Legal

Data Processing Addendum

Last updated: 15 July 2026

Introduction

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between:

  • Flowstate Solutions, the operating entity for Ragtime AI, incorporated in the Netherlands (KVK 42080916), which holds exclusive licence rights to Ragtime AI from De Cloe Advies BV ("Ragtime", "we", "us"); and
  • the entity that is a counterparty to the Agreement (the "Customer"),

together the "Parties" and each a "Party". This DPA governs Ragtime's processing of Customer Personal Data on the Customer's behalf in connection with the Services.

1. Definitions

Terms such as "Controller", "Processor", "Personal Data", "Process", and "Data Subject" have the meanings given to them in the GDPR. "Applicable Data Protection Laws" means the privacy and data-protection laws applicable to Ragtime's processing of Customer Personal Data, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) and Dutch implementing legislation. "Customer Personal Data" means any Personal Data within Customer content processed by Ragtime or its sub-processors on the Customer's behalf to provide the Services. "Sub-Processor" means any third party appointed by Ragtime to process Customer Personal Data. Capitalised terms not defined here have the meaning given in the Agreement.

2. Processing of Customer Personal Data

Ragtime shall process Customer Personal Data only (a) on the Customer's documented instructions, including as set out in the Agreement and this DPA, or (b) as required by applicable law, in which case Ragtime will inform the Customer of that requirement in advance unless prohibited by law. The Customer instructs Ragtime to process Customer Personal Data to provide the Services in accordance with the Agreement. Where Ragtime reasonably considers that an instruction infringes Applicable Data Protection Laws, it shall notify the Customer.

Ragtime shall ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality.

3. Security

Ragtime shall implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against Personal Data Breaches, as further described in the Security Measures below. Ragtime may update these measures from time to time, provided the updates do not materially reduce the overall level of protection.

4. Data subject rights

Taking into account the nature of the processing, Ragtime shall provide the Customer with reasonable and technically feasible assistance to help the Customer fulfil its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws. If Ragtime receives such a request directly, it shall promptly notify the Customer and shall not respond other than to direct the individual to the Customer, unless required by law.

5. Personal data breach

Ragtime shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall provide information reasonably available to it to help the Customer meet its own breach-notification obligations. Such notification is not an acknowledgement of fault or liability.

6. Sub-processing

The Customer generally authorises Ragtime to engage Sub-Processors to process Customer Personal Data. Ragtime shall maintain a list of its Sub-Processors and shall give the Customer prior notice of the addition of any new Sub-Processor, giving the Customer the opportunity to object on reasonable grounds. Ragtime shall impose data-protection obligations on each Sub-Processor that offer at least an equivalent level of protection as those in this DPA, and shall remain liable for any breach caused by a Sub-Processor.

7. Audits

Ragtime shall make available to the Customer, on request, information reasonably necessary to demonstrate its compliance with this DPA. Where such information is insufficient, Ragtime shall allow for and contribute to audits conducted by the Customer or a mandated auditor, subject to reasonable notice, confidentiality, and scheduling restrictions. A third-party certification or audit report (for example, SOC 2 or ISO 27001) may be accepted in lieu of an on-site audit.

8. Return and deletion

Following expiry or termination of the Agreement, Ragtime shall return and/or delete Customer Personal Data in its control in accordance with the Customer's instructions, except to the extent retention is required by applicable law or is not technically feasible for back-ups, in which case Ragtime shall continue to protect the data and put it beyond use.

9. Data protection impact assessments

Taking into account the nature of the processing and the information available to it, Ragtime shall provide the Customer with reasonable assistance with data-protection impact assessments and prior consultations with supervisory authorities that the Customer reasonably considers required under Articles 35 and 36 of the GDPR.

10. Customer responsibilities

The Customer is responsible for its use of the Services, including ensuring there is a valid legal basis for the processing of Customer Personal Data and that all required notices and consents are in place in respect of Data Subjects, and for securing the systems and devices it uses in connection with the Services.

11. International transfers

Where Ragtime transfers Customer Personal Data outside the European Economic Area, it shall do so in reliance on an appropriate transfer mechanism under Chapter V of the GDPR, such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required.

12. General

This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement in relation to the processing of Customer Personal Data, this DPA prevails. Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

Security Measures

Ragtime implements and maintains technical and organisational measures including, at a minimum:

  • Organisational security — defined roles and responsibilities for information security.
  • Risk assessment — periodic review of risks and monitoring of compliance with internal policies.
  • Data security controls — logical segregation, role-based access, monitoring, and industry-standard encryption of Customer Personal Data in transit and at rest.
  • Access & password controls — electronic access management based on authority levels and job function, with password strength and lifecycle controls.
  • Monitoring & logging — audit and event logging to record user access and system activity.
  • Physical security — maintained by our hosting sub-processors, whose facilities provide appropriate physical and environmental safeguards.
  • Change & incident management — controlled change processes and defined incident response, investigation, and notification procedures.
  • Network security & vulnerability management — firewalls, intrusion detection, and scheduled vulnerability assessment.
  • Business continuity — resiliency and disaster-recovery procedures designed to maintain and restore service.

Contact

For questions about this DPA or to exercise data-protection rights, contact us at legal@ragtime-ai.com.

Let's talk

Request a demo

Tell us a little about your context. We'll show you a working assistant grounded in your own content.