Last updated 14 May 2026 · Version 1.0
1. Roles
For end-user data that flows through the API (addresses, coordinates, search queries), you (the customer) are the controller and Rijwind is the processor. We process this data only to deliver the response and to log the call for billing, abuse mitigation, and incident response.
2. Subject-matter and duration
Subject: provision of maps, geocoding, and routing API responses to the controller. Duration: for as long as the controller's account is active, plus the 30-day log retention described below.
3. Nature, purpose, and types of data
Each API call may include:
- Geographic coordinates (latitude / longitude).
- Address strings or place-name strings supplied as a query.
- The controller's API key (we store its SHA-256 hash, not the plaintext).
- The IP address of the requesting client (controller's server or end-user).
These may indirectly identify an individual (e.g. a search for someone's home address). We treat them as personal data accordingly.
4. Retention and deletion
Per-request log lines are retained for 30 days, then deleted. Aggregated per-day counters (no end-user identifiers, only summed totals per controller account) are retained for billing reconciliation and product analytics.
Upon termination of the controller's account, all personal data is deleted within 30 days, except records we are legally required to retain (typically tax records — 7 years in the Netherlands).
5. Sub-processors
Rijwind currently uses the following sub-processors. New additions or replacements are announced at least 30 days in advance.
- Worldstream (Netherlands) — dedicated hosting for the API, geocoding, routing, and Redis. End-user queries (addresses, coordinates, search strings) flow through this server during request processing.
- Leaseweb (Netherlands) — VPS hosting for the marketing site, customer dashboard, and Cashier billing flow. Stores controller account details.
- Bunny.net (Slovenia) — global CDN serving the vector basemap, font glyphs, and sprite atlases. Sees the IP address of the requesting browser. Slovenia is an EU member state with GDPR jurisdiction.
- UpCloud (Netherlands) — object storage for the basemap and tile files. Hosted in the Amsterdam region. Origin behind Bunny.net — does not see customer requests directly.
- Mollie (Netherlands) — payment processing for paid plans. Receives controller billing details. Does not receive end-user API data.
- Lettermint (Netherlands) — transactional email delivery (account verification, two-factor codes, billing receipts, quota-threshold alerts). Receives the controller's email address and the body of each transactional message.
- incident.io (United Kingdom) — status page and incident-notification service. Receives the email address of customers who subscribe to status updates, plus the public incident-timeline content we publish ourselves. The UK has an adequacy decision from the European Commission, so this transfer is permitted without additional safeguards.
- PostHog (data hosted in Germany, on PostHog's EU instance) — first-party product analytics and error tracking. Sees the IP address of the visiting browser, session activity within the dashboard, and stack traces from backend errors. PostHog Inc. is incorporated in the United States, so the controller relationship is covered by Standard Contractual Clauses; the data itself does not leave the EU.
Apart from the UK transfer to incident.io and the SCC-covered US controller relationship with PostHog Inc., no sub-processor is located in or transfers data to a third country.
6. Security measures
- TLS 1.2+ for all in-transit data.
- API keys stored as SHA-256 hashes; plaintext shown once at issuance.
- Two-factor authentication available on every account; required for staff access.
- Operational access to production data is limited to named staff and audited via system logs.
- Backups encrypted at rest, restored at least quarterly to verify recoverability.
7. Breach notification
We notify the controller without undue delay — and in any event within 72 hours — of becoming aware of a personal-data breach affecting the controller's data. The notification includes the nature of the breach, the data categories affected, the likely consequences, and the measures taken or proposed to address it.
8. Data subject requests
Where a data subject contacts Rijwind directly about their data, we forward the request to the relevant controller and assist with technical implementation as needed. End-user requests about data the controller submitted through the API should be directed to the controller in the first instance.
9. Audits
On reasonable written notice (at least 30 days) and no more than once per calendar year, the controller may audit Rijwind's compliance with this DPA. We may discharge the audit obligation by providing a recent independent compliance attestation when one is available.
10. Termination
This DPA terminates automatically when the underlying service contract ends. Surviving obligations (deletion, breach notification for breaches discovered after termination, audit cooperation for the audit window that was open at the time of termination) remain in force.
11. Governing law
This DPA is governed by Dutch law and forms part of the broader terms of service. In case of conflict between this DPA and the terms, this DPA prevails for the processing of personal data.