
Data Processing Agreement

The terms governing how LOBI-SYSTEMS processes personal data on behalf of its senga customers under Article 28 GDPR.

Last updated January 15, 2026

The short version: when you operate a senga instance to handle data about your customers, employees, or contacts, you are the controller and we are your processor. This DPA spells out our obligations: act on your instructions only, keep the data secure, help you respond to data-subject requests, and notify you of incidents.

1. Parties

This Data Processing Agreement (“DPA”) applies between LOBI-SYSTEMS SRL (“Processor”), a company registered in Belgium, and the customer (“Controller”) that has subscribed to a senga plan or signed a Master Subscription Agreement with LOBI-SYSTEMS.

This DPA forms part of the agreement between the parties and governs the processing of personal data carried out by the Processor on behalf of the Controller.

2. Definitions

Capitalized terms have the meaning given in Article 4 of Regulation (EU) 2016/679 (the “GDPR”) unless defined otherwise in this DPA.

  • Personal Data — any information processed by the Processor on behalf of the Controller through the senga Services that relates to an identified or identifiable natural person.
  • Subprocessor — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Services — the senga product as provided under the Master Subscription Agreement.

3. Subject matter & duration

The Processor processes Personal Data only for the purpose of providing the Services to the Controller, in accordance with the Controller's documented instructions.

The duration of the processing is the term of the Master Subscription Agreement, plus the time required to return or delete the Personal Data after termination (see § 11).

The nature, purpose, types of Personal Data, and categories of data subjects are described in the Master Subscription Agreement and the Controller's configuration of the Services.

4. Instructions

The Processor processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject.

If the Processor believes that an instruction infringes the GDPR or other applicable data protection law, it will inform the Controller before carrying out the instruction.

5. Confidentiality

The Processor ensures that personnel authorized to process Personal Data are bound by enforceable confidentiality obligations and have received appropriate training.

6. Security

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256).
  • Hardware-backed key management, with rotation policies.
  • Role-based access control with the principle of least privilege.
  • Comprehensive audit logging of administrative actions.
  • Network segmentation and firewalls.
  • Regular vulnerability scans and annual third-party penetration tests.
  • Secure development practices, code review, and dependency monitoring.
  • Documented business continuity and disaster-recovery plans.
  • Encrypted backups with a 30-day rolling retention.

7. Subprocessors

The Controller authorizes the Processor to engage Subprocessors for the provision of the Services. The current list of Subprocessors is below; the Processor will inform the Controller of any intended changes (addition or replacement) at least 30 days in advance, giving the Controller the opportunity to object.

| Subprocessor | Service | Location |
| --- | --- | --- |
| Hetzner Online GmbH | Compute & storage hosting | Germany / Finland (EU) |
| Stripe Payments Europe Ltd. | Billing & payments | Ireland (EU) |
| Postmark / ActiveCampaign | Transactional email | EU region |
| Sentry GmbH | Error monitoring | Germany (EU) |
| Plausible Insights OÜ | Privacy-friendly analytics (no cookies) | Estonia (EU) |

The Processor remains fully liable to the Controller for the performance of any Subprocessor's obligations under this DPA.

8. Data-subject rights

Taking into account the nature of the processing, the Processor assists the Controller — through appropriate technical and organizational measures, insofar as possible — in fulfilling its obligation to respond to requests for exercising data-subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).

9. Personal-data breaches

The Processor notifies the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach affecting the Controller's Personal Data.

The notification includes, to the extent reasonably possible: (a) the nature of the breach, (b) the categories and approximate number of data subjects and records concerned, (c) the likely consequences, (d) the measures taken or proposed to address the breach and mitigate its effects.

10. Audits

The Processor makes available to the Controller all information necessary to demonstrate compliance with this DPA. Once per year and on reasonable notice, the Controller may conduct an audit (or mandate a third-party auditor bound by confidentiality) of the Processor's compliance with this DPA, at the Controller's cost. Audits will not unduly disrupt the Processor's operations.

On request, the Processor provides current third-party audit reports (e.g. ISO 27001 / SOC 2) in lieu of an on-site audit where they cover the matters at issue.

11. International transfers

The Processor processes Personal Data within the European Economic Area. Where Personal Data is transferred to a country outside the EEA — for example, where a Subprocessor operates there — the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2 or 3 as appropriate) plus supplementary measures where required by case law (e.g. Schrems II).

12. Return or deletion of data

On termination of the Master Subscription Agreement, the Processor will, at the Controller's choice, return all Personal Data to the Controller in a commonly used, machine-readable format, or delete it from all live systems within 30 days. Backups containing Personal Data are deleted on the next rotation cycle (maximum 30 days).

13. Contact

For DPA-related questions or requests under this agreement: [email protected].

© 2026 LOBI-SYSTEMS · Mons, Belgium · senga.lobi-systems.com