Data Processing Agreement

This agreement is entered into between WEBOOM BV (UltimaBot.ai), a private limited company with registered office at Kroonstraat 58, 3020 Herent, registered with the Crossroads Bank for Enterprises (CBE) under number 0768.359.467 (hereinafter referred to as "the service provider" or "the processor") and the client in accordance with the concluded service agreement (hereinafter referred to as "the client" or "the controller").

The controller and the processor are individually referred to as "the Party" or jointly as "the Parties";

WHEREAS:

a) The controller (client) holds personal data, the processing of which it wishes to entrust to the processor (service provider) by using the services offered by the processor, specifically the scraping of (personal) data for the purpose of scheduling appointments with the client, using an AI tool. The processor provides these services independently.

b) This agreement establishes the rights and obligations between the Parties regarding the processing of personal data of the controller by the processor in the context of the performance of the service agreement or assignment as agreed between the Parties;

c) This agreement aims to regulate the performance and organization of such processing by the processor and to provide sufficient guarantees with regard to the protection of personal data;

d) That it specifically concerns the technical and organizational measures – as referred to in Article 32 of the General Data Protection Regulation (GDPR) – aimed at ensuring that the processing meets the requirements of the regulation and that the protection of the rights of the data subject is guaranteed;

e) That, when assessing the appropriate level of security, particular account is taken of the risks posed by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

IT IS AGREED THAT:

ARTICLE 1 – DEFINITIONS

In this Data Processing Agreement, the following definitions apply:

- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

- Service Agreement: the agreement between the Parties that sets out their mutual rights and obligations regarding the performance of services by the service provider to the client.

- Assignment: the services to be provided by the service provider to the client, as agreed between the Parties in the form of an accepted quotation or any other package offered by the service provider, outside of any service agreement.

- Subprocessor: another processor engaged by the processor for the processing of personal data under this data processing agreement and the service agreement or assignment. This does not include any independent employees of the processor.

- Processor, third parties, personal data, processing, controller, data subject, pseudonymization, personal data breach: the terms as defined in Article 4 of the GDPR.

ARTICLE 2 – SUBJECT OF THE AGREEMENT

The processor shall act solely on the basis of written instructions from the controller. This provision is literally imposed by Article 28, paragraph 3, of the GDPR. In accordance with the instructions of the controller and the provisions of this agreement, the processor shall process personal data on behalf of the controller only in accordance with the provisions described in Article 3.

The parties expressly and in principle undertake to comply with the provisions of European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

ARTICLE 3 – PURPOSES OF PROCESSING

The processor's task will be to collect personal data using an AI tool developed by the processor and then further process this data for the following purposes:

1. Analyzing (personal) data, websites, and social media profiles of companies;

2. Automatically generating personalized emails using an AI tool developed by the service provider. These emails are generated based on the analyzed (personal) data;

3. Managing follow-up communication with the recipients of the personalized emails, for the purpose of scheduling appointments or having forms provided by the client completed.

4. The processor confirms that any scraping functionality provided as part of the Services is designed to access only publicly available business information. The processor does not permit the collection of special categories of personal data, sensitive data, or data from non-public sources. The controller is solely responsible for ensuring that the processing of any scraped data complies with applicable data protection laws and that a valid legal basis exists when personal data is processed.

The processor does not process special categories of personal data within the meaning of Article 9 GDPR.

ARTICLE 4 – PROVISION OF DATA

To enable the processor to process personal data, that data must be made available to them. This data is provided to them by an AI tool developed by the processor. The controller will, based on its legitimate interest or any other legal basis, instruct the processor on which data can be scraped. It is entirely up to the controller to provide appropriate instructions in this regard, as well as to properly assess whether it can rely on legitimate interest or any other legal basis for processing the personal data.

Only the personal data that are strictly necessary for the purposes described in Article 3 may and can be processed by the processor. The processing of the relevant data, as well as the method of making it available, must always be carried out in a secure manner.

In this context, the controller undertakes not to allow any personal information to be processed without a legal basis for processing within the meaning of Article 6 of the GDPR.

The controller shall not instruct the processor to collect or process data from non-public sources, data of children under 16 years of age, or special categories of personal data within the meaning of Article 9 of the GDPR. The processor explicitly prohibits the use of its services for such data.

ARTICLE 5 – USE OF PERSONAL DATA

The data may be processed by the processor solely for the purposes described in Article 3 of this agreement. This includes the fundamental obligation to use the data only internally and not for its own purposes. The use of subprocessors is permitted, provided the controller has given prior written consent and the processor ensures secure use and implements the necessary measures to prevent data breaches.

Disclosure to other third parties, in any form (e.g., forwarding, dissemination, or otherwise), is prohibited unless required by law. Any legally required disclosure of personal data to third parties must be notified by the processor to the controller in advance, where legally permitted.

The processor may not make copies of the personal data provided, except for secure backups required for service performance. The processor shall not retain or access the data for longer than necessary to deliver the agreed services and, in any case, for no longer than three (3) months after termination of the collaboration with the controller.

After this three-month period, all personal data will be permanently deleted, unless legal obligations require limited retention (e.g., tax, accounting, or fraud prevention purposes).

If the controller instructs the processor to retrieve, modify, or correct specific personal data, the processor shall carry out such instructions in accordance with this agreement.

If the processor receives a direct request from a data subject to access, correct, or delete their personal data, the processor shall forward the request to the controller, who will respond in accordance with its own privacy policy and legal obligations.

The controller has the option to manually delete all or part of its personal data at any time before the end of the retention period via the account interface.

Upon cancellation of the account or early deletion by the controller, the processor shall confirm the deletion and, if applicable, inform the controller if any data must be temporarily retained for legal or regulatory purposes.

ARTICLE 6 – USE OF SUB-PROCESSORS

The Processor is entitled to engage other sub-processors, provided it has obtained the prior written consent of the Controller. The Processor shall enter into a legally binding data processing agreement with each sub-processor, which imposes data protection obligations at least equivalent to those set out in this Agreement and includes sufficient guarantees for the implementation of appropriate technical and organizational measures in accordance with applicable Data Protection Laws.

The Processor shall remain fully liable to the Controller for the performance of any sub-processor’s obligations, including where such sub-processor fails to fulfill its data protection responsibilities.

Upon written request, the Processor shall provide the Controller with an up-to-date list of all sub-processors currently in use or intended to be used. The Processor shall also notify the Controller in writing of any intended changes regarding the addition or replacement of sub-processors, thereby giving the Controller the opportunity to reasonably object.

ARTICLE 7 – SECURITY

The controller and the processor shall both implement appropriate technical and organizational measures to ensure an adequate level of security. The controller shall ensure that the processor implements all the necessary measures (as listed in Article 32 of the GDPR), in particular:

- where possible, the pseudonymization and encryption of personal data;

- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for securing the processing.

In particular, the processor shall protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The processor will always inform the controller of the technical and organizational measures it has implemented to protect personal data against destruction, loss, falsification, and unauthorized disclosure or access.

The processor will also ensure that the locations where personal data are processed on behalf of the controller are not accessible to unauthorized persons. To this end, it will implement the necessary organizational measures, such as:

  • Role-Based Access Control (RBAC):
    Only authorized staff members (e.g., backend devs, system admins) have access to systems that process personal data. Access is granted strictly based on necessity.

  • Two-Factor Authentication (2FA):
    All internal tools, admin panels, and access points (e.g., CRM, scraping system, outreach manager) are protected with mandatory 2FA.

  • Employee GDPR best practices:
    All team members and contractors must follow best practices for GDPR data handling and security.

  • Data Minimization by Design:
    UltimaBot only collects and stores personal data that is strictly necessary for the outreach campaign (e.g., scraped business contact info). No sensitive or excessive personal data is stored.

  • Physical Access Restrictions (if applicable):
    Servers are hosted via cloud providers that are GDPR-compliant (e.g., AWS EU region).

  • Internal Logging & Monitoring:
    Access to customer data is logged and monitored. Suspicious activities trigger automatic alerts and are reviewed manually.

  • User Permissions for Clients:
    Clients using UltimaBot have access only to their own leads, messages, and campaign data. No cross-access between accounts is possible.

  • Subprocessor Oversight:
    All subprocessors (e.g., email providers, scraping APIs, hosting partners) are vetted for GDPR compliance.

  • Incident Response Policy:
    A formal incident response procedure is in place. Any breach is reported to the controller within 48 hours, per Article 8.

In addition to the organizational measures, the processor (UltimaBot) implements the following technical measures to protect personal data:

  • Secure HTTPS Everywhere:
    All web traffic, including admin and client dashboards, is served over HTTPS with valid SSL certificates to ensure secure communication.

  • Data Isolation Per Client:
    Each client’s data is logically separated in the database to prevent data leakage or unauthorized access between accounts.

  • Automated Backups with Redundancy:
    Daily automated backups are performed and stored securely across multiple redundant locations in the EU. Backup access is limited and encrypted.

  • Firewall and IP Restriction Policies:
    Internal systems are protected using firewalls, and sensitive admin systems can be further restricted by IP address where required.

  • API Access Control:
    All APIs are protected by authentication tokens. Rate limiting and logging are enabled to detect abuse.

  • Codebase Security & Dependency Monitoring:
    Regular codebase reviews and automated vulnerability scanning (e.g., for open-source dependencies) are performed to detect and patch known threats.

  • Session Management & Token Expiry:
    User sessions are securely managed using short-lived access tokens and refresh tokens with expiration policies and revocation mechanisms.

  • Fail-Safe Architecture:
    Infrastructure is deployed using fault-tolerant components, ensuring service continuity in the event of partial outages.

  • Penetration Testing & Vulnerability Assessments:
    Regular external penetration testing and internal vulnerability assessments are conducted to identify and address security weaknesses.

ARTICLE 8 – INCIDENTS

The Processor undertakes to report all (attempted) unlawful or otherwise unauthorized processing or access to Personal Data or other confidential information. The Processor shall notify the Controller without undue delay, and no later than 48 hours after discovery of such an incident. The Processor shall also take all reasonably necessary measures to prevent or mitigate (further) breaches of security.

The notification shall include, at a minimum:

  • The nature of the incident

  • The time of discovery

  • The categories of impacted data

  • Immediate measures taken to limit additional damage

  • The time of resolution of the incident (if known)

  • Structural measures taken to prevent recurrence

The Controller remains responsible for reporting Personal Data Breaches that are subject to a statutory notification obligation to the relevant supervisory authority within the applicable legal timeframe. In this context, the Processor undertakes to provide all necessary and timely cooperation to support the Controller in fulfilling this obligation.

ARTICLE 9 – CONFIDENTIALITY AND SECRECY

The Processor is obligated to maintain the confidentiality of the personal data it receives from the Controller. Exceptions to this rule are only possible if the Processor is required to disclose the data by law or court order, or if the data is provided at the request of the Controller.

The confidentiality obligation remains in effect after the transfer or termination of this Agreement.

9.1 The Processor shall implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

9.2 These measures shall include, but are not limited to, encryption of personal data, access control, data integrity safeguards, and regular system monitoring.

9.3 The Processor conducts regular external penetration tests and internal vulnerability assessments to identify and mitigate security risks.

9.4 Test results are reviewed by the Processor’s security team, and high-risk vulnerabilities are prioritized and resolved within industry-standard timelines.

9.5 Upon written request by the Controller, the Processor will provide a summary of penetration test results or attestations to demonstrate security compliance.

ARTICLE 10 – INFORMATION

The processor undertakes to inform persons who have access to the data in accordance with this agreement of the provisions of the General Data Protection Regulation. The processor ensures that any persons authorized to process the personal data have committed themselves to confidentiality or are bound by an appropriate statutory confidentiality obligation.

ARTICLE 11 – VERIFICATION BY THE CONTROLLER

The controller has the right to verify compliance with this agreement.

Upon simple request from the controller, the processor is obligated to provide, within a reasonable period of 15 days, all information necessary to demonstrate compliance with the obligations laid down and to enable and contribute to inspections by the controller or an auditor authorized by the controller.

The controller will implement the necessary technical and organizational measures to the best of its ability. It is liable for any damage caused by processing that infringes applicable privacy regulations, unless the controller is not in any way responsible for the event that caused the damage, for example, in the case of force majeure, being an unusual event that could not have been avoided by taking reasonable measures.

The processor shall be solely and fully liable for any damage resulting from non-compliance with the provisions of this agreement and/or from processing operations carried out outside the instructions of the controller, unless neither it nor any of its subprocessors is in any way responsible for the event that caused the damage, for example, in the event of force majeure, being an abnormal event that could not have been avoided by taking reasonable measures.

However, the processor shall in no way be liable for damage resulting from instructions given by the controller.

ARTICLE 13 – DURATION AND TERMINATION

This agreement is inextricably linked to the service agreement or assignment between the Parties and enters into force on the date of its signature.

This agreement shall automatically terminate upon termination of the service agreement or assignment between the processor/service provider and the controller/client, with the exception of the obligations set out in Article 9.

ARTICLE 14 – CONFLICT AND NULLITY

In the event of a conflict between the provisions of this Data Processing Agreement and the provisions of the Service Agreement between the Parties or the applicable general terms and conditions of the service provider/processor, the provisions of this Data Processing Agreement shall prevail.

The invalidity of any provision of this Data Processing Agreement, and more generally of the provisions governing the legal relationship between the Parties, shall in no way affect the validity of the other clauses, despite the invalidity of the disputed clause. The parties shall make every effort to replace, by mutual agreement, the void clause with a valid clause having the same or substantially the same economic impact as the void clause.

ARTICLE 15 – JURISDICTION AND APPLICABLE LAW

All disputes arising between the client/controller and the service provider/processor arising from the formation, performance, and/or interpretation of this agreement will be submitted to the courts of Leuven.

This agreement is governed by Belgian law.

The controller confirms having read and accepted this agreement by checking the corresponding checkbox during account registration. This agreement is deemed accepted upon creation of the account and forms an integral part of the service agreement.
