This Data Processing Agreement ("DPA") forms part of the Agreement between PrikKlokPlus B.V. ("Processor", "we") and the customer ("Controller") and governs the processing of personal data on behalf of the Controller within the PrikKlokPlus SaaS platform. This DPA fulfils the requirements of GDPR art. 28.
| Party | Description |
|---|---|
| Controller | The organisation that has subscribed to PrikKlokPlus (the Tenant account holder). Identified in the account registration. |
| Processor | PrikKlokPlus B.V., Netherlands, KvK [number — pending], privacy@prikklokplus.nl |
The Processor processes personal data on behalf of the Controller for the purpose of delivering the PrikKlokPlus service: time tracking, scrum planning, project management, CRM, and invoicing.
| Item | Detail |
|---|---|
| Nature of processing | Storage, retrieval, display, modification, deletion, and transmission of personal data in the course of providing the SaaS service |
| Purpose | Operational delivery of the PrikKlokPlus platform as described in the General Terms and Conditions |
| Duration | For the duration of the subscription agreement, plus 90 days post-termination (read-only retention period) |
| Categories of data subjects | Employees, contractors, and managers of the Controller; clients and contacts in the CRM |
| Types of personal data | Name, email address, work hours, task assignments, project memberships, billing details, IP addresses, session identifiers |
| Special categories | None processed; Controller must not store sensitive categories (art. 9 GDPR) in PrikKlokPlus without explicit written agreement |
The Processor shall:
The Controller shall:
| Category | Measure |
|---|---|
| Encryption in transit | TLS 1.2+ (HTTPS) enforced on all connections |
| Encryption at rest | Database server disk encryption at Contabo infrastructure level |
| Authentication | bcrypt password hashing; TOTP 2FA and passkeys available; rate-limited login |
| Access control | Role-based access per Tenant; staff access on need-to-know basis with MFA required |
| Tenant isolation | All queries scoped by Tenant ID via global Eloquent scope; cross-tenant data access architecturally prevented |
| Monitoring | Error monitoring via self-hosted Grafana/Loki/Tempo; audit log of all user actions for 90 days |
| Backups | Daily automated database backups; retained for 14 days; stored in encrypted form |
| Breach response | Notification to AP within 72 hours; Controller notified without undue delay |
The Controller grants general written authorisation for the use of the following sub-processors. PrikKlokPlus will inform the Controller of intended additions or replacements at least 30 days in advance, giving the Controller the opportunity to object.
| Sub-processor | Service | Location | Transfer basis |
|---|---|---|---|
| Contabo GmbH | Server infrastructure, database hosting; self-hosted error tracking and performance monitoring (Grafana, Loki, Tempo, Prometheus); self-hosted analytics (Plausible); self-hosted source code hosting and CI/CD (Forgejo) — all on the same server | Germany | EEA — no transfer |
| Hetzner Online GmbH | Backup storage | Germany / Netherlands | EEA — no transfer |
| Upstash / Redis | Session storage, queue, cache | EU region | EEA — no transfer |
| Postmark (ActiveCampaign) | Transactional email delivery | EU / US | SCCs (EU 2021/914) where applicable |
| Mollie B.V. | Payment processing | Netherlands | EEA — no transfer |
Where personal data is transferred to countries outside the European Economic Area (EEA), the Processor shall ensure adequate protection through one of the following mechanisms:
The Processor shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures to fulfil obligations to respond to data subject requests:
The Processor shall make available all information necessary to demonstrate compliance with this DPA and GDPR art. 28. The Controller may request an audit of the Processor's data processing activities with at least 30 days' advance notice and no more than once per 12-month period. Costs of audits are borne by the Controller unless the audit reveals a material breach by the Processor.
This DPA is effective from the date the Controller accepts the General Terms and Conditions and remains in force for the duration of the subscription agreement. Upon termination, the Processor will retain data in read-only mode for 90 days to allow the Controller to export data, after which all personal data is permanently deleted, except where retention is required by law (e.g. invoice data under the Dutch VAT Act — 7 years).
| Contact | Details |
|---|---|
| Privacy contact | privacy@prikklokplus.nl |
| DPA requests | A signed PDF copy of this DPA is available on request at privacy@prikklokplus.nl |
| Supervisory authority | Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl |
This Data Processing Agreement (Verwerkersovereenkomst, "VOK") forms part of the Agreement between PrikKlokPlus B.V. ("Processor") and the Customer ("Controller") and governs the processing of personal data in accordance with GDPR art. 28.
Controller: the Customer that has taken out the PrikKlokPlus subscription.
Processor: PrikKlokPlus B.V., Netherlands, KvK [number — pending], privacy@prikklokplus.nl.
The Processor processes personal data on behalf of the Controller for the purpose of delivering the PrikKlokPlus platform: time tracking, scrum board, project management, CRM, and invoicing.
The Processor processes personal data only on documented instructions from the Controller; ensures confidentiality; takes appropriate security measures (§5 of the EN version); uses approved sub-processors (§6 of the EN version); assists with data subject rights requests, data breach notification obligations, and DPIAs; deletes or returns data after the end of the agreement; and permits audits in accordance with GDPR art. 28(3).
Approved sub-processors: Contabo GmbH (Germany: hosting, database, self-hosted monitoring/error tracking, self-hosted Plausible analytics, self-hosted Forgejo source code/CI, all on the same server), Hetzner Online GmbH (EU: backups), Mollie B.V. (NL), Postmark/ActiveCampaign (EU/US: SCCs). Changes are announced at least 30 days in advance.
Questions or requests for a signed copy: privacy@prikklokplus.nl. Complaints: Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl.