Terms and Conditions

Effective Date: 3/10/2026
Last Updated: 3/13/2026

Company: Carsu B.V., Harderwijkerweg 145, 3852 AB Ermelo, The Netherlands

Chamber of Commerce (KvK): 92122167

Website: www.carsu.com

1. Introduction

These Terms and Conditions ("Terms") govern your access to and use of the software-as-a-service ("SaaS") platform operated by Carsu B.V. ("Carsu", "Company", "we", "our", or "us"), available at https://www.carsu.com and through our mobile applications ("Platform").

By registering for an account or using our Platform, you agree to be bound by these Terms, our Privacy & Cookie Policy (available at https://www.carsu.com/privacy), and any applicable order form or subscription agreement. If you do not agree, do not use our services.

These Terms apply to any subsidiaries, affiliates, or group companies of Carsu B.V. that provide services under the Carsu brand.

2. Definitions

Account: Your unique account to access the Platform.

Controller: The entity that determines the purposes and means of processing personal data (as defined in GDPR Art. 4(7)).

Credits: Prepaid units purchased to use messaging and communication services on the Platform.

End-Consumer: A customer of a User (e.g., a vehicle owner) whose data is processed through the Platform.

Effective Date: The date your subscription begins, as specified in your order or account registration.

Platform: The Carsu website, web application, mobile applications, APIs, and all related services.

Processor: The entity that processes personal data on behalf of a Controller (as defined in GDPR Art. 4(8)).

Services: All services provided by Carsu through the Platform, including SaaS, communications, and support.

Subscription: Your chosen service tier (e.g., Free, Basic, or other paid plans).

User / You: Any individual or business entity that registers for and uses the Platform.

3. Services Provided

Carsu provides a comprehensive SaaS platform designed for the automotive aftermarket, including:

  • Workshop Management: Customer relationship management (CRM), scheduling, invoicing, and service history tracking.
  • Communication Services: Integrated messaging via WhatsApp Business, SMS, and Viber, enabling Users to communicate with their End-Consumers.
  • Vehicle and Parts Information: Access to vehicle data, parts catalogues, and repair procedure information.
  • Payment Processing: Integrated payment processing through Stripe.
  • Customer Support: Support services including AI-assisted features such as automatic message translation.

4. Account Registration and Security

4.1 Registration

To access the Platform, you must register for an Account. You agree to provide accurate, current, and complete information during registration and to keep this information updated.

4.2 Account Security

You are responsible for maintaining the confidentiality of your login credentials and for all activities that occur under your Account. You must notify us immediately at [email protected] if you become aware of any unauthorised use of your Account.

4.3 Account Eligibility

The Platform is intended for business use (B2B). By registering, you represent that you are authorised to act on behalf of the business entity you register, and that you have the legal capacity to enter into these Terms.

5. Use of the Platform and Communication Services

5.1 Messaging Integration

Our Platform integrates with WhatsApp Business, SMS gateways, and Viber. Users must comply with the respective third-party terms and policies for each communication channel used. Carsu is not responsible for changes to third-party platform policies or availability.

5.2 Messaging Rates

Rates for sending messages are variable and depend on destination, message type, and your Subscription tier. Current rates are available in the Settings section of your Account dashboard. Carsu reserves the right to adjust messaging rates with 14 days' notice via your Account dashboard or email.

5.3 Consent and Compliance

Carsu provides tools and guidance to help Users obtain and manage consent for communications with End-Consumers, in compliance with the ePrivacy Directive and applicable national laws. However, as Controller of End-Consumer data, the User is ultimately responsible for ensuring:

  • Valid consent is obtained before sending marketing messages;
  • Messages comply with applicable anti-spam and electronic communications laws;
  • Opt-out requests from End-Consumers are honoured promptly.

6. Prepaid Credits and Usage

6.1 Prepaid Credit Model

Carsu operates on a prepaid credit basis for communication services. Credits must be purchased in advance to use messaging features.

6.2 Credit Expiration — Free Tier

For Users on the Free Tier, purchased Credits are valid for twelve (12) months from the date of purchase. Unused Credits expire automatically after this period without refund.

6.3 Credit Validity — Paid Tiers

For Users on the Basic Tier or any other paid Subscription, purchased Credits do not expire as long as the Subscription remains active and in good standing. If a paid Subscription ends (for any reason), remaining Credits become subject to the 12-month expiration rule from the date the Subscription ended.

6.4 Trial Credits

Carsu may provide new Users with complimentary trial Credits for testing purposes. Trial Credits:

  • Expire automatically three (3) months after issuance;
  • May be revoked at any time if we suspect misuse or violation of our Acceptable Use Policy (Section 11);
  • Have no cash value and are non-transferable.

7. Fees, Payment, and Invoicing

7.1 Pricing

Current pricing for Credits and Subscription tiers is available on our Website and in your Account Settings. All fees are exclusive of applicable taxes unless otherwise stated.

7.2 Payment Processing

Payments are processed through Stripe. By making a purchase, you agree to Stripe's terms of service. Carsu does not store your credit card details.

7.3 Invoicing and VAT

Invoices are issued at the time of Credit purchase or Subscription payment.

  • Dutch customers (B2B): 21% Dutch VAT applies.
  • EU customers outside the Netherlands (B2B): VAT reverse-charge mechanism applies. Invoices include the reference "VAT reverse-charged". You must provide a valid EU VAT number.
  • UK customers (B2B): Zero-rated for VAT where a valid UK VAT number is provided.
  • Non-EU/UK customers: No VAT charged; local tax obligations are the responsibility of the customer.

7.4 Pricing Changes

Carsu may adjust Subscription pricing or Credit rates with at least 30 days' written notice via email. Continued use after the effective date constitutes acceptance. If you do not agree to a price change, you may terminate your Subscription before the new pricing takes effect.

7.5 Refund Policy

All Credit purchases and Subscription fees are non-refundable, except where Carsu has materially breached its service obligations under these Terms or applicable law requires otherwise.

8. Service Levels

8.1 Platform Availability

Carsu will use commercially reasonable efforts to maintain Platform availability of at least 99.5% per calendar month, measured excluding scheduled maintenance windows.

8.2 Scheduled Maintenance

We will provide at least 48 hours' notice of planned maintenance that may affect availability, except in cases of urgent security patches where shorter notice may be necessary.

8.3 Remedies

If Platform availability falls below 99.5% in any calendar month (excluding scheduled maintenance and Force Majeure events), affected Users on paid Subscriptions may request a pro-rata service credit for the affected period. Service credits are applied to future invoices and do not constitute a cash refund. Claims must be submitted within 30 days of the affected month.

8.4 Third-Party Dependencies

Our communication services depend on third-party platforms (WhatsApp, Viber, SMS gateways). Carsu is not responsible for outages or limitations imposed by these third-party providers. Third-party downtime is excluded from SLA calculations.

9. Data Protection

9.1 Privacy & Cookie Policy

Carsu processes personal data in accordance with our Privacy & Cookie Policy, available at https://www.carsu.com/privacy. By using the Platform, you acknowledge that you have read and understood our Privacy & Cookie Policy.

9.2 Data Processing Agreement

Where Carsu processes personal data on your behalf (i.e., End-Consumer data), Carsu acts as a Processor and you act as the Controller. The Data Processing Agreement ("DPA") set out in Annex A of these Terms, or as separately executed, governs this processing relationship in accordance with GDPR Article 28.

9.3 Your Obligations as Controller

As the Controller of End-Consumer data processed through our Platform, you are responsible for:

  • Ensuring you have a valid legal basis for processing End-Consumer data;
  • Obtaining required consents for electronic communications (ePrivacy Directive compliance);
  • Responding to data subject rights requests from your End-Consumers (Carsu will assist upon request);
  • Notifying Carsu promptly of any data subject requests that require Carsu's assistance;
  • Maintaining your own privacy policy that covers your use of our Platform to process End-Consumer data.

9.4 Data Portability and Switching Rights

In accordance with GDPR Article 20 and the EU Data Act (Regulation (EU) 2023/2854), you have the right to data portability and switching:

  • Self-Service Export: You can export your data at any time from your Account Settings in CSV or JSON format.
  • Manual Export Request: You may also request a full data export by emailing [email protected]. Export requests will be fulfilled within 30 days.
  • Post-Termination Export: You may request data export within 12 months after termination of your Subscription.
  • Data Deletion: Data will be permanently deleted within 60 days after the 12-month post-termination export window, unless longer retention is required by law.
  • Switching Assistance: Under the EU Data Act, if you wish to switch to an alternative service provider, Carsu will provide reasonable technical assistance for a period of 30 days after you initiate the switching process. Switching charges, if any, will not exceed the cost directly incurred by Carsu in providing the switching assistance.

Carsu will not impose contractual, technical, or commercial barriers that inhibit switching or data portability beyond what is strictly necessary for security and data integrity purposes.

10. Intellectual Property

10.1 Carsu's IP

All content, software, technology, designs, trademarks, and materials on our Platform are the property of Carsu B.V. or its licensors and are protected by intellectual property laws. You are granted a limited, non-exclusive, non-transferable, revocable licence to use the Platform for its intended purpose during your Subscription.

10.2 Your Data and Aggregated Analytics

You retain all rights in the data you upload to the Platform. By uploading data, you grant Carsu a limited licence to process that data solely for the purpose of providing the Services.

Carsu may use and share anonymised, aggregated data (which cannot identify you, your End-Consumers, or individual transactions) for service improvement, industry analytics, market insights, research, and innovation purposes. Such data is aggregated at a level that ensures no individual workshop, end-consumer, or transaction can be identified.

Because the data is irreversibly anonymised before any external use or sharing, it falls outside the scope of GDPR (Recital 26). Recipients of aggregated insights are bound by written terms prohibiting re-identification. For full details, see Section 7.5 of our Privacy & Cookie Policy.

11. Acceptable Use Policy

You agree not to use the Platform to:

  • Send unsolicited marketing messages (spam) or messages without valid recipient consent;
  • Transmit content that is illegal, defamatory, threatening, harassing, or discriminatory;
  • Distribute malware, viruses, or other harmful code;
  • Attempt to gain unauthorised access to the Platform, other accounts, or connected systems;
  • Reverse engineer, decompile, or disassemble any part of the Platform;
  • Use the Platform for any purpose that violates applicable law, including data protection and anti-spam regulations;
  • Impersonate any person or entity, or misrepresent your affiliation;
  • Circumvent usage limits, rate limiting, or other technical restrictions.

Carsu reserves the right to suspend or terminate access for Users who violate this Acceptable Use Policy, in accordance with Section 13.

12. Indemnification

You agree to indemnify and hold harmless Carsu, its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, and expenses (including reasonable legal fees) arising from:

  • Your breach of these Terms or the Acceptable Use Policy;
  • Your use of the Platform in violation of applicable law;
  • Messages sent through the Platform on your behalf, including claims by End-Consumers or third parties relating to consent, content, or compliance;
  • Any claim that data you provided infringes third-party intellectual property or privacy rights.

13. Term, Suspension, and Termination

13.1 Term

Your Subscription begins on the Effective Date and continues for the agreed term (monthly or annual, as applicable), automatically renewing unless cancelled before the end of the current period.

13.2 Cancellation by You

You may cancel your Subscription at any time through your Account settings. Cancellation takes effect at the end of the current billing period. No pro-rata refunds are provided for unused portions of a billing period.

13.2a Switching to Alternative Provider (EU Data Act)

In accordance with the EU Data Act, you may terminate your Subscription for the purpose of switching to an alternative service provider by providing at least 2 months' written notice to [email protected]. During the notice period and for 30 days after termination, Carsu will provide reasonable technical assistance to facilitate the transition, including data export in standard formats (CSV, JSON) and documentation of data structures. Switching charges, if any, will be limited to costs directly incurred and disclosed in advance.

13.3 Suspension by Carsu

Carsu may suspend your access to the Platform immediately if:

  • We reasonably believe you are violating the Acceptable Use Policy;
  • Your Account is involved in suspected fraudulent activity;
  • Required to comply with a legal obligation or court order;
  • Your payment is overdue by more than 14 days.

We will notify you of any suspension and the reason for it as soon as practicable. Suspension does not terminate these Terms; we will restore access once the issue is resolved.

13.4 Termination for Cause by Carsu

Carsu may terminate your Account and these Terms if:

  • A material breach remains uncured for 30 days after written notice;
  • You engage in repeated Acceptable Use Policy violations;
  • You become insolvent or enter bankruptcy proceedings.

13.5 Post-Termination

Upon termination:

  • All unused trial Credits are forfeited immediately;
  • Purchased Credits for paid tiers are subject to the expiration rules in Section 6;
  • You may request data export within 12 months after termination (see Section 9.4);
  • After the 12-month post-termination period, all your data will be permanently deleted, except where retention is required by law.

14. Limitation of Liability

14.1 Exclusion of Indirect Damages

To the maximum extent permitted by applicable law, neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business, or goodwill, regardless of the cause of action or theory of liability.

14.2 Liability Cap

Carsu's total aggregate liability under or in connection with these Terms shall not exceed the total fees paid by you to Carsu in the twelve (12) months immediately preceding the event giving rise to the claim.

14.3 Exceptions

Nothing in these Terms excludes or limits liability for:

  • Death or personal injury caused by negligence;
  • Fraud or fraudulent misrepresentation;
  • Any liability that cannot be excluded or limited under applicable law, including GDPR obligations.

15. Force Majeure

Neither party shall be liable for any failure or delay in performing its obligations under these Terms where such failure or delay results from events beyond its reasonable control, including but not limited to: natural disasters, pandemics, acts of government, war, terrorism, power failures, internet outages, third-party platform failures (WhatsApp, Viber, SMS gateways, Stripe), and cyberattacks.

The affected party must notify the other party promptly and use reasonable efforts to mitigate the impact. If a Force Majeure event continues for more than 60 days, either party may terminate the affected Services upon written notice.

16. Warranties and Disclaimers

16.1 Carsu Warranties

Carsu warrants that:

  • The Platform will perform substantially in accordance with its documentation;
  • Services will be provided with reasonable skill and care;
  • Carsu will comply with applicable data protection law in its role as Controller or Processor.

16.2 Security and Vulnerability Disclosure

Carsu maintains a responsible vulnerability disclosure policy in accordance with the Cyber Resilience Act and industry best practices. Security researchers and Users may report vulnerabilities via our security.txt file at https://www.carsu.com/.well-known/security.txt or by emailing [email protected]. Carsu commits to acknowledging reports within 5 business days and providing a resolution timeline within 30 days.
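The disclosure channel above relies on a security.txt file, whose format is defined by RFC 9116: at least one Contact field, exactly one Expires timestamp, and optional fields such as Policy and Canonical. The following is an added example, not Carsu's code and not the contents of Carsu's actual file; it checks a constructed sample (all example.com addresses are placeholders) against those field rules so that a researcher or the publishing team can confirm the file is well-formed and not stale before relying on it.

```python
"""Check a security.txt file against the RFC 9116 field rules.

Added example: this is not Carsu's code, and the sample file below is
constructed for illustration (all example.com values are placeholders).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample file; every URL and address here is hypothetical.
SAMPLE = """\
# Security contact information (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en, nl
Policy: https://example.com/security-policy
Canonical: https://example.com/.well-known/security.txt
"""

# RFC 9116 requires Contact values to be URIs; these are the common schemes.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def _parse_ts(value):
    """Parse an RFC 3339 / ISO 8601 timestamp; naive values are taken as UTC."""
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_security_txt(text):
    """Split the file into (name, value) pairs plus a list of malformed lines.

    Field names are case-insensitive (RFC 9116 section 2.1) and are
    lowercased here. Comment lines start with '#'. A PGP cleartext
    signature wrapper is not stripped, so its lines are reported as malformed.
    """
    fields, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or not name or " " in name:
            malformed.append(line)
            continue
        fields.append((name.lower(), value.strip()))
    return fields, malformed


def check_security_txt(text, now_iso):
    """Return a list of findings; an empty list means every check passed.

    now_iso is the reference time as an ISO 8601 string, so the result is
    reproducible instead of depending on the wall clock.
    """
    now = _parse_ts(now_iso)
    findings = []
    fields, malformed = parse_security_txt(text)
    findings += [f"malformed line: {line!r}" for line in malformed]

    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        findings.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a mailto/https/tel URI: {c}")

    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        findings.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        try:
            exp = _parse_ts(expires[0])
        except ValueError:
            findings.append(f"Expires is not a valid timestamp: {expires[0]}")
        else:
            if exp <= now:
                findings.append(f"file expired on {expires[0]}")
            elif exp - now > timedelta(days=365):
                findings.append("Expires is more than a year out (RFC 9116 recommends less)")

    if sum(1 for n, _ in fields if n == "preferred-languages") > 1:
        findings.append("Preferred-Languages must appear at most once")
    return findings


if __name__ == "__main__":
    for finding in check_security_txt(SAMPLE, "2026-03-13T00:00:00Z") or ["OK"]:
        print(finding)
```

Run it against a file fetched from the /.well-known/security.txt path over HTTPS; an expired file or a bare e-mail address without the mailto: scheme is the most common defect in practice, and both are caught here. The reference time is passed in explicitly so the check can be scheduled and its result compared across runs.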

16.3 Disclaimer

Except as expressly stated in these Terms, the Platform is provided "as is" and "as available." Carsu makes no additional warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, or non-infringement. Carsu does not warrant that the Platform will be uninterrupted, error-free, or that all defects will be corrected.

17. Governing Law and Dispute Resolution

17.1 Governing Law

These Terms are governed by and construed in accordance with the laws of the Netherlands, without regard to conflict of law principles.

17.2 Dispute Resolution

The parties will first attempt to resolve any dispute through good-faith negotiation for a period of 30 days. If not resolved, disputes shall be submitted to the exclusive jurisdiction of the competent courts of Amsterdam, the Netherlands.

17.3 Regulatory Complaints

Nothing in these Terms prevents you from exercising your rights under GDPR or filing complaints with the relevant supervisory authority (see our Privacy & Cookie Policy for details).

18. General Provisions

18.1 Entire Agreement

These Terms, together with the Privacy & Cookie Policy and any applicable order form or DPA, constitute the entire agreement between you and Carsu regarding the use of the Platform. They supersede all prior agreements, representations, and understandings.

18.2 Severability

If any provision of these Terms is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

18.3 Assignment

You may not assign or transfer these Terms without Carsu's prior written consent. Carsu may assign these Terms in connection with a merger, acquisition, reorganisation, or sale of substantially all of its assets, provided the assignee agrees to be bound by these Terms.

18.4 Waiver

No failure or delay by either party in exercising any right under these Terms shall constitute a waiver of that right.

18.5 Notices

Notices to Carsu must be sent to [email protected] or by post to our registered address. Notices to you will be sent to the email address associated with your Account. Notices are deemed received upon delivery (email) or 5 business days after posting (mail).

18.6 Amendments

Carsu may amend these Terms with at least 30 days' written notice via email or Platform notification. Material changes will be highlighted. Continued use after the effective date constitutes acceptance. If you do not agree to an amendment, you may terminate your Subscription before the amendment takes effect.

19. Contact Us

Legal enquiries: [email protected]

General enquiries: [email protected]

Data Protection Officer: [email protected]

Security matters: [email protected]

Postal address: Carsu B.V., Harderwijkerweg 145, 3852 AB Ermelo, The Netherlands

By using our Platform, you acknowledge that you have read, understood, and agree to be bound by these Terms and Conditions.

ANNEX A

DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms an integral part of the Carsu Terms and Conditions ("Agreement") between Carsu B.V. ("Processor") and the User ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Services.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK General Data Protection Regulation ("UK GDPR").

A1. Definitions

Terms not defined in this DPA have the meanings given in the Agreement and in the GDPR. In this DPA:

  • "Controller Personal Data" means personal data that the Processor processes on behalf of the Controller in connection with the Services.
  • "Data Protection Laws" means the GDPR, UK GDPR, the ePrivacy Directive 2002/58/EC, the Italian Codice Privacy (D.Lgs. 196/2003 as amended), the Dutch UAVG, and any other applicable data protection legislation.
  • "Sub-Processor" means any third party engaged by the Processor to process Controller Personal Data on behalf of the Controller.

A2. Scope and Purpose of Processing

A2.1 Subject Matter

The Processor processes Controller Personal Data solely for the purpose of providing the Services under the Agreement, including workshop management, customer communications (WhatsApp, SMS, Viber), payment processing, and customer support.

A2.2 Duration

Processing continues for the duration of the Agreement and for such additional period as required to fulfil post-termination obligations (data export, deletion) as set out in the Agreement.

A2.3 Categories of Data Subjects

  • End-Consumers (customers of the Controller/workshop);
  • Employees and staff of the Controller (where relevant to platform use).

A2.4 Types of Personal Data

  • Contact details (names, phone numbers, email addresses);
  • Vehicle data (licence plates, make, model, type);
  • Service and maintenance records;
  • Appointment data;
  • Communication content (messages sent via the Platform);
  • Payment transaction identifiers (card details are processed by Stripe, not retained by Carsu).

A2.5 Nature of Processing

Collection, storage, retrieval, use, transmission (messaging), organisation, structuring, and erasure of Controller Personal Data as necessary to provide the Services.

A2.6 Anonymised and Aggregated Data

The Processor may process Controller Personal Data to generate anonymised, aggregated insights for sharing with third parties. Such processing occurs only after data has been irreversibly anonymised and aggregated at a level that ensures no individual workshop, end-consumer, or transaction can be identified or reverse-engineered from the output.

Once irreversibly anonymised, the resulting data falls outside the scope of GDPR (Recital 26) and this DPA. This processing is supported by the Processor's legitimate interest (Art. 6(1)(f)) and does not extend or modify the service delivery purposes listed in A2.1, but represents a distinct use of the underlying data after anonymisation. Recipients are bound by written terms prohibiting re-identification.

A3. Obligations of the Processor

The Processor shall:

  • Process Controller Personal Data only on documented instructions from the Controller, including with respect to transfers of personal data outside the EEA or UK, unless required to do so by EU or Member State law (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so);
  • Ensure that persons authorised to process Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: pseudonymisation and encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore access to personal data in a timely manner following an incident, and a process for regularly testing and evaluating the effectiveness of such measures;
  • Respect the conditions for engaging Sub-Processors as set out in Section A5;
  • Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to data subject requests;
  • Assist the Controller in ensuring compliance with data breach notification obligations (Articles 33 and 34 GDPR), data protection impact assessments (Article 35 GDPR), and prior consultation with supervisory authorities (Article 36 GDPR), taking into account the nature of processing and information available to the Processor;
  • At the choice of the Controller, delete or return all Controller Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage of the personal data;
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

A4. Obligations of the Controller

The Controller shall:

  • Ensure that it has a valid legal basis under Data Protection Laws for the processing of Controller Personal Data, including obtaining all necessary consents from Data Subjects where required;
  • Provide documented processing instructions to the Processor;
  • Be responsible for the accuracy, quality, and legality of Controller Personal Data provided to the Processor;
  • Comply with its obligations under Data Protection Laws, including maintaining its own privacy policy, responding to data subject requests (with Processor assistance), and notifying supervisory authorities of data breaches where required;
  • Ensure that messages sent to End-Consumers via the Platform comply with the ePrivacy Directive and applicable national electronic communications laws, including obtaining valid consent for marketing messages.

A5. Sub-Processors

A5.1 General Authorisation

The Controller grants the Processor a general written authorisation to engage Sub-Processors for the processing of Controller Personal Data, subject to the conditions in this Section A5.

A5.2 Current Sub-Processors

The current list of Sub-Processors is set out in Section 7.1 of the Privacy & Cookie Policy (available at https://www.carsu.com/privacy). As of the date of this DPA, the approved Sub-Processors are:

Sub-Processor                   Purpose                                Location
Microsoft Azure                 Cloud infrastructure and hosting       EU (West Europe)
Stripe                          Payment processing                     EU / US (SCC)
WhatsApp Business API (Meta)    Customer messaging                     EU / US (SCC)
Viber (Rakuten)                 Customer messaging                     EU / International (SCC)
Twilio                          SMS gateway                            EU / US (SCC)
Intercom                        Customer support and AI translation    US (SCC)
Anthropic                       AI services                            US (SCC)
Mailchimp (Intuit)              Email marketing                        US (SCC)
Mixpanel                        Product analytics                      US (SCC)

A5.3 Changes to Sub-Processors

The Processor shall notify the Controller via email or Platform notification at least 30 days before engaging a new Sub-Processor or replacing an existing one. Controllers on paid Subscriptions may subscribe to automatic sub-processor change notifications through their Account settings.

The notification shall include the identity and location of the proposed Sub-Processor, the nature of processing, and the categories of personal data involved. The Controller may object to the change within 14 days of receiving notice, providing written reasons on data protection grounds. If the Controller objects and the parties cannot resolve the objection within 30 days through good-faith discussion, the Controller may terminate the affected Services without penalty.

A5.4 Sub-Processor Obligations

The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less onerous than those set out in this DPA, including in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations.

A6. International Transfers

The Processor shall not transfer Controller Personal Data outside the EEA or UK unless:

  • The transfer is to a country recognised by the European Commission or UK Secretary of State (as applicable) as providing an adequate level of data protection; or
  • Appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) or, for UK transfers, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, supplemented by additional technical measures where required by a transfer impact assessment.

Where transfers to the United States are made, the Processor relies on SCCs (or UK IDTA where applicable) supplemented by technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and contractual restrictions on government access requests. The Processor shall conduct and maintain a transfer impact assessment for each transfer to a country not covered by an adequacy decision, and shall make such assessment available to the Controller upon request.

A7. Data Security

Without prejudice to Section A3, the Processor implements and maintains the following minimum security measures:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256);
  • Role-based access controls with principle of least privilege;
  • Multi-factor authentication for all administrative and platform access;
  • Regular vulnerability assessments and penetration testing;
  • Logging and monitoring of access to Controller Personal Data;
  • Incident response procedures with defined escalation paths;
  • Staff training on data protection and information security, conducted at least annually;
  • Business continuity and disaster recovery procedures.

A8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours, consistent with GDPR Article 33) upon becoming aware of a personal data breach affecting Controller Personal Data. Such notification shall include:

  • A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and records concerned;
  • The name and contact details of the Processor's Data Protection Officer or other contact point;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.

A9. Data Subject Rights

The Processor shall promptly (and in any event within 5 business days) notify the Controller if it receives a request from a data subject to exercise any of their rights under Data Protection Laws in relation to Controller Personal Data. The Processor shall not respond directly to the data subject unless authorised by the Controller or required by law.

The Processor shall provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subject requests, taking into account the nature of the processing and the information available to the Processor.

A10. Audit Rights

The Processor shall make available to the Controller, upon reasonable request (and no more than once per calendar year, unless a supervisory authority requires otherwise or a personal data breach has occurred), all information reasonably necessary to demonstrate compliance with this DPA.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to:

  • At least 30 days' written notice (unless required by a supervisory authority);
  • Reasonable scope and duration;
  • Confidentiality obligations regarding the Processor's proprietary information;
  • The auditor's compliance with applicable security policies.

If an audit reveals a material deficiency, the Processor shall remediate it within a reasonable timeframe agreed with the Controller, at the Processor's expense.

A11. Data Deletion and Return

Upon termination or expiry of the Agreement, the Processor shall, at the Controller's election:

  • Return all Controller Personal Data in a structured, commonly used, machine-readable format (CSV or JSON) within 30 days of request; or
  • Securely delete all Controller Personal Data within 60 days of the end of the 12-month post-termination data export window set out in the Agreement.

The Processor shall certify deletion in writing upon the Controller's request. The Processor may retain Controller Personal Data only to the extent required by applicable law, and shall inform the Controller of any such retention requirement, including the legal basis and the duration of required retention.

A12. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the Agreement (Section 14). Nothing in this DPA excludes or limits either party's liability for obligations under Data Protection Laws that cannot be limited by contract.

A13. Governing Law

This DPA is governed by the laws of the Netherlands, consistent with the Agreement. For matters relating to Data Protection Laws, the supervisory authority of the Controller's establishment (or, where the Controller is established outside the EEA, the Dutch Autoriteit Persoonsgegevens) shall have jurisdiction.

A14. Precedence

In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of Controller Personal Data. In all other respects, the Agreement governs.

This DPA takes effect on the date the Controller accepts the Agreement and remains in force for as long as the Processor processes Controller Personal Data.
