Summary — full DPA on request
This page summarises the key terms under which Proximus NV/SA ("processor") processes personal data on behalf of a customer ("controller") in the course of providing the Proximus NXT platform, in line with GDPR Article 28. It forms part of, and is subject to, the signed customer agreement. A full, signable DPA is available on request via our contact form.
Roles & subject matter
For personal data the customer submits to, or generates within, its workspace, the customer is the controller and Proximus is the processor. Proximus processes that data only to provide and support the platform, on the controller’s documented instructions (these terms and the agreement being such instructions).
Nature, purpose & duration
- Nature & purpose: hosting, storage, transmission and processing of workspace data to deliver the contracted service (quoting, documentation, channels, customer portal and related features).
- Duration: for the term of the agreement, plus the retention windows in the privacy policy.
- Data subjects: the controller’s staff, contacts and end users represented in the workspace.
- Data categories: identity/contact details, account/role data, workspace content, and usage/audit metadata — no special-category data is required by the platform.
Processor obligations
- process personal data only on the controller’s documented instructions, including for transfers, unless required by EU/Member-State law (in which case we inform the controller, unless the law prohibits it);
- ensure persons authorised to process the data are bound by confidentiality;
- implement the security measures in clause 4;
- assist the controller (clauses 6–7) and make available the information needed to demonstrate compliance (clause 9);
- engage sub-processors only per clause 5.
Security (Art. 32)
Proximus maintains appropriate technical and organisational measures, including encryption in transit (TLS 1.3) and at rest (Cloud SQL CMEK), access control and tenant isolation, audit logging, rate-limiting, and an ISO 27001-aligned security posture. The specific measures are detailed in the signed DPA and may evolve provided protection is not lowered.
Sub-processors
The controller authorises Proximus to engage the EU-established sub-processors listed in the privacy policy (Google Cloud, Google Identity Platform / Firebase, Resend, Cloudflare), each bound by data-processing terms consistent with this DPA. We inform the controller of intended changes to the sub-processor list and give a reasonable opportunity to object.
Data-subject requests
Taking account of the nature of the processing, Proximus assists the controller with appropriate technical and organisational measures to respond to data-subject requests (access, rectification, erasure, portability, objection, restriction). Self-service access, portability and erasure are available in the platform; other requests are supported via our contact form.
Personal-data breach
Proximus notifies the controller without undue delay after becoming aware of a personal-data breach affecting the controller’s data, with the information the controller reasonably needs to meet its own notification obligations.
Return & deletion
On termination, Proximus deletes or returns the controller’s personal data per the agreement and the retention schedule in the privacy policy, unless EU/Member-State law requires storage.
Audits & information
Proximus makes available the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the controller or an auditor it mandates, on reasonable notice and subject to confidentiality, as further specified in the signed DPA.
International transfers
All processing and storage take place within the EU (see the privacy policy). No transfers outside the EEA are intended; should any arise, they will be covered by an appropriate transfer mechanism (e.g. the European Commission’s Standard Contractual Clauses).
Order of precedence & contact
In case of conflict, the signed DPA and customer agreement prevail over this summary. To request the signable DPA or ask a question, use our contact form.
Talk to a human.
For access, correction, erasure or any question about this document, reach us through our contact form — we respond within one month.
© 2026 Proximus NV/SA · Boulevard du Roi Albert II 27, 1030 Brussels, Belgium · VAT BE 0202.239.951. This document is governed by Belgian law.