Data Processing Agreement

Name: Lazentis Object Storage
Brand: Lazentis
Availability: InStock

Last updated: January 29, 2026

This Data Processing Agreement, together with the Terms and Conditions, forms an integral part of every agreement regarding services between Lazentis B.V. and the Client, where personal data is processed.

Article 1. Definitions

Article 10. Auditing

10.1. The Controller may have an audit carried out once a year at most by an independent expert third party bound by confidentiality, on condition of a substantiated suspicion of violation of this Data Processing Agreement communicated in writing to the Processor.

10.2. If an audit by an independent third party has already been carried out in a year, the Processor may, contrary to what is regulated in the preceding paragraph, suffice with providing access to the relevant parts of the report, if another audit of compliance with the obligations of the Processor in the Data Processing Agreement is requested within the same year.

10.3. The Processor and Controller jointly decide on the date, time and scope of the audit.

10.4. The reasonable costs of cooperating with the audit shall be borne by the Controller, provided that the costs of the independent third party to be engaged shall always be borne by the Controller.

10.5. The audit and its results shall be treated confidentially by the Controller.

Article 11. Liability

11.1. The liability limitations from the Processor's Terms and Conditions apply in full to this agreement.

11.2. The Controller indemnifies the Processor against all claims from third parties and administrative fines resulting from the Controller's non-compliance with the GDPR.

Article 12. Duration and Termination

12.1. The duration of this agreement is linked to the duration of the service.

12.2. After the end of the services, the Processor will, without undue delay, delete or transfer the data, at the choice and expense of the Controller, unless legislation requires further retention.

1.1. In this agreement, terms such as 'Personal Data', 'Processor', 'Controller' and 'Data Subject' have the meaning attributed to them in the General Data Protection Regulation (GDPR).

1.2. The Client is designated as the Controller, regardless of whether they themselves are a processor towards their clients.

1.3. Lazentis B.V. is designated as the Processor.

Article 2. Purposes of processing

2.1. The Processor commits under the conditions of this Data Processing Agreement to process personal data on behalf of the Controller. This processing takes place exclusively in the context of the execution of the assignment and purposes reasonably related thereto.

2.2. The Processor primarily offers technical infrastructure. The Processor will in principle not access the personal data.

2.3. Due to the nature of the services, all data streams that the Controller places on the systems are processed in an automated manner.

Article 3. Obligations of the Processor

3.1. The Processor uses the personal data solely for the execution of the assignment as described in Article 2 and refrains from processing for its own commercial purposes.

3.2. The Processor carries out the work in accordance with the requirements of the GDPR and under the express (final) responsibility of the Controller. If a specific instruction is, in the opinion of the Processor, in conflict with the law, it shall consult the Controller without delay.

3.3. Insofar as technically and operationally possible, the Processor provides support with the legal privacy obligations of the Controller (such as a DPIA). The Processor is entitled to charge the hours involved at its applicable rates.

3.4. The Controller warrants that the content, use and instruction for processing of personal data, as intended in this Data Processing Agreement, is not unlawful and does not infringe any rights of third parties and indemnifies the Processor against all claims related thereto.

Article 4. Transfer and Location

4.1. The processing of data takes place within the borders of the European Economic Area (EEA).

4.2. Transfer outside the EEA is only permitted if the specific safeguards required by the GDPR for an adequate level of protection are met.

4.3. The Processor provides insight into the relevant regions upon request.

Article 5. Engagement of third parties

5.1. The Processor is authorized to engage specialized suppliers (sub-processors) for the (technical) execution of the agreement.

5.2. At the request of the Controller, the Processor shall inform the Controller as soon as possible about the sub-processors engaged by it. The Controller may, within a period of fourteen days, object in writing and with reasons to this change, after which the parties shall enter into consultation.

5.3. The Processor ensures that agreements are made with sub-processors that offer at least the same level of data protection as this agreement.

Article 6. Confidentiality

6.1. The Processor has a duty of confidentiality regarding personal data provided by the Controller in the context of this Data Processing Agreement.

6.2. The duty of confidentiality does not apply insofar as the Controller expressly gives permission to provide the information to third parties, providing the information to third parties is logically necessary for the execution of the assignment or if the information is provided pursuant to a legal obligation.

Article 7. Security

7.1. The Processor shall endeavor to take appropriate technical and organizational measures to protect processed personal data of the Controller against loss or against any form of unlawful processing.

7.2. At the request of the Controller, the Processor shall provide information about the security measures taken. The Processor has at least taken the following measures:

Logical access control (authentication and authorization)
Physical measures for access security

7.3. The Processor does not guarantee that the security is effective under all circumstances. The Processor will endeavor to ensure that the security meets a level that, in view of the state of technology, the sensitivity of the personal data and the costs associated with taking security measures, is not unreasonable.

7.4. The Controller shall only make personal data available to the Processor for processing if the Controller has ensured that the required security measures have been taken. The Controller is responsible for compliance with the measures agreed by the Parties.

Article 8. Data breach notification obligation

8.1. In the event of a detected breach involving personal data, as referred to in Article 4(12) of the GDPR, the Processor shall notify the Controller without undue delay.

8.2. The Processor provides all relevant details about the nature and scope of the incident, insofar as known, so that the Controller can timely fulfill its legal notification obligation to supervisory authorities.

8.3. The notification obligation includes at least:

The nature of the breach
The (known or expected) consequences of the breach
The proposed and already undertaken measures to limit the consequences
Contact details for follow-up of the notification

Article 9. Rights of Data Subjects

9.1. Requests from data subjects who wish to exercise their rights are forwarded by the Processor to the Controller for further handling. The Processor informs data subjects of this.

9.2. If it appears that the Controller needs help from the Processor for the execution of a request from a data subject, the Processor will cooperate as far as possible and reasonable and may charge reasonable costs to the Controller for this.