Data Processing Agreement
Version: 2026-05-15
Parties: Nordnether (Voorcast) — Processor; Customer — Controller
This Data Processing Agreement (the DPA) forms part of the agreement under which Nordnether (registered in the Netherlands, operating the Voorcast service — the Processor) provides the Voorcast service to the customer named in the underlying order or subscription (the Controller). It is concluded under Article 28 of the EU General Data Protection Regulation (the GDPR).
If the Controller has not signed a separate DPA, this document constitutes the Article 28 contract between the parties, accepted by the Controller's continued use of the Voorcast service after the version date above.
1. Definitions
Terms used in this DPA that are defined in the GDPR (such as personal data, processing, data subject, processor, controller, sub-processor, supervisory authority) have the meaning given in the GDPR.
Service means the Voorcast software-as-a-service product as documented at https://voorcast.com and made available at https://app.voorcast.com.
Sub-processor means any third party engaged by the Processor to process personal data on the Controller's behalf in the course of providing the Service.
2. Subject matter, nature, and purpose of processing
The Processor processes personal data on behalf of the Controller solely to provide the Service: ingesting product, sales, supplier, and purchasing data from systems the Controller connects (Picqer, Magento, Slack, and similar); computing forecasts, stockout risk scores, and purchasing recommendations; and presenting these to the Controller's users through the Service.
The processing is limited to the duration of the underlying service agreement and the post-termination data-retention windows set out in Section 9.
3. Categories of data subjects and personal data
Categories of data subjects are end users of the Controller's organization (employees, contractors) and limited third-party contact data (supplier contacts, end customer references) that the Controller's source systems contain.
Categories of personal data processed are:
- Account identifiers and authentication metadata of the Controller's users.
- Supplier and customer contact data present in the Controller's connected systems.
- Activity logs (which user took which action inside the Service).
- Support communications between the Controller's users and the Processor.
The Processor does not knowingly process special categories of personal data within the meaning of Article 9 GDPR.
4. Controller and Processor obligations
The Controller confirms it has a lawful basis under Article 6 GDPR for the processing it instructs the Processor to perform, and that any consent or notice required of the Controller's data subjects has been obtained or given.
The Processor shall:
- Process personal data only on documented instructions from the Controller, including instructions communicated through the Service's configuration. The agreement and this DPA constitute the Controller's initial instructions.
- Ensure that personnel with access to personal data are bound by appropriate confidentiality obligations.
- Implement the technical and organizational measures (TOMs) described in Section 7 (and on https://voorcast.com/security) to protect personal data.
- Assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligations to respond to data subject requests.
- Make available to the Controller information necessary to demonstrate compliance with Article 28 obligations.
5. Sub-processors
The Controller grants a general written authorization for the Processor to engage sub-processors, subject to the following conditions:
- The Processor maintains a current list of sub-processors at https://voorcast.com/security#sub-processors. As of the version date above, the sub-processors are:

| Sub-processor | Purpose | Location |
|---|---|---|
| Sentry | Error and performance monitoring | EU |
| AWS SES | Transactional email | EU (eu-central-1) |
| EU hosting provider | Application and database hosting; automated snapshots | Germany |
| Mollie | Payment processing (no card data passes through Voorcast) | EU |
| Cloudflare | CDN, WAF, and HTTPS termination (processes IP addresses and request headers) | Global edge |
| OpenRouter | API routing for embedding requests (forwards to embedding model providers) | United States |
| OpenAI | Embedding model provider (text-embedding-3-large) for product similarity and semantic search; accessed via OpenRouter | United States |
| Klaviyo | Marketing automation and back-in-stock event syncing | EU / United States |
| Slack | Customer-configured workspace notifications; encrypted bot tokens stored | United States |

- The Processor notifies the Controller of intended additions or replacements of sub-processors at least 30 days in advance, by updating the security page and (for material additions) by email to the billing contact of record.
- The Controller may object on reasonable grounds within the 30-day notice window. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the service for convenience.
- The Processor enters into a written agreement with each sub-processor that imposes data protection obligations no less protective than this DPA.
6. International data transfers
The application database and backups are hosted within the European Union (Germany). Certain sub-processors listed in Section 5 are established outside the EU — notably OpenAI, OpenRouter, and Slack in the United States, and Cloudflare's global edge network — and their use involves limited transfers of personal data outside the EU. Such transfers are governed by the European Commission's Standard Contractual Clauses (Commission Implementing Decision 2021/914) or, where available, an applicable adequacy decision (including the EU–U.S. Data Privacy Framework).
The Processor will not engage additional non-EU sub-processors without prior notice to the Controller in accordance with Section 5.
7. Technical and organizational measures (TOMs)
The Processor implements the measures summarized below. The current operational summary is published at https://voorcast.com/security.
- Hosting. Application and database run on a managed European hosting provider with servers in Germany. Backups remain in the EU.
- Connections. External traffic to the application and marketing site is fronted by Cloudflare with HTTPS enforced; HTTP requests are redirected to HTTPS.
- Production data segregation. Raw production data is not copied to development or staging environments. Anonymized derivatives of production data are used to train and regression-test the forecasting engine; anonymization is applied before any data leaves the production system.
- Dependencies. Third-party dependencies are updated frequently; recent practice has been to deploy security patches within 24 to 48 hours of release.
- Monitoring. Application errors and abnormal activity surface through Sentry.
8. Personal data breach notification
If the Processor becomes aware of a personal data breach affecting the Controller's data, the Processor will notify the Controller without undue delay. Notification will describe, to the extent then known:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
The Processor will provide reasonable assistance to the Controller in any notifications the Controller is required to make to supervisory authorities or data subjects under GDPR Article 33 or 34.
9. Data subject requests, deletion, and return of data
The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR.
On termination of the underlying service agreement, the Processor will, at the Controller's choice and on written instruction, delete or return primary copies of all personal data processed on the Controller's behalf within 30 days. Automated server snapshots managed by the hosting provider are not selectively purged on individual data deletion; personal data within them ceases to be available once the relevant snapshot expires under the provider's retention configuration. Billing records and other data the Processor is required to retain by Dutch tax or accounting law are retained for the legally required period (currently 7 years) and access-restricted to authorized personnel.
10. Audit rights
The Controller has the right, at its own cost and on reasonable notice (at least 30 days), to audit the Processor's compliance with this DPA, no more than once per calendar year (or more often if required following a personal data breach or a supervisory authority instruction). Audit scope is limited to the Processor's facilities and records relevant to processing personal data under this DPA, conducted under reasonable confidentiality obligations and during business hours. The parties may agree to satisfy audit requests through a written summary of the Processor's TOMs, evidence of recent penetration tests, or an equivalent attestation.
11. Liability
Liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying service agreement (the Terms of Service).
12. Term
This DPA is effective from the date the Controller accepts the underlying service agreement and remains in force for the duration of the service agreement. Sections that by their nature should survive termination (notably Sections 8, 9, and 11) survive accordingly.
13. Governing law
This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the courts of Amsterdam.
14. Contact
DPA inquiries: [email protected].