Data Processing Agreement
Doc2iXBRL (Ontos B.V.) — Version 1.1 — Effective date 14 April 2026
Last updated: April 2026
1. Introduction
This data processing agreement (the "DPA") governs the processing of Personal Data in the course of the provision of the Services provided by the Provider (Ontos B.V., operating as Doc2iXBRL) to the Customer, and forms part of the Agreement between the Parties.
This DPA regulates the Customer's rights and obligations in its capacity as data controller or data processor, as well as the Provider's rights and obligations in its capacity as data processor or sub-processor when the Provider processes Personal Data on behalf of the Customer under the Agreement.
The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).
In case of any conflict between the rest of the Agreement and this DPA (including the documents specified under Clause 1.5), the wording of this DPA shall prevail.
The following shall form part of the DPA:
Capitalised terms that are used but not defined in this DPA shall have the meaning set out in the Agreement, the applicable Order Form, or the Doc2iXBRL General Terms and Conditions ("GTCs").
2. Processing of Personal Data
The Provider undertakes to process Personal Data for the purposes set forth in this DPA (including the Specification of Data Processing) and in accordance with the Customer's documented written instructions, unless otherwise required by Applicable Data Protection Laws. The Customer's instructions to the Provider regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the types of Personal Data, and the categories of data subjects, together with the rights and obligations of both Parties, are set forth in this DPA and in the Specification of Data Processing referenced in Clause 1.5(a).
As data processor, the Provider undertakes to: (a) comply with all Applicable Data Protection Laws that apply to it in its capacity as a processor of the Personal Data; (b) cooperate with audits conducted by the Customer in accordance with Clause 9; and (c) inform the Customer promptly, and in any event within five (5) business days, if the Provider determines that an instruction from the Customer violates Applicable Data Protection Laws.
Any transfer of Personal Data to the Provider using the Services shall be made using secure, reasonable, and appropriate mechanisms, including encryption in transit.
The Provider shall, without undue delay, inform the Customer of any communication with any Data Protection Authority that relates to the Provider's processing of Personal Data under this DPA, and the Provider will provide reasonable assistance to the Customer if the Customer receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities, or any other third parties request information from the Provider regarding the processing of Personal Data covered by this DPA, the Provider shall refer such requests to the Customer to the extent permissible under applicable law.
The Provider shall provide reasonable assistance to the Customer, through appropriate technical and organisational measures, with the Customer's compliance obligations including implementing reasonable security procedures and practices appropriate to the nature of the Personal Data.
The Provider's assistance to the Customer under Clauses 2.4 and 2.5 will be provided at the Customer's reasonable expense, unless the reason for the assistance is a direct result of an act or omission by the Provider or its Affiliates.
The Provider certifies that it will not: (a) retain, use, or disclose Personal Data outside the context of the relationship between the Provider and the Customer, other than to provide the Services in accordance with the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Laws; (b) sell or share Personal Data; or (c) combine Personal Data the Provider obtains in the performance of the Services with any personal information that the Provider collects from other sources, except as strictly necessary to provide the Services or as permitted by Applicable Data Protection Laws.
Without prejudice to the generality of Clause 2.7, and consistent with Clause 8.3.3 of the GTCs, the Provider shall not use Customer Data (including any Personal Data contained therein) to train, retrain, fine-tune, or otherwise improve any artificial-intelligence or machine-learning model, whether its own or that of any third party, except to the extent that the Customer has given specific prior written consent for a defined purpose.
3. Obligations of the Customer
The Customer shall ensure that it has a valid legal basis under Applicable Data Protection Laws, and all necessary rights, consents, and authorisations, to provide the Personal Data to the Provider and to authorise the Provider to process that Personal Data in accordance with this DPA, the Agreement, and any other processing instructions provided by the Customer to the Provider.
The Customer shall comply with all Applicable Data Protection Laws that apply to it in its capacity as controller (or, where relevant, as processor vis-à-vis its own clients) of the Personal Data.
The Customer shall limit the provision of Personal Data to the Provider to what is necessary for the purpose of the Agreement.
4. Sub-processors
The Provider is, subject to Clauses 4.2 and 5, entitled to engage subcontractors acting as sub-processors, provided that they are bound by a written agreement which imposes on them materially the same data-protection obligations as those to which the Provider is bound under this DPA in respect of data protection.
The Provider shall inform the Customer of any new sub-processor by updating the Sub-processor List referenced in Clause 1.5(b), and shall give the Customer the opportunity to object to such changes. The Provider shall provide such notice by: (i) publishing the updated Sub-processor List on the page referenced in Clause 1.5(b) with a clear indication of the change; and (ii) where the Customer has subscribed to update notifications (or has otherwise provided a notification email address to the Provider for this purpose), notifying the Customer by email. Any objection by the Customer shall be based on reasonable grounds relating to the proposed sub-processor's ability to comply with Applicable Data Protection Laws and shall be made in writing within thirty (30) days from the date of the notification.
If, despite the Customer's objection, the Provider continues to engage the sub-processor, the Parties shall in good faith discuss and attempt to find an alternative solution that is reasonably acceptable to both Parties. If no such solution can be found and the Customer's objection would, in the Provider's reasonable opinion, result in costs or operational consequences that are not commercially reasonable, the Provider may terminate the Agreement upon reasonable written notice.
5. Location of Processing and Third Country Transfers
The Customer acknowledges that it may transfer Personal Data, or make Personal Data available by remote access, to the Provider in the EU in order for the Provider to provide the Services. The Provider shall not process Personal Data outside the EU/EEA, and shall not engage sub-processors processing the Personal Data outside the EU/EEA, without the Customer's prior approval, which shall be deemed given if the Customer has not objected to a new sub-processor within the time set out in Clause 4.2.
To the extent any transfer described in Clause 5.1 constitutes a Restricted Transfer, the Provider shall upon request provide all reasonably relevant information regarding the Restricted Transfer to enable the Customer to make an informed decision, including details of the country or territory to which the Personal Data will be transferred.
If Standard Contractual Clauses are used as a Data Transfer Mechanism under this DPA, they shall be implemented as follows: (a) the Provider shall ensure that the Restricted Transfer is subject to adequate safeguards as stated in Chapter V of the GDPR and may for this purpose rely on the Standard Contractual Clauses, provided that the clauses, including supplementary security measures, ensure an essentially equivalent level of protection; and (b) the Parties acknowledge and agree that the Provider or its sub-processor, as applicable, shall apply Module 3 of the Standard Contractual Clauses.
The Provider represents and warrants that it has no reason to believe that legislation or practices applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling its obligations under Applicable Data Protection Laws, this DPA, or its obligations in the Standard Contractual Clauses. In the event the Provider is unable to fulfil its obligations in this Clause 5.4, the Provider agrees to immediately notify the Customer.
6. Information Security and Confidentiality
To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information-security and confidentiality obligations otherwise set out in the Agreement, the Provider commits to the appropriate technical and organisational measures described in Security Measures.
The Provider shall protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.
The Provider shall ensure that only staff and other representatives who require access to Personal Data to fulfil the Provider's obligations under the Agreement have access to such information. The Provider shall ensure that all persons authorised to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Data Breach Notifications
The Provider shall notify the Customer without undue delay and at the latest within 72 hours after becoming aware of a Personal Data breach affecting Customer Personal Data.
The Provider shall assist the Customer with any information reasonably required to fulfil the Customer's data breach notification requirements under Applicable Data Protection Laws. Any costs associated with such assistance will be subject to the limitations of liability in the General Terms and Conditions.
8. Data Protection Impact Assessments and Prior Consultations
The Provider shall, at the Customer's reasonable expense, considering the nature of the processing and the information available to the Provider, assist the Customer in fulfilling the Customer's obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.
9. Audit Rights
The Customer shall have the right to perform audits of the Provider's processing of the Customer's Personal Data to verify the Provider's compliance with this DPA and Applicable Data Protection Laws. This audit right is limited to once per 12-month period, unless the Customer has clear reasons to believe that the Provider has materially breached its obligations under this DPA.
The Provider undertakes to make available to the Customer all information and other assistance reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and to allow for, and contribute to, audits, conducted by an authorised and independent reputable auditor mandated by the Customer, provided that the individuals performing the audit enter into confidentiality agreements or are bound by statutory confidentiality obligations.
In this context, it is noted that among the Provider's customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, accountancy firms etc.). Hence, the Customer acknowledges that audits under this DPA shall not include access to information pertaining or belonging to the Provider's other customers.
The Customer is responsible for all costs associated with audits, save where an audit concludes that the Provider has materially breached its obligations under this DPA or under Applicable Data Protection Laws, in which case the Provider shall reimburse the Customer for reasonable and verified costs associated with the audit.
10. Term of Agreement
The provisions of this DPA shall apply as long as the Provider processes Personal Data for which the Customer is data controller or until this DPA is replaced by another data processing agreement.
11. Measures Upon Completion of Processing
Before the expiration of this DPA, the Provider shall, at the choice and instruction of the Customer, securely delete or return all Personal Data to the Customer, unless Applicable Data Protection Laws require the Processor to store the Personal Data, in which case the obligations set out in Clause 11.4(a)–(c) shall apply.
If return or destruction is impracticable or incidentally prohibited by a valid legal requirement, the Provider shall take measures to inform the Customer and to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required under Dutch or EU law) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. Where any authorised sub-processor continues to possess Personal Data, the Provider shall require the sub-processor to take the same measures as would be required of the Provider itself.
Upon request by the Customer, the Provider shall provide written notice of the measures taken in respect of the Personal Data upon completion of the processing as set out in Clause 11.1.
If the Processor is legally required to retain archival copies of any specific data belonging to the Customer for tax or similar regulatory purposes, the Processor shall: (a) inform the Customer thereof in writing specifying the legal obligation and the affected Customer data; (b) not use the archived information for any other purpose than to strictly comply with the applicable legal obligation; and (c) remain bound by its obligations under the Agreement, including this DPA, including its confidentiality and security obligations under the Agreement and the obligations under this DPA to protect the information using appropriate safeguards and to notify the Customer of any security incident involving the information.
12. Amendments
Any amendments to this DPA shall, to be valid, be agreed in writing and duly signed by authorised representatives of both Parties.
Notwithstanding Clause 12.1, the Customer is entitled to make updates to its written instructions regarding the processing as set out in the Specification of Data Processing. The Provider shall be entitled to remuneration for any reasonable and verified additional costs that it incurs as a result of the Customer's amended instructions. No remuneration shall be payable for amendments directly required by, or directly based on, regulatory requirements under Applicable Data Protection Laws.
13. Liability
The liability provisions and limitations thereof set out in the General Terms and Conditions shall apply to this DPA.
14. Governing Law and Dispute Resolution
Except as otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and construed in accordance with the governing law provision in the General Terms and Conditions.
Any dispute, controversy, or claim arising out of or in connection with this DPA, or its breach, termination, or invalidity, shall be finally settled in accordance with the dispute-resolution provision set out in the General Terms and Conditions.
15. Definitions
- Applicable Data Protection Laws: Any nationally or internationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the "EU"), including the EU General Data Protection Regulation ("EU GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), and all other privacy and data protection laws of the European Economic Area ("EEA") and the United Kingdom, and (ii) those applicable in the United States, including the California Consumer Privacy Act, and applicable subordinate legislation and regulations implementing those laws, as amended and supplemented from time to time.
- Data Protection Authority: A regulatory authority, supervisory authority, or other government agency authorised to enforce Applicable Data Protection Laws.
- Data Transfer Mechanism: A transfer mechanism that enables the lawful cross-border transfer of Personal Data under Applicable Data Protection Laws. This includes transfer mechanisms that are required under Applicable Data Protection Laws in the EEA, UK, and Switzerland such as the Data Privacy Framework, the Standard Contractual Clauses, the UK International Data Transfer Addendum and any data transfer mechanism available under Applicable Data Protection Laws.
- Personal Data: Any Customer Data that (i) relates to an identified or identifiable natural person, or (ii) constitutes "personal data", "personal information", or any similar term within the meaning of Applicable Data Protection Laws.
- Restricted Transfer: Any transfer of Personal Data to a third country that requires a Data Transfer Mechanism.
- Standard Contractual Clauses: The European Commission's standard contractual clauses adopted on 4 June 2021 or any clauses thereafter replacing such standard contractual clauses.
- Data controller / Data processor: Have the meanings attributed to them under Applicable Data Protection Laws.
Ontos B.V.
KVK: 42011303
VAT: NL869277571B01
Email: contact@doc2ixbrl.com
Privacy / DPA questions: max@doc2ixbrl.com