Data Processing Agreement (DPA)
This DPA forms an integral part of the Tetrik Early-Adopter Terms of Service (the "Agreement") and is concluded to satisfy Article 28 GDPR. If there is any conflict between this DPA and the Agreement, this DPA prevails for matters relating to personal-data processing. Effective on the date the Agreement takes effect. Version 1.0.
Note on company status. Until KvK registration, the founders and AmPhi Labs B.V. i.o. are jointly liable for obligations under this DPA. Upon registration, AmPhi Labs B.V. ratifies and assumes those obligations exclusively.
1. Definitions
Terms in capitals not defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-processor" and "Personal Data Breach" are used as defined in Art. 4 GDPR.
2. Subject matter, duration, nature and purpose
| Item | Detail |
|---|---|
| Subject matter | Processing of Personal Data contained in Customer Data uploaded to Tetrik for box-size optimisation |
| Duration | Term of the Agreement plus the post-termination period in clause 9 |
| Nature and purpose | Hosting, computation, optimisation, presentation back to Controller |
| Type of Personal Data | Business-contact data of Authorised Users (name, business email, log-in events). No consumer personal data is required to operate Tetrik. If Controller chooses to upload order data containing consumer Personal Data (e.g. shipping addresses), it is processed only to the extent technically necessary to run the optimisation. |
| Categories of Data Subjects | Authorised Users; — if Controller uploads order data — Controller's customers |
| Controller / Processor roles | Controller = Customer; Processor = AmPhi Labs |
3. Processor obligations
Processor shall:
a. process Personal Data only on documented instructions from Controller, including the Agreement, this DPA, and any written instructions Controller gives during the term. If Processor believes an instruction infringes the GDPR, it will inform Controller without delay;
b. ensure persons authorised to process the Personal Data are bound by confidentiality;
c. implement appropriate technical and organisational measures (TOMs) as set out in Annex II;
d. respect the conditions for engaging Sub-processors in clause 4;
e. assist Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject requests (Chapter III GDPR);
f. assist Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
g. at Controller's choice, delete or return all Personal Data after the end of the provision of services (see clause 9);
h. make available to Controller all information necessary to demonstrate compliance with Art. 28 GDPR, and allow and contribute to audits (clause 7);
i. notify Controller without undue delay and at the latest within 48 hours after becoming aware of a Personal Data Breach affecting Controller's data, including the information required by Art. 33(3) GDPR to the extent then known.
4. Sub-processors
4.1 Controller grants general authorisation for the engagement of Sub-processors, subject to this clause.
4.2 The current Sub-processors are listed in Annex III and on tetrik.ai/legal/sub-processors.
4.3 Processor shall notify Controller of any intended addition or replacement at least 30 days in advance, giving Controller the opportunity to object on reasonable data-protection grounds. If Controller objects and the parties cannot agree a solution within a further 30 days, Controller may terminate the Agreement without penalty in respect of services that cannot be provided without the Sub-processor.
4.4 Processor shall impose on each Sub-processor data-protection obligations no less protective than those in this DPA and remains fully liable to Controller for the Sub-processor's acts and omissions.
5. International transfers
5.1 Where Processor or a Sub-processor transfers Personal Data outside the EEA, UK or Switzerland, the transfer is governed by:
- the EU Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (Controller-to-Processor), which are hereby incorporated by reference; with
- the UK Addendum issued by the ICO where UK personal data is transferred; and
- the Swiss adaptations (FDPIC) where Swiss personal data is transferred;
or, where applicable, the EU-US Data Privacy Framework certification of the importer.
5.2 The parties complete the SCC annexes by reference to the corresponding Annexes I, II and III of this DPA.
6. Data-subject rights
If Processor receives a request from a Data Subject in respect of Personal Data processed under this DPA, Processor will:
a. not respond to the request itself (other than to acknowledge receipt and redirect to Controller); b. forward the request to Controller without undue delay; and c. provide reasonable technical assistance to enable Controller to respond within the GDPR's deadlines.
7. Audits
7.1 Once per calendar year, or following a Personal Data Breach, Controller (or an independent auditor mandated by it and bound by appropriate confidentiality) may audit Processor's compliance with this DPA, on 30 days' written notice, during normal business hours, in a manner that does not unreasonably disrupt Processor's operations.
7.2 Audits will, where possible, be satisfied by Processor providing recent third-party certifications (ISO 27001/27701, SOC 2) or by a written questionnaire response. On-site audits are reserved for material concerns or post-breach reviews.
7.3 Each party bears its own costs unless the audit reveals a material breach by Processor, in which case Processor bears reasonable costs.
8. Liability
The liability provisions of the Agreement apply to claims under this DPA, except that nothing in the Agreement limits either party's liability to a Data Subject under Art. 82 GDPR.
9. Return and deletion
On expiry or termination of the Agreement, Processor will, at Controller's written choice:
a. return all Personal Data in a commonly used machine-readable format; or b. securely delete all Personal Data,
within 30 days of termination, and certify deletion to Controller. Processor may retain Personal Data to the extent required by EU or Member-State law, for the duration and purpose of that requirement only.
10. Governing law
This DPA is governed by Dutch law. The courts of Amsterdam have exclusive jurisdiction, subject to mandatory data-protection rules of the Data Subject's country of residence.
ANNEX I — Description of processing
| Data exporter (Controller) | The Customer entity in the Order Form |
| Contact | The address and contact in the Order Form |
| Data importer (Processor) | AmPhi Labs B.V. i.o., hello@tetrik.ai |
| Categories of data subjects | Authorised Users; — if uploaded — Controller's customers |
| Categories of personal data | Business contact (name, email); log-in / usage events; optionally order data containing shipping addresses |
| Sensitive data | None |
| Frequency | Continuous during the term |
| Nature | Hosting, computation, optimisation, presentation |
| Purpose | Provide the Tetrik service per the Agreement |
| Retention | Term + 30 days (clause 9) |
ANNEX II — Technical and Organisational Measures (TOMs)
Access control - Single sign-on with mandatory 2FA for all personnel - Role-based access; least-privilege; quarterly access reviews - Production access restricted to named engineers via short-lived credentials
Pseudonymisation and encryption - TLS 1.2+ in transit - AES-256 at rest in sub-processor default configurations - Customer Data encrypted at rest within Google/Netlify-backed storage
Resilience and availability - Daily backups, 30-day retention - Disaster-recovery procedure tested annually - Logical separation of Customer Data per tenant
Verification, testing, evaluation - Annual third-party penetration test (planned post-pilot) - Vulnerability scanning on dependencies (Dependabot, Snyk) - Quarterly review of these TOMs
Personnel - All personnel under written confidentiality obligations - Annual data-protection training - Background checks where legally permissible
Incident response - 24/7 alerting on critical security events - Documented incident-response runbook - 72-hour supervisory-authority notification process per GDPR Art. 33 - Customer notification within 48 hours per clause 3(i)
Sub-processor management - DPAs with all Sub-processors imposing equivalent obligations - Sub-processor list maintained at tetrik.ai/legal/sub-processors
ANNEX III — Authorised Sub-processors (current at v1.0)
| Sub-processor | Service | Processing location | Transfer mechanism |
|---|---|---|---|
| Netlify, Inc. | Web hosting, CDN, form delivery | EU edge + US | SCCs / DPF |
| Google Ireland Ltd. / Google LLC | Workspace, Sheets, Apps Script, Gmail | EU primary, US fallback | SCCs / DPF |
| Google LLC (Gmail / Workspace) | Transactional email + early-adopter outreach (via Gmail) | EU primary, US fallback | SCCs / EU-US DPF |
A Sub-processor change-log is maintained at tetrik.ai/legal/sub-processors.
Signatures (electronic acceptance is sufficient)
For Controller: ___ Date: _ For Processor (AmPhi Labs B.V. i.o.): ___ Date: _