Data Processing Agreement

Effective Date: August 4th, 2025
Last updated: July 1st, 2025

Hey there! This Data Processing Agreement ("DPA"), including its Annexes, is made between Planet VG ("Processor"—that’s us) and the Controller—that’s you. By agreeing to this DPA, both Parties are meeting the documentation requirements of Article 28(3) GDPR, ensuring transparency, accountability, and data protection for all the vegans involved. This DPA supplements the main agreement and forms an integral part of the main agreement.

Throughout this document, we’ll refer to ourselves and you collectively as “Parties” and individually as a “Party.”

1. Who does what under this DPA?

You (the Controller) decide why and how data is processed. We (the Processor) handle it based on your instructions and stick to the rules.

2. Why does this matter?

You’re in charge of determining what happens with the data and why (that’s GDPR Article 4, paragraph 7).

We’re here to make it happen securely and responsibly (as outlined in GDPR Article 4, paragraph 8).

3. What is our commitment?

You’ve given us the go-ahead to process personal data under the main agreement, and this DPA forms an essential part of that setup.

We’re ready to fulfill our GDPR responsibilities, from securing data to supporting your compliance needs.

4. What is the purpose of the processing?

We’re here to process personal data on your behalf. Everything we do with your data is tied to the services outlined in the main agreement; nothing more, nothing less.

Got extra needs? If there are processing purposes not already covered in this DPA, it’s your responsibility to keep us in the loop.

Need the full details about the processing purposes? Check out Annex 1 for more specifics on what data we process and why.

5. How do we keep things confidential?

We (and anyone working with us, including third parties) treat personal data like a secret (vegan) recipe: strictly confidential. The only exceptions? If you give us written consent to share it or if the law says we have to.

Everyone on our team who handles personal data signs confidentiality agreements or follows strict legal rules to keep your data safe.

6. What if someone asks about their data?

We’ve got your back! If a data subject wants to access, delete, or update their data, we’ll help you handle it. We don’t respond directly to a request from a data subject. We’ll forward requests to you within 3 working days, so you stay in control.

7. How do we deal with security?

Security is non-negotiable. Encryption, two-factor authentication (2FA), an IP allowlist for database access, and regular backups: we’ve got it covered.

We stay on top of tech. As things evolve, we’ll adapt our security to stay ahead.

Double-check us. You’re in charge of deciding if these security measures meet your specific needs. If you need something extra, just ask, and we’ll explore how we can help.

8. Do we use sub-processors?

We don’t process personal data alone. We’ve teamed up with a few trusted tech pros, based on your general authorization. You’ll find the current list of sub-processors in Annex 2.

If we plan to add or change a sub-processor, we’ll update the list and notify you via email at least two weeks in advance. You can object within those two weeks if you have a good reason; just send us an email, and we’ll work with you to sort it out.

Every sub-processor we work with is required to follow the same data protection rules as outlined in this DPA. If they don’t, it’s still on us. We remain fully accountable to you.

If you want to check the contract we have with a sub-processor, let us know. We’ll provide you with a copy so you can confirm they meet the same standards.

9. Where in the world is your data?

We process personal data mostly within the European Economic Area (EEA), but sometimes we may need to transfer it beyond EEA borders. Rest assured, we only do this if those countries meet GDPR-level protection standards. We’ll set up rock-solid safeguards—like standard contractual clauses—so your data stays safe and individual rights of data subjects are protected. By accepting this DPA, you’re giving us the green light to handle these arrangements for you. Curious about where your data might end up? Check out Annex 2 for the full list of locations.

10. Do you have audit rights?

If you need to verify that we’re ticking all the GDPR boxes, we’re here to help. At your request, we’ll share the necessary info and documents to prove we’re compliant with Article 28 of the GDPR. Want a closer look? No problem, you can carry out an audit yourself using an authorized auditor. We’ll give you access to relevant systems, infrastructure, and documentation, and we’ll work with you to make the process smooth and efficient.

Here’s how the audit works:

  • You can request an audit once a year, or more often if something major happens, like a security breach.
  • Give us at least 30 business days’ notice, so we can prep. Let us know about the scope, timing, and details of the audit.
  • We’ll schedule the audit at a time that works for both sides and ensure it doesn’t disrupt operations unnecessarily. Seems fair, right?
  • Once the audit is done, we’ll review the findings together and agree on any necessary fixes, complete with a timeline for implementing them.

If we’ve already had an independent audit in the past year, we can share the relevant parts of that report instead.

Costs? If the audit reveals issues that are our fault, we’ll cover the reasonable costs of the audit. If everything’s good or the problem lies elsewhere, the cost is on you. Either way, we’ll be upfront about any reasonable fees for our time and effort.

And of course, all audit findings stay confidential.

11. Oh no, a data breach?!

If something goes wrong and there’s a data breach, here’s how we’ll handle it:

  • Quick notification: We’ll let you know without unnecessary delay and, where possible, within 72 hours of discovering the breach. If we can’t meet that deadline, we’ll explain why. You’ll get all the details by phone or email, including:
    • What happened (the nature of the breach).
    • How many people and data records are affected (rough estimates).
    • The categories of data involved.
  • Damage control: We’ll take immediate steps to stop the breach, secure the data, and prevent further unauthorized access. We’ll also help you manage the situation and protect the rights of the people affected.
  • High-risk scenarios: If the breach is serious and could harm individuals’ rights or freedoms, you’ll need to notify the relevant Data Protection Authority within 72 hours. Don’t worry, we’ll provide all the info and support you need to meet this requirement.
  • Keeping track: You’re responsible for maintaining a record of all breaches, including what happened, the impact, and the corrective actions taken.

12. What is the duration of this DPA?

This DPA is valid for as long as the main agreement is active. Even after the agreement ends, any obligations that naturally continue (like confidentiality or data protection) will still apply.

When the main agreement ends, this DPA automatically ends with it.

Within 30 days of termination, we’ll either return or delete all personal data (and copies) based on your preference, unless the law requires us to keep it. Any costs for this process are your responsibility.

If deletion isn’t possible: Don’t worry, we’ll block the data from further use and take steps to anonymize it to make sure it’s no longer identifiable.

13. Can we change this DPA?

Things change, whether it’s our services, new regulations, or other circumstances that affect how we process personal data. If that happens, Parties work together to update this DPA as needed to make sure everything stays clear, compliant, and in line with the latest rules.

14. Who’s responsible when something goes wrong?

We take responsibility for how personal data is processed under this DPA. When it comes to liability, the terms in the main agreement apply.

15. Which laws apply?

This DPA is governed by Dutch law.

16. Where do we sort disputes?

Any disagreements will be handled by the court in our place of establishment.

Annex 1 – Details of Data Processing

| Category | Details |
| --- | --- |
| Name and Contact Information of Processor | Planet VG, Jan Pietersz. Coenstraat 7, 2595 WP, The Hague; Email: privacy@almostlevel5.com |
| Data Protection Officer of the Processor | Not applicable |
| Representative of the Processor | Not applicable |
| Duration of Processing | Processing begins on the effective date of the main agreement and ends upon its expiration or termination |
| Nature of Processing and Purpose | Planet VG processes personal data to provide its services as outlined in the main agreement |
| Data Subjects | Consumers (e.g., end-users of services) |
| Categories of Personal Data | Name, email, contact and communication data |
| Technical and Organizational Security Measures | Daily backups, IP allowlist for database access, Two-Factor authentication, data encryption |
| Sub-Processors | See Annex B for a detailed list of sub-processors, their roles, and security measures |
| Retention Period | Data is anonymized immediately upon account deletion unless required otherwise by law |
| Special Categories of Data | None |
| Frequency of Transfer | Continuous throughout the main agreements |

Annex 2 – Sub-processors

| Partner | What they do |
| --- | --- |
| NetCup GmbH | Data storage & hosting |
| Scaleway SAS | Hosting infrastructure |
| Google Ireland, Ltd. | Tools |
| Piwik PRO SA | Analytics |
| HubSpot Inc. | Customer services & marketing |
| Railsware Products Studio LLC | Email processing |
| Stripe Payments Europe, Limited | Payment processing |

Want the most up-to-date list? Just ask us at privacy@almostlevel5.com.

Questions about this DPA?

Shoot us a message at privacy@almostlevel5.com.