Last updated: [10.12.2025]

This Data Processing Addendum (hereinafter ‘DPA’) is entered into between you (hereinafter the ‘Client’, ‘you’, ‘your’) and BAS-IP DISTRIBUTION LTD (hereinafter the ‘Company’, ‘BAS-IP’, ‘we’, ‘us’ or ‘our’), hereinafter referred to individually as a ‘Party’ or together as the ‘Parties’. This DPA supplements the Terms and Conditions (hereinafter the ‘Agreement’), concluded between the Parties.

This DPA governs the processing of personal data that the Client provides to BAS-IP in connection with the use of BAS-IP’s products and services (together the ‘Services’), as well as any personal data that BAS-IP obtains in the course of performing the Services for the Client.

Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings set forth in the Agreement. This DPA shall remain in force until the termination of the Agreement between you and us governing your use of the Services. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail with respect to the processing of personal data.

  1. Definitions

For the purposes of this DPA, the following definitions shall apply:

“Client Data” means any personal data that the Client uploads, transmits, or otherwise provides to BAS-IP in connection with the Services, as well as any personal data that BAS-IP processes in the course of performing the Services.

“Data Protection Laws” means all applicable laws and regulations relating to the processing of Client Data, including those of the European Union, the European Economic Area and its member states, the United Kingdom, such as:

  • the EU General Data Protection Regulation (EU GDPR);
  • the UK General Data Protection Regulation (UK GDPR); 
  • the Data Protection Act 2018;
  • the Data (Use and Access) Act 2025 (DUAA);
  • any other applicable data protection laws and regulations, to the extent applicable to the Parties and the processing activities under this DPA.

“Data Transfer Mechanism” means any legally recognised mechanism, instrument or framework that permits the transfer of Client Data from one jurisdiction to another in compliance with applicable Data Protection Laws, including, without limitation, the EU Standard Contractual Clauses and the UK Addendum.

“EU SCCs” means EU Standard Contractual Clauses for the transfer of Client Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“General Data Protection Regulation (GDPR)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“International Data Transfer” means any transfer of Client Data from a country in which the data is collected to a country outside of that jurisdiction, where the applicable Data Protection Laws require appropriate safeguards for such transfer.

“Public Authority” means a government agency or law enforcement authority, including judicial authorities.

“Sensitive Client Data” means Client Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health, or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences.

“Services” means the services provided by the Company to the Client.

“Supervisory Authority” means an independent public authority responsible for monitoring the application of the data protection legislation.

“Technical and Organisational Security Measures” mean the measures aimed at the protection of personal data against unintentional destruction or unintentional loss, alteration, unauthorised disclosure or access, particularly where the processing involves the transmission of data via a network, and against all other unlawful forms of processing.

“UK GDPR” means the retained version of the EU General Data Protection Regulation as it forms part of UK law, together with any amendments made by the Data Protection Act 2018 and any other applicable UK legislation governing the processing of personal data.

“UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses that has been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“controller”, “processor”, “sub-processor”, “data subject”, “personal data”, and “processing” have the meanings given in the Data Protection Laws.

  2. Roles and Responsibilities

Where BAS-IP processes Client Data on your behalf in connection with Services, you acknowledge and agree that with regard to the processing of Client Data, you are a controller or processor, and we are a processor or sub-processor (as defined by the Data Protection Laws) acting on your behalf. A description of such processing is set out in Schedule 1 of this DPA. This DPA shall apply accordingly to established roles and not apply to situations where we act as a controller in accordance with BAS-IP’s Privacy Policy.

If the Client is a processor, the Client warrants to BAS-IP that Client’s instructions and actions in respect to personal data, including appointing BAS-IP as sub-processor and, where applicable, concluding the EU SCCs or any other Addenda under Section 9 of this DPA (including as they may be amended in Section 9 below), have been (and will, for the duration of this DPA, continue to be) authorised by the relevant third-party controller.

  3. Instructions

The Parties agree that this DPA and the applicable Agreement constitute the Client’s complete and final documented instructions regarding the processing of Client Data (hereinafter the ‘Instructions’) where the Client acts as a controller or processor and BAS-IP acts as a processor or sub-processor under Data Protection Laws.

Any additional or alternative instructions must be agreed in writing by the Parties and shall be consistent with this DPA and the Agreement.

  4. Description of processing

The processing of Client Data on Client’s behalf in connection with Services is described in Schedule 1 of this DPA. We reserve the right to update the description of processing from time to time to reflect new functionality that is part of the Services.

  5. Client’s obligations

5.1. Controller’s obligations

Within the scope of the DPA, when the Client acts as a controller, the Client shall be responsible for complying with all requirements that apply to the Client as a controller under the Data Protection Laws.

When acting as a controller, you must:

(a) maintain the accuracy, quality, confidentiality, and security of the Client Data;

(b) comply with and perform your obligations under Data Protection Laws, including with regard to data subject rights, data security, and confidentiality, and ensure you have an appropriate legal basis for the processing of personal data; 

(c) provide BAS-IP only with Client Data that has been lawfully obtained and ensure such data is adequate, relevant, and proportionate to the intended purposes;

(d) ensure that your Instructions to BAS-IP regarding the processing of Client Data comply with the Data Protection Laws, including the principles of data minimisation, purpose limitation, and storage limitation.

5.2. Processor’s obligations

Within the scope of the DPA, when the Client acts as a processor, the Client shall be responsible for complying with all requirements that apply to the Client as a processor under the Data Protection Laws.

When acting as a processor, you must:

(a) provide BAS-IP only with processing instructions that accurately reflect the documented instructions of the respective controller;

(b) provide BAS-IP only with Client Data that has been lawfully obtained from the respective controller and that is adequate, relevant, and limited to what is necessary for the permitted purposes;

(c) maintain transparency with the respective controller regarding the engagement of BAS-IP and any sub-processors;

(d) comply with all obligations under applicable Data Protection Laws in your capacity as a processor;

(e) ensure that your personnel or any third party accessing Client Data comply with this DPA and the Agreement.

  6. BAS-IP obligations

6.1. General Obligations

When BAS-IP acts as a processor/sub-processor, we must:

(a) process Client Data according to your Instructions and exclusively for the specified purposes;

(b) inform you if, in BAS-IP’s reasonable opinion:

(i) your Instructions violate or may violate applicable Data Protection Laws; or

(ii) BAS-IP is unable to comply with your Instructions;

(c) implement and maintain appropriate technical and organisational measures to ensure the confidentiality of Client Data;

(d) comply with all applicable Data Protection Laws, including obligations relating to data subject rights, data security, and confidentiality;

(e) ensure, through written contracts or other legally binding means, that any sub-processor engaged to process Client Data on behalf of BAS-IP is subject to equivalent data protection obligations as set out in this DPA and the Agreement;

(f) maintain accurate records of all processing activities carried out on your behalf under this DPA and provide such records to you upon request;

(g) without undue delay notify you if BAS-IP becomes aware that any Client Data provided by you is inaccurate, incomplete, or outdated;

(h) apply appropriate and necessary safeguards or restrictions when processing Sensitive Client Data, as required by Data Protection Laws or the Instructions;

(i) provide you with all information reasonably necessary to demonstrate BAS-IP’s compliance with its obligations under applicable Data Protection Laws.

6.2. Notices to a Client

Upon becoming aware, we shall inform you of any legally binding request for disclosure of Client Data by a Public Authority, unless we are otherwise forbidden by law to inform the Client, for instance, to preserve the confidentiality of an investigation by a Public Authority. We will inform you if BAS-IP becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of Client Data under this DPA conducted between you and us.

6.3. Confidentiality 

We will not access, use, or disclose to any third party any Client Data, except, in each case, as necessary to maintain or provide the Services or as necessary to comply with contractual and legal obligations or a binding order of a public body (such as a subpoena or court order). 

We shall ensure that any employee or contractor whom we authorise to access Client Data on our behalf is subject to an appropriate contractual or statutory duty of confidentiality with respect to Client Data.

6.4. Security measures 

We shall implement and maintain appropriate technical and organisational measures to protect Client Data from any data breaches such as actual or suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Client Data transmitted, stored or otherwise processed (hereinafter the ‘Security Incidents’) in accordance with our security standards set out in Schedule 2 of this DPA. 

You acknowledge that security measures are subject to technical progress, so that we may modify or update Schedule 2 of this DPA at our sole discretion, provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA. 

6.5. Security Incident 

Upon becoming aware of a Security Incident, we shall: 

  • notify you without undue delay after we become aware of the Security Incident; 
  • provide timely information relating to the Security Incident (the type of personal data, the categories and potential number of individuals or records affected) as it becomes known or as is reasonably requested by you; and 
  • promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and/or affected Data Subjects of the Security Incident. 

Our notification of or response to a Security Incident shall not be construed as an acknowledgment by us of any fault or liability regarding the Security Incident. 

6.6. Return or deletion of Client Data 

Upon termination or expiration of the Agreement concluded between you and us, we shall delete or return all Client Data in our possession or control. This requirement shall not apply to the extent we are required by applicable law or respective contractual obligations to retain some or all of the Client Data. 

6.7. Reasonable Assistance

We agree to provide reasonable assistance to the Client regarding: 

(a) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking, or deletion of Client Data that we process on behalf of Client. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;

(b) the investigation of the Security Incident and communication of necessary notifications regarding such Security Incidents, subject to Section 6.5 of this DPA;

(c) preparation of data protection impact assessments (the ‘DPIAs’) and, where necessary, consultation of the Client with the Supervisory Authority under Articles 35 and 36 of the GDPR.

6.8. Audit and Certification

6.8.1. Supervisory Authority Audit

If a Supervisory Authority requires an audit of the data processing facilities we use to process the Client Data in order to ascertain or monitor the Client’s compliance with the Data Protection Laws, we will cooperate with the audit. The Client is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.

6.8.2. Audits

The Client may, prior to the commencement of processing and at regular intervals thereafter, audit the technical and organisational measures taken by us. If the Client is the controller with respect to the personal data processed by us on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide the Client with all information necessary to demonstrate compliance with its obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client with respect to such processing.

We shall, upon the Client’s written request and within a reasonable period, provide the Client with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

  7. Data subject requests

In the event that a data subject contacts us with regard to the exercise of their rights under the Data Protection Laws (in particular, requests for access to, rectification, or deletion of Client Data), we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so. 

  8. Sub-processors

BAS-IP has the general written authorisation from the Client for the engagement of sub-processors from an agreed list. BAS-IP agrees to inform the Client of any intended changes to that list concerning the addition or replacement of sub-processors at least 10 days prior to the engagement of the sub-processor in question, thereby giving the Client the opportunity to object to such changes. BAS-IP shall provide the Client with the information necessary to enable the Client to exercise the right to object.

If Section 9 of this DPA applies, the procedure for engaging sub-processors shall be governed by the relevant provisions of Section 9 of this DPA. In such a case, the provisions of Section 9 shall prevail.

The agreed list of Sub-processors is set out in Schedule 3 of this DPA.

  9. Transfers of Client Data

9.1. General

You acknowledge and agree that using BAS-IP Services may involve transferring Client Data to other jurisdictions, in compliance with applicable Data Protection Laws.

Where such transfers require appropriate safeguards, the applicable Data Transfer Mechanisms shall be used, such as the EU SCCs and the UK Addendum. These Data Transfer Mechanisms are incorporated into and form an integral part of this DPA, as further described in Sections 9.2. and 9.3.

In the event of any conflict between the provisions of this DPA and the applicable Data Transfer Mechanisms, the provisions of the relevant Data Transfer Mechanism shall prevail solely to the extent of such conflict.

9.2. Transfers under the GDPR

When the processing of Client Data on your behalf in connection with Services constitutes a “transfer” under the GDPR, Standard Contractual Clauses shall apply. 

When you are a controller, and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor, and we are a sub-processor, Module Three of the EU SCCs shall apply.

For the purpose of the EU SCCs, BAS-IP is a “Data Importer”, and you are a “Data Exporter”. 

The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs are deemed to be completed as follows:

(i) in Clause 7, the optional docking clause shall not apply;

(ii) in Clause 9, Option 2 (General written authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing the Data Exporter shall be 10 days;

(iii) in Clause 11, the optional provision shall not apply;

(iv) in Clause 13, a particular option shall apply depending on the specific case;

(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of the Federal Republic of Germany;

(vi) in Clause 18(b), disputes shall be resolved by the courts of the Federal Republic of Germany;

(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;

(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.

9.3. Transfers under the UK Data Protection Framework 

When the processing of Client Data on your behalf in connection with Services constitutes a “restricted transfer” under UK Data Protection Laws, the UK Addendum shall apply. 

When you are a controller and BAS-IP is a processor, Module Two of the EU SCCs shall apply, and when you are a processor, and we are a sub-processor, Module Three of the EU SCCs shall apply, as completed in subsection 9.2. of this DPA.  

For the purpose of the UK Addendum, BAS-IP is an “Importer”, and you are an “Exporter”.

The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum are deemed to be completed as follows:

(i) Table 1 in Part 1 is deemed completed with the information set out in Schedule 1 of this DPA, and the official registration number of the Importer is 328138502, and the official registration number of the Exporter is contained in the Client’s account, if any;

(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 9.2. of this DPA;

(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2, and 3 of this DPA;

(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.

SCHEDULE 1 – DESCRIPTION OF PROCESSING

  1. LIST OF PARTIES

Client (Data Exporter)

Name: You, ‘Client’

Address: the relevant information is contained in the Client’s account.

Contact person’s name, position, and contact details: the relevant information is contained in the Client’s account.

Activities relevant to the data transferred under these Clauses: provision of the Services.

Signature and date: the Parties agree that execution of the Agreement by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.

Role: controller or processor

BAS-IP DISTRIBUTION LTD (Data Importer)

Name: BAS-IP DISTRIBUTION LTD

Address: Crown House 27 Old Gloucester Street, London, England

Contact person’s name, position, and contact details: [please, insert name, position, and contact details, e.g., email]

Activities relevant to the data transferred under these Clauses: provision of the Services.

Signature and date: the Parties agree that execution of the Agreement by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.

Role: processor or sub-processor

  2. DESCRIPTION OF TRANSFER
    1. Categories of data subjects whose personal data is transferred:
      • Client’s Customers;
      • other data subjects whose personal data is transferred during the services provided by the Company to the Client.
    2. Categories of personal data transferred:
      • personal data related to Client’s Customers;
      • other personal data which may be transferred during the services provided by the Company to the Client.
    3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

The Data Importer may obtain access to sensitive data only where such sensitive data is provided by the Client and solely to the extent necessary for the performance of Services. In such cases, the Data Importer implements the technical and organisational measures set out in Schedule 2, together with any other appropriate and necessary safeguards or restrictions, taking into account the nature of the sensitive data and risks associated with its processing, in compliance with applicable laws and regulations.

    4. The frequency of the transfer:

The personal data is transferred on a continuous basis.

    5. Nature of the processing:

Personal data processing consists of the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

    6. Purpose(s) of the data transfer and further processing:

The purpose of the data processing under these Clauses is the performance of the services for the Data Exporter by the Data Importer under the Agreement concluded between the Data Importer and the Data Exporter.

    7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The personal data shall be stored for the duration of this DPA concluded between the Data Importer and the Data Exporter unless otherwise agreed in writing or the Data Importer is required by applicable law to retain some or all of the transferred personal data. 

    8. For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing:

subject matter: the performance of services 

nature: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction. 

duration: the performance of the services for the Data Importer by the (sub-) processor under the service agreement concluded between the Data Importer and (sub-) processor.

  3. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, the competent supervisory authority under these Clauses is determined depending on which version of Clause 13(a) applies to the Data Exporter.

SCHEDULE 2 – TECHNICAL AND ORGANISATIONAL MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the Data Importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks for the rights and freedoms of natural persons:

  • Data Importer is committed to preserving the confidentiality, integrity, availability, and resilience of all personal data in question throughout its processing activities and ensuring that personal data is protected against loss and destruction by implementing appropriate internal information security policies, procedures, and other appropriate measures.
  • Data Importer grants access to personal data strictly on a need-to-know basis, and such data is accessible only to authorised personnel. 
  • Data Importer has implemented role-based access control and access control lists to enforce strict separation of user access rights.
  • Data Importer’s information security procedures are subject to regular reviews. 
  • Data Importer uses reliable service providers and monitors what technical and organisational measures they have in place to ensure that personal data is protected at all times. 
  • Data Importer has implemented measures designed to protect the confidentiality and integrity of personal data during data transfers. 
  • Data Importer has implemented technical and organisational measures designed to contain security incidents and prevent further data loss and damage.

SCHEDULE 3 – SUB-PROCESSORS

The controller has authorised the use of the following sub-processors: 

Sub-processor 1

Name: Hetzner Online GmbH / Hetzner Finland Oy

Address: Industriestr. 25, 91710 Gunzenhausen, Germany / Huurrekuja 10, 04360 Tuusula (Helsinki / Tuusula), Finland

Contact person’s name, position, and contact details: [email protected] 

Description of processing: hosting of the data on the servers of Hetzner Online GmbH / Hetzner Finland Oy

Sub-processor 2

Name: DigitalOcean, LLC

Address: 105 Edgeview Drive, Ste. 425, Broomfield, CO 80021, United States

Contact person’s name, position, and contact details: [email protected] 

Description of processing: hosting of the data on the servers of DigitalOcean, LLC