Legal

Data Processing Agreement (DPA)

How PimLayer processes personal data on behalf of your organisation, in accordance with the GDPR.

Last updated: 13 November 2025

This Data Processing Agreement (“DPA”) forms an integral part of the agreement between PimLayer BV, with registered office at Emiel Clauslaan 21a, 9800 Deinze, Belgium, VAT BE 0793.569.173 (“Processor”), and the customer that uses the PimLayer platform (“Controller”).

This DPA describes the conditions under which PimLayer processes personal data on behalf of the customer, in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and relevant Belgian legislation.

1. Subject of the processing

PimLayer processes personal data solely on the instructions of the customer, for the performance of the agreement, and for the purposes determined by the customer. The personal data is processed within the PIM platform and all associated services (support, hosting, logging, integrations).

2. Duration of the processing

The processing takes place during the term of the collaboration. After termination, data is deleted or returned in accordance with article 11 of this DPA.

3. Types of personal data

The processing may, depending on the use by the customer, include among others the following data: contact details (name, email, phone), user accounts, login and access logs, product information linked to persons (if applicable), and internal notes, workflows or metadata. The customer remains responsible for the types of data that are entered into PimLayer.

4. Categories of data subjects

Employees of the customer, suppliers or partners of the customer, and other persons whose data the customer enters into the platform.

5. Purposes of the processing

PimLayer processes personal data only for: providing access to the PIM platform, technical maintenance, hosting and security, support and customer service, monitoring and logging, the performance of integrations and API traffic, and legal obligations (for example accounting, security). PimLayer never uses data for its own purposes.

6. Obligations of PimLayer (Processor)

PimLayer undertakes to: process only in accordance with the written instructions of the customer, treat personal data confidentially, take appropriate technical and organisational security measures, restrict access to employees who strictly need it, engage subprocessors only with contractual safeguards, inform the customer of data breaches without undue delay, provide assistance to the customer with GDPR requests, allow audits within reason, and not process data outside the EU without valid GDPR mechanisms.

7. Security measures

PimLayer implements security at various levels, including: encryption of data in transit and at rest, firewalls and network segmentation, strong authentication and RBAC (role-based access control), continuity and back-up policy, log registration and monitoring, and regular security updates and vulnerability scans. A detailed description is available to customers on request.

8. Subprocessors

PimLayer may engage recognised third parties for hosting and infrastructure, email delivery, logging and monitoring, back-ups, and support tools. For each subprocessor, a data processing agreement (SCCs or equivalent) is concluded. A current list is available on request.

9. Data breach notification obligation

PimLayer will inform the customer without delay of any confirmed data breach relating to the processed personal data. This notification contains the nature of the incident, the presumed impact, the measures taken, and recommendations for the customer.

10. Rights of data subjects

PimLayer supports the customer in responding to GDPR requests such as: right of access, right to rectification, right to be forgotten, right to restriction, objection, and data portability. PimLayer responds only to requests that go through the customer.

11. End of the processing

Upon termination of the agreement, PimLayer deletes all personal data of the customer, within 30 days after discontinuation, unless longer retention is legally required. On request, PimLayer can provide an export of the data before termination. Back-up copies are automatically overwritten in accordance with the internal retention policy.

12. International transfers

If data is processed outside the EEA (for example by cloud providers), PimLayer guarantees an adequacy decision, SCCs (Standard Contractual Clauses), or an equivalent level of protection.

13. Liability

The liability of PimLayer remains limited to what has been contractually agreed between both parties. PimLayer is not responsible for data that the customer enters unlawfully, incorrect instructions from the customer, or security risks caused by external integrations that the customer manages itself.

14. Applicable law and competent court

This DPA is governed by Belgian law. Disputes fall under the jurisdiction of the courts of Ghent, Ghent division.

15. Contact

For questions about this DPA: PimLayer BV, Emiel Clauslaan 21a, 9800 Deinze, Belgium. VAT BE 0793.569.173. info@pimlayer.be, +32 (0)9 391 87 52.