Data Processing Agreement
This Data Processing Agreement (“DPA”) is part of the Terms and Conditions governing the relationship between Engyon B.V., with its principal place of business at [address], (“Processor” or “Engyon”), and the customer organization (“Controller”) that has entered into a service agreement with Engyon for the use of its Software-as-a-Service (SaaS) platform.
This DPA sets forth the terms under which Engyon processes personal data on behalf of the Controller in connection with the Controller’s use of the Engyon platform to support CSRD-related assurance work.
1. Introduction
1.1 Purpose and Scope
This DPA governs Engyon’s processing of personal data on behalf of the Controller, clarifying both parties’ rights and obligations. For the purposes of data protection laws, the Controller acts as the “Data Controller” and Engyon as the “Data Processor” when processing personal data as part of its services.
1.2 Definitions
For purposes of this DPA, the following terms apply:
- “Personal Data”: Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
- “Data Subject”: An individual whose Personal Data is processed under this DPA.
- “Processing”: Any operation performed on Personal Data, such as collection, recording, storage, retrieval, use, disclosure, and deletion.
- “Data Controller”: The entity that determines the purposes and means of processing Personal Data.
- “Data Processor”: The entity that processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws”: Any laws and regulations that apply to the processing of Personal Data under this DPA, including the General Data Protection Regulation (GDPR) and any relevant UK data protection laws.
- “EEA”: European Economic Area.
1.3 Liability
Nothing in this DPA changes either party’s exclusions or limitations of liability under the main agreement unless explicitly stated here. Liability limitations specified in the main agreement also apply to this DPA.
2. Processing of Personal Data
2.1 Processing Instructions
Engyon will process Personal Data only on documented instructions from the Controller. In cases where Engyon is legally required to process data otherwise, it will notify the Controller of such requirements unless prohibited by law.
2.2 Initial Instructions and Modifications
The initial scope, subject matter, and purpose of data processing are outlined in this DPA. Any changes to these instructions will require a documented and signed agreement by both parties.
2.3 Controller Warranties
The Controller warrants that:
- It has the legal right to supply all necessary data, including any required consents.
- All Personal Data provided is accurate and up to date, and it bears responsibility for data reliability, integrity, and quality.
- It complies with all relevant data protection laws, including ensuring its instructions to Engyon also comply with applicable laws.
2.4 Data Processor Obligations
Engyon shall assist the Controller in fulfilling its legal obligations under applicable data protection laws, such as responding to Data Subject requests, at the Controller’s cost where applicable.
3. Data Subject Access and Requests
3.1 Handling of Data Subject Requests
If a Data Subject or authority requests access to Personal Data, Engyon will refer such requests to the Controller unless legally prohibited from doing so.
3.2 Responses to Data Subject Requests
Engyon may not respond to requests on behalf of the Controller without prior instruction. If legally required to disclose Personal Data, Engyon will promptly notify the Controller and request confidentiality, unless prohibited by law.
4. Sub-Processors and Data Transfers
4.1 Sub-Processor Engagement
Engyon may engage additional or replacement sub-processors. It will notify the Controller of new sub-processors and allow the Controller 30 days to raise any objections. If the Controller objects and compliance cannot be assured, the Controller may suspend or terminate the agreement.
4.2 Sub-Processor Requirements
Engyon will:
- Limit sub-processor access to only what is necessary for the service.
- Ensure sub-processors comply with data protection standards equivalent to those in this DPA.
- Remain accountable to the Controller for any acts or omissions of sub-processors as if they were Engyon’s own.
4.3 Pre-Approved Sub-Processors
Appendix 1B lists all pre-approved sub-processors, including Engyon’s affiliates. The list may be updated by Engyon as necessary.
4.4 Data Transfers Outside the EEA
Engyon will not transfer Personal Data outside the EEA unless:
- The transfer is to a jurisdiction approved by the European Commission as providing adequate protection.
- Appropriate safeguards (e.g., Standard Contractual Clauses) are in place to ensure protection of Personal Data, on par with protection mandated by GDPR.
5. Data Security and Confidentiality
5.1 Security Measures
Engyon will implement technical and organizational security measures to protect Personal Data, meeting industry standards and applicable laws. This includes encryption, access control, MFA, and regular security assessments.
5.2 Confidentiality Obligations
Engyon will ensure all personnel with access to Personal Data are bound by confidentiality agreements.
5.3 Information Security Documentation
Engyon maintains an Information Security Overview document, available on request, detailing specific security policies and practices. Changes to this document will not materially degrade security measures in place.
6. Personal Data Breach Notifications
6.1 Notification Requirements
Engyon will promptly inform the Controller of any breach that compromises Personal Data, including unauthorized access, disclosure, or loss.
6.2 Assistance with Breach Response
Engyon will provide relevant information to assist the Controller in meeting its breach notification obligations.
7. Audit Rights
7.1 Audit Scope
The Controller has the right to verify Engyon’s compliance with this DPA, including through audits and inspections. Engyon will provide access to information as necessary for such audits.
7.2 Objections to Instructions
If Engyon believes an audit instruction violates applicable laws or confidentiality obligations to third parties, it will notify the Controller.
8. Data Deletion or Return
Upon termination or expiration of the agreement, Engyon will, at the Controller’s request, securely delete all Personal Data within 90 days unless prohibited by law. Written confirmation of data deletion will be provided if requested.
9. Charges
9.1 Additional Charges
Where additional assistance or services are requested by the Controller (e.g., audit assistance, responding to Data Subject requests), Engyon reserves the right to charge fees based on its standard rates.
9.2 Charges for Changes
If a change to processing instructions results in additional costs for Engyon, it may charge the Controller for these costs, provided they are documented and agreed upon.
10. Liability
10.1 Notification of Claims
If a claim arises involving both parties, the affected party will notify the other without delay.
10.2 Liability Cap
The liability provisions of the main service agreement also apply to this DPA, limiting liability to the agreed cap.
Appendix 1A – Data Processing Instructions
Purposes of Processing
Data processing includes provisioning of CSRD audit services, professional services for data quality and improvement, and system testing.
Categories of Personal Data
This includes, but is not limited to, names, contact details, employment data, and any other categories provided by the Controller.
Categories of Data Subjects
Data subjects include employees, contractors, and customers.
Processing Operations
Processing includes data collection, storage, use, retrieval, and destruction.
Location of Processing Operations
Processing is based in the EU, with hosting provided by Amazon Web Services in Frankfurt and Microsoft Azure in the Netherlands.
Appendix 1B – Approved Sub-Processors
List of Sub-Processors
- Amazon Web Services – Hosting and infrastructure provider in the EU.
- Confluent – Infrastructure provider in the EU.
- Langfuse – Observability provider in the EU.
For any data protection inquiries, please contact Engyon at info@engyon.eu.