Last updated: 30-09-2025

Data Processing Agreement

1. This Agreement

Thank you for using Databeamer! Databeamer is currently a bootstrapped provider. While we as the Provider are committed to the highest level of data protection, the scope of our legal and technical support is proportionate to our current capabilities as a startup.

This Data Processing Agreement (“ DPA ”) is entered into by and between: —Full Join, a company established under the laws of the Netherlands, with its registered office at Philetelaan 57, Eindhoven, the Netherlands (“ Provider ”), and —the (business) customer who has accepted or signed the Provider’s Terms of Service or entered into a separate written agreement for the use of Databeamer (“ Customer ”).

The Provider and the Customer are hereinafter referred to individually as a “ Party ” and collectively as the “ Parties ”.

WHEREAS:

The Customer has entered into an agreement with the Provider for the use of Databeamer, a secure, end-to-end encrypted file sharing service (the “ __Service__ ”).
In the course of providing the Service, the Provider may process certain personal data on behalf of the Customer, within the meaning of the General Data Protection Regulation (GDPR) or other applicable privacy laws.
The Parties agree that:
- the Customer acts as the data controller (as defined in Article 4.7 GDPR),
- the Provider acts as the data processor (as defined in Article 4.8 GDPR), with respect to personal data processed by the Provider on behalf of the Customer through the Service.
This DPA sets out the roles, responsibilities, and terms governing the processing of personal data under Article 28.3 of the GDPR, including the required safeguards for lawful and secure data handling.
The DPA forms an integral part of the Agreement (including the [Terms of Service](/legal/terms-of-service)) between the Parties. In case of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail in relation to data protection matters.
Annex 1 of this document provides a description of definitions.

Therefore, the Parties agree as follows:

2. Obligations of the Customer

2.1 Compliance with Applicable Privacy Law

The Customer, acting as the Data Controller, shall ensure that all personal data provided to the Provider for processing via the Service is collected, processed, and transferred in full compliance with Applicable Privacy Law.

2.2 Legal Basis and Lawful Instructions

The Customer represents and warrants that it has a valid legal basis (such as consent, contractual necessity, or legitimate interest) for all personal data processing carried out through the Service, including the disclosure of such data to the Provider in its role as a Data Processor. The Customer shall only issue processing instructions to the Provider that are lawful, documented, and consistent with Applicable Privacy Law.

2.3 Responsibility for Processing

The Customer acknowledges that it is solely responsible for:

Determining the purposes and means of the processing of personal data;
Informing data subjects as required by Applicable Privacy Law;
Ensuring the accuracy, quality, and lawfulness of personal data submitted via the Service.

2.4 Written Instructions

Where the Provider processes personal data on behalf of the Customer (e.g. in a B2B context), such processing shall be carried out only on the documented instructions of the Customer, unless required to do so by law. Any verbal instruction given must be confirmed in writing within five (5) business days.

For the use of the Service by individual consumers, or where no custom data processing terms have been agreed, this DPA and the Terms of Service together constitute the full scope of documented instructions.

Where additional data processing arrangements are required, a separate written addendum may be established between the Parties.

2.5 Instructions and E2EE Limitations

The Customer acknowledges that due to the Provider’s end-to-end encryption architecture, the Provider does not have access to the content of files or messages transmitted through the Service. As such, the Provider is unable to monitor, validate, or modify Customer instructions related to the processing of such content. The Customer agrees to take this into account when issuing instructions.

2.6 Indemnity

The Customer shall indemnify and hold harmless the Provider from and against any claim, loss, damage, or liability arising from a breach by the Customer of its obligations under this DPA or Applicable Privacy Law, including but not limited to any unlawful processing of personal data or failure to obtain appropriate consent or legal basis.

2.7 Annexed Instructions

The initial scope of the processing, including categories of personal data and data subjects, is set out in Annex 1. Any additional or updated instructions must be submitted in writing and must not conflict with the technical design or security limitations of the Service.

3. Obligations of the Provider

3.1 General Compliance

The Provider shall process Personal Data on behalf of the Customer in accordance with the Agreement, this Data Processing Agreement (DPA), and all applicable privacy laws. The Provider acts solely as a Data Processor and shall not determine the purposes or means of the processing of Personal Data.

3.2 Instructions and Purpose Limitation

The Provider shall only process Personal Data on the instructions of the Customer, unless otherwise required by applicable law. In such cases, the Provider shall (unless prohibited by law) inform the Customer prior to processing. Processing shall be strictly limited to what is necessary for delivering the Service as described in the Agreement.

3.3 No Access to Content

Due to the design of the Service, which implements end-to-end encryption (E2EE), the Provider does not have access to the content of any files or messages exchanged between users. As a result, the Provider does not, and cannot, monitor, modify, or retain decrypted Personal Data. The Provider processes only metadata necessary for service functionality and support, in line with the Agreement.

3.4 Confidentiality

The Provider shall ensure that any personnel or sub-processors authorised to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

3.5 Data Subject Requests

Due to the end-to-end encrypted nature of the Service, the Provider does not have access to, and cannot retrieve, the content of any Personal Data processed on behalf of the Customer. As such, the Provider is unable to fulfill access, deletion, or correction requests directly on encrypted content.

If the Provider receives a request from a data subject that relates to Personal Data processed on behalf of the Customer, Provider shall refer request to Customer unless legally required to respond.

The Provider shall offer reasonable assistance in responding to such requests, where technically feasible and appropriate, taking into account the nature of the processing and the Provider’s available resources.

3.6 Assistance with Compliance

We’ll do our best to support you with legal obligations, including DPIAs or questions from regulators, within our technical limits. Questions can be:

conducting data protection impact assessments (DPIAs);
responding to requests from supervisory authorities;
cooperating, upon request, with the Customer in responding to questions or requests from external or internal auditors relating to the processing activities under this DPA.

3.7 Security Measures

The Provider shall implement and maintain appropriate technical and organisational measures to ensure the security of Personal Data, as required by Article 32 of the GDPR. These measures are outlined in Annex 2 - Security Measures of this DPA.

3.8 Data Breach Notification

The Provider shall, without undue delay, notify the Customer upon becoming aware of a Personal Data Breach involving Personal Data processed on behalf of the Customer. Such notification shall include available details to assist the Customer in fulfilling any obligations under Applicable Privacy Law.

3.9 Non-Compliance with Instructions

If, in the Provider’s opinion, an instruction from the Customer infringes Applicable Privacy Law, the Provider shall promptly inform the Customer and may suspend the execution of the instruction until the Customer confirms or modifies it.

3.10 Sub-processors

The Provider may engage sub-processors to carry out specific processing activities, subject to the terms outlined in Clause 4 of this DPA. The Provider shall ensure that such sub-processors are bound by data protection obligations substantially similar to those contained in this DPA.

3.11 Return or Deletion of Data

Upon termination of the Agreement, the Provider shall, at the choice of the Customer, return or securely delete all Personal Data processed on behalf of the Customer, unless applicable law requires continued retention. Due to the E2EE nature of the Service, the Provider does not retain decrypted content data and cannot return or access such data.

3.12 Supervisory Authority Communication

Where legally permitted, the Provider shall inform the Customer without undue delay of any direct communication from a data protection authority or other public body concerning the processing of Personal Data covered by this DPA.

3.13 Recordkeeping

The Provider shall maintain records of processing activities carried out on behalf of the Customer as required under Article 30(2) of the GDPR and shall make such records available to the Customer or supervisory authorities upon request.

3.14 Data Protection Officer

Where required by Applicable Privacy Law, the Provider shall appoint a Data Protection Officer (DPO) and provide relevant contact details to the Customer upon request.

4. Subprocessing

4.1 Authorization to Engage Subprocessors

The Customer grants Databeamer general authorization to engage Subprocessors for the purpose of delivering the services as described in the Agreement. A current list of authorized Subprocessors is available upon request. The Customer will be notified in advance of any intended changes concerning the addition or replacement of Subprocessors, giving them the opportunity to object on reasonable data protection grounds.

4.2 Right to Object

The Customer may reasonably object in writing to the engagement of a new Subprocessor within ten (10) calendar days of receiving the notice. Objections must be based on specific and reasonable grounds related to data protection. In such a case, both parties will work together in good faith to find a suitable resolution. If no resolution can be found, the Customer may choose to terminate the relevant service in accordance with the termination terms in the Agreement.

4.3 Subprocessor Obligations

Databeamer shall enter into an agreement with each Subprocessor that includes data protection obligations no less protective than those set out in this DPA. These obligations shall, at a minimum, require the Subprocessor to:

Process personal data only in accordance with Databeamer’s documented instructions and applicable data protection laws;
Implement appropriate technical and organizational security measures;
Ensure confidentiality and limit access to authorized personnel only.

5. Confidentiality

5.1 Obligation of Confidentiality

Databeamer shall maintain strict confidentiality regarding all Personal Data processed on behalf of the Controller. Personal Data shall not be shared with third parties or affiliated parties except:

where expressly permitted under the Agreement;
as required under applicable law;
with the explicit consent of the Controller; or
in the event of a legal obligation to disclose Personal Data to a third party.

If Databeamer is legally required to disclose Personal Data, it will notify the Controller prior to disclosure unless prohibited by law for important public-interest reasons.

5.2 Access Restrictions

Access to Personal Data is strictly limited to those Databeamer employees or subcontractors who need the information to perform their duties under the Agreement (“need-to-know” basis). All individuals with access are bound by confidentiality obligations, including contractual agreements and internal security policies.

5.3 Security Measures

Databeamer implements technical and organizational measures to protect the confidentiality of Personal Data. These include encryption, access controls, employee training, and regular monitoring of systems to prevent unauthorized access, disclosure, or misuse. See Annex 2 - Security Measures for an overview.

6. Personal Data Transfers outside the EEA

6.1 Scope of Transfers

Databeamer provides its services exclusively to customers in the EU, UK, Norway, and Switzerland. All Databeamer data is hosted within the EU by our hosting provider Scaleway, ensuring that personal data and transferred files remain within European jurisdictions.

6.2 Customer Transfers

While Databeamer allows users to share files with others, the service does not support or facilitate transfers of personal data outside the EU, UK, Norway, or Switzerland. Any customer-initiated sharing with recipients outside these regions is beyond the control of Databeamer and is not part of the service.

6.3 Compliance with Data Protection Laws

Databeamer and its Subprocessors process data in compliance with GDPR, the UK Data Protection Act, the Norwegian Personal Data Act, and the Swiss Federal Data Protection Act. No personal data or transferred files will be hosted or accessed by non-European systems. Given that all processing takes place within the EEA, UK, Switzerland, and Norway, no Standard Contractual Clauses or other transfer mechanisms are currently in use.

6.4 Subprocessor Transfers

If any Subprocessor located outside the EU, UK, Norway, or Switzerland is used (e.g., for development or monitoring purposes), Databeamer ensures that these services do not receive or store any personal data or transferred files. Databeamer remains fully responsible for compliance with applicable data protection laws and continues to safeguard all customer data within European borders.

6.5 Customer Consent

By using Databeamer, customers acknowledge that transfers outside the EEA, UK, Norway, or Switzerland are not supported by the platform. Databeamer will not be liable for any data sharing initiated by customers outside these regions.

7. Data Subject’s Rights

7.1 Assistance with Data Subject Requests

Taking into account the nature of the processing, the Provider shall assist the Customer in fulfilling its obligations under applicable Data Protection Laws with respect to requests from data subjects seeking to exercise their rights (including rights of access, rectification, erasure, restriction, objection, or data portability). This assistance will be provided through appropriate technical and organizational measures, as available within the Services.

7.2 Cooperation and Additional Support

To the extent that the Customer does not have the ability to independently address a data subject request via the provided features of the Service, the Provider will, upon request, provide reasonable additional assistance to enable the Customer to respond to such requests in accordance with its obligations under applicable Data Protection Laws. Any such assistance beyond the standard features of the Service may be subject to reasonable fees, depending on the scope and complexity of the request.

7.3 Requests Received Directly by the Provider

If the Provider receives a data subject request directly and can identify the Customer as the relevant data controller, the Provider shall not respond directly (unless legally required to do so), but shall promptly notify the Customer and forward the request without undue delay. The Provider will act in accordance with the Customer’s lawful instructions when responding to such requests, unless prohibited by applicable law.

7.4 No Restriction on Provider’s Own Responsibilities

For the avoidance of doubt, nothing in this Agreement shall prevent the Provider from responding to data subject requests or inquiries from data protection authorities where the Provider acts as an independent data controller, for example in relation to its own business operations or support communications.

8. Right to Audit

8.1 Provision of Compliance Information

Upon written request, the Provider shall supply documentation reasonably necessary to demonstrate compliance with this Data Processing Agreement and applicable data protection laws. This may include summaries of internal policies, technical and organizational measures, or relevant third-party audit reports or certifications, as available.

8.2 Regulator-Only Audit Access

Due to the early-stage nature of our company and in order to protect operational stability, the Provider does not permit Customer-initiated physical or remote audits. Instead, the Provider will cooperate with audits or inspections initiated by a competent data protection authority, in accordance with applicable law.

8.3 Customer Assurance Through Documentation

Where concerns arise regarding the Provider’s data processing practices, the Provider will work with the Customer in good faith to address them via available documentation, virtual meetings, or other reasonable means, as appropriate.

8.4 Confidentiality of Shared Information

Any compliance-related information shared with the Customer shall be treated as strictly confidential and may not be disclosed to third parties without prior written permission from the Provider, unless legally required.

9. Personal Data Breaches

9.1 Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures designed to ensure the security of Personal Data and to prevent any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such data. These measures are described in Annex 2 (Security Measures) and may be updated from time to time, provided the level of protection is not materially diminished.

9.2 Notification of Personal Data Breach

In the event of a Personal Data Breach affecting the Customer’s Personal Data, the Processor shall notify the Customer without undue delay after becoming aware of the breach. Where feasible, notification shall occur within 48 hours.

9.3 Contents of Notification

The breach notification shall include, to the extent known and reasonably available:

a description of the nature of the breach, including (where possible) the categories and approximate number of affected Data Subjects and records;
whether the Personal Data was encrypted, anonymized, or otherwise protected;
contact details of a relevant contact person at the Processor for further information;
the likely consequences of the breach; and
the corrective or mitigation measures taken or proposed by the Processor.

9.4 Breach Response and Cooperation

The Processor shall take immediate steps to contain and address the Personal Data Breach. Upon request, the Processor shall reasonably assist the Customer in complying with its obligations under applicable privacy law, including notifications to supervisory authorities or affected data subjects.

9.5 Customer’s Responsibility

The Customer remains responsible for fulfilling its legal obligations regarding breach notification to supervisory authorities and data subjects. The Processor will support the Customer in meeting these obligations to the extent reasonably possible and appropriate, given the nature of the breach and the information available.

10. General Provisions

10.1. Communication

All communications relating to this DPA and privacy matters should be directed to the DPO of Full Join. Each Party shall promptly notify the other of any changes to its contact information.

10.2. Term and Termination

This DPA remains in effect for the duration of the Agreement between the Parties, and in any case, for as long as the Processor processes Personal Data on behalf of the Customer. Termination of the Agreement automatically results in the termination of this DPA, subject to any continuing obligations under Clause 3.11 (Return and Deletion of Personal Data).

10.3. Survival

Some obligations, like confidentiality or deletion, will continue even after this agreement ends.

10.4. Modifications

Any amendments or deviations from this DPA shall be communicated to all Customers. A description of the changes will be added in Appendix 2 of this document.

10.5. Entirety and Precedence

This DPA forms an integral part of the Agreement. In the event of any conflict between the terms of this DPA and the [Terms of Service]/(/legal/terms-of-service), the provisions of this DPA shall prevail.

10.6. Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced with a valid one that most closely reflects the original intent.

11. Governing Law and Jurisdiction

11.1 Governing Law

This DPA, and any agreements arising from or relating to them, shall be governed by and construed in accordance with the laws of the Netherlands. If you are a consumer residing within the European Union, you will also benefit from any mandatory provisions of the law of your country of residence.

11.2 Jurisdiction

Any disputes arising from or related to this DPA shall be exclusively submitted to the competent court of Rechtbank Oost-Brabant, locatie Eindhoven, the Netherlands.

If you are a consumer residing within the European Union, you may alternatively bring proceedings before the court of your place of residence or domicile, in accordance with applicable consumer protection laws.

11.3 Language of Proceedings

The official language for any legal proceedings or dispute resolution processes related to this DPA shall be Dutch or English, depending on the context and parties involved. If you are a consumer, you may request the use of the official language of your country of residence, where applicable and feasible.

11.4 Alternative Dispute Resolution

We are committed to resolving any complaints or disputes amicably and encourage you to contact us first to seek a solution.

In the event that a dispute cannot be resolved directly, you may have the option to use alternative dispute resolution (ADR) procedures or mediation before pursuing formal legal action. For consumers within the European Union, you can also find more information on the website of the European Union.

ANNEX 1 - Definitions

To ensure legal compliance and consistent service quality, we limit the availability of our Service to specific eligibility. This section outlines who may access and use the Service, from where, and under what conditions.

Adequacy Decision

A formal decision by the European Commission confirming that a third country offers an adequate level of protection for personal data under Article 45 of the GDPR.

Agreement

The underlying agreement between the Customer and the Provider for the use of the Service, including the Terms of Service or any other contract governing access to Databeamer.

Applicable Privacy Law

All relevant and applicable data protection laws and regulations, including but not limited to:

the General Data Protection Regulation (EU) 2016/679 (“GDPR”),
the UK GDPR and Data Protection Act 2018,
and other applicable laws in jurisdictions where the Provider operates or the Customer is established.

Content

Any files, messages, or data shared or transmitted by the Customer through the Provider’s end-to-end encrypted Service. Due to encryption, Content is not accessible to the Provider.

Data Controller

The entity (e.g., the Customer) that determines the purposes and means of the processing of personal data.

Data Processor

The entity (e.g., the Provider) that processes personal data on behalf of the Data Controller and in accordance with their documented instructions.

Data Subject

An identified or identifiable natural person to whom the personal data relates.

Data Subject Rights

The rights granted to data subjects under Applicable Privacy Law, including (where applicable): the right of access, rectification, erasure, restriction, objection, data portability, and the right to lodge a complaint with a supervisory authority.

EEA

The European Economic Area, which includes all EU member states, Iceland, Liechtenstein, and Norway.

Illegal Content

Any content that is:

unlawful under Applicable Privacy Law or criminal law (e.g. child sexual abuse material);
infringes intellectual property rights or the rights of others;
violates privacy or data protection laws;
is harmful, hateful, discriminatory, misleading, or otherwise prohibited under the Acceptable Use Policy.

Note: The Provider’s E2EE architecture prevents access to or monitoring of Content; reports of illegal activity are investigated where technically feasible and in accordance with legal obligations. Users remain solely responsible for ensuring content shared complies with applicable law.

Personal Data

Any information processed through the Service that can directly or indirectly identify a natural person, as defined under Applicable Privacy Law. The Provider does not access the content of such data due to the nature of end-to-end encryption.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether in transmission, storage, or otherwise processed.

Processing

Any operation performed on personal data, whether automated or not, including collection, storage, use, transfer, or deletion — excluding operations that the Provider is technically unable to perform due to end-to-end encryption.

Service

The secure file-sharing and communication services provided by the Provider under the Agreement, designed to enable E2EE transmission of data between known parties.

Sub-processor

Any third-party service provider engaged by the Provider to assist with the processing of personal data on behalf of the Customer, subject to the same data protection obligations as set out in this DPA.

Transfer Mechanisms

Legal mechanisms that allow for the lawful transfer of personal data outside the EEA or UK, including Adequacy Decisions, SCCs, or Binding Corporate Rules (BCRs), as applicable.

ANNEX 2 - Security Measures

The Processor implements and maintains the following technical and organizational security measures to ensure an appropriate level of protection for Personal Data, in accordance with Article 32 of the GDPR and other applicable data protection laws.

A1. Technical security practices

Our Databeamer service is designed with security and privacy at its core. By integrating technical safeguards at every level of our architecture, we ensure that data remains confidential, intact and available, both at rest and in transit. These measures form the foundation of our technical security strategy. Together with organizational safeguards and our incident response process, they ensure that customer data is protected against both internal and external threats.

A1.1 End-to-end encryption (E2EE)

All data traffic between sender and recipient is protected with end-to-end encryption. This ensures that files and messages are encrypted from the moment they are sent and can only be decrypted by the intended recipients. As a result, our organization and development team do not have access to any unencrypted customer data, guaranteeing maximum privacy and security.

AEAD streaming encryption

During transmission and storage, we use advanced AEAD streaming encryption (Authenticated Encryption with Associated Data), which ensures both confidentiality and integrity.

Streaming cypher

We rely on modern cryptographic techniques such as ChaCha20-Poly1305 in combination with HKDF-SHA256 for key derivation. This streaming cipher technology allows us to efficiently and securely encrypt and process arbitrarily large files without size limitations.

Multi-recipient

Databeamer also supports multiple recipient encryption, enabling one file to be securely shared with multiple recipients without creating separate encrypted copies for each.

Data Integrity with Checksum Validation

Data Integrity with checksum validation To ensure the integrity of files and messages during transfer Databeamer uses checksum validation. A cryptographic hash is generated on the sender’s side and verified on the recipient’s side, confirming that the file or message has not been altered, corrupted, or tampered with during transit. This mechanism complements our end-to-end encryption (E2EE) by not only securing the contents from unauthorized access but also ensuring the content received is exactly what was sent. This validation is performed automatically and transparently, requiring no user interaction.

Storage

For file, message and metadata storage, AES-256 encryption is used, with encryption keys securely managed via a dedicated Key Management System (KMS).

A1.2 Authentication and authorization

We enforce strict identity and access management measures to ensure that only authorized users can access our systems and services. All access is governed by the principles of least privilege and need-to-know, helping to reduce the risk of data exposure and account compromise.

Mandatory Multi-Factor Authentication (MFA)

MFA is enforced for all Databeamer accounts to strengthen login security.

Role-Based Access Control (RBAC)

Access to data and system functionalities is governed by predefined roles, ensuring users can only access what is necessary for their responsibilities.

Authentication monitoring

Login attempts are logged and monitored for anomalies such as brute-force attacks, repeated failed attempts, or access from suspicious IP addresses or geolocations.

Timely access revocation

Access is revoked immediately upon termination or plan change, and access rights are reviewed regularly.

A1.3 Logging and Monitoring

Continuous monitoring and secure logging are vital components of our operational security. These practices help us detect abnormal behavior, respond to incidents quickly, and ensure accountability across our systems.

Centralized logging

All significant system events and user actions are securely logged in a tamper-resistant, centralized system.

Retention and integrity

Logs are protected from modification and retained for the duration defined in our internal policies and legal obligations.

Real-time monitoring and alerting

We use automated systems to detect suspicious activity and raise alerts, enabling swift incident response.

Incident response readiness

All security incidents are handled according to a documented Incident Response Plan.

A1.4 Application security

We follow secure development practices to proactively minimize vulnerabilities and ensure the robustness of our platform. Our approach is grounded in the principles of the Secure Software Development Lifecycle (SSDLC).

Automated security scans

Source code is regularly scanned using Static and Dynamic Application Security Testing (SAST/DAST) tools.

Peer code reviews

All changes are reviewed with a focus on identifying and mitigating OWASP Top 10 risks.

Regular penetration testing

Security assessments are regularly conducted to validate our defenses against real-world threats.

Input validation and sanitization

All user-provided data is validated and sanitized to protect against injection attacks such as XSS or SQL injection.

Vulnerability management

Dependencies and libraries are kept up to date, and security patches are applied promptly as part of our regular update cycle.

These controls are designed to ensure our codebase remains resilient against both common and emerging threats.

A1.5 Network security

We implement robust network-level protections to defend our infrastructure and maintain the confidentiality and availability of customer data. This layer complements our infrastructure security controls (see §3.4) and focuses on isolating environments, restricting access, and protecting against external threats.

Environment segregation

Production systems are logically separated from development and testing environments to prevent accidental crossover or data leakage.

Secure access protocols

All infrastructure access is restricted through VPN and SSH connections secured by key-based authentication.

Firewall protections

Firewalls, Web Application Firewalls (WAF), and additional network filters are used to block unauthorized access and detect malicious traffic.

Abuse prevention

We enforce rate limiting, monitor for unusual patterns, and implement DDoS mitigation strategies to ensure service continuity and performance.

A1.6 Data minimization and redaction

Due to the end-to-end encrypted (E2EE) nature of the Service, we do not have access to the content of files or messages transferred between users. This means we cannot read, monitor, modify, or retain the decrypted contents of any personal data exchanged through the platform.

In addition to the encrypted customer content, we only collect the minimal data required to operate and support the Service. This includes:

Transfer metadata such as timestamps and file sizes, which are necessary for core functionality, diagnostics, and support, as outlined in our Terms of Service;
Automatic redaction and anonymization, built into the file transfer logic, to strip or mask sensitive values (e.g., account details, API tokens, or passwords) from any service-level logs or analytics;
Session Replay (optional and used only for troubleshooting), where sensitive input fields are automatically masked to protect personal or confidential information during session recording.

These measures ensure that only the strictly necessary data is processed, and that personal or sensitive information is never exposed unnecessarily, in line with data minimization principles under the GDPR.

A1.7 Backup and recovery

We have implemented backup and recovery practices to safeguard critical service data and maintain service continuity. Due to the end-to-end encryption (E2EE) nature of our platform, transferred content (files and messages) is never included in backups.

Service infrastructure and operational data (excluding transferred user content) are backed up daily;
Backups are encrypted and stored in a geographically separated, secure location within the EU;
Recovery procedures are tested regularly through documented disaster recovery exercises;
Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined in line with the platform’s risk profile.

Note: Transferred customer content is not recoverable after deletion or expiry, by design.

A1.8 Retention and deletion

The following retention and deletion practices apply to the use of the Databeamer Services:

Transferred files and messages are retained for a maximum of three (3) days from the time of upload. After this period, the content is automatically and permanently deleted. Only minimal metadata related to the transfer (such as timestamps and file size) may be retained for operational, support, and compliance purposes;
Other service-related data (as described in §3.6 Data Minimization and Redaction) is retained only as long as necessary to fulfill business, contractual, or legal obligations;
When retention periods expire, data is irreversibly deleted from our systems using industry-standard deletion methods; End-to-end encryption (E2EE) ensures that we never store or access decrypted content. As such, once transferred files or messages are deleted or expired, they cannot be recovered or returned; — For any non-encrypted data collected in connection with account usage or metadata, customers may request deletion in accordance with applicable data protection laws.

Please refer to our Data Processing Agreement (DPA) for further guidance.

A1.9 Audit and compliance

We regularly evaluate the effectiveness of our security controls and compliance posture through internal and, where relevant, external assessments.

Internal audits are conducted to verify adherence to this Security Policy and related controls;
Logs of relevant system and user actions are retained to support auditability and accountability (see also §3.3 Logging and Monitoring);
Where required, independent audits or third-party assessments (e.g., ISO 27001, SOC 2) may be carried out to validate our practices;
Upon request, and where necessary, we may provide supporting technical documentation to assist with customer audit obligations (see also chapter 8 of this document);
Compliance with applicable regulations and security standards is monitored continuously.

A2. Organisational security practices

Information security is not treated as a standalone responsibility within our company, but as an integral part of how we operate. Both at a strategic and operational level, we have clear roles, responsibilities, and processes in place to safeguard the security of our platform and the data entrusted to us by our customers.

A2.1 Security responsibility

Ultimate responsibility for information security lies with the management. Day-to-day coordination and oversight of security measures is handled by our designated Security Officer, who works closely with all team members to embed security practices throughout our organisation and within the Databeamer application.

A2.2 Policies and governance

We maintain a formal internal Information Security Policy, which is reviewed and updated periodically. All employees are required to accept and adhere to this policy as part of their onboarding process.

A2.3 Employee Awareness

We invest in ongoing security awareness and training. New employees receive onboarding training covering our key security principles, procedures, and behavioral expectations. In addition, we conduct periodic (at least annual) training sessions to keep knowledge up to date, covering topics such as phishing, password management, and the secure handling of sensitive data.

A2.4 Access Management

Access to systems and data is granted based on the principle of least privilege and need-to-know. We implement the following controls across critical systems, including both our Databeamer platform and tools used to support our service operations (such as billing or analytics):

Multi-Factor Authentication (MFA) on all critical systems;
Role-Based Access Control (RBAC) to limit access to specific data and functions;
Regular reviews of employees access rights and permissions.
Former employees’ access is revoked immediately upon termination.

A2.5 Subprocessors and partners

We take a risk-based approach to working with third-party service providers and partners. Subprocessors are selected based on their security posture, and where applicable, we use Data Processing Agreements (DPAs) and conduct security assessments to ensure compliance with our standards.

Third parties that have access to customer data are subject to vetting and ongoing evaluation to ensure adherence to appropriate security and privacy practices. Wherever possible, subprocessors are selected based on their European presence and ownership structure. Preference is given to providers that are headquartered in Europe and have no non-European parent companies or investors, to ensure better alignment with EU data protection principles and sovereignty.

A current list of authorized subprocessors is available upon request. See also chapter 4 for more information.

About & Contact

Databeamer by Full Join

Databeamer is created and licensed by Full Join B.V. and is located in Eindhoven, The Netherlands. Full Join is a software and data development/consultancy agency. We develop applications and provide consultancy services, including advising organizations about data, privacy and development projects.

KVK: 71160620
BTW: NL 858 603 573 B01

Contact Us

For more information about this policy or other legal matters, contact us via our Contact Form