eveAI/content/dpa/1.1/1.1.0.md
Josako 37819cd7e5 - Correction of reset password and confirm email address by adapting the prefixed_url_for to use config setting
- Adaptation of DPA and T&Cs
- Refer to privacy statement as DPA, not a privacy statement
- Startup of enforcing signed DPA and T&Cs
- Adaptation of eveai_chat_client to ensure we retrieve correct DPA & T&Cs
2025-10-13 14:28:09 +02:00

Data Protection Agreement

Ask Eve AI

Version 1.1.0
Effective Date: October 3, 2025

Ask Eve AI respects the privacy of its Customers, Partners, Users and End Users, and is strongly committed to keeping secure any information obtained from, for or about each of them. This Data Protection Agreement describes the practices with respect to Personal Data that Ask Eve AI collects from or about Customers, Partners, Users and End Users when they use the applications and services of Ask Eve AI (collectively, "Services").


1. Definitions

Data Controller and Data Processor: each have the meanings set out in the Data Protection Legislation.

Data Protection Legislation: means the European Union's General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") and all applicable laws and regulations relating to the processing of personal data and privacy, including the Belgian Data Protection Act of 30 July 2018, and any amendment or re-enactment of any of them.

Data Subject: has the meaning set out in the Data Protection Legislation and shall refer, in this Data Protection Agreement, to the identified or identifiable individual(s) whose Personal Data is/are under control of the Data Controller and is/are the subject of the Processing by the Data Processor in the context of the Services.

Personal Data: has the meaning set out in the Data Protection Legislation and shall refer, in this Data Protection Agreement, to any information relating to the Data Subject that is subject to the Processing in the context of the Services.

Processing: has the meaning given to that term in the Data Protection Legislation and "process" and "processed" shall have a corresponding meaning.

Purposes: shall mean the limited, specific and legitimate purposes of the Processing as described in this Agreement and as instructed by the Data Controller.

Regulators: means those government departments and regulatory, statutory and other bodies, entities and committees which, whether under statute, rule, regulation, code of practice or otherwise, are entitled to regulate, investigate or influence the privacy matters dealt with in agreements and/or by the parties to the agreements (as the case may be).

Sub-Processor: shall mean the subcontractor(s) listed in Annex 1, engaged by the Data Processor to Process Personal Data on behalf of the Data Controller and in accordance with its instructions, the terms of this Data Processing Agreement and the terms of the written subcontract entered into with the Sub-Processor.

Third Country: means a country outside the European Economic Area that is not considered by the European Commission as offering an adequate level of protection in accordance with Article 45 of the GDPR.

Tenant / Customer: A tenant is the organisation, enterprise or company subscribing to the services of Ask Eve AI. The terms "Tenant" and "Customer" are used interchangeably. In the context of GDPR, the Tenant/Customer acts as Data Controller.

Partner: Any organisation, enterprise or company that offers services or knowledge on top of the Ask Eve AI platform. Partners may act as Data Controllers or Data Processors depending on the nature of their engagement with the Tenant/Customer.

Account / User: A user is a natural person performing activities such as configuration or testing in Ask Eve AI, working within the context of a Tenant. A user is explicitly registered within the system as a member of the tenant.

End User: An end user is every person making use of Ask Eve AI's services in the context of Ask Eve AI services exposed by the tenant (e.g., a chatbot). This user is not explicitly registered within the system and typically interacts with the Services anonymously until they provide consent for data collection.

Ask Eve AI Platform: The Ask Eve AI Platform (also referred to as "Evie" or "platform") is the combination of software components and products, code, configuration and prompts that allow Ask Eve AI to perform its activities.

Ask Eve AI Services: Is the collection of all services on top of the Ask Eve AI Platform offered to all users of the platform (Tenants, Partners, Users and End Users), including all services exposed by Partners on the Ask Eve AI platform.

Partner Services: Is the collection of all services and applications built on top of the Ask Eve AI Platform offered by Partners. This excludes services connected through APIs to the Ask Eve AI platform or services connected to the platform by any other means.

Management Service: A specific type of Partner Service where the Partner provides management, implementation, or support services on behalf of the Tenant's own customers, thereby acting as a Data Processor rather than a Data Controller.


2. Qualification of Parties

2.1 Standard Processing Relationship

As part of the provision of the Services, the Tenant/Customer engages Ask Eve AI to collect, process and/or use Personal Data on its behalf. In this standard relationship:

  • The Tenant/Customer acts as the Data Controller: The Tenant/Customer determines the purposes and means of processing Personal Data.
  • Ask Eve AI acts as the Data Processor: Ask Eve AI processes Personal Data on behalf of and according to the instructions of the Data Controller.

This is the default relationship model for all services provided by Ask Eve AI.

2.2 Sub-Processing Relationship

In certain circumstances, a Partner or Tenant/Customer may act on behalf of their own customers (third parties) through a Management Service arrangement. In this sub-processing scenario:

  • The Tenant's customer (third party) acts as the Data Controller: This third party determines the purposes and means of processing.
  • The Tenant/Customer or Partner acts as the Data Processor: They process Personal Data on behalf of the third-party Data Controller.
  • Ask Eve AI acts as the Sub-Processor: Ask Eve AI processes Personal Data on behalf of the Tenant/Customer or Partner (who themselves act as Data Processors).

This sub-processing relationship is triggered when:

  1. A Partner provides a Management Service (as defined in the Partner Service configuration); AND
  2. The Partner or Tenant/Customer explicitly acts on behalf of a third-party customer.

The Parties agree that in this scenario, all obligations of the "Data Controller" in this Agreement apply to the Tenant/Customer or Partner (acting as Data Processor), and all obligations of the "Data Processor" apply to Ask Eve AI (acting as Sub-Processor).


3. Data Classification

Ask Eve AI classifies data into the following categories:

3.1 System Data

Ask Eve AI System Data is the data required to enable Ask Eve AI to:

  • Authenticate and authorize accounts/users
  • Authenticate and authorize automated interfaces (APIs, sockets, integrations)
  • Invoice according to subscription and effective usage of Ask Eve AI's services
  • Maintain audit trails and system integrity

The following personal information is gathered:

Account / User Information: This information enables a user to log into the Ask Eve AI systems or to subscribe to the system's services. It includes:

  • Name
  • Email address
  • Secured password (hashed, never stored in plain text)
  • Roles in the system
  • Authentication metadata (login timestamps, login counts)
  • IP addresses (when implemented for security purposes such as rate limiting or fraud prevention, based on legitimate interest)

Tenant / Customer Information: In order to subscribe to the services provided by Ask Eve AI, the following information is required:

  • Organization name and details
  • Financial details and VAT numbers
  • Valid addresses and email information
  • Payment information
  • Billing and invoice data

3.2 Tenant Data

Tenant data is all information that is added to Ask Eve AI by:

  • One of the tenant's registered accounts
  • One of the automated interfaces (APIs, sockets, integrations) authorized by the tenant
  • Interaction by end users who have access to Ask Eve AI's services exposed by the tenant

This data is required to enable Ask Eve AI to perform the tenant-specific functions requested or defined by the Tenant, such as enabling AI chatbots or AI specialists to work on tenant-specific information.

Personal data in this category includes:

End User Content: Ask Eve AI collects Personal Data that the End User provides in the input to our Services ("Content"). End Users typically interact anonymously with the Services until they provide explicit consent for the collection of their personal information. Personal Data is only collected after:

  • The End User has been informed about the processing
  • The End User has provided explicit consent
  • The purpose of collection has been clearly communicated (e.g., to connect with a human recruiter)

Communication Information: If the Customer communicates with Ask Eve AI, such as via email, social media, chatbots, or other interfaces provided by our services, Ask Eve AI may collect Personal Data including:

  • Name and contact information
  • Contents of messages sent
  • Support ticket information

End User personal information may be provided by End Users in interactions with Ask Eve AI's services and will be stored as provided.

3.3 User Data

Ask Eve AI collects information the User may provide to Ask Eve AI, such as when users participate in events, surveys, request contact, or provide information to establish identity or age.

3.4 Technical Data

When visiting, using, or interacting with the Services, Ask Eve AI receives the following information ("Technical Information"):

Log Data: Information that browsers or devices automatically send when using the Services, including:

  • Internet Protocol addresses (when logged for security purposes)
  • Browser type and settings
  • Date and time of requests
  • Interaction patterns with the Services

Usage Data: Information about the use of Services, such as:

  • Types of content viewed or engaged with
  • Features used and actions taken
  • Time zone, country, dates and times of access
  • User agent and version
  • Type of computer or mobile device
  • Computer connection details

Interaction Data: Data provided when interacting with services, such as chatbot interactions or use of AI specialists. Note that Business Event Logs contain only technical metrics (tokens, timings, event types) and do not contain personal data.

Device Information: Information about devices used to access the Services, including:

  • Device name and operating system
  • Device identifiers
  • Browser information

Location Information: Ask Eve AI may determine the general area from which devices access Services based on IP addresses for security reasons and to improve the product experience, such as:

  • Protecting accounts by detecting unusual login activity
  • Providing more accurate responses

Some Services allow users to provide more precise location information from device GPS.

Cookies and Similar Technologies: Ask Eve AI uses cookies and similar technologies to operate and administer Services and improve user experience. For details, please read our Cookie Policy.

3.5 External Data

Information Ask Eve AI receives from other sources:

Ask Eve AI receives information from trusted partners, including:

  • Security partners, to protect against fraud, abuse, and other security threats
  • Marketing vendors providing information about potential customers

Ask Eve AI may also collect information from publicly available sources on the internet to develop models that power the Services (subject to opt-out provisions as described in Section 4.4).


4. Data Protection and Processing Principles

The Data Processor warrants, represents and undertakes to the Data Controller that it shall only process Personal Data as limited in the following sections.

4.1 Processing Instructions

Data Processor shall only Process Personal Data of Data Controller on behalf of the Data Controller and in accordance with this Data Processing Agreement, solely for the Purposes and according to the documented instructions of the Data Controller, and to the extent, and in such manner, as is reasonably necessary to provide the Services in accordance with the Agreement.

Data Controller shall only give instructions that comply with the Data Protection Legislation.

4.2 Lawful Processing Basis

Ask Eve AI may use Personal Data for the following purposes, based on the appropriate lawful basis:

Performance of Contract:

  • To provide, analyze, and maintain the Services
  • To respond to Customer questions and requests
  • To process payments and fulfill contractual obligations

Legitimate Interest:

  • To improve and develop the Services and conduct research (e.g., to develop new product features)
  • To prevent fraud, illegal activity, or misuse of the Services
  • To protect the security of systems and Services
  • When implemented: IP address logging for rate limiting and security purposes

Legal Obligation:

  • To comply with legal obligations
  • To protect the rights, privacy, safety, or property of users or third parties
  • To maintain records as required by Belgian accounting law (7-year retention for financial records)

Consent (where applicable):

  • To communicate with Customers about Services, events, and updates (where consent is required)
  • For End Users: to collect personal information after automated assessments or interactions (explicit consent required before collection)
  • For future model training purposes (opt-out available as described in Section 4.4)

4.3 Applicable Mandatory Laws

Data Processor shall only Process as required by applicable mandatory laws and always in compliance with Data Protection Legislation.

4.4 Future Use for Model Training

Ask Eve AI may aggregate or de-identify Personal Data so that it no longer identifies individuals and use this information to:

  • Analyze how Services are being used
  • Improve and add features to Services
  • Conduct research and development
  • Train or improve AI models that power the Services

Opt-Out Provisions: Customers and End Users will have the ability to opt out of having their data used for model training purposes. This opt-out mechanism will be:

  • Clearly communicated in the Privacy Policy
  • Accessible through account settings or by contacting Ask Eve AI
  • Honored immediately upon request
  • Maintained as a persistent preference

Ask Eve AI will maintain and use de-identified information in de-identified form and will not attempt to re-identify the information, unless required by law.

Current Status: As of the effective date of this Agreement, Ask Eve AI does not currently use Customer or Tenant data to train its own models. This provision establishes the framework for potential future use, subject to the opt-out rights described above and notification to Customers through Privacy Policy updates.

4.5 Automated Decision-Making and Profiling

Ask Eve AI may facilitate automated decision-making or profiling activities through its AI specialists, including but not limited to:

  • Candidate assessment and job fit evaluation
  • Content classification and routing
  • Personalized recommendations
  • Risk assessment and fraud detection

Data Controller Obligations: When the Data Controller uses Ask Eve AI Services for automated decision-making or profiling that produces legal effects or similarly significantly affects Data Subjects, the Data Controller must:

  1. Obtain appropriate legal basis, which may include:
    • Explicit consent from the Data Subject
    • Necessity for entering into or performing a contract
    • Authorization by Union or Member State law

  2. Inform Data Subjects about:
    • The existence of automated decision-making
    • The logic involved in the processing
    • The significance and envisaged consequences
    • Their right to obtain human intervention
    • Their right to express their point of view
    • Their right to contest the decision

  3. Implement safeguards including:
    • The right for Data Subjects to obtain human intervention
    • The right to express their point of view
    • The right to contest the decision
    • Regular accuracy and fairness reviews of automated systems

  4. Privacy-by-Design Approach: Wherever technically feasible, Ask Eve AI Services are designed to:
    • Process Data Subjects anonymously until explicit consent is obtained
    • Collect personal information only when necessary and after consent
    • Minimize data collection to what is strictly required

Ask Eve AI's Role: As Data Processor, Ask Eve AI provides the technical capability for automated decision-making but does not determine the purposes or essential means of such processing. The Data Controller remains responsible for ensuring GDPR compliance, including conducting Data Protection Impact Assessments (DPIAs) where required.

4.6 Special Categories of Personal Data

As of the effective date of this Agreement, Ask Eve AI does not intentionally process special categories of personal data as defined in Article 9 GDPR (health data, biometric data, genetic data, etc.).

If the Data Controller intends to process special categories of personal data through the Services, the Data Controller must:

  1. Notify Ask Eve AI in writing in advance
  2. Ensure an appropriate legal basis exists under Article 9(2) GDPR
  3. Implement additional safeguards as required
  4. Conduct a Data Protection Impact Assessment
  5. Obtain written confirmation from Ask Eve AI regarding additional technical and organizational measures

4.7 Transfer to Third Parties

Data Processor relies on third-party services (the Sub-Processors listed in Annex 1) to deliver its functionality. For the purpose of providing Ask Eve AI's Services, and only for this purpose, information is sent to these Sub-Processors.

Data Processor shall not transfer or disclose any Personal Data to any other third party and/or appoint any third party as a Sub-Processor of Personal Data unless:

  1. It is legally required; OR
  2. The Data Controller has been notified and has provided consent

Sub-Processor Changes: Ask Eve AI will notify the Data Controller of any intended changes concerning the addition or replacement of Sub-Processors at least thirty (30) days in advance. The Data Controller has the right to object to such changes on reasonable grounds relating to data protection.

4.8 No Transfer to Third Countries

EU-Only Processing: All Personal Data processing by Ask Eve AI and its Sub-Processors occurs exclusively within the European Union. Ask Eve AI does not transfer Personal Data to any Third Country.

All Sub-Processors listed in Annex 1 are located within the EU and are subject to GDPR and European data protection regulations. Data sovereignty is maintained, with all customer data remaining within European jurisdiction.

This strategic decision ensures:

  • Full compliance with GDPR without need for Standard Contractual Clauses or other transfer mechanisms
  • Alignment with the EU AI Act requirements
  • Enhanced data protection under strict European privacy laws
  • Simplified compliance framework

If Ask Eve AI intends to engage Sub-Processors located outside the EU in the future, Ask Eve AI will:

  1. Notify the Data Controller in writing at least sixty (60) days in advance
  2. Obtain explicit written consent from the Data Controller
  3. Implement appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions)
  4. Conduct a Transfer Impact Assessment as required by GDPR and Schrems II jurisprudence
  5. Document additional security measures to protect against third-country government access

5. Data Security and Confidentiality

5.1 Data Secrecy

The Data Processor shall maintain data secrecy in accordance with applicable Data Protection Legislation and shall take all reasonable steps to ensure that:

  1. Only Data Processor personnel and Sub-Processor personnel that need access to Personal Data are given access, and only to the extent necessary to provide the Services.

  2. Data Processor and Sub-Processor personnel entrusted with processing Personal Data or who may have access to Personal Data are:
    • Reliable and properly vetted
    • Familiar with the requirements of data protection
    • Subject to appropriate obligations of confidentiality and data secrecy in accordance with applicable Data Protection Legislation
    • Acting in compliance with data protection obligations at all times

5.2 Appropriate Technical and Organizational Measures

Data Processor has implemented (and shall maintain and update as necessary) all appropriate technical and organizational measures to ensure:

  • The security of Personal Data
  • Processing is performed in compliance with applicable Data Protection Legislation
  • Protection against accidental or unauthorized access, alteration, destruction, damage, corruption, or loss
  • Protection against any other unauthorized or unlawful processing or disclosure ("Data Breach")

Such measures shall:

  • Ensure best practice security standards
  • Be compliant with Data Protection Legislation at all times
  • Comply with the Data Controller's applicable IT security policies (where communicated to Data Processor)
  • Be regularly reviewed and updated to address evolving threats

Detailed technical and organizational measures are described in Annex 2.

5.3 Data Controller Responsibilities

The Data Controller has also introduced technical and organizational measures and will continue to maintain them to protect Personal Data. The Data Controller is responsible for:

  • Access control policy for its Users
  • Registration, de-registration, and withdrawal of access rights for Users
  • Access control for automation access codes (API Keys)
  • Registration, de-registration, and management of API credentials
  • Physical security of its own environment
  • Providing clear instructions to Data Processor regarding processing activities
  • Ensuring its Users comply with security requirements

6. Data Processor Assistance Obligations

6.1 General Assistance and Cooperation

The Data Processor shall provide the Data Controller with such assistance and cooperation as the Data Controller may reasonably request to enable the Data Controller to comply with obligations imposed by Data Protection Legislation in relation to Personal Data processed by the Data Processor.

6.2 Technical and Organizational Measures Information

On request of the Data Controller, the Data Processor shall promptly provide written information regarding:

  • Technical and organizational measures implemented to safeguard Personal Data
  • Current security certifications and compliance status
  • Relevant details from the most recent third-party security audits (subject to confidentiality obligations)

6.3 Government and Regulatory Access Requests

The Data Processor shall:

  1. Disclose full and relevant details regarding government, law enforcement, or other access protocols or controls implemented, to the extent this information is available to the Data Processor.

  2. Notify the Data Controller as soon as possible (and in any event within 48 hours), to the extent legally permitted, of any access request for disclosure of Personal Data by any Regulator, court, or authority of competent jurisdiction.

  3. Not disclose or release any Personal Data in response to such requests served on the Data Processor without first consulting with and, to the extent legally permitted, obtaining the written consent of the Data Controller.

  4. Provide reasonable assistance to the Data Controller in responding to such requests.

6.4 Instruction Impediments

The Data Processor shall notify the Data Controller as soon as possible of any legal or factual circumstances preventing the Data Processor from executing any instructions of the Data Controller, and shall propose alternative solutions where feasible.

6.5 Data Subject Rights Support

The Data Processor shall:

  1. Notification of Data Subject Requests: Notify the Data Controller within five (5) business days of any request received directly from a Data Subject regarding the Processing of Personal Data, without responding to such request unless instructed by the Data Controller.

  2. Support for Rights Exercise: Provide reasonable assistance to the Data Controller in responding to Data Subject requests to exercise their rights under Data Protection Legislation, including:
    • Right of access (Article 15 GDPR)
    • Right to rectification (Article 16 GDPR)
    • Right to erasure / "right to be forgotten" (Article 17 GDPR)
    • Right to restriction of processing (Article 18 GDPR)
    • Right to data portability (Article 20 GDPR)
    • Right to object (Article 21 GDPR)
    • Rights related to automated decision-making (Article 22 GDPR)

  3. Response Timeframes: Provide requested information or take requested actions within thirty (30) calendar days of receiving the Data Controller's instruction, unless a shorter timeframe is required by law or agreed between the parties.

  4. Data Portability Format: When supporting data portability requests, provide Personal Data in a structured, commonly used, and machine-readable format (such as JSON, CSV, or XML).

Data Controller Responsibility: The Data Controller remains solely responsible for:

  • Verifying the identity of Data Subjects making requests
  • Determining whether a request is valid under Data Protection Legislation
  • Providing responses and decisions to Data Subjects
  • Handling any appeals or complaints from Data Subjects

Channels for Data Subject Rights Requests:

  • Primary: Email to security contact (pieter@askeveai.com)
  • Alternative: Support helpdesk for logged-in users
  • Future: In-application functionality as the platform scales

6.6 Data Breach Notification

The Data Processor shall:

  1. Immediate Notification: Notify the Data Controller immediately upon becoming aware of any Data Breach, and in any event within twenty-four (24) hours of confirmation of the breach.

  2. Detailed Information: Provide the Data Controller, as soon as reasonably possible, with detailed information relating to the Data Breach, including (to the extent this information is readily available to the Data Processor):
    • Nature of the Data Breach
    • Categories and approximate number of Data Subjects concerned
    • Categories and approximate number of Personal Data records concerned
    • Likely consequences and adverse effects of the Data Breach
    • Measures taken or proposed to address the Data Breach
    • Measures taken or proposed to mitigate possible adverse effects
    • Contact point for further information

  3. Ongoing Updates: Provide timely updates to the Data Controller as additional information becomes available regarding the Data Breach.

  4. Cooperation: Cooperate with the Data Controller and provide reasonable assistance in investigating and remediating the Data Breach.

  5. Documentation: Maintain documentation of all Data Breaches, including facts, effects, and remedial actions taken.

Data Controller Obligations: The Data Controller acknowledges that under GDPR Article 33, the Data Controller (not Data Processor) is responsible for:

  • Notifying the supervisory authority (Belgian Data Protection Authority) within seventy-two (72) hours of becoming aware of a breach that poses a risk to Data Subjects
  • Notifying affected Data Subjects without undue delay if the breach poses a high risk to their rights and freedoms

6.7 Data Protection Impact Assessments

Where the Data Controller is legally required to conduct a Data Protection Impact Assessment (DPIA) regarding Processing activities performed by the Data Processor, the Data Processor shall provide reasonable assistance, including:

  • Description of Processing operations and purposes
  • Assessment of necessity and proportionality of Processing
  • Information about technical and organizational measures
  • Information about Sub-Processors and their security measures

6.8 Consultation with Supervisory Authority

If the Data Controller is required to consult with the supervisory authority under Article 36 GDPR (prior consultation), the Data Processor shall provide reasonable assistance and information as requested by the Data Controller.


7. Audit Rights

7.1 Information Provision

At the Data Controller's reasonable request, the Data Processor shall provide the Data Controller with all information needed to demonstrate compliance with this Data Processing Agreement and the obligations set out in Article 28 GDPR.

7.2 Audit and Inspection Rights

The Data Processor shall permit the Data Controller, or a third-party auditor acting under the Data Controller's direction, to conduct a data privacy and security audit concerning:

  • The Data Processor's data security and privacy procedures relating to the processing of Personal Data
  • Compliance with this Data Processing Agreement and Data Protection Legislation

Audit Conditions:

  1. Frequency: Not more than once per contract year, unless:
    • Required by a supervisory authority
    • Following a Data Breach
    • The Data Controller has reasonable grounds to believe non-compliance has occurred

  2. Notice: The Data Controller shall provide the Data Processor with at least thirty (30) days prior written notice of intention to perform an audit.

  3. Audit Plan: The notification must include:
    • Name and credentials of the auditor
    • Description of the purpose and scope of the audit
    • Proposed dates and duration
    • Specific areas or systems to be examined

  4. Auditor Restrictions: The Data Processor may reasonably object to a third-party auditor if:
    • The auditor is a competitor of the Data Processor
    • The auditor has not agreed to appropriate confidentiality obligations
    • The auditor does not have appropriate professional credentials

  5. Minimal Disruption: The audit shall be carried out in such a way that inconvenience and disruption to the Data Processor's operations are kept to a minimum.

  6. Confidentiality: The Data Controller shall impose sufficient confidentiality obligations on its auditors, including non-disclosure agreements covering:
    • The Data Processor's confidential information
    • Other customers' information
    • Security vulnerabilities discovered

  7. Accompaniment: Every auditor conducting an inspection will be at all times accompanied by a dedicated employee of the Data Processor.

  8. Cost: Audits shall be conducted at the Data Controller's cost (for both internal and external costs), except where an audit reveals material non-compliance by the Data Processor.

  9. Audit Report: The Data Controller shall provide the Data Processor with a copy of any audit report and shall discuss any findings with the Data Processor before taking action.

7.3 Alternative Compliance Evidence

In lieu of an on-site audit, the Data Processor may provide:

  • Current third-party security audit reports or certifications (SOC 2, ISO 27001, etc.)
  • Completed security questionnaires
  • Evidence of Sub-Processor certifications
  • Detailed documentation of technical and organizational measures

The Data Controller shall reasonably consider whether such evidence is sufficient before exercising on-site audit rights.


8. Data Retention and Deletion

8.1 Retention Periods

The Data Processor shall retain Personal Data only for as long as necessary to fulfill the Purposes or as required by applicable law. Specific retention periods are:

System Data - User Accounts:

  • Active Users: Retained for the duration of the Tenant relationship
  • Inactive Users: User accounts are disabled (not deleted) to maintain audit trail integrity for change tracking and system logs
  • Authentication Data: Retained while user account exists
  • Audit Trail References: User identifiers in audit logs retained per billing/operational data retention requirements

System Data - Financial and Billing:

  • Invoices and Payment Records: Seven (7) years from date of invoice (as required by Belgian Companies Code Article 6 and applicable tax law)
  • License Agreements: Seven (7) years after expiration or termination
  • Usage Data Linked to Billing: Seven (7) years (aligned with financial record retention)

Tenant Data - Content and Documents:

  • Active Tenant Content: Retained while Tenant relationship is active
  • Upon Tenant Termination:
    • Tenant-specific content (database schema, object storage) isolated and marked for deletion
    • Content deleted within ninety (90) days of termination unless extended by written agreement
    • Financial records retained per above schedule

Technical Data:

  • Business Event Logs: Seven (7) years when linked to billing; ninety (90) days for non-billing operational logs
  • Application Logs: Ninety (90) days for troubleshooting and security analysis
  • Infrastructure Logs: Seven (7) days for metrics; thirty-one (31) days for logs (as per Scaleway Cockpit default retention)
  • Translation Cache: Ninety (90) days (contains only static platform text translations, no user content)
  • Security Logs: Two (2) years for incident investigation and compliance

Note on Business Event Logs: These logs contain only technical metrics (token counts, timing data, event types) and do not contain Personal Data. They are retained for billing verification and system performance analysis.

8.2 Tenant Data Isolation and "Deletion"

Due to the requirement to retain financial and billing records, Tenants cannot be fully deleted from the system. Instead, "tenant deletion" is implemented through:

  1. Data Isolation:
    • Removal of tenant-specific database schema
    • Deletion of tenant-specific object storage folder
    • Removal of all tenant content and documents

  2. Account Status:
    • All User accounts associated with the Tenant are disabled
    • Authentication is prevented for all disabled users
    • Personal details may be pseudonymized in audit trails where legally permissible

  3. Retained Information (for legal/regulatory compliance):
    • Financial and billing records (7 years)
    • License and usage information linked to billing
    • Audit trail references (user IDs, timestamps)
    • Business event logs linked to billing

  4. Timeframe: Content deletion occurs within ninety (90) days of Tenant termination request.
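The four steps of Section 8.2, as an added illustrative example that is not Ask Eve AI's own code: an in-memory model of tenant offboarding that removes the tenant's schema and storage prefix, disables rather than deletes accounts, pseudonymizes personal details in the audit trail while keeping user identifiers and timestamps, and keeps invoices for the seven-year period of Section 8.1. The tenant names, the sample data, the `user-<id>` pseudonym scheme and all function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

CONTENT_DELETION_WINDOW_DAYS = 90   # Section 8.2(4): content deleted within 90 days
FINANCIAL_RETENTION_YEARS = 7       # Section 8.1: invoices kept seven years


@dataclass
class User:
    user_id: int
    tenant_id: str
    email: str
    active: bool = True             # disabled, never deleted, on offboarding


@dataclass
class AuditEntry:
    user_id: int                    # audit trail reference: retained
    timestamp: str                  # retained
    actor_email: str                # personal detail: pseudonymized on offboarding
    action: str


@dataclass
class Invoice:
    tenant_id: str
    number: str
    issued: date                    # retention clock starts at the invoice date


@dataclass
class Platform:
    """Constructed in-memory stand-in for the database, object storage and logs."""
    schemas: set = field(default_factory=set)    # one database schema per tenant
    objects: set = field(default_factory=set)    # object keys of the form "<tenant_id>/<path>"
    users: dict = field(default_factory=dict)    # user_id -> User
    audit: list = field(default_factory=list)
    invoices: list = field(default_factory=list)


def financial_retention_ends(issued: date) -> date:
    """Date after which a financial record may be deleted (invoice date + 7 years)."""
    target_year = issued.year + FINANCIAL_RETENTION_YEARS
    try:
        return issued.replace(year=target_year)
    except ValueError:              # 29 February with a non-leap target year
        return issued.replace(year=target_year, day=28)


def offboard_tenant(p: Platform, tenant_id: str, requested: date) -> dict:
    """Apply the Section 8.2 'tenant deletion' steps and report what remains."""
    # 1. Data isolation: drop the tenant schema and every object under its prefix.
    p.schemas.discard(tenant_id)
    prefix = f"{tenant_id}/"
    removed = {key for key in p.objects if key.startswith(prefix)}
    p.objects -= removed

    # 2. Account status: disable the tenant's users; rows stay so audit references resolve.
    tenant_users = {u.user_id for u in p.users.values() if u.tenant_id == tenant_id}
    for uid in tenant_users:
        p.users[uid].active = False
    # Pseudonymize personal details in the audit trail; keep user IDs and timestamps.
    for entry in p.audit:
        if entry.user_id in tenant_users:
            entry.actor_email = f"user-{entry.user_id}"   # assumed pseudonym scheme

    # 3. Retained information: financial records stay for the statutory period.
    retained = [(i.number, financial_retention_ends(i.issued))
                for i in p.invoices if i.tenant_id == tenant_id]

    # 4. Timeframe: content must be gone within 90 days of the request.
    return {
        "objects_removed": len(removed),
        "users_disabled": len(tenant_users),
        "retained_invoices": retained,
        "content_deletion_deadline": requested + timedelta(days=CONTENT_DELETION_WINDOW_DAYS),
    }


def can_authenticate(p: Platform, user_id: int) -> bool:
    """Disabled users still exist but can no longer log in (Section 8.2, item 2)."""
    return user_id in p.users and p.users[user_id].active


def build_sample_platform() -> Platform:
    """Constructed sample data: two tenants, so isolation of one can be checked."""
    p = Platform(schemas={"acme", "globex"},
                 objects={"acme/docs/contract.pdf", "acme/docs/notes.md", "globex/report.pdf"})
    p.users = {1: User(1, "acme", "alice@acme.example"),
               2: User(2, "acme", "bob@acme.example"),
               3: User(3, "globex", "carol@globex.example")}
    p.audit = [AuditEntry(1, "2025-09-30T10:00:00Z", "alice@acme.example", "upload"),
               AuditEntry(3, "2025-09-30T11:00:00Z", "carol@globex.example", "login")]
    p.invoices = [Invoice("acme", "INV-2024-001", date(2024, 5, 10))]
    return p


def run_sample() -> tuple:
    """Offboard the constructed tenant 'acme' on the DPA's effective date."""
    p = build_sample_platform()
    return p, offboard_tenant(p, "acme", date(2025, 10, 3))


if __name__ == "__main__":
    print(run_sample()[1])
```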

8.3 Data Deletion After Processing Completion

Upon termination of the Processing of Personal Data, or earlier upon written request of the Data Controller, the Data Processor shall:

  1. Cease All Use: Immediately cease all use of Personal Data

  2. Delete or Return: At the Data Controller's choice:
    • Delete: Securely delete all Personal Data and copies thereof
    • Return: Return all Personal Data in a structured, commonly used, and machine-readable format

  3. Certification: Upon request, provide written certification of deletion or return

  4. Exceptions: The Data Processor may retain Personal Data to the extent:
    • Required by applicable law (e.g., financial record retention)
    • Necessary for audit trail integrity
    • Technically infeasible to delete (provided such data is isolated and protected)

  5. Deletion Method: Deletion shall be performed using industry-standard secure deletion methods appropriate to the storage medium.

8.4 Sub-Processor Data Deletion

The Data Processor shall ensure that Sub-Processors comply with equivalent data retention and deletion obligations, and shall provide evidence of Sub-Processor deletion upon request.


9. Liability

9.1 Mutual Liability

Each Party shall be liable for any foreseeable, direct, and personal damages suffered ("Direct Damages") resulting from any attributable breach of its obligations under this Data Processing Agreement.

9.2 Indemnification

If one Party is held liable for a violation of its obligations hereunder, it undertakes to indemnify the non-defaulting Party for any Direct Damages resulting from any attributable breach of the defaulting Party's obligations under this Data Processing Agreement or any fault or negligence in the performance of this Data Processing Agreement.

9.3 Exclusion of Indirect Damages

Under no circumstances shall the Data Processor be liable for indirect, incidental, or consequential damages, including but not limited to:

  • Financial and commercial losses
  • Loss of profit or revenue
  • Increase of general expenses
  • Lost savings or diminished goodwill
  • Damages resulting from business interruption or interruption of operation
  • Damages resulting from claims of customers of the Data Controller
  • Disruptions of planning
  • Loss of anticipated profit or capital
  • Loss of customers or missed opportunities
  • Loss of advantages
  • Corruption and/or loss of files resulting from the performance of the Agreement

9.4 Shared Responsibility

If it appears that both the Data Controller and the Data Processor are responsible for damage caused by the processing of Personal Data, both Parties shall be liable and pay damages in accordance with their individual share in the responsibility for the damage caused by the processing, as determined by applicable law or by mutual agreement.

9.5 Liability Cap

In any event, the total aggregate liability of the Data Processor under this Agreement shall be limited to:

  • The cause of damage; AND
  • An amount that equals the total amount of fees paid by the Data Controller to the Data Processor for the delivery and performance of the Services for a period not exceeding twelve (12) months immediately prior to the cause of damages.

9.6 Proof of Non-Responsibility

In no event shall the Data Processor be held liable if the Data Processor can prove it is not responsible for the event or cause giving rise to the damage.

9.7 GDPR Liability Provisions

Nothing in this section shall limit or exclude liability to the extent such limitation or exclusion is prohibited by Data Protection Legislation, including Articles 82-84 GDPR.


10. Term and Termination

10.1 Term

This Data Processing Agreement shall be valid and remain in effect for as long as the Tenant/Customer uses the Services and Ask Eve AI processes Personal Data on behalf of the Tenant/Customer.

10.2 Survival

The following provisions shall survive termination of this Agreement:

  • Data retention and deletion obligations (Section 8)
  • Liability provisions (Section 9)
  • Confidentiality obligations
  • Audit rights for the period during which Personal Data was processed
  • Any obligations required by applicable law

10.3 Effect of Termination

Upon termination of this Agreement:

  1. The Data Processor shall cease all Processing of Personal Data (except as required by Section 8)
  2. The provisions of Section 8 (Data Retention and Deletion) shall apply
  3. Sub-Processors shall be instructed to cease Processing and delete or return Personal Data as appropriate

11. Governing Law and Jurisdiction

11.1 Governing Law

This Data Protection Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with Belgian Law.

11.2 Jurisdiction

Any litigation relating to the conclusion, validity, interpretation, and/or performance of this Data Processing Agreement or of subsequent contracts or operations derived therefrom, as well as any other litigation concerning or related to this Data Processing Agreement, without any exception, shall be submitted to the exclusive jurisdiction of the courts of Ghent (Gent), Belgium.

11.3 Supervisory Authority

The competent supervisory authority for data protection matters is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).

Contact Details:


12. General Provisions

12.1 Security Contact

For all matters relating to this Data Protection Agreement, including data subject rights requests, data breaches, and security inquiries, the Data Controller may contact:

Ask Eve AI Security Contact:

  • Name: Pieter Moons
  • Email: pieter@askeveai.com
  • Role: Informal security contact (not formal Data Protection Officer)

The Data Processor will respond to inquiries within five (5) business days.

12.2 Amendment

This Data Processing Agreement may only be amended by written agreement signed by authorized representatives of both Parties, except that Ask Eve AI may update:

  • The list of Sub-Processors (Annex 1) subject to the notification requirements in Section 4.7
  • The technical and organizational measures (Annex 2) to improve security, provided such changes do not materially decrease the level of protection

12.3 Severability

If any provision of this Data Processing Agreement is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired thereby.

12.4 Entire Agreement

This Data Processing Agreement, together with its Annexes and the main Services Agreement, constitutes the entire agreement between the Parties concerning the processing of Personal Data and supersedes all prior agreements, understandings, and arrangements, whether written or oral.

12.5 Conflicts

In the event of any conflict between this Data Processing Agreement and the main Services Agreement, this Data Processing Agreement shall prevail with respect to data protection matters.

12.6 Language

This Agreement is executed in English. In case of any discrepancy between language versions, the English version shall prevail.


Annexes

The following annexes form an integral part of this Data Protection Agreement:

  • Annex 1: List of Sub-Processors
  • Annex 2: Technical and Organizational Measures

Annex 1: List of Sub-Processors

The Data Controller hereby agrees to the following list of Sub-Processors engaged by the Data Processor for the Processing of Personal Data under the Agreement:

Current Sub-Processors

| Sub-Processor | Service Provided | Location | Purpose | Personal Data Processed | Certifications |
|---|---|---|---|---|---|
| Scaleway SAS | Cloud Infrastructure & Hosting | France (Paris) | Infrastructure hosting, Kubernetes orchestration, PostgreSQL database, Redis cache, Object Storage, Email delivery (TEM) | All categories of Personal Data processed through the Services | ISO/IEC 27001:2022, HDS (Health Data Hosting), GDPR compliant, pursuing SecNumCloud |
| Mistral AI | AI Language Model Services | France | Large Language Model processing, natural language understanding, AI specialist functionality | Tenant Content, End User interactions, communication information (text only) | SOC 2 Type II, ISO 27001, ISO 27701, GDPR compliant |
| BunnyWay d.o.o. (Bunny.net) | Content Delivery Network, Web Application Firewall, Static Storage | European Union (Slovenia) | CDN services, DDoS protection, WAF, rate limiting, static file hosting and delivery | Technical Data (IP addresses, request logs, access patterns), static content | ISO 27001, SOC 2 Type II, PCI compliant, GDPR compliant |
| Billit | Payment Processing & Invoicing | Belgium | Payment processing, invoice generation and management, billing services | Tenant/Customer financial information, contact details, VAT numbers, payment data | GDPR compliant |

Sub-Processor Responsibilities

Each Sub-Processor is contractually bound to:

  1. Process Personal Data only in accordance with Ask Eve AI's documented instructions
  2. Maintain appropriate technical and organizational measures
  3. Maintain confidentiality of Personal Data
  4. Assist Ask Eve AI in responding to Data Subject rights requests
  5. Notify Ask Eve AI of any Data Breaches
  6. Delete or return Personal Data upon termination

Sub-Processor Changes

Ask Eve AI will notify the Data Controller at least thirty (30) days in advance of:

  • Adding a new Sub-Processor
  • Replacing an existing Sub-Processor
  • Material changes to a Sub-Processor's role or data processing activities

The Data Controller may object to such changes on reasonable data protection grounds within the notice period. If Ask Eve AI cannot accommodate the objection, the Data Controller may terminate the affected Services without penalty.

Geographic Scope

All Sub-Processors operate exclusively within the European Union. No Personal Data is transferred to Third Countries (countries outside the EEA without an adequacy decision).

Sub-Processor Due Diligence

Ask Eve AI conducts due diligence on all Sub-Processors, including verification of:

  • Security certifications and compliance status
  • Data processing agreements
  • Technical and organizational measures
  • Data breach notification procedures
  • Geographic location of data processing and storage

Annex 2: Technical and Organizational Measures

1. Purpose of this Document

This document contains an overview of the technical and organizational measures which are applicable by default within Ask Eve AI. The actual measures taken depend on the services provided and the specific customer context. Ask Eve AI guarantees that, for all its services and infrastructure, it has the necessary and adequate technical and organizational measures in place, following a Data Protection Impact Assessment (DPIA) approach.

These measures are designed to:

  1. Ensure the security and confidentiality of Personal Data and other data managed by Ask Eve AI
  2. Protect against any anticipated threats or hazards to the security and integrity of Personal Data and infrastructure
  3. Protect against any actual unauthorized processing, loss, use, disclosure, acquisition of, or access to any Personal Data or other business-critical information

Ask Eve AI ensures that all its Sub-Processors have provided the necessary and required guarantees on the protection of Personal Data they process on Ask Eve AI's behalf.

Ask Eve AI continuously monitors the effectiveness of its information safeguards and plans to organize regular compliance reviews as the organization scales.

2. Technical and Organizational Measures

Ask Eve AI has designed and implemented a multi-layered security architecture protecting its infrastructure, cloud services, and applications against cyberattacks including phishing, malware, intrusion, ransomware, and data loss/breach incidents.

This architecture combines automated proactive, reactive, and forensic measures with internal awareness to create an end-to-end chain of protection. Ask Eve AI uses an intent-based approach where activities are constantly monitored and analyzed.

2.1 General Governance and Awareness

As a product company, Ask Eve AI is committed to maintaining IT infrastructure that has robust security architecture, complies with data protection policies, and provides a secure platform for operations.

Cloud-First Strategy: Ask Eve AI has a cloud-first and cloud-native strategy and works exclusively with European vendors that are compliant with GDPR and European Data Protection Regulations.

Geographic Data Residence: All Personal Data processing and storage occurs exclusively within the European Union. All Sub-Processors are EU-based and subject to European data protection regulations.

Third-Country Transfers: Ask Eve AI does not transfer Personal Data to third countries. Any future third-country transfers would require:

  • Prior written notice to customers (60 days minimum)
  • Standard Contractual Clauses or other appropriate safeguards
  • Transfer Impact Assessments
  • Customer consent

IT Policies: Ask Eve AI has IT policies applicable to any employee or service provider using Ask Eve AI platforms or infrastructure, informing users of rights, duties, and monitoring mechanisms to enforce security and data compliance.

Application Security Requirements: Ask Eve AI has internal policies on minimum requirements before applications, platforms, or tools enter the application landscape, including:

  • Encryption requirements
  • Data Loss Prevention (DLP) requirements
  • Transparent governance and licensing requirements
  • Support contract procedures and certifications

Policy Enforcement: Policies are enforced through endpoint security and monitoring solutions. Infractions may result in restricted access or additional legal action.

2.2 Physical Security and Infrastructure

Data Center Security: All infrastructure is hosted with certified cloud providers (Scaleway) in European data centers with:

  • Industry-standard physical access controls
  • 24/7 surveillance and monitoring
  • Environmental controls (fire suppression, temperature management)
  • Redundant power and network connectivity
  • ISO 27001 certified facilities

Office Security: Ask Eve AI office locations implement:

  • Controlled physical access
  • Visitor management procedures
  • Secure storage for sensitive materials
  • Clean desk policies

2.3 Network Security and Architecture

Private Network Architecture:

  • Kubernetes cluster deployed in private network (Scaleway VPC)
  • Internal services (PostgreSQL, Redis) isolated within private network
  • No direct external exposure of backend infrastructure
  • Administrative access via secure port-forwarding only

Perimeter Security:

  • All external traffic routed exclusively through Bunny.net Shield
  • Web Application Firewall (WAF) with threat detection
  • Rate limiting to prevent abuse
  • DDoS mitigation capabilities
  • No direct internet exposure of application servers

Network Segmentation:

  • Logical separation between platform infrastructure and management systems
  • Firewall protections at infrastructure level (Scaleway)
  • Separation of development, staging, and production environments

Encryption in Transit:

  • TLS encryption for all external communications (browser to CDN to cluster)
  • TLS 1.2 minimum, TLS 1.3 supported
  • TLS encryption for internal service communications (PostgreSQL, Redis)
  • Certificate-based authentication for database connections
  • Let's Encrypt certificates with automatic renewal

2.4 Endpoint Security and Access Control

Endpoint Protection:

  • All endpoints encrypted using enterprise-grade encryption
  • Anti-malware protection (CleanMyMac X on macOS devices)
  • Regular security updates and patches applied
  • macOS built-in security features enabled (XProtect, Gatekeeper, FileVault)

User Authentication and Access Control:

  • Multi-factor authentication (MFA) enforced on all critical platforms
  • Strong password requirements via Proton Pass password manager
  • Conditional access policies limiting access to specific regions
  • Role-based access control (RBAC) principles implemented
  • Access granted on need-to-know basis
  • Production superuser access restricted to authorized founder only

Account Management:

  • Centralized user account management
  • Regular access reviews
  • Immediate access revocation upon termination
  • Audit logging of all user activities

API Security:

  • API key authentication for service integration
  • Credentials securely stored in Scaleway Secret Manager
  • Secrets automatically imported into Kubernetes secrets
  • No credentials stored in code or configuration files

2.5 Application Security

Secure Development Practices:

  • Version control through GitHub
  • GitFlow workflow for code management
  • Code review processes
  • Separation of development, test, and production environments

Security Controls:

  • Security headers implemented across applications
  • SQL injection prevention through parameterized queries and ORM
  • Cross-Site Scripting (XSS) protection via input validation and DOM inspection
  • Input validation and sanitization for all user-supplied data
  • Standard Flask security frameworks deployed
  • OWASP Top 10 awareness and ongoing verification

Authentication and Authorization:

  • Password hashing (bcrypt or equivalent, never plain text)
  • Secure session management
  • API authentication using API keys and JWT tokens
  • Multi-tenant architecture with strict data isolation

Data Isolation:

  • Separate database schemas per tenant
  • Separate object storage folders per tenant
  • Middleware-enforced tenant boundary protection
  • Prevention of cross-tenant data access

2.6 Data Protection Measures

Encryption:

  • In Transit: TLS 1.2+ for all external and internal communications
  • At Rest: Managed by cloud provider (Scaleway) with encryption enabled
  • Database: PostgreSQL connections use TLS with certificate authentication
  • Backups: Encrypted backups stored in geographically redundant locations

Data Minimization:

  • Privacy-by-design approach: anonymous interactions until consent obtained
  • Collection of only necessary Personal Data
  • Regular review of data collection practices
  • Pseudonymization where appropriate

Data Segregation:

  • Logical separation between Ask Eve AI's own data, customer data, and supplier data
  • Multi-tenant architecture ensuring customer data isolation
  • Access controls preventing cross-contamination

Backup and Recovery:

  • Automated multi-site encrypted backup process
  • Daily integrity reviews of backups
  • Managed backup services for PostgreSQL, Redis, and Object Storage
  • Regular backup restoration testing
  • Geographic redundancy for disaster recovery
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined

Data Retention:

  • Defined retention policies per data category
  • Automated deletion processes where appropriate
  • Secure deletion methods for end-of-life data
  • Records of processing activities maintained

2.7 Monitoring, Logging, and Incident Response

Centralized Logging:

  • Scaleway Cockpit (Prometheus & Grafana) for log aggregation
  • Application logs from all containerized services
  • Infrastructure logs (PostgreSQL, Redis, Kubernetes)
  • Security event logging
  • Log retention: 7 days for infrastructure logs, 31 days for metrics

Security Monitoring:

  • Real-time monitoring of security events
  • WAF logs accessible via Bunny.net API
  • Automated alerts for security incidents (planned implementation)
  • Business event monitoring (Prometheus, Grafana)
  • System monitoring for all infrastructure resources

Incident Response:

  • Defined incident detection capabilities
  • Root cause analysis using system logs and monitoring data
  • Rapid patch and deployment capabilities via CI/CD
  • Access to Sub-Processor support for infrastructure-level incidents
  • Version control allowing rollback to previous stable versions
  • 24-hour customer notification target for confirmed breaches

Vulnerability Management:

  • Regular security updates and patches
  • Quarterly review and update cycle for application dependencies
  • Container image rebuilds using latest base images
  • Planned implementation of automated vulnerability scanning (Harbor registry)

2.8 Change Management and Development Operations

Change Control:

  • Changes managed through YouTrack issue tracking
  • Kanban board for progress tracking
  • GitFlow workflow for all code changes
  • Official releases tagged in container registry
  • Rollback capability maintained for all deployments

Development Pipeline:

  • Standard deployment path: Development → Test (Podman) → Staging (Kubernetes) → Production
  • Testing in non-production environments before production deployment
  • Deployment scripts for consistent, repeatable deployments
  • Release guide documentation maintained

Patch Management:

  • Managed services automatically patched by Scaleway
  • Quarterly Python dependency updates
  • Weekly to monthly container image rebuilds
  • Critical security patches applied immediately upon notification
  • Testing of patches in non-production environments

2.9 Email Security

Proton Mail Business:

  • Advanced spam and phishing protection (60% more accurate than SpamAssassin)
  • PhishGuard protection against spoofing
  • Link protection displaying full URLs
  • Proton Sentinel 24/7 monitoring by security analysts
  • AI-assisted threat detection
  • Protection against account takeover

Email Authentication:

  • SPF (Sender Policy Framework) configured
  • DKIM (DomainKeys Identified Mail) configured
  • DMARC (Domain-based Message Authentication) configured
  • All authentication protocols verified for askeveai.com domain

Encryption:

  • End-to-end encryption for Proton-to-Proton communications
  • TLS 1.2+ encryption for external email providers
  • Zero-access encryption for stored emails

2.10 Vendor and Sub-Processor Management

Due Diligence:

  • Security certification verification for all Sub-Processors
  • Review of data processing agreements
  • Assessment of technical and organizational measures
  • Regular review of Sub-Processor compliance status

Contractual Safeguards:

  • Data processing agreements with all Sub-Processors
  • Confidentiality obligations
  • Security requirements in contracts
  • Data breach notification requirements
  • Right to audit Sub-Processors

Sub-Processor Monitoring:

  • Active monitoring of security updates from Sub-Processors
  • Review of Sub-Processor security advisories
  • Response to Sub-Processor security notifications

2.11 Business Continuity and Disaster Recovery

Infrastructure Resilience:

  • Kubernetes cluster with auto-scaling capabilities
  • Geographic redundancy through cloud provider
  • Managed services with built-in high availability

Backup Strategy:

  • Automated daily backups of all critical data
  • Multi-site backup storage
  • Regular backup integrity testing
  • Documented restoration procedures

Disaster Recovery:

  • Ability to restore services from backups
  • Container rollback capabilities
  • Cloud infrastructure redundancy
  • Recovery procedures documented

2.12 Compliance and Certification

Current Compliance:

  • GDPR compliant (EU-based operations)
  • Privacy Policy and Terms & Conditions published
  • Data Processing Agreement available

Sub-Processor Certifications:

  • Scaleway: ISO/IEC 27001:2022, HDS, pursuing SecNumCloud
  • Mistral AI: SOC 2 Type II, ISO 27001, ISO 27701
  • Bunny.net: ISO 27001, SOC 2 Type II, PCI compliant
  • All Sub-Processors: GDPR compliant

Planned Enhancements:

  • Formal security policy documentation as organization scales
  • Regular third-party security audits
  • Penetration testing program
  • Enhanced security awareness training program
  • SOC 2 Type II certification pursuit

2.13 Data Subject Rights Support

Technical Capabilities:

  • Ability to identify and extract Personal Data for access requests
  • Capability to rectify inaccurate Personal Data
  • Secure data deletion processes
  • Data portability export in structured formats (JSON, CSV)
  • Ability to restrict processing through account disabling

Processes:

  • Documented procedures for handling data subject requests
  • 30-day response timeframe for standard requests
  • Email and helpdesk channels for request submission
  • Identity verification procedures

2.14 Personnel Security

Current Practice (2-person team):

  • Founder's 30+ years IT and security experience
  • Security-conscious architecture decisions
  • Active monitoring of security updates

Planned Enhancements (as team scales):

  • Formal pre-employment screening
  • Professional reference checks
  • Security awareness training program
  • Confidentiality and data protection agreements
  • Structured onboarding covering security practices
  • Limited production access for new hires
  • Progressive trust model for system access

2.15 Continuous Improvement

Ask Eve AI is committed to continuously improving its security posture through:

  • Regular review and updates of security measures
  • Monitoring of evolving threat landscape
  • Implementation of new security technologies
  • Response to security advisories from vendors
  • Incorporation of security best practices
  • Planned third-party security assessments
  • Customer and partner feedback integration

End of Data Protection Agreement


Execution

This Data Protection Agreement is executed between:

Data Controller:
[Customer/Tenant Name]
[Address]
Authorized Representative: ________________
Date: ________________

Data Processor:
Ask Eve AI
[Address]
Authorized Representative: ________________
Date: ________________