Data Processing Agreement

Version 1.0 · April 2026

This Data Processing Agreement (“DPA”) sets out the terms under which suPlay B.V. (“Processor”) processes Personal Data on behalf of the Customer (“Controller”) in connection with the suPlayPoll service. It is designed to meet the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

How to sign: email privacy@suplay.nl with your company’s legal name, registered address, and signing contact, and we will return a pre-filled PDF for signature within five business days. For Enterprise-tier customers we can also sign via DocuSign on request. Alternatively, print this page, complete Annex A by hand, sign, and email the signed copy to the same address. We counter-sign within five business days of receipt.

1. Definitions

  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Subprocessor”, “Data Subject”, and “Personal Data Breach” have the meanings given in the GDPR.
  • “Services” means the suPlayPoll service as described in our Terms of Service.
  • “Main Agreement” means the contractual terms under which the Controller uses the Services (our Terms of Service plus any signed order form).
  • “Effective Date” means the date entered in Annex A.

2. Subject matter and duration

This DPA applies to all Processing of Personal Data carried out by suPlay B.V. on behalf of the Controller under the Main Agreement. It is in force for the duration of the Main Agreement and survives until all Personal Data processed hereunder has been deleted in accordance with §10.

3. Nature and purpose of processing

The Processor processes Personal Data solely to provide the Services: to operate presenter accounts, run live polls, deliver transactional email, handle billing, and maintain the Services. A description of the Processing activities, categories of Data Subjects, and categories of Personal Data is set out in Annex B.

4. Documented instructions

The Processor processes Personal Data only on documented instructions from the Controller, including regarding transfers to a third country. The Main Agreement, this DPA, and the use of the Services through their user interfaces and APIs constitute such documented instructions. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection provisions.

5. Confidentiality of personnel

The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Security (Art. 32)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described on our Security Summary page. The measures include, at minimum:

  • TLS 1.2+ for all external traffic; HSTS enforced.
  • Encryption of backups at rest.
  • bcrypt password hashing (cost 12) and SHA-256 token hashing.
  • Rate limiting on authentication, signup, and email-resend endpoints.
  • Application runs as an unprivileged system user.
  • Quarterly security-incident tabletop exercises and monthly restore tests.
  • Error-monitoring PII scrubbing (sendDefaultPii: false).
  • Audit logging of administrative impersonation.

7. Subprocessors

The Controller authorises the Processor’s engagement of the Subprocessors listed on our Subprocessors page as of the Effective Date. The Processor will:

  • Impose contractual obligations on each Subprocessor that are no less protective than this DPA.
  • Give the Controller at least 30 days’ written notice before adding or replacing any Subprocessor.
  • Allow the Controller to object on reasonable grounds within that 30-day period; if the objection cannot be resolved, the Controller may terminate the affected subscription on a pro-rata basis.

8. Assistance (Arts. 28(3)(e), (f))

Taking into account the nature of the Processing, and insofar as this is possible, the Processor assists the Controller by appropriate technical and organisational measures in responding to requests from Data Subjects exercising their rights under Chapter III GDPR, and in meeting the Controller’s obligations regarding breach notification (Arts. 33 and 34), data protection impact assessments (Art. 35), and prior consultation with the supervisory authority (Art. 36).

  • Presenter accounts: self-service via the /settings page and documented endpoints.
  • Participant data: on request via privacy@suplay.nl within 30 days.

9. Personal-data breach notification (Art. 33)

The Processor notifies the Controller without undue delay, and in any case within 72 hours of becoming aware of it, of any Personal Data Breach affecting the Controller’s data. The notification describes the nature of the breach, the categories and approximate number of affected Data Subjects, the likely consequences, and the remediation measures taken or proposed. Where not all of this information is available at once, the Processor provides it in phases without undue further delay (Art. 33(4)).

10. Return or deletion of Personal Data

On termination of the Main Agreement, the Controller may export its Personal Data for 30 days. After that period, the Processor deletes all Personal Data processed under this DPA from production systems within 90 days; copies held in database backups are removed on the next backup rotation. This does not apply where Union or Member State law requires longer storage (for example, Dutch tax law requires billing records to be retained for seven years).

11. Audit (Art. 28(3)(h))

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR, including this DPA, the Subprocessors page, the Security Summary, and, on request, our internal processing inventory. Where the Controller reasonably requires further evidence, the Processor supports remote, questionnaire-based audits at no cost, and on-site audits at the Controller’s reasonable expense. For on-site audits the Controller gives at least 30 days’ written notice and conducts the audit so as not to disrupt the Processor’s operations.

12. International transfers

Where Personal Data is transferred outside the European Economic Area to a Subprocessor, the transfer is made on the basis of the European Commission’s Standard Contractual Clauses (Decision 2021/914 or any successor), unless the recipient country has an adequacy decision under Art. 45 GDPR.

13. Liability and order of precedence

Each party’s liability under this DPA is subject to the liability limits of the Main Agreement. In case of conflict between this DPA, the Main Agreement, and the GDPR, the GDPR prevails, then this DPA, then the Main Agreement.

14. Governing law and jurisdiction

This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the courts in Overijssel, the Netherlands, without prejudice to a Data Subject’s statutory rights of complaint to a supervisory authority.


Annex A — Parties (to be completed by the Customer)

Processor: suPlay B.V., Ruwerstraat 9, 7545 SM Enschede, The Netherlands. KvK: 70176264. VAT: NL858175691B01. Represented for signature by Holger Schiele, Managing Director. Data Protection contact: Frederik Vos (Co-founder, Head of Development), privacy@suplay.nl.

Controller:

  • Legal name: ____________________________________
  • Registered address: ____________________________
  • Company registration (KvK / trade register / equivalent): ___________
  • VAT ID: ___________________________________________
  • Represented by (name, title): ____________________
  • Privacy contact (name, email): ____________________
  • Effective date: ____________________________________

Annex B — Processing description

Subject matter and duration: operation of the suPlayPoll service, for the duration of the Main Agreement.

Nature and purpose: delivering a live-polling platform for presenters and their audiences, with associated transactional email, billing, and error monitoring.

Categories of Data Subjects: presenters (the Controller’s users) and participants (the audience members joining events).

Categories of Personal Data: presenter name, email address, hashed password, IP address (transient, not stored); optional participant display name and email; session identifiers; billing identifiers (PayPal payer ID, subscription ID).

Special categories of data (Art. 9): none are knowingly processed. The Controller is responsible for ensuring that no special-category data is introduced through free-text poll responses unless one of the exceptions in Art. 9(2) applies.

Processing operations: collection, storage, use (display to authorised parties), transmission to Subprocessors for email/error-monitoring/payments, erasure on request or schedule.

Annex C — Subprocessors

The current list of Subprocessors is maintained on our Subprocessors page and incorporated into this DPA by reference.