← Back to tetrik.ai

Data Processing Agreement (DPA)

This DPA forms an integral part of the Tetrik Early-Adopter Terms of Service (the "Agreement") and is concluded to satisfy Article 28 GDPR. If there is any conflict between this DPA and the Agreement, this DPA prevails for matters relating to personal-data processing. Effective on the date the Agreement takes effect. Version 1.0.

Note on company status. Until KvK registration, the founders and AmPhi Labs B.V. i.o. are jointly liable for obligations under this DPA. Upon registration, AmPhi Labs B.V. ratifies and assumes those obligations exclusively.


1. Definitions

Terms in capitals not defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-processor" and "Personal Data Breach" are used as defined in Art. 4 GDPR.

2. Subject matter, duration, nature and purpose

Item Detail
Subject matter Processing of Personal Data contained in Customer Data uploaded to Tetrik for box-size optimisation
Duration Term of the Agreement plus the post-termination period in clause 9
Nature and purpose Hosting, computation, optimisation, presentation back to Controller
Type of Personal Data Business-contact data of Authorised Users (name, business email, log-in events). No consumer personal data is required to operate Tetrik. If Controller chooses to upload order data containing consumer Personal Data (e.g. shipping addresses), it is processed only to the extent technically necessary to run the optimisation.
Categories of Data Subjects Authorised Users; — if Controller uploads order data — Controller's customers
Controller / Processor roles Controller = Customer; Processor = AmPhi Labs

3. Processor obligations

Processor shall:

a. process Personal Data only on documented instructions from Controller, including the Agreement, this DPA, and any written instructions Controller gives during the term. If Processor believes an instruction infringes the GDPR, it will inform Controller without delay;

b. ensure persons authorised to process the Personal Data are bound by confidentiality;

c. implement appropriate technical and organisational measures (TOMs) as set out in Annex II;

d. respect the conditions for engaging Sub-processors in clause 4;

e. assist Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject requests (Chapter III GDPR);

f. assist Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);

g. at Controller's choice, delete or return all Personal Data after the end of the provision of services (see clause 9);

h. make available to Controller all information necessary to demonstrate compliance with Art. 28 GDPR, and allow and contribute to audits (clause 7);

i. notify Controller without undue delay and at the latest within 48 hours after becoming aware of a Personal Data Breach affecting Controller's data, including the information required by Art. 33(3) GDPR to the extent then known.

4. Sub-processors

4.1 Controller grants general authorisation for the engagement of Sub-processors, subject to this clause.

4.2 The current Sub-processors are listed in Annex III and on tetrik.ai/legal/sub-processors.

4.3 Processor shall notify Controller of any intended addition or replacement at least 30 days in advance, giving Controller the opportunity to object on reasonable data-protection grounds. If Controller objects and the parties cannot agree a solution within a further 30 days, Controller may terminate the Agreement without penalty in respect of services that cannot be provided without the Sub-processor.

4.4 Processor shall impose on each Sub-processor data-protection obligations no less protective than those in this DPA and remains fully liable to Controller for the Sub-processor's acts and omissions.

5. International transfers

5.1 Where Processor or a Sub-processor transfers Personal Data outside the EEA, UK or Switzerland, the transfer is governed by:

or, where applicable, the EU-US Data Privacy Framework certification of the importer.

5.2 The parties complete the SCC annexes by reference to the corresponding Annexes I, II and III of this DPA.

6. Data-subject rights

If Processor receives a request from a Data Subject in respect of Personal Data processed under this DPA, Processor will:

a. not respond to the request itself (other than to acknowledge receipt and redirect to Controller); b. forward the request to Controller without undue delay; and c. provide reasonable technical assistance to enable Controller to respond within the GDPR's deadlines.

7. Audits

7.1 Once per calendar year, or following a Personal Data Breach, Controller (or an independent auditor mandated by it and bound by appropriate confidentiality) may audit Processor's compliance with this DPA, on 30 days' written notice, during normal business hours, in a manner that does not unreasonably disrupt Processor's operations.

7.2 Audits will, where possible, be satisfied by Processor providing recent third-party certifications (ISO 27001/27701, SOC 2) or by a written questionnaire response. On-site audits are reserved for material concerns or post-breach reviews.

7.3 Each party bears its own costs unless the audit reveals a material breach by Processor, in which case Processor bears reasonable costs.

8. Liability

The liability provisions of the Agreement apply to claims under this DPA, except that nothing in the Agreement limits either party's liability to a Data Subject under Art. 82 GDPR.

9. Return and deletion

On expiry or termination of the Agreement, Processor will, at Controller's written choice:

a. return all Personal Data in a commonly used machine-readable format; or b. securely delete all Personal Data,

within 30 days of termination, and certify deletion to Controller. Processor may retain Personal Data to the extent required by EU or Member-State law, for the duration and purpose of that requirement only.

10. Governing law

This DPA is governed by Dutch law. The courts of Amsterdam have exclusive jurisdiction, subject to mandatory data-protection rules of the Data Subject's country of residence.


ANNEX I — Description of processing

Data exporter (Controller) The Customer entity in the Order Form
Contact The address and contact in the Order Form
Data importer (Processor) AmPhi Labs B.V. i.o., hello@tetrik.ai
Categories of data subjects Authorised Users; — if uploaded — Controller's customers
Categories of personal data Business contact (name, email); log-in / usage events; optionally order data containing shipping addresses
Sensitive data None
Frequency Continuous during the term
Nature Hosting, computation, optimisation, presentation
Purpose Provide the Tetrik service per the Agreement
Retention Term + 30 days (clause 9)

ANNEX II — Technical and Organisational Measures (TOMs)

Access control - Single sign-on with mandatory 2FA for all personnel - Role-based access; least-privilege; quarterly access reviews - Production access restricted to named engineers via short-lived credentials

Pseudonymisation and encryption - TLS 1.2+ in transit - AES-256 at rest in sub-processor default configurations - Customer Data encrypted at rest within Google/Netlify-backed storage

Resilience and availability - Daily backups, 30-day retention - Disaster-recovery procedure tested annually - Logical separation of Customer Data per tenant

Verification, testing, evaluation - Annual third-party penetration test (planned post-pilot) - Vulnerability scanning on dependencies (Dependabot, Snyk) - Quarterly review of these TOMs

Personnel - All personnel under written confidentiality obligations - Annual data-protection training - Background checks where legally permissible

Incident response - 24/7 alerting on critical security events - Documented incident-response runbook - 72-hour supervisory-authority notification process per GDPR Art. 33 - Customer notification within 48 hours per clause 3(i)

Sub-processor management - DPAs with all Sub-processors imposing equivalent obligations - Sub-processor list maintained at tetrik.ai/legal/sub-processors


ANNEX III — Authorised Sub-processors (current at v1.0)

Sub-processor Service Processing location Transfer mechanism
Netlify, Inc. Web hosting, CDN, form delivery EU edge + US SCCs / DPF
Google Ireland Ltd. / Google LLC Workspace, Sheets, Apps Script, Gmail EU primary, US fallback SCCs / DPF
Google LLC (Gmail / Workspace) Transactional email + early-adopter outreach (via Gmail) EU primary, US fallback SCCs / EU-US DPF

A Sub-processor change-log is maintained at tetrik.ai/legal/sub-processors.


Signatures (electronic acceptance is sufficient)

For Controller: ___ Date: _ For Processor (AmPhi Labs B.V. i.o.): ___ Date: _