DeltaBlue
Data Processing Agreement
DeltaBlue hosting
Version 1.1
Effective from: 25 September 2025
Data Processing Agreement (the "DPA")
BETWEEN:
I. DeltaBlue NV, a limited liability company incorporated under Belgian law, having its registered office at Kempische steenweg 305 postal box 203, 3500 Hasselt (Belgium) and registered with the Belgian Crossroads Bank of Enterprises under company number 0543.425.375 (RLE Antwerp, section Hasselt), hereinafter the "Processor";
AND
II. The legal entity of the "Customer" as referred to in the contractual documentation between the Customer and Processor, hereinafter the "Controller".
Processor and Controller are hereinafter referred to collectively as "Parties" and individually as a "Party".
IT HAS BEEN SET OUT:
A. The Controller and the Processor have entered into an Agreement (hereinafter the "Underlying Agreement"), pursuant to which the Parties agreed that the Processor will carry out certain processing activities (hereinafter the "Processing") on behalf of the Controller, as further set out in Appendix I to this DPA;
B. In this DPA, Controller and Processor wish to determine their respective rights and obligations as to the Processing of Personal Data by the Processor, in accordance with Data Protection Legislation (as defined in article 1.3 of this DPA).
THE PARTIES HERETO HAVE AGREED AS FOLLOWS:
1. Definitions
Words and expressions used in this DPA are to be interpreted to have the following meaning:
1.1. DPA: this Data Processing Agreement entered into between the Parties;
1.2. Sub-processors: the processors that are engaged by the Processor in accordance with article 7 of this DPA for the Processing of the Personal Data within the framework of the Underlying Agreement and who agree to receive and Process Personal Data on behalf of the Controller;
1.3. Data Protection Legislation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR") together with the (national) implementing or supplementary legislation;
1.4. Data Subject: the identifiable natural person to whom the Personal Data relates and who can be identified, directly or indirectly, by that Personal Data;
1.5. Underlying Agreement: the Agreement according to which the Controller instructs the Processor to perform the Processing on the Controller's behalf;
1.6. Personal Data: any information relating to an identified or identifiable natural person that the Processor receives and Processes on the basis of the Underlying Agreement. The relevant categories of Personal Data, that are provided to the Processor by or on behalf of the Controller within the framework of the Underlying Agreement, are identified in Appendix I;
1.7. Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Processor within the framework of the Underlying Agreement;
1.8. Process/Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
1.9. Purposes: the purposes for which the Personal Data are Processed by the Processor within the framework of the Underlying Agreement as set out in Appendix I;
1.10. Standard Contractual Clauses: the standard contractual clauses of which the European Commission on the basis of Article 26 (4) of Directive 95/46/EC decided that they offer sufficient safeguards for the transfers of personal data to a third country, or the data protection clauses adopted by the European Commission or by a supervisory authority and approved by the European Commission in accordance with the examination procedure referred to in Article 93(2) of EU Regulation 2016/679. In the event of any such data protection clauses adopted in accordance with EU Regulation 2016/679, such clauses shall prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they intend to cover the same kind of data transfer relationship.
In any event, the (uncapitalized) terms that are defined in this DPA shall be interpreted to have the meaning as set forth in Data Protection Legislation (in particular, the GDPR).
2. Scope of application
2.1. Unless Parties agree otherwise in writing, the provisions of this DPA are applicable to every Processing of Personal Data performed by the Processor on behalf of the Controller.
2.2. In case of any contradiction or inconsistency between this DPA and the Underlying Agreement, the provisions of this DPA shall prevail.
3. Information relating to the Processing
3.1. Parties agree that Processor, in the context of the performance of the Underlying Agreement, Processes Personal Data on behalf of the Controller, strictly in accordance with the nature of the Processing, the Purposes, the duration of Processing, the categories of Personal Data and for the categories of Data Subjects as set out in Appendix I.
3.2. Processor Processes the Personal Data on behalf of the Controller and only on the basis of the written instructions of the Controller, save for diverging legal requirements and diverging requests from a competent authority on the basis of European Union legislation or the legislation of a Member State of the European Union. In such event, the Processor informs the Controller of that legal requirement or request prior to the Processing and without undue delay, unless such legislation or request prohibit such notification on important grounds of general interest.
3.3. Controller acknowledges and agrees that Processor does not have power of control over the Purposes and the means for the Processing of Personal Data. Processor ensures compliance with the conditions that are imposed on the basis of Data Protection Legislation and other legislation with regard to the Processing of Personal Data.
3.4. The Processor shall inform the Controller if, in its opinion, an instruction violates the GDPR or other European Union or Member State data protection provisions.
3.5. Taking into account the nature of the Processing and the information made available to the Processor, the Processor shall provide reasonably necessary assistance and cooperation to the Controller in fulfilling the obligations pursuant to Articles 32 up to and including 36 GDPR.
4. Personnel and confidentiality
Without prejudice to the existing contractual arrangements between the Controller and the Processor, Processor ensures that its members of personnel that are authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Data Subjects' rights
5.1. Processor shall inform the Controller without undue delay when the Processor receives a request from a Data Subject with regard to the exercise of rights relating to the Processing of Personal Data in the context of the Underlying Agreement.
5.2. Processor assists the Controller by appropriate technical and organizational measures, insofar as this is possible and taking into account the nature of the Processing, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights laid down in Chapter III of the GDPR.
5.3. The Processor shall not respond to a request from a Data Subject without prior written approval of the Controller.
6. Technical and organizational measures
Processor shall implement appropriate technical and organizational measures in accordance with Article 32 GDPR in order to protect Personal Data against loss or any form of unlawful Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and Purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons in order to ensure a level of security appropriate to the risk. A list of technical and organizational measures implemented by the Processor is included in Appendix II.
7. Sub-processors
7.1. Processor shall be generally authorized, given compliance with this DPA and Data Protection Legislation, to engage a Sub-processor in the performance of this DPA. The Processor informs the Controller of intended changes regarding the addition or replacement of Sub-processors, whereby the Controller is given the opportunity to object to these changes in writing, within seven (7) calendar days. In the event of objection by the Controller, the Processor shall use all reasonably necessary and useful efforts to change the affected Processing activities or to recommend a commercially reasonable alternative to avoid the Processing of Personal Data by the Sub-processor concerned. A list of the Processor's current Sub-processors can be consulted via its website https://www.delta.blue/.
7.2. Before the Processor engages a Sub-processor to perform specific processing activities on behalf of the Controller, the Processor shall, by means of an agreement, impose at least equivalent data protection obligations on that Sub-processor as those that are included in this DPA.
7.3. Subject to the provisions of this DPA, Processor shall remain liable to the Controller for any failure by any Sub-processor to fulfil its obligations in relation to the processing of Personal Data.
8. Audits and inspections
At the request of the Controller, the Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Data Protection Legislation. The Processor shall one (1) time per calendar year facilitate and contribute to audits, including inspections, which shall be conducted by the Controller or an auditor authorized by the Controller, given prior written notification of the Controller's intention to perform an audit at least thirty (30) days in advance. The Processor shall allow the Controller or its authorized auditor to inspect, verify and copy the relevant records, processes and systems in order to ensure that the Processor complies with the provisions of the DPA and Data Protection Legislation. The Processor shall reasonably cooperate with the Controller in respect of such audits and shall, upon request, provide the Controller with information to demonstrate that the obligations have been fulfilled. The costs related to such audits, including inspections, shall be borne by the Controller. In the event that the Controller authorizes an auditor to perform an audit or inspection in accordance with this article 8 of the DPA, the Controller shall in any event impose confidentiality obligations at least as stringent as those set forth in article 4 of this DPA on the authorized auditor.
9. Transfers of Personal Data
The Processor may only Process the Personal Data outside of the European Economic Area insofar as such Processing complies with Data Protection Legislation, which implies either that the country of Processing is recognised as offering an equivalent level of protection as Data Protection Legislation or that another mechanism is in place in accordance with Chapter V of the GDPR.
10. Personal Data Breaches
Processor shall without undue delay inform Controller of a Personal Data Breach, and shall provide Controller insofar as possible with information about the following: (i) the nature of the Personal Data Breach; (ii) the (potentially) affected Personal Data; (iii) the established and expected consequences of the Personal Data Breach for the Processing of Personal Data and the persons involved; and (iv) the measures that the Processor has taken and shall take to limit/mitigate the negative consequences of the Personal Data Breach.
11. Data protection impact assessments and prior consultation
Processor shall provide assistance and cooperation to Controller related to any data protection impact assessment required under Article 35 GDPR and in any prior consultation of Controller's competent supervisory authority required under Article 36 GDPR in relation to the Processing of Personal Data by Processor.
12. Record of Processing activities
In accordance with Article 30 GDPR, the Processor shall maintain a record of all categories of Processing activities carried out in the performance of the Underlying Agreement, containing at least following information:
12.1.1. the name and contact details of the Processor, the Processor's data protection officer (if applicable) and of the Controller;
12.1.2. the respective Processing activities carried out on behalf of the Controller in the performance of the Underlying Agreement;
12.1.3. where applicable, information detailing the transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49 (1) of the GDPR, the documentation of suitable safeguards;
12.1.4. a description of the technical and organizational measures taken by the Processor.
13. Obligations of the Controller
Controller agrees and guarantees that the Processing of the Personal Data in accordance with this DPA complies with Data Protection Legislation.
14. Termination
14.1. The DPA commences on the signing date of this DPA and shall continue for the duration of the Underlying Agreement. The provisions of this DPA that may be reasonably deemed to survive the termination of this DPA, shall remain in effect after termination of the DPA.
14.2. The Processor shall in the event of the termination of the Underlying Agreement or at the request of the Controller, at the choice and expense of the Controller, delete or return all Personal Data made available to the Processor and destroy and confirm in writing the destruction of all digital copies of the Personal Data. The Processor is however entitled to retain one (1) copy of the Personal Data to comply with mandatory EU or national law and for the purpose of its legal defense.
15. Liability
In the event that claims, penalties (including fines), disputes, losses, damages and costs arise in the performance of or related to this DPA, the liability provisions of the Underlying Agreement shall apply.
16. Entire agreement
This DPA represents the entire understanding and agreement between the Parties with respect to the subject matter thereof and, unless expressly provided otherwise, shall supersede any prior agreements and undertakings between the Parties with respect to that subject matter.
17. Amendments
This DPA may not be amended, supplemented or otherwise modified, except by a written instrument executed by all Parties directly or indirectly affected by such amendment, supplement or modification.
18. Independent Parties
The Parties are independent contractors and this DPA cannot be construed as giving rise to any other relationship (joint venture, agency, trust or partnership).
19. Transfer of rights and obligations
This DPA and the rights and obligations under this DPA cannot be transferred to third parties by either Party without the prior written consent of the other Party.
20. Severability
In case one or more provisions of this DPA prove(s) to be legally invalid, the DPA shall remain in force for the remainder. The Parties shall consult each other on the provisions that are not legally valid, in order to make a substitute arrangement that is legally valid and as much as possible in line with the original scope and intentions of the arrangement to be substituted.
21. Compensation
The Processor shall be entitled to reasonable and equitable compensation for providing assistance to the Controller under this DPA in accordance with the fee arrangement set out in the Underlying Agreement.
22. Applicable law and jurisdiction
22.1. Belgian law is applicable to this DPA.
22.2. All disputes arising from or in connection with this DPA shall be submitted exclusively to the courts of Antwerp, section Hasselt (Belgium).
List of Appendices
Appendix I - Details of the Processing of Personal Data
Appendix II - Technical and organisational measures
Appendix I - Details of the Processing of Personal Data
A Categories of Personal Data
The Processor Processes the following categories of Personal Data:
- Identification data: name, address, telephone number, email address.
- Digital identifiers: IP address, login details, cookies.
- Financial data: bank account numbers, billing details.
- Personnel or customer data: depending on the service provided.
- Application data used within the Controller software.
B Purposes and Nature of the Processing
DeltaBlue processes personal data exclusively for the benefit of and on behalf of the Controller. The processing mainly concerns the following activities:
- Storage and hosting of personal data in IT and cloud environments
- Security, encryption and access management
- Backup, recovery and archiving
- Monitoring and logging for availability and security purposes
- Technical management, maintenance and support
- Transmission and provision of data via networks and applications
These processing operations are primarily technical and supportive in nature and are carried out solely for the purpose of providing the agreed services. DeltaBlue does not carry out any processing for its own purposes and will not use personal data for purposes other than those specified in the processing agreement.
C Categories of Data Subjects
Depending on the service provided, personal data may relate to the following categories of data subjects:
- Employees of the Data Controller
- Customers and end users of the Data Controller
- Suppliers and business partners of the Data Controller
- Potential customers (prospects) and leads, insofar as this data is processed via the systems
D Duration of the Processing
The personal data will be processed for the duration of the agreement between DeltaBlue and the Controller. After termination of the agreement, the personal data will be deleted or returned in accordance with the agreed retention period and instructions of the Controller, unless there is a legal obligation to store it further.
Appendix II - Technical and organisational measures
Organizational security measures
1. Security Management
   a. Security policy and procedures: Processor must document a security policy with regard to the processing of personal data.
   b. Roles and responsibilities:
      i. Roles and responsibilities related to the processing of personal data are clearly defined and allocated in accordance with the security policy.
      ii. During internal re-organizations, terminations and changes of employment, the revocation of rights and responsibilities, together with the respective hand-over procedures, is clearly defined.
   c. Access Control Policy: Specific access control rights are allocated to each role involved in the processing of personal data, following the need-to-know principle.
   d. Resource/asset management: Processor has a register of the IT resources used for the processing of personal data (hardware, software and network). A specific person is assigned the task of maintaining and updating the register (e.g. IT officer).
   e. Change management: Processor makes sure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). Regular monitoring of this process takes place.
2. Incident response and business continuity
   a. Incident handling / personal data breaches:
      i. An incident response plan with detailed procedures is defined to ensure an effective and orderly response to incidents pertaining to personal data.
      ii. Processor will report without undue delay to Controller any security incident that has resulted in a loss, misuse or unauthorized acquisition of any personal data.
   b. Business continuity: Processor establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).
3. Human resources
   a. Confidentiality of personnel: Processor ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.
   b. Training: Processor ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data are also properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
4. Technical security measures
4.1. Access control and authentication
   a. An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing and deleting user accounts.
   b. The use of common (shared) user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities.
   c. When granting access or assigning user roles, the "need-to-know principle" shall be observed in order to limit the number of users having access to personal data to those who require it for achieving the Processor's processing purposes.
   d. Where authentication mechanisms are based on passwords, Processor requires the password to be at least eight characters long and to conform to very strong password control parameters, including length, character complexity and non-repeatability.
   e. The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.
4.2. Logging and monitoring: Log files are activated for each system/application used for the processing of personal data. They include all types of access to data (view, modification, deletion).
4.3. Security of data at rest
   a. Server/database security
      i. Database and application servers are configured to run under a separate account, with the minimum OS privileges needed to function correctly.
      ii. Database and application servers only process the personal data that are actually needed in order to achieve their processing purposes.
   b. Workstation security
      i. Users are not able to deactivate or bypass security settings.
      ii. Anti-virus applications and their detection signatures are configured and updated on a regular basis.
      iii. Users do not have privileges to install or deactivate unauthorized software applications.
      iv. The system has session time-outs when the user has not been active for a certain time period.
      v. Critical security updates released by the operating system developer are installed regularly.
4.4. Network/communication security:
   a. Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols.
   b. Traffic to and from the IT system is monitored and controlled through firewalls and intrusion detection systems.
4.5. Back-ups:
   a. Backup and data restore procedures are defined, documented and clearly linked to roles and responsibilities.
   b. Backups are given an appropriate level of physical and environmental protection, consistent with the standards applied to the originating data.
   c. Execution of backups is monitored to ensure completeness.
4.6. Mobile/portable devices:
   a. Mobile and portable device management procedures are defined and documented, establishing clear rules for their proper use.
   b. Mobile devices that are allowed to access the information system are pre-registered and pre-authorized.
4.7. Application lifecycle security: During the development lifecycle, best practice, state of the art and well-acknowledged secure development practices or standards are followed.
4.8. Data deletion/disposal:
   a. Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.), physical destruction will be performed.
   b. Shredding of paper and portable media used to store personal data is carried out.
4.9. Physical security: The physical perimeter of the IT system infrastructure is not accessible to non-authorized personnel. Appropriate technical measures (e.g. intrusion detection system, chip-card operated turnstile, single-person security entry system, locking system) or organizational measures (e.g. security guard) shall be set in place to protect security areas and their access points against entry by unauthorized persons.