
Data Processing Agreement

How Code2b processes personal data on your behalf, in line with Article 28 of the GDPR.

Last updated: June 28, 2026

This is a public reference template that reflects how Code2b works in practice. It is provided for transparency and is not a substitute for legal advice. The definitive, binding terms for any engagement are the agreement you and Code2b sign, together with each Statement of Work. If anything here conflicts with your signed contract, the signed contract controls.

In summary:

  • Article 28 GDPR: processor terms that meet EU requirements.
  • 72-hour breach notice: you are notified without undue delay.
  • Encryption and RBAC: audit logging and least-privilege access.

1. Introduction and scope

This Data Processing Agreement (DPA) sets out how Code2b processes personal data on your behalf when we provide our services. It forms part of, and is governed by, the Master Services Agreement between you and Code2b. It is written to meet the requirements of Article 28 of the EU General Data Protection Regulation (GDPR). Where we process personal data only on your instructions, you are the controller and Code2b is the processor.

2. Definitions

Terms such as controller, processor, personal data, processing, data subject, and personal data breach have the meanings given in the GDPR. In addition:

  • Customer Personal Data means personal data contained in or accessed through the systems and data you make available to us under an SOW.
  • Sub-processor means a third party we engage to process Customer Personal Data on your behalf.
  • Applicable Data Protection Law means the GDPR and any national data protection laws that apply to the processing.

3. Roles of the parties

You determine the purposes and means of processing Customer Personal Data and act as the controller. Code2b processes Customer Personal Data on your documented instructions and acts as the processor. Where Code2b independently determines the purposes of processing (for example, billing and account administration), Code2b acts as a controller for that limited processing, which is described in our Privacy Policy.

4. Subject matter, duration, nature, and purpose

The processing we carry out on your behalf is described as follows:

  • Subject matter: the personal data we process to design, build, and run the automations described in your SOW.
  • Duration: for the term of the engagement, plus any retention period agreed in writing or required by law.
  • Nature and purpose: building, operating, and monitoring automated workflows and AI agents, and providing support, strictly to deliver the services.

We process Customer Personal Data only for these purposes and only on your instructions, unless EU or member state law requires us to do otherwise, in which case we will tell you before processing unless that law prohibits us from doing so.

5. Categories of data subjects and personal data

The categories of data subjects and personal data depend on the systems your engagement touches and are specified in your SOW. They typically include your employees and your customers or contacts, and identifiers such as names, business contact details, and records held in the platforms we connect to.

You are responsible for ensuring you have a lawful basis to process this data and to instruct us to process it. You must not provide us with special category data unless it is agreed in the SOW and the appropriate safeguards are in place.

6. Processor obligations

Code2b will:

  • Process Customer Personal Data only on your documented instructions, including for international transfers.
  • Ensure that people authorized to process the data are bound by an obligation of confidentiality.
  • Implement and maintain the technical and organizational security measures described in section 8.
  • Assist you, taking into account the nature of the processing, in meeting your GDPR obligations.
  • Tell you promptly if, in our opinion, an instruction infringes Applicable Data Protection Law.

7. Confidentiality of personnel

Access to Customer Personal Data is limited to the people who need it to deliver the services. At Code2b that is a small, named team. Everyone with access is bound by confidentiality obligations and is briefed on their data protection responsibilities.

8. Security measures

Our security program is designed around SOC 2 controls, and we apply technical and organizational measures appropriate to the risk, including:

  • Encryption of Customer Personal Data in transit and at rest.
  • Role-based access control, with least-privilege access and individual credentials.
  • Audit logging of access to, and changes within, the systems we operate for you.
  • Network and environment segregation between clients, so one client's data is isolated from another's.
  • Secrets management for credentials and API keys, with regular rotation.
  • Backup, recovery, and monitoring processes, and a documented incident response procedure.
  • Regular review of access rights and of the measures themselves, so they keep pace with the risk.

Where an engagement uses the Private AI option, Customer Personal Data and any models stay on your own infrastructure and are not sent to shared or third-party model providers.

9. Sub-processors

You give Code2b general authorization to engage sub-processors to help deliver the services, such as cloud hosting, infrastructure, and the AI model and platform providers required by your automation. We impose data protection obligations on every sub-processor that are no less protective than those in this DPA, and we remain responsible to you for their performance.

We will keep an up-to-date list of sub-processors and provide it on request. We will give you reasonable prior notice of any intended change, addition, or replacement of a sub-processor, and you may object on reasonable data protection grounds, in which case we will work with you to find a solution.

10. Assistance with data subject rights

Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, so far as possible, to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection. If we receive a request directly, we will not respond to it ourselves but will forward it to you without undue delay.

11. Personal data breach notification

If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay, and in any case within 72 hours of becoming aware. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected where known, the likely consequences, and the measures we have taken or propose to take; where not all of this is available at once, we will provide it in phases. We will cooperate with you and take reasonable steps to contain and remediate the breach, so you can meet your own notification obligations to supervisory authorities and data subjects under Articles 33 and 34 of the GDPR.

12. Data protection impact assessments

We will provide reasonable assistance with any data protection impact assessment and any prior consultation with a supervisory authority that you are required to carry out, where this relates to our processing of Customer Personal Data and taking into account the information available to us.

13. International transfers

We process and store Customer Personal Data within the European Economic Area wherever possible. If a transfer of Customer Personal Data outside the EEA is required to deliver the services, we will ensure an appropriate transfer mechanism is in place, such as an adequacy decision or the European Commission's Standard Contractual Clauses, together with any supplementary measures needed to protect the data. Any such transfer also counts as a documented instruction under section 6, so it will only take place with your authorization.

14. Return and deletion of data

On termination or expiry of the engagement, and at your choice, we will return Customer Personal Data to you or delete it, along with existing copies, unless EU or member state law requires us to keep it. We will confirm deletion in writing on request. Routine operational backups are deleted in line with our standard backup cycle.

15. Audit rights

We will make available to you the information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits are carried out on reasonable notice, during business hours, and no more than once a year unless a regulator requires otherwise or a breach has occurred. They are scoped and conducted so that they do not compromise the security or confidentiality of our other clients.

16. Liability and governing law

Liability under this DPA is subject to the limitations and exclusions set out in the Master Services Agreement. This DPA is governed by the laws of Greece and the applicable law of the European Union. If any provision of this DPA conflicts with the Master Services Agreement on matters of data protection, this DPA prevails.

17. Contact

For data protection matters, contact Code2b at alex@code2b.co, Athens, Greece. We will respond to genuine requests from controllers, data subjects, and supervisory authorities without undue delay.

Questions about these terms? Email alex@code2b.co.