Appendix 1 to Cobuilder Platform General Terms and Conditions: Data Processing Agreement (“DPA”)

1. Purpose

This DPA, including any annexes, alterations and updates, regulates the relationship between the Parties in light of the GDPR (the EU’s General Data Protection Regulation (EU) 2016/679), where the Customer acts as the Data Controller (within the meaning of the GDPR) and Cobuilder acts as the Data Processor (within the meaning of the GDPR).

The DPA aims to specify under which terms Cobuilder, as the Data Processor of personal data provided by the Customer, may process such data and to give Cobuilder a legal basis for any processing according to the General T&C or the Customer’s explicit requests.

The Data Processor and any person acting on behalf of the Data Processor, which has access to personal data, shall process said data only on documented instructions from the Data Controller. The Parties agree that this DPA constitutes such instructions from the Customer. The Customer warrants that it shall ensure that new purposes/processing activities shall be documented in writing prior to being implemented by Cobuilder.

The personal data that may be processed by Cobuilder pursuant to the General T&C includes the personal data made available by the Customer to Cobuilder through the use of the Cobuilder Platforms and includes Customer Employees’ names, email addresses, phone numbers, passwords, and job title.

Cobuilder processes personal data of Customer Employees only to the extent such processing is required for Cobuilder to fulfill their obligations according to the General T&C, Specific T&C, Customer’s instructions and applicable laws.

2. Data Processor’s Obligations

The Data Processor shall comply with Data Controller’s requested procedures and instructions for any personal data processing. The Data Controller hereby requests that the Data Processor keep the Customer and the Customer Employees updated, with email and text message correspondence, on the products and services delivered according to the Agreement, including new features, manuals, technical developments, campaigns, and similar information. Any individual who does not wish to receive such updates must be able to unsubscribe from these. The Data Processor shall assist the Data Controller with complying with their responsibilities under applicable personal data legislation, hereunder the GDPR, including the Data Controller’s duty to respond to requests from data subjects to exercise his/her rights as a data subject and ensure compliance with the GDPR articles 32 through 36.

Unless otherwise agreed upon or provided by law, the Data Controller has the right to access and inspect the personal data processed and the systems used for this purpose. The Data Processor is obliged to provide necessary assistance to this.

The Data Processor shall keep the Data Controller’s documentation and personal data confidential. This provision also applies after the DPA’s termination. The Data Processor shall ensure that persons authorized to process the personal data are contractually obligated to process the information confidentially if such person is not subject to an appropriate statutory duty of confidentiality.

The Data Processor shall undertake necessary technical and organizational measures to achieve a level of security appropriate to the risks associated with the processing of personal data and to ensure that the processing meets the requirements of applicable data protection legislation, including the requirements of the GDPR, and the protection of the rights of the data subject. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes the GDPR or other statutory provisions on the protection of personal data.

3. Use of Sub-Processor

The Data Processor shall not engage a sub-processor without obtaining a prior specific or general written permission for this from the Data Controller. If Cobuilder has received general written permission, Cobuilder shall inform the Customer of plans to use other sub-processors, thereby giving the Customer the opportunity to object. All of Cobuilder’s sub-processors shall be familiar with the terms in this DPA and comply with the same conditions. An overview of the Data Processor’s sub-processors is available in Annex A to this DPA. The Annex A shall be updated if there are changes to the use of sub-processors.

4. Data Controller’s Rights And Obligations

The Data Controller has the rights and obligations that applicable law at any given time requires of the Data Controller for the processing of personal data. In the event of violations of this DPA or the GDPR, the Data Controller may require of the Data Processor to stop further processing of the data with immediate effect.

5. Security and Audits

An overview of the Data Processor’s technical and organizational security measures is available in Annex B to this DPA. The Data Processor shall notify the Data Controller of any security breaches without undue delay. The Controller is responsible for forwarding the notification to the relevant authority.

The Data Controller may, at their own cost, carry out audits of the Data Processor’s processing of the personal data. The Data Processor shall, upon request, enable and contribute to audits, including inspections, carried out by the Data Controller or another inspector, authorized by the Data Controller. Upon request, the Data Processor shall make available to the Data Controller all information necessary to demonstrate that the requirements set out in this DPA are met, hereunder security documentation.

6. Duration and Termination

The DPA applies as long as the Data Processor is processing personal data on behalf of the Data Controller, and the DPA follows the same rules for termination as the Agreement.

Subject to the Data Controller’s decision, the Data Processor shall delete or return all personal data received on behalf of the Data Controller to the Data Controller after the end of the provision of the services relating to processing (upon the termination of this DPA). The Data Processor shall delete existing copies of such personal data, documents, and data unless laws require the personal data or such documents/data to be stored. This also applies to any backups.

7. Notices And Disputes Resolution

Notices according to this DPA shall be sent by email to the Parties’ contact persons according to the Agreement. The DPA shall be regulated by the same national legislation and disputes shall be settled by the same courts of law as agreed upon in the Agreement.

Cobuilder, 1 April 2025.

Annex A to the DPA: Data Processor’s Subprocessors

The Data Processor shall inform the Customer in advance of each supplier that the Data Processor wishes to use to assist with the processing of personal data on behalf of the Customer.

Name of Subcontractor | Processing of data | Country | Website
Paraflow Communications Ltd. | Cloud Service Provider for Microsoft Azure | Sofia, Bulgaria | https://www.paraflow.bg/
Microsoft Azure | IT Infrastructure | The Netherlands | https://azure.microsoft.com/en-us/overview/what-is-azure/
Cobuilder International Ltd. (fully owned subsidiary of Cobuilder AS) | Development, support, marketing, accounting | Sofia, Bulgaria | This document

Annex B to the DPA: Data processor’s general processing security

The Data Processor warrants that appropriate technical and organisational security measures are in place at all times to ensure adequate information security, so that personal data is protected against unlawful or involuntary destruction, loss, damage, alteration or unauthorised access. This applies in particular where the processing involves the transmission of data over a network, and to all other unlawful forms of transmission of data.

Such technical and organisational security measures include, but are not limited to: physical access control, digital access control (such as password protection), access control, transmission control and restriction of availability. The Supplier follows the guidelines for information security in accordance with ISO/IEC 27001:2022. See also the Supplier’s privacy policy on the website https://cobuilder.com/en/privacy-policy/.

This means that the Processor shall implement measures to ensure that the Controller’s personal data is kept confidential, and ensure that personal data is not made available illegally or lost. Furthermore, the Processor shall implement measures to prevent unauthorised manipulation or destruction of personal data, and measures to stop viruses and other harmful programs. The Processor is obliged to keep the Controller’s personal data separate from any third party data in order to reduce the risk of damage and/or unauthorised access to the personal data. Segregation means all technical measures necessary to ensure that the personal data is protected from unauthorised access and destruction, and that these are implemented and maintained. If the Processor’s employees, who do not have a business need for access, have access to the Controller’s personal data, this is considered unauthorised access. The Processor shall ensure that service providers of third party solutions implement necessary and sufficient security measures to secure the Controller’s personal data.

The Processor shall, at the request of the Controller, make available all information necessary to demonstrate fulfilment of the obligations set out in this Data Processing Agreement.

1. Definitions

Organisational security measures

  1. Security management
      1. Roles and responsibilities: The Processor has implemented an information security and data protection management system with regard to the processing of personal data:
        • Roles and responsibilities related to the processing of personal data are clearly defined and allocated in accordance with the security policy.
        • In the event of internal reorganisations or terminations and changes to employment relationships, revocation of rights and obligations with respective handover procedures are clearly defined.
      2. Access control policy: Specific access control rights are assigned to each role involved in the processing of personal data, on a need-to-know basis.

In addition to access control and policy-based time-outs when a user is not active on their workstation, employees regularly undergo security awareness training.

      3. Resource/asset management: The Processor maintains a register of the IT resources used for processing personal data (hardware, software and networks). A specific person is assigned the responsibility of maintaining and updating the register (e.g. IT Director).
      4. Change management: The Processor ensures that all changes to the IT system are recorded and monitored by a designated person (e.g. IT or Security Officer). Regular monitoring of this process takes place.
  2. Incident response and business continuity
    1. Handling of incidents/breaches of personal data:
      • An incident response plan with detailed procedures has been defined to ensure effective and orderly response to incidents related to personal data.
      • The Processor will without undue delay report to the Controller any security incident that has resulted in the loss, misuse or unauthorised acquisition of personal data.
    2. Business continuity: The Processor establishes the main procedures and controls to be followed to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).
  3. Human resources
    1. Confidentiality of personnel: The Processor ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.
    2. Training: The Processor ensures that all employees are adequately informed about the security controls of the IT system related to their everyday work. Employees involved in the processing of personal data are also well informed about relevant data protection requirements and legal obligations through regular awareness campaigns.

Technical security measures

  1. Access control and authentication

An access control system that applies to all users who have access to the IT system has been implemented. The system makes it possible to create, approve, review and delete user accounts.

    • The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the shared account have the same roles and responsibilities.
    • When granting access or assigning user roles, the “need-to-know principle” is followed to limit the number of users who have access to personal data only to those who need it to fulfil the Processor’s processing purposes.
    • Where authentication mechanisms are based on passwords.
    • The authentication credentials (such as user ID and password) should never be transmitted unprotected over the network.
  2. Logging and monitoring:

Log files are activated for each system/application used to process personal data. They include all types of access to data (viewing, modification, deletion).

  3. Security for data at rest
    1. Server/database security

Database and application servers are configured to run under a dedicated account with the minimum OS privileges needed to function correctly.

Database and application servers only process the personal data that is actually necessary to process in order to fulfil the processing purposes.

    2. Workstation security:
      • Users cannot disable or bypass security settings.
      • Anti-virus applications and detection signatures are configured on a regular basis.
      • Users do not have the right to install or disable unauthorised programs.
      • The system times out when the user has not been active for a certain period of time.
      • Critical security updates released by the operating system developer are installed regularly.
      • All workstations have encrypted hard drives.
  4. Network/communication security:
    • Whenever access is made via the Internet, the communication is encrypted through cryptographic protocols.
    • Traffic to and from the IT system is monitored and controlled through firewalls and intrusion detection systems.
  5. Backup:
    • Backup and data recovery procedures are defined, documented and clearly linked to roles and responsibilities.
    • Backups are given an appropriate level of physical and environmental protection in accordance with the standards applied to the original data.
    • Execution of backups is monitored to ensure completion.
  6. Mobile/portable devices:
    • Procedures for managing mobile and wearable devices are defined and documented, establishing clear rules for proper use.
  7. Application lifecycle security:

During the development lifecycle, best practices, state-of-the-art and well-recognised safe development practices or standards are followed.

  8. Deletion/disposal of data:

Software-based overwriting or physical destruction is performed on the media before it is disposed of. In cases where overwriting is not possible (CDs, DVDs, etc.), physical destruction is performed.

    • Shredding of paper and portable media used to store personal data is performed.
  9. Physical security:

The physical perimeter of the IT system infrastructure is not accessible to unauthorised personnel. Appropriate technical measures (e.g. intrusion detection system, locking systems based on code access cards) or organisational measures (e.g. security guard) are put in place to protect security areas and their access points from unauthorised entry.