This Data Processing Addendum ("DPA") forms part of the agreement between C4CI Group Belgium BV/SRL, enterprise number BE 1030.600.254, registered office at Nieuwstraat 41, 2260 Westerlo, Belgium ("C4CI"), and the customer identified in an order form, enterprise agreement, or authorised organisation acceptance record ("Customer").
This DPA applies when C4CI processes personal data on Customer's behalf as a processor in connection with C4CI Arch. It is designed to support the processor contract requirements in Article 28 of the GDPR and related data-protection laws. It does not replace a signed order form or any mandatory terms required by law.
1. Definitions
"Customer Personal Data" means personal data processed by C4CI as processor on behalf of Customer through the services.
"Controller", "processor", "personal data", "processing", "data subject", "personal data breach", and "supervisory authority" have the meanings given in the GDPR.
"Services" means C4CI Arch, related tenant portal and Admin Hub surfaces, APIs, support services, and agreed enterprise workflows.
"Subprocessor" means a third party engaged by C4CI to process Customer Personal Data on behalf of Customer.
2. Roles
Customer is the controller of Customer Personal Data unless the parties agree otherwise in writing. C4CI is the processor of Customer Personal Data when it processes that data on Customer's documented instructions.
C4CI acts as an independent controller for account administration, security, billing, legal acceptance, product operations, and other data described as controller processing in the Privacy Policy.
3. Processing Details
The subject matter, duration, nature, purpose, data categories, data subjects, and processing operations are described in Annex A.
Customer controls which users, systems, repositories, subscriptions, projects, credentials, prompts, comments, reports, and files are connected to or submitted through the Services.
4. Customer Instructions
C4CI will process Customer Personal Data only on Customer's documented instructions, including this DPA, the agreement, order forms, product configuration, support requests, and lawful instructions submitted by authorised users.
C4CI will inform Customer if C4CI believes an instruction infringes applicable data-protection law, unless law prohibits C4CI from doing so.
Customer is responsible for ensuring that its instructions are lawful and that Customer has a valid legal basis for submitting Customer Personal Data to the Services.
5. Processor Obligations
C4CI will:
- process Customer Personal Data only as described in this DPA and the agreement;
- ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations;
- implement and maintain appropriate technical and organisational measures as described in Annex B and the Security Exhibit;
- assist Customer with data-subject requests where reasonably possible and where Customer cannot fulfil the request without C4CI's assistance;
- assist Customer with security, breach-notification, data-protection impact assessment, and supervisory-authority consultation obligations where the assistance relates to the Services and Customer Personal Data;
- make available information reasonably necessary to demonstrate compliance with this DPA;
- delete or return Customer Personal Data after termination as described in Section 12;
- maintain a current Subprocessor List.
6. Security Measures
C4CI will maintain technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
The baseline measures are described in Annex B and the Security Exhibit. C4CI may update measures over time, provided the updates do not materially reduce the overall protection of Customer Personal Data.
7. Personal Data Breach
C4CI will notify Customer without undue delay after becoming aware of a personal data breach and having enough information to reasonably identify that Customer Personal Data is affected. Where feasible and legally permitted, C4CI will aim to provide initial notice within 48 hours after that point.
The notice will include available information about the nature of the breach, affected data, likely consequences, mitigation steps, and the C4CI contact point. C4CI may provide information in phases as investigation continues, and an initial notice may be updated or corrected as more facts become available.
C4CI's notice is not an admission of fault or liability.
8. Subprocessors
Customer authorises C4CI to use Subprocessors listed in the Subprocessor List. C4CI will impose written data-protection obligations on Subprocessors that are substantially no less protective than this DPA for the processing they perform.
C4CI remains responsible for Subprocessor performance to the extent required by applicable data-protection law.
C4CI will provide notice of material Subprocessor additions or replacements through the Subprocessor List, product notice, email, or another reasonable channel. Customer may object on reasonable data-protection grounds within 30 days of notice. The parties will work in good faith to resolve the objection.
9. International Transfers
C4CI is established in Belgium. Where Customer Personal Data is transferred outside the European Economic Area or another jurisdiction with transfer restrictions, C4CI will rely on an adequacy decision, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum where applicable, or another lawful transfer mechanism.
Where the EU Standard Contractual Clauses are required, the parties agree that Module Two (controller to processor) applies unless the parties agree another module in writing. The Annex A processing details and Annex B security measures serve as the processing and technical-measures annexes for those clauses where permitted.
10. Audit and Information Rights
On reasonable written request, C4CI will provide information necessary to demonstrate compliance with this DPA. C4CI may satisfy this obligation through security documentation, third-party audit reports, penetration-test executive summaries, certifications, trust-center materials, architecture summaries, or written responses.
If Customer reasonably requires an audit that cannot be satisfied through available documentation, the parties will agree a scope, timing, confidentiality terms, security conditions, and cost allocation. Audits must not compromise the security, confidentiality, availability, or privacy of C4CI or other customers.
11. Data Subject Requests
If C4CI receives a request from a data subject relating to Customer Personal Data, C4CI will direct the data subject to Customer where practicable and will not respond substantively unless required by law or authorised by Customer.
C4CI will provide reasonable assistance to Customer for requests that Customer cannot fulfil without C4CI's assistance.
12. Deletion and Return
On termination or expiry of the Services, C4CI will delete or return Customer Personal Data according to the agreement, product controls, backup cycles, and legal retention requirements.
C4CI may retain copies where required for legal, security, billing, audit, dispute, fraud-prevention, or compliance purposes, provided retained data remains protected under this DPA until deleted.
Backups and logs are deleted or overwritten according to scheduled retention cycles unless preserved for security, legal, or incident purposes.
13. Customer Responsibilities
Customer is responsible for:
- providing privacy notices and obtaining consents where required;
- ensuring connected systems and Customer Content are lawful to process through the Services;
- configuring roles, access, integrations, retention, exports, and deletion;
- avoiding submission of unnecessary personal data, secrets, special-category data, or regulated data;
- responding to data-subject requests where Customer is controller;
- keeping administrator and user credentials secure.
14. Conflict
If this DPA conflicts with the agreement on processing of Customer Personal Data, this DPA controls to the extent of the conflict. The agreement controls commercial, liability, payment, product, and non-data-protection matters unless this DPA states otherwise.
15. Liability
Liability under this DPA is subject to the liability limits and exclusions in the agreement unless applicable law requires otherwise or the parties agree a specific data-protection liability provision in an order form.
16. Contact
Data-processing questions should be sent to support@c4ci.io.
Annex A: Processing Details
| Item | Description |
|---|---|
| Subject matter | Provision, support, security, administration, and improvement of C4CI Arch and agreed enterprise services |
| Duration | The term of the agreement plus deletion, backup, audit, security, billing, and legal retention periods |
| Nature and purpose | Hosting, transmitting, storing, analysing, displaying, securing, debugging, supporting, metering, and generating product outputs from Customer-controlled data |
| Data subjects | Customer users, administrators, invited users, support contacts, individuals appearing in connected-system metadata, comments, reports, prompts, files, or audit evidence |
| Personal data categories | Identity data, account data, role and organisation data, authentication data, usage and audit data, support data, billing contact data, connected-system metadata, Customer Content, prompts, comments, reports, and technical logs |
| Sensitive data | The Services are not designed for intentional submission of special-category data or criminal-offence data unless agreed in writing with appropriate safeguards |
| Processing operations | Collection, receipt, storage, retrieval, consultation, analysis, generation, display, transmission, restriction, deletion, and export |
Annex B: Technical and Organisational Measures
The baseline measures include:
- tenant isolation and organisation-scoped access controls;
- role-based access control for user and administrator actions;
- encrypted transport using HTTPS/TLS for supported product routes;
- encrypted storage where supported by the hosting and database layers;
- secret-management controls for runtime credentials;
- audit logging for legal acceptance, billing, security, and product-control events where implemented;
- least-privilege integration design, including Reader-first cloud discovery where available;
- access review and operational controls for C4CI personnel and systems;
- vulnerability management and dependency review processes;
- backup and restore practices described in operational runbooks;
- incident triage, containment, remediation, and customer notification processes;
- product and infrastructure monitoring for availability and security signals.