Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of the End User License Agreement (“EULA”) between Panik Button B.V. (“Processor”) and the User (“Controller”). It governs the processing of personal data by Panik Button on behalf of the User in accordance with the General Data Protection Regulation (GDPR).
1. Subject and Duration
1.1 This DPA supplements the EULA and applies to all processing of personal data by Panik Button in the context of providing the Panik Button Services.
1.2 Processing is carried out for the term of the agreement between the parties.
2. Roles of the Parties
2.1 The User acts as Controller under the GDPR.
2.2 Panik Button acts as Processor and processes personal data solely on documented instructions from the User.
3. Purpose and Categories of Data
3.1 Processing is strictly limited to providing the Panik Button platform: crisis communication, fallback environments, and optional business continuity modules.
3.2 Categories of personal data may include: names, email addresses, phone numbers, account credentials, role assignments, log and audit data, and—where modules are activated—essential business datasets provided by the User.
3.3 Categories of data subjects may include employees, contractors, external stakeholders, suppliers, partners, regulators, and other individuals designated by the User.
4. Obligations of Panik Button
4.1 Panik Button shall not process personal data for its own purposes.
4.2 Panik Button shall implement appropriate technical and organizational measures in line with ISO/IEC 27001, including encryption, logical segregation, access controls, logging, and secure deletion.
4.3 Panik Button ensures that all personnel and sub-processors are bound by confidentiality obligations.
4.4 Panik Button shall assist the User, where reasonable, in fulfilling obligations regarding data subject rights, breach notifications, and data protection impact assessments.
4.5 Upon termination of the agreement, Panik Button shall delete or return personal data within 60 days, unless longer retention is required by law.
5. Sub-Processors
5.1 Panik Button may engage sub-processors, including Microsoft (Azure, Microsoft 365) and other essential service providers.
5.2 Panik Button remains fully responsible for the performance of sub-processors.
5.3 An up-to-date list of sub-processors is available upon request.
6. Data Breach Notification
6.1 In case of a personal data breach, Panik Button shall notify the User without undue delay, providing sufficient details to support the User’s reporting obligations to supervisory authorities and data subjects.
7. Data Subject Rights
7.1 If a data subject request is received directly by Panik Button, it will be forwarded to the User.
7.2 Panik Button will provide reasonable assistance in handling such requests.
8. Audits and Compliance
8.1 The User may, once per year or in case of justified suspicion, conduct an audit or have it conducted by an independent third party.
8.2 Panik Button shall provide relevant information, provided that such disclosure does not compromise the security or confidentiality of other customers.
9. Liability
9.1 The liability limitations set forth in the EULA also apply to this DPA.
10. Governing Law
10.1 This DPA is governed exclusively by Dutch law.
10.2 Any disputes shall be brought before the competent court in ’s-Hertogenbosch, The Netherlands.
Availability
This DPA is publicly available at www.panikbutton.eu and automatically applies as part of the EULA. By accepting the EULA, the User also accepts this DPA.