BridgekitBridgekit

Data Processing Agreement

This DPA governs how Greenmango (Processor) processes personal data on your behalf (Controller) when you use Bridgekit.

Last updated: May 2026

Parties and roles

This Data Processing Agreement (DPA) is between you (the Controller) and Greenmango (the Processor). You as Controller instruct Greenmango to process personal data on your behalf when using the Bridgekit service. Both parties agree to comply with their respective GDPR obligations (Regulation EU 2016/679) and applicable national data-protection laws.

Subject matter and duration

The Processor processes personal data solely to provide the Bridgekit service described in the Terms of Service, and for no other purpose. Processing continues for the duration of the active subscription and a 90-day post-termination data-retention window. After that window, all personal data is deleted or returned on request.

Processing instructions

The Processor processes personal data only on documented instructions from the Controller. Using the Bridgekit platform constitutes documented instructions; additional instructions should be sent to privacy@bridgekit.eu. If the Processor believes any instruction infringes GDPR, it will inform the Controller before processing.

Processor obligations

The Processor ensures that all persons authorised to process personal data are bound by confidentiality. The Processor implements appropriate technical and organisational security measures. The Processor assists the Controller in responding to data subject rights requests, DPIAs and prior-consultation obligations to the extent reasonably possible.

Sub-processors

The Controller authorises use of the following sub-processors: Hetzner Online GmbH (Germany) for compute and primary-database hosting; Scaleway SAS (France) for off-site backups and transactional email; Mollie BV (Netherlands) for payment processing. All sub-processors are bound by GDPR-compliant agreements. Greenmango will notify the Controller of any change to the sub-processor list with reasonable advance notice.

Technical and organisational security measures

The Processor maintains: AES-256-GCM authenticated encryption of all secrets; database volumes encrypted at rest; TLS 1.2+ for all data in transit; role-based access controls limiting internal access; automated security patching; and regular EU-jurisdiction off-site backups.

Data subject rights and assistance

The Processor will promptly notify the Controller of any data subject rights requests it receives relating to the Controller's data, and will assist in fulfilling those requests within statutory time limits. The Controller remains responsible for communicating with data subjects and making the final determination on each request.

Data breach notification

In the event of a personal data breach affecting the Controller's data, the Processor will notify the Controller without undue delay and within 72 hours of becoming aware, including: a description of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.

Deletion and return of data

On termination of the subscription, the Processor provides a 30-day window to export data via the Bridgekit API. After that window, personal data is securely deleted from production systems and backups within 90 days, unless a longer retention period is required by law. Written confirmation of deletion is provided on request.

Audit rights

The Controller may, on 30 days' written notice and no more than once per year, commission an independent audit of the Processor's compliance with this DPA. Alternatively, the Controller may request a summary compliance report. Audit costs are borne by the Controller unless a breach is found.

Governing law

This DPA is governed by Dutch law and supplements the Terms of Service. In case of conflict, the DPA prevails in matters relating to personal data processing. To request a countersigned copy for your records, email privacy@bridgekit.eu.

Need a countersigned copy?

Email us at privacy@bridgekit.eu and we'll return a signed copy within two business days.

Contact us