Data Processing Agreement (DPA)

Last updated: 12 November 2025

1. Parties

This Data Processing Agreement (“Processing Agreement”) is concluded between:

BRBX BV, operating under the name Recommand, established at Nieuwdorp 5, 3990 Peer, Belgium, registered with the Crossroads Bank for Enterprises under number 1012.081.766, hereinafter referred to as the “Processor”,

and

the customer using the services of Recommand, hereinafter referred to as the “Controller”,

together the “Parties”, and each individually a “Party”.

2. Subject and Duration

2.1. This agreement governs the processing of personal data by the Processor on behalf of the Controller in the context of the use of the Recommand API, the accompanying portal, and support services.

2.2. The purpose of the processing is the exchange of electronic documents via the Peppol network (such as invoices, credit notes, orders, and related message types), including sending, receiving, validating, and archiving those documents.

2.3. The duration of this processing agreement equals the term of the main agreement between the Parties. Upon termination, the provisions of Article 11 (Return and Deletion of Data) shall apply.

3. Roles and Responsibility

3.1. The Controller determines the purpose and means of the processing of personal data and remains responsible for compliance with the GDPR and other applicable legislation.

3.2. The Processor processes personal data solely on written instructions from the Controller, unless required otherwise by law.

3.3. The Processor will not use personal data for its own purposes, disclose it to third parties, or otherwise process it beyond what is necessary for the performance of the agreed services.

4. Types of Personal Data and Data Subjects

4.1. The processing may include the following categories of personal data:

  • Identification and contact details: name, address, email address, telephone number
  • Company information: enterprise number, VAT number, Peppol ID
  • Delivery and payment information: IBAN, references, delivery addresses
  • Free text fields or attachments containing personal data
  • User and account information within the Recommand platform (name, email address, role, API keys, log data)

4.2. Categories of data subjects include, among others:

  • Customers, suppliers, and contact persons of the Controller
  • Employees or authorised representatives of these organisations
  • Users with access to the Recommand platform or API

5. Processing Activities

The Processor will process personal data solely for the following purposes:

  • Sending, receiving, and routing electronic documents via the Peppol network
  • Validating, logging, and archiving these documents
  • Providing the API, portal, and support functionalities
  • Performing security and control mechanisms (audit trail, logging, abuse detection)
  • Complying with legal obligations or Peppol network rules set by OpenPeppol AISBL

6. Security Measures

The Processor implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, loss, or destruction.

These measures include at a minimum:

  • Encryption of data in transit (TLS/mTLS) and at rest
  • Hashed passwords and secure key and certificate rotation
  • Role- and team-based access control (“least privilege”)
  • Structured logging, audit trails, and monitoring
  • Regular backups and recovery tests
  • Secure hosting within the European Economic Area
  • Continuous software updates and dependency management
  • Limitation of personal data to what is strictly necessary

Upon request, the Processor provides a summary of its security policy.

7. Subprocessors

7.1. The Processor may engage subprocessors for the performance of its services, provided they are bound by equivalent privacy and security obligations.

7.2. The current list of subprocessors is available at recommand.eu/subprocessors. This list may include hosting and infrastructure providers, payment processors, email services, and analytics services.

7.3. The Controller will be informed in advance of changes to the list of subprocessors and may object within a reasonable period on justified grounds related to data protection. If such an objection is valid, the Parties will seek a suitable solution in good faith. If no solution is possible, the Controller may terminate the affected service without entitlement to compensation.

8. Data Breaches and Incidents

8.1. The Processor shall notify the Controller of any confirmed personal data breach without undue delay.

8.2. The notification shall include, where known:

  • a description of the nature of the incident
  • the categories and approximate number of data subjects and personal data records affected
  • the likely consequences
  • the measures taken or proposed

8.3. The Processor will provide reasonable assistance in investigating, mitigating, and reporting the incident to supervisory authorities or data subjects, where required.

9. Data Subject Rights

9.1. If a data subject contacts the Processor directly with a request for access, correction, or deletion of personal data, the Processor shall forward the request to the Controller.

9.2. The Processor will provide reasonable technical assistance to enable the Controller to handle such requests in a timely manner.

10. Audit and Inspection

10.1. The Controller has the right to conduct an audit, at most once per year, to verify compliance with this agreement.

10.2. Audits shall occur with reasonable prior notice (at least 15 working days), without disrupting operations, and under confidentiality of sensitive information.

10.3. The Processor may, instead of an on-site audit, provide recent security reports or certifications (e.g., Peppol Access Point certification, internal audit reports).

11. Return and Deletion of Data

11.1. Upon termination of the main agreement, the Processor shall, at the Controller’s request, either:

  • return all personal data in a commonly used format; or
  • securely delete it within 90 days after termination, unless statutory retention obligations (for example, for accounting records or network logs) require longer storage.

Operational data in the portal remains available for export for up to 30 days after termination, in accordance with the Terms and Conditions and Privacy Policy.

11.2. The Processor shall confirm the deletion or return in writing.

12. Confidentiality

12.1. All persons acting under the Processor’s authority who have access to personal data are contractually or legally bound to strict confidentiality.

12.2. This obligation continues after termination of the agreement.

13. International Data Transfers

13.1. For any Restricted Transfer of Personal Data, the Processor and Controller shall apply the EU Standard Contractual Clauses (EU Commission 2021/914): Module 2 (C→P) or Module 3 (P→Sub-P), as applicable.

13.2. For the EU SCCs:

  • Clause 7 (Docking) applies;
  • Clause 9 (Subprocessors): Option 2, general written authorisation with prior notification;
  • Clause 17: Belgian law;
  • Clause 18(b): courts of Belgium.

13.3. Annex I shall be completed with (A) parties/roles; (B) description of the processing as included in Annex A; (C) competent authority: Belgian Data Protection Authority. Annex II: technical and organisational measures as set out in Annex B.

13.4. For transfers under UK law, the UK Addendum to the EU SCCs applies. Should regulations change, the Parties will implement appropriate safeguards in good faith.

14. Liability

14.1. The Processor’s liability is limited to the liability provisions in the main agreement or applicable general terms.

14.2. Nothing in this agreement excludes liability for intent or gross negligence.

15. Applicable Law and Disputes

15.1. This processing agreement is governed exclusively by Belgian law.

15.2. Disputes fall under the jurisdiction of the courts of Antwerp, Hasselt division, unless otherwise agreed.

16. Final Provisions

16.1. This processing agreement forms an integral part of the main agreement between the Parties and enters into force automatically upon acceptance of the Recommand terms and conditions.

16.2. Amendments to this agreement may only be made in writing and with mutual consent.