
Master Data Processing Agreement (Controller to Processor)

Author: Soufiane Boudarraja

Date: February 24, 2026

Preamble and Parties

This Master Data Processing Agreement (the “DPA”) is designed to establish a single, governing agreement for all data processing activities undertaken by the Processor across its entire suite of services. Its purpose is to create a comprehensive and scalable framework that ensures long-term compliance with data protection laws and fosters operational efficiency for both Parties. This DPA forms part of the applicable Master Services Agreement or other main commercial agreement (the “Main Agreement”) between:

● Soufiane Boudarraja, acting as an independent business transformation consultant established in Frankfurt am Main, Germany (the “Processor”), and

● The business customer that is a party to the applicable Main Agreement (the “Controller”).

The Processor and the Controller are each referred to as a “Party” and collectively as the “Parties.” This document details the respective obligations of the Parties concerning the processing of Personal Data in connection with the services provided.

1. Subject Matter and Duration

This clause fulfills the primary documentation requirement of GDPR Article 28(3) by defining the foundational scope of the agreement. It contractually links all data processing activities to the commercial services provided under the Main Agreement and establishes the DPA's lifecycle in relation to that commercial engagement.

1.1. This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of all Services under the Main Agreement.

1.2. The subject matter, nature, purpose, and duration of the Processing, as well as the categories of Data Subjects and types of Personal Data, are set out in Annex 1 (Details of Processing).

1.3. This DPA enters into force on the date the Controller first enters into the Main Agreement and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Main Agreement.

The following section will provide precise definitions for the legal roles of each Party and for key terms used throughout this agreement, ensuring clarity and mutual understanding.

2. Roles of the Parties and Definitions

In any legal agreement, clear definitions are critical to prevent ambiguity and ensure all parties understand their precise obligations. This section establishes the legal roles of the Controller and Processor as defined under the GDPR and provides definitions for key capitalized terms that are essential for interpreting this DPA correctly.

2.1. For the purposes of applicable data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”):

(a) The Controller determines the purposes and means of the Processing of Personal Data in connection with the Services.

(b) The Processor processes Personal Data on behalf of the Controller in accordance with the Controller’s Instructions and this DPA.

2.2. Unless defined otherwise in this DPA, capitalized terms have the meaning given in the Main Agreement. In addition:

(a) “Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR and national implementing laws.

(b) “Instructions” means the written instructions issued by the Controller to the Processor and directing the Processor to perform specific Processing of Personal Data.

(c) “Personal Data Breach” has the meaning given in the GDPR.

(d) “Services” means any software, proprietary algorithms, API integrations, consulting workflows, or automated tools provided by the Processor under the Main Agreement or applicable Statement of Work (SOW).

(e) “Subprocessor” means any third party engaged by the Processor as a processor to perform specific Processing activities on behalf of the Controller.

With these roles and terms clearly defined, we now turn to the core mandate governing the Processor's actions: the requirement to act solely on the Controller's documented instructions.

3. Processing on Documented Instructions

This section forms the core of the Processor's mandate. It codifies the principle that the Processor acts only upon the Controller's explicit and documented instructions, a cornerstone of the Controller-Processor relationship under Article 28 of the GDPR. This ensures the Controller maintains ultimate authority and control over its data.

3.1. The Processor shall process Personal Data only on documented Instructions from the Controller, unless Processing is required by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.

3.2. The Main Agreement, this DPA, and the Controller’s use of the Services constitute the Controller’s initial Instructions to the Processor. The Controller may issue additional reasonable Instructions in writing, including by email, provided such Instructions are consistent with the scope of the Main Agreement.

3.3. The Controller acknowledges that by inputting, uploading, or otherwise providing data into the user interface of any application or tool provided as part of the Services, it is issuing a specific, documented instruction to the Processor to process that data via the underlying functionalities and integrations of the Service, including any necessary third-party APIs listed in Annex 3.

3.4. If the Processor considers that an Instruction infringes Data Protection Law, the Processor shall promptly inform the Controller. The Processor may suspend the execution of the relevant Instruction until the Controller confirms, amends, or withdraws the Instruction.

The following section provides specific details on the types of individuals and data that are subject to these processing instructions.

4. Categories of Data Subjects and Personal Data

Clearly defining the categories of data subjects and the types of personal data to be processed is essential for effective risk assessment, ensuring purpose limitation, and demonstrating compliance with data minimization principles. This section, in conjunction with Annex 1, fulfills this critical documentation requirement.

4.1. The categories of Data Subjects and types of Personal Data processed under this DPA are described in Annex 1.

4.2. The Controller shall ensure that the Personal Data supplied to the Processor is adequate, relevant, and limited to what is necessary for the purposes described in Annex 1.

4.3. The Controller shall not instruct the Processor to process special categories of Personal Data within the meaning of Article 9 GDPR (for example data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sex life or sexual orientation) or Personal Data relating to criminal convictions and offences, unless this is expressly agreed in writing in a revised Annex 1 and appropriate additional safeguards are implemented.

Having established the scope of the data, the agreement now outlines the specific contractual obligations of the Processor.

5. Obligations of the Processor

This clause codifies the Processor's core responsibilities under GDPR Article 28, transforming legal requirements into actionable contractual commitments. These obligations ensure that the Processor handles the Controller's data with the required level of confidentiality, security, and adherence to lawful instructions. The Processor shall:

5.1. Process Personal Data only within the scope of the Controller’s Instructions and this DPA and not for its own purposes.

5.2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in Annex 2 (Technical and Organizational Measures).

5.4. Keep, to the extent required by Data Protection Law, records of Processing activities carried out on behalf of the Controller.

5.5. Inform the Controller without undue delay if the Processor receives:

○ (a) a request from a data subject relating to Personal Data processed on behalf of the Controller; or

○ (b) a request from a supervisory authority or other public body relating to such Personal Data.

5.6. Not disclose Personal Data to third parties unless:

○ (a) such disclosure is authorized by the Controller;

○ (b) such disclosure is to a Subprocessor in accordance with section 7; or

○ (c) such disclosure is required by law, in which case the Processor shall, where legally permitted, inform the Controller prior to disclosure.

These duties are complemented by the corresponding obligations of the Controller, which are detailed next.

6. Obligations of the Controller

This section outlines the Controller's fundamental responsibilities. It emphasizes that as the primary owner and decision-maker regarding the data, the Controller is ultimately accountable for ensuring that there is a lawful basis for processing and for verifying the accuracy, quality, and lawfulness of the data provided to the Processor.

The Controller shall:

6.1. Ensure that it has a valid legal basis under Data Protection Law for the Processing of Personal Data in connection with the Services, including for the transmission of Personal Data to the Processor.

6.2. Comply with its transparency, information and notification obligations towards data subjects and supervisory authorities, as required by Data Protection Law.

6.3. Ensure that its Instructions to the Processor are lawful and comply with Data Protection Law.

6.4. Not instruct the Processor to process Personal Data in a way that would cause the Processor to breach Data Protection Law.

6.5. Be responsible for the accuracy, quality and lawfulness of the Personal Data and the means by which the Controller acquired the Personal Data.

A key aspect of modern service delivery involves leveraging third-party specialists; the following section addresses the use of such subprocessors.

7. Use of Subprocessors

This section establishes the legal and operational framework for the use of subprocessors. It provides the Controller with transparency and control over the engagement of third parties, ensuring that the high standards of data protection established in this DPA are maintained throughout the entire processing chain, as required by the GDPR.

7.1. The Controller authorizes the Processor to engage Subprocessors for the Processing of Personal Data on behalf of the Controller, provided that the Processor complies with this section 7.

7.2. The Processor shall enter into a written contract with each Subprocessor that imposes obligations on the Subprocessor which are at least as protective of Personal Data as those set out in this DPA.

7.3. The Processor currently uses categories of Subprocessors as described in Annex 3 (Subprocessors). The Controller acknowledges that specific Subprocessors may change over time, particularly where the Controller elects to use particular data or infrastructure providers.

7.4. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Subprocessors that process Personal Data on behalf of the Controller, by providing reasonable prior written notice (for example by email or via an agreed communication channel).

The Controller may object to such changes on reasonable grounds relating to data protection within fourteen (14) calendar days of receiving the notice.

7.5. If the Controller reasonably objects to a new Subprocessor and the Parties cannot agree on a solution within a reasonable time, the Controller may terminate the affected part of the Services that requires the use of that Subprocessor, without penalty, by giving written notice to the Processor. Other Services that are not affected shall continue.

7.6. The Processor remains fully liable to the Controller for the performance of its obligations under this DPA, including where a Subprocessor fails to fulfil its data protection obligations.

We now shift focus from the processing chain to the geographical location of processing and the rules governing international data transfers.

8. International Transfers

This section addresses the requirements of Chapter V of the GDPR, which governs the transfer of personal data outside the European Economic Area (EEA). It ensures that any such transfer is protected by appropriate legal safeguards, thereby maintaining a level of data protection equivalent to that afforded within the EU.

8.1. The Processor stores and processes Personal Data primarily within the European Economic Area (EEA) or in other jurisdictions deemed to provide an adequate level of protection under an adequacy decision of the European Commission.

8.2. Where the Processor or a Subprocessor processes Personal Data outside the EEA or outside a jurisdiction subject to an adequacy decision, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V GDPR, such as:

(a) the use of standard contractual clauses adopted by the European Commission;

(b) binding corporate rules; or

(c) other mechanisms recognized by Data Protection Law.

8.3. On request, the Processor shall provide the Controller with information on the relevant transfer mechanism used for international transfers of Personal Data relating to the Controller.

Beyond the legal mechanisms for transfers, the next section details the technical and organizational measures for securing the data itself.

9. Security of Processing

As mandated by GDPR Article 32, this clause details the commitment to implementing risk-based technical and organizational measures. It demonstrates a proactive approach to protecting personal data against unauthorized access, loss, or destruction, moving beyond mere compliance to active risk management.

9.1. The Processor shall implement and maintain appropriate technical and organizational measures as described in Annex 2 to ensure a level of security appropriate to the risk, taking into account:

(a) the state of the art;

(b) the costs of implementation;

(c) the nature, scope, context and purposes of Processing;

(d) the risk of varying likelihood and severity for the rights and freedoms of natural persons.

9.2. In assessing the appropriate level of security, the Processor shall take into account the risks presented by Processing, in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed.

9.3. The Controller is responsible for implementing appropriate technical and organizational measures in its own environment, including for systems under its control, such as email infrastructure, CRM systems and data provider accounts.

The following section outlines the reactive procedures required in the event of a security failure, linking proactive security to a robust incident response plan.

10. Personal Data Breach Notification and Management

Timely and transparent communication following a data breach is a legal mandate under the GDPR and is essential for mitigating damage. This clause establishes the critical procedures for notification, enabling the Controller to meet its own reporting obligations to regulators and affected individuals, thereby helping to maintain trust and manage risk effectively.

10.1. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data that the Processor processes on behalf of the Controller.

10.2. The notification shall contain at least the information required by Article 33(3) GDPR to the extent such information is reasonably available at the time, including:

(a) a description of the nature of the Personal Data Breach;

(b) the categories and approximate number of data subjects concerned;

(c) the categories and approximate number of Personal Data records concerned;

(d) the likely consequences of the Personal Data Breach;

(e) the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

10.3. Where and to the extent it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay.

10.4. The Processor shall cooperate with the Controller and provide reasonable assistance to enable the Controller to comply with its own obligations under Data Protection Law in relation to the Personal Data Breach, including any notification to supervisory authorities and data subjects where required.

This duty to assist extends beyond breach scenarios to other general compliance matters, which are addressed next.

11. Assistance to the Controller

This section details the Processor's obligation to support the Controller in fulfilling its duties, reflecting the cooperative partnership required for effective data protection. This includes providing assistance in handling data subject rights requests and conducting Data Protection Impact Assessments (DPIAs), which are core components of the Controller's accountability framework.

11.1. Taking into account the nature of Processing and the information available to the Processor, the Processor shall assist the Controller, at the Controller’s cost where appropriate, in fulfilling the Controller’s obligations under Data Protection Law, including:

(a) responding to requests from data subjects exercising their rights under Data Protection Law;

(b) complying with obligations relating to security of Processing;

(c) notifying Personal Data Breaches to supervisory authorities and data subjects;

(d) conducting data protection impact assessments and prior consultations with supervisory authorities, where required.

11.2. If a data subject contacts the Processor directly with a request relating to Personal Data processed on behalf of the Controller, the Processor shall, where possible, promptly inform the data subject that the request should be addressed to the Controller and shall forward the request to the Controller without undue delay.

To verify that these and other obligations are being met, the agreement provides for audits and inspections.

12. Audits and Inspections

This section provides the Controller with the necessary rights to verify the Processor's compliance with its contractual and legal obligations. The right to audit serves as a critical tool for accountability, allowing the Controller to demonstrate its own due diligence to regulators and stakeholders.

12.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.

12.2. The Processor shall allow for and contribute to reasonable audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

(a) Audits may take place no more than once in any twelve (12) month period, unless there are reasonable grounds to suspect a material breach of this DPA or where a supervisory authority requires additional audits.

(b) The Controller shall provide the Processor with reasonable prior written notice of any audit request, including a description of the scope and purpose of the audit.

(c) Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor’s business operations.

(d) The Controller and any appointed auditor shall be bound by appropriate confidentiality obligations.

12.3. The Processor may satisfy its obligations under this section by providing:

(a) up-to-date audit reports or certifications (for example, independent security assessments or relevant ISO certifications); or

(b) other information demonstrating compliance, provided that such information reasonably addresses the Controller’s audit needs.

The next section transitions from the operational lifecycle of the agreement to the procedures for its conclusion, focusing on the return and deletion of data.

13. Return and Deletion of Personal Data

This clause ensures that personal data does not remain with the Processor indefinitely, thereby enforcing the principle of storage limitation. By outlining clear procedures for the return or deletion of data upon termination of the services, it formally concludes the data processing lifecycle and returns full control of the data to the Controller.

13.1. Upon termination or expiry of the Main Agreement or upon the Controller’s written request, the Processor shall, at the choice of the Controller:

(a) return to the Controller all Personal Data processed on behalf of the Controller; or

(b) delete such Personal Data, unless Data Protection Law requires storage of the Personal Data.

13.2. Return may be provided in a commonly used, machine-readable format agreed between the Parties.

13.3. The Processor may retain copies of Personal Data to the extent required by law or for the establishment, exercise or defense of legal claims. In such cases, the Processor shall continue to ensure the confidentiality and security of the retained Personal Data and shall process such Personal Data only for the limited purposes for which retention is necessary.

With the data lifecycle concluded, the agreement now addresses the allocation of legal and financial responsibility between the Parties.

14. Liability

This section integrates the liability framework from the Main Agreement into this DPA, ensuring consistency across the commercial relationship. Crucially, it also explicitly preserves the rights and remedies granted directly to data subjects under GDPR Article 82, ensuring that this agreement does not diminish their legal protections.

14.1. The liability provisions set out in the Main Agreement apply to this DPA. Nothing in this DPA shall be interpreted as limiting or excluding any rights or remedies of data subjects or obligations of either Party under Data Protection Law.

14.2. Where a Party has paid full compensation for damage suffered as a result of a breach of Data Protection Law, that Party shall be entitled to claim back from the other Party that part of the compensation corresponding to the other Party’s responsibility for the damage, in accordance with Article 82 GDPR.

Having defined the allocation of liability, the final clauses establish the legal framework that will govern the interpretation and enforcement of this DPA itself.

15. Governing Law and Jurisdiction

This clause is essential for providing legal certainty to both Parties. It establishes the specific legal system that will be used to interpret the DPA and designates the courts that will have exclusive authority to resolve any disputes, preventing ambiguity in legal proceedings.

15.1. This DPA is governed by and shall be construed in accordance with the laws of the Federal Republic of Germany, without prejudice to mandatory provisions of Data Protection Law.

15.2. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Frankfurt am Main, Germany, as specified in the Main Agreement.

Finally, the agreement clarifies how this DPA interacts with the main commercial contract between the Parties.

16. Relationship to the Main Agreement

This section establishes the DPA as an integral part of the Main Agreement and sets a clear rule for resolving any conflicts between the two documents. By stipulating that data protection-specific terms in this DPA prevail, it ensures that compliance with Data Protection Law is always prioritized.

16.1. This DPA forms an integral part of the Main Agreement. In the event of a conflict between this DPA and the Main Agreement concerning the Processing of Personal Data, this DPA shall prevail to the extent of the conflict.

16.2. Except as expressly modified by this DPA, the terms of the Main Agreement remain in full force and effect.

Annex 1 – Details of Processing

This Annex provides the specific, factual details of the processing activities undertaken by the Processor on behalf of the Controller. It is a critical component for fulfilling the mandatory documentation requirements set out in Article 28(3) of the GDPR.

1. Subject Matter

Processing of Personal Data in connection with the design, provision, and operation of the Processor’s Business Automation Solutions, including but not limited to data setup, API integration, content generation, and related reporting.

2. Duration of Processing

For the duration of any Active Subscription or Engagement Term for any of the Services used by the Controller, plus any additional period required for the return and deletion of Personal Data in accordance with this DPA.

3. Nature and Purpose of Processing

The Processor will carry out the following Processing activities on behalf of the Controller:

● Importing, cleansing, normalizing and structuring Customer Data and data sourced via Data Providers.

● Building and maintaining account and contact lists for outbound campaigns.

● Applying segmentation, scoring and tiering logic to accounts and contacts.

● Configuring and operating outbound email campaigns using the Controller’s email infrastructure and, where applicable, any proprietary software provided as part of the Services.

● Tracking campaign activity and responses at contact and account level.

● Preparing analytics, reports and recommendations relating to outbound performance.

● Processing via Artificial Intelligence (AI) and Machine Learning (ML) models for the purpose of content generation, data enrichment, or sentiment analysis.

● The Controller acknowledges and provides instruction that, as strictly necessary to deliver the results of a Service, Personal Data may be processed by Large Language Models (LLMs) or similar generative technologies, subject to the safeguards outlined in this DPA.

The purpose of the Processing is to enable the Controller to identify, contact and manage potential and existing business customers and decision makers in a structured and compliant way.

4. Categories of Data Subjects

Personal Data processed may relate to the following categories of Data Subjects:

● Employees, owners, directors, founders and other representatives of the Controller’s existing customers.

● Employees, owners, directors, founders and other representatives of prospective customers and target accounts identified by or for the Controller.

● Other business contacts of the Controller relevant to the Controller’s outbound and sales activities.

5. Types of Personal Data

Personal Data processed may include the following types, to the extent provided by the Controller or obtained via Data Providers selected by the Controller:

● Identification and contact details (for example name, job title, role, business email address, business telephone number, business postal address, LinkedIn profile URL).

● Employer and role information (for example company name, company website, department, seniority, responsibility area, reporting line where publicly available).

● Professional background where publicly available (for example previous employers, education, professional profile as visible on public networks).

● Commercial data relating to interactions with the Controller (for example email engagement, meeting history, notes on conversations, opportunity stage).

● Technical data related to outbound execution where necessary (for example timestamps, sending status, open and reply indicators as used for reporting).

Special categories of Personal Data as defined in Article 9 GDPR and Personal Data relating to criminal convictions and offences are not intended to be processed under this DPA.

Annex 2 – Technical and Organizational Measures

This Annex details the specific security measures implemented by the Processor to protect Personal Data. These measures provide the Controller with the necessary assurance that its data is handled securely, enabling the Controller to meet its own security obligations under the GDPR. The Processor maintains the following categories of technical and organizational measures (“TOMs”) to protect Personal Data processed on behalf of the Controller. Specific implementations may evolve over time, but the overall level of protection shall not be materially reduced.

Organization of Information Security

○ Information security responsibilities assigned to the Processor.

○ Internal guidelines on handling of Customer Data and Personal Data.

○ Confidentiality obligations in contracts with staff and subcontractors.

Access Control

○ Logical access to systems and data limited to authorized persons based on role and need to know.

○ Use of strong authentication mechanisms (for example long passwords and, where supported, multi-factor authentication).

○ Regular review of access rights and prompt revocation of access when no longer required.

Physical Security

○ Use of secure facilities for devices used to process Personal Data (for example home office with controlled access).

○ Protection of devices by locking mechanisms and secure storage where appropriate.

Device and Endpoint Security

○ Use of up-to-date operating systems and applications on devices used to process Personal Data.

○ Use of endpoint protection (for example anti-malware and firewall).

○ Encryption of portable devices and disks where supported.

Data Storage and Encryption

○ Use of reputable infrastructure and storage solutions for data at rest.

○ Encryption of Personal Data during transmission over public networks using industry-standard protocols (for example TLS).

○ Limiting local storage of Personal Data to what is necessary for the Services.

Separation and Segregation

○ Logical separation of data processed on behalf of different Controllers, including separate workspaces or file structures per Controller.

○ No reuse of Personal Data from one Controller for another Controller.

Backup and Recovery

○ Regular backups of critical data and configurations used for the Services.

○ Procedures to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

Change and Configuration Management

○ Controlled introduction of changes to tools and configurations used for Processing.

○ Testing of significant changes before deployment where practicable.

Incident Management

○ Procedures for identifying, assessing and managing potential security incidents and Personal Data Breaches.

○ Documentation of incidents and remediation actions.

○ Notification to Controllers of Personal Data Breaches in accordance with this DPA.

Subprocessor Management

○ Due diligence on Subprocessors, including review of their security posture.

○ Written contracts imposing data protection and security obligations on Subprocessors.

○ Ongoing monitoring of Subprocessors’ performance where relevant.

Awareness and Training

○ Awareness activities for the Processor on data protection and information security principles.

○ Instructions to any personnel involved in Processing regarding secure handling of Personal Data.

AI and Automation Safeguards

Model Isolation and Input Sanitization: Customer Data provided as input to AI/ML models is processed in logically isolated instances. Such data is not used to train or improve any public, foundational AI models shared with other customers, unless a separate, explicit agreement for such a purpose is concluded.

Annex 3 – Subprocessors

This Annex provides transparency regarding the categories of third-party processors engaged to support the delivery of the Services. This fulfills the notification and authorization requirements outlined in Section 7 of this DPA. The Processor uses or may use the following categories of Subprocessors to support the Services and Process Personal Data on behalf of the Controller. Specific providers within these categories may vary depending on the Controller’s choices and SOWs.

Business to Business Data and Market Intelligence Platforms

Function: Sourcing, enrichment and verification of professional contact and account data, as configured with and on behalf of the Controller.

Location: Primarily EEA or jurisdictions with appropriate safeguards in place.

Email and Communication Infrastructure

Function: Sending and receiving business communications, including email used in the Managed Outbound Service, where the Controller elects to use the Processor’s own infrastructure.

Location: As specified in the Controller’s SOW or as agreed in writing.

Cloud Storage and Productivity Tools

Function: Storage of working documents, reports and configuration files related to the Services; productivity and collaboration.

Location: Primarily EEA or jurisdictions with appropriate safeguards in place.

Artificial Intelligence & LLM Providers

Function: Processing text inputs and other data to generate outputs such as emails, reports, summaries, or enriched data points as part of an automated Service.

Location: United States and/or EEA. Where processing occurs in the United States, it is subject to appropriate safeguards such as the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).

Professional Advisors and Administrative Service Providers

Function: Legal, accounting and administrative services where access to limited Personal Data cannot be entirely excluded (for example in the context of audits or dispute resolution).

Location: EEA.

The Processor shall provide more detailed information on specific Subprocessors engaged for the Controller upon request and shall update the Controller regarding any material changes to this list in accordance with section 7 of this DPA.
