Template: This is our standard template. The final data processing agreement is drawn up per client and signed after an intake conversation.

legal · gdpr art. 28

Standard Data Processing Agreement

When your organisation deploys Murmur | Works for a platform (such as UrbanStakes), you are the controller for the personal data processed within it. We are the processor. Per GDPR art. 28 this requires a data processing agreement.

Our standard template is based on the standard contractual terms of the Dutch Data Protection Authority and tuned to our infrastructure (data residency NL/EU, L0-L3 classification, audit logs, chain erasure). That typically saves your legal counsel 5 to 10 hours of editing.

Request standard DPA (PDF)

For final signing we adapt the template to your specific use case. After an intake conversation you receive the client-specific version.

section b

Contents of the template

Summary. The full text is in the PDF template.

1. Parties

  • Controller: [your organisation]
  • Processor: Murmur Works B.V. (trade name Murmur | Works), CoC 42094950

2. Subject and duration

Processing takes place under the main agreement (SaaS contract). This DPA applies for the duration of the main agreement plus any statutory retention periods.

3. Nature and purpose of processing

Signal collection, taxonomy linking, interpretation and action proposals in support of your policy domain. No decisions about individuals by the platform itself — humans always decide (see Act positioning).

4. Categories of personal data

Depending on deployment — specified per project:

  • Public statements by public figures (L0)
  • Internal files without direct PII (L1)
  • Complaint files with PII (L2, where applicable)
  • Special-category personal data (L3, only with explicit use case, always air-gapped)

5. Categories of data subjects

Depending on deployment — typically:

  • Citizens (reporters, parties involved in casework)
  • Employees of your organisation
  • Stakeholders appearing in media or policy (public figures)

6. Processor obligations (GDPR art. 28(3))

  • Process only on written instructions from the controller
  • Confidentiality by employees
  • Appropriate technical and organisational security (see Trust Center)
  • Assist in exercise of data subject rights (access, erasure, etc.)
  • Notify data breaches within 24 hours
  • Assist with DPIA (see DPIA template)
  • Upon termination: erasure or return of data (including derived data — embeddings, indices)
  • Make audit information available

7. Sub-processors

Current list (changes only with prior notice):

  • Hetzner Online GmbH (Germany, EEA) — hosting and processing
  • Anthropic (Claude) and Azure OpenAI in EU regions, per data class; local models for sensitive classes
  • Postmark (United States, with EU standard contractual clauses) — transactional email
  • Key management within own infrastructure (AES-256 at-rest encryption)

Full list with locations in Annex A of the PDF template.

8. International transfers

  • Primary: no transfer outside EEA
  • Fallback: EEA-guaranteed providers. Incidental transfers (e.g. support by a vendor's EU support team) take place on the basis of Standard Contractual Clauses and a Transfer Impact Assessment

9. Security measures (Annex B)

Full detail in the PDF. See also the Trust Center for a public version.

10. Applicable law

Dutch law; court of Amsterdam.

section c

Frequently asked questions

Do you adapt the template to our specific situation?

Yes. The public template is a baseline. Per client we fill in the specific categories, retention periods and sub-processor list.

How long does DPA review typically take on our side?

Clients typically report 2 to 5 hours of editing time — substantially less than building from scratch.

Do you accept our own DPA template?

In principle yes, provided the obligations are at least equivalent to those in our template. After comparison we align.