
Data Processing Agreement

Effective date: 2026-04-19 · Version 1.0 · GDPR Article 28 · Governing law: The Netherlands
What this document is

This Data Processing Agreement ("DPA") applies when Circular Vision B.V. processes personal data contained in Customer Data on behalf of a Customer who has subscribed to PackR8. It forms part of the Master Services Agreement (MSA) and satisfies Circular Vision's obligations as a processor under Article 28 of Regulation (EU) 2016/679 (GDPR). Customers may countersign a PDF export of this DPA (available on request) for their records.

Contents
  1. Definitions
  2. Scope & roles
  3. Subject-matter of processing
  4. Processor obligations
  5. Confidentiality
  6. Security of processing (Art. 32)
  7. Sub-processors (Art. 28(2) & (4))
  8. Data subject rights (Art. 28(3)(e))
  9. Assistance with Art. 32–36
  10. Personal data breach (Art. 33)
  11. International transfers (Ch. V)
  12. Audit rights (Art. 28(3)(h))
  13. Return or deletion on termination
  14. Liability
  15. Governing law & jurisdiction
  16. Annex A — Processing details
  17. Annex B — Technical & organisational measures
  18. Annex C — Sub-processors

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR or the MSA. In particular:

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor", "Supervisory Authority" — as defined in Art. 4 GDPR.
  • "Customer Data" — data loaded into PackR8 by or on behalf of Customer, including any Personal Data it contains.
  • "SCCs" — the Standard Contractual Clauses approved by EU Commission Implementing Decision 2021/914 (Module 2: Controller-to-Processor).

2. Scope & roles

This DPA applies to all Processing of Personal Data carried out by Circular Vision as Processor on behalf of Customer as Controller, in the provision of PackR8 under the MSA. The Parties acknowledge that in most PackR8 deployments Customer acts as Controller of the Personal Data it loads into PackR8 (including employees, suppliers, contacts, Users). Where Customer determines Circular Vision to be a separate Controller for any limited activities, the scope is set out in the Privacy Policy at packr8.com/privacy.

3. Subject-matter of processing

Subject-matter, duration, nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects are set out in Annex A.

4. Processor obligations

Circular Vision shall:

  1. Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to third countries, unless required to do so by EU or Member State law; in such a case, Circular Vision shall inform Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
  2. Ensure that persons authorised to Process Personal Data are under a duty of confidentiality.
  3. Take all security measures required pursuant to Article 32 GDPR (see Annex B).
  4. Respect conditions for engaging Sub-processors set out in Section 7.
  5. Taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures for the fulfilment of Customer's obligation to respond to requests for exercising Data Subject rights.
  6. Assist Customer in ensuring compliance with Art. 32–36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of Processing and the information available.
  7. At Customer's choice, delete or return all Personal Data after the end of the provision of services and delete existing copies unless EU or Member State law requires storage.
  8. Make available to Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

5. Confidentiality

Circular Vision ensures that all personnel authorised to Process Personal Data are bound by confidentiality obligations (contractual or statutory) and are trained in data protection and information security.

6. Security of processing (Art. 32)

Circular Vision shall implement the technical and organisational measures described in Annex B, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.

7. Sub-processors (Art. 28(2) & (4))

Customer grants Circular Vision general written authorisation to engage Sub-processors to Process Customer's Personal Data, on condition that Circular Vision:

  1. Maintains a current list of Sub-processors at packr8.com/security and in Annex C.
  2. Informs Customer in advance of any intended additions or replacements of Sub-processors with at least 30 days' prior notice, giving Customer the opportunity to object.
  3. Imposes, by way of a written contract, the same data protection obligations as those set out in this DPA on each Sub-processor.
  4. Remains fully liable to Customer for the performance of Sub-processor obligations.

If Customer reasonably objects to a new Sub-processor on data protection grounds, Circular Vision will either (a) not engage that Sub-processor for Customer's Personal Data, (b) take corrective steps to address the objection, or (c) allow Customer to terminate the MSA with pro-rata refund of pre-paid fees for the unused portion of the term.

8. Data subject rights (Art. 28(3)(e))

Taking into account the nature of Processing, Circular Vision shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). Where PackR8 provides self-service functionality for these rights within the platform (export, deletion), Customer is responsible for using it; Circular Vision will assist where self-service is insufficient.

9. Assistance with Art. 32–36

Circular Vision shall provide reasonable assistance to Customer in ensuring compliance with Art. 32 (security), Art. 33–34 (breach notification), Art. 35 (data protection impact assessment), and Art. 36 (prior consultation). Reasonable costs may be charged for substantial assistance beyond standard service levels.

10. Personal data breach (Art. 33)

Circular Vision shall notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification shall include (to the extent known):

  • The nature of the breach (categories of Data Subjects, approximate number affected, categories and approximate number of Personal Data records concerned);
  • The name and contact details of the designated privacy contact or DPO;
  • The likely consequences of the breach;
  • Measures taken or proposed to address the breach and mitigate its possible adverse effects.

Circular Vision shall cooperate with Customer on onward notifications to the Supervisory Authority and, where required, to Data Subjects.

11. International transfers (Chapter V)

Circular Vision shall not transfer Personal Data outside the EEA to a country that does not benefit from an adequacy decision unless a transfer mechanism under Chapter V GDPR is in place. By default, the SCCs (Module 2: Controller-to-Processor) are incorporated by reference into this DPA for any transfer from Circular Vision (as data exporter acting as Processor on Customer's instructions) to a Sub-processor located outside the EEA. Where Customer itself is located outside the EEA, the appropriate Module may apply (Module 1, 3, or 4).

Where the SCCs apply, the following are incorporated:

  • Clause 7 (Docking clause): enabled.
  • Clause 9(a) (Option 2): general written authorisation (30 days' notice).
  • Clause 11(a) (optional): not used.
  • Clause 17 (Option 1): governed by Dutch law.
  • Clause 18(b): courts of Utrecht, Netherlands.
  • Annexes to the SCCs correspond to Annexes A, B, and C of this DPA.

12. Audit rights (Art. 28(3)(h))

Circular Vision shall, upon written request, make available all information reasonably necessary for Customer to demonstrate compliance with Art. 28 GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or an independent third-party auditor mandated by Customer.

The Parties agree that such audits shall:

  • Occur no more than once per year (except where required to follow a Personal Data Breach or by a Supervisory Authority);
  • Be conducted during normal business hours with at least 30 days' prior notice;
  • Be subject to reasonable confidentiality obligations;
  • Where available, be satisfied by providing Customer with the most recent SOC 2 Type II report, ISO 27001 certificate, and pen-test summary (as these become available under the Security roadmap).

Costs of audits beyond the provision of standard attestation documents are borne by Customer.

13. Return or deletion on termination

Upon termination or expiry of the MSA, Circular Vision shall, at Customer's choice:

  • Return all Customer Data to Customer in a commonly-used, machine-readable format (CSV, JSON, PDF where applicable); or
  • Delete all Customer Data and certify deletion in writing.

Unless Customer specifies otherwise, Circular Vision will provide a 30-day window for export, after which Customer Data is deleted from production systems. Backups rotate within 90 days of production deletion. Logs required for Circular Vision's own legal obligations (e.g. Dutch bookkeeping law) are retained for the statutory period and then deleted.

14. Liability

The Parties' liability under this DPA is governed by the limitation-of-liability provisions of the MSA, without prejudice to the liabilities of controllers and processors as regulated by Art. 82 GDPR.

15. Governing law & jurisdiction

This DPA is governed by the laws of the Netherlands, excluding its conflict-of-laws principles. Disputes arising out of or in connection with this DPA shall be resolved exclusively by the competent court of Utrecht, Netherlands.

Annex A

Processing details

A.1 Subject-matter & duration

Processing of Personal Data included in Customer Data loaded into PackR8, for the duration of the MSA plus the 30-day export window and any legally-required retention periods.

A.2 Nature & purpose of processing

Storage, structuring, retrieval, analysis, and output-generation of packaging-related Customer Data, including identifiers of Customer's Users, employees, suppliers, and business contacts, for the purpose of delivering PackR8's packaging-data-management, Declaration-of-Conformity generation, and EPR-filing capabilities.

A.3 Type of personal data

  • User account data: name, business email, role, phone number (optional), hashed password, MFA settings, session metadata.
  • Business contact data: names and contact information of suppliers, contractors, and counterparties captured in packaging records.
  • Usage & audit data: IP address (truncated after 24h in application logs), user agent, actions taken, timestamps.
  • Customer Data may include other Personal Data at Customer's discretion, though PackR8 is not designed for special-category (Art. 9) Personal Data and Customer shall not upload such data without prior written agreement.

A.4 Categories of data subjects

  • Customer's employees and Users authorised to access PackR8.
  • Individuals identified in Customer's supplier, contractor, or counterparty records.
  • Individuals identified in Customer's EPR or regulatory submissions as signatories or responsible persons.

A.5 Data protection contact

Circular Vision designated privacy contact: dpo@packr8.com

Annex B

Technical & organisational measures

A current full inventory of technical and organisational measures is maintained at packr8.com/security. Key measures include:

| Area | Measure |
|---|---|
| Access control | SSO (Google, Entra, Okta); MFA required for administrator access; RBAC with principle of least privilege; quarterly access review. |
| Data residency | Primary: Frankfurt (EU). Optional single-region pinning on request. Data does not leave EU except via Chapter V safeguards. |
| Encryption | TLS 1.2+ in transit, AES-256 at rest. Encrypted backups. Managed KMS with annual key rotation. |
| Network | Private VPC, no public ingress to application tier, WAF on edge, IDS alerts. |
| Logging & audit | Append-only audit log of packaging-record changes, sign-ins, admin actions; ≥5-year retention; exportable. |
| Backup & recovery | Daily encrypted backups, 30-day retention, quarterly restore drills. RPO ≤24h, RTO ≤8h. |
| Change management | All production changes via PR + peer review + CI; rollback plans documented. |
| Vulnerability management | Automated dependency scanning; critical CVE SLA 7 days; annual third-party pen-test. |
| Personnel | Background checks where legally permissible; confidentiality obligations; quarterly security training; secure-device baseline. |
| Incident response | Documented runbook; 48h notification SLA to Customer; 72h SA notification where applicable. |
| Physical security | Inherited from certified hosting provider (ISO 27001, SOC 2). |
| Business continuity | Multi-AZ deployment; documented DR plan with annual test. |

Annex C

Sub-processors

The current list of authorised Sub-processors is maintained at packr8.com/security. At the time of this DPA version, the list includes:

| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| [Hosting provider] | Application & database hosting | Frankfurt, DE (EU) | DPA + EU residency |
| [Object storage] | Customer file & evidence vault storage | EU | DPA + encryption |
| [Email delivery] | Transactional + marketing email | EU (SCCs where outside) | DPA + SCCs |
| [Error monitoring] | Error tracking, APM | EU | DPA + PII scrubbing |
| [Analytics] | Privacy-friendly website analytics | EU | DPA, no personal data |
| Calendly | Demo scheduling | US | EU–US DPF + SCCs |
| [Payment processor] | Billing & invoicing | EU / US fallback | DPA + PCI DSS + SCCs |
| [Customer support] | Support ticketing | EU | DPA |

Draft notice

This DPA is a baseline draft written to reflect standard Art. 28 GDPR requirements and EU SCC (Decision 2021/914) conventions. Before executing with customers, it will be reviewed by qualified Dutch / EU privacy counsel. [BRACKETED] sub-processor names are finalised prior to public launch.

© 2026 Circular Vision B.V. — KvK 80971636 — Utrecht, NL