Data Processing Agreement
Last updated: 1 February 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Maecos BV ("Processor") and the customer ("Controller") for the use of the Maecos platform (the "Agreement"). By using the Maecos platform, the Controller accepts the terms of this DPA.
Processor: Maecos BV, Kerkstraat 127, 2060 Antwerpen, Belgium (BE 0769.475.264).
Controller: The entity identified in the Agreement.
1. Definitions
In this DPA, unless the context requires otherwise:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Maecos platform.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.
- "Data Protection Laws" means Regulation (EU) 2016/679 (GDPR) and any applicable national implementing legislation.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely to provide the Maecos connected operator platform and related services as described in the Agreement. The details of the processing are as follows:
| Subject matter | Provision of the Maecos platform for manufacturing operations management, including data capture, workflow execution, quality management, and reporting. |
| Duration | The term of the Agreement, plus any retention period described in Section 10. |
| Nature and purpose | Automated and manual processing of Personal Data to operate the platform, execute workflows, generate reports, and provide technical support. |
| Categories of data subjects | Employees and operators of the Controller, contractors and temporary workers, and other individuals whose data the Controller enters into the platform. |
| Types of Personal Data | Names, email addresses, job titles, login credentials (hashed), activity logs and timestamps, data entered into forms, checklists, and documents, and uploaded files that may contain Personal Data. |
| Special categories | The Processor does not intentionally process special category data. If the Controller enters such data into the platform, the Controller is responsible for ensuring a lawful basis exists. |
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law. In that case, the Processor shall inform the Controller of the legal requirement before processing, unless the law prohibits such notification.
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain the technical and organisational security measures described in Section 6.
- Respect the conditions for engaging Sub-processors as set out in Section 5.
- Assist the Controller, taking into account the nature of the processing, with appropriate technical and organisational measures for fulfilling data subject requests under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, as described in Section 10.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 9.
4. Obligations of the Controller
The Controller shall:
- Ensure that any instructions given to the Processor regarding the processing of Personal Data comply with Data Protection Laws.
- Ensure a lawful basis exists for the processing of Personal Data by the Processor.
- Be solely responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
- Inform the Processor without undue delay if the Controller becomes aware of any data protection issues that may affect the processing.
5. Sub-processors
5.1 General authorisation
The Controller provides general authorisation for the Processor to engage Sub-processors. The current list of Sub-processors is available at maecos.com/legal/subprocessors.
5.2 Notification of changes
The Processor shall notify the Controller at least 30 days before adding or replacing a Sub-processor, giving the Controller the opportunity to object. The notification will include the identity of the Sub-processor, the processing it will perform, and its location.
5.3 Right to object
If the Controller has reasonable grounds to object to a new Sub-processor, the Controller shall notify the Processor in writing within 14 days of receiving the notification. The Parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.
5.4 Sub-processor obligations
The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor.
6. Security Measures
The Processor shall implement and maintain technical and organisational measures appropriate to the risk, including:
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access control: Role-based access, multi-factor authentication for administrative access, principle of least privilege.
- Tenant isolation: Each customer environment is isolated from other customers' environments through separate compute containers, separate storage, and separate database schemas.
- Network security: Private networking, firewalls, intrusion detection, and regular vulnerability scanning.
- Monitoring: Continuous infrastructure and application monitoring with automated alerting.
- Backup: Automated daily and monthly backups stored in a geographically separate location within the EU.
- Personnel: Background checks, mandatory security training, and confidentiality agreements for all staff with access to customer data.
Full details of the security program are described at maecos.com/security.
7. Data Breach Notification
7.1 Notification to Controller
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.
7.2 Content of notification
The notification shall include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Processor's contact point for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
7.3 Ongoing cooperation
The Processor shall cooperate with the Controller and provide additional information as it becomes available. The Processor shall not notify any supervisory authority or data subject on behalf of the Controller unless explicitly instructed to do so.
8. International Data Transfers
The Processor itself stores and processes all customer data within the European Economic Area (EEA). The primary hosting region is AWS eu-west-1 (Ireland), in the EU.
If a Sub-processor processes Personal Data outside the EEA, the Processor shall ensure that an adequate transfer mechanism is in place, such as:
- An adequacy decision by the European Commission.
- Standard Contractual Clauses (SCCs) as adopted by the European Commission.
- Binding Corporate Rules approved by the relevant supervisory authority.
The Sub-processor list at maecos.com/legal/subprocessors indicates the location of each Sub-processor.
9. Audits and Inspections
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
The Controller (or a mandated third-party auditor bound by confidentiality) may conduct an audit of the Processor's processing activities, subject to the following conditions:
- The Controller provides at least 30 days' written notice.
- Audits are conducted during normal business hours and no more than once per year, unless required by a supervisory authority or following a Data Breach.
- The Controller bears its own costs. If the audit requires material effort from the Processor beyond making information available, the Parties shall agree on reasonable compensation.
- The auditor shall not access data belonging to other customers of the Processor.
10. Data Retention and Deletion
10.1 During the Agreement
The Processor retains Personal Data for as long as necessary to provide the services under the Agreement and as instructed by the Controller.
10.2 After termination
Upon termination or expiry of the Agreement, the Processor shall:
- Data export: Make the Controller's data available for export in a standard machine-readable format for a period of 30 days. Data export is available as a paid service.
- Deletion: After the 30-day export window, or upon written request from the Controller, delete all Personal Data from production systems within 30 days. Copies held in backups are not deleted individually; they are overwritten as the regular backup rotation cycle described in Section 6 expires them.
10.3 Certification
Upon request, the Processor shall provide written confirmation that deletion has been completed.
11. Data Subject Requests
If the Processor receives a request from a data subject to exercise their rights under the GDPR (access, rectification, erasure, restriction, portability, or objection), the Processor shall:
- Promptly notify the Controller of the request.
- Not respond to the request directly unless authorised by the Controller.
- Assist the Controller with fulfilling the request, taking into account the nature of the processing.
The Controller can fulfil most data subject requests directly through the platform's administrative interface.
12. Liability
Each Party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either Party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.
13. Term and Termination
This DPA takes effect on the date the Agreement is executed and remains in force for as long as the Processor processes Personal Data on behalf of the Controller. Sections that by their nature should survive termination (including Sections 7, 10, and 12) shall survive.
14. Amendments
This DPA may be amended by the Processor to reflect changes in Data Protection Laws or supervisory authority guidance. Material changes will be communicated to the Controller at least 30 days before they take effect. Continued use of the services after the effective date constitutes acceptance of the updated DPA.
15. Governing Law
This DPA is governed by the laws of Belgium. Any disputes arising from this DPA shall be submitted to the courts of Antwerpen, Belgium, unless mandatory provisions of Data Protection Laws require otherwise.
16. Contact
Questions about this DPA or data processing? Contact us at privacy@maecos.com.