Data Processing Agreement

This agreement is entered into between WEBOOM BV (UltimaBot.ai), a private limited company with registered office at Kroonstraat 58, 3020 Herent, registered with the Crossroads Bank for Enterprises (CBE) under number 0768.359.467 (hereinafter referred to as "the service provider" or "the processor") and the client in accordance with the concluded service agreement (hereinafter referred to as "the client" or "the controller").

The controller and the processor are individually referred to as "the Party" or jointly as "the Parties";

WHEREAS:

a) The controller (client) holds personal data, the processing of which it wishes to entrust to the processor (service provider) by using the services offered by the processor, specifically the scraping of (personal) data for the purpose of scheduling appointments with the client, using an AI tool. The processor provides these services independently.

b) This agreement establishes the rights and obligations between the Parties regarding the processing of personal data of the controller by the processor in the context of the performance of the service agreement or assignment as agreed between the Parties;

c) This agreement aims to regulate the performance and organization of such processing by the processor and to provide sufficient guarantees with regard to the protection of personal data;

d) That it specifically concerns the technical and organizational measures – as referred to in Article 32 of the General Data Protection Regulation (GDPR) – aimed at ensuring that the processing meets the requirements of the regulation and that the protection of the rights of the data subject is guaranteed;

e) That, when assessing the appropriate level of security, particular account is taken of the risks posed by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

IT IS AGREED THAT:

ARTICLE 1 – DEFINITIONS

In this Data Processing Agreement, the following definitions apply:

- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

- Service Agreement: the agreement between the Parties that sets out their mutual rights and obligations regarding the performance of services by the service provider to the client.

- Assignment: the services to be provided by the service provider to the client, as agreed between the Parties in the form of an accepted quotation or any other package offered by the service provider, outside of any service agreement.

- Subprocessor: another processor engaged by the processor for the processing of personal data under this data processing agreement and the service agreement or assignment. This does not include any independent employees of the processor.

- Processor, third parties, personal data, processing, controller, data subject, pseudonymization, personal data breach: the terms as defined in Article 4 of the GDPR.

ARTICLE 2 – SUBJECT OF THE AGREEMENT

The processor shall act solely on the basis of written instructions from the controller. This provision is literally imposed by Article 28, paragraph 3, of the GDPR. In accordance with the instructions of the controller and the provisions of this agreement, the processor shall process personal data on behalf of the controller only in accordance with the provisions described in Article 3.

The parties expressly and in principle undertake to comply with the provisions of European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

ARTICLE 3 – PURPOSES OF PROCESSING

The processor's task will be to collect personal data using an AI tool developed by the processor and then further process this data for the following purposes:

1. Analyzing (personal) data, websites, and social media profiles of companies;

2. Automatically generating personalized emails using an AI tool developed by the service provider. These emails are generated based on the analyzed (personal) data;

3. Managing follow-up communication with the recipients of the personalized emails, for the purpose of scheduling appointments or having forms provided by the client completed.

The processor does not process special categories of personal data within the meaning of Article 9 GDPR.

ARTICLE 4 – PROVISION OF DATA

To enable the processor to process personal data, that data must be made available to them. This data is provided to them by an AI tool developed by the processor. The controller will, based on its legitimate interest or any other legal basis, instruct the processor on which data can be scraped. It is entirely up to the controller to provide appropriate instructions in this regard, as well as to properly assess whether it can rely on legitimate interest or any other legal basis for processing the personal data.

Only the personal data that are strictly necessary for the purposes described in Article 3 may and can be processed by the processor. The processing of the relevant data, as well as the method of making it available, must always be carried out in a secure manner.

In this context, the controller undertakes not to allow any personal information to be processed without a legal basis for processing within the meaning of Article 6 of the GDPR.

The controller shall not instruct the processor to collect or process data from non-public sources, data of children under 16 years of age, or special categories of personal data within the meaning of Article 9 of the GDPR. The processor explicitly prohibits the use of its services for such data.

ARTICLE 5 – USE OF PERSONAL DATA

The data may be processed by the processor solely for the purposes described in Article 3 of this agreement. This includes the fundamental obligation to use the data solely internally. However, the use of subprocessors is permitted provided the controller has given prior written consent and provided the processor can guarantee its secure use and takes the necessary measures to prevent any breaches.

Disclosure to other third parties, in any manner whatsoever (by forwarding, dissemination, or otherwise), is prohibited, unless required by law. Any legally required disclosure of the personal data subject to this agreement to third parties must be notified by the processor to the controller, if possible in advance.

The processor is prohibited from making copies of the data provided, except for backup purposes, if this is necessary for the performance of the assignment as described in this agreement. The processor will not retain or access the data for longer than is necessary to perform the service for which it is provided and for at least three months after termination of the collaboration with the client/controller.

If the data is no longer needed after this period, the processor will destroy it or return it to the controller, unless the law applicable to the processor prohibits it from securely returning or destroying all or part of the personal data transferred. In that case, the processor guarantees that it will respect the confidentiality of the personal data transferred and that it will not actively process the personal data transferred.

If the processor is instructed by the controller to retrieve, modify, or correct personal data, it will perform this task in accordance with the provisions of this agreement and the instructions given by the controller.

If the processor receives a direct request from a data subject to access, modify or correct their personal data, the processor will forward the request to the controller, who will comply with it in accordance with its Privacy Policy.

Upon request by the controller, the processor shall delete specific personal data or all retained data earlier than the default retention period. The processor will comply with such requests without undue delay, unless legal obligations prevent immediate deletion.

ARTICLE 6 – USE OF SUB-PROCESSORS

The processor is entitled to employ other sub-processors provided it has obtained the prior written consent of the controller. It is the responsibility of the first processor to conclude a data processing agreement with the second (or third party, etc.) processor, with the obligation to provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures.

If the other processor fails to comply with its data protection obligations, the first processor remains fully liable to the controller for fulfilling the obligations of that other processor.

If requested, the processor will provide the controller with a list of the sub-processors it uses or may use.

ARTICLE 7 – SECURITY

The controller and the processor shall both implement appropriate technical and organizational measures to ensure an adequate level of security. The controller shall ensure that the processor implements all the necessary measures (as listed in Article 32 of the GDPR), in particular:

- where possible, the pseudonymization and encryption of personal data;

- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for securing the processing.

In particular, the processor shall protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The processor will always inform the controller of the technical and organizational measures it has implemented to protect personal data against destruction, loss, falsification, and unauthorized disclosure or access.

The processor will also ensure that the locations where personal data are processed on behalf of the controller are not accessible to unauthorized persons. To this end, it will implement the necessary organizational measures, such as:

  • Role-Based Access Control (RBAC):
    Only authorized staff members (e.g., backend devs, system admins) have access to systems that process personal data. Access is granted strictly based on necessity.

  • Two-Factor Authentication (2FA):
    All internal tools, admin panels, and access points (e.g., CRM, scraping system, outreach manager) are protected with mandatory 2FA.

  • Employee GDPR best practices:
    All team members and contractors must follow best practices for GDPR data handling and security.

  • Data Minimization by Design:
    UltimaBot only collects and stores personal data that is strictly necessary for the outreach campaign (e.g., scraped business contact info). No sensitive or excessive personal data is stored.

  • Physical Access Restrictions (if applicable):
    Servers are hosted via cloud providers that are GDPR-compliant (e.g., AWS EU region).

  • Internal Logging & Monitoring:
    Access to customer data is logged and monitored. Suspicious activities trigger automatic alerts and are reviewed manually.

  • User Permissions for Clients:
    Clients using UltimaBot have access only to their own leads, messages, and campaign data. No cross-access between accounts is possible.

  • Subprocessor Oversight:
    All subprocessors (e.g., email providers, scraping APIs, hosting partners) are vetted for GDPR compliance.

  • Incident Response Policy:
    A formal incident response procedure is in place. Any breach is reported to the controller within 48 hours, per Article 8.

In addition to the organizational measures, the processor (UltimaBot) implements the following technical measures to protect personal data:

  • Secure HTTPS Everywhere:
    All web traffic, including admin and client dashboards, is served over HTTPS with valid SSL certificates to ensure secure communication.

  • Data Isolation Per Client:
    Each client’s data is logically separated in the database to prevent data leakage or unauthorized access between accounts.

  • Automated Backups with Redundancy:
    Daily automated backups are performed and stored securely across multiple redundant locations in the EU. Backup access is limited and encrypted.

  • Firewall and IP Restriction Policies:
    Internal systems are protected using firewalls, and sensitive admin systems can be further restricted by IP address where required.

  • API Access Control:
    All APIs are protected by authentication tokens. Rate limiting and logging are enabled to detect abuse.

  • Codebase Security & Dependency Monitoring:
    Regular codebase reviews and automated vulnerability scanning (e.g., for open-source dependencies) are performed to detect and patch known threats.

  • Session Management & Token Expiry:
    User sessions are securely managed using short-lived access tokens and refresh tokens with expiration policies and revocation mechanisms.

  • Fail-Safe Architecture:
    Infrastructure is deployed using fault-tolerant components, ensuring service continuity in the event of partial outages.

  • Penetration Testing & Vulnerability Assessments:
    Regular external penetration testing and internal vulnerability assessments are conducted to identify and address security weaknesses.

ARTICLE 8 – INCIDENTS

The processor undertakes to report all (attempts at) unlawful or otherwise unauthorized processing or access to personal data or other confidential information. The processor shall notify the controller immediately, no later than 48 hours after discovering the incident. In addition, the processor shall take all reasonably necessary measures to prevent or mitigate (further) breaches of the security measures.

In this notification, the processor shall indicate at least the following:

  • Nature of the incident
  • Time of discovery
  • Impacted data
  • Immediate measures taken to limit additional damage
  • Time of resolution of the incident
  • Structural measures taken for future prevention

The controller shall report data breaches subject to a statutory reporting obligation to the relevant supervisory authority within the legally stipulated timeframe. In this context, the processor undertakes to provide the necessary and timely cooperation.

ARTICLE 9 – CONFIDENTIALITY AND SECRECY

The processor is obligated to maintain the confidentiality of the personal data it receives from the controller. Exceptions to this rule are only possible if the processor is required to disclose the data by law or court order, or if the data is provided at the request of the controller.
The confidentiality obligation remains in effect after the transfer or termination of this agreement.

ARTICLE 10 – INFORMATION

The processor undertakes to inform persons who have access to the data in accordance with this agreement of the provisions of the General Data Protection Regulation. The processor ensures that any persons authorized to process the personal data have committed themselves to confidentiality or are bound by an appropriate statutory confidentiality obligation.

ARTICLE 11 – VERIFICATION BY THE CONTROLLER

The controller has the right to verify compliance with this agreement.

Upon simple request from the controller, the processor is obligated to provide, within a reasonable period of 15 days, all information necessary to demonstrate compliance with the obligations laid down and to enable and contribute to inspections by the controller or an auditor authorized by the controller.

The controller will implement the necessary technical and organizational measures to the best of its ability. It is liable for any damage caused by processing that infringes applicable privacy regulations, unless the controller is not in any way responsible for the event that caused the damage, for example, in the case of force majeure, being an unusual event that could not have been avoided by taking reasonable measures.

The processor shall be solely and fully liable for any damage resulting from non-compliance with the provisions of this agreement and/or if it has carried out processing operations outside the instructions of the controller, unless neither it nor any of its subprocessors is in any way responsible for the event that caused the damage, for example, in the event of force majeure, being an abnormal event that could not have been avoided by taking reasonable measures.

However, the processor shall in no way be liable for damage resulting from instructions given by the controller.

ARTICLE 13 – DURATION AND TERMINATION

This agreement is inextricably linked to the service agreement or assignment between the Parties and enters into force on the date of its signature.

This agreement shall automatically terminate upon termination of the service agreement or assignment between the processor/service provider and the controller/client, with the exception of the obligations set out in Article 9.

ARTICLE 14 – CONFLICT AND NULLITY

In the event of a conflict between the provisions of this Data Processing Agreement and the provisions of the Service Agreement between the Parties or the applicable general terms and conditions of the service provider/processor, the provisions of this Data Processing Agreement shall prevail.

The invalidity of any provision of this Data Processing Agreement, and more generally of the provisions governing the legal relationship between the Parties, shall in no way affect the validity of the other clauses, despite the invalidity of the disputed clause. The parties shall make every effort to replace, by mutual agreement, the void clause with a valid clause having the same or substantially the same economic impact as the void clause.

ARTICLE 15 – JURISDICTION AND APPLICABLE LAW

All disputes arising between the client/controller and the service provider/processor arising from the formation, performance, and/or interpretation of this agreement will be submitted to the courts of Leuven.

This agreement is governed by Belgian law.

The controller confirms having read and accepted this agreement by checking the corresponding checkbox during account registration. This agreement is deemed accepted upon creation of the account and forms an integral part of the service agreement.
