Data Processing Agreement

Last Updated: June 9, 2026

1. Purpose

This Data Processing Agreement ("DPA") forms part of the contractual relationship between:

Customer (the organisation using VERDIO), acting as Data Controller,

and

VERDIO, acting as Data Processor,

in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This DPA applies where the Customer enters personal data into the VERDIO platform in the course of using regulatory readiness assessments.

2. Roles of the Parties

For account registration and billing data:

  • VERDIO acts as Data Controller.

For assessment responses and operational information entered by the Customer:

  • The Customer acts as Data Controller.
  • VERDIO acts as Data Processor.

The Customer determines:

  • The purposes of data processing.
  • The categories of personal data entered.
  • The data subjects concerned.

3. Subject Matter and Duration

Subject matter:

Processing of personal data entered into the VERDIO platform for the purpose of delivering regulatory readiness assessments.

Duration:

For the duration of the Customer's use of the platform, unless earlier deletion is requested or required by law.

4. Nature and Purpose of Processing

Processing activities may include:

  • Storage of assessment responses
  • Organisation of data into structured outputs
  • Generation of reports
  • Secure hosting
  • Transmission of data within platform infrastructure

The purpose of processing is solely to deliver the purchased assessment service.

VERDIO does not process assessment data for independent marketing or profiling purposes.

5. Types of Personal Data

Depending on Customer input, processing may include:

  • Business contact information
  • Organisational operational details
  • Limited personal data related to governance roles
  • Technical system information

Customers are responsible for ensuring that unnecessary or sensitive personal data is not entered unless legally permitted.

6. Categories of Data Subjects

Data subjects may include:

  • Employees
  • Contractors
  • Representatives
  • Customers (if voluntarily entered by the Customer)

VERDIO does not independently determine data subject categories.

7. Processor Obligations

VERDIO shall:

  • Process personal data only on documented instructions from the Customer
  • Ensure confidentiality of authorised personnel
  • Implement appropriate technical and organisational measures
  • Assist the Customer in responding to data subject rights requests where applicable
  • Notify the Customer without undue delay in case of a personal data breach
  • Delete or return personal data upon termination of services, unless retention is legally required

8. Technical and Organisational Measures

VERDIO implements measures including:

  • Secure authentication
  • Encrypted transmission (HTTPS)
  • Logical separation of customer data
  • Access control restrictions
  • System monitoring and logging
  • Regular infrastructure maintenance

Specific technical measures may evolve over time to reflect security best practices.

9. Subprocessors

VERDIO may engage subprocessors for:

  • Hosting services
  • Payment processing
  • AI-assisted summarisation
  • Infrastructure services

VERDIO ensures that subprocessors:

  • Are bound by written data protection agreements
  • Provide sufficient guarantees under Article 28 GDPR

A list of subprocessors may be provided upon request.

10. International Transfers

Where subprocessors are located outside the European Economic Area (EEA), transfers shall be conducted under:

  • Standard Contractual Clauses (SCCs), or
  • Other lawful GDPR transfer mechanisms

11. Data Subject Rights Assistance

Where VERDIO receives a request directly from a data subject relating to Customer-controlled data, VERDIO shall:

  • Inform the Customer without undue delay
  • Not respond directly unless legally required

The Customer remains responsible for handling data subject requests.

12. Personal Data Breach Notification

In the event of a personal data breach affecting Customer data, VERDIO shall:

  • Notify the Customer without undue delay
  • Provide available information necessary to meet GDPR reporting obligations

The Customer remains responsible for regulatory notifications where required.

13. Deletion and Return of Data

Upon termination of the service or upon written request:

  • Personal data shall be deleted or returned, unless retention is legally required.

Retention for documentation integrity may apply where contractually necessary.

14. Audit Rights

Where reasonably necessary, the Customer may request information demonstrating VERDIO's compliance with this DPA.

Formal audits shall require reasonable prior notice and must not disrupt platform operations.

15. Liability

Liability arising under this DPA is subject to the limitations set forth in the Terms of Use.

16. Governing Law

This DPA is governed by Dutch law.

Disputes shall be submitted to the competent court in the Netherlands.