Data Processing Agreement

Last updated: April 2, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Haile Holding B.V. (trading as Select27) ("Processor") and the customer ("Controller") for the provision of the Select27 platform services ("Services"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Roles and Responsibilities

For the purposes of this DPA:

  • Controller: The customer who determines the purposes and means of processing personal data by using the Select27 platform.
  • Processor: Haile Holding B.V. (trading as Select27), which processes personal data on behalf of the Controller in accordance with the Controller's instructions and the terms of this DPA.

Haile Holding B.V. (trading as Select27) (Processor)

Arendstraat 35

1223RE Hilversum, The Netherlands

Email: privacy@select27.com

2. Scope and Purpose of Processing

The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject.

The purpose of processing is to provide the Select27 platform services, including but not limited to:

  • Account management and authentication
  • Business data storage and processing (CRM, ERP, HR, finance, supply chain)
  • AI assistant functionality (Solomon AI, powered by Anthropic)
  • Payment processing (via Stripe)
  • Email notifications and transactional communications

Categories of Data Subjects

  • Controller's employees and authorized users
  • Controller's customers, contacts, and business partners
  • Controller's employees (HR data, payroll)

Types of Personal Data

  • Names, email addresses, phone numbers, job titles
  • Account credentials (hashed passwords)
  • Business data entered by the Controller (contacts, invoices, HR records, financial data)
  • Usage data (IP addresses, browser information, activity logs)
  • AI interaction data (messages sent to the AI assistant)

3. Processing Instructions

The Processor shall:

  • Process personal data only in accordance with the Controller's documented instructions, including with regard to transfers of personal data to a third country or an international organization.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Not engage another processor without prior specific or general written authorization of the Controller.
  • Assist the Controller in responding to requests for exercising data subject rights under the GDPR.
  • Delete or return all personal data to the Controller after the end of the provision of services, unless Union or Member State law requires storage of the personal data.
  • Make available to the Controller all information necessary to demonstrate compliance with obligations laid down in Article 28 of the GDPR.

4. Sub-processors

The Controller hereby grants general written authorization to the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

The following sub-processors are currently engaged:

Provider              | Purpose                           | Location       | Transfer Mechanism
----------------------|-----------------------------------|----------------|--------------------------------------
Hetzner Online GmbH   | Server hosting and infrastructure | Germany (EU)   | N/A (EU)
Anthropic, PBC        | AI assistant (Solomon AI)         | United States  | Standard Contractual Clauses (SCCs)
Stripe, Inc.          | Payment processing                | United States  | Standard Contractual Clauses (SCCs)
Let's Encrypt (ISRG)  | TLS certificate issuance          | United States  | Standard Contractual Clauses (SCCs)

The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

5. Data Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
  • Access Controls: Role-based access control (RBAC) with 415 granular permissions, multi-factor authentication support, and principle of least privilege.
  • Tenant Isolation: Each customer operates within a containerized, sandboxed environment with strict data isolation.
  • Network Security: Firewall rules (UFW), disabled inter-container communication (icc:false), Docker user namespace remapping, and no-new-privileges security policy.
  • Monitoring: Continuous monitoring via Prometheus and Grafana, with alerting for security events and anomalies.
  • Backup: Regular encrypted backups of all data with tested restoration procedures.
  • Vulnerability Management: Regular security assessments, dependency scanning, and timely patching of known vulnerabilities.
  • Personnel: All personnel with access to personal data are bound by confidentiality obligations and receive data protection training.

6. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted under the following conditions:

  • The Controller shall provide at least 30 days' written notice before conducting an audit.
  • Audits shall be limited to once per calendar year, unless required by a supervisory authority or following a data breach.
  • The Controller shall bear its own costs for the audit, unless the audit reveals material non-compliance by the Processor.
  • Audit findings and reports shall be treated as confidential information by both parties.

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and in any case within 72 hours after becoming aware of the breach.
  • Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects of the breach under the GDPR.
  • Include in the notification: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each breach.
  • Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.

8. Data Deletion and Return

Upon termination or expiration of the Services agreement:

  • The Controller may request an export of all personal data in a standard, machine-readable format (JSON or CSV) within 90 days of termination.
  • After the 90-day data export period, the Processor shall permanently delete all personal data from its systems, including any copies and backups, unless Union or Member State law requires continued storage.
  • The Processor shall provide written confirmation of deletion upon request.
  • Data retained for legal compliance purposes shall continue to be protected in accordance with this DPA until deletion.

9. International Data Transfers

Primary data processing takes place within the European Union (Hetzner, Germany). When personal data is transferred outside the EU/EEA (e.g., to Anthropic or Stripe in the United States), the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR.

The following transfer mechanisms are used:

  • Standard Contractual Clauses (SCCs): As adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, for transfers to sub-processors in the United States.
  • Supplementary Measures: Including encryption of data in transit and at rest, access controls, and contractual data protection obligations with each sub-processor.

The Processor shall inform the Controller before making any changes to the transfer mechanisms or transferring personal data to a new jurisdiction.

10. Duration and Termination

This DPA shall remain in effect for the duration of the Processor's provision of Services to the Controller. The obligations of the Processor regarding the protection of personal data shall survive the termination or expiration of this DPA for as long as the Processor retains any personal data processed on behalf of the Controller.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to conflict of law principles. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Amsterdam, Netherlands.

12. Contact

For questions about this Data Processing Agreement or to exercise your rights, please contact:

Haile Holding B.V. (trading as Select27)

Arendstraat 35, 1223RE Hilversum, The Netherlands

Email: privacy@select27.com