Effective Date: March 28, 2026
Date: March 28, 2026
Between / Parties
(1) APPNUMA UNIPESSOAL LDA, a private limited company (sociedade unipessoal por quotas) incorporated in Portugal, registered office Rua Principal nº 38, 2350-479 Torres Novas, Portugal, corporate ID 514 751 835, represented by Mr. Filipe Vieira – hereafter “Vendor.”
(2) [CUSTOMER LEGAL NAME], [nationality], Tax ID [__], address [__] – hereafter “Customer.”
Vendor and Customer together are the “Parties,” and each individually a “Party.”
Product: Vendor’s “YourAgent24” cloud service – 24/7 AI chat-bot and web dashboard.
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on Personal Data (collection, storage, retrieval, use, disclosure, deletion, etc.). |
| Controller | The Customer – decides the purposes and means of Processing. |
| Processor | The Vendor – processes Personal Data on the Controller’s behalf. |
| Sub-processor | Any third party engaged by the Processor to process Personal Data for the Controller. |
This Data-Processing Addendum (“Addendum”) forms part of the main service agreement and sets the terms under which the Vendor processes Personal Data for the Customer when delivering YourAgent24.
Vendor shall process Personal Data only on documented instructions from the Customer, including with respect to international transfers, unless Union or Member-State law requires otherwise.
Vendor ensures every person authorised to process Personal Data is bound by confidentiality.
Taking into account the nature of the Processing, Vendor shall assist Customer - through appropriate technical and organisational measures - in responding to data-subject requests.
Vendor shall implement technical and organisational measures ensuring a level of security appropriate to the risk, including:
The specific measures currently in place are described in Annex II – Technical & Organisational Measures, which forms an integral part of this Addendum.
7.1 Authorised Sub-processors – see Annex I. Vendor will notify Customer 30 days before adding or replacing a sub-processor.
7.2 Liability – Vendor remains fully liable for each sub-processor’s performance.
8.1 Data Storage – Production Personal Data for the Service is primarily stored and processed in the United States, unless otherwise agreed in writing for a specific deployment.
8.2 Transfers from the EEA/UK – Where Customer or data subjects are in the EEA or UK, transfers to the United States rely on GDPR Chapter V mechanisms (including Standard Contractual Clauses and, where applicable, vendor certifications such as the EU-US Data Privacy Framework).
8.3 Sub-processors – Additional transfers to sub-processors listed in Annex I follow the same principles.
8.4 Other Transfers – All international transfers follow applicable GDPR (or UK equivalent) mechanisms.
Vendor shall notify Customer without undue delay after becoming aware of a Personal-Data Breach and provide all information required for regulator / data-subject notices.
At termination, Vendor will - at Customer’s choice - delete or return all Personal Data (and delete remaining copies) unless law requires retention.
Vendor will supply information needed to demonstrate compliance and allow one remote audit per year on 14 days’ notice.
Vendor is liable for damages caused by Processing that breaches this Addendum or GDPR, subject to any caps in the main agreement.
This Addendum is governed by EU law and, where applicable, Portuguese law. Courts of Portugal have exclusive jurisdiction.
Any amendment must be in writing and signed by both Parties.
If any provision is invalid, the remainder stays in effect.
| Vendor (Processor) | Customer (Controller) |
|---|---|
| By: __ | By: __ |
| Name: __ | Name: __ |
| Title: ___ | Title: ___ |
| Date: __ | Date: __ |
| # | Name / Role | Primary processing location | Transfer / certification safeguard |
|---|---|---|---|
| 1 | Akamai Connected Cloud (Linode) – infrastructure host | United States (primary production region) | ISO 27001; SCC 2021 / DPF as applicable; supplementary measures per Vendor assessment |
| 2 | Mailgun – transactional e-mail API | United States (sending region as configured) | SCC 2021 + EU-US DPF (Mailgun/Sinch); configuration-dependent |
| 3 | OpenAI, LLC – language-model API | United States | SCC 2021 + SOC 2 Type II + ISO 27001 |
| 4 | Make.com – workflow automation (customer-configured webhooks) | Varies by customer scenario (may include US / EEA) | Customer’s transfer posture; Vendor SCCs where Vendor processes |
| 5 | HubSpot – CRM & marketing automation (optional integration) | Varies by HubSpot account region (often US or EU) | HubSpot DPA + SCC 2021 + SOC 2 + EU-US DPF as applicable |
| 6 | Stripe, Inc. – payment processing | United States and other Stripe processing locations | Stripe DPA + SCC 2021 + certifications as per Stripe |
| 7 | Twilio Inc. – SMS / messaging | United States and other Twilio processing locations | Twilio DPA + SCC 2021 / DPF as applicable |
| 8 | Google LLC – Google Analytics (marketing site) | United States and other Google locations | Google Ads Data Processing Terms + SCCs / DPF as applicable |
| 9 | Cookie-Script – cookie consent management | EU / US (per Cookie-Script) | Vendor DPA + SCCs as applicable |
| 10 | YourAgent24 application engine – AI/NLP processing service (operated by or on behalf of Vendor) | United States (primary) — region as deployed | Same safeguards as Vendor processing; technical controls per Annex II |
Vendor will give Customer 30 days’ notice before adding or replacing any sub-processor.
tenant_id via framework-level row filters or native row-level security.

| Acronym | Meaning |
|---|---|
| GDPR | General Data Protection Regulation (EU 2016/679) |
| SCCs | Standard Contractual Clauses (EU 2021/914) |
| DPF | EU-US Data-Privacy Framework |