Data processing agreement

Article 1 / Definitions

In this Data Processing Agreement ("DPA"), the following terms shall have the following meanings. Terms not defined herein shall have the meaning ascribed to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR"):

"Controller" means the natural or legal person that determines the purposes and means of the processing of personal data, being the Client;

"Processor" means 7Lab B.V., having its registered office at Danzigerbocht 39-G, 1013 AM Amsterdam, the Netherlands, registered with the Chamber of Commerce under number 84815515;

"Data Subject" means an identified or identifiable natural person whose personal data is processed;

"Personal Data" means any information relating to a Data Subject;

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction;

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller;

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed;

"Main Agreement" means the service agreement or other contractual arrangement between the Controller and the Processor to which this DPA is supplementary;

"Supervisory Authority" means the independent public authority established by an EU Member State pursuant to the GDPR, in particular the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Article 2 / Subject matter and duration

2.1 This DPA sets out the terms and conditions under which the Processor shall process Personal Data on behalf of the Controller in connection with the services provided under the Main Agreement.

2.2 The duration of the processing shall correspond to the term of the Main Agreement, unless otherwise agreed in writing or required by applicable law.

2.3 This DPA is supplementary to and forms an integral part of the Main Agreement. In the event of any conflict between the provisions of this DPA and the Main Agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data.

Article 3 / Nature and purpose of processing

3.1 The Processor shall process Personal Data solely for the purpose of performing its obligations under the Main Agreement, including but not limited to:

(a) the development, testing, deployment, and maintenance of AI software solutions and related services;

(b) hosting and infrastructure management;

(c) providing customer support and technical assistance;

(d) data analysis and optimisation of services, solely as instructed by the Controller.

3.2 The types of processing operations include: collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction.

3.3 The Processor shall not process Personal Data for any purpose other than as instructed by the Controller, unless required to do so by EU or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure on important grounds of public interest.

Article 4 / Categories of personal data

4.1 The categories of Personal Data processed under this DPA may include, depending on the services provided:

(a) identification data (name, address, email address, telephone number);

(b) professional data (job title, employer, professional contact details);

(c) authentication data (usernames, hashed passwords, session tokens);

(d) usage data (log files, IP addresses, browser type, access times);

(e) content data (documents, images, text, and other data uploaded to or generated by the services);

(f) communication data (messages, correspondence records);

(g) any other categories of Personal Data as specified in the Main Agreement.

4.2 The Processor shall not process special categories of Personal Data (as defined in Article 9 GDPR) unless explicitly instructed by the Controller in writing and appropriate safeguards are in place.

Article 5 / Categories of data subjects

5.1 The categories of Data Subjects whose Personal Data may be processed under this DPA include:

(a) employees, contractors, and agents of the Controller;

(b) customers and end users of the Controller;

(c) suppliers and business partners of the Controller;

(d) any other Data Subjects whose Personal Data is provided to the Processor by or on behalf of the Controller.

Article 6 / Obligations of the Controller

6.1 The Controller warrants that it has a lawful basis for the processing of Personal Data and that all necessary consents, authorisations, and notices have been obtained or given as required under applicable data protection law.

6.2 The Controller shall provide processing instructions to the Processor in writing. The Controller is responsible for ensuring that the processing instructions comply with applicable data protection law.

6.3 The Controller shall promptly inform the Processor if, in the Controller's opinion, any instruction given by the Controller infringes the GDPR or other applicable data protection provisions.

6.4 The Controller shall implement appropriate technical and organisational measures to ensure the security of Personal Data prior to transmission to the Processor.

Article 7 / Obligations of the Processor

7.1 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation.

7.2 The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.3 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects.

7.4 The Processor shall not engage any Sub-processor without the prior specific or general written authorisation of the Controller, subject to the provisions of Article 8.

7.5 The Processor shall assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.

7.6 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

7.7 At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and shall delete existing copies unless EU or Member State law requires storage of the Personal Data.

7.8 The Processor shall not use the Controller's Personal Data for training or developing AI models or similar purposes, unless the Parties expressly agree otherwise in writing.

Article 8 / Sub-processors

8.1 The Controller provides general written authorisation for the Processor to engage Sub-processors. The Processor shall maintain a current list of Sub-processors and make it available to the Controller upon request.

8.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes within fourteen (14) days of being notified.

8.3 If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, the Parties shall discuss the objection in good faith. If no resolution can be reached, the Controller may terminate the affected services without penalty.

8.4 The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-processor by way of a written contract. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

Article 9 / International transfers

9.1 The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or to an international organisation without the prior written consent of the Controller.

9.2 Any transfer of Personal Data to a third country or international organisation shall be subject to appropriate safeguards in accordance with Chapter V of the GDPR, including but not limited to EU Standard Contractual Clauses, an adequacy decision of the European Commission, or Binding Corporate Rules.

9.3 The Processor shall inform the Controller of any legal requirements in a third country that may affect its ability to comply with this DPA, to the extent permitted by applicable law.

Article 10 / Security measures

10.1 The Processor shall implement and maintain appropriate technical and organisational security measures, including but not limited to:

(a) encryption of Personal Data in transit and at rest;

(b) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

(c) measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

(e) access controls, including role-based access, multi-factor authentication, and logging of access to Personal Data;

(f) regular security assessments and vulnerability scanning.

10.2 The Processor shall review and, where necessary, update the security measures at regular intervals to ensure they remain appropriate to the risk.

Article 11 / Audit rights

11.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

11.2 Audits shall be conducted with reasonable prior notice (at least thirty (30) days), during normal business hours, and shall not unreasonably interfere with the Processor's business operations.

11.3 The Controller shall bear its own costs of conducting an audit. If an audit reveals a material non-compliance by the Processor, the Processor shall bear the reasonable costs of the audit.

11.4 The Processor may satisfy audit requests by providing relevant certifications (such as ISO 27001) or third-party audit reports, provided these adequately address the Controller's audit requirements.

Article 12 / Data subject rights

12.1 The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under Chapter III of the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

12.2 The Processor shall not respond to any such request directly unless authorised to do so by the Controller.

12.3 The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests by providing appropriate technical and organisational measures, taking into account the nature of the processing.

Article 13 / Personal data breach notification

13.1 The Processor shall notify the Controller without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach.

13.2 The notification shall include, at a minimum:

(a) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) the name and contact details of the Processor's data protection officer or other contact point where more information can be obtained;

(c) a description of the likely consequences of the Personal Data Breach;

(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

13.3 Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.

13.4 The Processor shall cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

Article 14 / Term and termination

14.1 This DPA shall enter into force on the date of execution by both Parties and shall remain in effect for the duration of the Main Agreement.

14.2 Upon termination or expiry of the Main Agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless EU or Member State law requires further storage. The Processor shall certify in writing that it has complied with this obligation.

14.3 The obligations of confidentiality contained in this DPA shall survive the termination or expiry of this DPA.

14.4 Provisions of this DPA that by their nature are intended to survive termination shall remain in full force and effect after termination, including but not limited to the obligations regarding confidentiality, data deletion, and liability.

Article 15 / Governing law and dispute resolution

15.1 This DPA shall be governed by and construed in accordance with the laws of the Netherlands.

15.2 Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent court in Amsterdam, the Netherlands.

15.3 Nothing in this DPA shall prevent either Party from lodging a complaint with a Supervisory Authority or seeking a judicial remedy where required by applicable data protection law.