Data Processing Agreement
Data Processing Agreement (DPA) pursuant to Article 28 of the GDPR
Last updated: May 2026 · Version 2.0
1. Introduction
This Data Processing Agreement (hereinafter, the "DPA") is entered into between:
The Data Controller (Customer)
The entity that contracts TraceWeave's services and determines the purposes and means of the processing of personal data.
The Data Processor (TraceWeave)
TraceWeave SL, with registered office in Seville, Spain, represented by Rafael Rodríguez (Sole Director), which processes personal data on behalf of the Controller.
This DPA supplements the Terms and Conditions and sets out TraceWeave's obligations as Data Processor pursuant to Article 28 of the General Data Protection Regulation (GDPR).
2. Definitions
Personal Data
Any information relating to an identified or identifiable natural person pursuant to Article 4(1) of the GDPR.
Processing
Any operation performed on personal data (collection, recording, organisation, structuring, storage, adaptation, retrieval, disclosure, etc.) pursuant to Article 4(2) of the GDPR.
Data Subject
A natural person whose personal data are subject to processing.
Personal Data Breach
Any breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data, or the unauthorised disclosure of, or access to, such data.
Sub-processor
Another processor engaged by TraceWeave to carry out specific processing activities on behalf of the Controller.
3. Subject Matter and Duration
3.1 Subject Matter of the Processing
TraceWeave shall process personal data on behalf of the Controller solely for:
- Provision of the SaaS platform for managing Digital Product Passports (DPP).
- Storage and management of user, product, material and supplier data.
- Technical support and customer service.
- Service improvement through aggregated and anonymous analysis.
3.2 Nature and Purpose of the Processing
| Data Category | Purpose |
|---|---|
| Identification data (name, email) | User account management |
| Company data (tax ID, registered address) | Billing and contractual compliance |
| Browsing data (IP, cookies) | Security and web analytics |
| Product and supplier data | Provision of the DPP service |
3.3 Categories of Data Subjects
- Employees and collaborators of the Controller (platform users)
- Legal representatives and points of contact of suppliers
- Website visitors (browsing data only)
3.4 Duration
This DPA remains in force for as long as the Controller uses TraceWeave's services and for the period necessary to fulfil the data return or deletion obligations (Section 11).
4. Processor Obligations
TraceWeave, as Data Processor, undertakes to:
4.1 Documented Instructions
Process personal data solely on the documented instructions of the Controller, including transfers of data to third countries. If TraceWeave considers that an instruction infringes the GDPR, it shall immediately inform the Controller.
4.2 Confidentiality
Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security of Processing
Apply the appropriate technical and organisational measures pursuant to Article 32 of the GDPR (see Section 6).
4.4 Sub-processors
Not engage another processor without prior specific or general written authorisation from the Controller (see Section 5).
4.5 Assistance to the Controller
Assist the Controller, taking into account the nature of the processing, in ensuring compliance with the obligations relating to security, breach notification, impact assessments and prior consultations with the supervisory authority.
4.6 Records of Activities
Maintain a record of all categories of processing activities carried out on behalf of the Controller, pursuant to Article 30(2) of the GDPR.
5. Sub-processors
5.1 General Authorisation
The Controller grants TraceWeave general authorisation to engage sub-processors. TraceWeave shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.
The Controller may object to such changes on justified grounds relating to data protection within 15 days of the notification. If the Controller objects, TraceWeave shall refrain from engaging the sub-processor or, where this is not possible, the Controller may suspend or terminate the contract in accordance with the Terms and Conditions.
5.2 List of Sub-processors
TraceWeave maintains an up-to-date list of sub-processors available at:
View List of Sub-processors
5.3 Contractual Obligations
TraceWeave shall impose on sub-processors, by means of a contract, the same data protection obligations as those set out in this DPA, in particular the provision of sufficient guarantees to implement appropriate technical and organisational measures. TraceWeave shall remain fully liable to the Controller for the sub-processor's performance.
6. Security Measures
TraceWeave implements the following technical and organisational measures pursuant to Article 32 of the GDPR:
6.1 Encryption
- Encryption in transit via TLS for all client-server communications.
- Encryption at rest at the infrastructure level for data stored in the database and object storage.
- Key management delegated to the infrastructure providers in accordance with their documented rotation schedules.
6.2 Access Control
- Role-based access control (RBAC) authorisation model with segregation by organisation.
- Principle of least privilege for administrative accounts.
- Multi-factor authentication available via the identity provider and enforceable by configuration at the organisation level on the plans that support it.
- Traceability of administrative access in the infrastructure provider's logs.
6.3 Infrastructure Protection
- Edge layer managed by the hosting provider with protection against anomalous traffic.
- Logical multi-tenant isolation at the database level via row-level security (RLS) rules.
- Continuous monitoring of errors and exceptions in production with personal data scrubbing.
6.4 Backups
- Backups managed by the database provider according to the policy of its plan, with encryption at rest and point-in-time restore capability.
- Restoration procedure documented internally and reviewed periodically.
6.5 Staff Training
Staff with access to personal data sign a confidentiality commitment and receive initial training on data protection and incident handling. Training is updated when there are material changes to internal policies, procedures or applicable regulations.
7. Data Subject Rights
TraceWeave shall assist the Controller, as far as possible, through appropriate technical and organisational measures, so that the Controller can respond to requests for the exercise of the data subject rights set out in Chapter III of the GDPR:
| Right | TraceWeave's Assistance | Timeframe |
|---|---|---|
| Access (Art. 15) | Export of the data subject's data | 5 business days |
| Rectification (Art. 16) | Modification of incorrect data | 3 business days |
| Erasure (Art. 17) | Permanent deletion of data | 5 business days |
| Restriction (Art. 18) | Temporary blocking of processing | 3 business days |
| Portability (Art. 20) | Export in CSV/JSON format | 7 business days |
| Objection (Art. 21) | Cessation of specific processing | 3 business days |
The Controller must channel data subject requests through hola@traceweave.eu. TraceWeave will not respond directly to data subject requests without the Controller's authorisation.
8. Personal Data Breach Notification
8.1 Notification Obligation
TraceWeave shall notify the Controller without undue delay after becoming aware of a personal data breach, and in any event within 72 hours.
8.2 Content of the Notification
The notification shall include, as a minimum:
1. A description of the nature of the breach (categories and approximate number of data subjects and records affected)
2. Contact details of TraceWeave's data protection contact (hola@traceweave.eu)
3. A description of the likely consequences of the breach
4. Measures taken or proposed to remedy the breach and mitigate its possible adverse effects
8.3 Cooperation
TraceWeave shall cooperate fully with the Controller and provide all additional information reasonably necessary to enable the Controller to comply with its obligations to notify the supervisory authority and the data subjects pursuant to Articles 33 and 34 of the GDPR.
9. International Data Transfers
9.1 Location of the Data
Personal data are stored and processed primarily on servers located in the European Union (Frankfurt, Germany region). TraceWeave will not transfer personal data to third countries outside the EEA without:
- Prior written consent of the Controller, AND
- Appropriate safeguards pursuant to Article 46 of the GDPR (European Commission standard contractual clauses, adequacy decision, etc.)
9.2 Standard Contractual Clauses (SCCs)
In the event of authorised international transfers, TraceWeave shall enter into the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and carry out a Transfer Impact Assessment (TIA) where necessary.
9.3 International Sub-processors
Some sub-processors may operate from third countries (see List of Sub-processors). In these cases:
- The sub-processors are certified under recognised frameworks (EU-US Data Privacy Framework, Swiss-US DPF)
- SCCs have been entered into with all sub-processors outside the EEA
- TraceWeave has carried out a TIA and no risks preventing the transfer have been identified
10. Audits and Inspections
10.1 Right to Audit
TraceWeave shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor authorised by it.
10.2 Evidence of Compliance
Upon the Controller's reasoned request, TraceWeave shall make available the following documentary evidence in line with the company's maturity level and the contracted plan:
- Documented description of the technical and organisational measures applied (this Section 6 of the DPA, together with the internal documentation supporting it).
- Up-to-date list of sub-processors with their own safeguards and certifications (SCCs, EU-US Data Privacy Framework, ISO 27001 / SOC 2 of the sub-processor where applicable).
- Summary of the Record of Processing Activities (Art. 30 GDPR) as it relates to the service provided to the Controller.
- TraceWeave's own certifications (e.g. ISO 27001, SOC 2, periodic third-party penetration testing) will be added to this list transparently once obtained, in accordance with the company's security roadmap. TraceWeave does not claim to hold certifications that have not yet been formally issued.
10.3 Audit Procedure
The Controller must:
1. Notify TraceWeave at least 30 days in advance
2. Limit the audit to a maximum of once a year (except in the event of serious security incidents or a requirement from a supervisory authority)
3. Sign a prior confidentiality agreement (NDA)
4. Conduct the audit during business hours while minimising operational disruption
5. Bear TraceWeave's reasonable costs in accordance with the contracted plan
11. Return and Deletion of Data
11.1 Upon Termination of the Contract
At the Controller's choice, TraceWeave shall:
Option A: Return
Provide all personal data in a structured, commonly used and machine-readable format (CSV, JSON) within 30 days of termination.
Option B: Deletion
Securely and irreversibly delete all personal data within 90 days of termination, subject to the Controller's written confirmation.
11.2 Certificate of Deletion
TraceWeave shall issue a certificate signed by the Sole Director confirming the complete deletion of personal data, including all backups, within 30 days of the effective deletion.
11.3 Legal Exceptions
TraceWeave may retain personal data only to the extent and for the period required by applicable law (e.g. tax, accounting or audit obligations). Such data shall be kept isolated, with restricted access, and shall be deleted at the end of the legal retention period.
12. Liability and Indemnification
12.1 Liability for Damages
Pursuant to Article 82 of the GDPR, TraceWeave shall be liable for the damage caused by the processing only where it has not complied with the obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Controller.
12.2 Limitation of Liability
TraceWeave's total liability arising from this DPA (including fines, penalties or compensation for GDPR breaches) shall be limited in accordance with the specific terms of the contracted plan.
This limitation does not apply in the event of wilful misconduct or gross negligence on the part of TraceWeave.
12.3 Indemnification
The Controller shall indemnify TraceWeave against claims arising from: (a) the Controller's instructions that infringe the GDPR, (b) content uploaded by the Controller that violates the rights of third parties, or (c) the Controller's failure to comply with its obligations under the GDPR as data controller.
13. Duration and Termination
This DPA enters into force on the date of acceptance of the Terms and Conditions and shall remain in force for as long as TraceWeave processes personal data on behalf of the Controller.
Grounds for Termination
- Termination of the main services contract (Terms and Conditions)
- By either party, with 30 days' written notice, if the other party materially breaches this DPA and fails to remedy it within 15 days of notification
- Immediately, by the Controller, if TraceWeave breaches the security obligations (Section 6) or breach notification obligations (Section 8)
Termination shall not release either party from the obligations accrued during the term of the DPA, nor shall it affect the sections that by their nature must survive (Sections 11, 12, 14).
14. Data Protection Contact
TraceWeave SL is not required to designate a Data Protection Officer pursuant to Article 37 of the GDPR or Article 34 of the LOPDGDD. For queries, requests or notifications relating to this DPA, please contact TraceWeave SL directly:
Data protection contact: TraceWeave SL
Postal address: TraceWeave SL — Attn: Privacy, Seville, Spain
Committed response time: TraceWeave will respond to all communications from the Controller relating to this DPA within a maximum of 5 business days.
Need a signed copy of the DPA?
Enterprise plan customers can request a signed version of the DPA and the SCCs.