Rozuro Data Processing Agreement
Last updated: 19 May 2026
This Data Processing Agreement (“DPA”) governs the processing of personal data by Atypisch in connection with the provision of Rozuro to the Customer, to the extent that Atypisch acts as a processor within the meaning of Article 4(8) of the General Data Protection Regulation (GDPR).
This DPA forms an integral part of the Terms of Service and applies to all Customers who enter or process personal data of third parties (such as clients, suppliers, contacts) in Rozuro.
The Dutch version of this DPA is binding. In case of conflict, the Dutch version prevails.
1. Parties and roles
Controller: the Customer as defined in the Terms of Service. The Customer determines the purposes and means of processing of personal data entered into Rozuro.
Processor: Atypisch (sole proprietorship), Europalaan 2b, 3526 KS Utrecht, KvK 08092524. Atypisch processes personal data exclusively on instruction and on behalf of the Customer.
2. Subject and duration
- Subject: the processing of personal data by Atypisch in the context of the Rozuro service, insofar as Atypisch processes data on behalf of the Customer.
- Duration: this DPA is in force for as long as the Agreement between the Customer and Atypisch is in force, plus the period in which Atypisch holds personal data of the Customer after termination.
3. Nature and purpose of processing
Atypisch processes personal data only for the following purposes:
- providing the Services as described in the Terms of Service;
- storing, accessing, modifying, and exporting data on behalf of the Customer;
- generating, sending, and retaining invoices on behalf of the Customer;
- performing VAT and ICP calculations based on data entered by the Customer;
- providing Customer Data via the API on behalf of the Customer;
- making back-ups and ensuring continuity of the Services;
- security monitoring and incident response.
Atypisch does not process personal data for its own purposes, nor for commercial, analytical, or marketing purposes concerning data subjects.
4. Categories of data subjects and data
Categories of data subjects (depending on what the Customer enters):
- Clients/customers of the Customer
- Suppliers of the Customer
- Contacts at the Customer’s business relations
- Employees, freelancers, or team members of the Customer (for time tracking/projects)
- Other data subjects entered by the Customer
Categories of personal data (depending on what the Customer enters):
- Name, surname
- Email address
- Phone number
- Address details
- Company name, job title
- KvK number, VAT number
- Bank account number (if on invoice)
- Invoice data (amounts, descriptions, projects, hours)
- Other data entered by the Customer
The Customer does not process special categories of personal data (Art. 9 GDPR) or criminal data through Rozuro. If the Customer wishes to do so, prior written contact with Atypisch is required; Atypisch may restrict or refuse such use.
5. Processor obligations
Atypisch undertakes:
- Process only on instruction — only on documented instruction from the Customer (these Terms, the DPA, and Rozuro’s functionality).
- Confidentiality — persons processing personal data under Atypisch’s authority are bound by a duty of confidentiality.
- Security (Art. 32 GDPR) — appropriate technical and organisational measures, as described in Annex A.
- Sub-processors — engagement of sub-processors in accordance with Article 6.
- Cooperation with data subject rights — reasonable assistance with Customer requests to fulfil data subject rights. The Customer remains responsible for handling.
- DPIA and AP consultation — reasonable assistance on request for Data Protection Impact Assessments or consultations with the Dutch Data Protection Authority.
- Data breaches — notification of any data breach affecting Customer’s personal data without undue delay, and no later than 48 hours after discovery, in writing. The notification includes the nature of the breach, affected data, possible consequences, and measures taken or planned.
- Audits — on reasonable request, additional information about compliance with this DPA. At the Customer’s cost and with at least 30 days’ notice, and no more than once per calendar year (unless there is a legitimate reason for an interim audit), Atypisch permits independent audits. Auditors must sign a non-disclosure agreement.
- No transfer outside the EEA — no transfer of personal data outside the EEA without appropriate safeguards under Chapter V GDPR.
6. Sub-processors
- The Customer hereby grants Atypisch general authorisation to engage sub-processors, provided that Atypisch imposes the obligations of this DPA on the sub-processor through a written agreement.
- A current list of sub-processors is available at rozuro.com/legal/sub-processors. As of the effective date of this DPA, these are:
| Sub-processor | Role | Establishment |
|---|---|---|
| Nefos | Hosting and data storage | Eindhoven, NL |
| Simezu | Authentication and payment processing | Eindhoven, NL |
| Mollie B.V. | Payment provider (via Simezu) | Amsterdam, NL |
| Stripe Payments Europe Ltd. | Payment provider (via Simezu) | Dublin, Ireland |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment provider (via Simezu) | Luxembourg |
- Atypisch announces intended changes to the list of sub-processors at least 30 days in advance via email or notification in Rozuro.
- The Customer may object within 14 days on reasoned privacy grounds. If parties do not reach agreement, the Customer may terminate the Agreement with immediate effect.
- Sub-processor liability: Atypisch is liable to the Customer for the acts and omissions of its sub-processors only to the same extent as it is liable for its own acts and omissions under Article 9 of the Terms of Service, including the per-event and per-calendar-year caps (and the absolute cap of €5,000 per calendar year) and the exclusion of indirect and consequential damages set out in that Article. Where the breach by a sub-processor is independently attributable to that sub-processor under the GDPR, the Customer may pursue a direct claim against the sub-processor under Article 82(2) GDPR; in that case, Atypisch will, at the Customer’s reasonable cost, cooperate with the Customer’s documented requests for information and joinder of proceedings. Nothing in this Article 6.5 limits liability for damages caused by intent or wilful recklessness of Atypisch, or to the extent mandatory law does not permit limitation.
7. Controller obligations
The Customer warrants that:
- it has a lawful basis (Art. 6 GDPR, and where applicable Art. 9 GDPR) for processing the personal data it enters into Rozuro;
- data subjects have been properly informed of the processing;
- it complies with its own GDPR obligations, including maintaining a record of processing activities (Art. 30 GDPR) where applicable;
- it instructs Atypisch in a timely and correct manner; it indemnifies Atypisch against claims from data subjects or supervisory authorities arising from a lack of legal basis, insufficient information, or other deficiencies;
- it does not use Rozuro to process special or criminal personal data without prior coordination with Atypisch.
8. Termination and return/deletion of data
- On termination of the Agreement, the regime in Article 12 of the Terms of Service applies:
  - 90-day soft-delete with data export possibility;
  - then anonymisation or deletion, except for invoice data retained under the seven-year fiscal retention obligation (Art. 52 AWR), in anonymised read-only form.
- Atypisch provides free access to the data export function up to 90 days after termination.
- On written request, Atypisch provides written confirmation of deletion or anonymisation.
9. Liability
- Liability of Atypisch under this DPA is subject to the liability limitations of Article 9 of the Terms of Service, except where mandatory law (including the GDPR) does not permit limitation.
- Administrative fines imposed by the Dutch Data Protection Authority are borne by the party on whom they are imposed, unless they are the direct result of an attributable breach by the other party.
10. Governing law and disputes
This DPA is governed exclusively by Dutch law. Disputes are submitted to the District Court of Central Netherlands, location Utrecht.
Annex A — Security measures
Technical measures
- Encryption in transit: all traffic between user and Rozuro, and between Rozuro and its sub-processors (Nefos, Simezu, payment providers), is encrypted using TLS 1.2 or higher. HSTS is enforced on all production hostnames to prevent protocol downgrade. Internal service-to-service traffic within the Nefos infrastructure runs on the private network.
- Encryption at rest: secrets (API keys, webhook secrets, OAuth client secrets, password reset tokens) are encrypted using AES-256 before being written to the database. Passwords are never stored in reversible form — they are hashed by Simezu using argon2id with per-user salt. Customer Data (invoices, accounting records, time entries, attachments) is stored on encrypted block storage provided by Nefos in the Netherlands; daily back-ups are stored encrypted-at-rest on the same Nefos infrastructure.
- Access control: role- and organisation-based; all endpoints protected against IDOR (cross-tenant access) by an organisation-scoped guard layer.
- Authentication: password authentication via Simezu with brute-force protection via rate limiting; session cookies marked HttpOnly, Secure, SameSite=Lax; session lifetime capped at 24 hours and revoked on logout or password change.
- API security: organisation-scoped API keys; rate limits on authentication endpoints; per-key audit log.
- Security headers: HSTS (preload-eligible), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CORS allowlist.
- Logging: security-relevant events logged and retained for 12 months; logs stored on Nefos in the Netherlands.
- Immutability: sent and paid invoices cryptographically protected against modification (versioned, audit-trailed).
- Back-ups: daily back-ups at hosting provider Nefos in the Netherlands, retained for 30 days, encrypted at rest.
Organisational measures
- Confidentiality: all persons with access to personal data bound by confidentiality;
- Need-to-know access: only where necessary for service delivery;
- Sub-processors: all bound by written DPAs with equivalent obligations;
- Security audits: periodic internal audits;
- Data breach procedure: documented procedure for detection, notification, and mitigation.
Contact
Atypisch
Europalaan 2b, 3526 KS Utrecht, the Netherlands
Email: info@atypisch.nl