Data Processing Agreement

Summary

This Data Processing Agreement (DPA) is an appendix to the Terms of Service between Shine Platform and the Subscriber and regulates the Data Processor’s processing of personal data in accordance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR).

The DPA is considered signed by the Data Controller when the Terms of Service are signed.

“Data Processor” means the Shine Platform as defined in the Terms of Service, i.e. the company within the Shine Group with which the Customer has entered into the Terms of Service.

“Data Controller” means the customer of the Shine Platform.

The current version of this document is applicable from 2025-10-07. Previous versions can be viewed here.

1. Introduction

By using the Services and any of the available additional functions or integrations in relation to the platform (hereinafter referred to as the “Services”), the Data Processor will be responsible for the processing of personal data on the Platform.

The Data Processor processes personal data solely on the documented instructions of the Data Controller and in accordance with the Data Processor’s Personal Data Policy, provided that such policy does not conflict with the instructions of the Data Controller under this Agreement or the GDPR.

This Data Processing Agreement is entered into so that both Parties comply with national data protection legislation, including the GDPR, and protect the private life and fundamental rights of natural persons. The Data Processing Agreement sets out the instructions under which the Data Processor processes personal data on behalf of the Data Controller.

The Data Processing Agreement uses the definitions stated in the national data protection legislation and the GDPR.

2. The responsibilities and obligations of the Data Controller

The Data Controller is responsible for ensuring that the processing of personal data takes place in accordance with the GDPR, cf. Article 24, and the national data protection rules.

The Data Controller is entitled and obligated to make decisions regarding the purpose(s) of, and the technical tools used for, the processing of personal data. Furthermore, the Data Controller is responsible for ensuring a legal basis for the processing and transfer of personal data that the Data Processor is instructed to carry out.

The Data Controller must fulfil all information obligations towards the data subjects regarding the processing of their personal data, and must provide the relevant guarantees in relation to all technical and security measures protecting the data subjects’ personal data.

By using the Platform, the Data Controller is solely responsible for providing the personal data specified in Appendix A and for limiting the processing of data outside that specification, including special categories of personal data as defined in Article 9 of the GDPR.

The Data Controller provides explicit consent to the Data Processor to act as an Account Information Service Provider (AISP), in accordance with applicable national legislation implementing Directive (EU) 2015/2366 on payment services in the internal market (PSD2).

This consent is necessary for the Data Processor to access and process personal data retrieved from the Data Controller’s payment accounts, solely for the purpose of providing the requested services, such as account aggregation, transaction history, and financial automation functionalities.

The Data Controller may withdraw this consent at any time. Upon such withdrawal, the related Account Information Services shall be automatically terminated, and the Data Processor shall cease all associated processing activities unless otherwise permitted or required under applicable law.

The Data Processor shall ensure that access to account information is limited to what is strictly necessary for the performance of the requested service and that all processing is conducted in accordance with the GDPR and relevant national payment regulations.

3. The responsibilities and obligations of the Data Processor

The Data Processor may only process personal data on documented instructions from the Data Controller, and does so on behalf of the Data Controller. The Data Controller instructs the Data Processor to process personal data i) in accordance with applicable legislation, ii) to fulfil its obligations under the agreement between the Data Controller and the Data Processor, and iii) as described in this Agreement.

The Data Processor is responsible for notifying the Data Controller if an instruction, in the Data Processor’s opinion, is in breach of the GDPR or national data protection legislation.

If the Data Processor assesses that an instruction from the Data Controller is illegal or in breach of applicable legislation, the Data Processor is obliged to inform the Data Controller, who must rectify the instruction in due time. If the Data Controller is not able to rectify the instruction, the Data Processor is entitled to terminate the service agreement between the Parties.

The Data Processor assists the Data Controller in implementing appropriate technical and security measures, considering the nature of the processing and the category of personal data.

Furthermore, the Data Processor assists the Data Controller with requests from data subjects regarding the exercise of their rights under the GDPR. The Data Processor does not respond to such requests unless authorised by the Data Controller.

If the Data Controller requests information or assistance regarding its security measures or the processing of personal data in general, and such request exceeds what is required under applicable data protection legislation, the Data Processor is entitled to charge for such further services.

The Data Processor ensures confidentiality regarding the processing of personal data, including personal data about the Data Controller’s employees. This obligation continues after termination of the Data Processing Agreement.

The Data Processor shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, or data, even if advised of the possibility of such damages.

The total aggregate liability of the Data Processor arising out of or in connection with this Agreement, whether in contract, tort or otherwise, shall be limited to the total amount paid by the Data Controller to the Data Processor under the Terms of Service during the twelve (12) months preceding the event giving rise to the claim.

This limitation shall apply regardless of the number or nature of claims, and regardless of the cause of action, except in the event of willful misconduct or gross negligence by the Data Processor proven in a court of competent jurisdiction.

4. The use of Sub-Processors

The Data Processor must fulfil the conditions stated in Article 28(2) and (4) of the GDPR in order to use another data processor (sub-processors).

The Data Processor uses sub-processors, including entities within the Shine Group and third-party providers inside or outside the EU/EEA, to deliver its Services.

The Data Processor has data processing agreements with all sub-processors, and an exhaustive list of these may be found in Appendix B. The Data Processor ensures that all sub-processors comply with the corresponding obligations and requirements in this Data Processing Agreement and the data protection legislation.

This Agreement shall be deemed the Data Controller’s general written authorisation for the use of sub-processors, in accordance with Article 28(2) GDPR.

The Data Processor transfers data to partners as part of the service provided to the Data Controller. By accepting the terms of the service agreement, the Data Controller is informed that the Data Processor’s partners will receive the personal data in order to provide an offer in response to the Data Controller’s request for service.

When transferring personal data outside the EU/EEA, the Data Processor ensures that such transfers are carried out in accordance with Chapter V of the GDPR and that an adequate level of protection is guaranteed.

The Data Processor may rely on various legal transfer mechanisms provided under the GDPR, including but not limited to:

  • the European Commission’s adequacy decisions;
  • the EU Commission’s Standard Contractual Clauses (SCCs);
  • binding corporate rules (BCRs), where applicable; or
  • other appropriate safeguards as set out in Article 46 GDPR.

Where required, the Data Processor shall implement supplementary technical, organisational, and contractual measures to ensure that the transferred personal data receives a level of protection essentially equivalent to that guaranteed within the EU/EEA.

If the Data Processor changes sub-processors, the Data Controller will be notified and has the right to object to such a change if the new sub-processor does not process personal data in accordance with applicable data protection legislation.

If the Data Controller objects to the use of a new sub-processor on reasonable and documented data protection grounds, the Parties shall enter into good faith discussions to resolve the matter. If no resolution is achieved within thirty (30) days, the Data Processor reserves the right to continue using the sub-processor, unless the Data Controller elects to terminate the relevant part of the services affected by the objection.

Termination shall not give rise to any compensation, damages, or liability on the part of the Data Processor.

The Data Processor is responsible for requiring the sub-processors to comply with the Data Processor’s obligations as stated in this Data Processing Agreement and the GDPR.

Upon reasonable request, the Data Processor shall provide the Data Controller with relevant information demonstrating that the sub-processors are subject to equivalent data protection obligations, including a summary or extract of the data protection clauses of the sub-processing agreements, where necessary to demonstrate compliance. Full copies of sub-processing agreements shall not be required unless mandated by applicable law or a supervisory authority.

If a sub-processor breaches the data protection rules, the Data Processor remains fully responsible for ensuring that the sub-processor fulfils its obligations towards the Data Controller.

5. Access by Group Entities

The Data Controller acknowledges and accepts that the Data Processor may allow access to the personal data processed under this Agreement to other entities within the Shine Group, including affiliates, parent companies, and subsidiaries, to the extent necessary for the performance, maintenance, security, and improvement of the Services.

These group entities may operate in or outside the EU/EEA. In such cases, the Data Processor ensures that all data transfers comply with Chapter V of the GDPR and that appropriate safeguards are in place. A list of relevant group entities and their roles may be made available to the Data Controller upon request.

Access by group entities shall not be considered the use of new sub-processors requiring separate notification.

6. Confidentiality

The Data Processor may only grant access to the personal data being processed on behalf of the Data Controller to persons under the Data Processor’s authority who have committed themselves to confidentiality.

Upon request from the Data Controller, the Data Processor must demonstrate the confidentiality measures applying to the persons concerned.

7. Security of processing

The Data Controller is responsible for defining the overall security requirements, and the Data Processor shall implement measures accordingly.

The Data Processor shall implement appropriate technical and organisational measures as required by Article 32, taking into account the state of the art, the costs of implementation, and the specific risks associated with the processing operations it performs on behalf of the Data Controller.

Upon documented request, the Data Processor shall assist the Data Controller, within the scope of the processing activities under this Agreement and to the extent reasonably possible, in ensuring compliance with the obligations under Article 32 GDPR.

8. Transfer of personal data to third countries or international organisations

The Data Processor shall only transfer personal data to a third country or an international organisation based on documented instructions from the Data Controller, and always in compliance with Chapter V of the GDPR.

The Data Processor may carry out such transfers where required by Union or Member State law to which the Data Processor is subject. In such cases, the Data Processor shall inform the Data Controller of the legal requirement prior to processing, unless such disclosure is prohibited for reasons of public interest under applicable law.

The Data Processor shall maintain documentation of the Data Controller’s instructions in the following situations:

  • transfers of personal data to a Data Controller or processor in a third country or international organisation;
  • engagement of a sub-processor located in a third country;
  • processing activities conducted in a third country.

The Data Controller acknowledges and accepts, through signature of this Agreement, the Data Processor’s use of sub-processors located in third countries as listed in Appendix B. The Data Processor shall ensure that all such transfers rely on a valid transfer mechanism under Chapter V of the GDPR, which may include:

  • an adequacy decision by the European Commission;
  • Standard Contractual Clauses (SCCs) adopted by the Commission;
  • Binding Corporate Rules (BCRs); or
  • other appropriate safeguards as permitted under Article 46 GDPR.

Where required, the Data Processor shall implement supplementary technical, organisational, or contractual measures to ensure that the level of protection of personal data is essentially equivalent to that within the EU/EEA, in line with applicable legal guidance (e.g. EDPB Recommendations and national regulator expectations).

The Data Processor shall not be held liable for transfers carried out in accordance with the Data Controller’s instructions and the requirements of Chapter V of the GDPR, unless the Data Processor has failed to implement the agreed safeguards. Any obligations relating to the assessment of the legal framework in the destination country or the performance of a transfer impact assessment (TIA) shall be jointly coordinated by the Parties, with the Data Controller bearing primary responsibility for the decision to proceed.

The Data Processor has entered into written data processing agreements with all sub-processors and has ensured that all relevant safeguards and contractual commitments are in place to guarantee compliance with applicable data protection legislation in the context of data transfers outside the EU/EEA.

9. Assistance to the Data Controller

The Data Processor shall assist the Data Controller, to the extent reasonably possible and taking into account the nature of the processing and the information available to the Data Processor, in fulfilling the Data Controller’s obligations under applicable data protection laws, including the GDPR and relevant national legislation in France, Germany, the Netherlands, and Denmark.

Such assistance may include, upon written and documented request from the Data Controller:

  • assisting with handling data subjects’ requests to exercise their rights (access, rectification, erasure, restriction, objection, and portability);
  • supporting the performance of data protection impact assessments (DPIAs);
  • providing information necessary to cooperate with the competent supervisory authority in connection with high-risk processing activities or personal data breaches.

The Data Processor shall not respond directly to data subjects or communicate with a supervisory authority unless explicitly instructed to do so in writing by the Data Controller. Any assistance exceeding the scope required by Article 28 of the GDPR may be subject to additional compensation agreed between the Parties.

10. Notification of data protection breaches

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach affecting the personal data processed under this Agreement.

The notification shall include, to the extent known at the time, relevant information to assist the Data Controller in fulfilling its obligations under Article 33 and, where applicable, Article 34 of the GDPR.

The Data Processor shall provide reasonable cooperation and assistance to the Data Controller in the investigation and mitigation of the breach and in the preparation of any required notifications to supervisory authorities or data subjects, taking into account the nature of the processing and the information available to the Data Processor.

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Processor shall assist the Data Controller in preparing any communication to the affected data subjects, as required by applicable data protection law.

11. Erasure and return of personal data

At termination of the service that includes the processing of personal data, the Data Processor is obligated to erase all personal data processed on behalf of the Data Controller, and to confirm to the Data Controller that the personal data has been erased.

The above does not apply if EU or national legislation requires storage of personal data after termination of the service. Furthermore, the above does not apply to personal data processed by the Data Processor as a Data Controller in the customer relationship between the Parties. This includes storage in accordance with special legislation, including the Danish bookkeeping legislation.

12. Revision and inspection

The Data Processor shall provide the Data Controller, upon request, with the information strictly necessary to demonstrate compliance with the obligations set out in this Agreement and under applicable data protection law, including the GDPR.

The Data Processor shall also grant competent supervisory authorities access to its facilities or documentation, where required by applicable law.

13. Modification

The Data Processor reserves the right to amend this DPA at any time. The Data Controller shall be informed of such amendments by email or via the platform.

Except for changes relating to sub-processors governed by Appendix B of the DPA, amendments to this DPA shall apply to the Data Controller, even if its engagement predates the amendments, fifteen (15) days after notification is provided.

If the amendments materially prejudice the Data Controller and are not required by applicable laws, regulations, directives, guidance or decisions of a European data protection authority, or by a court ruling, the Data Controller may object in writing within fifteen (15) days of being informed, stating the reasons for such objection.

If the Parties are unable to reach an agreement within thirty (30) days following receipt of the Data Controller’s objection, the Data Controller may terminate the affected Service without penalty by sending written notice to the Data Processor.

Any continued use of the Service after notification of the amendments shall be deemed acceptance by the Data Controller of the updated DPA.

14. Other agreements between the Parties

The Parties may agree on other provisions regarding the service provided by the Data Processor to the Data Controller, provided that such provisions do not, directly or indirectly, contradict the provisions of this Data Processing Agreement regarding the processing of personal data, or in any other way diminish the fundamental rights of the data subjects stipulated in the data protection legislation.

15. Entry into force and termination

The provisions in this Data Processing Agreement enter into force on the date of signature of the Terms of Service between the Parties.

The Data Processing Agreement applies for the duration of the service agreement. During this period, the Agreement cannot be terminated by either Party unless the service agreement is terminated at the same time. Termination of the service agreement may take place in accordance with the termination provision of the service agreement.

This Agreement is governed by Danish law, and any dispute shall be subject to the jurisdiction of the Danish courts.

Appendix A – Categories of Personal Data and Data Subjects

A.1. Categories of Data Subjects

  1. The Data Controller’s Contact Person(s)
  2. The Data Controller’s Employees
  3. The Data Controller’s Customers and Suppliers (when using accounting functionality, if the functionality is available in the country of the customer) and their Contact Person(s)

A.2. Categories of Personal Data

  1. First and last name
  2. Job title
  3. Phone number
  4. E-mail address
  5. Address
  6. IP addresses
  7. Payment information on invoice
  8. Bank statement information (when using bank integration functionality, if the functionality is available in the country of the customer)
  9. Professional life data
  10. Payroll data (when using the payroll functions, if the functionality is available in the country of the customer)
  11. Employees’ personal ID-numbers (confidential personal data) (when using the payroll functions or personal tax calculations, if the functionality is available in the country of the customer)

The Data Processor does not process special categories of personal data unless specifically instructed to do so by the Data Controller.

If the processing of special categories of personal data would not be a natural part of the above-mentioned categories, the Data Controller is urged to anonymize the data before providing access to the Data Processor as stated in this Agreement.

A.3. The purposes for which personal data is processed

The processing purposes described in this Agreement are pursued consistently across all countries where the Data Processor operates. However, certain processing activities may only be carried out in jurisdictions where the corresponding services or technical capabilities are available.

  1. Sending invoices to the Data Controller’s customers
  2. Sending reminders to the Data Controller’s customers
  3. Keep an overview of suppliers and the balances with them (when using accounting functionality, if the functionality is available in the country of the customer)
  4. Keep stock of sold products
  5. Keep stock of bought products (when using accounting functionality, if the functionality is available in the country of the customer)
  6. Provide a historical overview of invoices and payments for the Data Controller’s business
  7. Provide automatic reminder procedures
  8. Offer different reports and insights into the Data Controller’s business
  9. Receive payments from the Data Controller’s customers
  10. Initiate payments of the Data Controller’s received invoices (when using accounting and banking functionality, if the functionality is available in the country of the customer)
  11. Integrate third party systems
  12. Keep books of expenses (when using accounting functionality, if the functionality is available in the country of the customer)
  13. Automating the drafting of the annual accounts (when using tax calculation functionality, if the functionality is available in the country of the customer)
  14. Prepare VAT reports (when using accounting functionality, if the functionality is available in the country of the customer)
  15. Integrate expenses account to keep books (when using accounting functionality, if the functionality is available in the country of the customer)
  16. Store accounting records (when using accounting functionality, if the functionality is available in the country of the customer)
  17. Tax calculations (when using tax calculation & accounting functionality, if the functionality is available in the country of the customer)
  18. Prepare tax reports (when using tax calculation & accounting functionality, if the functionality is available in the country of the customer)
  19. General banking functions (when using banking functionality, if the functionality is available in the country of the customer)
  20. Administrating monthly salary slips and payments (when using payroll functionality, if the functionality is available in the country of the customer)
  21. Monthly tax and social security reporting and payments (when using payroll functionality, if the functionality is available in the country of the customer)
  22. Marketing accountant services (when using accounting functionality, if the functionality is available in the country of the customer)

The nature of the processing includes collection, storage, structuring, retrieval, use, analysis, disclosure by transmission, erasure and destruction.

The personal data will be processed for the duration of the customer relationship, until termination of the Terms of Service by either the Data Controller or the Data Processor. After termination of the Terms of Service, personal data will be stored in accordance with the Data Processor’s Retention Period.

Appendix B – The Data Processor’s Sub-Processors

In addition to the Shine Group companies, the Data Processor has the following sub-processors that process data on behalf of the Data Controller:

Sub-processor

Address

Purpose

ActiveCampaign LLC

1 North Dearborn St., 5th Floor
Chicago, IL 60602, United States

Sends marketing emails to customers.

Aiia A/S

Artillerivej 86, 2300 Copenhagen S, Denmark

Connects bank accounts to the Services for automatic transfer of information.

Amazon Web Services EMEA SARL

38 Avenue John F. Kennedy, L-1855 Luxembourg

The cloud infrastructure supporting the Services, stores customer data, backups and provides service.

Cluvio GmbH

Friedrichstrasse 79
Berlin, 10117, Germany

Visualising data and is used for internal reporting.

Datadog Inc.

620 8th Avenue, 45th floor
New York, NY 10018

Provides supervision of critical systems, reporting system errors.

Google Limited Ireland

Gordon House, Barrow Street
Dublin 4, Ireland

Document creation and synchronisation, cloud storage, marketing campaigns and analysing functions.

Hotjar Ltd.

Dragonara Business Centre,
5th Floor, Dragonara Road,
Paceville St Julian's STJ 3141, Malta

Analysing customer behaviour in the platform.

Intercom Inc.

55 Second Street, Suite 400
San Francisco, CA 94105, United States

Handles customer support requests, communication with customers.

Iterable Inc.

71 Stevenson St., Suite 300
San Francisco, CA 94105, United States

Sends e-mails to customers, primarily marketing communications and updates to the service.

Mixpanel International Inc.

One Front Street, 28th Floor
San Francisco CA 94111, United States

Provides analyses on events in the platform, e.g. tracking number of users of specific functions.

Postmark by ActiveCampaign, LLC

1 North Dearborn St, 5th Floor, Chicago, IL 60602, United States

Automated service e-mails to customers, e.g. confirmation of submitted material, invoices etc.

Sentry

45 Fremont Street, 8th Floor
San Francisco, CA 94105, United States

Monitors the platform for errors and safety.

Userflow Inc.

548 Market St PMB 69598, San Francisco, CA 94104-5401, USA

Enables communication with customers directly on the platform.

Cookie Information A/S

Købmagergade 19

1150 Copenhague, Denmark

Consent management on the website.

Meta Platforms Ireland Limited

Merrion Road, Dublin 4, D04 X2K5, Ireland

Advertisement on Facebook for the purpose of building audiences of users that might be interested in the services we provide

Microsoft Ireland Operations Limited

One Microsoft Place
South County Business Park
Leopardstown, Dublin 18
D18 P521, Ireland

Advertisement on Bing & LinkedIn for the purpose of building audiences of users that might be interested in the services we provide

Basware Inc.

Linnoitustie 2, 02600 Espoo, Finland.

Delivers the infrastructure for sending and receiving electronic invoices.

Stripe Inc.

354 Oyster Point Boulevard, South San Francisco, California, 94080, United States

Payment Processing

Aircall.io Inc.

44 W 28th Street, 14th Floor, New York, NY 10001, United States

Cloud-based phone system designed for businesses to manage their calls and enhance their customer support and sales operations through integrated communication features.

Snowflake Inc.

Suite 3A, 106 East Babcock Street, Bozeman, Montana 59715, United States

Snowflake is a Data Storage Technology used mainly to generate internal financial reporting.

Segment by Twilio Inc.

101 Spear Street, 5th Floor, San Francisco, California, 94105, United States

Segment is an internal event system. We have defined a series of user actions, where we send events to Segment. Segment ensures that these events are routed to other parts of our system.

Zapier Inc.

548 Market St. #62411, San Francisco, CA 94104, United States

Automation tool that connects different web applications to automate repetitive tasks without needing to write code

MongoDB Inc.
Atlas

1633 Broadway, 38th Floor
New York, NY 10019, United States

NoSQL hosted environment, document-oriented database designed for high performance, high availability, and easy scalability used to store company settings data

Mailgun by Sinch Sweden AB

Lindhagensgatan 112, 112 51 Stockholm, Sweden

Automated service e-mails to customers, e.g. confirmation of submitted material, invoices etc.

Fivetran Inc.

1221 Broadway Street, Floor 20, 2400 Oakland, CA 94612, United States

Data Integration Platform to streamline the process of data integration, enabling more efficient data analysis and business intelligence activities

FusionAuth

11080 Circle Point Rd.

Suite 405

Westminster, CO 80020

Identity Provider for handling secure login to our platform

Weld Technologies ApS

Weld, Danneskiold-Samsøes Allé 41 1434 Copenhagen, Denmark

Weld is just to transfer data from our service into Snowflake

Chargebee Inc

909 Rose Avenue, Suite 950, North Bethesda, MD 20852

Payment Processing

Braze Inc.

Braze, Inc.

63 Madison Building

28 East 28th Street, Floor 12

New York, New York 10016

USA

Sends e-mails to customers, primarily marketing communications and updates to the service.

Hubspot Ireland Limited

HubSpot Ireland Limited, HubSpot House, One Sir John Rogerson's Quay, Dublin 2, Ireland

Marketing tool for managing new customers

AppsFlyer Inc

AppsFlyer Inc

100 1st St 25th floor

San Francisco, CA 94105

Creating links in emails that works for both web browsers and mobile

Cookie Information

Købmagergade 19

1150 Copenhagen K, Denmark

Consent management on the website.

Omni Analytics

Omni Analytics Inc.

375 Alabama St, Unit 350

San Francisco, CA 94110

Visualising data and is used for internal reporting.

Klippa

Klippa App B.V. in Groningen, The Netherlands

Data extraction for uploaded receipts to our accounting product

Letregnskab.dk ApS

C/O Woiremose & Partner ApS, Pilestræde 52, 2., 1112 Copenhagen K, Denmark

Drafting annual accounts through questionnaires to the customer, providing the final annual account.

Relatel A/S

Teglværksgade 18, 2100 Copenhagen Ø, Denmark

Provides telephony for customer support.

Sproom by VISMA e-conomic

Gærtorvet 1-5, 1799 Copenhagen V, Denmark

Delivers the infrastructure for sending and receiving electronic invoices in Denmark.

Årsregnskabet ApS

Pilestræde 52, 2., 1112 Copenhagen K, Denmark

Supports drafting of annual accounts, provides access to accounting material.

Apple Inc.

One Apple Park Way, Cupertino, CA 95014, USA

 

Payment Processing

Appendix C – Instructions for Processing Personal Data

C.1 – Nature and Purpose of Processing

 

The Data Processor processes personal data solely based on documented instructions from the Data Controller, as defined below or communicated separately in writing and approved by both Parties.

 

The processing activities carried out by the Data Processor include:

 

  • The provision of a financial management platform enabling, among other things, invoicing, accounting, banking operations, and payroll;
  • The operations necessary for the performance of the services selected by the Data Controller under the General Terms of Service;
  • The use of software components and integrations selected by the Data Processor to deliver said services.

 

The Data Controller is solely responsible for determining the legal basis for the processing operations, including under Articles 6 and 9 of the GDPR.

 

Any processing beyond this scope must be subject to a separate documented instruction from the Data Controller.

 

C.2 – Categories of Data and Data Subjects

 

The categories of personal data and data subjects are detailed in Appendix A.

 

Special categories of data (Article 9 GDPR) must not be processed unless explicitly and formally authorized by the Data Controller. The Data Controller is advised to anonymize or pseudonymize such data whenever possible.

 

C.3 – Security Measures

 

The Data Processor shall implement, maintain, and, where necessary, adapt appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

 

These measures take into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing, as well as the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

 

In particular, the Data Processor ensures that:

 

  • Individuals authorized to process the data are bound by confidentiality obligations or a suitable legal confidentiality duty;
  • Access to the data is restricted to authorized personnel strictly within the scope of their responsibilities;
  • Systems are protected against unauthorized access through physical, logical, and organizational security measures;
  • Procedures are in place to regularly test, assess, and evaluate the effectiveness of these security measures.

 

Without prejudice to the above obligations, the details of the specific security measures implemented may be provided separately upon request, subject to applicable confidentiality restrictions.

 

C.4 – Data Retention and Deletion

 

The Data Processor deletes or returns the personal data at the end of the contractual relationship, in accordance with the documented instructions of the Data Controller, unless otherwise required under Union or Member State law, in particular for accounting or tax purposes.

 

C.5 – Sub-processors

 

The Data Processor has the general authorization of the Data Controller to engage the sub-processors listed in Appendix B.

 

The Data Processor may also engage other sub-processors, provided that it informs the Data Controller in advance within a reasonable timeframe before implementing the change.

 

The Data Controller may raise a reasoned objection in writing within thirty (30) days of the notification, solely on legitimate and documented grounds relating to the protection of personal data. If no objection is received, the change shall be deemed accepted.

 

In the event of a justified objection, the Parties agree to cooperate in good faith to find a mutually acceptable solution. If no solution is found within a reasonable timeframe, the Data Processor reserves the right to proceed with the designated sub-processor, in which case the Data Controller may terminate only the affected services, without compensation or liability for the Data Processor.

 

C.6 – Data Transfers outside the EEA

 

Data is processed by the Data Processor within the European Economic Area (EEA) and by its authorized sub-processors listed in Appendix B.

 

Transfers of personal data outside the EEA may occur in connection with the use of international service providers. The Data Controller expressly authorizes such transfers, provided that the Data Processor complies with Chapter V of the GDPR and implements appropriate safeguards, such as:

 

  • Adequacy decisions by the European Commission;
  • Standard Contractual Clauses (SCCs);
  • Binding Corporate Rules (BCRs);
  • Or other GDPR-compliant safeguards.

 

C.7 – Cooperation and Compliance Instructions

 

The Data Processor agrees to:

 

  • Assist the Data Controller, upon written request, in managing data subject rights requests (Articles 12–22 of the GDPR);
  • Support the performance of data protection impact assessments (Article 35 GDPR), where relevant;
  • Cooperate with competent supervisory authorities, where required by applicable law.

 

The Data Processor will not communicate directly with data subjects or supervisory authorities without the express written instructions of the Data Controller.

 

Any assistance beyond what is strictly required under Article 28 of the GDPR may be subject to additional remuneration as agreed between the Parties.

 

C.8 – Access and Audit

 

At the request of the Data Controller and where there is credible evidence of non-compliance, the Data Processor shall allow and contribute to audits of the processing activities covered by these clauses. Such an audit may be conducted once per calendar year, subject to sixty (60) days’ prior written notice to the Data Processor.

 

The audit must be carried out in a manner that preserves the security and confidentiality of the Data Processor’s documentation and procedures. It shall not exceed one (1) business day and must take place during regular business hours at the Data Processor’s premises.

 

The Data Controller may choose to carry out the audit itself or appoint an independent auditor, mutually agreed upon by both Parties and bound by a confidentiality obligation. The Data Processor may reject the proposed auditor if there is a clear conflict of interest or insufficient qualification.

 

Notwithstanding any provision to the contrary, the Data Controller shall bear all costs and/or expenses incurred as a result of such an audit.