
Data Processing Agreement

v2.0.0 · Compliance: 15 May 2026 · Edited: 28 April 2026

Article 28 GDPR processor agreement between WORQABLE BV (processor) and the Customer (controller).

Data Processing Agreement (DPA)

This Data Processing Agreement (the "DPA") is concluded between:

WORQABLE BV, a private limited company incorporated under Belgian law, with registered seat at Kerkstraat 120, 2060 Antwerp, Belgium, registered with the Crossroads Bank for Enterprises under number 0746.698.674, VAT BE 0746.698.674 (the "Processor"),

and

the Customer (the "Controller") who has accepted these terms by signing an Order Form, accepting the Algemene Voorwaarden via online sign-up, or otherwise contracting with WORQABLE BV.

This DPA forms part of the Agreement between the Parties as defined in §1.3 of the Algemene Voorwaarden ("AV") and governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the QRabl Service. In case of conflict, the order of precedence in §1.3 AV applies.

1. Definitions

Capitalised terms not defined here have the meanings set out in the AV and in Article 4 GDPR (Regulation (EU) 2016/679).

  • Annex 1 (TOMs): the Technical and Organisational Measures, available at /legal/dpa-annex-1-toms.
  • Annex 2 (SCCs): the Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2: controller-to-processor), available at /legal/dpa-annex-2-sccs.
  • Annex 3 (Sub-processors): the live list of Sub-processors, available at /legal/subprocessors. Annex 3 also contains a Transfer Impact Assessment template.

2. Subject matter, duration, nature and purpose of the processing

Subject matter. The Processor processes Personal Data on behalf of the Controller solely as necessary to provide the Service.

Duration. For the term of the Agreement, plus the data-export window of §3.5 AV (30 days, or 90 days for active T&T supply chains on written request).

Nature. Hosting; storage; processing in the SaaS platform; transmission to and from the Controller's authorised Users; on the Controller's instructions, transmission to AI sub-processors for inference; transmission to the email sub-processor for transactional notifications.

Purpose. Providing the QRabl product label, DPP, QR-code, supply-chain traceability, AI-assistance, and analytics features as configured by the Controller.

3. Categories of Data Subjects and Personal Data

Category of Data Subject → Categories of Personal Data:

  • Controller's authorised Users (employees, contractors, team members): name, email, role, login timestamps, IP address.
  • End consumers scanning QR codes on the Controller's products: anonymised IP, country (from CDN header), device type, browser category, scan timestamp, optional chat-message content.
  • Track & Trace supply-chain participants: name, role, hashed PIN, scan timestamps, scan-event parameters (incl. optional GPS, optional photos), device fingerprint.
  • Controller's customers / business contacts (if uploaded by the Controller): whatever the Controller chooses to upload (e.g., contact name + email for warranty registrations), under the Controller's responsibility per §5.1 AV.

The Processor does not knowingly process special categories of Personal Data (Art. 9 GDPR) other than as instructed by the Controller. The Controller must notify the Processor in writing under §3.2 AV before uploading special-category data.

4. Controller's instructions

The Processor processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject (in which case the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).

The Controller's documented instructions include: the Agreement; the configuration of the Service by the Controller (including AI features on/off, BYOK choice, sub-processor consent); and any subsequent instructions communicated in writing.

If the Processor reasonably believes an instruction infringes the GDPR or other Union or Member State data-protection law, the Processor will inform the Controller without delay.

5. Confidentiality

The Processor ensures that all persons authorised to process Personal Data on its behalf are bound by a contractual or statutory duty of confidentiality.

6. Security (Article 32 GDPR)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The detailed measures are set out in Annex 1 (TOMs). Annex 1 is updated by the Processor as the technical posture of the Service evolves; material changes are notified per §6.7 AV.

Highlights: TLS 1.3 in transit, full-disk encryption at rest on EU-resident infrastructure, Row-Level Security on multi-tenant tables, AES-256-GCM encryption of sensitive secrets, append-only audit logs anchored daily into the Bitcoin blockchain via OpenTimestamps, role-based access controls, regular internal security review.

7. Sub-processing

General authorisation. The Controller grants the Processor general authorisation to engage Sub-processors, subject to the safeguards in this Article 7.

Notification of changes. The Processor notifies the Controller of any intended changes (additions or replacements) to the list of Sub-processors at least 30 days before implementation, via email and via the live Subprocessors page (Annex 3). Within those 30 days, the Controller may object on reasonable, GDPR-related grounds. If no agreement is reached, the Controller may terminate the affected portion of the Service per §4.4 AV.

Sub-processor flow-down. The Processor imposes by written contract on each Sub-processor obligations equivalent in substance to those imposed on the Processor by this DPA — in particular, obligations to implement appropriate TOMs and to assist with data-subject rights and breach notification. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

Current Sub-processor list. Available at /legal/subprocessors (Annex 3).

8. Data Subject Rights

Taking into account the nature of the processing, the Processor assists the Controller — by appropriate technical and organisational measures, insofar as possible — for the fulfilment of the Controller's obligation to respond to requests for the exercise of Data Subject rights under Articles 15-22 GDPR.

In-platform tools. The Processor provides:

  • Right of access / portability: the in-product Data Export at Settings → Privacy & Data, returning the Data Subject's data in JSON.
  • Right of rectification: in-product editing at Settings → Profile and via API.
  • Right to erasure: scheduled deletion (30-day grace) and immediate deletion. Subject to the audit-log retention position in §11.
  • Right to object: in-product opt-out for marketing communications.

DSAR routing. If a Data Subject contacts the Processor directly, the Processor will (i) acknowledge receipt to the Data Subject and direct them to the Controller, and (ii) forward the request to the Controller without undue delay. The Processor does not respond to a Data Subject directly except where it acts as Controller (account data, scan analytics).

9. Personal Data Breach

The Processor notifies the Controller of any Personal Data Breach within the meaning of Article 4(12) GDPR without undue delay, and in any event within 72 hours of becoming aware of the breach. The notification includes, to the extent known:

  • the nature of the breach;
  • categories and approximate number of Data Subjects and records concerned;
  • likely consequences;
  • measures taken or proposed to address the breach and mitigate adverse effects;
  • the contact for follow-up.

The Processor cooperates with the Controller in the Controller's notification obligations to the supervisory authority (Art. 33 GDPR) and to Data Subjects (Art. 34 GDPR) where applicable. The Processor maintains an internal Breach Response Playbook (see /docs/compliance/breach-response-playbook).

10. Data Protection Impact Assessments and prior consultations

Taking into account the nature of the processing and the information available, the Processor assists the Controller with:

  • carrying out Data Protection Impact Assessments (Art. 35 GDPR);
  • prior consultation with the supervisory authority (Art. 36 GDPR).

The Processor maintains its own DPIAs for the AI-features bundle and for Track & Trace + geolocation, available on request to enterprise Customers under NDA.

11. Audit rights

The Controller may, no more than once per calendar year and on at least 30 days' written notice, audit the Processor's compliance with this DPA. Audits are conducted by a mutually agreed independent auditor, at the Controller's expense, under confidentiality, in a manner that does not unduly disrupt the Processor's operations. The Processor's assistance is capped at three (3) man-days per calendar year (additional time at the Processor's published hourly rate, currently EUR 110 excl. VAT). If the auditor identifies a serious or grossly negligent breach of the GDPR by the Processor, the Processor bears its own costs and the reasonable audit costs.

In lieu of an on-site audit, the Processor may provide an up-to-date third-party attestation (SOC 2, ISO 27001, ISAE 3000) where available; the Controller agrees that such attestation discharges the Processor's audit obligation for the period covered.

The Processor responds to security questionnaires once per year per Customer.

12. Cross-border transfers

The Processor's data plane is EU-resident (Hetzner, Germany). For specific functions (AI inference, embeddings), the Processor transfers data to US Sub-processors. Such transfers are made under one or more of the following Article 46 GDPR mechanisms:

  • the EU-US Data Privacy Framework adequacy decision (Decision (EU) 2023/1795), where the recipient is DPF-certified;
  • the Standard Contractual Clauses in Annex 2 (Implementing Decision (EU) 2021/914, Module 2);
  • supplementary measures as documented in Annex 1 (TOMs) and the Transfer Impact Assessment in Annex 3.

The Processor maintains a Transfer Impact Assessment for each non-EEA transfer; the live TIA is provided on request to enterprise Customers under NDA.

13. Return and deletion of data

On termination of the Agreement, the Processor will, at the Controller's election:

(a) make all Personal Data available for export by the Controller for 30 days (90 days for active T&T supply chains on written request); or

(b) on written instruction, return the Personal Data to the Controller in a structured, machine-readable format.

After the export window, the Processor permanently deletes the Personal Data from its systems and certifies the deletion to the Controller on request, except for:

  • billing and tax-related data retained for 7 years (Belgian tax legal obligation);
  • audit-log records retained per §14 below.

14. Audit-log retention as a legal obligation

The Processor maintains a tamper-evident audit log of significant Service operations. This log is required for compliance with sectoral regulations the platform serves and is grounded in GDPR Article 17(3)(b) (compliance with a legal obligation).

On a Data Subject's erasure request: business data is erased within 30 days; audit-log records are retained for the regulator-required period (typically 10 years). The Controller is informed of this position in advance through this DPA and the Privacy Policy. A manual purge of audit-log records is available on request via the procedure at /legal/privacy-policy §11.

15. Liability

The Parties' liability is governed by §8 of the AV. Nothing in this DPA limits any rights or remedies a Data Subject may have against the Processor under Articles 79 or 82 GDPR.

16. Hierarchy

This DPA prevails over the AV and the Product Terms only with respect to GDPR processing matters. For all other matters (term, IP, payment, governing law, jurisdiction, confidentiality), the AV and the Product Terms govern. The order of precedence in §1.3 AV applies.

17. Governing law and jurisdiction

Belgian law governs. The Dutch-language Enterprise Court of Antwerp, Antwerp division (Ondernemingsrechtbank Antwerpen, afdeling Antwerpen) has exclusive jurisdiction over disputes arising from this DPA.

18. Annexes

19. Contact

Data-protection inquiries: privacy@qrabl.eu.

DPO: appointment in progress; interim contact privacy@qrabl.eu.