Data Processing Agreement

Data Processing Agreement between JQP Holding B.V. and its Customers


Last Updated: April 4th, 2025

This Data Processing Agreement (“DPA”) forms part of JQP Holding B.V.’s Terms and Conditions and Privacy Policy. It governs the processing of personal data by JQP Holding B.V. (“Processor”) on behalf of its customers (“Controller” or “Customer”) when they use the Caddey AI tool integration platform (“Service”). By using the Service, you agree to the terms of this DPA.

Roles & Definitions

  • Controller: The party that determines the purposes and means of processing personal data. When you upload or connect any personal data to the Service, you act as Controller.
  • Processor: JQP Holding B.V., which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection law (e.g., GDPR).
  • Processing: Any operation performed on Personal Data—collection, storage, use, disclosure, or deletion.
  • Customer Data: All Personal Data you upload or provide to the Service—either directly (e.g., OpenAPI specification files) or indirectly (e.g., through connected third-party APIs).
  • Sub-processor: Any third party engaged by JQP Holding B.V. to assist in processing Customer Data (e.g., Microsoft Azure, Cloudflare).

Scope of Processing

JQP Holding B.V. will process Customer Data solely to provide, maintain, and improve the Service, and strictly according to the Controller’s documented instructions. Processing activities may include:

  • Storing uploaded OpenAPI specification files and any contained data.
  • Executing API calls on third-party services (e.g., Google Calendar, Shopify) using credentials you provide, then returning results to your AI assistant.
  • Logging basic usage metrics (timestamps, tool names, success/failure) for billing and troubleshooting.
  • Generating anonymized or aggregated analytics to improve the platform.

All processing is limited to what is necessary to fulfill these purposes and comply with applicable law.

Controller Obligations

  • Lawful Basis: You are responsible for ensuring you have a valid legal basis under applicable data protection law (e.g., consent, contract) to upload or process any Personal Data through the Service.
  • Accuracy & Integrity: You warrant that all Customer Data you upload is accurate and up-to-date, and that you have obtained any required consents or permissions from Data Subjects.
  • Instructions: You must provide clear, documented instructions to JQP Holding B.V. regarding how Customer Data should be processed. JQP Holding B.V. will not deviate from those instructions, unless required by law.
  • Data Subject Requests: If a Data Subject exercises any right (access, rectification, deletion, portability), you are responsible for handling that request. JQP Holding B.V. will assist upon request but will not respond directly to Data Subjects without your prior written instructions.
  • Security of Credentials: You must keep your Service credentials, API keys, and any third-party credentials secure. Notify JQP Holding B.V. immediately if you suspect unauthorized access.

Processor Commitments

  • Processing on Instructions: JQP Holding B.V. will only process Customer Data on the Controller’s documented instructions.
  • Confidentiality: JQP Holding B.V. will ensure that any person authorized to process Customer Data is under confidentiality obligations.
  • Use of Sub-processors: JQP Holding B.V. may engage Sub-processors (e.g., Microsoft Azure, Cloudflare) for hosting, storage, and CDN services. All Sub-processors are bound by written contracts requiring them to implement data protection measures at least as stringent as those in this DPA. JQP Holding B.V. remains fully liable for Sub-processors’ performance.
  • Notification of Changes: If JQP Holding B.V. needs to add or replace a Sub-processor, we will publish notice at caddey.ai/legal and email you at least 7 days prior. If you object on reasonable data protection grounds, you may terminate the affected portion of the Service with a pro-rata refund.

Sub-processors

JQP Holding B.V. currently uses:

  • Microsoft Azure (Hosting & Storage)
  • Cloudflare (CDN, DDoS Protection, Web Application Firewall)
  • Stripe (Payment Processing—limited to non-sensitive payment confirmation data)

JQP Holding B.V. may add or replace Sub-processors over time. If you object on reasonable grounds, notify us in writing within 7 days of notice. We will use reasonable efforts to address your concerns. If no resolution is possible, you may terminate the affected Service by written notice within 30 days and receive a pro-rata refund for any prepaid fees covering the unused portion.

Security Measures

JQP Holding B.V. implements reasonable safeguards to protect Customer Data, including:

  • Encryption in Transit: All communications use TLS (HTTPS).
  • Encryption at Rest: Customer Data stored on Microsoft Azure is encrypted.
  • Access Controls: Access to production systems is restricted to authorized personnel with unique credentials.
  • Basic Monitoring: We maintain logs of system access and key events for troubleshooting and security reviews.

While JQP Holding B.V. makes reasonable efforts to safeguard Customer Data, no security measures are perfect, and some risk of unauthorized access remains.

International Data Transfers

Customer Data processed by JQP Holding B.V. may be transferred to or accessed from countries outside the EEA (e.g., the Netherlands, the United States). To safeguard such transfers, JQP Holding B.V. relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • Other lawful transfer mechanisms under GDPR.

Copies of executed SCCs are available upon request.

Data Subject Rights & Assistance

  • Notification of Requests: If JQP Holding B.V. receives any request directly from a Data Subject (e.g., to access or delete their data), we will promptly notify you.
  • Assistance: Upon your written request, JQP Holding B.V. will provide reasonable assistance to help you respond to Data Subject requests, including exportable copies of Customer Data in a structured, machine-readable format.
  • Direct Response When Required: If local law requires JQP Holding B.V. to respond directly to a Data Subject request, we will do so to the extent legally mandated and will inform you unless prohibited by law.

Personal Data Breach Notification

  • Notification: JQP Holding B.V. will notify you without undue delay—and, to the extent reasonably possible, within 72 hours—of becoming aware of a confirmed Personal Data Breach affecting Customer Data. The notification will include:
    • A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected.
    • The likely consequences of the breach.
    • Measures taken or proposed to address and mitigate the breach.
    • Any other information reasonably required for you to fulfill your obligations under applicable data protection law.
  • Cooperation: JQP Holding B.V. will cooperate with you in any required notification to supervisory authorities or Data Subjects. You remain responsible for deciding whether notification is legally required.

Data Retention & Deletion

  • Retention During Service: JQP Holding B.V. retains Customer Data only as long as necessary to provide the Service or as instructed by you.
  • Return or Deletion on Termination: Upon termination or expiration of your account, you may instruct JQP Holding B.V. to:
    • Return all Customer Data in a structured, commonly used, machine-readable format (e.g., JSON) within 30 days; or
    • Delete all Customer Data from JQP Holding B.V.’s systems. Any residual backups will be purged in accordance with our routine backup-and-retention policy (within 90 days).
  • Legal Retention Obligations: JQP Holding B.V. may retain certain data to comply with legal obligations (e.g., tax records). In such cases, we will isolate and protect that data from further processing and notify you of any exception.

Audit Rights

  • Customer Audit: Instead of on-site audits, you may submit a request with at least 30 days’ notice, and we will provide a self-attested security questionnaire or any recent third-party penetration test report. Reasonable written documentation is sufficient; we are not obligated to host in-person auditors.
  • Audit Records: JQP Holding B.V. will maintain records of processing activities, security measures, and Sub-processor agreements and make summaries available to you upon request.

Liability & Indemnification

  • Liability Cap: Our liability under this DPA is capped at the total fees you paid Caddey in the 12 months preceding the claim.
  • Indemnification: You agree to indemnify and hold JQP Holding B.V. harmless from any claims, fines, or penalties arising from your breach of applicable data protection law (e.g., failing to obtain necessary consents from Data Subjects).

Changes to this DPA

JQP Holding B.V. may update this DPA from time to time to reflect changes in legal requirements or our practices. We will notify you of any material changes by posting a notice at caddey.ai/legal or sending an email. Changes become effective 30 days after notice unless you object in writing. If you object, you may terminate the applicable Service by providing written notice before the revised DPA takes effect.

Governing Law

This DPA is governed by the laws of the Netherlands. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts in the Netherlands.

Contact Us

If you have any questions, concerns, or requests regarding this DPA or our processing of Customer Data, please contact:

JQP Holding B.V.
Oostendesedijk 9
3255 LM Oude-Tonge
The Netherlands
[email protected]