Data Processing Agreement
Effective date: 28 May 2026
Last updated: 28 May 2026
Binding language: English. Translations are for information only.
About Firestarter B.V. (in oprichting)
Firestarter B.V. is currently in formation (in oprichting) under Dutch law. Once registration with the Dutch Chamber of Commerce (KvK) is complete, KvK and VAT details will be added to this page. Until then, this Agreement is entered into on behalf of Firestarter B.V. i.o., to be ratified by the B.V. upon registration in line with Article 2:203 of the Dutch Civil Code.
This Data Processing Agreement (the “DPA”) forms part of, and is incorporated by reference into, the agreement between Firestarter and the Customer for the use of the Firestarter platform (the “Agreement”, including the General Terms and Conditions). It governs the processing of personal data that Firestarter carries out on behalf of the Customer when the Customer uses the Service.
This DPA reflects the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”). Where this DPA conflicts with the General Terms and Conditions in respect of the processing of personal data, this DPA prevails. Capitalised terms not defined here have the meaning given in the General Terms and Conditions.
1. Roles of the parties
For personal data processed through the Service on the Customer’s behalf, the Customer is the Controller and Firestarter is the Processor, within the meaning of Article 4(7) and 4(8) GDPR. Firestarter processes such personal data only on the documented instructions of the Customer, including as set out in this DPA and the Agreement.
Where Firestarter processes personal data as a Controller in its own right (for example, account and billing data, website data, or marketing data), that processing is governed by Firestarter’s Privacy Policy, not by this DPA.
2. Subject matter, nature and purpose
Subject matter: the processing of personal data contained in or accessed through the Customer’s Connected Systems (such as CRM platforms, email providers, analytics, advertising accounts, and outreach tools), for the purpose of providing the Service.
Nature and purpose of the processing:
- reading data from Connected Systems via integrations authorised by the Customer;
- analysing data to generate insights, recommendations, and draft content;
- executing commercial actions approved by the Customer, on the Customer’s own connected accounts;
- storing processed data and Outputs for the duration of the Agreement.
Duration: processing continues for the term of the Agreement and ceases in accordance with Section 9 (Return and deletion) on termination.
3. Categories of data subjects and personal data
| Categories of data subjects | Categories of personal data |
|---|---|
| Employees and authorised users of the Customer; the Customer’s leads, prospects, customers, and business contacts present in Connected Systems. | Identification and contact data (name, business email, telephone, job title, employer); communication metadata (email subject lines, send / open / reply timestamps); commercial activity data (deal stages, pipeline values, campaign performance); and account data of the Customer’s users. |
The Customer shall not submit, and shall not configure the Service to access, special categories of personal data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR) without first notifying Firestarter and agreeing appropriate additional safeguards in writing.
4. Obligations of Firestarter as Processor
Firestarter shall:
- process personal data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Firestarter will inform the Customer, unless legally prohibited);
- ensure that persons authorised to process personal data are bound by an appropriate duty of confidentiality;
- implement the technical and organisational measures set out in Section 6;
- respect the conditions in Section 5 for engaging sub-processors;
- assist the Customer, by appropriate technical and organisational measures and insofar as possible, in responding to requests from data subjects exercising their rights under Chapter III GDPR;
- assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to Firestarter;
- inform the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other data protection law.
Firestarter does not use personal data processed on the Customer’s behalf to train, fine-tune, or improve any artificial intelligence model, whether its own or that of a third party.
5. Sub-processors
The Customer grants Firestarter general written authorisation to engage sub-processors to support the provision of the Service. Firestarter shall impose on each sub-processor data protection obligations substantially the same as those set out in this DPA, and remains fully liable to the Customer for the performance of each sub-processor’s obligations.
The current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting and storage | European Union |
| Anthropic | AI model inference (Claude) | USA — EU SCCs in place |
Firestarter will give the Customer at least 30 days’ prior notice of any intended addition or replacement of a sub-processor. The Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the Service. The current list is available on request at hallo@fire-starter.ai.
6. Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Firestarter implements appropriate technical and organisational measures under Article 32 GDPR, including:
- encryption of personal data in transit (TLS 1.2 or higher) and at rest;
- access controls based on least-privilege principles, with multi-factor authentication for administrative access;
- logging and monitoring of access to Customer personal data;
- automated backups within EU hosting infrastructure;
- a strict human-in-the-loop model: no external action (such as sending an email or updating a record) is executed without explicit approval by an authorised user of the Customer;
- staff confidentiality undertakings and data-protection awareness.
7. Personal data breaches
Firestarter shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Customer’s personal data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Firestarter will cooperate with the Customer and take reasonable steps to mitigate the breach.
8. Audits and information
Firestarter shall make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA. On reasonable prior written notice, and no more than once per twelve-month period (unless required by a supervisory authority or following a personal data breach), the Customer may audit Firestarter’s compliance, subject to reasonable confidentiality and security conditions. Firestarter may satisfy audit requests by providing relevant certifications, reports, or written responses where these reasonably address the Customer’s queries.
9. Return and deletion of personal data
On termination or expiry of the Agreement, the Customer may export its data via standard export functionality for a period of 30 days. Following that period, and at the Customer’s choice, Firestarter shall delete or return all personal data processed on the Customer’s behalf and delete existing copies, within 90 days of termination, unless applicable law requires continued storage. Anonymised and aggregated data that can no longer be linked to the Customer or any data subject is not subject to this Section.
10. International transfers
Customer personal data is hosted within the European Union. Where a sub-processor processes personal data outside the EEA (in particular for AI inference), Firestarter ensures that such transfers are protected by a valid transfer mechanism under Chapter V GDPR, such as the European Commission’s Standard Contractual Clauses (SCCs) or, where applicable, the EU–US Data Privacy Framework.
11. Liability and term
The liability of each party under this DPA is subject to the limitations and exclusions set out in the General Terms and Conditions. This DPA takes effect on the effective date of the Agreement and remains in force for as long as Firestarter processes personal data on the Customer’s behalf.
12. Governing law
This DPA is governed by the laws of the Netherlands. Disputes are subject to the jurisdiction set out in the General Terms and Conditions.
Contact
For any questions or requests regarding this DPA or our processing of personal data on your behalf, please contact us:
Firestarter B.V. (in oprichting)
Keizersgracht 127, 1015 CJ Amsterdam, the Netherlands
Email: hallo@fire-starter.ai