Data Sharing and Data Processing Agreement

Last updated: 1st March, 2026

This Data Sharing and Data Processing Agreement ("Agreement") forms part of the agreement between RFQmatch.com and the organization using the RFQmatch platform ("Customer"). This Agreement governs the processing and sharing of personal data in connection with the RFQmatch platform and is intended to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

Personal Data
Any information relating to an identified or identifiable natural person as defined in Article 4 GDPR.

Processing
Any operation performed on personal data including collection, storage, transmission, organization, or deletion.

Controller
The entity determining the purposes and means of processing personal data.

Processor
An entity processing personal data on behalf of a controller.

Data Subject
The identified or identifiable individual to whom personal data relates.

Sub-processor
A third party engaged by RFQmatch to assist in processing personal data.

2. Role of the Parties

2.1 Independent Controllers

RFQmatch and the Customer generally operate as independent data controllers with respect to personal data exchanged through the platform. Each party independently determines the purposes and means of processing personal data within its own systems and business operations.

2.2 Platform Infrastructure Role

RFQmatch operates a digital platform that enables businesses to publish Requests for Quotation (RFQs), submit supplier proposals, exchange documentation, and communicate with other platform users. RFQmatch processes personal data necessary to operate, maintain, and secure the platform infrastructure.

2.3 Platform Transaction Records

RFQmatch maintains records of sourcing activities conducted through the platform ("RFQmatch Transaction Records"). These records may include RFQs, proposals, communications, timestamps, specifications, and system logs.

RFQmatch processes and retains such records as an independent controller for purposes including: platform operation, dispute resolution, fraud prevention, marketplace integrity, and legal compliance.

2.4 Limited Processor Activities

To the extent RFQmatch processes personal data solely to provide technical platform services on behalf of the Customer, RFQmatch acts as a data processor.

3. Purpose of Data Sharing

Personal data may be shared between platform users for the purpose of: facilitating RFQs, identifying potential suppliers or buyers, enabling commercial communication between businesses, evaluating procurement opportunities, and establishing and managing business relationships. The platform is intended solely for legitimate B2B commercial use.

4. Use of Shared Contact Data

Where personal data is shared between platform users, the receiving party may use such data for legitimate business purposes including: responding to RFQs, evaluating potential suppliers or buyers, negotiating commercial relationships, and managing procurement or supplier relationships.

The receiving party may store such contact information in internal systems including: CRM systems, ERP systems, procurement management tools, and internal contact databases.

Once personal data is obtained through the platform and stored in internal systems, the receiving party acts as an independent data controller responsible for its own compliance with applicable data protection laws.

Personal data obtained through the platform may not be used for: unlawful marketing practices, unauthorized data harvesting, reselling personal data, or creating independent databases unrelated to legitimate business relationships.

5. Types of Personal Data

Personal data processed through the platform may include: name, business email address, phone number, job title, company name, RFQ-related communications, supplier proposals and attachments, and technical identifiers such as IP address or device information.

The Customer determines what personal data it chooses to submit to the platform.

6. Categories of Data Subjects

Personal data may relate to: employees of buyers, employees of suppliers, platform users, and professional contacts involved in procurement processes.

7. Legal Basis for Processing

Each party shall ensure that personal data is processed on a valid legal basis under applicable data protection laws.

Legal bases may include: performance of a contract, legitimate interests in conducting B2B sourcing activities, compliance with legal obligations, and consent where required.

Each party remains responsible for lawful processing within its own organization.

8. Security Measures

RFQmatch implements appropriate technical and organizational measures designed to protect personal data, including: secure cloud infrastructure, authentication and access controls, encryption where appropriate, logging and monitoring of platform activity, and periodic security reviews.

Each party remains responsible for maintaining appropriate security measures within its own systems.

9. Sub-processors

RFQmatch uses trusted infrastructure providers to operate the platform. Current sub-processors include:

  • Vercel - Cloud hosting and platform infrastructure
  • Supabase - Database and backend services

These providers may process personal data outside the European Economic Area. RFQmatch ensures that sub-processors are subject to contractual data protection obligations.

10. International Data Transfers

Personal data processed through the platform may be transferred to countries outside the European Economic Area. Where such transfers occur, RFQmatch ensures appropriate safeguards including: Standard Contractual Clauses approved by the European Commission, and additional contractual and technical safeguards where appropriate.

11. Data Subject Rights

Each party is independently responsible for responding to requests from data subjects exercising their rights under applicable data protection laws.

These rights may include: access, rectification, erasure, restriction of processing, data portability, and objection to processing.

Where appropriate, the parties shall reasonably cooperate in handling such requests.

12. Personal Data Breaches

Each party shall notify the other without undue delay if it becomes aware of a personal data breach affecting personal data exchanged through the platform. Each party remains responsible for regulatory notifications required under applicable law.

13. Data Retention

Each party shall retain personal data only for as long as necessary for legitimate business purposes or legal obligations.

RFQmatch may retain RFQmatch Transaction Records where necessary to: maintain platform history, ensure marketplace transparency, resolve disputes, prevent fraud or abuse, and comply with legal obligations.

14. Liability

Each party remains responsible for its own compliance with applicable data protection laws. Liability between the parties shall be governed by the main platform agreement or Terms of Service.

15. Governing Law

This Agreement shall be governed by the law applicable to the main service agreement between the parties.

16. Contact

RFQmatch.com
Email: [email protected]
Address: Goudenregen 12, 8141 XA, Heino