Data processing agreement
This DPA Template illustrates the data-protection terms Reesure proposes for engagements with Operators under Article 28 of the GDPR. It describes how Reesure processes personal data when engaged as a Processor. The executable version is provided per engagement.
Last updated · 13 May 2026
1. Parties and scope
This DPA Template sets out the data-protection terms Reesure proposes for engagements between:
- Reesure Operations B.V. ("Reesure", "Processor"), KvK 96207094, Orteliusstraat 116-1, 1057BG Amsterdam, Netherlands; and
- The Operator of Reesure's Platform ("Operator", "Controller").
The terms cover any processing of personal data carried out by Reesure on the Operator's behalf in connection with the Platform. Where executed alongside a Client Agreement, the signed DPA supplements the Terms of Service and any other agreement, and prevails over them in case of conflict on data-protection matters.
2. Definitions
Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the Terms of Service.
- GDPR means the EU General Data Protection Regulation.
- Personal data, processing, controller, processor, sub-processor, data subject and personal data breach have the meanings set out in the GDPR.
- Operator Data means personal data processed by Reesure on the Operator's behalf via the Platform.
- Sub-processor means any third party engaged by Reesure to process Operator Data.
3. Subject matter, nature, purpose and duration
| Item | Detail |
|---|---|
| Subject matter | Processing of personal data necessary to provide the Platform under the Terms of Service |
| Nature and purpose | Rent collection, payment initiation, messaging, reporting and related operational support |
| Duration | The term of the Operator's subscription, plus any retention periods under §11 |
| Categories of data subjects | Tenants, the Operator's personnel and authorised users |
| Categories of personal data | Contact details, payment-method tokens / IBAN, payment status, messaging delivery data, technical logs |
| Special categories | None processed by design |
4. Operator instructions
Reesure processes Operator Data only on documented instructions from the Operator, as set out in this DPA, the Terms of Service and the Operator's configured use of the Platform.
If Reesure is required to process Operator Data for any other purpose under EU or Member State law, it will inform the Operator beforehand unless that law prohibits such notice.
5. Confidentiality
Reesure ensures that personnel authorised to process Operator Data are bound by appropriate confidentiality obligations (contractual or statutory) and that access is limited to what is needed to perform the contract.
6. Security measures (Article 32)
Reesure implements appropriate technical and organisational measures to protect Operator Data, including:
- AES-256 encryption at rest; TLS 1.2+ in transit
- Multi-factor authentication for administrative access
- Role-based access with least privilege
- Daily encrypted backups with off-site replication
- Quarterly vulnerability scans and annual external penetration testing
- API rate-limiting and automated anomaly detection
- Logging and monitoring of administrative access
Measures may evolve over time; current measures are also summarised in §7 of the Privacy Policy.
7. Sub-processors
Reesure may engage sub-processors to provide parts of the Platform. The current list is in Annex A below.
- Reesure has a written contract with each sub-processor imposing data protection obligations no less protective than this DPA.
- Reesure will notify the Operator of any intended addition or replacement of a sub-processor at least 30 days in advance, by email or by updating Annex A.
- The Operator may object on reasonable grounds related to data protection during that period. If the parties cannot agree on a solution, the Operator's sole remedy is to terminate the Client Agreement as a whole, without penalty for the unused portion of pre-paid fees.
- Reesure remains responsible for the performance of its sub-processors.
8. Assistance with data subject rights
Where technically feasible, Reesure will assist the Operator in responding to requests from data subjects to exercise their rights under Articles 12–22 of the GDPR.
Data subjects should contact the Operator (as controller) in the first instance. If a data subject contacts Reesure directly, Reesure will forward the request to the Operator and not respond on the Operator's behalf unless instructed to do so.
9. Personal data breach
Reesure will notify the Operator of any personal data breach affecting Operator Data without undue delay after becoming aware, and where feasible within 48 hours. The notification will include the information set out in Article 33(3) of the GDPR to the extent known.
Reesure will assist the Operator in fulfilling its breach notification obligations to supervisory authorities and data subjects.
10. International transfers
Operator Data is processed primarily within the European Economic Area. Where a sub-processor processes Operator Data outside the EEA, Reesure relies on:
- the EU Standard Contractual Clauses (Commission Decision 2021/914) as supplemented by appropriate safeguards; or
- an adequacy decision under Article 45 of the GDPR.
Details of the transfer mechanism for each sub-processor are in Annex A.
Note: Stripe Payments Europe Ltd. is based in Dublin (EEA) and processes EU payments via its EEA entity. The only sub-processors that may process data outside the EEA today are SendGrid (transactional email relay) and HubSpot (CRM, internal use), both under EU SCCs.
11. Return and deletion
On termination of the Operator's subscription, Reesure will, at the Operator's option:
- return Operator Data in a structured, machine-readable format (CSV/JSON); or
- delete Operator Data,
within a reasonable period, unless retention is required by EU or Member State law. If the Operator has not specified a preference within 30 days of termination, Reesure will delete Operator Data. Where retention is required (e.g. Dutch bookkeeping obligations of up to 7 years, or 10 years for immovable-property records), Reesure will continue to apply this DPA to the retained data.
12. Audits
Reesure will make available to the Operator information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, including:
- this DPA and any updates;
- summary reports of relevant certifications and audits (when available); and
- responses to reasonable written security questionnaires.
The Operator may, no more than once per year and on reasonable prior notice, request an on-site audit limited to data protection matters. Costs are borne by the Operator unless the audit reveals material non-compliance. Audits must be conducted in a manner that does not disrupt operations or compromise other Operators' data.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service and any Client Agreement.
14. Governing law and jurisdiction
This DPA is governed by Dutch law. Disputes are subject to the exclusive jurisdiction of the courts of Amsterdam, Netherlands.
15. Order of precedence
In case of conflict on data protection matters, this DPA prevails over the Terms of Service and any other agreement, except an explicit, signed Client Agreement that expressly amends this DPA.
A. Annex A — Sub-processors
| Provider | Function | Location | Transfer mechanism |
|---|---|---|---|
| Microsoft Azure | Hosting (app + database) | Europe | — |
| Stripe Payments Europe Ltd. | Payment processing and payout infrastructure (Stripe acts as its own controller for KYC) | EEA | — |
| MessageBird B.V. | Messaging (email/SMS/WhatsApp) | EEA | — |
| Google Workspace | Business email and productivity — internal use only | EU / USA | EU SCCs |
| SendGrid (Twilio Inc.) | Transactional email relay — status pending verification | USA | EU SCCs |
| HubSpot | CRM — internal use only | EU / USA | EU SCCs |
The current sub-processor list is published on this page. Updates are notified per §7.
B. Annex B — Technical and organisational measures
See §6 above.