1. Parties
This data processing agreement applies between:
- The Data Controller ("Customer"): the natural or legal person who has an account with Consentr and implements the consent widget on their website(s).
- The Data Processor ("Consentr"): Network-IT, operating under the name Consentr, located at Adegemstraat 88, 2800 Mechelen, Belgium (KBO: BE0553.500.113).
This agreement forms an integral part of the Terms & Conditions of Consentr and applies as soon as the Customer uses the Services.
2. Subject and duration
- This data processing agreement governs the processing of personal data by Consentr on behalf of the Customer, in the context of providing the consent management platform.
- The agreement is valid for the duration of the Customer's use of the Services and ends upon termination of the main agreement.
3. Nature and purpose of processing
Consentr processes personal data exclusively for the purpose of:
- Recording and storing consent records (proof of consent) of website visitors of the Customer
- Displaying the consent widget on the Customer's website(s)
- Generating analytics and reports on consent
- Scanning cookies on the Customer's website(s)
- Generating privacy and cookie policies on behalf of the Customer
4. Types of personal data
The following categories of personal data are processed:
| Category | Data | Data subjects |
|---|---|---|
| Consent records | Anonymized visitor ID, hashed IP addresses, User Agent, timestamp of consent, chosen preferences, consent model | Website visitors of the Customer |
| Cookie scan results | Cookies found on the Customer's website(s) (no personal data of visitors) | N/A |
| Policy documents | Company data of the Customer included in generated policy texts | Customer (contact person) |
5. Obligations of the Processor
Consentr undertakes to:
- Process personal data exclusively on the basis of written instructions from the Customer, unless a legal obligation requires otherwise. In that case, Consentr will inform the Customer prior to processing, unless this is legally prohibited.
- Ensure that persons authorized to process personal data are bound by confidentiality.
- Take all appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), including:
  - Encryption of data in transit (TLS) and at rest
  - Hashing of IP addresses and visitor IDs
  - Role-based access control
  - Regular backups
  - Monitoring and logging of system access
- Not engage sub-processors without prior written consent of the Customer. The Customer hereby grants general consent, with the right to object within 30 days of notification of a new sub-processor.
- Assist the Customer in fulfilling obligations regarding data subject rights (Art. 15-22 GDPR).
- Assist the Customer in carrying out data protection impact assessments (DPIA) and prior consultation, where applicable.
- Upon termination of the services, delete or return all personal data, at the Customer's choice, and delete existing copies unless storage is legally required.
- Make available to the Customer all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR, and enable audits.
6. Sub-processors
Consentr uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hosting provider (EU) | Hosting the platform and storing data | European Union |
| Stripe, Inc. | Payment processing | US (EU-US Data Privacy Framework) |
Changes to sub-processors will be communicated at least 30 days in advance. The Customer may object in writing within that period.
7. International transfers
Personal data is primarily stored and processed within the European Economic Area (EEA). If transfer to a country outside the EEA is necessary, appropriate safeguards will be implemented:
- Adequacy decision of the European Commission
- Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework (where applicable)
8. Data breach notification
- Consentr will inform the Customer without undue delay, and in any case within 48 hours, after Consentr becomes aware of a personal data breach.
- The notification will contain at least:
  - The nature of the breach
  - The categories and estimated number of data subjects and personal data records
  - The likely consequences
  - The measures taken or proposed
- Consentr will provide the Customer with full cooperation in fulfilling their notification obligation to the supervisory authority (Art. 33 GDPR) and any communication to data subjects (Art. 34 GDPR).
9. Data subject rights
Consentr supports the Customer in handling requests from data subjects, including requests for access, rectification, erasure, restriction, data portability and objection. Consentr will refer requests received directly from data subjects to the Customer.
10. Audits
- The Customer has the right to conduct audits, or to have audits conducted, to verify compliance with this agreement.
- Audits are conducted after reasonable prior notice (minimum 30 days), during business hours and in a manner that minimizes disruption to Consentr's operations.
- The costs of the audit are borne by the Customer, unless the audit reveals a material deficiency.
11. Termination and data deletion
- Upon termination of the main agreement, Consentr will delete all personal data within 30 days, unless:
  - The Customer requests return of the data (export)
  - Legal retention periods require longer storage
- The Customer can request an export of consent records at any time via the platform or via support@consentr.io.
12. Liability
The liability of the parties under this data processing agreement is subject to the limitations set out in the Terms & Conditions. Both parties are responsible for their own compliance with applicable privacy legislation.
13. Applicable law
This data processing agreement is governed by Belgian law. Disputes will be submitted to the competent court in Antwerp, division Mechelen.
14. Contact
For questions about this data processing agreement, you can contact:
Consentr by Network-IT
Adegemstraat 88, 2800 Mechelen, Belgium
E-mail: support@consentr.io
KBO: BE0553.500.113