Data processing agreement
Last updated: 01.01.2026
This Data Processing Agreement ("DPA") forms part of the agreement between BoxCase Besloten Vennootschap (B.V.) ("Processor", "BoxCase") and the customer organisation ("Controller", "Customer") for BoxCase's processing of personal data on Customer's behalf.
This DPA applies where BoxCase processes personal data subject to UK GDPR, EU GDPR or equivalent data protection laws. Capitalised terms not defined here have the meaning given in the main service agreement.
Governing entity: BoxCase Besloten Vennootschap (B.V.), KVK 58992545, Doldersestraat 39, 2574 TB 's-Gravenhage, Netherlands. Questions: contact.
Parties
Controller: the Customer entity that determines the purposes and means of processing personal data within its BoxCase workspace.
Processor: BoxCase Besloten Vennootschap (B.V.) (KVK 58992545), registered at Doldersestraat 39, 2574 TB 's-Gravenhage, Netherlands, which processes personal data only on documented instructions from Controller except where required by law.
Contact points for data protection matters are available via /contact and the data protection route listed there.
Subject matter and duration
Subject matter: provision of the BoxCase client operations platform, including storage, workflow execution, notifications, audit logging, support and related technical operations.
Duration: for the term of the service agreement and until deletion or return of personal data in accordance with this DPA.
Nature and purpose: hosting, organising, transmitting and otherwise processing personal data submitted by Controller's authorised users and client participants as configured in the platform.
Categories of data subjects: Controller's staff, contractors, client contacts and other individuals whose data Controller chooses to process through the service.
Types of personal data: identification and contact details, professional information, workflow status, communications metadata, document filenames and content uploaded by Controller, payment references and audit events. Sensitive categories are processed only if Controller uploads them.
Processing instructions
BoxCase will process personal data only on Controller's documented instructions, including those set out in the service agreement, workspace configuration, support tickets and documented change requests.
BoxCase will inform Controller if an instruction appears to infringe applicable data protection law. Controller is responsible for providing required privacy notices to data subjects and for establishing a lawful basis for processing.
BoxCase will assist Controller, taking into account the nature of processing, with data subject requests, security notifications and consultations with supervisory authorities where applicable and proportionate.
Security measures
BoxCase implements appropriate technical and organisational measures, including tenant isolation, role-based access control, encryption in transit, private object storage, audit logging, vulnerability management and staff access controls.
Security measures are described at a high level on the BoxCase security page and in customer security documentation available on request. Measures may evolve as threats and standards change, provided overall protection is not materially reduced.
Controller is responsible for configuring roles, retention and client access appropriately, maintaining strong credentials and notifying BoxCase promptly of suspected unauthorised access.
Subprocessors
Controller authorises BoxCase to engage subprocessors to support the service. The current list is published at /legal/subprocessors.
BoxCase will impose data protection obligations on subprocessors substantially similar to those in this DPA and remains responsible for subprocessors' performance of processing obligations.
BoxCase will provide notice of intended additions or replacements of subprocessors, allowing Controller a reasonable period to object on documented data protection grounds. If the parties cannot resolve a substantiated objection, Controller may terminate the affected service component in accordance with the main agreement.
Contact
For DPA questions, subprocessors updates or security documentation requests, contact BoxCase via /contact.
On termination of the service, BoxCase will delete or return personal data in accordance with the service agreement, subject to backup cycles and legal retention requirements. BoxCase will certify deletion on request where commercially reasonable.