Data Processing Agreement

1. Purpose and acceptance

This Data Processing Agreement (“DPA”) governs the processing of personal data by Stalwart Consulting Ltd (“Processor,” “EUDAPrep,” “we”) on behalf of the customer organisation (“Controller,” “you”) under Article 28 of Regulation (EU) 2016/679 (“GDPR”). It forms part of the EUDAPrep Terms of Service and is binding on both parties from the moment the Controller begins to use the service.

Where the Controller, in turn, processes personal data on behalf of a third party (for example, a regulatory consultant processing documents on behalf of a manufacturer), the Controller represents that it has the authority to instruct EUDAPrep to perform the processing described in this DPA on the third party’s behalf, and that any onward sub-processing arrangement is permitted by its own agreement with the third party.

2. Definitions

Terms not otherwise defined have the meanings given in the GDPR. “Customer Personal Data” means any personal data the Controller submits to or processes through EUDAPrep. “Sub-processor” means any third party engaged by the Processor to process Customer Personal Data.

3. Subject matter, duration, nature, and purpose

No special-category data (GDPR Article 9) is intentionally processed. The Controller undertakes not to upload special-category personal data through the service except where strictly necessary for a specific EUDAMED field that requires it.

4. Controller obligations

The Controller:

• Determines the purposes and means of the processing carried out via the service;
• Is responsible for the lawfulness of the processing it instructs, including establishing the appropriate Article 6 (and where applicable Article 9) lawful basis for the data it submits;
• Provides any notices to data subjects required by Articles 13–14 of the GDPR;
• Ensures that documents uploaded to the service do not contain content the Controller is not lawfully permitted to disclose to a processor;
• Issues lawful and documented instructions to the Processor through the configuration of the service and through the in-application interface (the use of the service is itself such an instruction).

5. Processor obligations

The Processor shall:

• Process only on documented instructions from the Controller, including with regard to international transfers, except where required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
• Confidentiality. Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations;
• Security (Article 32). Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, segregated production and development environments, row-level security in the application database, and append-only audit-trail tables for compliance-relevant events;
• Sub-processors. Engage only the sub-processors listed in our Privacy Policy Section 5 or otherwise notified to the Controller. The Processor will give the Controller at least 30 days’ prior notice of any new sub-processor; the Controller may object during that period and, if the parties cannot reach a reasonable accommodation, the Controller may terminate this DPA and the related Terms of Service for the affected service. Each sub-processor is bound by data-protection terms that meet the standard of Article 28(4);
• Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under GDPR Articles 15–22;
• Breach notification (Articles 33–34). Notify the Controller without undue delay (and where feasible within 72 hours) after becoming aware of a personal-data breach affecting Customer Personal Data, providing the information required by Article 33(3);
• DPIA assistance (Articles 35–36). Provide reasonable assistance to the Controller with data-protection impact assessments and prior-consultation requests to supervisory authorities, taking into account the nature of the processing and the information available to the Processor;
• Deletion or return. At the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of services relating to processing, save that the Processor may retain Customer Personal Data to the extent required by Union or Member State law and may retain the disclaimer-acknowledgement and audit-trail records for the period stated in Section 9 below for the establishment, exercise, or defence of legal claims;
• Audits (Article 28(3)(h)). Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, on reasonable notice, no more than once per calendar year (except where required by a supervisory authority), at the Controller’s expense, and subject to appropriate confidentiality obligations.

6. Sub-processors (current list)

The current list of sub-processors used in the provision of the service is maintained in our Privacy Policy Section 5. The list will be updated as sub-processors are added or replaced; material changes are notified per Section 5 above.

7. International transfers

The Processor’s primary application infrastructure is hosted in the European Union. Where Customer Personal Data is transferred to a sub-processor outside the European Economic Area, the parties rely on:

• The European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914), as incorporated by reference into this DPA, with the Processor acting as data exporter and the relevant sub-processor as data importer;
• Any supplementary technical or organisational measures identified in the Processor’s Transfer Impact Assessment as necessary to ensure an essentially equivalent level of protection.

The Controller acknowledges that AI-extraction processing currently involves a transfer to Google’s Gemini API under Google’s Standard Contractual Clauses for international data transfers; a Transfer Impact Assessment is maintained for this transfer. The Processor’s data-residency roadmap includes migration to an EU-hosted LLM provider, and this DPA and the Privacy Policy will be updated on completion.

8. Security measures

The Processor implements the following security measures (Annex II of the SCCs is incorporated by reference where applicable):

• Encryption in transit (TLS 1.2+) for all client-server communication and between sub-processors;
• Encryption at rest for the application database and storage bucket;
• Role-based access controls; service-role keys are scoped to server runtime and never exposed to client code;
• Row-level security on multi-tenant tables; audit-log writes restricted to service-role code paths;
• Segregated production and development environments;
• Append-only audit-trail tables (immutable records of disclaimer acknowledgements, model and prompt versions, mapping decisions, final XML hashes);
• Backup and restore procedures; periodic integrity checks against the disclaimer hash chain;
• Incident-response procedure with an external on-call channel for breach notification.

The Processor reviews these measures regularly and updates them in line with the evolving threat landscape and the state of the art.

9. Retention and deletion

The Processor retains Customer Personal Data only for as long as necessary to perform the service, comply with the Controller’s instructions, and meet legal obligations. The retention periods set out in our Privacy Policy Section 6 are incorporated by reference. In summary:

• Document content uploaded for processing — deleted on instruction of the Controller, subject to any statutory retention obligation;
• Submission audit trail and disclaimer acknowledgements — 10 years from the date of each event, anchored on the long-stop period for civil claims under the Revised Product Liability Directive (EU) 2024/2853 Article 16(1) and German BGB §199(3);
• Account-level metadata — for the lifetime of the account plus 90 days after closure;
• Billing records — as required by applicable tax and companies legislation (typically 7 years).

10. Liability

Liability of the parties under this DPA is governed by the limitation-of-liability provisions of the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot lawfully be limited or excluded, including liability for fraud, gross negligence, wilful misconduct, or any liability that cannot be excluded under Articles 82 and 83 of the GDPR.

11. Term and termination

This DPA remains in force for the duration of the Controller’s subscription and for any period during which Customer Personal Data is retained by the Processor. Termination of the underlying Terms of Service does not relieve the parties of obligations regarding Customer Personal Data that survive termination by their nature (security, confidentiality, retention, deletion, audit support).

12. Order of precedence

In the event of a conflict between this DPA and the Terms of Service, the DPA prevails with respect to processing of Customer Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses incorporated under Section 7, the SCCs prevail.

13. Contact

Stalwart Consulting Ltd, Hong Kong
Privacy / DPA contact: privacy@eudaprep.com
Sub-processor and audit enquiries: privacy@eudaprep.com
EU Article 27 representative: being arranged — see Privacy Policy Section 1.