A. Processor operates, under the trading name ModbusCloud, a B2B SaaS IoT portal enabling installers (the Controller) to remotely monitor, analyse and control Modbus equipment of their end customers via the so-called MCG-1 gateway (the "Platform").
B. Controller has entered into an agreement with Processor governing the access to and use of the Platform, including the applicable general terms and conditions (hereinafter: the "Main Agreement").
Data Processing Agreement ModbusCloud | ModbusCloud
C. In the context of the performance of the Main Agreement, Processor processes personal data on behalf of and by instruction of Controller, as a result of which Controller qualifies as "controller" and Processor as "processor" within the meaning of Article 4 of the General Data Protection Regulation (hereinafter: "GDPR").
D. Pursuant to Article 28(3) GDPR, the Parties are required to set out in writing, in a data processing agreement, their mutual rights and obligations regarding the processing of personal data.
E. This data processing agreement (hereinafter: "Data Processing Agreement" or "DPA") is intended to ensure careful, lawful and transparent processing of personal data by Processor, fitting within the framework of the GDPR and the relevant guidelines of the European Data Protection Board (EDPB Guidelines 07/2020 and Opinion 22/2024).
F. To the extent that personal data are transferred to countries outside the European Economic Area (EEA) that are not covered by an adequacy decision, the Parties apply the Standard Contractual Clauses of the European Commission (Implementing Decision (EU) 2021/914 of 4 June 2021) as an appropriate safeguard within the meaning of Article 46 GDPR.
G. Unless the Main Agreement provides otherwise, this Data Processing Agreement enters into force on the effective date of the Main Agreement and forms an integral part thereof.
H. The Parties intend this Data Processing Agreement to be separately executable, with the understanding that the Main Agreement continues to apply in full.
The terms used with a capital letter in this Data Processing Agreement have the following meaning. Terms that are not defined have the meaning assigned to them in the GDPR.
1.1 GDPR: the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
1.2 Personal Data: all information relating to an identified or identifiable natural person that Processor processes on behalf of Controller in the context of the Main Agreement, as further specified in Annex 1.
1.3 Special Categories of Personal Data: personal data as referred to in Article 9 GDPR (special categories) and Article 10 GDPR (data relating to criminal convictions and offences).
1.4 Data Subject: the identified or identifiable natural person to whom the Personal Data relate.
1.5 Processing: any operation or set of operations performed on Personal Data as referred to in Article 4(2) GDPR.
1.6 Controller: the party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, being in this Data Processing Agreement the installer.
1.7 Processor: the party that processes Personal Data on behalf of the Controller, being Avanta Systems (trading as ModbusCloud).
1.8 Sub-processor: any third party engaged by Processor that processes Personal Data on behalf of Controller by instruction of Processor.
1.9 Personal Data Breach: a breach in connection with Personal Data as referred to in Article 4(12) GDPR, being a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data that are processed.
1.10 SCC: the Standard Contractual Clauses set out in the annex to Implementing Decision (EU) 2021/914 of the European Commission of 4 June 2021, including Modules 2 and 3 for the transfer of data to third countries.
1.11 Main Agreement: the agreement concluded between the Parties concerning the supply and use of the Platform (ModbusCloud SaaS), including the general terms and conditions applicable thereto (the "GTC").
1.12 Platform: the ModbusCloud SaaS portal (accessible via, among others, modbuscloud.com and portal.modbuscloud.com), including the associated backend systems, APIs and the MCG-1 gateway.
1.13 TOMs: the technical and organisational measures within the meaning of Article 32 GDPR, as further described in Annex 2.
1.14 Transfer: any transfer of Personal Data to a party outside the EEA within the meaning of Chapter V GDPR.
1.15 EEA: the European Economic Area, being the Member States of the European Union together with Norway, Iceland and Liechtenstein.
1.16 DPF: the EU-U.S. Data Privacy Framework, adopted by Implementing Decision (EU) 2023/1795 of the European Commission of 10 July 2023, on the basis of which transfers to U.S. organisations certified under the DPF are permitted without additional safeguards.
2.1 This Data Processing Agreement governs the Processing of Personal Data by Processor in the context of the supply of the Platform to Controller pursuant to the Main Agreement.
2.2 The subject matter, the nature, the purpose, the duration of the Processing, the categories of Data Subjects and the categories of Personal Data are specified in Annex 1 (Specification of processing).
2.3 Processor processes Personal Data solely for the purpose of performing the Main Agreement and this Data Processing Agreement, and solely to the extent necessary to fulfil its obligations towards Controller.
3.1 The Parties acknowledge and confirm that, with respect to the Processing of Personal Data in the context of the Main Agreement, Controller acts as controller within the meaning of Article 4(7) GDPR, and that Processor, with respect to such Processing, acts as processor within the meaning of Article 4(8) GDPR.
3.2 This division of roles follows the EDPB Guidelines 07/2020 on the concepts of controller and processor, whereby Controller determines the purposes (the "why") and the essential means (the "how") of the Processing, and Processor acts solely on the basis of the instructions of Controller.
3.3 This Data Processing Agreement constitutes a further elaboration of Article 10 (or the corresponding privacy article) of the GTC to the Main Agreement.
3.4 For Processor's own processing activities (including invoicing, accounts receivable, account management of the installer, marketing towards users of the Platform and statutory tax retention obligations), Processor acts as an independent controller. Such processing is not governed by this Data Processing Agreement, but by the privacy statement of Processor, available at modbuscloud.com.
4.1 Processor processes Personal Data solely on the basis of written (including electronic) instructions from Controller, unless required to do so by a Union or Member State law applicable to Processor. In that case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such notification on important grounds of public interest.
4.2 The Main Agreement, the GTC, this Data Processing Agreement and the configuration of the Platform (including account settings, access rights and API configuration) constitute the written instructions of Controller. Additional instructions must be provided in writing (including by email to privacy@modbuscloud.com).
4.3 If Processor is of the opinion that an instruction of Controller infringes the GDPR or other applicable data protection legislation, Processor shall notify Controller thereof without undue delay and may suspend execution of the relevant instruction until Controller has confirmed, amended or withdrawn it.
4.4 Processor ensures that its Processing complies with the GDPR and other applicable laws and regulations regarding the protection of Personal Data.
5.1 Processor undertakes to maintain confidentiality of the Personal Data that it processes on behalf of Controller.
5.2 Processor ensures that the persons who process Personal Data under its authority (including employees, contractors and Sub-processors) are bound by a contractual or statutory duty of confidentiality.
5.3 The duty of confidentiality shall remain in force after termination of this Data Processing Agreement, to the extent that the Personal Data concerned retain their confidential character.
6.1 Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk within the meaning of Article 32 GDPR. These measures are further elaborated in Annex 2 (TOMs).
6.2 In assessing the appropriate level of security, Processor takes into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing, and the likelihood and severity of the varying risks to the rights and freedoms of Data Subjects.
6.3 Processor evaluates the measures periodically (at least once per year) and adapts them where necessary to developments in the state of the art, the threat landscape and the nature of the Processing. Processor shall not amend the measures in such a way that the level of security falls substantially below the level at the time of conclusion of this Data Processing Agreement.
6.4 Controller agrees that the measures described in Annex 2 are appropriate for the Processing described in Annex 1.
7.1 Controller hereby grants Processor a general written authorisation (within the meaning of Article 28(2) GDPR) for engaging Sub-processors for the performance of the Main Agreement. The Sub-processors known as at the effective date of this Data Processing Agreement are listed in Annex 3 (Sub-processors).
7.2 Processor maintains an up-to-date list of Sub-processors, published at modbuscloud.com/dpa/subverwerkers. Processor shall notify Controller at least 30 days in advance of the engagement of a new Sub-processor or the replacement of an existing Sub-processor, by publication on the aforementioned webpage and, at Controller's request, additionally by email to the contact address provided by Controller.
7.3 Controller has the right, within 30 days of receipt of the notification, to object on substantiated grounds to the engagement of a new Sub-processor, if and insofar as the envisaged sub-processing is not in accordance with the GDPR. In that case, the Parties shall consult in good faith to reach an appropriate solution. If the Parties fail to reach agreement, Controller is entitled to terminate the Main Agreement and this Data Processing Agreement for the part relating to the disputed sub-processing, without being liable for consequential damages.
7.4 If Processor engages a Sub-processor, it shall impose on that Sub-processor by written agreement (flowdown) the same data protection obligations as those arising for Processor from this Data Processing Agreement and the GDPR, in particular with regard to the appropriate technical and organisational measures and the transfer of Personal Data outside the EEA.
7.5 Processor remains fully responsible towards Controller for the performance of the obligations by the Sub-processor, in accordance with Article 28(4) GDPR.
7.6 At Controller's request, Processor shall reasonably provide information to substantiate the sufficient guarantees offered by the Sub-processor, in line with EDPB Opinion 22/2024.
8.1 If a Data Subject contacts Processor directly with a request to exercise his or her rights pursuant to Articles 15 to 22 GDPR (including access, rectification, erasure, restriction, data portability and objection), Processor shall not handle such request substantively on its own, but shall forward it to Controller without undue delay, unless Processor is required to act independently under the GDPR.
8.2 Processor shall, taking into account the nature of the Processing, provide reasonable assistance to Controller by appropriate technical and organisational measures in fulfilling its obligation to respond to requests from Data Subjects.
8.3 Standard functionality in the Platform (including export, access to account data, deletion of user accounts) is part of the regular service. For exceptional, burdensome or individual requests that require considerable effort from Processor, Processor is entitled to charge reasonable costs to Controller at its then applicable rates, after prior cost indication.
9.1 Processor shall, at Controller's request, provide reasonable assistance in carrying out a data protection impact assessment (DPIA) as referred to in Article 35 GDPR, to the extent that this relates to the Processing under this Data Processing Agreement.
9.2 Processor shall also provide reasonable assistance in any prior consultation of the supervisory authority as referred to in Article 36 GDPR.
9.3 Such assistance shall include, among other things, the provision of documentation concerning the Platform, the security measures and the engaged Sub-processors, insofar as this information is reasonably necessary for the DPIA or prior consultation and is also in Processor's possession.
9.4 Article 8.3 applies mutatis mutandis to the cost of assistance that substantially exceeds the regular service.
10.1 Processor shall inform Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach, providing all relevant information then known.
10.2 The notification shall contain at least the following elements, to the extent known at that time:
the nature of the Personal Data Breach, including, where possible, the categories and (estimated) number of Data Subjects and Personal Data records concerned;
the likely consequences of the Personal Data Breach;
the measures that Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures to mitigate any adverse effects;
the contact details of the officer or contact person from whom Controller can obtain further information.
10.3 If it is not possible to provide all information at the same time, Processor shall provide it in phases without undue delay.
10.4 Processor shall provide reasonable assistance to Controller in complying with its obligations under Articles 33 and 34 GDPR, including any notification to the Dutch Data Protection Authority (AP) and communication with Data Subjects.
10.5 Processor is not authorised to independently notify Personal Data Breaches to the supervisory authority or to Data Subjects on behalf of Controller, unless Controller has expressly instructed it in writing to do so.
10.6 Processor documents all Personal Data Breaches, the facts, the consequences and the corrective measures taken, in an internal data breach register.
11.1 Processor shall enable Controller to verify compliance with this Data Processing Agreement by means of an audit, and shall reasonably cooperate therein, in accordance with Article 28(3)(h) GDPR.
11.2 Controller is entitled to conduct, or have conducted, an audit not more than once per calendar year by an independent, qualified third party (not being a direct competitor of Processor), provided that such third party is bound by an appropriate non-disclosure obligation (NDA) in favour of Processor.
11.3 The audit shall be announced in writing at least 30 days in advance, shall take place during regular office hours and shall be conducted in such a way that Processor's business operations are not unnecessarily disrupted. Audits shall not target other customers of Processor nor the underlying source code of Processor.
11.4 The costs of the audit shall be borne by Controller. If the audit reveals that Processor is materially in breach of this Data Processing Agreement, the reasonable costs of the audit shall be borne by Processor and Processor shall take corrective measures at its own expense.
11.5 To limit the administrative burden, Processor is entitled to reasonably comply with its audit obligations by referring to recent (not older than 24 months) external audit reports, certifications or assurance reports of engaged suppliers or of Processor itself, such as ISO 27001, SOC 2 Type II or equivalent. If these reports sufficiently cover the subject matter, the audit obligation referred to in paragraph 1 shall thereby be deemed to have been fulfilled.
11.6 An additional (on-site) audit is possible if Controller can demonstrate with reasons that the reports referred to in paragraph 5 are insufficient to establish compliance, or if there is cause to do so in response to a Personal Data Breach.
11.7 The findings of the audit shall be presented to Processor in a draft report, on which Processor shall reasonably be given the opportunity to respond before the report is finalised.
12.1 Processor shall only have Personal Data processed outside the EEA to the extent that there is a valid transfer basis under Chapter V GDPR, including, where applicable, an adequacy decision (including the DPF), the Standard Contractual Clauses (SCC) or Binding Corporate Rules.
12.2 The specific transfer safeguards per Sub-processor are set out in Annex 3. The detailed conditions for transfers based on the SCC are set out in Annex 4 (SCC transfer), which forms an integral part of this Data Processing Agreement.
12.3 For transfers to U.S. recipients certified under the DPF, Processor relies primarily on the adequacy decision of the European Commission of 10 July 2023 (Implementing Decision (EU) 2023/1795). As a precaution, and in order to provide an additional safeguard in the event of any changes to the DPF, the Parties also conclude SCC Module 2 and Module 3 as set out in Annex 4.
12.4 Processor carries out a Transfer Impact Assessment where necessary and takes additional measures where appropriate (such as encryption and pseudonymisation) to ensure an essentially equivalent level of protection.
13.1 Upon termination of the Main Agreement or this Data Processing Agreement, and at the first request of Controller, Processor shall, at Controller's choice, either:
return all Personal Data to Controller in a commonly used and machine-readable format; or
destroy them, unless storage of the Personal Data is required under Union or Member State law.
13.2 The choice referred to in paragraph 1 must be communicated by Controller in writing within 30 days of termination. If Controller does not make a choice within that period, Processor shall, after a reasonable additional period (in principle a further 30 days), proceed with deletion, following a prior reminder.
13.3 Processor shall, upon request, provide written confirmation of the return or destruction, stating the date and the scope thereof.
13.4 Back-ups shall be phased out in accordance with the regular retention schedule of the engaged hosting providers (such as Supabase PITR). Until that moment, the Personal Data in the back-ups remain secured and inaccessible for active use.
13.5 The statutory retention periods imposed on Processor (such as the tax retention obligation for invoice and accounting data) take precedence over this article, whereby the Personal Data concerned are retained solely for that statutory purpose.
14.1 The liability of the Parties under this Data Processing Agreement is limited in accordance with the liability provisions in the GTC to the Main Agreement (including the liability caps and exclusions), to the extent permitted by mandatory law.
14.2 Without prejudice to the provisions of paragraph 1, Article 82 GDPR remains fully applicable. This means that the Parties may be jointly and severally liable vis-à-vis Data Subjects for the full damage, in order to ensure effective compensation for the Data Subject.
14.3 A Party that has paid more than corresponds to its share of responsibility for the damage has, in accordance with Article 82(5) GDPR, a right of recourse against the other Party for the portion owed by that other Party.
14.4 In the mutual relationship between the Parties, each Party is liable for the damage insofar as it is the result of its own act or omission in breach of the GDPR or this Data Processing Agreement.
14.5 Fines imposed by the supervisory authority on a specific Party for infringements that are solely attributable to that Party shall be borne by that Party, without prejudice to any right of recourse.
15.1 In the event of a serious, attributable breach by Processor of the core obligations under this Data Processing Agreement (including in particular the obligations under Articles 4, 6, 7, 10 and 12) that is not remedied within 30 days of written notice of default, Processor shall incur an immediately payable penalty of EUR 5,000 per breach, increased by EUR 500 per day the breach continues, up to a maximum of EUR 25,000 per breach and an overall maximum of EUR 50,000 per calendar year.
15.2 This penalty is without prejudice to Controller's right to additionally claim performance, dissolution or additional or substitute damages, with the understanding that the penalty shall be deducted from any awarded damages.
15.3 The total financial liability of Processor (including the penalty under this article and the damages under Article 14) is limited to the liability cap set out in the GTC, except in cases where no reliance can be placed on limitation by mandatory law (such as intent or wilful recklessness of Processor's management).
16.1 This Data Processing Agreement enters into force on the effective date of the Main Agreement (or, if this Data Processing Agreement is signed at a later time, on the date of last signature) and continues for as long as the Main Agreement is in force.
16.2 Termination of the Main Agreement, for whatever reason, shall automatically result in termination of this Data Processing Agreement, with the exception of those provisions which by their nature are intended to survive termination (including confidentiality, return or deletion of data, liability and governing law).
16.3 Termination of this Data Processing Agreement does not affect Processor's obligations to return or delete Personal Data (Article 13).
16.4 The Parties may dissolve this Data Processing Agreement in writing (in whole or in part) with immediate effect without judicial intervention if the other Party is attributably in breach of one or more core obligations under this Data Processing Agreement and the breach, following written notice of default and a reasonable period for remedy (of at least 30 days), has not been remedied.
17.1 In the event of any conflict between the documents in force between the Parties, the following order of precedence shall apply, whereby the higher-ranked document prevails:
insofar as it concerns the transfer of Personal Data to third countries without an adequacy decision: the SCC (Annex 4);
this Data Processing Agreement (including Annexes 1 to 3 and 5);
the GTC to the Main Agreement;
the privacy statement of Processor, solely insofar as it applies to the processing activities under this Data Processing Agreement, and never in deviation from the GDPR.
17.2 Amendments and additions to this Data Processing Agreement shall only be valid if agreed in writing by both Parties. However, Processor is entitled to unilaterally amend this Data Processing Agreement if necessary on the basis of mandatory law, a ruling by a competent supervisory authority or court, or an amendment to the SCC adopted by the European Commission. Processor shall notify Controller thereof in good time (at least 30 days in advance).
17.3 Rights and obligations under this Data Processing Agreement may not be transferred to a third party without the prior written consent of the other Party, except in the context of a reorganisation, merger or acquisition within Processor's group, provided that the level of protection for Data Subjects is not thereby reduced.
17.4 If any provision of this Data Processing Agreement is or becomes null and void or voidable, the remaining provisions shall remain in full force and effect. In that case, the Parties shall in good faith agree on a replacement provision that, as closely as possible, reflects the purport of the null or voided provision.
17.5 Notifications under this Data Processing Agreement shall be made in writing (including by email) to the contact persons listed in Annex 5 (Contact persons), or to an address subsequently provided in writing by a Party.
18.1 This Data Processing Agreement is governed exclusively by Dutch law.
18.2 All disputes arising between the Parties in connection with this Data Processing Agreement shall be submitted exclusively to the competent court within the District Court of Midden-Nederland, Utrecht location, without prejudice to the right of the Parties to seek interim relief.
18.3 This does not affect the right of a Data Subject, in accordance with Article 79 GDPR, to bring an action before another competent court (including that of the Data Subject's place of residence).
The subject matter of the Processing is the supply of the ModbusCloud SaaS service by Processor to Controller pursuant to the Main Agreement. The Platform enables Controller (the installer) to remotely monitor, analyse and (within pre-defined limits) control connected Modbus equipment on behalf of its end customers.
The Processing is carried out for the following purposes:
monitoring and visualisation of Modbus device data;
alerting (when thresholds are exceeded or not reached);
automation and control strategies;
reporting and data analysis;
sending control commands to authorised equipment;
service and management by Controller in its role as installer;
invoicing, support, security and compliance with statutory obligations, insofar as this constitutes independent processing by Processor (see Article 3.4 of the DPA).
The Platform is not intended for processing Special Categories of Personal Data within the meaning of Article 9 GDPR (including health data, biometrics, political or philosophical data) or criminal data within the meaning of Article 10 GDPR.
Controller:
does not enter Special Categories of Personal Data or Article 10 data into the Platform, neither in free text fields, device names, reports nor otherwise;
does not enter data of Data Subjects under the age of 16 without a valid legal basis;
is responsible for ensuring that data entered by or on its behalf have been lawfully obtained and may be processed via the Platform.
This annex describes the technical and organisational measures that Processor has taken within the meaning of Article 32 GDPR. Processor may adapt the measures on the basis of the state of the art, provided that the level of security is not substantially reduced.
Processor prevents unauthorised access to Personal Data through a coherent set of technical measures.
Encryption in transit: all traffic between the Platform, the MCG-1 gateway and the user is conducted via TLS 1.2 or higher, with modern cipher suites and HSTS on the web portals.
Encryption at rest: data are stored encrypted with AES-256, both in the Supabase production database and in the back-ups at the hosting provider.
Row Level Security (RLS): in the PostgreSQL database, tenant isolation is enforced via Row Level Security policies, ensuring that data of different Controllers remain strictly separated.
Role Based Access Control (RBAC): access to (production) systems is granted on the basis of the least privilege principle, broken down by role (end customer, installer, administrator, developer).
Mandatory 2FA: two-factor authentication is mandatory for all production access by Processor's employees and administrators.
Password security: passwords are stored only as a hash using bcrypt or Argon2, with an appropriate work factor.
Federated authentication: end users can log in via OAuth 2.0 connections with Google or Microsoft (Entra ID), whereby the federated identity is linked to a platform account.
Audit trail: critical actions (such as login attempts, role changes, device commands and configuration changes) are recorded in an immutable log file with user, timestamp and action.
Processor applies pseudonymisation techniques where possible to limit direct traceability.
Field encryption: sensitive fields (including OAuth refresh tokens, API keys and external tokens) are additionally encrypted at application level before being stored in the database.
IP pseudonymisation: where possible, IP addresses in logs and analytics are masked or truncated.
Environment segregation: the production environment is strictly separated from test and development environments. In test and development environments, no production data are used in principle, and if this is exceptionally necessary, anonymised or pseudonymised datasets are used.
Processor ensures an appropriate level of availability and recovery after incidents.
Back-ups: daily back-ups are made, supplemented by Point In Time Recovery (PITR) via Supabase or equivalent facilities.
Geographical distribution: back-ups and production data remain stored within the EEA.
On-call availability: Processor keeps an on-call developer or operations employee available for serious incidents.
Monitoring and alerting: the Platform is automatically monitored 24/7 for availability, error rates and security indicators, with alerting to responsible employees.
RPO and RTO: the Recovery Point Objective is a maximum of 24 hours and the Recovery Time Objective a maximum of 72 hours for full recovery after a serious disruption.
Processor has organisational safeguards that support the technical measures.
Confidentiality: employees and suppliers are bound by a non-disclosure agreement (NDA) that also remains in force after termination of the employment relationship or assignment.
Security awareness training: all employees follow a security awareness programme upon commencement of employment, which is repeated annually and updated as necessary.
Incident response plan: Processor has a documented incident response plan with clear roles, escalation paths and communication lines.
Periodic access review: at least twice per year, it is assessed whether assigned access rights are still appropriate (principle of least privilege).
Onboarding and offboarding: when commencing and leaving employment, accounts are created or revoked in a timely manner, in accordance with a fixed protocol.
GDPR register: Processor maintains a record of processing activities within the meaning of Article 30 GDPR.
No production data on personal devices: production data may not be stored on private equipment. The use of equipment managed by Processor is the default.
Clean desk and clear screen: a clean desk policy and an automatically locking screen saver on workstations apply at the office.
Processor does not itself operate physical data centres.
Certified data centres: data are hosted with suppliers whose underlying data centres are ISO 27001 and SOC 2 certified, including Vercel, Supabase, Railway and EMQX Cloud.
Supplier control: Processor verifies, prior to engagement, whether these suppliers offer appropriate physical security (including access control, fire prevention, redundant power and network facilities), and evaluates this periodically.
Secure coding: guidelines based on the OWASP Top 10, including protection against injection, cross-site scripting, insecure deserialisation and insufficient logging.
Dependency scanning: dependencies are automatically scanned for known vulnerabilities (via Dependabot, Snyk or equivalent), with remediation within a risk-dependent period.
Mandatory code review: every change to production code undergoes a code review by a second developer before merging to the main branch.
No hardcoded credentials: secrets are not stored in source code, but managed via a secrets manager and separated per environment via environment variables.
Environment separation: development, test, acceptance and production environments are strictly separated in terms of credentials and network access.
Processor subjects its environment to periodic independent control.
Annual penetration test or security review: Processor has a penetration test or equivalent security review carried out annually on the Platform.
External vulnerability scanning: the external attack surfaces are periodically scanned automatically, with findings followed up in accordance with an internal SLA.
Audit cooperation: Processor cooperates with audits by Controller in accordance with Article 11 of the DPA, with a maximum of once per year (except for good cause such as a Personal Data Breach).
Processor has a formal process for the detection, containment and notification of security incidents.
48-hour notification period: Controller is informed within 48 hours of discovery, in accordance with Article 10 of the DPA.
Fixed notification format: the notification contains at least the nature, scope, categories of Data Subjects and Personal Data, the likely consequences and the measures taken or proposed.
Logging and forensics: relevant logs are secured to enable investigation.
Post-incident review: after completion of an incident, an internal evaluation takes place to identify and record structural improvement measures.
Processor is preparing for the obligations under the European Cyber Resilience Act (CRA), in view of the obligations that apply from 11 September 2026.
Vulnerability disclosure policy: Processor applies a publicly findable Responsible Disclosure procedure, so that vulnerabilities can be reported safely.
SBOM: a Software Bill of Materials is maintained for the firmware of the MCG-1 gateway.
Security patches: Processor undertakes to make security updates available for the MCG-1 firmware for an expected lifetime of at least 5 years.
ENISA notification obligation: Processor is preparing for the notification obligation to ENISA or the CSIRT arising from the CRA as from 11 September 2026 for actively exploited vulnerabilities and serious incidents in products with digital elements.
The table below provides an overview of the Sub-processors engaged by Processor as at the effective date of this Data Processing Agreement.
| No | Sub-processor | Location | Role | Data | Transfer safeguard |
|----|---------------|----------|------|------|--------------------|
| 1 | Vercel Inc. | US, with execution in EU Frankfurt | Hosting frontend and marketing site | Account data, session data, technical logs | EU-US DPF + SCC Module 3 (fallback) |
| 2 | Supabase Inc. | US, with execution in EU (Ireland) | Database, authentication, storage | All categories of personal data from Annex 1 | EU-US DPF + SCC Module 3 (fallback) |
| 3 | Railway Corp. | US, with execution in EU | Backend workers, cron jobs | All categories of personal data from Annex 1 | SCC Module 3 |
| 4 | EMQ Technologies Inc. (EMQX Cloud) | US, with execution in EU Central 1 Frankfurt | MQTT broker for MCG-1 communication | Device serial numbers, telemetry, gateway IP address | SCC Module 3 |
| 5 | Stripe Payments Europe Ltd. | Ireland (EEA) | Payment processing | Payment and invoice data | Within EEA |
| 6 | Google Ireland Ltd. | Ireland (EEA) | OAuth 2.0 authentication and Analytics | Login ID, session data, analytics | Within EEA; any Google sub-processors in the US via EU-US DPF |
| 7 | Microsoft Ireland Operations Ltd. | Ireland (EEA) | OAuth 2.0 authentication via Entra ID | Login ID, session data | Within EEA; any Microsoft sub-processors in the US via EU-US DPF |
| 8 | Resend B.V. | Ireland (EEA) | Transactional email sending | Email address and content of system email | Within EEA |
| 9 | Moneybird B.V. | Netherlands | Accounting and invoicing | Invoice data (CoC number, VAT number, company name) | Within EEA |
| 10 | PostHog Inc. | US, with execution in EU Frankfurt | Product analytics (upon explicit consent) | Session, events, anonymised IP | SCC Module 3 |
Updates: Processor publishes the current list of Sub-processors at modbuscloud.com/dpa/subverwerkers. New or replacement Sub-processors are announced at least 30 days prior to engagement, whereby Controller has the right, in accordance with Article 7 of the Data Processing Agreement, to object on substantiated grounds.
This annex governs the application of the Standard Contractual Clauses of Implementing Decision (EU) 2021/914 of 4 June 2021 (hereinafter: "SCC") to transfers of Personal Data to Sub-processors or other recipients outside the EEA without an adequacy decision. The SCC are incorporated by reference in full into this Data Processing Agreement.
Module 2 (Controller to Processor): applies to transfers by Controller, as exporter, to Processor, as importer, to the extent that Processor acts as direct recipient outside the EEA.
Module 3 (Processor to Processor): applies to transfers by Processor, as exporter on behalf of Controller, to Sub-processors, as importers, outside the EEA.
Clause 7 (Docking clause): the Parties agree that this clause applies. Third parties may, with the consent of all existing parties, accede to the SCC at a later time by signing the annexes.
Clause 9 (Sub-processors), Option 2 "General written authorisation": Controller grants Processor the general authorisation to engage Sub-processors from the list set out in Annex 3. The period of prior notification for changes or replacement is 30 days.
Clause 11 (Redress): the Parties do not opt to have disputes resolved by an independent dispute resolution body. The optional passage under Clause 11(a) does not apply. The rights of Data Subjects under Clause 11 remain unaffected.
Clause 17 (Governing law), Option 1: Dutch law applies to the SCC.
Clause 18 (Choice of forum and jurisdiction): disputes arising under the SCC shall be settled exclusively by the District Court of Midden-Nederland, Utrecht location. This does not affect the rights of Data Subjects under Clause 18(c) and Article 79 GDPR.
Data exporter: the Controller as designated on the front page of the Data Processing Agreement and in Annex 5.
Data importer: Avanta Systems (trading as ModbusCloud), Ceintuurbaan 15, 8022 AW Zwolle, Netherlands, as well as the Sub-processors listed in Annex 3 that are located outside the EEA.
Contact details are set out in Annex 5.
Activities relevant to the transfer: as described in Annex 1.
Role under the SCC: for Module 2, Controller acts as exporter and Processor as importer. For Module 3, Processor acts as exporter and the relevant Sub-processor as importer.
Annex I.B, Description of the transfer
For the categories of Data Subjects, categories of Personal Data, any special categories (not applicable, see Annex 1 section 1.7), frequency, nature, purpose, retention periods and further processing by Sub-processors, reference is made to Annex 1 (Specification of processing).
Annex I.C, Competent supervisory authority
The competent supervisory authority is the Dutch Data Protection Authority (AP), established in The Hague.
For the description of the technical and organisational measures within the meaning of Annex II to the SCC, reference is made to Annex 2 (TOMs) of this Data Processing Agreement.
For the list of Sub-processors within the meaning of Annex III to the SCC, reference is made to Annex 3 (Sub-processors) of this Data Processing Agreement.
In the event of any conflict between the SCC and other parts of this Data Processing Agreement or the Main Agreement, the SCC shall prevail insofar as it concerns transfers outside the EEA, in line with Clause 5 of the SCC.
DPO of Controller: if appointed: [controller contact person], [controller email], [controller phone]. If not appointed: not applicable.
DPO of Processor: Processor has no statutory obligation under Article 37 GDPR to appoint a data protection officer and has not currently voluntarily chosen to appoint one. Contact regarding data protection takes place via privacy@modbuscloud.com.
Fill in all placeholders in the parties block, signature block and Annex 5 (name, CoC number, address, email, phone of the installer).
Designate a permanent contact person for privacy matters and Personal Data Breach notifications (may be the same person as the general contact).
If a Data Protection Officer (DPO) has been appointed: enter the name and contact details in Annex 5.3, or explicitly note "not appointed".
To be additionally reviewed by a lawyer:
Alignment of the liability cap and penalty clause under Articles 14 and 15 with the actual liability cap in the GTC to the Main Agreement, and alignment with any sector-specific requirements (for example NIS2, CRA, energy sector) and the audit approach under Article 11 (in particular the practical operation of certifications as an alternative to on-site audits).