Data Processing Agreement
Last updated: June 10, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between MoodMonkey B.V. ("MoodMonkey", "processor") and the customer ("Customer", "controller") for the use of the MoodMonkey service, as required by article 28 of the General Data Protection Regulation (GDPR). By using the Service under our Terms & Conditions, the Customer also agrees to this DPA.
1. Roles and Scope
The Customer is the controller of the personal data processed in the Service; MoodMonkey is the processor. MoodMonkey processes personal data only on documented instructions from the Customer, including with regard to transfers, unless required to do otherwise by EU or member state law. The use of the Service in accordance with its documentation constitutes the Customer's complete instruction.
2. Subject Matter, Duration, Nature and Purpose
- Subject matter: the provision of the MoodMonkey employee wellbeing service.
- Duration: the term of the Customer's subscription, plus the export and deletion window described in section 9.
- Nature and purpose: collecting daily wellbeing check-ins from the Customer's employees and presenting aggregated dashboards and insights to the Customer.
3. Categories of Data Subjects and Personal Data
| Category | Description |
|---|---|
| Data subjects | Employees and other staff of the Customer; Customer users with dashboard access |
| Account data | Name, work email address, role, login data of dashboard users |
| Check-in data | Daily mood scores, optional free-text comments, timestamps |
| Usage data | Log data needed to operate and secure the Service |
The Service is designed for data minimization: check-ins are reported at team and organization level, and free-text comments should not be used to share special categories of data. The Customer instructs its employees accordingly.
4. Confidentiality
MoodMonkey ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to what is necessary for their role.
5. Security
MoodMonkey implements appropriate technical and organizational measures as required by article 32 GDPR, including: encryption of data in transit, encryption of data at rest, role-based access control on a need-to-know basis, logical separation of customer data, hosting within the European Union, regular backups, and security testing of changes before release. MoodMonkey may update these measures provided the overall level of protection is not reduced.
6. Sub-processors
The Customer grants a general authorization for the use of sub-processors. The current sub-processors for the Service are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Hosting of the Service | European Union (North Europe) |
| EU-based infrastructure and email providers | Website hosting, transactional email | European Union |
MoodMonkey will inform the Customer at least 30 days before adding or replacing a sub-processor, giving the Customer the opportunity to object on reasonable grounds. MoodMonkey imposes data protection obligations on each sub-processor equivalent to those in this DPA and remains responsible for their performance.
7. International Transfers
Personal data is processed and stored within the European Union. If a transfer outside the European Economic Area should ever be necessary, MoodMonkey will ensure appropriate safeguards in accordance with chapter V GDPR, such as the EU Standard Contractual Clauses, and inform the Customer.
8. Assistance and Breach Notification
Taking into account the nature of the processing, MoodMonkey assists the Customer with appropriate technical and organizational measures in fulfilling data subject requests (articles 12 to 23 GDPR) and in complying with the obligations of articles 32 to 36 GDPR, including data protection impact assessments.
MoodMonkey notifies the Customer without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach affecting the Customer's data, and provides the information reasonably needed for the Customer to meet its own notification obligations.
9. Return and Deletion
After the end of the subscription, the Customer can export Customer Data for 30 days. After this period, MoodMonkey deletes all personal data processed on behalf of the Customer, including copies in backups within the regular backup rotation, unless EU or member state law requires longer storage.
10. Audits
MoodMonkey makes available all information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits take place at most once per year, during business hours, with at least 30 days notice, and without unreasonable disruption to MoodMonkey's operations. Each party bears its own audit costs.
11. Liability and Final Provisions
The liability arrangements of the Terms & Conditions apply to this DPA. In the event of conflict between this DPA and the Terms & Conditions regarding the processing of personal data, this DPA prevails. This DPA is governed by Dutch law.
12. Contact
Privacy questions or breach notifications: [email protected]. MoodMonkey B.V., Keizersgracht 520-H, 1017 EK Amsterdam, the Netherlands, KvK 97383392.