Standard Data Processing Agreement
19 avenue des Volontaires / Vrijwilligerslaan, 1160 Brussels, Belgium
BCE/KBO: BE0879.380.125
Preamble
This Standard Data Processing Agreement ("DPA") applies between Imageplus SRL/BV, with registered office at 19 avenue des Volontaires / Vrijwilligerslaan, 1160 Brussels, Belgium, BCE/KBO: BE0879.380.125 ("Processor"), and the client identified in the applicable engagement documentation ("Controller") where it is incorporated by reference into the applicable offer, order form, statement of work, service level agreement, general terms of work or other engagement documentation.
This DPA forms part of the contractual relationship between the parties and governs all processing of personal data carried out by the Processor on behalf of the Controller in connection with the services provided by the Processor. It is incorporated by reference into the general terms of work of Imageplus SRL/BV and, where applicable, into the service level agreement or other engagement documentation governing the services.
In the event of a conflict between this DPA and any other agreement between the parties, this DPA prevails with respect to the processing of personal data.
1. Definitions
"Applicable Data Protection Law" means Regulation (EU) 2016/679 (GDPR) and any national implementing legislation, as amended or replaced from time to time.
"Controller" means the client, being the natural or legal person who determines the purposes and means of the processing of personal data.
"Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.
"Personal Data" has the meaning given in Article 4(1) GDPR.
"Personal Data Breach" has the meaning given in Article 4(12) GDPR.
"Processing" has the meaning given in Article 4(2) GDPR.
"Processor" means Imageplus SRL/BV, processing personal data on behalf of the Controller.
"Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Trust Center" means the Imageplus trust center published at imageplus.be/en/trust-center, containing current documentation on data processing commitments, sub-processors and security measures.
2. Roles and subject matter
2.1 The Controller is the data controller within the meaning of Article 4(7) GDPR. The Processor is the data processor within the meaning of Article 4(8) GDPR.
2.2 The Processor shall process personal data only on behalf of and on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.3 The subject matter, nature, duration and purpose of the processing, and the categories of personal data and data subjects, are set out in Annex A to this DPA.
3. Processor obligations
The Processor shall:
3.1 Process personal data only on documented instructions from the Controller, as set out in this DPA, the applicable service agreement, and any written instructions communicated through the engagement's official channels. If the Processor considers that an instruction infringes Applicable Data Protection Law, it shall inform the Controller without undue delay.
3.2 Ensure that persons authorised to process personal data on behalf of the Controller are subject to appropriate confidentiality obligations.
3.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex C and the Imageplus Trust Center.
3.4 Respect the conditions for engaging sub-processors as set out in section 5 of this DPA.
3.5 Assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Articles 15 to 22 GDPR.
3.6 Assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
3.7 At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the personal data.
3.8 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the conditions set out in section 11 of this DPA.
4. Controller obligations
The Controller shall:
4.1 Ensure that it has a valid legal basis for the processing of personal data under Applicable Data Protection Law and that it has provided all necessary notices to Data Subjects.
4.2 Provide the Processor with documented instructions for the processing of personal data.
4.3 Ensure the accuracy, quality and legality of the personal data provided to the Processor for processing.
4.4 Notify the Processor without undue delay of any changes to the personal data being processed or to the processing instructions that may affect the Processor's compliance obligations.
5. Sub-processors
5.1 The Controller provides general authorisation for the Processor to engage sub-processors. The Processor's current sub-processors are listed in Annex B to this DPA and on the Imageplus Trust Center sub-processors page.
5.2 The Processor shall inform the Controller of any intended addition or replacement of sub-processors by providing at least thirty (30) days prior written notice. The Controller may object to such changes on reasonable grounds relating to data protection within that notice period. If no objection is received within the notice period, the Controller is deemed to have accepted the change. Where a change is required urgently for security or legal reasons, the Processor shall give notice as soon as reasonably practicable and shall implement appropriate interim measures to protect personal data during the transition.
5.3 Where the Processor engages a sub-processor, it shall impose data protection obligations on that sub-processor equivalent to those set out in this DPA, by way of a written contract.
5.4 The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations to the extent that the sub-processor fails to fulfil its data protection obligations.
6. International transfers
6.1 The Processor shall not transfer personal data to a third country or international organisation outside the European Economic Area unless an appropriate transfer mechanism under Chapter V GDPR is in place.
6.2 Where sub-processors are established outside the EEA, the applicable transfer mechanisms are identified in Annex B and on the Imageplus Trust Center.
6.3 The Processor maintains Transfer Impact Assessments where required by Applicable Data Protection Law. These are available to the Controller on request.
7. Data subject rights
7.1 The Processor shall notify the Controller without undue delay upon receiving a request from a Data Subject exercising any right under Articles 15 to 22 GDPR that relates to personal data processed under this DPA.
7.2 The Processor shall not respond directly to Data Subject requests relating to the Controller's personal data unless expressly instructed to do so by the Controller in writing.
7.3 The Processor shall assist the Controller, insofar as possible and taking into account the nature of the processing, in responding to Data Subject requests within the timeframes required by Applicable Data Protection Law.
8. Security measures
8.1 The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
8.2 The security measures applied by the Processor are described in Annex C and documented in further detail in the Imageplus Trust Center. These measures include, without limitation, encryption in transit and at rest, access controls based on least privilege, multi-factor authentication for administrative access, security testing appropriate to the nature and risk of the engagement, and secure development practices.
8.3 The Processor may update its security measures from time to time, provided that such updates do not result in a material degradation of the overall level of security.
9. Personal data breach notification
9.1 The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting personal data processed under this DPA, in accordance with Article 33(2) GDPR.
9.2 The notification shall include, to the extent available at the time of notification: the nature of the breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of personal data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.
9.3 Where complete information is not available at the time of initial notification, the Processor shall provide further information as it becomes available without undue delay.
9.4 The Controller shall remain solely responsible for notifying the competent supervisory authority and affected Data Subjects in accordance with Articles 33 and 34 GDPR.
9.5 Specific notification timelines may be agreed in writing between the parties in the applicable service level agreement or engagement documentation, in which case those timelines shall prevail.
10. Return and deletion of personal data
10.1 Upon termination of the services or upon written request from the Controller, the Processor shall, at the Controller's choice, either return all personal data to the Controller in a structured, commonly used and machine-readable format, or securely delete all personal data.
10.2 Unless instructed otherwise, deletion shall be completed within a reasonable period, and in any event within sixty (60) days of the end of the engagement. Specific deletion timelines may be agreed in writing in the applicable service level agreement or engagement documentation, in which case those timelines shall prevail.
10.3 Backup copies containing personal data are not selectively purged. They expire according to the Processor's standard backup retention cycles as described in Annex C. The maximum reconciliation period is bounded by the longest-lived backup tier.
10.4 The Processor shall provide written confirmation of deletion to the Controller upon request.
11. Audit rights
11.1 The Processor shall make available to the Controller, upon written request, all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. The Processor shall respond to such requests within a reasonable period.
11.2 The Controller may conduct, or mandate an independent auditor to conduct, an on-site audit of the Processor's data processing activities, subject to the following conditions: at least thirty (30) days prior written notice; execution of a confidentiality undertaking by the auditor; a maximum frequency of once per year, unless a Personal Data Breach has occurred; and reasonable measures to avoid disruption to the Processor's operations and to the confidentiality of data belonging to other clients.
11.3 Where the Processor provides documentation of its current security posture from its Trust Center or third-party security assessments, the Controller may, at its discretion, accept such documentation in lieu of an on-site audit.
12. Duration and termination
12.1 This DPA enters into force on the date of acceptance as set out in the general terms of work or the applicable engagement documentation and remains in force for the duration of the services.
12.2 The Processor's obligations under sections 10 and 11 survive termination of this DPA until all personal data has been returned or deleted and confirmed as such.
13. Governing law and jurisdiction
13.1 This DPA is governed by Belgian law.
13.2 Any dispute arising from or relating to this DPA shall be subject to the exclusive jurisdiction of the courts of Brussels, Belgium.
Annex A · Description of processing
A.1 · Parties
Controller: The client, being the natural or legal person who determines the purposes and means of the processing, as identified in the offer, order form, statement of work, service level agreement, general terms of work or other engagement documentation into which this DPA is incorporated by reference.
Processor: Imageplus SRL/BV, 19 avenue des Volontaires / Vrijwilligerslaan, 1160 Brussels, Belgium, BCE/KBO: BE0879.380.125
A.2 · Standard baseline processing description
This section describes the processing activities covered by the standard DPA. It applies to engagements involving standard processing activities carried out by the Processor on behalf of the Controller, unless supplemented or replaced by engagement-specific documentation as described in section A.4.
Subject matter of processing
The provision of digital advisory, engineering, hosting, support and maintenance services by the Processor on behalf of the Controller.
Nature of processing
Collection, storage, retrieval, structuring, transmission, display, deletion and other operations technically necessary for the provision of the services. The Processor accesses personal data only to the extent technically necessary for the provision of the services described in this Annex. Incidental access to personal data may occur during technical support, troubleshooting, quality verification or audit activities conducted by the Processor in connection with the services.
Purpose of processing
The purposes for which the Controller uses the services, which may include one or more of the following:
- Website development, hosting, support and maintenance
- Contact forms, request forms, landing pages and campaign forms
- Technical support and helpdesk interactions
- CRM, marketing, analytics, automation or integration workflows
- CMS administration and content management
- Logging, backup, monitoring, security and troubleshooting
Categories of personal data
The following categories of personal data are covered by the standard DPA:
- Identification data: name, username, employee or customer identifier
- Contact data: email address, phone number, postal address
- Professional data: company name, job title, function
- Message and request content: content of contact forms, support requests, helpdesk interactions
- Business communication data: email correspondence, meeting notes, project-related messages and support communications
- Technical and usage data: IP address, browser type, device identifiers, session data, access logs, error logs
Categories of data subjects
- Employees, contractors and representatives of the Controller
- Customers, prospects and end users of the Controller
- Visitors to the Controller's websites or digital platforms
- Third parties whose data is submitted to the Controller's systems in the ordinary course of business, where relevant to the services
Duration of processing
For the duration of the services and as required for the return or deletion of personal data under section 10 of this DPA.
Retention period
As instructed by the Controller and as set out in the engagement documentation, subject to the backup reconciliation period described in section 10.3 of this DPA.
A.3 · CV parsing services
Where the engagement includes CV parsing, the following additional description applies.
Nature of processing
The standard CV parsing service is limited to the following technical operations: uploading, receiving, reading, extracting, structuring, formatting, storing, transmitting and displaying information contained in CVs, cover letters or related recruitment documents.
The standard CV parsing service does not include candidate ranking, scoring, profiling, suitability assessment, background checks, psychometric analysis, automated decision-making, shortlisting or recruitment decision support, unless expressly agreed in writing and documented in the applicable engagement documentation. The Processor does not access, review or analyse the content of CVs for recruitment evaluation purposes, and any technical reading, extraction or structuring of CV content is limited to what is necessary to provide the CV parsing service. The standard CV parsing service does not include the use of CVs or candidate data to train, fine-tune or improve external AI models, unless expressly agreed in writing and documented in the applicable engagement documentation.
Special categories of personal data
CVs, cover letters and recruitment documents may incidentally contain special categories of personal data or other sensitive information where voluntarily included by the candidate or provided by the Controller. Such data is not intentionally requested by the Processor as part of the standard CV parsing service. Where the engagement requires intentional processing of special category data, criminal offence data, medical data, diversity data, background check data or similar sensitive recruitment data, this must be expressly agreed in writing and documented before such processing begins.
Categories of data subjects
Job applicants and candidates whose CVs or related documents are submitted to or processed by the Controller's systems.
Categories of personal data
Identification data, contact data, professional experience, educational background, skills, qualifications, and any other information voluntarily included by the candidate in a CV or cover letter. Special categories of personal data may be incidentally present as described above.
A.4 · Engagement-specific supplement
Where a specific engagement involves processing activities, categories of personal data, categories of data subjects, systems, integrations, retention periods or security requirements not covered by this Annex, the parties shall complete or supplement this Annex in the applicable offer, SLA, statement of work, written brief, project documentation or other engagement documentation. Such engagement-specific documentation supplements this Annex and prevails over it to the extent of any inconsistency.
Special categories of personal data (Article 9 GDPR)
Special category data is not processed in the normal course of a standard engagement. Any intentional processing of special category data requires explicit written agreement, a documented Article 9(2) legal basis provided by the Controller, and documentation in the applicable engagement documentation before processing begins. The Processor may refuse such processing where the required safeguards are not agreed, not documented or not technically available.
Annex B · Sub-processors
The Processor's current sub-processors, together with their role, location and applicable transfer mechanism, are published and maintained on the Imageplus Trust Center sub-processors page.
The Controller acknowledges that the sub-processor list is subject to change in accordance with section 5.2 of this DPA. The Controller may monitor the current list at any time via the Trust Center.
For engagement-specific sub-processors not listed on the Trust Center, the Processor shall notify the Controller at engagement start and document the applicable transfer mechanism in the engagement file.
Annex C · Security measures
The technical and organisational measures implemented by the Processor are described in the Imageplus Trust Center, which covers:
- Data processing commitments and access governance
- Security practices including access controls, encryption, monitoring and vulnerability management
- Secure development practices including security-by-design, code review, dependency management and AI-assisted development controls
- Breach notification procedures and timelines
- Business continuity and backup arrangements
The Trust Center is updated to reflect material changes to the Processor's security posture. The Processor shall notify the Controller of any material changes that may affect the level of protection afforded to the Controller's personal data.