Data Processing Agreement

Last updated on October 30, 2025

DATA PROCESSING AGREEMENT (the “Agreement”), between

  1. [Controller], FN [], [Address] (the “Controller”); and
  2. Fresh Labs FlexCo GmbH, Praterstrasse 17/1/2, 1020 Vienna, Austria (“Processor” and, together with the Controller, the “Parties”), as the provider of the SaaS platform MyPaperwork AI.

Preamble

  1. Processor. The Processor operates a cloud-based application that enables users to upload, manage, and process documents and related information. Data is transmitted to the Processor’s servers, where it is securely stored and processed to provide the Services, which include automated assistance, document management, and AI-powered features tailored to the Controller’s use case (the “Services”).
  2. Principal Contract. The Parties made an agreement over the use of the Services (the “Principal Contract”). This contract amends the Principal Contract.
  3. Subject. In fulfillment of the Principal Contract, the Processor processes personal data of the Controller and of the Controller’s customers, employees, freelancers, and similar contributors of content, in each case at the Controller’s order. This Agreement regulates rights and obligations of the Parties concerning the fulfillment of the Principal Contract.
  4. Processor. This Agreement is a contract according to Art 28 of the GDPR. Additionally, this Agreement adheres to the requirements of the California Consumer Privacy Act (CCPA) in relation to the processing of personal information of California residents. The Processor agrees to comply with all applicable obligations under the CCPA and assist the Controller in meeting its CCPA obligations with respect to the personal information processed on behalf of the Controller.

I. Definitions

    • In this Agreement, except where a different interpretation is necessary in the context, capitalized terms shall have the meaning assigned to them in the section entitled “Definitions” set forth in Schedule 1.1.

II. Details of the Processing

  • Subject. The subject of this Agreement is the provision of the Services.
  • Categories of Data. For the provision of the Services, the categories of data listed in Schedule 2.2 (the “Data”) are processed.
  • Type and Purpose. The Processing is performed in the way and for the purposes described in Schedule 2.3.
  • Categories of Data Subjects. The Processing concerns categories of Data Subjects as set forth in Schedule 2.4.
  • Duration. This Agreement is binding for the duration of the Principal Contract. During the duration of the Principal Contract this Agreement can only be terminated for good reason. If the Principal Contract is terminated by a Party, this Agreement ends automatically. The obligation pursuant to V.2 continues to exist even in case of termination.

III. Place of Processing

  • The Processing of Data takes place, in part, outside the EU and the EEA. The countries in which the Processing takes place and the basis for an appropriate level of data security are listed in Schedule 3.1.

IV. Rights and Obligations of the Controller

  • Assignment. The Controller is a Controller within the meaning of Art. 4 sec 7 GDPR and has instructed the Processor with the Processing of Data.
  • Right to Information. The Controller has the right to receive all information required to prove compliance with the Processor’s obligations listed in Art. V and to perform reviews, including inspections, by himself or through an assigned investigator.

V. Rights and Obligations of the Processor

  • Processing.
    • The Processor will process Data solely in accordance with the Principal Contract and the Controller’s additional written instructions, if any. This also applies to the transfer of Data to a third country or to an international organization.
    • 5.1(a) does not apply to the Processing of Data, if the Processor is legally obliged to process the Data in a certain way. In these cases, the Processor informs the Controller about its obligation before Processing, if no important public interest prohibits such information.
  • Data Confidentiality. The Processor and his coworkers are obliged to maintain data confidentiality pursuant to Art 6 of the Austrian Data Protection Act in the version of May 25, 2018. The Processor must contractually bind his employees to maintain data confidentiality if they are not legally obliged to do so already. This obligation has to remain in effect even if the employment relationship is terminated. The Processor declares to comply with these obligations.
  • Technical and Organisational Measures.
    • The Processor explicitly declares that it has taken the necessary measures to ensure the security of Processing of Data according to Art. 32 GDPR. A complete list of those measures can be found in Schedule 5.3(a) (the “Measures”).
    • Should any change of the Measures reduce the safety standard regarding the Processing of Data, the Processor will coordinate these changes with the Controller.
    • The Controller has the right to be informed whether the Measures are up to date and to obtain a copy of the current version of those Measures from the Processor.
  • Support of the Controller.
    • The Processor will support the Controller as far as possible, by taking appropriate technical and organizational measures, to fulfill the Controller’s obligation of responding to the requests of data subjects according to Art. 3 GDPR. Should such a request have been sent to the Processor instead of the Controller by accident, the Processor shall forward it to the Controller immediately and inform the applicant about this proceeding.
    • The Processor shall, considering the nature of the processing and information available, support the Controller to fulfill its obligations under Art. 32 to 36 GDPR (guaranteeing the security of Processing, notifications or communications to the supervisory authority or data subjects, data protection impact assessment including prior consultation).
  • Processing after Termination. When the Processing of Data is finished, the Processor shall, depending on the Controller’s decision, either return to it or delete all Data. This does not apply, if the Processor is legally obliged to store the Data.
  • Obligation to Inform. The Controller ensures the execution of the right to information pursuant to IV.2.
  • Unlawful Instructions. The Processor will inform the Controller promptly, if it considers an instruction to be unlawful under the data protection legislation of the EU or applicable law of member states.
  • Record of Processing Activities. The Processor keeps a record of Processing activities pursuant to Art. 30 GDPR.

VI. Sub-Processor

  • Right to Engage Sub-Processors. The Processor has the right to engage another Processor for the operation of the Product (a “Sub-Processor”), including the Processing of Data, without the Controller’s previous consent. In the case of an intended change regarding the Sub-Processor, the Processor will inform the Controller in due time.
  • List of Sub-Processors. A list of all currently engaged Sub-Processors can be found in Schedule 6.2.
  • Obligations. In case a new Sub-Processor is engaged, the Processor concludes all required agreements according to Art. 28 sec 4 GDPR with the Sub-Processor. These agreements must bind the Sub-Processors to the same data safety obligations as determined in this Agreement, especially concerning guarantees for appropriate technical and organizational measures.
  • Liability. If a Sub-Processor does not comply with its data safety obligations, the Processor is fully responsible for the compliance with these duties to the Controller.

VII. Final Provisions

  • The clauses in Schedule 7.1 concerning governing law, form, and other regulations stated therein are applicable.

Schedule I

Definitions

GDPR

GDPR means the EU-regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Processing

Processing means Processing of Data according to Art. 4 Z2 GDPR.

Schedule § 2.2

Categories of Data

  1. Customers: contact details, contractual details, invoicing details, communication details
  2. Authorized users: email address, password, name, address (optional), date of birth (optional), telephone number (optional), plan and configuration data, user preferences, login country, last access, anonymised IP, information about system usage, any data included in uploaded files or submitted through the Services, statistical data about uploaded files.

Schedule § 2.3

Type and Purpose

  1. Types of Processing:
    • collection and storage
    • organization
    • transmission
    • destruction
  2. Purposes of Processing:
    • Fulfillment of the Principal Contract

Schedule § 2.4

Categories of Data Subjects

  1. Customers, Authorized Users

Schedule § 3.1

List of Countries for Data Processing incl. Foundations

  1. European Union

Schedule § 5.3(a)

Measures

    • Electronic access control: all computers and access points are password-protected. Access to our cloud infrastructure providers is granted to individual, clearly defined employees on a need-to-know basis. As soon as a user leaves the company, their account and all other access options are deactivated.
  1. Deletion periods.
    • User data & customer data uploaded to our system: all data are automatically deleted within 30 days after cancellation of the account/contract.
    • Logs: semi-automatic deletion after 90 days.
    • Customer records are deleted 7 years after the last transaction with the customer.
  2. Testing, Assessment and Evaluation.
    • Network architecture and designs shall always be peer reviewed.
    • The four-eyes principle shall be applied when medium and high impact network changes take place.

Schedule § 6.2

List of Sub-Processors

  1. GCP
  2. AWS
  3. Clickhouse Cloud
  4. Cloudamqp
  5. Google Workspace
  6. Slack

[TP Note – Sub-processors listed here are examples only and must be confirmed, supplemented, or replaced by the client.]

Schedule § 7.1

Final Provisions

  1. Confidentiality. The Parties agree to handle all information received in relation to this Agreement in a confidential way for an indefinite period of time and use this information for the fulfillment of this Agreement. This information shall be used for the referred purposes only and must not be disclosed to third parties. This does not apply if (a) the obligated Party demonstrably obtains the information from a third party to which it is not obliged to confidentiality, (b) the information was publicly available or (c) the disclosure was legally required or demanded by the authorities.
  2. Entry into Force. This Agreement enters into force with signing by both Parties and is binding for an indefinite period of time.
  3. Written Form. Any adjustments, amendments or a revocation of the contract require written form or, if this Agreement was entered into via electronic means, a similar form to the conclusion of this Agreement. This also applies to any regulation intending to change the written form requirement.
  4. Severability. In the event that individual provisions of this Agreement shall be or become invalid or unenforceable, all other terms and conditions shall remain in full force and effect. The parties agree to replace the invalid or unenforceable clause with a valid and enforceable clause, that has the same economic sense. This rule also applies in case a regulatory gap occurs.
  5. Legal Foundation. Only the provisions of this Agreement and, additionally, the legal regulations shall apply.
  6. Governing Law. This Agreement and all correlating contractual relations and litigation shall be governed by Austrian law, excluding the conflict of law-provisions of the United Nations Convention on Contracts for the International Sale of Goods.
  7. Court of Jurisdiction. The courts of Vienna, Austria, shall have exclusive jurisdiction over any legal disputes with regard to this Agreement, to the extent legally permissible.