Data Processing Agreement

Effective Date: September 18, 2025

Date:

Between / Parties
(1) APPNUMA UNIPESSOAL LDA, a private limited company (sociedade unipessoal por quotas) incorporated in Portugal, registered office Rua Principal nº 38, 2350-479 Torres Novas, Portugal, corporate ID 514 751 835, represented by Mr. Filipe Vieira – hereafter “Vendor.”
(2) [CUSTOMER LEGAL NAME], [nationality], Tax ID [__], address [__] – hereafter “Customer.”

Vendor and Customer together are the “Parties,” and each individually a “Party.”


Product

Product: Vendor’s “YourAgent24” cloud service – 24/7 AI chat-bot and web dashboard.


1. Definitions

| Term | Meaning |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on Personal Data (collection, storage, retrieval, use, disclosure, deletion, etc.). |
| Controller | The Customer – decides the purposes and means of Processing. |
| Processor | The Vendor – processes Personal Data on the Controller’s behalf. |
| Sub-processor | Any third party engaged by the Processor to process Personal Data for the Controller. |

2. Subject-matter of this Addendum

This Data-Processing Addendum (“Addendum”) forms part of the main service agreement and sets the terms under which the Vendor processes Personal Data for the Customer when delivering YourAgent24.


3. Documented Instructions

Vendor shall process Personal Data only on documented instructions from the Customer, including with respect to international transfers, unless Union or Member-State law requires otherwise.


4. Confidentiality

Vendor ensures every person authorised to process Personal Data is bound by confidentiality.


5. Data-subject Rights

Taking into account the nature of the Processing, Vendor shall assist Customer—through appropriate technical and organisational measures—in responding to data-subject requests.


6. Security of Processing

Vendor shall implement technical and organisational measures ensuring a level of security appropriate to the risk, including:

The specific measures currently in place are described in Annex II – Technical & Organisational Measures, which forms an integral part of this Addendum.


7. Sub-processing

7.1 Authorised Sub-processors – see Annex I. Vendor will notify Customer 30 days before adding or replacing a sub-processor.

7.2 Liability – Vendor remains fully liable for each sub-processor’s performance.


8. Data Transfers

8.1 Data Storage – Personal Data is stored inside the EU/EEA.
8.2 Transfers to the United States – Vendor uses OpenAI (USA) for chat generation; SCC 2021 and OpenAI’s SOC 2 / ISO 27001 safeguards apply.
8.3 Other Transfers – All international transfers follow GDPR mechanisms (SCCs, adequacy, or equivalent).


9. Data-breach Notification

Vendor shall notify Customer without undue delay after becoming aware of a Personal-Data Breach and provide all information required for regulator / data-subject notices.


10. Deletion or Return

At termination, Vendor will—at Customer’s choice—delete or return all Personal Data (and delete remaining copies) unless law requires retention.


11. Audit & Inspection

Vendor will supply information needed to demonstrate compliance and allow one remote audit per year on 14 days’ notice.


12. Liability

Vendor is liable for damages caused by Processing that breaches this Addendum or GDPR, subject to any caps in the main agreement.


13. Governing Law & Jurisdiction

This Addendum is governed by EU law and, where applicable, Portuguese law. Courts of Portugal have exclusive jurisdiction.


14. Amendments

Any amendment must be in writing and signed by both Parties.


15. Miscellaneous

If any provision is invalid, the remainder stays in effect.


Signatures

| Vendor (Processor) | Customer (Controller) |
| --- | --- |
| By: __ | By: __ |
| Name: __ | Name: __ |
| Title: ___ | Title: ___ |
| Date: __ | Date: __ |

Annex I – Authorised Sub-processors

| # | Name / Role | Primary processing location | Transfer / certification safeguard |
| --- | --- | --- | --- |
| 1 | Akamai Connected Cloud (Linode EU) – infrastructure host | EU DCs – Frankfurt & Paris | ISO 27001; data kept in EEA; SCCs if cross-border |
| 2 | Mailgun EU – transactional e-mail API | EU (Frankfurt) – corporate parent USA | SCC 2021 + EU-US DPF; data confined to EU |
| 3 | OpenAI, LLC – language-model API | United States | SCC 2021 + SOC 2 Type II + ISO 27001 |
| 4 | Make.com (Integromat EU) – workflow automation platform | EU DCs – Frankfurt & Dublin | Data kept in EEA; SCC 2021 if cross-border |
| 5 | HubSpot – CRM & marketing automation | EU (Dublin) – corporate parent USA | SCC 2021 + SOC 2 + EU-US DPF |

Vendor will give Customer 30 days’ notice before adding or replacing any sub-processor.


Annex II – Technical & Organisational Measures


Acronym Glossary

| Acronym | Meaning |
| --- | --- |
| GDPR | General Data Protection Regulation (EU 2016/679) |
| SCCs | Standard Contractual Clauses (EU 2021/914) |
| DPF | EU-US Data-Privacy Framework |