Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the Customer ("Controller") and Capritora SRL ("Processor", "Redate"), a company registered in Belgium under enterprise number BE0786931405, with registered offices at 488 Chaussee de Louvain, 1380 Ohain, Belgium. This DPA supplements the Terms of Service and is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It applies when the Customer uses the Service to process personal data of its employees, clients, or other data subjects for whom the Customer acts as data controller. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Service.

For the purposes of this DPA: "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1). "Processing" means any operation or set of operations performed on personal data, as defined in GDPR Article 4(2). "Controller" means the Customer who determines the purposes and means of the processing of personal data. "Processor" means Capritora SRL (Redate), which processes personal data on behalf of the Controller. "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller. "Data Subject" means the identified or identifiable natural person to whom the personal data relates. "Supervisory Authority" means the Belgian Data Protection Authority (APD/GBA) or any other competent supervisory authority under the GDPR.

The Processor processes personal data on behalf of the Controller for the sole purpose of providing the email date correction service as described in the Terms of Service. The nature of the processing consists of: - Accessing email mailboxes connected by the Controller via Google Workspace API, Microsoft Graph API, or direct IMAP connection. - Scanning email headers to identify emails with corrupted dates. - Downloading emails, processing them in memory to correct date headers, and placing corrected emails back in the mailbox. - Moving original emails to a visible backup label/folder. - Storing mailbox metadata (email counts, scan results, fix status) for service delivery and reporting. The Processor does not determine the purposes or means of processing. The Controller instructs the Processor by connecting mailboxes and initiating scans and fixes through the Service interface.

The Processor shall process personal data for the duration of the service agreement between the Controller and the Processor, as defined in the Terms of Service. Upon termination of the agreement, the Processor shall delete or return all personal data in accordance with Section 13 of this DPA, subject to any legal retention obligations.

Types of personal data processed: - Email metadata: sender and recipient email addresses, subject lines, date headers, message IDs. - Email content: full email body and attachments (processed transiently in memory only, never stored). - Mailbox metadata: mailbox email addresses, email counts, scan results, fix status. Categories of data subjects: - Employees of the Controller whose mailboxes are connected to the Service. - Any individuals whose personal data appears in the emails processed (senders, recipients, persons mentioned in email content). The Controller acknowledges that email content may contain special categories of personal data (GDPR Article 9) depending on the nature of the emails. The transient nature of processing (seconds per email, no persistent storage) minimizes the risk associated with processing such data.

The Processor shall: (a) Process personal data only on documented instructions from the Controller, unless required to do so by EU or Belgian law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law. (b) Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. (c) Implement appropriate technical and organizational security measures as described in Annex (Section 15). (d) Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller (see Section 8). (e) Assist the Controller in responding to requests from data subjects exercising their rights under GDPR Articles 15-22. (f) Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation). (g) At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Belgian law requires storage. (h) Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations and allow for and contribute to audits. (i) Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other EU/Belgian data protection provisions.

The Controller shall: (a) Ensure that it has a lawful basis under GDPR Article 6 (and, where applicable, Article 9) for the processing of personal data instructed to the Processor. (b) Ensure that it has provided appropriate notice to data subjects regarding the processing of their personal data by the Service, including the use of the Processor. (c) Ensure that it has the necessary authority and authorization to connect mailboxes to the Service and to instruct the Processor to process the personal data contained therein. (d) Be responsible for the accuracy, quality, and legality of the personal data provided to the Processor. (e) Comply with its obligations as a data controller under the GDPR, including responding to data subject requests (with the Processor's assistance as described in Section 10).

The Controller hereby grants the Processor general written authorization to engage sub-processors for the purposes of delivering the Service. The current list of sub-processors is: - Render.com (Render Services, Inc., United States) - hosting and infrastructure. - Stripe (Stripe, Inc., United States) - payment processing. - Google Cloud (Google LLC, United States) - email API access (Google Workspace connections). - Microsoft Azure (Microsoft Corporation, United States) - email API access (Microsoft 365 connections). - Resend (Resend, Inc., United States) - transactional email delivery. The Processor shall: (a) Inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days. (b) Impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures. (c) Remain fully liable to the Controller for the performance of the sub-processor's obligations.

The Processor's sub-processors are located in the United States. To ensure GDPR-compliant transfers, the Processor has implemented the following safeguards: - Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914) are in place with all US-based sub-processors. - Where applicable, sub-processors are certified under the EU-US Data Privacy Framework. The Processor has conducted transfer impact assessments and concluded that, combined with the SCCs and supplementary measures, the transfers provide an essentially equivalent level of protection. The Controller authorizes the Processor to transfer personal data to these sub-processors under the conditions described in this DPA.

The Processor shall promptly notify the Controller if it receives a request from a data subject exercising their rights under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection). The Processor shall not respond to such requests directly unless authorized by the Controller, except to direct the data subject to the Controller. The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests by: (a) Providing the Controller with relevant information about the personal data processed. (b) Implementing technical measures to facilitate the exercise of data subject rights (e.g., data export, deletion). (c) Cooperating with the Controller in a timely manner.

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. The notification shall include, to the extent available: (a) A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected. (b) The name and contact details of the Processor's contact point. (c) A description of the likely consequences of the breach. (d) A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Controller remains responsible for notifying the supervisory authority (within 72 hours under GDPR Article 33) and affected data subjects (under GDPR Article 34) where required.

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or by an independent third-party auditor mandated by the Controller. The Processor shall cooperate with audits and make available all information necessary to demonstrate compliance with GDPR Article 28. Audit conditions: (a) The Controller shall provide at least 30 days' written notice before conducting an audit. (b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations. (c) The Controller shall bear the costs of the audit, unless the audit reveals material non-compliance by the Processor. (d) Audit results and any confidential information obtained shall be treated as confidential by the Controller. (e) Audits shall be limited to one per calendar year, unless a data breach or specific concern warrants an additional audit.

Upon termination of the service agreement or upon the Controller's request, the Processor shall, at the Controller's choice: (a) Return all personal data to the Controller in a structured, commonly used, machine-readable format within 30 days; or (b) Delete all personal data and certify such deletion in writing within 30 days. The Processor may retain personal data to the extent required by EU or Belgian law (e.g., payment records for accounting purposes). In such cases, the Processor shall inform the Controller of the legal basis for retention and shall ensure that the retained data is processed only for the purpose required by law. Email content is never stored by the Processor and therefore does not require return or deletion.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions (GDPR Article 82(2)). Where both the Controller and the Processor are involved in processing that caused damage, each party shall be liable for the entire damage in accordance with GDPR Article 82(4), without prejudice to the right of each party to seek contribution from the other.

The Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32: Encryption: - All data in transit is encrypted using TLS 1.2 or higher. - Credentials and OAuth tokens are encrypted at rest using AES-256-GCM. - User passwords are hashed using bcrypt. Access control: - Access to production systems is restricted to authorized personnel. - Production access is logged and auditable. - User authentication is enforced for all Service access. Data minimization: - Email content is processed transiently in memory and is never written to persistent storage. - Only the minimum metadata necessary for service delivery is retained. Backup and recovery: - Original emails are moved to a visible backup folder before modification (not deleted). - Re-inserted emails are verified by size and content hash comparison. - Originals remain recoverable for at least 30 days. Incident management: - Incident detection and response procedures are in place. - Significant incidents are reported to the Centre for Cybersecurity Belgium (CCB) in accordance with the NIS2 Directive. Infrastructure: - The Service is hosted on Render.com, which provides managed infrastructure with built-in redundancy. - Database backups are maintained by the hosting provider. These measures are reviewed and updated periodically to address evolving threats and regulatory requirements.