Data Processing Agreement

Our Data Processing Agreement is clear and compliant.

Ormilon’s Data Processing Agreement (DPA)

This Data Processing Agreement (DPA) forms part of the Terms of Service between you (the Customer, acting as Data Controller) and Ormilon B.V. (the Processor). It sets out how we process personal data on your behalf, in compliance with the GDPR and with our core principle of transparency. This DPA applies automatically when you use our services.

Parties
Controller: you, our client (the Data Controller)
Processor: Ormilon B.V.

1. Why we handle your data

We process personal data only on your instructions, or where it necessarily follows from the service you buy from us: cloud hosting, cloud services, storage, keeping your applications and cloud infrastructure online, and related support. Appendix 1 lists the categories of data and data subjects involved. The data remains yours at all times.

Our promise is simple: you own your data. We process it only as agreed with you and we protect it as if it were our own.

2. Our promises

Ormilon complies with both the GDPR and the NIS2 Directive. As NIS2 requires, we run continuous risk management, carry out supply-chain security checks and maintain a formal business-continuity plan.

Every team member signs a strict confidentiality clause. If an instruction you give us appears to infringe data-protection law, we tell you straight away. When a planned change is likely to result in a high risk, we assist you with a Data Protection Impact Assessment. We also run a public Vulnerability-Disclosure and bug-bounty programme to keep blind spots small.


3. Where the data lives

We store and process all personal data exclusively inside the European Union and only in ISO 27001-certified data centres.
Through your Ormilon dashboard you choose the precise data-centre location that suits you best (for example NL → Amsterdam 1, DE → Frankfurt 2). Once selected, your data remains in that EU location; we do not copy or transfer data outside the EU under any circumstances.

4. Who does what

Our secured platforms and trained staff perform the processing; you determine the purposes of the processing and the legal basis for collecting the data. You warrant that your instructions are lawful; we carry them out exactly as agreed.

5. Subprocessors

We work with a small number of trusted, specialist subprocessors (for example payment providers). All of them are GDPR-compliant and bound by the same data-protection standards. The up-to-date list is always available on our Privacy Policy page. We tell you at least 30 days before we add a new subprocessor; if you raise a justified objection, you may cancel at no cost. Each subprocessor signs data-protection obligations identical to those in this DPA, and we remain fully liable for their work. Enterprise clients may negotiate custom subprocessor terms or exceptions on request.

6. Security, plain and simple

We take appropriate technical and organisational measures to keep your data safe: TLS 1.3 for data in transit, AES-256 for data at rest, MFA on administrative accounts, role-based access control with quarterly access reviews, audit logs, real-time intrusion detection, 24/7 monitoring, monthly vulnerability scans and an annual external penetration test (full list in Appendix 2). These measures are reviewed regularly and updated when needed. You can Bring Your Own Key (BYOK) via your own HSM or KMS, so control of the encryption keys stays with you.

7. Data-breach game-plan

When we become aware of a security incident affecting your data, we report to you following the NIS2 incident-notification timeline:

  • Early warning within 24 hours
  • Update within 72 hours
  • Final report within one month

A 24/7 Single Point of Contact (SPOC) coordinates with you, the authorities and the relevant CSIRTs. The 24-hour early warning is how we meet the processor's duty under GDPR Article 33(2) to notify you without undue delay; the 72-hour deadline for notifying the supervisory authority under Article 33(1) then rests with you as the controller. You decide whether and how to notify regulators or data subjects; we help where needed.

8. Data-subject rights

Customers can use our self-service data portal to download, move or erase their own data.

At any time, you can:

  • Ask what personal data we hold about you
  • Correct your data
  • Delete your data
  • Withdraw your consent

Where a data subject exercises these rights against you for data we process on your behalf, we assist you in responding to the request.

9. Confidentiality

All personal data we process on your behalf is treated as strictly confidential. We will not share or reuse it for any other purpose without your permission, unless required by law.

10. Audit

You may audit our compliance with this DPA once a year, after a major incident, or more often if required by law, using an independent auditor bound by confidentiality. We provide the logs, documents and staff the auditor needs; you bear the cost of the audit. If you prefer, you can rely on our most recent independent audit reports (ISO 27001 or SOC 2) instead. Our public Vulnerability-Disclosure policy stays open year-round.

11. Liability

For direct damage, our total liability is limited to the amount you paid us in the 12 months before the event, with a maximum of €25,000. We do not cover indirect loss such as lost profit or reputational damage. The cap does not apply if our senior management acted with wilful misconduct or gross negligence. You must lodge any claim within 12 months of discovering the issue.

12. Duration and exit

This DPA takes effect when you accept Ormilon's Terms of Service and runs for as long as we provide services to you. When the contract ends, you choose: we return your data to you securely, or we erase everything and confirm the deletion in writing. All backups are wiped 7 days after the contract ends unless you request an extension beforehand. Our RPO/RTO guarantees remain in force until final deletion.

13. Changes to this DPA

If the law (for example NIS2 implementing rules) or our service changes in a way that affects this document, we send you the updated version with 30 days' notice. If you disagree, you may object; if we cannot resolve the objection, you may terminate the agreement.

Appendix 1 – What data and whose

For each data set: typical examples, data subjects, retention rule.

Client account data
  Typical examples: name, job title, company name, contracts
  Data subjects: clients
  Retention rule: held for the full contract term; deleted or returned within 30 days after termination (plus one extra 30-day backup window)

Contact data (leads)
  Typical examples: name, email, phone, company
  Data subjects: prospects / leads
  Retention rule: removed 24 months after the last meaningful contact if no contract follows

Behaviour & analytics
  Typical examples: IP address, page paths, cookies
  Data subjects: website visitors
  Retention rule: raw data kept 12 months; afterwards only aggregated / anonymised statistics are retained

Security & access logs
  Typical examples: login events, admin actions, firewall logs
  Data subjects: all users
  Retention rule: stored 12 months; extended while an incident is open

Support tickets
  Typical examples: chat, e-mail, attachments
  Data subjects: clients, suppliers and partners
  Retention rule: erased 2 years after the ticket is closed

Financial & billing records
  Typical examples: invoices, payment references, VAT data
  Data subjects: clients and suppliers
  Retention rule: 7 years (Dutch tax-law minimum)

Back-up copies
  Typical examples: point-in-time snapshots
  Data subjects: same as the source data
  Retention rule: rotated on a 30-day rolling basis; final backups purged 7 days after contract end

Appendix 2 – Security toolkit (TOMs)

  • ISO 27001 certified EU datacentres with physical access control
  • TLS 1.3 encryption in transit, AES-256 at rest
  • BYOK option with customer-managed HSM/KMS
  • MFA on all admin accounts
  • Role-based access with quarterly reviews
  • Real-time intrusion detection, logs kept 12 months
  • Encrypted backups within the EU, at most 24 h old (RPO ≤ 24 h); full restore within 12 h (RTO ≤ 12 h)
  • Annual external penetration test, monthly vulnerability scan
  • Privacy training on hire and every year after
  • Public Vulnerability-Disclosure & bug-bounty programme

Questions?

Still unsure about something? Want more details about GDPR-compliance?
We’re happy to help, just email us at [email protected].
