ContactLogin
10ops
The Opportunity FlowOpportunity Readiness LevelDigital Twin10ops & Partners

Legal

On this page

  • Master Terms & Conditions
  • Terms of Use
  • Privacy Notice
  • Data Processing Agreement

10ops Master Terms and Conditions

Version 01 — Effective date: 1 September 2024

Integrated B2B terms for consultancy services, Software / Opportunity Management Tool (OMT), and SampX managed commerce operations.

Party Details

10 ops B.V., trading as 10ops, registered with the Dutch Chamber of Commerce under number 94854742, VAT number NL866914572B01, having its registered office at De Lirp 8, 6419 EW Heerlen, the Netherlands with notice email legal@10-ops.com. Effective date: 01/09/2024.

1. Definitions

Agreement: the agreement between 10ops and Client consisting of the proposal, order form, statement of work, service schedule, DPA, SLA, these Terms, and any amendments.

Client: the legal entity acting in the course of business that contracts with 10ops.

Consultancy Services: advisory, implementation, training, research, facilitation, project execution, opportunity management, and related professional services.

Software / OMT: the Opportunity Management Tool and any related portal, dashboard, API, documentation, configuration, or hosted environment made available by 10ops.

SaaS Services: access to and use of the Software as a hosted or cloud-based service.

SampX Services: managed e-commerce, marketplace, data, order, fulfilment, logistics, and customer support services performed by 10ops on behalf of Client.

Deliverables: reports, analyses, presentations, configurations, implementation outputs, training materials, and other agreed work product expressly identified as deliverables.

Third-Party Services: software, hosting, cloud tools, payment providers, marketplaces, carriers, warehousing, fulfilment, and other services not owned and operated by 10ops.

Confidential Information: all non-public commercial, technical, financial, legal, operational, and strategic information disclosed by one party to the other.

Personal Data, Controller, Processor, Data Subject, and Processing have the meanings given in the GDPR.

Business Day: a day other than a Saturday, Sunday, or public holiday in the Netherlands.

Force Majeure Event: any event beyond a party's reasonable control, including internet outages, cyber incidents, utility failures, war, strikes, emergency government measures, supplier failures, pandemics, sanctions, or carrier disruptions.

2. Applicability and Contractual Structure

These Terms apply to all offers, quotations, order forms, statements of work, services, Software, and SampX Services provided by 10ops.

Any terms and conditions of Client are expressly rejected unless expressly accepted in writing by 10ops.

Precedence: (i) these Terms; (ii) signed order form or statement of work; (iii) signed schedule or SLA; (iv) signed DPA; (v) purchase order for administrative purposes only.

Notwithstanding the foregoing, the provisions relating to fees and payment, intellectual property, confidentiality, data protection, warranties and disclaimers, indemnities, limitation of liability, suspension, termination, governing law and dispute resolution shall prevail over any order form, statement of work, schedule, purchase order, procurement portal terms, email or other Client document unless the relevant document expressly identifies the clause being amended and expressly states that it overrides that specific clause.

Electronic acceptance, including e-signature, click acceptance, emailed approval, and procurement portal acceptance, is binding.

These Terms may only be varied by a written agreement signed by authorized representatives of both parties.

3. Offers, Formation, and Change Control

All quotations and proposals are non-binding unless expressly stated otherwise.

The Agreement is formed when a proposal or order is signed, accepted electronically, or when 10ops starts performance at Client's request.

Scope, timelines, budgets, and staffing are based on assumptions known at the time of contracting and may be adjusted if inputs, dependencies, or scope change.

Any change request may lead to revised fees, milestones, acceptance criteria, and resource commitments.

4. Nature of the Services

Unless expressly agreed otherwise, all services are performed on a best-efforts basis and not as a result obligation. No obligation of 10ops shall be interpreted as an obligation to achieve a specific result unless the Agreement expressly states: "this obligation is a result obligation." Any deadlines, estimates, forecasts, business cases, opportunity assessments, market analyses, sales expectations, implementation plans, or commercial projections are indicative only unless expressly agreed otherwise in writing.

10ops does not guarantee any specific strategic, commercial, financial, operational, deal, sales, margin, or efficiency result.

10ops may use subcontractors, affiliates, and Third-Party Services in performing the Agreement.

10ops may refuse instructions that are unlawful, unsafe, non-compliant, unethical, or materially outside the agreed scope.

4.5 Advisory, Analytical and Automated Outputs

Analyses, reports, recommendations, forecasts, market assessments, business cases, opportunity assessments, rankings, scores, dashboards, models, financial projections, commercial projections and other outputs provided by 10ops are based on information available at the time, Client inputs, assumptions, third-party information, public sources, professional judgement and, where applicable, automated or AI-assisted tools.

Such outputs are intended solely as decision-support information and shall not be construed as guarantees, commitments or predictions of future results.

10ops does not warrant that any such output is complete, accurate, current, error-free or suitable for a specific business, commercial, investment, legal, regulatory or operational purpose.

Client remains solely responsible for independently validating all outputs and for all business, investment, commercial, operational, legal and strategic decisions made based upon them.

5. Consultancy Services

Consultancy Services may include advisory work, market analysis, training, workshops, implementation support, project execution, and business development support.

Deliverables, configurations, reports, analyses, workshops, training materials, data outputs, dashboards, implementation outputs, and other work products are deemed accepted upon the earliest of: a. written approval by Client; b. use in business operations; c. sharing with third parties; d. publication, implementation, upload, or deployment; or e. expiry of 10 Business Days after delivery without a substantiated written rejection.

Rejection is only valid if Client identifies a material non-conformity against expressly agreed written specifications. General dissatisfaction, changed business priorities, internal disagreement, or comments on style, format, assumptions, or commercial conclusions do not constitute valid rejection.

Minor defects or comments do not justify rejection and will be addressed through reasonable clarification or correction where applicable.

10ops retains the right to reuse general know-how, methods, templates, models, and experience developed during the performance of services, provided no Client Confidential Information is disclosed.

6. Software / OMT

6.1 License and Use Rights

Subject to timely payment and compliance with the Agreement, 10ops grants Client a limited, non-exclusive, non-transferable, non-sublicensable right during the term to access and use the OMT for its internal business purposes.

Client shall not copy, modify, reverse engineer, decompile, lease, sublicense, resell, or use the OMT to build a competing service, except to the extent mandatory law expressly permits such limitations to be overridden.

Client must keep credentials secure and ensure that access is limited to authorized users.

6.2 Availability and Support

Unless stated in a signed SLA, 10ops does not guarantee uninterrupted or error-free operation, feature permanence, or specific uptime levels.

Planned maintenance, emergency patching, updates, and security actions may temporarily affect availability.

10ops may change, enhance, replace, or discontinue features, provided the core contracted functionality is not materially withdrawn without reasonable notice.

6.3 Third-Party Integrations

10ops is not responsible for the availability, pricing, legality, security, or continuity of Third-Party Services or APIs, including changes imposed by those providers.

If a Third-Party Service materially changes, 10ops may adjust dependent functionality without liability, subject to good-faith change management.

7. SampX Managed Commerce and Logistics Services

SampX Services may include webshop operations, marketplace support, order administration, content operations, fulfilment coordination, logistics coordination, returns coordination, reporting, and customer support operations.

Unless expressly agreed otherwise, 10ops acts only as service provider and/or disclosed agent on behalf of Client and not as seller of record, merchant of record, importer of record, exporter of record, manufacturer, or owner of the goods.

Client remains solely responsible for product quality, product safety, conformity, labeling, product claims, recalls, warranties, destination-country permissibility, CE marking where relevant, and all sector-specific legal compliance.

If 10ops coordinates warehousing, transport, customs, or fulfilment services, it may do so via Third-Party Services and subcontractors selected by 10ops.

All freight, storage, fulfilment, customs, packaging, duties, taxes, and return costs are for Client's account unless explicitly agreed otherwise in writing.

Visible loss, shortages, or transport discrepancies must be reported within 2 Business Days after delivery; hidden damage or stock discrepancies within 5 Business Days after discovery, without prejudice to shorter mandatory time limits imposed by carriers or subcontractors.

Refunds, chargebacks, fraud losses, product liability claims, and consumer claims remain at Client's risk unless a written schedule expressly reallocates them.

8. Client Obligations

Client shall provide timely, accurate, complete information, decisions, materials, data, approvals, and access reasonably required for performance.

10ops may rely on information and instructions supplied by Client and is not obliged to independently verify their completeness, accuracy, or legality.

Client is responsible for its internal systems, network security, user access controls, endpoint security, back-ups, and lawful use of the Services and Software.

Any delay, cost increase, loss of productivity, resource reallocation, remobilization, schedule impact or service interruption caused wholly or partially by Client acts or omissions shall entitle 10ops to adjust timelines, milestones, delivery dates, resource commitments and fees.

Where Client delays provision of information, access, approvals, decisions, feedback, systems, personnel or other dependencies required for performance, all affected deadlines and delivery dates shall automatically be extended by at least the duration of the delay.

If a Client-caused delay exceeds ten (10) Business Days, 10ops may reallocate personnel and resources and revise schedules, availability and fees accordingly.

9. Fees, Invoicing, and Payment

Fees are as specified in the applicable order form, statement of work, subscription schedule, or price schedule.

All prices are exclusive of VAT and other taxes, withholding taxes, duties, customs charges, levies, bank costs, and pass-through Third-Party charges unless expressly stated otherwise.

10ops may invoice subscriptions in advance, time-and-materials monthly in arrears, projects by milestone, and pass-through charges as incurred.

Invoices are payable within 14 days of invoice date unless explicitly agreed otherwise.

Client shall not withhold, delay, suspend, reduce or set off any payment due to alleged disputes, counterclaims, internal approval processes, procurement procedures, purchase order requirements, vendor onboarding delays, procurement portal issues, invoice-routing errors or administrative matters.

The absence of a purchase order number, procurement system approval or similar administrative requirement shall not relieve Client from its obligation to pay invoices when due.

If Client requires specific invoicing or procurement procedures, Client remains solely responsible for ensuring such procedures are completed in time to allow payment by the due date.

If Client fails to pay on time, 10ops may charge statutory commercial interest and reasonable collection costs and may suspend access and services until outstanding amounts are paid.

10ops may index or adjust recurring fees annually to reflect inflation, wage growth, supplier cost increases, or expanded compliance obligations upon at least 30 days' prior notice.

10. Intellectual Property

All intellectual property rights in the Services, Software, templates, methods, models, documentation, improvements, and generic know-how remain vested in 10ops or its licensors.

Except where expressly stated otherwise, payment of fees does not transfer ownership of intellectual property rights to Client.

Subject to full payment, Client receives a non-exclusive right to use Deliverables and the Software solely for its internal business purposes under the Agreement.

Feedback, ideas, and suggestions supplied by Client may be used by 10ops without restriction or additional compensation.

11. Confidentiality

Each party shall keep the other party's Confidential Information confidential and use it only for the purposes of the Agreement.

This obligation does not apply to information already lawfully known, independently developed, lawfully received from a third party without duty of confidence, or that becomes public without breach.

Disclosure required by law, court order, stock exchange rules, or regulatory requirement is permitted, provided prior notice is given where legally allowed.

12. Data Protection and Security

Each party shall comply with applicable data protection law, including the GDPR.

Where 10ops processes Personal Data on behalf of Client, the parties shall enter into a Data Processing Agreement; if no standalone DPA is signed, the fallback DPA in the package shall apply as incorporated by reference.

Client warrants that it has a lawful basis for all Personal Data made available to 10ops and that its instructions are lawful.

10ops will apply commercially reasonable technical and organizational measures proportionate to the nature of the relevant Services and risks.

Internet-based systems can never be guaranteed fully secure; 10ops does not warrant absolute security.

13. Warranties and Disclaimers

10ops warrants that it will perform services with reasonable skill and care expected from a professional service provider in its field.

Except as explicitly stated, the Services, Deliverables, Software, and SampX Services are provided "as is" and "as available".

10ops disclaims implied warranties to the maximum extent permitted by law, including fitness for a particular purpose, merchantability, non-infringement, uninterrupted operation, or suitability for a result not expressly agreed in writing.

Client remains responsible for verifying outputs, recommendations, configurations, and operational decisions before use in production or business-critical decisions.

14. Indemnities

Client shall indemnify and hold harmless 10ops, its affiliates, directors, employees, and subcontractors against third-party claims, losses, damages, fines, costs, and expenses arising from Client products, product defects, labeling, warranty claims, recalls, product content, product compliance, export/customs issues, sanctions issues, tax/VAT issues, chargebacks, fraud, consumer claims, or Client's breach of law or third-party rights.

10ops shall defend Client against a third-party claim that the unmodified OMT, as delivered by 10ops and used in accordance with the Agreement, directly infringes a third party's intellectual property right in the EU or U.S., subject to prompt notice, control of defense by 10ops, and Client's cooperation.

10ops has no liability for infringement claims caused by Client specifications, Client data, Client instructions, third-party combinations, customizations not made by 10ops, or continued use after notice to stop.

If an infringement claim appears likely, 10ops may procure continued use rights, modify or replace the affected functionality, or terminate the relevant affected part and refund prepaid unused fees for that affected part. This is Client's exclusive remedy for such claims.

15. Limitation of Liability

Nothing in the Agreement excludes or limits liability to the extent prohibited by applicable law, including liability for wilful misconduct or gross negligence of 10ops management where such exclusion is not legally permitted.

Subject to the previous sentence, the aggregate liability of 10ops, its affiliates, directors, officers, employees, contractors and subcontractors arising out of or in connection with the Agreement shall not exceed the lower of: (i) the fees actually paid to 10ops by Client under the affected Agreement during the twelve (12) months immediately preceding the event giving rise to the claim; or (ii) EUR 50,000.

For purposes of calculating the liability cap, fees exclude VAT, taxes, customs duties, pass-through charges, media spend, marketplace fees, payment provider fees, fulfilment costs, logistics costs, software license costs, hosting costs, reimbursed expenses and any other third-party costs.

If a claim relates only to a specific project, schedule, statement of work, or subscription, the liability cap is limited to the fees paid for that specific part in the twelve months preceding the event.

To the maximum extent permitted by law, 10ops is not liable for indirect or consequential loss, loss of profits, loss of revenue, loss of opportunities, loss of savings, business interruption, loss of goodwill, loss or corruption of data, or third-party claims except where expressly covered by an indemnity or DPA.

For SampX Services, 10ops is not liable for product liability, recall costs, tax or customs assessments, fraud, chargebacks, counterfeit claims, destination-country restrictions, or delay/non-performance of carriers, warehouses, customs agents, payment providers, and marketplaces.

Client must notify 10ops of any claim in writing as soon as reasonably possible and, in any event, within 30 days after becoming aware of the event. Any claim lapses if not brought within 12 months after Client became aware, or reasonably should have become aware, of the damage and 10ops' possible liability.

16. Force Majeure

Neither party is liable for delay or non-performance caused by a Force Majeure Event.

The affected party shall inform the other party as soon as reasonably practicable.

If the Force Majeure Event continues for more than 60 days, either party may terminate the affected part of the Agreement by written notice without liability for damages.

17. Term, Suspension, and Termination

10ops may suspend services or access immediately if Client fails to pay undisputed invoices, materially breaches the Agreement, exposes 10ops to compliance or security risk, or issues unlawful instructions.

Either party may terminate for material breach not cured within 30 days of written notice.

Either party may terminate immediately if the other party enters insolvency, liquidation, cessation of business, or a similar procedure.

Upon termination, accrued payment obligations remain due, Client must cease use of the Software, and 10ops may disable access after a reasonable offboarding period.

Unless otherwise agreed in writing, 10ops may delete Client data 30 days after termination, subject to legal retention, evidence preservation, archival backups, and security obligations.

18. Publicity, Assignment, and Subcontracting

Unless Client objects in writing, 10ops may identify Client's name and logo in general client reference lists. Press releases require prior written consent unless disclosure is mandated by law or stock exchange rules.

Client may not assign the Agreement without 10ops' prior written consent, except to an affiliate as part of an internal reorganization where the assignee remains creditworthy.

10ops may assign the Agreement to an affiliate or in connection with a merger, sale, or reorganization and may use subcontractors and Third-Party Services.

Non-Solicitation

During the term of the Agreement and for a period of twelve (12) months thereafter, Client shall not directly or indirectly solicit, hire, engage, employ or contract with any employee, contractor, consultant, advisor, freelancer or subcontractor of 10ops who was involved in the performance of the Agreement.

In the event of breach of this clause, Client shall immediately pay 10ops liquidated damages equal to twelve (12) months of the relevant individual's gross annual compensation or, for contractors and consultants, twelve (12) months of their average fees charged to 10ops.

This shall not affect 10ops' right to recover additional damages to the extent permitted by law.

19. Governing Law and Disputes

The Agreement and all non-contractual obligations connected with it are governed by Dutch law, excluding the CISG.

All disputes shall be submitted exclusively to the competent court in [competent court in the Netherlands, e.g., Amsterdam or Limburg], unless 10ops elects another competent forum permitted by law.

20. Miscellaneous

If any provision is invalid or unenforceable, the remaining provisions remain in force and the parties shall replace the invalid provision with one that most closely reflects the original commercial intent.

Failure or delay to enforce a right does not constitute waiver.

The English version prevails unless another language version is expressly agreed to prevail.

Updated versions of these Terms may apply to renewals, new orders, and recurring services upon prior notice, provided no already vested rights are impaired.

10ops Opportunity Management Tool (OMT) – Terms of Use

Version 01 — Effective date: 1 September 2024

1. Introduction

These Terms of Use ("Terms of Use") govern access to and use of the Opportunity Management Tool (OMT) provided by 10 ops B.V. ("10ops").

These Terms apply to all individual users ("User") accessing the OMT on behalf of a client organization ("Client"). By using the OMT, Users agree to comply with these Terms.

2. Relationship with Master Agreement

These Terms complement the agreement between 10ops and the Client, including the Master Terms & Conditions, SaaS Schedule, and DPA. In case of conflict, the client agreement prevails.

3. User Access and Accounts

Users must use individual credentials, keep them confidential, and report unauthorized access. The Client is responsible for granting and revoking access.

4. Permitted Use

Users may use the OMT only for internal business purposes of the Client and in a lawful and professional manner.

5. Prohibited Use

Users shall not misuse the system, including reverse engineering, unlawful data use, system disruption, unauthorized sharing, or using the tool for competing products.

6. User Responsibilities

Users are responsible for accurate data entry, compliance with law, and proper use of outputs.

7. Data Handling and Client Content

The Client and its Users remain solely responsible for all information, content, documents, data, files, records, personal data and materials uploaded, entered, imported, processed or stored within the OMT ("Client Content").

10ops is not responsible for verifying the legality, accuracy, completeness, ownership or reliability of Client Content.

Client warrants that it possesses all rights, permissions, licenses, consents and legal bases necessary to upload and use Client Content within the OMT.

Client shall not upload any content that infringes intellectual property rights, confidentiality obligations, privacy rights, export restrictions, sanctions regulations or other applicable laws.

Client shall indemnify and hold harmless 10ops against any third-party claim arising from Client Content, Client instructions or Client's use of the OMT.

8. Security Obligations

Users must protect credentials, follow security practices, and report incidents. 10ops may enforce security actions.

9. Intellectual Property

All IP rights remain with 10ops. Users receive no ownership rights and must not alter IP notices.

10. Availability and Changes

The OMT is provided as available. Features and availability may change due to maintenance or updates.

11. Monitoring, Security and Platform Protection

10ops may monitor use of the OMT for security, compliance, capacity planning, maintenance, misuse prevention and service improvement purposes.

10ops may investigate suspected misuse, security incidents, fraud, excessive usage, unlawful behavior, intellectual property infringement or violations of these Terms.

Users shall cooperate with reasonable investigations relating to platform security or misuse.

12. Suspension and Termination

10ops may immediately suspend, restrict, disable or terminate access to the OMT, without prior notice and without liability, where 10ops reasonably believes that:

(a) these Terms have been violated;

(b) the security, integrity or availability of the OMT may be affected;

(c) unlawful, fraudulent or abusive activity may be occurring;

(d) a legal, regulatory, sanctions, compliance or reputational risk exists;

(e) continued access could expose 10ops, other users or third parties to risk.

10ops may remove, quarantine or restrict access to data, content or accounts where reasonably necessary to protect the security, integrity or lawful operation of the OMT.

13. Third-Party Integrations

Third-party services may be used and are not controlled by 10ops.

14. Disclaimers and Limitation of Responsibility

The OMT is a decision-support platform only.

Information, dashboards, analytics, reports, rankings, opportunity scores, recommendations, forecasts, assessments, workflows and other outputs generated by or through the OMT are provided for informational purposes only.

Such outputs may depend on User input, Client input, assumptions, third-party information, imported data, algorithms, configurations or automated processes and may be incomplete, inaccurate or outdated.

10ops does not warrant that any output, recommendation, score, analysis, report or assessment generated by the OMT is accurate, complete, error-free, fit for a particular purpose or suitable for any business, commercial, investment, operational, legal, regulatory or strategic decision.

Users and Clients remain solely responsible for independently verifying all information and for all decisions, actions and omissions taken based on the OMT.

Use of the OMT does not constitute professional, legal, financial, tax, technical, investment or regulatory advice.

15. Updates to Terms

10ops may update these Terms. Continued use implies acceptance.

16. Contact

For questions: legal@10-ops.com

Privacy Notice

Version 01 — Effective date: 1 September 2024

Your Privacy Matters

At 10 ops BV, we are committed to safeguarding your personal information and ensuring your privacy is protected. This Privacy Notice explains how we collect, use, share, and protect your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant legislation.

1. Information We Collect

We collect personal data that you voluntarily provide to us when you:

  • Visit our website or use our services
  • Subscribe to newsletters or other communications
  • Request information or customer support
  • Apply for job opportunities

The types of personal data we may collect include:

  • Name, email address, phone number, and company details
  • Billing and payment information
  • IP address, browser type, and device information
  • Any other personal information you choose to provide

2. How We Use Your Information

We use your personal data for the following purposes:

  • To provide services: Deliver the products, services, or information you request.
  • Communication: Respond to inquiries, send updates, and provide customer support.
  • Marketing: Send you promotional materials, newsletters, or offers if you have opted in.
  • Improvement: Analyze usage patterns to enhance our website and services.
  • Legal compliance: Meet legal obligations and respond to government authorities when required.

3. Sharing Your Information

We do not sell your personal data. We may share your information with third parties under the following circumstances:

  • Service Providers: To trusted partners who help us operate our website and provide services, such as payment processors, hosting providers, or marketing platforms.
  • Legal Requirements: When we are legally obligated to disclose information to government authorities or other relevant third parties.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or part of our business, your information may be transferred.

4. Data Security

We implement reasonable technical and organizational measures to protect your personal data from unauthorized access, loss, or misuse. Despite our efforts, no security measures are 100% secure, and we cannot guarantee the absolute security of your data.

5. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request corrections to any inaccurate or incomplete information.
  • Deletion: Request that we delete your personal data, subject to legal requirements.
  • Opt-out: Withdraw consent for marketing communications at any time.
  • Data portability: Request a copy of your data in a structured, machine-readable format.

To exercise any of these rights, please contact us at Privacy@10-ops.com.

6. Retention of Data

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Once data is no longer needed, we securely delete or anonymize it.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our website and analyze usage. You can manage your cookie preferences through your browser settings.

8. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. Any changes will be posted on this page, and the "Effective Date" at the top will reflect the date of the latest revision. We encourage you to review this notice periodically to stay informed of how we protect your personal data.

9. Contact

For questions: legal@10-ops.com

10ops Data Processing Agreement (DPA)

Version 01 — Effective date: 1 September 2024

Article 28 GDPR compliant companion agreement.

Drafting note: This document is a commercially robust template starting point for B2B use by 10ops. It is not legal advice and should be reviewed by Dutch counsel before first use, especially for listed companies, U.S. customers, public procurement, regulated products, and cross-border data transfers.

1. Parties and Relationship

This Data Processing Agreement is entered into between 10 ops B.V. as Processor and the Client identified in the relevant order form or master agreement as Controller, unless the parties expressly agree another role allocation in writing.

2. Purpose and Priority

This DPA governs the Processing of Personal Data by Processor on behalf of Controller under the principal agreement.

If there is a conflict between this DPA and the principal agreement regarding Personal Data Processing, this DPA prevails to the extent of the conflict.

3. Details of Processing

Subject matter: provision of consultancy services, OMT SaaS services, and/or SampX managed commerce and logistics support as described in the principal agreement.

Duration: for the term of the principal agreement plus the period required for return, deletion, backup retention, legal retention, and any agreed transition support.

Nature and purpose: hosting, support, administration, analytics, communication, reporting, project delivery, workflow handling, e-commerce operations support, fulfilment coordination, and related service delivery activities as instructed by Controller.

Categories of data subjects may include Controller personnel, prospects, customers, suppliers, business contacts, site users, marketplace contacts, or other individuals whose data Controller instructs Processor to handle.

Types of Personal Data may include names, business contact details, account identifiers, transactional metadata, opportunity records, order information, support correspondence, and other data supplied by Controller. Special categories of data should not be processed unless expressly agreed in writing and supported by an adequate legal basis and security plan.

4. Processor Obligations

Processor shall process Personal Data only on documented instructions from Controller unless required by Union or Member State law.

Processor shall ensure that persons authorized to process Personal Data are subject to confidentiality obligations.

Processor shall implement appropriate technical and organizational measures under Article 32 GDPR, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing.

Processor shall assist Controller, taking into account the nature of the Processing and information available to Processor, with responding to requests from Data Subjects and with Controller's obligations under Articles 32 to 36 GDPR, insofar as legally required and reasonably possible.

If Processor believes an instruction infringes applicable data protection law, Processor may inform Controller and may suspend the relevant Processing until clarified.

5. Controller Obligations

Controller warrants that it has a valid legal basis for the Processing and for providing the Personal Data to Processor.

Controller is responsible for the accuracy, quality, and legality of the Personal Data and the means by which Controller acquired the data.

Controller is responsible for notices, consents where applicable, legal assessments, records of processing, DPIAs, transfer assessments, and internal governance unless expressly agreed otherwise.

Controller shall not instruct Processor to process Personal Data in a manner that violates applicable law.

6. Subprocessors

Controller grants Processor a general authorization to engage subprocessors for hosting, infrastructure, support tooling, communications, analytics, security, fulfilment support, and other legitimate service delivery needs.

Processor shall impose data protection obligations on subprocessors that are not less protective than those in this DPA, to the extent required by Article 28 GDPR.

Processor remains responsible for the performance of subprocessors as required by GDPR.

Processor shall maintain a current list of material subprocessors on its website or provide such list upon request.

Processor shall provide at least thirty (30) days' notice of any addition or replacement of a material subprocessor.

Controller may object within thirty (30) days on reasonable and documented data-protection grounds.

If the parties cannot resolve the objection, either party may terminate the affected services without liability.

7. International Data Transfers

Where Personal Data is transferred outside the EEA, Processor shall ensure an appropriate transfer mechanism is in place, such as adequacy regulations or the European Commission's standard contractual clauses, as applicable.

The parties shall cooperate in good faith if supplementary transfer measures or transfer impact assessments are reasonably required.

8. Security

8.1 Security Measures

Processor shall maintain technical and organizational measures appropriate to the risks, which may include access control, MFA/SSO options where available, least-privilege principles, encryption or pseudonymization where appropriate, secure development and change practices, logging as reasonably appropriate, vulnerability management, backup routines, and incident response procedures.

Controller acknowledges that no measure can guarantee absolute security and that security obligations are obligations of means, not strict guarantees of result.

8.2 Shared Security Responsibility

Controller acknowledges that security is a shared responsibility. Controller remains responsible for:

  • (a) user access management;
  • (b) password policies;
  • (c) endpoint security;
  • (d) lawful configuration and use of the Services;
  • (e) accuracy and minimization of uploaded Personal Data;
  • (f) management of permissions granted to its users.

Processor shall not be responsible for security incidents resulting from Controller's systems, devices, credentials, networks, users or configurations.

9. Personal Data Breaches

Processor shall notify Controller without undue delay and, where reasonably possible, within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Controller.

Such notice will include, to the extent available, the nature of the breach, likely consequences, and measures taken or proposed to address the breach.

Processor's notification of a Personal Data Breach is not an admission of fault or liability.

10. Audit and Compliance Information

Processor shall make available to Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR.

Audits by Controller or its auditor are limited to once per year, during normal business hours, with at least 30 days' notice, subject to confidentiality safeguards, no access to other clients' information, and reimbursement of reasonable costs where legally permissible.

Processor may satisfy audit requests by providing certifications, reports, policies, summaries, or independent assurance artifacts where appropriate.

11. Assistance and Additional Charges

Assistance beyond Processor's standard obligations, including bespoke legal questionnaires, excessive audit support, legacy data exports, regulator interactions, or extensive Data Subject request handling, may be charged at Processor's then-current professional services rates unless the need arose from Processor's proven breach of this DPA.

Processor may satisfy security, compliance and audit requests through provision of certifications, security summaries, policies, reports, questionnaires or other reasonable compliance documentation.

Controller shall not require Processor to disclose confidential security information, source code, penetration test reports, information relating to other customers or security information that may increase security risk.

12. Return and Deletion

Upon termination of the principal agreement, Processor shall, at Controller's choice, delete or return Personal Data after the end of the provision of services relating to Processing, unless Union or Member State law requires storage.

Processor may retain Personal Data in archival backups, legal hold systems, security logs, and evidential records for the period reasonably required under applicable law, security practice, or legitimate defense of claims, provided such retained data remains protected and is not actively processed for other purposes.

Unless otherwise agreed, customer data shall be deleted within thirty (30) days after termination, subject to backup cycles, legal retention obligations and legitimate claim-preservation requirements.

13. Liability

Except where prohibited by applicable law, all exclusions, limitations and caps of liability contained in the principal agreement shall apply equally to this DPA and any claims arising from processing of Personal Data.

No party limits liability where such limitation is prohibited by applicable law.

14. Business contact data

The parties acknowledge that the Services are primarily designed for business-to-business use.

The parties expect that the majority of Personal Data processed consists of business contact information, professional profile information, customer relationship information and other low-risk business data.

Controller shall not intentionally upload special category personal data, health data, biometric data, genetic data, criminal records data, children's data or other highly sensitive personal data unless expressly agreed in writing.

15. Annex A – Processing Description Template

Business purpose(s):

  • Provision, operation, support and maintenance of the 10ops Opportunity Management Tool (OMT);
  • Provision of consultancy, business development, implementation, project execution, training, research and related professional services;
  • Opportunity identification, qualification, assessment, prioritization, tracking and reporting;
  • Customer relationship and stakeholder management;
  • Project management, workflow management and collaboration;
  • User administration, authentication and access management;
  • Customer support, service delivery and issue resolution;
  • Generation of dashboards, reports, analytics and business insights;
  • Operation of SampX managed commerce services, including webshop support, marketplace support, fulfilment coordination, logistics coordination, order administration and customer support;
  • Security monitoring, incident management, service improvement, compliance management and business continuity activities.

Systems / modules used:

  • 10ops Opportunity Management Tool (OMT)
  • Microsoft Azure platform services
  • Microsoft 365 services
  • Microsoft SharePoint
  • Microsoft Teams
  • Microsoft Entra ID (Azure Active Directory)
  • Microsoft Power Platform components where applicable
  • Customer-specific integrations approved by Client
  • Data storage, backup, monitoring, logging and security systems required for operation and protection of the Services

Categories of data subjects:

  • Client employees
  • Client officers, directors and representatives
  • Authorized users of the Services
  • Prospects and leads managed by Client
  • Customers and customer contacts of Client
  • Suppliers and supplier contacts of Client
  • Business partners, distributors and agents
  • Website visitors where applicable
  • Marketplace users where applicable
  • Service providers acting on behalf of Client
  • Other business contacts entered into the Services by Client

Types of personal data:

  • Name
  • Business email address
  • Business telephone number
  • Job title
  • Department
  • Company name
  • Business address information
  • User account identifiers
  • Authentication and login information
  • System access logs
  • IP addresses
  • Device and browser information
  • Communication records
  • Meeting notes
  • Project records
  • Opportunity records
  • Customer relationship records
  • Support tickets and correspondence
  • Transaction metadata
  • Order information
  • Marketplace interaction records
  • Workflow data
  • Uploaded files and documents containing personal data as determined by Client
  • Other personal data voluntarily entered by Client into the Services

Special categories data:

Processing of special category personal data, criminal records data, health data, biometric data, genetic data, data relating to children and similar sensitive personal data is not intended and is prohibited unless expressly agreed in writing between the parties.

Where such processing is expressly approved, the parties shall document appropriate safeguards, security measures and legal bases prior to processing.

Retention logic:

Personal Data shall be retained during the term of the Agreement.

Upon termination or expiry of the Agreement, Personal Data shall be returned or deleted in accordance with the Agreement and applicable law.

Processor may retain Personal Data in archival backups, security logs, disaster recovery systems, legal hold systems and evidential records for the period reasonably necessary to satisfy legal, regulatory, security, audit and claim-preservation requirements.

Unless otherwise agreed, active Customer Data shall be deleted within thirty (30) days following termination of the Services, subject to backup cycles and legal retention obligations.

International transfers:

Personal Data may be processed within the European Economic Area.

Where Personal Data is transferred outside the EEA, Processor shall ensure that an appropriate transfer mechanism is in place, including an adequacy decision, Standard Contractual Clauses or another lawful transfer mechanism recognized under applicable data protection law.

International transfers may occur through approved subprocessors, support services, cloud infrastructure providers and security service providers engaged by Processor.

Approved subprocessors specific to this client:

Unless otherwise agreed in writing, the following categories of subprocessors may be engaged:

  • Cloud hosting providers
  • Identity and access management providers
  • Business productivity and collaboration providers
  • Email and communications providers
  • Backup and disaster recovery providers
  • Monitoring and security providers
  • Customer support and ticketing providers
  • Analytics providers
  • Fulfilment, logistics and marketplace support providers where applicable to SampX Services

Non-exhaustive list: Microsoft Azure, Microsoft 365, SharePoint, Teams, Outlook, Dify.

The parties acknowledge that 10ops generally acts as Processor where it processes Personal Data on behalf of Client through OMT or managed services.

For certain consultancy engagements, strategic advisory services, business development activities or independent analyses, the parties may act as independent Controllers. The specific role allocation shall be determined by the nature of the relevant Processing activity.

16. Annex B – Minimum Technical and Organizational Measures (TOMs)

  • Access control and identity management
  • Confidentiality obligations for personnel and contractors
  • Patch and change management processes
  • Backups and resilience measures proportionate to service risk
  • Incident response and escalation procedures
  • Vendor / subprocessor risk management
  • Data minimization and retention controls where feasible
  • Secure offboarding and deletion procedures
  • Multi-factor authentication for privileged accounts
  • Role-based access controls
  • Encryption in transit (TLS)
  • Encryption at rest where supported
  • Centralized logging
  • Quarterly vulnerability management reviews
  • Secure software development practices
  • Annual access-right reviews
  • Documented incident management process
  • Business continuity and disaster recovery procedures
  • Employee security awareness training
  • Subprocessor due diligence procedures

Turning opportunities into ventures — structured innovation from idea to scale.

Explore

The Opportunity FlowOpportunity Readiness LevelDigital Twin10ops & Partners

Legal

Master Terms & ConditionsTerms of UsePrivacy Statement

Newsletter

Sign up for our newsletter to discover opportunities.

2026 © 10 ops BV. All rights reserved.
ImprintAll legal documents