Data Processing Agreement (DPA)

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller: The Operator/Client entity registered on the EUDR-X platform (hereinafter "Controller")
• Data Processor: GreenTrust Engineering Consulting, operating the EUDR-X platform (hereinafter "Processor")

This DPA supplements and forms part of the Terms of Service governing the Controller's use of the EUDR-X platform.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed through the platform.
• "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or erasure.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

3. Scope and Purpose of Processing

3.1 Subject matter

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the EUDR-X compliance platform services, including:

• User account management and authentication
• Supplier registration and profile management
• Geolocation data collection and storage for EUDR due diligence
• Document storage and management
• Due Diligence Statement (DDS) case management and export
• Audit logging and traceability

3.2 Categories of data subjects

• Operators (clients) and their employees
• Suppliers and their employees
• Administrative users

3.3 Types of Personal Data

• Contact information (name, email, phone, address)
• Company information (company name, VAT number, country)
• Authentication data (email, login metadata)
• Geolocation data (coordinates, polygons of production plots)
• Activity logs (IP address, user agent, timestamps)
• Uploaded documents (certificates, permits, audit reports)

3.4 Duration

Processing shall continue for the duration of the service agreement. EUDR evidence data is retained for 5 years in accordance with regulatory requirements. Upon termination, data is handled as described in Section 10.

4. Obligations of the Processor

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
   • Encryption of data in transit (TLS 1.2/1.3) and at rest
   • Role-based access control with multi-factor authentication for admin accounts
   • Immutable audit logs with integrity hashing
   • Daily automated backups
   • Web application firewall with rate limiting
4. Not engage another processor without prior written authorization of the Controller. The current list of sub-processors is available at /subprocessors.
5. Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
6. Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation.
7. At the Controller's choice, delete or return all Personal Data after the end of the provision of services, unless retention is required by law.
8. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR.

5. Obligations of the Controller

The Controller shall:

1. Ensure that the processing of Personal Data through the platform has a lawful basis under GDPR.
2. Provide clear and documented instructions to the Processor regarding the processing of Personal Data.
3. Ensure that data subjects have been informed of the processing in accordance with Articles 13 and 14 GDPR.
4. Notify the Processor without undue delay if any data subject exercises their rights under GDPR.

6. Sub-processors

The Controller authorizes the Processor to engage the sub-processors listed at /subprocessors.

The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.

7. Data Transfers

All Personal Data is processed and stored within the European Union / European Economic Area. No transfers to third countries are made. Should this change, the Processor will ensure appropriate safeguards under Chapter V GDPR (e.g., Standard Contractual Clauses).

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach. The notification shall include:

• The nature of the breach, including categories and approximate number of data subjects affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach

9. Audits

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide at least 14 days written notice before any audit. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.

10. Termination and Data Return

Upon termination of the service agreement:

1. The Processor shall, at the Controller's choice, return or delete all Personal Data within 30 days, unless retention is required by EU or Member State law.
2. EUDR evidence data subject to the 5-year regulatory retention period shall be retained as required and deleted upon expiration.
3. The Processor shall provide written certification of data deletion upon request.

11. Governing Law

This DPA shall be governed by the laws of the Hellenic Republic (Greece) and the provisions of the GDPR. Any disputes shall be submitted to the competent courts of Athens, Greece.

12. Signatures

By signing below, both parties agree to the terms of this Data Processing Agreement.

← Back to Terms of Service