Data Processing Agreement (DPA)

Introduction

This Data Processing Agreement ("DPA") is an integral part of the Terms of Use (or any other similarly titled written or electronic agreement addressing similar matters) ("Agreement") between the Customer (as defined in the Agreement) and Accqrate ERP & E-invoicing Solutions, a product of ITERON. Under this Agreement, the Processor provides the Customer ("Controller") with services and software (the "Services"). The Controller and Processor are individually referred to as a "Party" and collectively as the "Parties." This DPA is implemented to ensure compliance with the EU General Data Protection Regulation ("EU GDPR") regarding the Processor's handling of Personal Data (as defined under the GDPR) as part of its service obligations. The terms outlined in this DPA shall govern the Processor's processing of Personal Data shared by the Controller in connection with the Agreement. All other provisions of the Agreement remain in full force and effect unless explicitly modified herein.


1. Definitions


Unless otherwise defined herein, capitalized terms shall have the meanings assigned to them under the EU GDPR or the Agreement.

  1. Data Transfer: Any transfer of Personal Data from the Controller to the Processor, between establishments of the Processor, or from the Processor to a Sub-processor.
  2. EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  3. Standard Contractual Clauses: The contractual clauses attached as Schedule 1 pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  4. Controller: The entity determining the purposes and means of the Processing of Personal Data.
  5. Processor: The entity Processing Personal Data on behalf of the Controller.
  6. Sub-processor: Any third-party processor engaged by the Processor to Process Personal Data on behalf of the Controller.


2. Purpose of this DPA


This DPA sets out the obligations of the Processor concerning the Processing of Personal Data under the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail.


3. Categories of Personal Data and Data Subjects


The Controller authorizes the Processor to Process Personal Data strictly in accordance with the Controller’s instructions. The categories of Personal Data and Data Subjects are specified in Annex I of Schedule 1.


4. Purpose of Processing


The Processor shall Process Personal Data solely for the purpose of providing the Services to the Controller and/or its clients in accordance with the Agreement.


5. Duration of Processing


The Processor shall Process Personal Data for the duration of the Agreement unless otherwise agreed in writing or required by applicable law.


6. Controller Obligations


6.1 The Controller warrants that it has a valid legal basis under applicable Data Protection Laws to disclose Personal Data to the Processor, including obtaining all required Data Subject consents.

6.2 The Controller shall provide Data Subjects with all required privacy notices.

6.3 The Controller may instruct the Processor to delete Personal Data unless retention is required by law.

6.4 The Controller shall promptly notify the Processor of any:

  1. Data Subject requests
  2. Regulatory inquiries
  3. Complaints or alleged violations
  4. Legal demands for Personal Data



7. Processor Obligations


7.1 The Processor shall Process Personal Data only on documented instructions from the Controller.

7.2 The Agreement and related documentation constitute the Controller’s instructions.

7.3 The Processor shall assist the Controller with Data Subject requests and regulatory obligations.

7.4 The Processor shall ensure lawful data sharing and notification obligations under applicable laws.

7.5 International transfers shall be protected by equivalent safeguards.

7.6 The Processor shall inform the Controller if an instruction violates Data Protection Laws.

7.7 The Processor shall assist with Data Protection Impact Assessments where required.


8. Confidentiality


The Processor shall ensure that all authorized personnel:

  1. Are bound by confidentiality obligations
  2. Are trained in data protection and security



9. Audit Rights


9.1 The Processor shall make information available to demonstrate compliance.

9.2 Audits require fifteen (15) days’ prior written notice.

9.3 Audit costs shall be borne by the Controller.


10. International Data Transfers


Transfers outside the EEA shall occur only in compliance with Schedule 1 and applicable SCCs.


11. Sub-processors


11.1 The Processor may engage Sub-processors listed in Annex III of Schedule 1 and remains fully liable for their compliance.

11.2 The Controller may object on reasonable GDPR-related grounds.


12. Personal Data Breach


12.1 The Processor shall notify the Controller without undue delay.

12.2 The Processor shall assist with mitigation and notification obligations.

12.3 Notification does not constitute admission of liability.


13. Return and Deletion


13.1 Upon termination, Personal Data shall be returned or deleted within thirty (30) days unless legally required otherwise.

13.2 All copies shall be securely deleted.


14. Technical and Organisational Measures


The Processor shall implement appropriate technical and organisational safeguards as detailed in Annex II of Schedule 1.


EU representative:


  1. Name: Senthil Ananthan
  2. Email: senthil.a@accqrate-erp.com
  3. Address: ITERON AG, Picassopl. 4, 4052 Basel, Switzerland
  4. Phone: +41 764214429


SCHEDULE 1

(Standard Contractual Clauses – Annexes)

ANNEX I

A. LIST OF PARTIES


Data Exporter(s)


  1. Name: Customer (as set forth in the applicable Order Form)
  2. Address: As set forth in the applicable Order Form
  3. Contact Person: As set forth in the applicable Order Form
  4. Activities Relevant to the Transfer: Recipient of Services provided by Iteron AG pursuant to the Agreement
  5. Signature and Date: As set forth in the Agreement
  6. Role: Controller


Data Importer(s)


  1. Name: Iteron AG
  2. Address: Picassopl. 4, 4052 Basel, Switzerland
  3. Contact Person: Data Protection Officer
  4. Contact Email: Siva G, DPO, dpo@accqrate-erp.com
  5. Activities Relevant to the Transfer: Provision of Services to the Customer in accordance with the Agreement
  6. Signature and Date: As set forth in the Agreement
  7. Role: Processor

B. DESCRIPTION OF TRANSFER


Categories of Data Subjects


  1. Authorized users of the Services
  2. Customer personnel and business contacts
  3. End users whose data is processed via the Services


Categories of Personal Data


  1. Identification data (name, username, user ID)
  2. Contact data (email address, phone number, address)
  3. Professional data (job title, employer, education)
  4. Demographic data (age, gender, language)
  5. Online identifiers (IP address, related URLs, images if uploaded by user)


Special Categories of Personal Data


  1. None processed


Frequency of Transfer


  1. Continuous and ongoing for the duration of the Agreement


Nature of the Processing


  1. Collection
  2. Storage
  3. Structuring
  4. Retrieval
  5. Use
  6. Transmission
  7. Deletion

Purpose of Processing

Processing is performed solely to enable the delivery, operation, maintenance, support, and improvement of the Services as described in the Agreement and applicable Order Forms.

Retention Period

Personal Data is retained for the duration specified in the Agreement and deleted or returned in accordance with Section 13 of the DPA unless retention is required by applicable law.

Processing by Sub-processors

The subject matter, nature, and duration of processing by Sub-processors correspond to the Services provided under the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be determined in accordance with Clause 13 of the EU Standard Contractual Clauses.


ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

Iteron AG implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing.


1. Security Governance


  1. Designated information security leadership responsible for the Information Security Management System (ISMS)
  2. Annual review and approval of security and privacy policies
  3. Regular independent risk assessments and penetration testing
  4. Formal risk treatment, vulnerability, and patch management programs
  5. Incident response and root cause analysis procedures
  6. ISMS aligned with ISO/IEC 27001:2022


2. Personnel Security


  1. Confidentiality obligations for all personnel
  2. Background verification where legally permissible
  3. Mandatory privacy and security training
  4. Role-based access authorization
  5. No access to Personal Data without explicit authorization


3. Access Controls


  1. Role-based access control (RBAC)
  2. Principle of least privilege and need-to-know
  3. Multi-factor authentication and/or single sign-on
  4. Periodic access reviews
  5. Unique user IDs and strong password enforcement
  6. Audit logs for access and changes


4. Infrastructure & Network Security


  1. Cloud infrastructure hosted on AWS
  2. Multi-Availability Zone redundancy
  3. Hardened operating systems
  4. Disaster recovery and business continuity testing
  5. Centralized security logging and monitoring
  6. Regular vulnerability scanning and remediation


5. Data Transmission & Encryption


  1. TLS/HTTPS encryption for data in transit
  2. Network firewall protections
  3. Secure API communication channels


6. Data Storage, Isolation & Deletion


  1. Logical tenant isolation
  2. Encrypted backups
  3. Secure deletion processes aligned with industry standards
  4. Data destruction upon termination in accordance with the DPA


ANNEX III

APPROVED SUB-PROCESSORS
Name of Sub-processor | Description of Processing | Location of Sub-processor
Amazon Web Service | Running the Production environment including the Application and Databases | Bahrain
Microsoft 365 | Email services and Documentation | United States, India
Twilio | Calling and SMS services | United States
Atlassian | Work Management | Global
Glitchtip | Error Alerting | India
Bitbucket | Code Version Control | Global
Calendly | Scheduling Software | Global
