evroc - Data Processing Addendum

Last updated: March 23, 2026

1 Introduction

1.1 This Data Processing Addendum ("DPA") supplements the evroc – General Terms and Conditions and forms an integral part of the Agreement (as defined in the evroc – General Terms and Conditions) between the Customer and evroc regarding the Customer's access to and use of the Services.

1.2 This DPA applies to the extent Customer Content contains personal data and such personal data is processed by evroc on behalf of the Customer. In this context, evroc will act as processor to the Customer, who can act either as controller or processor of personal data included in Customer Content.

1.3 Description of the data processing covered by this DPA:

Subject matter and nature of processing: Compute, storage and such other Services as described in the Agreement with respect to personal data included in Customer Content.

Categories of data subjects: Data subjects may include employees, customers, business contact persons and other data subjects whose personal data is included in Customer Content by the Customer.

Categories of personal data: Personal data may include name, contact details and other personal data included in Customer Content by the Customer.

Purpose of the processing: Provision of the Services to the Customer.

Duration of the processing: During the term of the Agreement.

2 Definitions

2.1 The terms used in this DPA shall have the same meaning as used in the Agreement, unless this DPA assigns a different meaning.

2.2 The term "Data Protection Laws" shall mean the EU General Data Protection Regulation (EU 2016/679) ("GDPR") and laws, rules and regulations issued pursuant to or under the GDPR and which are directly applicable to the processing of personal data within the scope of this DPA.

2.3 Expressions used in this DPA, e.g. 'controller', 'processor', 'data subject', 'personal data', 'processing', 'personal data breach' etc., shall be construed in accordance with the meaning given to them in the Data Protection Laws.

3 General obligations of the Customer

3.1 The Customer is responsible for ensuring that the processing of personal data takes place in accordance with the Data Protection Laws.

3.2 The Customer confirms that this DPA constitute all the Customer's documented instructions regarding evroc's processing of personal data on behalf of the Customer.

4 General obligations of evroc

4.1 evroc may process personal data for purposes necessary for the performance of its obligations under the Agreement and in accordance with the Customer's documented instructions set out in this DPA, unless otherwise provided by the Data Protection Laws.

4.2 If evroc considers that it has insufficient instructions for the processing of personal data according to this DPA or considers that an instruction infringes the Data Protection Laws, evroc shall notify the Customer and await further instructions. If the Customer provides additional instructions in addition to what is expressly stated in this DPA, evroc is entitled to compensation for costs and additional work performed in order to comply with such instructions.

4.3 evroc shall ensure that persons authorized to process personal data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and will process personal data in accordance with the instructions from the Customer set out in this DPA, unless otherwise provided by the Data Protection Laws.

5 Assistance

5.1 evroc shall, upon written request, taking into account the nature of the processing assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR.

5.2 evroc shall, upon written request, assist the Customer in ensuring compliance with the Customer's obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to evroc.

5.3 In relation to Article 33 of GDPR, evroc shall notify the Customer without undue delay and in any event within twenty-four (24) hours after becoming aware of any Security Incident or Personal Data Breach affecting Customer Content. Notifications shall include, to the extent available: nature of the incident, affected services/data categories, likely consequences, and mitigation steps taken/planned. evroc shall cooperate in good faith and provide reasonable assistance to support Customer's regulatory obligations (including timelines relevant for supervisory authority notification).

5.4 evroc shall be entitled to compensation for any assistance which evroc provides to the Customer in accordance with this Section 5.

6 Sub-processors and international data transfers

6.1 As of today, evroc has not engaged any sub-processor to provide processing activities on personal data on behalf of the Customer.

6.2 evroc will inform the Customer of any intended changes concerning an addition or replacement (if and when applicable) of sub-processors on evroc's Website, thereby giving the Customer thirty (30) days to object to such changes. evroc will provide the Customer with a mechanism to obtain notice of any changes regarding sub-processors. In case the Customer objects to such changes, the Parties shall discuss in good faith reasonable alternatives. If evroc cannot accommodate (in its sole discretion), the Customer shall either terminate the Agreement pursuant to its terms and subject to the notice of termination period which is set forth in the Agreement, or cease using the Service for which evroc has engaged the sub-processor.

6.3 If evroc engages any sub-processors to provide processing activities on personal data on behalf of the Customer, evroc shall ensure that such sub-processors: (i) are bound by written agreements that require them to comply with corresponding obligations to those contained in this DPA, and (ii) ensure that the personal data will be handled and stored within the EU/EEA by a natural or legal person who is established in the EU/EEA.

7 Security

The Parties shall implement appropriate technical and organisational measures to protect personal data taking into account the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. For evroc, this means that evroc shall maintain the technical and organizational measures set out in the Service Terms and on evroc's Website. The Customer confirms that the security measures fulfill the Customer's requirements and the requirements of the Data Protection Laws. In the event the Customer requests a change of the security measures, evroc shall be entitled to compensation for costs and additional work performed in order to comply with such request.

8 Audits

8.1 evroc shall upon written request and at the Customer's expense provide the Customer with all information necessary to demonstrate compliance with evroc's obligations under this DPA.

8.2 Upon thirty (30) day's written notice and at the Customer's expense, the Customer or any third-party auditor mandated by the Customer shall have the right to audit the processing of personal data under this DPA. Any on-site inspection will be conditional upon compliance with evroc's work rules, security requirements and confidentiality standards and must not interrupt evroc's day-to-day business activities.

9 Liability

Each Party shall be liable for any administrative fines imposed on it by supervisory authorities that are intended to punish that Party for its violations of the Data Protection Laws. Otherwise, evroc's liability shall be limited in accordance with the terms of the Agreement.

10 Term

This DPA will continue in force until the termination of the Agreement.

11 Effects of termination

Upon written request by Customer made within thirty (30) days after the effective date of termination of the Agreement, evroc shall at the Customer's expense return all personal data to the Customer in accordance with the General Terms. In the absence of any such request, evroc shall without undue delay delete all such personal data following termination of the Agreement, unless evroc is required to store the personal data under applicable law.

12 Miscellaneous

The provisions set forth in the Agreement regarding governing law and dispute resolution shall apply to this DPA.