Data Processing Agreement
Revision date: July 28th, 2025
This Data Processing Agreement (“DPA”) is entered into between:
• Eqolux (the “Controller”), and
• each third‑party service provider listed in Annex 1 (the “Processor”),
each a “Party” and together the “Parties”, in connection with the Controller’s use of the service provider for data processing.
This DPA is incorporated by reference into the applicable service agreement between Eqolux and the Processor. If there is any conflict between such service agreement and this DPA, this DPA will govern with respect to data protection.
1. Definitions
Defined terms in this DPA have the meanings set forth in the GDPR. Additional terms:
• Personal Data: any information relating to identified or identifiable natural persons that Controller provides or makes available to Processor.
• Processor: one of the listed third parties in Annex 1 acting on behalf of the Controller.
• Sub-processor: a third party to whom Processor subcontracts processing on behalf of Controller.
• Processing: any operation on Personal Data carried out by Processor for Controller’s purposes.
2. Roles of the Parties
• Eqolux is the Data Controller, determining the purposes and means of the processing.
• Each third-party provider is a Data Processor on behalf of Eqolux, processing Personal Data strictly in accordance with Eqolux’s documented instructions and this DPA.
3. Subject Matter, Duration, Nature and Purpose of Processing
Annex 1 contains:
• Services provided by each Processor.
• Categories of Data Subjects.
• Types of Personal Data processed.
• Processing operations and duration (aligned with the service term).
4. Controller Obligations
Controller shall:
1. Ensure lawfulness of processing (legal basis, transparency, data subject rights).
2. Provide only necessary and appropriate Personal Data for processing.
3. Maintain records of processing activities as required by GDPR.
5. Processor Obligations
Each Processor shall:
1. Process Personal Data only per Eqolux’s documented instructions, including Annex 1.
2. Ensure personnel handling Personal Data are under confidentiality obligations.
3. Implement appropriate technical and organisational measures (including, where the Processor holds SOC 2 or ISO 27001 certification, the controls covered by that certification) to ensure the security of Personal Data, in line with GDPR Article 32 and Annex 2.
4. Assist Eqolux in meeting its obligations under GDPR Articles 32–36 (security of processing, breach notification to the supervisory authority and to data subjects, data protection impact assessments and prior consultation) and in responding to data subject requests under GDPR Chapter III, as set out in Annex 3.
5. Notify Eqolux without undue delay on detection of any personal data breach.
6. At Controller’s choice, delete or return all Personal Data on termination of services, unless otherwise required by law, and certify deletion.
6. Sub‑processors
• Processor may engage sub‑processors only with Controller’s prior written consent, which may be given specifically or, for additions and replacements to an already approved list, through the notice-and-objection procedure set out below.
• Processor remains liable for sub‑processor compliance.
• Processor shall inform Controller of any intended additions or replacements to its sub‑processors; Controller has 30 calendar days from receipt of the notice to object. If Controller does not object within that period, consent is deemed given.
7. International Transfers
If processing involves transfers of Personal Data outside the EEA, Processor shall ensure appropriate safeguards (e.g. Standard Contractual Clauses or equivalent) are in place before transfer.
8. Audits and Inspections
• Controller or an appointed auditor may review Processor’s compliance with this DPA, upon reasonable notice.
• Processor shall cooperate and provide all relevant information, including audit reports or certifications (e.g. SOC 2, ISO 27001).
9. Liability
• The limitations on liability set out in the main service agreement apply, except that breaches of data protection obligations may give rise to Controller’s rights under GDPR.
• Processor is not liable for instructions provided by Controller or Controller’s failure to comply with data protection law.
10. Termination
The term of this DPA matches the term of the underlying service agreement. Termination of that agreement, for any reason, terminates this DPA. The provisions on confidentiality, deletion or return of Personal Data, breach notification, security measures and liability survive termination.
Annex 1: Details of the Processing
This Annex provides the required details of processing in accordance with Article 28(3) of the GDPR.
Annex 2: Technical and Organisational Measures
Each Processor listed in Annex 1 represents and warrants that it implements the following (or materially equivalent) technical and organisational security measures, in line with Article 32 GDPR:
1. Physical Access Control
• Data centers managed by certified providers (e.g. AWS, Azure, GCP) with 24/7 surveillance, access logs, and badge-based entry.
• Restricted employee access based on job function.
2. Logical Access Control
• Multi-factor authentication (MFA) for all administrative access.
• Role-based access controls (RBAC) to enforce least privilege.
• Audit logs maintained for access to production systems.
3. Data Access and Separation
• Segregation of customer environments and datasets where applicable.
• Customer data logically isolated through application-level controls.
4. Encryption
• In Transit: TLS 1.2+ encryption for all data in motion.
• At Rest: AES-256 or stronger encryption at rest.
5. Backup & Disaster Recovery
• Daily backups of critical systems.
• Geographic redundancy and failover capabilities.
• Regular testing of disaster recovery procedures.
6. Vulnerability Management
• Regular internal security testing and external penetration tests.
• Patch management programs for OS and dependencies.
7. Personnel Security & Training
• Security training for all personnel.
• Access only granted to trained and authorized employees.
• NDA and confidentiality agreements in place.
8. Incident Management
• Breach detection and notification procedures.
• 24/7 monitoring of systems with defined escalation paths.
• Obligations to notify Eqolux without undue delay (per GDPR Article 33).
Annex 3: Assistance with Data Subject Rights and Breach Notifications
Processors agree to assist Eqolux in fulfilling its obligations under GDPR Chapter III (Rights of the Data Subject) and Article 33 (Notification of a Personal Data Breach), including:
1. Data Subject Rights Assistance
• Upon Eqolux’s written request, the Processor shall assist in responding to requests from Data Subjects, including:
• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to data portability
• Right to restrict or object to processing
• Such requests will be handled promptly and within reasonable timeframes. Processors will not respond directly to any data subject request without prior written authorization from Eqolux, unless legally required.
2. Personal Data Breach Notification
• Processor will notify Eqolux without undue delay and in any event no later than 48 hours after becoming aware of a personal data breach, so that Eqolux can meet its own 72‑hour notification deadline under GDPR Article 33(1).
• Notifications must include:
• Nature of the breach (what happened, categories of data affected)
• Number of data subjects and records affected
• Likely consequences and risks
• Mitigation and remedial measures taken
• Contact details for further information
• Processor shall assist Eqolux in communicating the breach to supervisory authorities and/or data subjects where required.