Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Agreement (as defined below) between Supplied Technologies B.V. (“Supplied”, “Processor”, “we/us/our”) and the Customer (“Controller”, “you/your”) under which Supplied provides the Services. Capitalized terms not defined here have the meaning in the Agreement or the GDPR.

1. Definitions

• Agreement: the written or electronic agreement (including online Terms) governing the Services.
• Controller/Processor, Personal Data, Processing, Personal Data Breach, Supervisory Authority, Data Subject: as in the GDPR.
• EU SCCs: the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914.
• UK Addendum: ICO International Data Transfer Addendum to the EU SCCs (version in force at transfer).
• Swiss Addendum: adjustments required by the Swiss FADP.
• Sub-processor: a processor engaged by Supplied.
• TOMs: technical and organizational measures.

2. Scope; Roles; Instructions

2.1 Roles. For the Processing described in this DPA, Controller is the Controller and Supplied is the Processor.
2.2 Documented Instructions. Supplied shall Process Personal Data only on documented instructions from Controller (including via the Agreement, this DPA, order forms, and Controller’s written admin settings). If an instruction infringes Data Protection Law, Supplied will inform Controller.
2.3 Purpose & Subject Matter. Processing is limited to providing and supporting the Services for the term of the Agreement (see Annex I).
2.4 Controller Responsibilities. Controller determines the purposes and means of Processing, provides all notices, obtains and records any consents (if used as a legal basis), and ensures lawfulness of Personal Data provided to Supplied.

3. Confidentiality

Supplied ensures its personnel are bound by confidentiality and access Personal Data on a need-to-know basis.

4. Security

4.1 TOMs. Supplied implements and maintains TOMs appropriate to the risk, including at minimum the controls listed in Annex II (e.g., access control, encryption in transit/at rest, logging/monitoring, vulnerability management, secure development, BCP/DR).
4.2 Assessments & Certifications. Upon request once per year, Supplied will provide a summary of relevant audits/certifications (e.g., ISO/IEC 27001) or equivalent third-party assurance.

5. Sub-processors

5.1 Authorization. Controller authorizes the Sub-processors listed in Annex III and general authorization for Supplied to appoint new Sub-processors.
5.2 Flow-down. Supplied will impose GDPR-equivalent obligations on all Sub-processors and remains fully liable for their performance.
5.3 Notice & Objection. Supplied will notify Controller at least 15 days before replacing/adding Sub-processors (email or portal notice). Controller may object on reasonable data protection grounds; the parties will discuss in good faith. If unresolved, Controller may suspend the affected Service or terminate it for convenience (pro-rata refund of prepaid fees for the terminated portion).

6. International Data Transfers

6.1 Supplied will not transfer Personal Data outside the EEA/UK/Switzerland unless appropriate transfer mechanisms are in place (e.g., EU SCCs Module Two, UK Addendum, Swiss Addendum).
6.2 Where required, the parties enter into the EU SCCs (controller-to-processor, Module Two) incorporated by reference with Annexes from this DPA; the governing law and competent authority are as set out in Annex I(C).
6.3 Supplied will conduct transfer impact assessments (TIAs) where applicable and implement supplementary measures where necessary.

7. Assistance

7.1 DSR Assistance. Taking into account the nature of Processing, Supplied will assist Controller by appropriate technical and organizational measures in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). Target response within 5 business days of a written request from Controller.
7.2 DPIAs & Consultations. Supplied will provide reasonably available information to support Controller’s DPIAs or consultations with Supervisory Authorities regarding the Services.
7.3 Costs. Where assistance is excessive, repetitive, or outside the Services’ standard scope, Supplied may charge reasonable costs.

8. Personal Data Breach

Supplied will notify Controller without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Controller Personal Data, and provide information reasonably available to assist Controller with notifications to authorities and Data Subjects. Notification is not an admission of fault or liability.

9. Audit & Compliance

9.1 Information & Reports. Supplied will make available information necessary to demonstrate compliance with this DPA (e.g., policy summaries, independent audit reports).
9.2 On-site Audit. Where such information is insufficient, Controller may conduct (or mandate a reputable independent auditor to conduct) an audit no more than once per 12 months with 15 business days’ prior notice, during business hours, limited to facilities and systems used to Process Controller Personal Data, and subject to confidentiality and security requirements.
9.3 Costs. Each party bears its own costs; if an audit reveals material non-compliance attributable to Supplied, Supplied will bear reasonable audit costs.

10. Return and Deletion

Within 30 days after termination or expiry of the Agreement, upon Controller request, Supplied will make available a reasonable export of Personal Data (e.g., CSV/JSON). After this export window, Supplied will delete Controller Personal Data from active systems and schedule deletion from backups per Annex II timelines, except as necessary to:

• comply with legal obligations or enforce rights, or
• retain limited, pseudonymized, or anonymized data for the exclusive purpose of improving Supplied’s own AI models, recommendation systems, and platform features, provided that such data no longer qualifies as Personal Data under the GDPR and cannot reasonably be reidentified.

Supplied ensures that any retained data under this section is segregated from live production systems and subject to appropriate technical and organizational measures.

‍

11. Liability; Precedence

11.1 Liability. Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except where prohibited by law.
11.2 Precedence. If there is conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict on data protection matters. If there is conflict between this DPA and the SCCs, the SCCs prevail.

12. Term

This DPA remains in force while Supplied Processes Personal Data on behalf of Controller under the Agreement.

Annex I — Description of Processing (SCCs, Annex I.A–C)

A. Parties

• Data Exporter (Controller): Customer identified in the Order Form / Admin Portal.
• Data Importer (Processor): Supplied Technologies B.V., Assendorperdijk 1, 8012 EG Zwolle, NL. Contact: support@supplied.eu, +31 6 86630404.

B. Details of Transfer

• Data Subjects: Controller’s authorized users; Controller’s customers/end-users whose data Controller uploads to or collects via the Services.
• Categories of Personal Data: Identification and contact data (name, email, phone, address), account identifiers (user ID/username), business identifiers (company name, tax IDs), usage and log data, uploaded documents/metadata needed for onboarding/verification/reporting. (Controller decides actual fields.)
• Special Categories: Not intended to be processed. If Controller uploads such data, it remains responsible for a lawful basis and instructions.
• Frequency: Continuous for the term.
• Nature & Purpose: Hosting, storage, computation, verification, enrichment, transformation, reporting, support, security, and related operations necessary to provide the Services.
• Duration: For the Agreement term plus deletion timelines in Section 10.
• Subject-matter of Processing by Sub-processors: Same as above, limited to what is necessary to provide the Services.
• AI & Analytics Use: Supplied may retain anonymized or pseudonymized usage and deleted data solely for the purpose of improving the accuracy, efficiency, and user experience of its AI-driven features and analytics systems. Such data is excluded from Personal Data under GDPR once anonymized.

C. Competent Supervisory Authority & Governing Law

• Supervisory Authority: Dutch AP (Autoriteit Persoonsgegevens) unless the SCCs dictate otherwise by establishment.
• SCC Governing Law & Forum: Netherlands.

Annex II — Technical and Organisational Measures (TOMs)

Supplied maintains an ISO-27001–aligned ISMS including, at a minimum:

1. Governance & Policies: documented security policies; risk assessments; security awareness training.
2. Access Control: unique user IDs, least-privilege, RBAC, MFA for admin access, timely de-provisioning.
3. Encryption: TLS for data in transit; industry-standard encryption for data at rest (e.g., AES-256); key management via managed KMS.
4. Network Security: segmentation, firewalls, DDoS protection provided by cloud providers; hardened endpoints.
5. Vulnerability & Patch Management: regular scanning, remediation SLAs; annual penetration testing.
6. Secure SDLC: code review, dependency scanning, secrets management, CI/CD controls.
7. Logging & Monitoring: centralized logs, audit trails for access and admin actions, alerting.
8. Business Continuity & Disaster Recovery: backups with cross-region redundancy; RTO ≤ 24h, RPO ≤ 24h targets unless otherwise agreed.
9. Data Retention & Deletion: production data deleted within 30 days after export window; backups overwritten on rolling cycles ≤ 12 months.
10. Incident Response: documented IR plan, breach notification workflow meeting Section 8.
11. Vendor Management: security due diligence and SCCs/transfer safeguards for relevant vendors; contractual flow-downs.
12. Physical Security: data centers managed by reputable cloud providers with industry certifications.

Annex III — Authorized Sub-processors

The Controller authorizes Supplied to use the following categories of Sub-processors: