
Data Processing Agreement

Effective date: February 13, 2026

For data protection inquiries: support@boei.help

R. Buijs operating under the name Boei (hereinafter: Boei) is registered at the Dutch Chamber of Commerce with number 20145923 and is located at Mulderstraat 35 (3581GP) in Utrecht (The Netherlands), hereinafter referred to as "Processor".

Article 1 - Definitions

For the purpose of this agreement, the following terms have been given the following meaning:

1. Controller: the customer entity that has entered into an Agreement with Boei for the provision of Services and that determines the purposes and means of the processing of Personal Data within the meaning of Article 4(7) of the GDPR.

2. Service: the provision of software by Boei.

3. Agreement: this document, including any annexes, containing the terms and conditions for cooperation between the Parties.

4. Offer: any offer or quotation to the Controller for the provision of Services by Boei.

5. Services: the services offered by Boei, including the provision of software and related support.

6. Parties: Boei and Controller hereinafter jointly referred to as: "Parties".

Taking into account that:

  • Controller has instructed Processor to process the personal data of its company in the context of the Main Agreement which is an integral part of this processor agreement;
  • Controller designates the purposes and means to which the conditions stated herein apply;
  • Processor is willing to carry out the processing and is also willing to comply with obligations regarding security and other aspects of the General Data Protection Regulation (“GDPR”), insofar as this is within its power;
  • Processor does not process the personal data for its own purposes;
  • The Controller can be regarded as a controller within the meaning of Article 4(7) of the GDPR;
  • Processor can be regarded as a processor within the meaning of Article 4(8) of the GDPR;
  • Where this agreement refers to Personal Data, this refers to personal data within the meaning of Article 4(1) of the GDPR;
  • The parties, also in view of the requirement from Article 28 paragraph 3 of the GDPR, wish to record their rights and obligations in writing by means of this Processor Agreement (hereinafter “Processing”).

Article 2 - Applicability

1. This Agreement applies to every Offer from Boei, every Agreement between Boei and the Controller and to every Service offered by Boei.

2. Before a (distance) Agreement is concluded, the Controller will be provided with this data processing agreement. If this is not reasonably possible, Boei will indicate to the Controller how the Controller can view the data processing agreement.

3. Deviation from this Agreement is not possible. In exceptional situations it is possible to deviate from this Agreement, if and insofar explicitly agreed upon in writing by Boei.

4. This Agreement also applies to additional, amended and follow-up orders from the Controller.

5. The data processing agreements of the Controller are excluded.

6. If one or more provisions of this Agreement are partially or wholly invalid or are annulled, the other provisions of this Agreement will remain in force, and the invalid/nullified provision(s) will be replaced by a provision with the same purport as the original provision.

7. Uncertainties about the content, explanation or situations that are not regulated in this Agreement must be assessed and explained in the spirit of these general terms and conditions. The agreements in the Agreement are leading and take precedence over these general terms and conditions.

8. The rights and obligations under the Agreement between the Parties cannot be transferred by the Controller to a third party unless Boei grants the Controller explicit and prior permission. Boei is free to attach further conditions to this.

Article 3 - Purpose of the processing

1. Processor undertakes to process Personal Data on behalf of Controller under the conditions of this Processor Agreement. Processing will only take place in the context of the execution of the Main Agreement and this Processor Agreement within the meaning of Article 28 paragraph 3 GDPR.

2. The Processor is prohibited from processing the Personal Data for a purpose other than the purpose established by the Controller. The purpose of the processing is to provide the services requested by the Controller as described and recorded in the Main Agreement. To this end, the following activities, among others, are performed: the storage of (personal) data by means of hosting and cloud storage as well as the security thereof, making a VPS available, setting up and keeping a network available, and other related activities.

3. The category of data subjects from whom the Personal Data is collected concerns the personal data of the (potential) customers of the Controller, visitors to the website or web application, suppliers, account holders and/or other persons or relations of the Controller with whom the Processor comes into contact insofar as they are processed on behalf of the Controller.

4. The categories of personal data that can be processed are: contact and name and address details, customer or identification number(s), IP address and other location data, content of e-mails, chat messages, contact forms and other (personal) data that are stored or processed via the services of the Processor.

5. Processor will not process the personal data for any purpose other than as determined by the Controller. The Controller will inform the Processor of the processing purposes insofar as they have not already been mentioned in this Processor Agreement.

6. Processor has no control over the means for processing and storing the personal data. The Controller is responsible for determining the purpose of the processing and must clearly record this.

7. Processing will take place manually as well as (semi)automatically.

8. The personal data to be processed on behalf of the Controller remain the property of the Controller and/or the relevant data subjects.

Article 3a - Purpose Limitation and Restrictions on Data Use

1. The Processor shall process Personal Data solely for the purpose of providing the Services as documented in this Agreement and in accordance with the Controller's written instructions. The Processor shall not process Personal Data for any other purpose, including for the Processor's own commercial benefit.

2. The Processor may review chat interactions processed on behalf of the Controller for the purposes of quality assurance, troubleshooting, and optimising the configuration and performance of the Service as provided to the Controller. Such review is considered part of the provision of the Service and shall not constitute processing for the Processor's own independent purposes.

3. The Processor shall not use chat content, interaction data, or any other Personal Data processed on behalf of the Controller for:

  • a) training, fine-tuning, or improving the Processor's own AI models or software;
  • b) analytics, benchmarking, or product development for the Processor's own purposes beyond the quality assurance activities described in Article 3a.2;
  • c) profiling, scoring, or automated decision-making beyond the chatbot functionality as instructed by the Controller;
  • d) any form of advertising, marketing, or commercial exploitation.

4. Where the Processor uses third-party AI model providers (as listed in Annex 1) to deliver the Services, the Processor confirms that:

  • a) such providers are engaged under API/business terms that exclude the use of input and output data for model training;
  • b) the Processor has disabled any optional data sharing or model improvement settings offered by the AI providers;
  • c) data submitted via the API is processed transiently for the purpose of generating a response and is not retained by the AI provider for training purposes.

5. The Processor shall promptly inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable data protection law.

Article 4 - Term of the agreement

1. This Agreement applies to every Offer from Boei, every Agreement between Boei and the Controller and to every Service offered by Boei.

2. Changes to this agreement as a result of changes in any underlying agreement for services, legislation or regulations or other relevant circumstances are only legally valid if they are added to the Processor Agreement after consultation and with the explicit permission of the parties.

3. This agreement ends by operation of law if the Main Agreement ends.

4. As soon as the agreement has been terminated for any reason and in any way whatsoever, the Processor – at the discretion of the Controller – will return all Personal Data that it holds in original or copy form to the Controller and/or delete these original Personal Data and any copies within a maximum period of 28 days. Any costs associated with this will be borne by the Controller.

5. Confidentiality, liability and dispute resolution provisions shall remain in full force and effect after termination of this Agreement.

Article 5 - Obligations of the Processor

1. The Processor is obliged to comply with the conditions imposed on the processing of Personal Data on the basis of applicable laws and regulations, in particular the GDPR and the GDPR Implementation Act.

2. The Processor is prohibited from enriching its own database(s) and/or files with any (personal) data from the database(s) of the Controller, except in the event that the Processor provides temporary database(s) and/or files for the proper processing of the Personal Data. The temporary files are deleted immediately from the moment that these temporary files are no longer needed for processing.

3. The Processor will inform the Controller at its first request about the measures it has taken with regard to its obligations under this Processor Agreement.

4. If the Controller gives instructions to the Processor with regard to the processing of Personal Data, the Processor must follow these instructions if this is necessary for correct processing, except in the event that these instructions are contrary to laws and regulations and any applicable professional and behavioral rules. Only the Controller is authorized to give its exclusive opinion in this regard.

5. All obligations resting on the Processor also apply to persons who process Personal Data under the authority of the Processor (after explicit permission from the Controller), including employees and third parties engaged by the Processor.

6. Processor is responsible for ensuring that only employees and/or third parties have access to the personal data for which access is necessary for the execution of the agreement. The employees and/or third parties work under the responsibility of the Processor.

7. The Controller has access to Personal Data through the Processor's application interface as part of the normal use of the Service. For access to Personal Data beyond what is available through the application interface, or for the purpose of verifying compliance with this Agreement, the Processor shall cooperate with reasonable inspection and audit requests from the Controller. The Controller shall provide at least fourteen (14) days' prior written notice for any audit, which shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations. Any audit shall be subject to the Processor's confidentiality requirements and shall not compromise the security or privacy of other customers' data. The Controller shall bear its own costs in connection with any audit. If an audit requires significant involvement of the Processor's personnel beyond providing standard documentation and access, the Controller shall reimburse the Processor's reasonable costs, agreed in advance.

8. This agreement is not transferable, unless expressly agreed otherwise.

Article 6 - International Data Transfers

1. The Processor shall process Personal Data within the European Economic Area (EEA) as its primary processing location. All primary hosting and storage takes place within the EEA (DigitalOcean Amsterdam, AWS EU-West Ireland, Weaviate EU).

2. Certain sub-processors, as identified in Annex 1, are established in the United States and process Personal Data outside the EEA. At the time of this Agreement, the following categories of processing involve transfers to the United States:

  • a) AI language model processing by OpenAI, Anthropic, and/or Google (depending on Controller's configuration);
  • b) transactional email delivery by Mailgun;
  • c) website crawling by Firecrawl.

3. Transfers of Personal Data to the United States are made in reliance on one or more of the following legal bases, as applicable:

  • a) the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework (DPF), where the recipient is certified under the DPF;
  • b) Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR, supplemented by a Transfer Impact Assessment where required.

4. The Processor implements the following supplementary technical and organisational safeguards for international transfers:

  • a) encryption in transit (TLS) for all data transmitted to sub-processors outside the EEA;
  • b) encryption at rest where supported by the sub-processor;
  • c) use of API-based processing where data is processed transiently and not stored permanently by the sub-processor; AI providers do not retain input or output content beyond short-term operational logging as required for service reliability, subject to their enterprise API terms;
  • d) contractual prohibitions on sub-processors using Personal Data for their own purposes, including model training.

5. The Processor shall inform the Controller without undue delay of any material changes to the international transfer arrangements described in this Article, including changes to the legal basis relied upon.

6. Upon request, the Processor shall provide the Controller with copies of the relevant transfer mechanisms (e.g., SCCs) and any associated Transfer Impact Assessments.

Article 7 - Responsibility of the Processor

1. The Processor will perform the activities for the Controller in the context of this agreement as referred to in Article 3.2 of this agreement, as well as other activities as laid down in the Main Agreement.

2. The Processor is responsible only for the processing of Personal Data carried out on behalf of the Controller under this Agreement and in accordance with the Controller's documented instructions. The Processor is not responsible for: (a) the collection of Personal Data by the Controller; (b) processing for purposes not documented in this Agreement or not instructed by the Controller; (c) processing by third parties not engaged by the Processor as sub-processors under Article 8.

Article 8 - Sub-Processors

1. Controller grants Processor general written authorisation to engage the sub-processors listed in Annex 1 to this Agreement.

2. Processor shall maintain an up-to-date list of sub-processors in Annex 1, which shall include the company name, registered office, description of services provided, and location of data processing.

3. The Processor shall publish any intended addition or replacement of a sub-processor by updating the sub-processor list in Annex 1 on its website at least thirty (30) days prior to the change taking effect, including the date of the update. The Processor shall also use reasonable efforts to notify the Controller by email of any intended changes to the sub-processor list. It is the Controller's responsibility to periodically review the sub-processor list. Controller may object to the intended change within fourteen (14) days of the published update, provided that such objection is based on reasonable, documented grounds relating to data protection.

4. If Controller raises a reasonable objection and the parties are unable to resolve the matter within thirty (30) days, Controller may terminate the Agreement on written notice without penalty.

5. Processor shall impose the same data protection obligations as set out in this Agreement on any sub-processor by way of a contract. Processor remains fully liable to Controller for the performance of the sub-processor's obligations.

6. The current list of sub-processors is set out in Annex 1 to this Agreement.

Article 9 - Security Measures for Personal Data

1. Processor makes every effort to take sufficient and appropriate organizational and technical measures against any form of unlawful processing with regard to the processing of Personal Data to be carried out by it. The measures that the Processor has taken are:

  • a. Personal data is sent encrypted (Encryption In-Transit);
  • b. Personal data is stored encrypted on the server (Encryption At-Rest);
  • c. Making regular backups;
  • d. Processor provides an authentication and password policy to prevent unauthorized login and ensure strong password use;
  • e. Processor ensures that the production environment is well secured, and that access can only be obtained by authorized and trained personnel to prevent unauthorized access.

2. The security level of the measures must at least meet a level that is not unreasonable in the context of the associated costs, sensitivity of the Personal Data concerned as well as the state of the art and risks. Processor does not guarantee that the security measures it has taken are effective at all times, under all circumstances. In consultation, the parties can take other additional or further security measures.

3. The Processor has its own responsibility to inform itself and/or its employees and third parties to be engaged of all protocols, the (security) policy and other instructions that enable and promote safe processing.

4. Processor is responsible and liable for its part of the processing.

5. If there is a breach in the security of the Personal Data, which can cause damage or have adverse consequences for the protection of the Personal Data, the Processor shall inform the Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of the personal data breach. The Controller will then inform the Dutch Data Protection Authority and any data subjects as soon as possible about the infringement. The Processor's obligation to report only applies if a data breach has occurred.

6. Pursuant to the Processor's notification obligation, the notification of a breach must consist of at least the following components:

  • the nature of the personal data breach, where possible stating the categories of data subjects and personal data concerned and, approximately, the number of data subjects and personal data registries concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach, as well as the possible cause of the data breach;
  • the measures proposed or taken by the Processor to address the personal data breach, including, where appropriate, measures to limit any adverse consequences thereof.

7. The Controller must keep a register of all infringements (including incidents) in accordance with article 33 paragraph 5 GDPR.

8. If a breach of the security of the Personal Data has occurred at the Processor, the Processor is obliged to take appropriate measures at its own expense to prevent future incidents and/or breaches.

Article 10 - Confidentiality

1. Processor and its employees, as well as third parties engaged by Processor, are obliged to maintain the confidentiality of all personal data, sensitive information and/or company data obtained through this agreement. The duty of confidentiality does not apply if the Controller has given explicit and written permission to the Processor to share this data and information with third parties, or if there is a legal obligation to provide the data and information to a third party. After the expiry of this agreement, the parties remain obliged to adhere to this confidentiality obligation. If a party is required to provide information to a third party on the basis of a legal obligation, the providing party is obliged to inform the other party about this in writing without delay, at least within 24 hours.

2. If and insofar as possible, the Processor can refer the relevant (government) body that requests information directly to the Controller. Processor can provide contact information of the Controller in this regard to this (government) body.

Article 11 - Rights of data subjects

1. In the event that the Processor receives a request for inspection from a data subject or an authorized body, the Processor will process this request as soon as possible, but at the latest within 5 working days. If the Processor cannot handle the request itself, the request will be forwarded to the Controller within 5 working days. If requested to do so, the Processor must cooperate in the execution of the request. The (reasonable) costs that the Processor must incur for the benefit of the cooperation are for the account of the Controller.

2. The provisions of Article 11.1 apply mutatis mutandis if a data subject wishes to assert other rights such as the right to rectification, erasure, right to restriction of processing, right to data portability, right to object and rights in the case of automated individual decision-making, as laid down in sections 3 and 4 of the General Data Protection Regulation.

Article 12 - Liability

1. The Processor's total aggregate liability to the Controller for all claims arising out of or in connection with this Agreement, whether in contract, tort (including negligence), or otherwise, shall be limited to the total fees paid by the Controller to the Processor in the three (3) months immediately preceding the event giving rise to the claim.

2. The limitation set out in Article 12.1 shall not apply to:

  • a) liability arising from the Processor's wilful misconduct or gross negligence;
  • b) liability that cannot be limited or excluded under applicable law, including mandatory liability under Article 82 GDPR.

3. In respect of claims under Article 82 GDPR, each party shall be liable for damage caused by processing that infringes the GDPR to the extent attributable to its own acts or omissions. Where both parties are involved in the same processing that caused damage, each party shall bear liability in proportion to its responsibility for the damage, in accordance with Article 82(2) and (5) GDPR.

4. Neither party shall be liable to the other for any indirect, incidental, special, or consequential damages, including but not limited to loss of profit, revenue, or goodwill, except where such exclusion is not permitted under mandatory applicable law.

5. The Controller shall notify the Processor in writing of any claim under this Article without undue delay, and in any event within six (6) months of becoming aware of the event giving rise to the claim. Failure to notify within this period shall result in forfeiture of the claim, unless the Controller demonstrates that timely notification was not reasonably possible.

6. Each party shall use reasonable efforts to mitigate any loss or damage for which the other party may be liable under this Agreement.

Article 13 - Indemnification

1. The Controller indemnifies the Processor against claims, fines and/or periodic penalty payments from or on behalf of the Dutch Data Protection Authority and/or other authorities, where it has been established that the violations fall under the responsibility of the Controller.

2. The Processor can recover the fines and/or periodic penalty payments imposed from the Controller if and insofar as the Processor can be held responsible for the violations of the Controller.

Article 14 - Other

1. If any provision of this agreement is found to be invalid or void, the remaining provisions will remain in full force and effect. The parties will then enter into consultation in order to agree on a new provision with regard to the void or voided provision, whereby the purpose and intent of the void or voided provision will be taken into account as much as possible.

2. The parties will cooperate fully with each other to adjust this agreement and make it suitable for any new or amended privacy legislation.

Article 15 - Dispute resolution

1. This agreement is governed by Dutch law.

2. All disputes between the parties that arise from or relate to this Processor Agreement will be settled by the competent court of the Processor's place of business, namely the Midden-Nederland District Court (location Utrecht).

Annex 1 - List of Sub-Processors

| Sub-Processor | Registered Office | Services | Processing Location |
|---|---|---|---|
| OpenAI, Inc. | San Francisco, CA, USA | AI language model processing for chatbot functionality (configurable per customer) | USA |
| Anthropic, Inc. | San Francisco, CA, USA | AI language model processing for chatbot functionality (configurable per customer) | USA |
| Google LLC | Mountain View, CA, USA | AI language model processing via Gemini for chatbot functionality (configurable per customer) | USA |
| DigitalOcean, LLC | New York, NY, USA | Primary hosting infrastructure (servers located in Amsterdam, NL) | Amsterdam, Netherlands (EEA) |
| Amazon Web Services EMEA SARL | Luxembourg | Backup data storage | EU-West (Ireland) (EEA) |
| Weaviate B.V. | Amsterdam, Netherlands | Vector database for AI chatbot knowledge base | EU (Amsterdam/Frankfurt) (EEA) |
| Mailgun Technologies, Inc. | San Antonio, TX, USA | Transactional email delivery (notifications, chat transcripts) | USA |
| Firecrawl (Mendable, Inc.) | San Francisco, CA, USA | Website crawling for AI chatbot knowledge base ingestion | USA |

The AI model provider used for a specific Controller's chatbot is configurable and determined by the Controller's settings. Not all AI model providers listed above necessarily process data for each Controller.

Annex 2 - Processing Details

| Element | Description |
|---|---|
| Subject matter of processing | The provision of the Boei customer communication widget and AI chatbot service, including the receipt, storage, processing, and delivery of chat messages and other communications between the Controller's website visitors and the Controller. |
| Duration of processing | For the duration of the Agreement between the Controller and the Processor. Upon termination, Personal Data shall be deleted or returned in accordance with Article 4. |
| Nature and purpose of processing | The processing consists of receiving, storing, transmitting, and displaying chat messages and related communications submitted by website visitors through the Boei widget. Where AI chatbot functionality is enabled, processing includes submitting message content to AI model providers to generate automated responses on behalf of the Controller. Processing also includes sending notifications and chat transcripts via email, and crawling the Controller's website to build a knowledge base for AI chatbot functionality. |
| Categories of data subjects | Website visitors, prospective clients, existing clients, and other individuals who interact with the Controller's website through the Boei widget. |
| Categories of personal data | Name, email address, phone number, IP address, browser and device information, geographical location data, chat message content, contact form submissions, and any other personal data voluntarily provided by data subjects through the widget. |
| Special categories of personal data | The Service is not designed or intended for the processing of special categories of personal data within the meaning of Article 9 GDPR (e.g., health data, biometric data, data concerning political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation). The Controller shall not intentionally collect or submit special categories of personal data through the Service. |

KVK: 20145923 - BTW: NL001143413B86