Acordo de processamento de dados
Version 1.1, March 2026
This is a translation of the Dutch data processing agreement. In case of discrepancies, the [Dutch version](/nl/dpa) prevails.
This Data Processing Agreement ("Agreement") forms part of the Terms and Conditions between Screenbird and the Customer and governs the processing of personal data by Screenbird as a processor.
1. Definitions
- GDPR: the General Data Protection Regulation (EU) 2016/679
- Processor: Screenbird (Chamber of Commerce 50466542), which processes personal data on behalf of the Controller
- Controller: the Customer who determines the purposes and means of the processing of personal data
- Sub-processor: a third party engaged by the Processor for part of the processing
- Personal data: any data that can be directly or indirectly traced to a natural person
- Data subject: the natural person to whom the personal data relates
2. Scope and duration
This Agreement is in effect as long as Screenbird processes personal data on behalf of the Customer. The Agreement automatically terminates upon termination of the Subscription, subject to the retention periods in article 14.
3. Nature and purpose of processing
Screenbird processes personal data solely for the purpose of digital signage service delivery. This includes:
- Storing Content uploaded by the Customer
- Distributing and displaying Content on connected screens
- Processing playlists and schedules
- Technical support and debugging
4. Types of personal data
The processing may involve personal data that the Customer uploads as part of Content, including:
- Visual material featuring identifiable individuals (photos, videos)
- Names and contact information in displayed documents or presentations
- Other data that the Customer processes in Content
The nature and scope of personal data are determined by the Customer.
5. Categories of data subjects
Data subjects may include:
- Employees of the Customer
- Customers of the Customer
- Visitors to locations where the Customer's screens are installed
- Other individuals whose data the Customer processes in Content
6. Obligations of the Processor
Screenbird:
- Processes personal data solely based on written instructions from the Controller, unless a legal obligation requires otherwise
- Ensures that persons authorized to process personal data have committed to confidentiality
- Takes appropriate technical and organizational measures in accordance with article 32 GDPR (see article 9)
- Does not engage a sub-processor without prior consent of the Controller (see article 8)
- Provides assistance in fulfilling requests from data subjects (see article 11)
- Provides assistance in carrying out data protection impact assessments
- Reports data breaches within 48 hours (see article 10)
- Deletes or returns all personal data upon termination of the service (see article 14)
7. Obligations of the Controller
The Customer:
- Guarantees that the processing of personal data in Content is lawful
- Provides Screenbird with clear and lawful instructions for processing
- Informs data subjects about the processing of their personal data
- Is responsible for assessing whether Screenbird's security measures are appropriate for the risk of the processing
8. Sub-processors
Screenbird uses the following sub-processors:
| Sub-processor | Function | Location |
|---|---|---|
| Supabase | Database and authentication | EU (eu-west-3) |
| Cloudflare | Hosting, CDN, Workers and R2 storage | Global (edge) |
| Stripe | Payment processing | EU and US |
| Backblaze | Replicação de backup (armazenamento externo) | EU (eu-central-003, Amsterdam) |
Changes
Screenbird will inform the Customer at least 30 days in advance of the engagement of a new sub-processor or replacement of an existing sub-processor. The Customer may object in writing within this period. In case of a justified objection, the parties will jointly seek a solution. If no solution is reached, the Customer may cancel the Subscription.
Responsibility
Screenbird concludes an agreement with each sub-processor that imposes at least the same obligations as this Agreement. Screenbird remains responsible for compliance by sub-processors.
9. Security measures
Screenbird takes the following technical and organizational measures:
Technical
- TLS encryption for all data traffic
- AES-256 encryption for stored files (at rest)
- Row Level Security (RLS) at the database level for strict tenant isolation
- HMAC-SHA256 for screen authorization verification
- Short-lived JWT tokens for session management
- Automatic deletion of Content after termination
Organizational
- Access to production systems is restricted to authorized personnel
- Regular review of access rights
- Incident response process for security incidents
10. Data breaches
Notification obligation
Screenbird reports a data breach to the Customer within 48 hours of discovery, via email to the email address known to Screenbird.
Content of notification
The notification contains at minimum:
- The nature of the data breach
- The categories of data subjects and personal data involved
- The likely consequences
- The measures taken or proposed
Assistance
Screenbird provides assistance with notification to the Data Protection Authority and to data subjects, to the extent reasonably necessary.
11. Rights of data subjects
Screenbird provides the Customer with assistance in handling requests from data subjects under articles 15 to 22 GDPR, including requests for access, rectification, erasure and portability. Screenbird responds to assistance requests from the Customer within a reasonable timeframe.
12. Audits
The Customer has the right to conduct an audit to verify compliance with this Agreement, subject to the following conditions:
- Maximum once per 12 months
- At least 30 days' written notice in advance
- During business hours and without disproportionate disruption to operations
- Costs of the audit are borne by the Customer
- Screenbird may provide an independent audit report or certification as an alternative
13. Transfers outside the EEA
For transfers of personal data to countries outside the European Economic Area, the safeguards described in the Privacy Policy apply, including Standard Contractual Clauses and additional technical measures.
14. Termination and data return
Export window
After termination of the Subscription, the Customer has 30 days to export Content via the dashboard.
Deletion
After the export window, Screenbird deletes all personal data from production systems. Data in backups is overwritten within 90 days after deletion from production.
Exceptions
Screenbird may retain personal data longer if a legal obligation requires this. The Customer will be informed accordingly.
15. Governing law
This Data Processing Agreement is governed by Dutch law. Disputes shall be submitted to the competent court of the District Court of Noord-Nederland, location Groningen.
16. Contact
Screenbird
Email: privacy@screenbird.app
Address: Peizerweg 97, 9727 AJ Groningen, the Netherlands
Chamber of Commerce: 50466542