// LEGAL · B2B
Data Processing Agreement (DPA)
This Data Processing Agreement applies between AlfaNest Labs and business customers of WASTE.LAND who act as data controllers under applicable data protection law. Individual end users are covered by the Privacy Policy. The parties may sign a separate PDF that incorporates or amends these terms.
Parties. (1) AlfaNest Labs, entreprise individuelle, France, carried on by Marian George Grosu (SIRET 10303669500015, SIREN 103 036 695), registered office Saint-Fulgent, 85250, Vendée, France (“Processor”); and (2) the business entity identified as customer in the order form, quotation, or main service agreement for WASTE.LAND (“Controller”). Processor contact: contact@alfanestlabs.com, privacy@alfanestlabs.com.
1. Subject matter & duration
Processor provides the WASTE.LAND marketplace and related services as described in the agreement between the parties. This DPA applies for the term of that agreement and until deletion/return of data as below.
2. Nature & purpose
Processing includes hosting, authentication, messaging metadata, transaction records, and support — solely to deliver the service Controller subscribed to.
3. Type of personal data & categories of data subjects
Depending on how Controller uses WASTE.LAND, processing may involve: identification and contact data (name, email, username), account credentials (hashed passwords), marketplace content (listings, messages, transaction metadata), technical data (IP address, user agent, logs), and payment-related identifiers processed by payment providers. Data subjects may include Controller’s staff, sellers, buyers, or other users introduced by Controller.
4. Controller instructions
Processor processes personal data only on documented instructions from Controller, including this DPA and the main contract, unless law requires otherwise (in which case Processor informs Controller unless prohibited).
5. Confidentiality & security
Processor ensures that persons authorised to process personal data are bound by confidentiality. Processor implements appropriate technical and organisational measures, including access controls, encryption in transit (and where applicable at rest), separation of environments, logging, and backup procedures appropriate to the risk.
6. Sub-processors
Controller authorises Processor to engage sub-processors (such as hosting, email delivery, payment services, optional AI providers, and optional analytics) to deliver the service. Processor will make available on request an up-to-date list of material sub-processor categories or names via privacy@alfanestlabs.com. Processor will notify Controller of material changes where required by the main agreement or applicable law and will allow objection where those terms provide.
7. Data subject requests
Processor assists Controller, taking into account the nature of processing, in responding to data subject rights requests.
8. Breach notification
Processor notifies Controller without undue delay after becoming aware of a personal data breach affecting Controller’s data.
9. Return & deletion
At end of service, Processor deletes or returns personal data per Controller’s choice and contract, except where law requires retention.
10. Audits
Processor provides information reasonably necessary to demonstrate compliance with this DPA and allows for audits to the extent set out in the main contract, including completion of security questionnaires and provision of summaries of certifications where available.
11. International transfers
If personal data is transferred outside the European Economic Area or the United Kingdom, the parties implement appropriate safeguards under applicable law, such as the European Commission Standard Contractual Clauses or the UK International Data Transfer Addendum, as recorded in the executed agreement or order documentation.