Data Processing Agreement (DPA)

This Data Processing Agreement (the "DPA") governs the processing of personal data by Clear Solutions BV (the "Processor"), with registered office at Bosdreef 8, 2910 Essen, registered in the Belgian Crossroads Bank for Enterprises under number 0668.982.670, on behalf of the customer (the "Controller") in connection with use of the XyloSnap application (the "App").

This DPA forms an integral part of the Terms of Use between the parties and is drafted in accordance with the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/915 of 4 June 2021, pursuant to Article 28(3) and (7) of Regulation (EU) 2016/679 ("GDPR").

Note on this document. This DPA contains the binding standard clauses (Clauses 1 to 10) followed by three annexes specifying the concrete processing details (Annex I), the technical and organisational measures (Annex II) and the list of sub-processors (Annex III). By using the App you accept this DPA in its entirety.

01Purpose and scope

(a) These Standard Contractual Clauses (the "Clauses") seek to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 (GDPR) and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.

(b) The Controllers and Processors are listed in Annex I.

(d) These Clauses do not, by themselves, ensure compliance with the obligations relating to international transfers under Chapter V of the GDPR.

02Invariability of the Clauses

(a) The Parties undertake not to modify the Clauses, except to add information to or update information in the Annexes.

(b) This does not prevent the Parties from including the Standard Contractual Clauses in a wider contract, or from adding further clauses or additional safeguards, provided that they do not directly or indirectly contradict these Clauses or undermine the fundamental rights or freedoms of data subjects.

03Interpretation

(a) Where these Clauses use terms defined in the GDPR, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be interpreted in light of the provisions of the GDPR.

(c) These Clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for in the GDPR or that prejudices the fundamental rights or freedoms of the data subjects.

04Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

05Description of the processing

The specific aspects of the processing — including the categories of personal data, the categories of data subjects, the purposes, the nature and the duration of the processing — are set out in Annex I.B.

06Obligations of the Parties

6.1 Instructions

(a) The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller may also issue further documented instructions throughout the duration of the processing. Such instructions shall always be documented.

(b) The Processor shall immediately inform the Controller if it considers that instructions given by the Controller infringe the GDPR or applicable Union or Member State data-protection provisions.

6.2 Purpose limitation

The Processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I.B, unless it receives further instructions from the Controller.

6.3 Duration of the processing

The Processor shall process the personal data only for the duration specified in Annex I.B.

6.4 Security of processing

(a) The Processor shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (a "personal data breach"). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risks involved for the data subjects.

(b) The Processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring the contract. The Processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.5 Special categories of personal data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, or data relating to criminal convictions and offences (the "sensitive data"), the Processor shall apply specific restrictions and/or additional safeguards.

The Processor does not in principle process any sensitive data. App verification consists of two steps: (i) the delivery of an SMS containing a verification link via AWS SNS (through AWS Pinpoint) as the primary route, with Twilio as a geo-failover, and (ii) the actual identity check (selfie + passport + biometric comparison) performed by a specialised sub-processor under its own processor responsibility. The Processor only receives the limited result (passed/failed) and no biometric data.

6.6 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The Processor shall deal promptly and adequately with enquiries from the Controller about the processing of data in accordance with these Clauses.

(c) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in these Clauses and stemming directly from the GDPR. At the Controller's request, the Processor shall also allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on an audit or inspection, the Controller may take into account relevant certifications held by the Processor.

(d) The Controller may choose to conduct the audit itself or to mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority on request.

6.7 Use of sub-processors

(a) GENERAL WRITTEN AUTHORISATION: The Processor has the Controller's general authorisation to engage the sub-processors set out in an agreed list. The Processor shall specifically inform the Controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise its right to object. The current list of sub-processors is set out in Annex III.

(b) Where the Processor engages a sub-processor to carry out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data-protection obligations as those imposed on the Processor under these Clauses. The Processor shall ensure that the sub-processor complies with the obligations to which the Processor is subject pursuant to these Clauses and to the GDPR.

(c) At the Controller's request, the Processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the Processor may redact the text of the agreement prior to sharing a copy.

(d) The Processor shall remain fully responsible to the Controller for the performance of the sub-processor's obligations under its contract with the Processor. The Processor shall notify the Controller of any failure by the sub-processor to fulfil its contractual obligations.

(e) The Processor shall include a third-party beneficiary clause in favour of the Controller in the contract with the sub-processor whereby — in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent — the Controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

6.8 International transfers

(a) Any transfer of data by the Processor to a third country or an international organisation shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject and shall take place in compliance with Chapter V of the GDPR.

(b) The Controller agrees that where the Processor engages a sub-processor in accordance with Clause 6.7 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the sub-processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR.

(c) At the time of drafting this DPA, no routine transfers take place to third countries outside the European Economic Area (EEA). All current sub-processors (see Annex III) process personal data exclusively within the EEA. For sub-processors headquartered outside the EEA (Twilio, Stripe, Sentry and Freshworks), only their EU-hosted infrastructure is used; the European Commission's Standard Contractual Clauses (Decision 2021/914) and/or the EU-US Data Privacy Framework apply as additional safeguards.

07Assistance to the Controller

(a) The Processor shall promptly notify the Controller of any request it has received from a data subject. It shall not respond to the request itself, unless authorised to do so by the Controller.

(b) The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects' requests for the exercise of their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the Processor shall comply with the Controller's instructions.

(c) In addition to the Processor's obligation to assist the Controller pursuant to this Clause, the Processor shall furthermore assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:

The obligation to carry out a data protection impact assessment ("DPIA") where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
The obligation to consult the competent supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk.
The obligation to ensure that personal data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the personal data it is processing is inaccurate or has become outdated.
The obligations under Article 32 GDPR.

08Notification of personal data breach

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller in complying with its obligations under Articles 33 and 34 GDPR, taking into account the nature of the processing and the information available to the Processor.

8.1 Breach concerning data processed by the Processor

In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach. Such notification shall contain, at least:

a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
the contact details of a contact point where more information about the personal data breach can be obtained;
the likely consequences of the breach and the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide all the information at the same time, the initial notification shall contain the information then available, and further information shall be provided as it becomes available, without undue delay.

8.2 Assistance with the notification duty

The Processor shall assist the Controller in fulfilling its obligation to notify the competent supervisory authority and the data subjects, taking into account the nature of the processing and the information available to the Processor.

09Non-compliance and termination

(a) Without prejudice to any provisions of the GDPR, the Controller shall have the right to instruct the Processor to suspend the processing of personal data in the event of non-compliance by the Processor with these Clauses. The Processor shall promptly inform the Controller in case it is unable, for whatever reason, to comply with these Clauses.

(b) The Controller shall be entitled to terminate the contract with the Processor insofar as it concerns the processing of personal data in accordance with these Clauses, if:

the processing of personal data by the Processor has been suspended pursuant to point (a) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of the suspension;
the Processor is in substantial or persistent breach of these Clauses or its obligations under the GDPR;
the Processor fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses or under the GDPR.

(c) The Processor shall be entitled to terminate the contract insofar as it concerns the processing of personal data under these Clauses where, after having informed the Controller that its instructions infringe applicable legal requirements in accordance with Clause 6.1 point (b), the Controller insists on compliance with the instructions.

(d) Following termination of the contract, the Processor shall, at the Controller's choice, delete all personal data processed on behalf of the Controller and certify to the Controller that it has done so, or return all personal data to the Controller and delete existing copies, unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the Processor shall continue to ensure compliance with these Clauses.

10Annex I — Specifications of the processing

This annex contains the concrete description of the processing activities as required by Article 28(3) GDPR.

I.A — Parties

Controller: the natural or legal person who installs, activates or uses the XyloSnap application via their Freshdesk or Freshworks environment. The Controller is identified by the Freshdesk account through which the App is used and the company details provided at activation.

Processor: Clear Solutions BV, Bosdreef 8, 2910 Essen, Belgium. CBE number 0668.982.670. Contact for data-protection matters: privacy@xylosnap.com.

I.B — Description of the processing

Categories of data subjects whose personal data is processed:

End users / customers of the Controller who submit a request to the Controller's helpdesk and are asked to complete an identity verification.
Helpdesk agents of the Controller who use the App to trigger verifications and view the results.
Any other persons whose data forms part of a Freshdesk ticket for which verification is requested.

Categories of personal data processed:

Identifiers: first name, last name, email address.
Contact details: mobile phone number (used for SMS delivery).
Verification output: result (passed / failed), timestamp of the verification, identification method.
Location indicators: country (derived from phone country code), masked IP address (last octet/segment replaced) on all customer-facing surfaces — i.e. in Freshdesk private notes, customer portal and reports. Full IP addresses remain accessible only in internal security logs for incident response.
Ticket metadata: Freshdesk ticket ID, agent ID, organisation ID — solely to link the verification to the correct ticket.

Sensitive data: None. Biometric data (selfie, passport scan) is not received or stored by the Processor — it is processed exclusively by a specialised sub-processor (see Annex III) under its own responsibility.

Nature of the processing: storage, transmission, automated verification orchestration, and display of results within the Controller's Freshdesk interface.

Purpose(s) for which the personal data is processed on behalf of the Controller:

verifying the identity of helpdesk requesters before sensitive actions (password resets, access to confidential data, contact changes);
preventing social-engineering attacks against the Controller's helpdesk;
supporting the Controller in complying with its NIS2 and GDPR obligations on strong authentication.

Frequency of the processing: continuous, on-demand at the initiative of a helpdesk agent of the Controller. No automatic or bulk processing outside of the ticket context.

Duration of the processing: for the duration of the agreement between the parties (see Terms of Use). Verification results are kept in the Processor's database for the duration of the agreement, subject to statutory retention obligations. Upon termination of the agreement, all personal data shall be deleted or returned to the Controller within 30 days, at the Controller's choice, in accordance with Clause 9(d).

Sub-processors: see Annex III.

I.C — Competent supervisory authority

Data Protection Authority (Belgium) Drukpersstraat 35
1000 Brussels, Belgium
Tel: +32 (0)2 274 48 00
www.dataprotectionauthority.be

The competent supervisory authority is the Belgian Data Protection Authority (GBA / APD), given that the Processor's main establishment is in Belgium. If the Controller is established in another Member State, the supervisory authority competent in that Member State may also act as the lead supervisory authority for the Controller.

11Annex II — Technical and organisational measures

Measures implemented by the Processor to ensure an appropriate level of security in accordance with Article 32 GDPR. These measures are periodically reviewed and adjusted.

Description of the technical and organisational measures

1. Measures of pseudonymisation and encryption of personal data

Encryption of personal data in transit (TLS 1.2 or higher) between all system components and with external parties.
Encryption of personal data at rest on DynamoDB with AWS-managed AES-256.
IP addresses are pseudonymised by masking the last octet/segment before being shown on customer-facing surfaces (Freshdesk private notes, customer portal, reports). Full IP addresses remain accessible only in internal security logs for incident response.

2. Measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services

Hosting in AWS eu-central-1 (Frankfurt) with geographic redundancy within the EEA.
Access control on the principle of least privilege: AWS IAM roles with multi-factor authentication (MFA) mandatory for all administrative access.
The production database (DynamoDB) is accessible only via IAM-authenticated requests with per-Lambda least-privilege roles; no public endpoint.
Central logging via AWS CloudWatch with a retention of 1 month for operational and incident-response purposes.
Error monitoring and alerting via Sentry for real-time detection of abnormal behaviour.

3. Measures for restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident

DynamoDB point-in-time recovery (PITR) with a 35-day recovery window on all tables holding personal data.
Cross-AZ redundancy within the eu-central-1 region (AWS-managed): personal data is synchronously replicated across multiple availability zones within Frankfurt.
Recovery procedures documented within the internal incident-response policy. Concrete RTO/RPO targets will be established as part of a dedicated disaster-recovery test (planned).

4. Processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures

Periodic review of access rights and audit logs by the data-protection lead.
Automated dependency scans for vulnerabilities in third-party software on every release.
Changes to PII-touching code are fully documented in the Git commit history and auditable on request by the Controller.

5. Measures for user identification and authorisation

Multi-factor authentication mandatory for all staff of the Processor with access to production systems.
Single sign-on with session timeout of maximum 8 hours.
No shared accounts; every administrative action is traceable to an individual user.

6. Measures for the protection of data during storage and transmission

SMS delivery runs primarily via AWS SNS (AWS Pinpoint) in the eu-central-1 region; if that route is temporarily unavailable, traffic automatically fails over to Twilio (EU infrastructure) as a geo-failover. Both channels are listed in Annex III.
No storage of passwords in plain text; use of industry-standard hashes (Argon2id or bcrypt) where passwords apply.

7. Measures for the protection of data during transmission

All communication between client, Processor and sub-processors runs over encrypted HTTPS (TLS 1.2+).
API endpoints secured via per-installation secret keys (generated when the App is installed, stored in DynamoDB, rotated on re-installation) combined with a shared API Gateway key for request authentication.

8. Measures for the protection of data during storage

Production database (DynamoDB) encrypted at rest with AWS-managed AES-256.
Logs and backups (PITR snapshots) encrypted at rest within the same AWS facility.

9. Measures for ensuring physical security of locations where personal data is processed

The Processor does not operate its own data centres; all production processing takes place within AWS facilities in Frankfurt, Germany, with ISO 27001, SOC 1, SOC 2 and SOC 3 certifications.
Office locations of the Processor are secured with access control and alarm systems.

10. Measures for ensuring events logging

All access to personal data is logged with user ID, masked IP address (in customer-facing surfaces), timestamp and action performed.
Logs are centralised in AWS CloudWatch with a 1-month retention for incident response and audit purposes.

11. Measures for ensuring system configuration, including default configuration

Infrastructure as Code (IaC) via AWS CDK — all infrastructure changes flow through versioned code in Git and are auditable via commit history.
Automated tests for configuration drift; deviations generate automatic alerts.

12. Measures for internal IT and IT-security governance and management (including ISO 27001)

Data-protection, security and incident-response policies are documented and accessible to all staff.
When the team is expanded, a mandatory security-awareness training programme will be put in place for all new staff.
Designated internal lead for data protection: privacy@xylosnap.com.

13. Measures for certification / assurance of processes and products

The primary infrastructure sub-processor (AWS) holds ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 and C5 certifications.
The identity-verification sub-processor holds ISO/IEC 27001 certification and is eIDAS-compliant.

14. Measures for ensuring data minimisation

The Processor receives only the minimum dataset needed for verification: name, phone number, and the result (passed/failed).
Biometric data (selfie, passport scan) is never transmitted to the Processor and remains at the identity sub-processor.

15. Measures for ensuring data quality

Verification results are linked to the ticket immediately upon receipt; no later modification of results is possible.
The Controller can report inaccurate data via support for correction.

16. Measures for ensuring limited data retention

Verification results are retained for the duration of the agreement, subject to legal retention obligations.
Upon termination of the agreement, all personal data is erased within 30 days (automated TTL purge in DynamoDB), in accordance with Clause 9(d).

17. Measures for ensuring accountability

The records of processing activities (Art. 30 GDPR) are kept current and available on request to the Controller and the supervisory authority.
Audit trail of all policy and configuration changes via versioned IaC.

18. Measures for allowing data portability and ensuring erasure

On Controller request, an export of all verification results in a structured, machine-readable format (CSV or JSON) can be provided.
Full erasure within 30 days of contract termination, with written confirmation.

For sub-processors: The Processor contractually imposes on each sub-processor appropriate technical and organisational measures that ensure at least the protection level of this Annex. Specific measures applied by sub-processors can be requested by the Controller.

12Annex III — List of sub-processors

List of sub-processors engaged by Clear Solutions BV for the execution of the processing activities. Intended changes are notified in advance in accordance with Clause 6.7(a).

The Controller has provided the Processor with general written authorisation, in accordance with Clause 6.7, to engage the following sub-processors:

Name & VAT	Activity	Processing location	Transfer outside EEA
Amazon Web Services EMEA SARL BE0684612340	Cloud hosting of the application and database infrastructure (compute, storage, network) and primary SMS delivery via AWS SNS (AWS Pinpoint) for sending the verification link to the end user.	eu-central-1 (Frankfurt, Germany)	No
iDenfy (UAB iDenfy) LT100011161819	Identity verification service: generation of the verification link, document OCR, biometric selfie–passport comparison. iDenfy does not send the SMS itself — that is done by AWS SNS — but performs the actual ID check after the end user clicks the link.	European Union (Lithuania / Ireland)	No
Twilio Inc. (US-headquartered — EU infrastructure used)	SMS delivery exclusively as a geo-failover when the primary SMS route (AWS SNS via Pinpoint) is temporarily unavailable. Twilio's EU region is used; data does not leave the EEA.	EU (Twilio EU region, Ireland/Germany)	No — EU infrastructure only. SCC (Decision 2021/914) as additional safeguard.
Brevo SAS (Sendinblue, France)	Communications platform: sending of transactional and marketing emails to the Controller (e.g. activation confirmation, newsletters). Processes name + email address + company details.	France (EU)	No
Stripe, Inc. (US-headquartered — EU entity: Stripe Payments Europe Ltd, Ireland)	Payment processing for subscriptions and invoicing. Processes billing details, company name and payment data. Does not process verification results or end-user data.	EU (Stripe EU infrastructure, Ireland)	No — EU infrastructure only. SCC (Decision 2021/914) and/or EU-US Data Privacy Framework as additional safeguards.
Functional Software, Inc. (Sentry) (US-headquartered)	Error monitoring and alerting for the backend Lambdas. Processes stack traces, request context and masked IP addresses for incident response. No verification results or biometric data.	EU — Sentry's infrastructure runs on AWS eu-central-1 (Frankfurt) via the de.sentry.io region	No — EU infrastructure only. SCC (Decision 2021/914) as additional safeguard.
Freshworks Inc. (US/India-headquartered — EU region for our account)	Helpdesk platform the App integrates with. The private note containing the verification result is written into the Controller's Freshdesk environment. Freshworks processes this data under its own terms with the customer.	EU region (depending on the Controller's Freshdesk account configuration)	No — EU infrastructure only. SCC (Decision 2021/914) as additional safeguard.

All sub-processors listed above process personal data exclusively within the European Economic Area. For sub-processors headquartered outside the EEA (Twilio, Stripe, Sentry, Freshworks) only their EU-region infrastructure is used; the European Commission's Standard Contractual Clauses (Decision 2021/914) and/or the EU-US Data Privacy Framework apply as additional safeguards. The Processor has concluded written agreements with each sub-processor imposing at least the same data-protection obligations as those imposed on the Processor under this DPA.

13Contact

For questions, audits, requests for assistance or notifications regarding this DPA, please contact us at:

Data protection lead: privacy@xylosnap.com
Legal affairs: legal@xylosnap.com
Registered office: Clear Solutions BV
Bosdreef 8, 2910 Essen
Belgium
Company number (CBE): 0668.982.670

Need a signed copy?

On request we will provide a version of this DPA signed by both parties. Request a copy at privacy@xylosnap.com with your company name and CBE number.

Get in touch →