Data Processing Agreement

Effective Date: March 28, 2026

Date: March 28, 2026

Between / Parties
(1) APPNUMA UNIPESSOAL LDA, a private limited company (sociedade unipessoal por quotas) incorporated in Portugal, registered office Rua Principal nº 38, 2350-479 Torres Novas, Portugal, corporate ID 514 751 835, represented by Mr. Filipe Vieira – hereafter “Vendor.”
(2) [CUSTOMER LEGAL NAME], [nationality], Tax ID [__], address [__] – hereafter “Customer.”

Vendor and Customer together are the “Parties,” and each individually a “Party.”


Product

Product: Vendor’s “YourAgent24” cloud service – 24/7 AI chat-bot and web dashboard.


1. Definitions

| Term | Meaning |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on Personal Data (collection, storage, retrieval, use, disclosure, deletion, etc.). |
| Controller | The Customer – decides the purposes and means of Processing. |
| Processor | The Vendor – processes Personal Data on the Controller’s behalf. |
| Sub-processor | Any third party engaged by the Processor to process Personal Data for the Controller. |

2. Subject-matter of this Addendum

This Data-Processing Addendum (“Addendum”) forms part of the main service agreement and sets the terms under which the Vendor processes Personal Data for the Customer when delivering YourAgent24.


3. Documented Instructions

Vendor shall process Personal Data only on documented instructions from the Customer, including with respect to international transfers, unless Union or Member-State law requires otherwise.


4. Confidentiality

Vendor ensures every person authorised to process Personal Data is bound by confidentiality.


5. Data-subject Rights

Taking into account the nature of the Processing, Vendor shall assist Customer - through appropriate technical and organisational measures - in responding to data-subject requests.


6. Security of Processing

Vendor shall implement technical and organisational measures ensuring a level of security appropriate to the risk, including:

The specific measures currently in place are described in Annex II – Technical & Organisational Measures, which forms an integral part of this Addendum.


7. Sub-processing

7.1 Authorised Sub-processors – see Annex I. Vendor will notify Customer 30 days before adding or replacing a sub-processor.

7.2 Liability – Vendor remains fully liable for each sub-processor’s performance.


8. Data Transfers

8.1 Data Storage – Production Personal Data for the Service is primarily stored and processed in the United States, unless otherwise agreed in writing for a specific deployment.
8.2 Transfers from the EEA/UK – Where Customer or data subjects are in the EEA or UK, transfers to the United States rely on GDPR Chapter V mechanisms (including Standard Contractual Clauses and, where applicable, vendor certifications such as the EU-US Data Privacy Framework).
8.3 Sub-processors – Additional transfers to sub-processors listed in Annex I follow the same principles.
8.4 Other Transfers – All international transfers follow applicable GDPR (or UK equivalent) mechanisms.


9. Data-breach Notification

Vendor shall notify Customer without undue delay after becoming aware of a Personal-Data Breach and provide all information required for regulator / data-subject notices.


10. Deletion or Return

At termination, Vendor will - at Customer’s choice - delete or return all Personal Data (and delete remaining copies) unless law requires retention.


11. Audit & Inspection

Vendor will supply information needed to demonstrate compliance and allow one remote audit per year on 14 days’ notice.


12. Liability

Vendor is liable for damages caused by Processing that breaches this Addendum or GDPR, subject to any caps in the main agreement.


13. Governing Law & Jurisdiction

This Addendum is governed by EU law and, where applicable, Portuguese law. Courts of Portugal have exclusive jurisdiction.


14. Amendments

Any amendment must be in writing and signed by both Parties.


15. Miscellaneous

If any provision is invalid, the remainder stays in effect.


Signatures

| Vendor (Processor) | Customer (Controller) |
| --- | --- |
| By: __ | By: __ |
| Name: __ | Name: __ |
| Title: ___ | Title: ___ |
| Date: __ | Date: __ |

Annex I – Authorised Sub-processors

| # | Name / Role | Primary processing location | Transfer / certification safeguard |
| --- | --- | --- | --- |
| 1 | Akamai Connected Cloud (Linode) – infrastructure host | United States (primary production region) | ISO 27001; SCC 2021 / DPF as applicable; supplementary measures per Vendor assessment |
| 2 | Mailgun – transactional e-mail API | United States (sending region as configured) | SCC 2021 + EU-US DPF (Mailgun/Sinch); configuration-dependent |
| 3 | OpenAI, LLC – language-model API | United States | SCC 2021 + SOC 2 Type II + ISO 27001 |
| 4 | Make.com – workflow automation (customer-configured webhooks) | Varies by customer scenario (may include US / EEA) | Customer’s transfer posture; Vendor SCCs where Vendor processes |
| 5 | HubSpot – CRM & marketing automation (optional integration) | Varies by HubSpot account region (often US or EU) | HubSpot DPA + SCC 2021 + SOC 2 + EU-US DPF as applicable |
| 6 | Stripe, Inc. – payment processing | United States and other Stripe processing locations | Stripe DPA + SCC 2021 + certifications as per Stripe |
| 7 | Twilio Inc. – SMS / messaging | United States and other Twilio processing locations | Twilio DPA + SCC 2021 / DPF as applicable |
| 8 | Google LLC – Google Analytics (marketing site) | United States and other Google locations | Google Ads Data Processing Terms + SCCs / DPF as applicable |
| 9 | Cookie-Script – cookie consent management | EU / US (per Cookie-Script) | Vendor DPA + SCCs as applicable |
| 10 | YourAgent24 application engine – AI/NLP processing service (operated by or on behalf of Vendor) | United States (primary) — region as deployed | Same safeguards as Vendor processing; technical controls per Annex II |

Vendor will give Customer 30 days’ notice before adding or replacing any sub-processor.


Annex II – Technical & Organisational Measures


Acronym Glossary

| Acronym | Meaning |
| --- | --- |
| GDPR | General Data Protection Regulation (EU 2016/679) |
| SCCs | Standard Contractual Clauses (EU 2021/914) |
| DPF | EU-US Data-Privacy Framework |