be communicated to the other Party in writing.

12. Governing Law, Disputes
  1. Dutch law shall govern this Addendum.
  2. All disputes arising out of or in connection with this Addendum shall be submitted exclusively to the competent court in the district where the Processor is located.

Processor maintains appropriate technical and organizational measures including access control, authentication, encryption in transit, logging, role-based access management, backup procedures, and incident response procedures.

The Controller grants permission under Article 4.14 to engage the following subprocessors:

Name
Address
Brief description of activities

HubSpot, Inc.

25 1st St, Cambridge, MA 02141-1801, United States

CRM

WeFact B.V.

Markt 50, 5521 AN Eersel, Netherlands

Invoicing and administration software

Exact MKB Software B.V.

Ptolemaeuslaan 70, 3528 BP Utrecht, Netherlands

Accounting and bookkeeping

Zenvoices B.V.

Stationsweg 19, 6711 PJ Ede, Netherlands

Automated invoicing and receipt processing

Notion Labs, Inc.

2300 Harrison St, San Francisco, CA 94110-2013, United States

Note-taking, documentation and project management

Google LLC

1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States

Email, productivity, and collaboration suite

Intuit Mailchimp

675 Ponce de Leon Ave NE, Atlanta, GA 30308, United States

Marketing

Timescale, Inc.

335 Madison Ave, New York, NY 10017-4611, United States

Database services

Twilio, Inc.

101 Spear St, San Francisco, CA 94105-1510, United States

Notification services

Supertokens, Inc.

95 3rd St, San Francisco, CA 94103-3103, United States

Authentication and session management services

Fly.io, Inc.

2261 Market St, San Francisco, CA 94114-1612, United States

Platform hosting service

Automattic, Inc.

60 29th St, San Francisco, CA 94110-4929, United States

Website hosting

All notifications and other communications to the Processor should be addressed to

Integer technologies B.V.
Markestrijp 50
5707DL Helmond
info@integer.energy

All notifications and other communications to the Controller shall be addressed to the email address associated with the Controller’s account or provided in the Underlying Agreement

Appendix 4.1 The Processing of Personal Data Concerns:

The process  involves a limited volume of personal data. This includes contact and identity details for users of the Platform, and contact person(s) to conduct business activities.

The processing consists of the following operations: Collection and Storage, Access and Consultation, Modification, and Communication.

Appendix 4.2 The Processing of Personal Data will take place during the following time

Company Contacts

Tax-related and/or financial data is retained for 7 years in accordance with applicable legal and tax retention obligations.

Other personal data is retained for the duration of the active commercial relationship and, where necessary, for a reasonable period thereafter to:

  • maintain business records;
  • manage customer relationships;
  • exercise or defend legal claims;
  • comply with legal obligations; and
  • safeguard the legitimate business interests of Integer Technologies B.V.


Retention during this period is based on Article 6(1)(f) GDPR (legitimate interests). The importance of this is described in the previous sentence.

For Platform users

Personal data is retained for the duration of the active user account.

Upon termination of the agreement with the employer of the user, or upon deactivation of the user account, personal data will be deleted or anonymized within 6 months, unless longer retention is necessary:

  • to comply with a legal obligation; or
  • for the establishment, exercise, or defense of legal claims pursuant to Article 6(1)(f) GDPR.

Appendix 4.3 The Following categories of Personal Data will be processed

Company Contact

  • Name
  • Address
  • Job title
  • Employer
  • City / Location
  • Phone number(s)
  • Email address
  • ID number (passport or similar, only if you have a contract with us that requires this)
  • IP address (when visiting our website or using the Platform)
  • Company IBAN

Platform User:

  • Name
  • Work email address
  • Phone number (Work)
  • Job position
  • Employer (Company name)
  • IP address (Technical log for access security)

Appendix 4.4 This Personal Data relates to the following categories of Data Subjects

  • Company Contact
  • Platform Users

Appendix 4.5 The following categories of the Processor's employees have access to the Personal Data:

Management, administrative staff, business developers and technical staff