Data Processing Agreement

This Data Protection Addendum ("Addendum") is entered into between Firstversionist B.V. (trading as Polypane), registered in the Netherlands (KVK 74263404), with address at Essehout 35, 2719MD Zoetermeer, The Netherlands ("Polypane") and the customer entity identified in the associated Order or Account ("Customer").

Note: This is a template document available upon request for enterprise customers. Contact us to receive a countersigned copy.

1. Background

Polypane provides a desktop browser application for developers and teams. In order to deliver its service, Polypane collects and processes certain personal data of the Customer's employees or contractors who are granted access to Polypane ("End Users").

Polypane acts as an independent data controller with respect to End User personal data: it determines the purposes and means of processing in the context of account management and licence delivery. This Addendum sets out the obligations of each party with respect to that data under Regulation (EU) 2016/679 ("GDPR").

2. Personal Data Processed

No special category data (Article 9 GDPR) is collected or processed. No Customer business data, client data, or data viewed within the Polypane application is transmitted to or stored by Polypane.

3. Roles and Responsibilities

3.1 Each party acts as an independent controller in respect of End User personal data. Neither party acts as a processor on behalf of the other.

3.2 Each party is independently responsible for compliance with applicable data protection law in respect of its own processing activities.

3.3 Where Customer instructs Polypane to provision, modify, or remove End User access, Customer warrants that it has the appropriate legal basis to share that End User's personal data with Polypane for that purpose.

4. Polypane's Data Protection Commitments

Polypane commits to the following with respect to End User personal data:

4.1 Legal basis. Polypane processes End User data on the basis of contract performance (Article 6(1)(b) GDPR) and, where applicable, legitimate interests (Article 6(1)(f) GDPR).

4.2 Purpose limitation. End User personal data is used only for account management and licence delivery. It is not sold, rented, or disclosed to third parties for marketing purposes.

4.3 Data minimisation. Only the data listed in Section 2 is collected.

4.4 Retention. Customer and End User data is deleted upon request. Backup copies are retained for up to 30 days, after which they are permanently deleted. Email addresses may be retained for up to six months to prevent abuse.

4.5 Security. Polypane implements appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS 1.3)
• Access restricted to the data controller (founder)
• MFA on all administrative accounts
• Automated patch management
• Regular backups retained in multiple locations

4.6 Sub-processors. Polypane uses the following sub-processors that may process End User personal data:

Payment data is handled by Paddle. Polypane does not have access to full Customer or End User payment information.

Polypane will inform Customer of any intended changes to this list of sub-processors, giving Customer the opportunity to object.

4.7 Data subject rights. Polypane will assist Customer in responding to data subject rights requests (access, rectification, erasure, portability, objection) to the extent those requests concern data held by Polypane. Requests should be directed to support@polypane.app.

4.8 Breach notification. In the event of a personal data breach affecting End User data, Polypane will:

• Notify the Dutch supervisory authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, where required by GDPR Article 33.
• Notify Customer without undue delay once Polypane has established an overview of what data was affected, the timeframe involved, and has mitigations in place, providing sufficient information for Customer to meet its own notification obligations.

4.9 Data portability. Upon termination of service, Polypane will make available an export of End User personal data in CSV format upon request.

4.10 Transfers outside the EEA. Polypane uses providers that are EU-based where possible. Where transfers outside the EEA occur (e.g., AWS), such transfers are governed by Standard Contractual Clauses or equivalent safeguards under Chapter V GDPR.

5. Customer's Obligations

5.1 Customer shall ensure it has a valid legal basis for sharing End User personal data with Polypane.

5.2 Customer shall provide End Users with appropriate transparency about the processing of their data by Polypane (e.g., in its own privacy notice).

5.3 Customer shall promptly inform Polypane of any data subject requests, complaints, or regulatory enquiries it receives that relate to Polypane's processing.

6. Audit Rights

Upon reasonable notice (minimum 30 days) and no more than once per year, Customer may request written confirmation from Polypane that the security measures and commitments in this Addendum are being met. Polypane is not required to grant physical access to its premises or systems.

7. Term and Termination

This Addendum is effective for the duration of the Customer's active Polypane subscription and terminates automatically upon termination of that subscription. Obligations regarding data retention and deletion (Section 4.4) survive termination.

8. Governing Law

This Addendum is governed by the laws of the Netherlands. Any disputes shall be subject to the exclusive jurisdiction of the courts of The Hague, the Netherlands.

9. Contact

For data protection enquiries:

• Contact: Kilian Valkhof, Founder
• Email: support@polypane.app
• Address: Essehout 35, 2719MD Zoetermeer, The Netherlands

Last updated: March 2026. This is a template document. Contact us to initiate a countersigned agreement.

Note to Polypane: This template should be reviewed by a legal professional before use. In particular, the framing of both parties as independent controllers should be validated against your specific use case with customers.