Data Processing Agreement

Effective from 4 July 2026

Article 1 - Subject Matter of the Processing


This Data Processing Agreement (“DPA”) governs the Processing of Personal Data by Innoverius BV (“Processor”) on behalf of the Customer (“Controller”) in connection with the provision of Innoverius’ Applications and Services.

The parties acknowledge that the Customer acts as the Controller and Innoverius acts as the Processor within the meaning of Regulation (EU) 2016/679 on the protection of Personal Data (“GDPR”), to the extent that Innoverius processes Personal Data on behalf of the Customer.

This DPA is concluded in accordance with Article 28 GDPR and sets out the rights and obligations of the parties with respect to such Processing of Personal Data.

This DPA forms an integral part of the agreement between the parties concerning the use of the Applications and Services of Innoverius. To the extent that this DPA relates to the Processing of Personal Data, it shall prevail over the Terms and Conditions and any other contractual documents in the event of a conflict.

This DPA applies exclusively to Processing activities carried out by Innoverius on behalf of the Customer as Processor. Processing activities for which Innoverius acts as Controller are governed by the Privacy Statement of Innoverius.

Article 2 - General Description of the Processing


2.1 Subject Matter of the Processing

The Processor processes Personal Data on behalf of the Controller in connection with the provision of the Applications and Services of Innoverius, including hosting, storage, security, support, maintenance, communication management, document management, case management, automation and other functionalities forming part of the agreed Services.

2.2 Duration of the Processing

The Processing shall take place for the duration of the agreement between the parties and, to the extent necessary, for the period required for the performance of the agreement, compliance with legal obligations, the management of backups and the handling of termination procedures in accordance with the agreement and this DPA.

2.3 Nature of the Processing

Depending on the Applications and Services used, the Processing may include, among other things:

  • collection;

  • recording;

  • organisation;

  • structuring;

  • storage;

  • retention;

  • adaptation;

  • consultation;

  • use;

  • disclosure by transmission;

  • making available;

  • combination;

  • restriction;

  • securing;

  • archiving;

  • deletion;

  • destruction.

2.4 Purposes of the Processing

The Processing of Personal Data shall take place solely for the execution of the instructions of the Controller and for the provision of the agreed Applications and Services, including, among others:

  • case management;

  • document management;

  • communication management;

  • user and access management;

  • authentication;

  • hosting;

  • storage;

  • backups;

  • security;

  • monitoring;

  • logging;

  • support;

  • maintenance;

  • automation;

  • AI Functionalities;

  • reporting;

  • legal and contractual obligations related to the Services.

2.5 Categories of Data Subjects

Depending on the use of the Applications and Services, Personal Data may relate to, among others:

  • clients;

  • former clients;

  • prospects;

  • counterparties;

  • employees;

  • directors;

  • shareholders;

  • suppliers;

  • contact persons;

  • job applicants;

  • judicial actors;

  • other natural persons whose Personal Data is processed by the Controller.

2.6 Categories of Personal Data

Depending on the use of the Applications and Services, the following categories of Personal Data may be processed, among others:

  • identification data;

  • contact data;

  • professional data;

  • financial data;

  • case data;

  • document data;

  • communication data;

  • contractual data;

  • billing data;

  • log data;

  • audit data;

  • technical data;

  • metadata;

  • other Personal Data entered into the Applications by the Controller.

To the extent that the Controller processes special categories of Personal Data or Personal Data relating to criminal convictions and offences through the Applications, such Processing shall take place solely under the responsibility of the Controller and in accordance with the applicable legislation.

2.7 Responsibilities of the Controller

The Controller shall remain responsible for:

  • determining the purposes and means of the Processing;

  • the lawfulness of the Processing;

  • having a valid legal basis for the Processing;

  • compliance with its information obligations towards Data Subjects;

  • the accuracy, quality and lawfulness of the Personal Data provided to the Processor;

  • compliance with the applicable data protection legislation.

Article 3 - Processing on Instructions


The Processor shall process Personal Data solely on behalf of and in accordance with the documented instructions of the Controller, unless the Processor is required to process Personal Data pursuant to a provision of Union law or applicable national law. In such case, the Processor shall inform the Controller prior to the Processing, unless the relevant legislation prohibits such notification on important grounds of public interest.

The Controller acknowledges that the use of the Applications, the configuration of the Applications, the allocation of access rights, the use of functionalities, the entry of data and other actions performed through the Applications shall be regarded as documented instructions within the meaning of this DPA.

The Processor shall process Personal Data solely for the provision of the agreed Applications and Services and shall not use Personal Data for its own purposes, except to the extent necessary to comply with a legal obligation to which the Processor is subject.

The Processor shall not sell, rent or otherwise make Personal Data available to third parties for their own purposes.

If the Processor reasonably considers that an instruction of the Controller infringes the GDPR, other applicable data protection legislation or other binding legal obligations, the Processor shall inform the Controller thereof without undue delay.

To the extent that AI Functionalities form part of the agreed Services, Personal Data shall be processed solely in accordance with the instructions of the Controller and the provisions of this DPA.

Article 4 - Confidentiality


The Processor shall ensure that all persons acting under its authority and having access to Personal Data process such Personal Data only to the extent necessary for the performance of their duties and in accordance with the instructions of the Controller.

The Processor shall ensure that all persons having access to Personal Data:

  • are bound by a statutory, contractual or professional duty of confidentiality;

  • receive appropriate instructions regarding data protection and confidentiality;

  • are granted access to Personal Data only to the extent necessary for the performance of their duties;

  • comply with appropriate security and confidentiality measures.

The Processor shall take reasonable measures to prevent unauthorised persons from gaining access to Personal Data or confidential information processed by the Controller through the Applications and Services.

The confidentiality obligations set out herein shall remain in force throughout the duration of the agreement and shall continue to apply after its termination for as long as the relevant Personal Data or confidential information has not lawfully entered the public domain.

Nothing in this DPA shall prevent the Processor from processing or disclosing Personal Data where it is required to do so pursuant to applicable Union law, national law, a court order or a binding decision of a competent public authority, provided that the applicable legal obligations are complied with.

Article 5 - Security


The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR.

In determining these measures, the Processor shall take into account:

  • the state of the art;

  • the costs of implementation;

  • the nature, scope, context and purposes of the Processing;

  • the likelihood and severity of the risks to the rights and freedoms of Data Subjects.

These measures are intended to ensure the confidentiality, integrity, availability and resilience of the Personal Data processed and the supporting systems.

Depending on the nature of the Processing and where appropriate, such measures may include, among other things:

  • pseudonymisation;

  • encryption;

  • access and authorisation management;

  • authentication and identification mechanisms;

  • logging and audit trails;

  • monitoring and detection of security incidents;

  • network and infrastructure security;

  • backup and recovery procedures;

  • patch and update management;

  • incident management;

  • physical security measures;

  • protection of data during storage and transmission;

  • periodic evaluation, review and updating of the security measures.

The Processor shall take reasonable measures to ensure the ongoing confidentiality, integrity, availability and resilience of the Processing systems and services.

The Processor shall maintain procedures aimed at restoring the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident.

The Processor shall regularly evaluate and update its technical and organisational measures, taking into account technological developments, evolving risks, the nature of the Services and applicable legal obligations.

The specific technical and organisational measures applicable to the Processor’s Services may be further described in a separate annex to this DPA or in the Processor’s security documentation.

Article 6 - Sub-processors


The Controller hereby grants the Processor a general prior authorisation to engage Sub-processors for the performance of the Services and the Processing activities covered by this DPA.

The Processor shall maintain an up-to-date overview of the categories or identity of the principal Sub-processors engaged for the provision of the Applications and Services. This overview shall be made available to the Controller upon request or through the Processor’s contractual documentation.

The Processor shall inform the Controller in advance of the appointment of a new Sub-processor or the replacement of an existing Sub-processor to the extent that such change is relevant to the Processing of Personal Data under this DPA.

The Controller may object in writing, with reasons, within thirty (30) calendar days following receipt of such notification if it can reasonably demonstrate that the proposed Sub-processor presents a material risk to the protection of Personal Data.

In such case, the parties shall consult in good faith in order to find a reasonable solution. If no reasonable solution can be reached, the Processor shall have the right not to engage the relevant Sub-processor or, where this is not reasonably possible, to terminate the relevant Processing activity or the agreement in accordance with the applicable contractual provisions.

The Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations that provide at least an equivalent level of protection as the obligations set out in this DPA, insofar as they relate to the Processing activities carried out by the Sub-processor.

The Processor shall remain fully responsible towards the Controller for the performance of the obligations of its Sub-processors insofar as these relate to the Processing of Personal Data under this DPA.

Nothing in this Article shall prevent the Processor from engaging multiple Sub-processors for hosting, infrastructure, security, communications, support, AI Functionalities or other services necessary for the provision of the Applications and Services.

Article 7 - Rights of Data Subjects


The Processor shall assist the Controller, taking into account the nature of the Processing, the information available and to the extent reasonably possible, in fulfilling its obligations relating to the rights of Data Subjects in accordance with Chapter III GDPR.

Such assistance may include, among other things:

  • the right of access;

  • the right to rectification;

  • the right to erasure;

  • the right to restriction of Processing;

  • the right to data portability;

  • the right to object;

  • rights relating to automated individual decision-making;

  • other rights arising under the applicable data protection legislation.

The Controller shall remain responsible for assessing, handling and responding to requests from Data Subjects.

If a request from a Data Subject is received directly by the Processor and relates to Personal Data processed by the Processor on behalf of the Controller, the Processor shall forward such request to the Controller without undue delay, unless the Processor is legally required to handle the request itself.

The Processor shall not respond directly to a request from a Data Subject without the prior instruction of the Controller, unless required to do so pursuant to applicable Union law or national law.

The assistance provided by the Processor shall be rendered to the extent that this is technically, organisationally and operationally reasonably possible, taking into account the nature of the Services and the available functionalities of the Applications.

Article 8 - Assistance with GDPR Compliance


The Processor shall assist the Controller, taking into account the nature of the Processing, the information available and to the extent reasonably possible, in complying with its obligations under the applicable data protection legislation.

Such assistance may include, among other things:

  • the security of Processing in accordance with Article 32 GDPR;

  • the notification and documentation of Personal Data Breaches in accordance with Articles 33 and 34 GDPR;

  • Data Protection Impact Assessments (“DPIAs”) in accordance with Article 35 GDPR;

  • prior consultations with supervisory authorities in accordance with Article 36 GDPR;

  • investigations of security incidents relating to Personal Data processed under this DPA;

  • the provision of information reasonably necessary to demonstrate compliance with the applicable data protection legislation.

To the extent that a Personal Data Breach relates to Personal Data processed by the Processor on behalf of the Controller, the Processor shall inform the Controller without undue delay in accordance with Article 9 of this DPA.

The Processor shall provide such assistance to the extent that this is technically, organisationally and operationally reasonably possible, taking into account the nature of the Services, the information available and the costs of implementation.

Nothing in this Article shall result in the Processor assuming the legal responsibilities of the Controller. The Controller shall remain responsible for its own compliance with the applicable data protection legislation, including the assessment of notification obligations, DPIA obligations and other legal requirements.

Article 9 - Personal Data Breaches


The Processor shall inform the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

The notification shall, to the extent that the information is reasonably available at that time, include:

  • a description of the nature of the Personal Data Breach;

  • the categories of Personal Data concerned;

  • the categories of Data Subjects concerned;

  • the likely consequences of the Personal Data Breach;

  • the measures already taken or proposed to address the Personal Data Breach;

  • the measures proposed to mitigate its possible adverse effects;

  • the contact details of a contact person at the Processor.

Where not all information is available at the same time, the Processor may provide the information in phases as additional information becomes available.

The Processor shall make reasonable efforts to investigate the cause, scope and consequences of the Personal Data Breach and shall keep the Controller informed of relevant developments.

The Processor shall take appropriate measures to mitigate the effects of the Personal Data Breach, prevent further damage and restore the security of the affected Personal Data to the extent reasonably possible.

Unless legally required to do so, the Processor shall not independently notify a Supervisory Authority or Data Subjects regarding Personal Data processed on behalf of the Controller. The decision whether to notify a Supervisory Authority or Data Subjects shall remain the responsibility of the Controller.

The Processor shall, to the extent reasonably possible, provide the necessary cooperation to the Controller in assessing the Personal Data Breach and complying, where applicable, with notification obligations under the applicable data protection legislation.

Article 10 - International Transfers


The Processor shall, in principle, process Personal Data within the European Economic Area (“EEA”).

Personal Data shall only be processed, made accessible or transferred outside the EEA to the extent necessary for the provision of the Services and to the extent permitted under the applicable data protection legislation.

Where Personal Data is processed outside the EEA or is accessible from outside the EEA, the Processor shall ensure that appropriate safeguards are implemented in accordance with Chapter V GDPR.

Such safeguards may include, among other things:

  • an adequacy decision of the European Commission;

  • the Standard Contractual Clauses (“SCCs”) approved by the European Commission;

  • Binding Corporate Rules;

  • other transfer mechanisms recognised under the applicable data protection legislation.

The Processor shall take reasonable measures to satisfy itself that recipients of Personal Data outside the EEA provide an adequate level of protection in accordance with the applicable data protection legislation.

Upon request of the Controller, the Processor shall provide information regarding the applicable transfer mechanisms to the extent reasonably possible and provided that this does not prejudice confidential information, security requirements or the rights of third parties.

Article 11 - AI Functionalities


The Applications and Services may make use of artificial intelligence, machine learning, retrieval augmented generation (RAG), generative AI, embeddings, semantic search functionalities and other similar technologies (hereinafter collectively referred to as the “AI Functionalities”).

For the provision of such AI Functionalities, the Processor may make use of its own technologies, third-party technologies or external AI service providers.

The Processor shall process Personal Data in connection with AI Functionalities only to the extent necessary for the provision, support, security, improvement and operation of the agreed Services and in accordance with the instructions of the Controller.

Unless the parties expressly agree otherwise in writing:

  • the Processor shall not use Personal Data processed on behalf of the Controller to train its own general-purpose AI models;

  • the Processor shall not use Personal Data for purposes that are incompatible with the provision of the agreed Services;

  • the Personal Data shall remain the property of the Controller or its Data Subjects in accordance with the applicable legislation.

Where external AI service providers are engaged for the provision of AI Functionalities, such providers shall be regarded as Sub-processors within the meaning of this DPA to the extent that they process Personal Data on behalf of the Controller.

The Processor shall ensure that such AI service providers are subject to appropriate contractual, technical and organisational safeguards in accordance with the applicable data protection legislation.

The Controller shall remain responsible for:

  • the lawfulness of the Personal Data processed through AI Functionalities;

  • the lawfulness of the instructions provided to the Processor;

  • assessing the suitability of AI Functionalities for the intended use.

The Processor does not warrant that AI Functionalities are error-free, complete, accurate or suitable for any specific purpose, and the Controller remains responsible for carrying out appropriate human review of AI-generated outputs.

To the extent that applicable legislation imposes additional obligations relating to artificial intelligence, the parties shall reasonably cooperate in supporting compliance with such obligations.

Article 12 - Deletion or Return of Data


Upon termination of the agreement and upon written request of the Controller, the Processor shall, at the choice of the Controller and to the extent technically feasible:

  • return the Personal Data to the Controller; or

  • delete the Personal Data.

To the extent that the Applications contain export functionalities, the Controller shall be deemed to use such functionalities to export Personal Data prior to the termination of the agreement.

Following the expiry of the agreed export or availability period, the Processor shall not be required to keep Personal Data available any further, except where this is required by law.

The Processor shall delete or anonymise Personal Data processed on behalf of the Controller as soon as further retention is no longer necessary for:

  • the performance of the agreement;

  • compliance with legal obligations;

  • the protection of legitimate interests;

  • the application of reasonable backup and recovery procedures.

The Processor shall also delete existing copies of Personal Data, unless further retention is required pursuant to applicable Union law, national law, a court order or another binding legal obligation.

To the extent that Personal Data is contained in backups, archives, log files or business continuity systems, such Personal Data may be retained in accordance with the Processor’s normal backup, archiving and rotation procedures, provided that it remains subject to appropriate technical and organisational security measures and is no longer actively processed.

Following the deletion of the Personal Data in accordance with this Article, the Processor’s obligations regarding the availability of such Personal Data shall cease, without prejudice to any obligations arising under applicable law.

Article 13 - Audits


The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and the applicable data protection legislation.

The Processor shall provide the Controller with reasonable cooperation in connection with audits, inspections or other verification activities necessary to demonstrate compliance with this DPA, to the extent required pursuant to Article 28 GDPR.

The Controller shall, in the first instance, make use of the documentation, audit reports, certifications, security statements and other information made available by the Processor.

If such information reasonably proves insufficient to demonstrate compliance with this DPA, the Controller shall have the right to conduct an audit or have an audit conducted by an independent and duly bound professional auditor.

Such audits shall:

  • be announced in writing in advance with reasonable notice;

  • take place during normal business hours;

  • be limited to the Processing activities falling within the scope of this DPA;

  • not unreasonably disrupt the Processor’s business operations, security measures or service delivery;

  • not provide access to Personal Data, confidential information, systems or environments of other customers of the Processor;

  • be conducted in accordance with the Processor’s reasonable security and confidentiality requirements;

  • be carried out at the Controller’s expense, unless the audit reveals a material non-compliance with this DPA.

The Processor may provide existing audit reports, certifications, security attestations, penetration test reports, compliance documentation or other comparable evidence where such evidence reasonably provides an equivalent level of assurance as the requested audit.

In carrying out audits, the parties shall at all times strive for a proportionate approach, taking into account the nature of the Services, the risks of the Processing, the confidentiality of the Processor’s systems and the interests of other customers.

Article 14 - Order of Precedence


In the event of any conflict between this DPA and other contractual documents between the parties relating to the Processing of Personal Data, the following order of precedence shall apply:

  1. the applicable data protection legislation, including the GDPR and other mandatory legal provisions;

  2. this DPA;

  3. the agreement, quotation, purchase order or other specific written arrangements between the parties;

  4. the Terms and Conditions of Innoverius;

  5. any other contractual documents.

To the extent that a provision of another contractual document relates to the Processing of Personal Data and conflicts with this DPA, this DPA shall prevail.

The Privacy Statement of Innoverius applies exclusively to Processing activities for which Innoverius acts as Controller and shall not affect the provisions of this DPA.