mixconix.com


DATA PROCESSING AGREEMENT (DPA)


Last Updated: August 14, 2025


This Data Processing Agreement ("DPA") forms part of the agreement between Mixconix SRL, a company registered in Romania (CUI: RO 31654250), with registered office at Str. Brândușelor 74, Green Centre, Brașov, Romania ("Processor" or "Mixconix"), and the customer identified in the Order Form ("Controller" or "Customer"), collectively the "Parties". It governs the processing of Personal Data in connection with the Business Partner Validator (BPV) application provided on or integrated with SAP Business Technology Platform (SAP BTP) and related services.


1. Definitions

"Applicable Data Protection Law" means the GDPR and any applicable local data protection laws.

"GDPR" means Regulation (EU) 2016/679.

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.

"Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.

"Services" means the BPV application and any related support, maintenance, or professional services.


2. Roles of the Parties

Controller determines the purposes and means of Processing. Processor processes Personal Data only on documented instructions from Controller, including with respect to data categories, purposes, retention, and transfers.


3. Duration

This DPA applies for the term of the underlying Agreement and any period during which Processor retains Personal Data on behalf of Controller, including limited retention for evidence, audit, or legal obligations.


4. Nature and Purpose of Processing

Providing and operating the BPV application within SAP BTP and customer environments.

Validating VAT numbers via VIES and IBANs via OpenIBAN, and optionally validating addresses via third-party APIs.

Providing customer support, troubleshooting, monitoring, and security (e.g., logs, backups).

Improving and maintaining the Services, strictly as instructed and without combining Controller data with other clients’ data.


5. Categories of Data and Data Subjects

Data Subjects: customer personnel and business partners (e.g., suppliers, customers, contractors).

Personal Data categories (as applicable to BPV): identification and professional data (name, role), contact data (email, phone), VAT numbers, IBAN, address, and technical/usage data (logs, IP, device/browser).


6. Processor Obligations

Process Personal Data only on documented instructions from Controller, including with respect to transfers.

Ensure persons authorised to process Personal Data are bound by confidentiality obligations.

Implement and maintain appropriate technical and organisational measures (TOMs) as set out in Annex II (including, without limitation, access controls, encryption in transit, vulnerability management, logging/monitoring, backup and recovery).

Assist Controller, insofar as possible, with Data Subject requests and with Controller’s compliance with Articles 32–36 GDPR (security, DPIA, consultation).

Notify Controller without undue delay after becoming aware of a Personal Data Breach and provide timely information to support Controller’s notifications.

At Controller’s choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless storage is required by law.

Make available to Controller all information necessary to demonstrate compliance with this DPA and allow for audits in accordance with Section 11.


7. Sub-processors

Controller authorizes Processor to engage Sub-processors listed in Annex III and any additional Sub-processors used for hosting or delivering the Services, provided that Processor: (a) imposes data protection terms no less protective than those set out in this DPA; (b) remains liable for Sub-processor performance; and (c) provides advance notice of changes, allowing Controller to object on reasonable grounds.


8. International Data Transfers

Where Processing involves transfers of Personal Data outside the EEA/UK to a country without an adequacy decision, Processor shall ensure appropriate safeguards under Chapter V GDPR, including the European Commission Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor and/or Module 3: Processor-to-Processor, as applicable), supplemented by transfer impact assessments and additional measures where required.


9. Security Measures

Processor implements security measures appropriate to the risk as described in Annex II (TOMs). Mixconix operates under a certified Quality Management System (ISO 9001) and an Information Security Management System (ISO/IEC 27001). Evidence of certification can be provided upon request.

10. Personal Data Breach Notification

Notify Controller without undue delay upon becoming aware of a Personal Data Breach.

Provide details on the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.

Cooperate with Controller in fulfilling any notification obligations towards Supervisory Authorities and Data Subjects.


11. Audits and Certifications

Upon reasonable prior notice and no more than once per 12 months (unless required by a Supervisory Authority or following a breach), Controller may conduct an audit (including reviews of independent certifications) limited to materials necessary to verify compliance with this DPA.

Audits shall be conducted in a manner that minimizes disruption and preserves confidentiality and security. Processor may satisfy audit requests by providing recent certifications, summaries of audit reports, or equivalent assurances.


12. Assistance and Records

Processor maintains records of Processing activities carried out on behalf of Controller and shall, upon request, provide reasonable assistance to Controller in demonstrating compliance with Applicable Data Protection Law.


13. Data Deletion and Return

Within 30 days after termination or expiry of the Agreement (or such other period agreed in writing), Processor shall, at Controller’s option, securely delete or return Personal Data and delete existing copies, unless retention is required by EU or Member State law.


14. Confidentiality

Processor ensures that persons authorized to process Personal Data are subject to appropriate confidentiality obligations and receive regular training regarding data protection and information security.


15. Liability

The Parties’ liability under this DPA shall be governed by the limitations and exclusions of liability set forth in the underlying Agreement, to the maximum extent permitted by law.


16. Miscellaneous

If any provision of this DPA is held to be invalid, the remaining provisions shall remain in full force and effect. In case of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. This DPA is governed by the laws of Romania and the competent courts of Brașov, Romania, unless otherwise agreed in the Agreement.



ANNEX I – Description of Processing Activities

Controller: As per Order Form.

Processor: Mixconix SRL (CUI: RO 31654250), Str. Brândușelor 74, Green Centre, Brașov, Romania; contact: office@mixconix.com

Subject matter: Processing of business partner data for validation within BPV.

Duration: Term of the Agreement plus limited retention per Section 13.

Nature and purpose: Provision of BPV; validations via VIES/OpenIBAN; support and security operations.

Types of Personal Data: Identification/professional data; contact data; VAT numbers; IBAN; address; technical/usage data (logs, IP).

Categories of Data Subjects: Customer personnel and business partners (e.g., suppliers, customers).

ANNEX II – Technical and Organisational Measures (TOMs)

Access control: role-based access; least privilege; MFA for privileged accounts.

Data protection: encryption in transit (TLS); encryption at rest where supported; secure key management.

Application security: secure SDLC; code review; dependency scanning; vulnerability and patch management.

Operations: change management; logging and monitoring; alerting; regular backups and recovery testing.

Network security: segmentation; firewalling; WAF/DoS protections (where applicable).

Supplier risk: DPAs with Sub-processors; SCCs for transfers; periodic vendor reviews.

Business continuity: documented incident response; disaster recovery plans; regular exercises.

Data minimization & retention: log retention and data purging aligned with Controller instructions.

Employee measures: confidentiality agreements; security and privacy training; onboarding/offboarding controls.

ANNEX III – Authorised Sub-processors

The following Sub-processors are engaged by Mixconix SRL for the provision of the BPV Services, or may be engaged depending on deployment model and region. Mixconix will provide advance notice of changes to this list; Controller may object on reasonable grounds within the notice period.

ANNEX IV – Cross-Border Transfers and Standard Contractual Clauses (SCCs)


A. Incorporation and Scope

  1. SCCs Incorporated. Where required by GDPR Art. 46, the Parties agree that the European Commission’s Standard Contractual Clauses of 4 June 2021 (Commission Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA as follows:
    • Module 2 (Controller → Processor) for transfers from Controller (data exporter) in the EEA/UK/CH to Processor (data importer) located in a third country without an adequacy decision; and
    • Module 3 (Processor → Sub-processor) for onward transfers from Processor (exporter) to its Sub-processor (importer) in such third countries.


  2. Annex Mapping. The DPA’s Annex I serves as Annex I of the SCCs (Description of transfer); Annex II serves as Annex II of the SCCs (TOMs); and Annex III serves as Annex III of the SCCs (List of Sub-processors).
  3. Precedence. In case of conflict between this DPA and the SCCs, the SCCs prevail to the extent of the conflict (SCCs, Clause 5).


B. Parties and Roles

  • Data exporter (Module 2): the Controller identified in Annex I.
  • Data importer (Module 2): Mixconix SRL (Processor).
  • Data exporter (Module 3): Mixconix SRL (Processor).
  • Data importer (Module 3): the Sub-processor identified/listed in Annex III.


C. Docking Clause (SCCs, Clause 7)

The Parties enable Clause 7 (Docking): additional controllers/processors may accede to the SCCs by executing an adherence document referencing this DPA and Annexes.


D. Description of Transfer (SCCs, Annex I(A)–(C))

The elements required by SCCs Annex I(A)–(C) are set out in DPA Annex I and incorporated here by reference, including: identities and contact details of exporter/importer, categories of data subjects and data, frequency, nature and purpose of processing, duration of processing and retention, and competent supervisory authority (see Section I below).


E. Technical and Organisational Measures (SCCs, Annex II)

The importer implements the TOMs described in DPA Annex II (encryption in transit (TLS 1.2+), encryption at rest where platform-supported, key management, access control/MFA, logging & monitoring, secure development, BCM/backup, third-party due diligence, privacy by design). For Module 3, each Sub-processor must implement TOMs not less protective than Annex II.


F. Sub-processor Authorisation (SCCs, Clause 9)

  1. General authorisation applies. Current Sub-processors are listed in Annex III.
  2. The importer will notify exporter of intended changes (additions/replacements) to Sub-processors at least 10 business days before engagement via a standard notice channel (e.g., email to the contact in Annex I).
  3. Exporter may object on reasonable data-protection grounds; Parties will discuss in good faith. If unresolved within a reasonable period, exporter may suspend/terminate the affected processing (without penalty) and receive a prorated refund for prepaid unused fees for the impacted functionality.


G. Local Laws & Government Access Requests (SCCs, Clauses 14–15)

  1. Transfer Impact Assessment (TIA). The importer has assessed, to the best of its knowledge and experience, the laws and practices of the destination country relevant to Clause 14. The importer will re-assess periodically or upon a material change.
  2. Transparency & Challenge. If the importer receives a legally binding request from a public authority for personal data:
    • it will notify the exporter without undue delay (unless legally prohibited), and seek to lift any prohibition;
    • it will review the legality of the request and challenge it where reasonable;
    • it will disclose only the minimum data strictly required and keep records of the request and response;
    • it will provide aggregate transparency reporting where permitted (e.g., counts of requests).

  3. Supplementary Measures. The importer maintains encryption in transit, access controls, data minimisation, and logging, and will apply additional case-by-case measures where needed to maintain an essentially equivalent level of protection (per CJEU II).


H. Data Subject Rights & Redress (SCCs, Clauses 10–12)

The importer will assist the exporter in handling data-subject requests and complaints in accordance with SCCs and GDPR. Third-party beneficiary rights under the SCCs are upheld; copies of the SCCs may be provided to data subjects on request with commercially sensitive information redacted.


I. Supervisory Authority, Governing Law & Forum (SCCs, Clauses 13, 17–18)

  1. Supervisory Authority (Clause 13): the competent authority is the authority of the exporter’s main EU establishment; where the exporter is established in Romania, the competent authority is ANSPDCP (Romanian Supervisory Authority).
  2. Governing Law (Clause 17): the Parties select the laws of Romania (an EU Member State allowing third-party beneficiary rights).
  3. Jurisdiction (Clause 18): disputes shall be brought before the courts of Romania; where appropriate and permitted, the courts of Brașov have jurisdiction.


J. UK and Switzerland Add-ons

  1. United Kingdom. For transfers subject to UK GDPR, the Parties incorporate the ICO International Data Transfer Addendum (IDTA) Addendum to the EU SCCs (version B.1.0 or latest).
    • Part 1 Tables: (i) Parties & contacts: as per DPA Annex I; (ii) Selected SCCs: EU 2021/914, Module 2 and/or 3; (iii) Appendix information: DPA Annexes I–III; (iv) Mandatory Clauses: as per ICO template.
    • Governing law & courts (UK): England and Wales.

  2. Switzerland. For transfers subject to Swiss FADP, the Parties incorporate the SCCs with the following adaptations: references to “EU GDPR” shall be read to include the Swiss FADP; references to the “competent supervisory authority” include the Swiss FDPIC; the place of jurisdiction is Switzerland in accordance with Clause 18.


K. Return/Deletion & Termination

Upon termination of the SCCs-governed processing, the importer will delete or return the personal data at the exporter’s choice within 30 days, unless retention is legally required. Backups are overwritten on the next scheduled cycle.


L. Copies and Access to SCCs

The Parties will make current copies of the executed SCCs (including this Annex and referenced Annexes I–III) available to supervisory authorities upon request. Data subjects may receive a copy on request, with redactions of confidential information.


M. Conflicts

If any term of this DPA (including other annexes) conflicts with the SCCs as incorporated herein, the SCCs control. If the UK Addendum or Swiss adaptations conflict with the SCCs, the local addendum/adaptation controls for the respective transfer.


Copyright © 2025 MIXCONIX.COM - All Rights Reserved.
