Data Processing Agreement
GDPR-compliant data processing terms for business customers.
Last updated: February 14, 2026
1 Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between IP Market ™, statutory name PeaceWeb B.V. ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by the Processor on behalf of the Controller.
This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data
- "Sub-processor" means any third party engaged by the Processor to process personal data
- "Data Subject" means the individual to whom personal data relates
2 Scope of Processing
2.1 Subject Matter
The Processor processes personal data on behalf of the Controller to provide the IP Market platform services, including account management, billing, customer support, and technical infrastructure services.
2.2 Categories of Data Subjects
- Customer employees and authorized users
- Technical and administrative contacts
- End-users of Customer's services (if applicable)
2.3 Types of Personal Data
- Contact information (name, email, phone, address)
- Account credentials and authentication data
- Billing and payment information
- Technical data (IP addresses, logs, device information)
- KYC/verification documents (identity documents, proof of address)
- Ultimate Beneficial Owner (UBO) data (name, date of birth, nationality, residential address for 25%+ owners)
- Bank account information (IBAN, account holder name for payouts)
2.4 Duration
Processing will continue for the duration of the service agreement and for such additional period as necessary to comply with legal obligations.
3 Processor Obligations
In accordance with Article 28(3) GDPR, the Processor shall:
- Process Only on Instructions: Process personal data only on documented instructions from the Controller.
- Confidentiality: Ensure persons authorized to process data are under confidentiality obligations.
- Security Measures: Implement appropriate technical and organizational security measures.
- Sub-processor Requirements: Engage sub-processors only with prior authorization and under written contract.
- Data Subject Rights: Assist the Controller with data subject rights requests under GDPR.
- Compliance Assistance: Assist with security, breach notification, and impact assessment obligations.
- Data Return or Deletion: Delete or return all personal data upon termination of services.
- Demonstrate Compliance: Make available information necessary to demonstrate compliance and allow audits.
4 Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption: TLS 1.3 encryption in transit, AES-256 encryption at rest, and encrypted backups with LZ4 compression.
- Access Controls: Role-based access control (RBAC), multi-factor authentication, and secure password hashing (bcrypt).
- Security Testing: Regular vulnerability assessments, third-party penetration testing, and security incident monitoring.
- Incident Response: Detection and response procedures with documented incident response protocols and escalation paths.
- Business Continuity: Disaster recovery procedures with documented RTO/RPO targets and geographic redundancy across EU datacenters.
- Employee Training: Comprehensive security awareness and training programs for all personnel with data access.
5 Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The Processor will maintain a list of current sub-processors and notify the Controller of any intended changes, providing an opportunity to object.
The Processor ensures that sub-processors are bound by data protection obligations no less protective than those in this DPA through written contracts in accordance with Article 28(4) GDPR.
5.1 Current Sub-processors
- Stripe Connect (Stripe, Inc.): Payment processing, KYC/KYB verification, UBO data collection, payout processing
- Twilio Inc.: SMS verification services for account security
- Google LLC: Analytics (Google Analytics), Advertising (Google Ads)
- Microsoft Corporation: Advertising (Microsoft Ads)
- PostHog Inc.: Product analytics and user behavior analysis
5.2 KYC Data Retention
KYC documents and UBO data collected through Stripe Connect are retained for 5 years after the business relationship ends, in accordance with Anti-Money Laundering (AML) regulations and the Dutch Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme).
6 International Transfers
Personal data is primarily processed within the European Economic Area (EEA). When transfers outside the EEA are necessary, the Processor ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms.
7 Data Subject Rights
The Processor will assist the Controller in responding to data subject requests, including requests for access to personal data, rectification of inaccurate data, erasure (right to be forgotten), restriction of processing, data portability, and objection to processing.
If the Processor receives a request directly from a data subject, it will promptly notify the Controller unless legally prohibited from doing so.
8 Data Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach. Notification will include the nature of the breach, categories and approximate numbers of affected data subjects, contact point for further information, likely consequences, and measures taken or proposed to address the breach.
9 Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
Audits require at least 30 days' advance notice, must be conducted during normal business hours, and are subject to confidentiality obligations. The Controller is responsible for audit costs unless the audit reveals material non-compliance.
10 Termination
Upon termination of the service agreement, the Processor will, at the Controller's choice, return all personal data or delete all personal data (unless retention is required by law). Certification of deletion will be provided upon request.
11 Contact
Data Protection Contact
IP Market ™ (statutory name: PeaceWeb B.V.)
Hedikhuizerweg 7F, 5222 BC 's-Hertogenbosch, Netherlands
Privacy Inquiries: privacy@ipmarket.io
DPA Requests: legal@ipmarket.io