Data processing agreement
Draft version — not yet legally reviewed. This text may change.
This data processing agreement (draft) describes the arrangements between your organisation (data controller) and Bayana (data processor) regarding the processing of members' personal data within the platform.
Roles
Your organisation determines the purpose and means of the data processing and is the data controller. Bayana processes personal data solely on behalf of your organisation, to deliver the membership administration and contribution service, and not for its own purposes.
Purpose and duration
Processing is limited to what is necessary for member administration, contribution management, bank import and matching, communication and export, as described in the product documentation. The agreement runs for as long as your organisation uses Bayana and ends when the account is closed.
Subprocessors
Bayana uses subprocessors for database, storage, network, email and payment services (see the privacy policy for the current list). Your organisation will be informed if a new subprocessor is engaged.
Security measures
Technical and organisational measures include: schema-per-tenant separation between organisations, password hashing with Argon2, short-lived access tokens, restrictive default permissions (deny-default), and an unchangeable (append-only) audit log of every write action.
Data breach notification
Bayana notifies your organisation without undue delay of a suspected data breach that may affect your members' personal data, so your organisation can assess whether notification to the Dutch Data Protection Authority and/or data subjects is required.
Assistance with data subject rights
Bayana supports your organisation, as far as reasonably possible, in handling member requests concerning access, correction, deletion or portability of their data.
Return or deletion at end of agreement
When an account is closed, your organisation can export its data (including via the .xlsx export). After the agreed retention period, the data is deleted, unless a legal retention obligation requires otherwise.
Audit
Your organisation may request reasonable information about compliance with this agreement. The precise audit arrangements will be further defined in the final, legally reviewed version.