1. Introduction
This Data Processing Agreement (“DPA”) is entered into between Eagl, a private limited liability company established under the laws of Belgium, with registered office at Muishondstraat 2 box 303, 9000 Gent, Belgium, registered under company number 1022.611.909 (“Processor”), and the Customer as identified in the Agreement (“Controller”).
This DPA forms an integral part of the Terms and Conditions (the “Agreement”) and sets out the terms under which the Processor processes Personal Data on behalf of the Controller when providing the Software Service.
2. Definitions
All capitalised terms not defined in this DPA shall have the meaning as set forth in the Agreement. In addition:
- “Data Protection Legislation” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all other applicable EU data protection legislation;
- “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Agreement;
- “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Sub-processor” means any third party appointed by the Processor to process Personal Data on behalf of the Controller;
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
3. Scope and Purpose of Processing
3.1 Subject matter
The Processor will process Personal Data on behalf of the Controller for the purpose of providing the Software Service as described in the Agreement.
3.2 Nature and purpose
The nature of the processing includes the collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data necessary for the provision of the Software Service, including AI-driven financial controlling, anomaly detection, variance analysis, and smart financial workflows.
3.3 Types of Personal Data
The types of Personal Data processed may include:
- Names and contact details of end users
- Email addresses
- Account credentials (hashed)
- IP addresses and usage logs
- Financial data and transaction records as uploaded by the Controller
- Any other Personal Data contained in the Customer Data
3.4 Categories of data subjects
The categories of data subjects include:
- End Users of the Software Service
- Employees and representatives of the Controller
- Individuals whose Personal Data is contained in the Customer Data (e.g., employees, customers, vendors, or other business contacts of the Controller)
3.5 Duration
The duration of the processing shall be for the Term of the Agreement, unless otherwise specified.
4. Obligations of the Processor
4.1 General obligations
The Processor shall:
- process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject;
- ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 of the GDPR;
- respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights;
- assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor;
- at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4.2 Processing only on instructions
The Processor shall not process Personal Data other than on documented instructions from the Controller. If the Processor is required by Union or Member State law to process Personal Data, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
5. Security Measures
5.1 Technical and organisational measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.2 Industry standards
The Processor may adhere to recognised industry standards, such as ISO/IEC 27001 certification or equivalent information security frameworks, as evidence of compliance with the security requirements set forth in this DPA.
6. Sub-processors
6.1 General authorisation
The Controller grants the Processor general written authorisation to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes within fifteen (15) calendar days.
6.2 Sub-processor obligations
Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract.
6.3 Liability
The Processor shall remain fully liable to the Controller for the performance of a Sub-processor’s obligations in accordance with this DPA.
7. Data Breach Notification
7.1 Notification to the Controller
The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach. The notification shall at least:
- describe the nature of the Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the Data Breach;
- describe the measures taken or proposed to be taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2 Assistance
The Processor shall cooperate with and assist the Controller in relation to any Data Breach notification obligations the Controller may have under Data Protection Legislation.
8. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests from data subjects exercising their rights under the GDPR.
If a data subject request is made directly to the Processor, the Processor shall promptly forward the request to the Controller and shall not respond to the request without the Controller’s prior written instructions, unless legally compelled to do so.
9. International Transfers
The Processor shall not transfer Personal Data to a country outside the European Economic Area (“EEA”) without the prior written consent of the Controller and without ensuring that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses approved by the European Commission.
10. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and during normal business hours.
11. Term and Termination
This DPA shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies, unless applicable law requires the storage of the Personal Data.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Belgium. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Ghent, Belgium.
Contact
For any questions regarding this Data Processing Agreement, please contact us at dpo@geteagl.com or Muishondstraat 2 box 303, 9000 Gent, Belgium.