In the delivery of the Services and the Platform, and through the Customer’s use of the Services, Dealside may have access to some data which qualifies as Personal Data and for which Dealside acts as a Processor. This Data Processing Agreement, entered into between Dealside and the Customer, governs the Processing of Personal Data in this context.
This Data Processing Agreement applies in addition to the other provisions as set out in the Contract which shall continue to apply also to the activities as contemplated herein.
Capitalized notions used throughout this Data Processing Agreement shall have the meaning attributed to them as set out in the Terms and Conditions, unless as otherwise expressly specified in this Data Processing Agreement.
1. Additional definitions
1.1. “Data Protection Legislation” means any applicable legislation in force regarding the processing and protection of Personal Data, including the European GDPR Regulation 2016/679 and the Belgian implementation thereof.
1.2. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Data Breach”, “Transfer”, and “Processing” / “Processed” / “Process” shall have the same meanings as set out in the Data Protection Legislation.
1.3. “Customer Personal Data” means Personal Data Processed (such as stored, uploaded, accessed, sent, communicated, amended, etc.) through use of the Platform / Services, including CDS Data, but excluding Platform Usage Data and data as referred to in clause 2.1 of this Data Processing Agreement (including without limitation customer contact information, business details and transaction details).
2. Processing as a Data Controller
2.1. Any Personal Data in relation to which Dealside acts as a Data Controller (such as Platform Usage Data and Customer business representative Personal Data, including addresses, email, telephone number and other information which is shared generally and necessarily as a result of the (potential) business relationship between Dealside and the Customer and their respective representatives) shall be Processed in accordance with the Privacy Statement. Please refer to this document for further information.
3. Processing as a Data Processor
3.1. Nature and purposes of Processing the Personal Data
(a) As a result of the nature of the Platform and Services supplied, Dealside may have access to and Process certain Customer Personal Data which are stored on or are connected to the Platform / Services. Dealside will only process Customer Personal Data on behalf of and under the documented and lawful instructions of Customer, for the purposes of the Contract and as set out herein.
(b) Dealside may Process these Customer Personal Data for purposes of providing the Platform and Services, hence for the performance of the Contract. The parties acknowledge that the execution and performance of the Contract and the use of the Platform and the Services constitute the documented instructions of Customer. The Processing activities are further described in Schedule 1 below.
(c) Any additional Processing of Customer Personal Data requires the written consent of the Customer, and Dealside may evaluate (and refuse) such additional Processing activities. Dealside may also inform the Customer in the event any Processing instruction may constitute a breach of Data Protection Legislation.
3.2. Roles of the Parties
In respect of what is set out in clause 3.1:
(a) Dealside shall in such capacity act solely as a Data Processor, not as a Data Controller, and respect the obligations imposed on it as set out in Data Protection Legislation.
(b) The Customer agrees and acknowledges that the Processing activities referred to in this clause 3 are an integral part of the standard Services offering of Dealside and are thus performed on the instruction of the Customer, who wishes to make use of the same. The Contract (including this Data Processing Agreement) and its provisions are Customer’s documented instructions to Dealside for Processing Customer Personal Data. Additionally, where Dealside is obliged by applicable law to Process Personal Data, it shall have the right to do so.
(c) The Customer shall at all times act as a Data Controller in relation to Customer Personal Data. As a result, the Customer shall comply with all of its obligations as a Data Controller under Data Protection Legislation, including without limitation obtaining and maintaining all necessary and valid consents and providing sufficient transparency. Without limiting the generality of the foregoing, the Customer shall (i) have sole responsibility for the accuracy, quality, integrity, legality and reliability of Customer Personal Data and of the means by which it acquired Customer Personal Data and (ii) comply with all applicable Data Protection Legislation in collecting, compiling, storing, sharing, transferring, accessing and using Customer Personal Data when making use of the Services.
4. Duration
4.1. This Data Processing Agreement enters into force together with the Contract and shall remain in force during the term of the Contract.
4.2. After termination of the Contract, Dealside shall have no right to Process Customer Personal Data, unless (a) where anonymised or aggregated and/or in statistical form, (b) except for Processing necessary for compliance with its own legal, regulatory, accounting and tax obligations, or (c) as required to facilitate the return or deletion of Customer Personal Data in accordance with clause 4.3.
4.3. Without prejudice to clause 4.2:
(a) The Customer has the right to request the return or deletion of any Customer Personal Data in Dealside’s standard data format within sixty (60) days after the termination of the Contract. Any such request must be submitted to Dealside in writing.
(b) If no such request is received, Dealside will automatically delete any remaining Customer Personal Data sixty (60) days after the termination of the Contract.
(c) Any Customer Personal Data retained on Dealside’s backup systems will be automatically deleted ninety (90) days after the termination effective date, unless retention is required to comply with applicable legal or regulatory obligations.
5. Sub-processors
5.1. Dealside maintains an up-to-date list of its sub-Processors, which it updates from time to time. A list of Dealside's current sub-Processors is available to the Customer at https://trust.askdonna.com/subprocessors. In addition, Dealside will provide a mechanism to subscribe to notifications of any changes to the above list of sub-Processors at https://trust.askdonna.com (click on the bell icon in the top right corner of the page, enter your email address and click Subscribe). The Customer, if it wishes, will subscribe to such notifications where available. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to sub-Processors. Any changes to the list of sub-Processors shall be deemed to be accepted by Customer within fifteen (15) working days after notification.
5.2. Dealside will ensure that all sub-Processors engaged in processing Customer Personal Data comply with Data Protection Legislation.
6. Data Subject rights and Customer assistance
6.1. During the term of the Contract, Dealside shall, to the extent possible for Dealside and to the extent the Customer (who shall at all times be the first contact point of its own customers or business relations) has no other means to meet its obligations under Data Protection Legislation, provide the Customer with reasonable assistance to meet its obligations under Data Protection Legislation and as provided for in Data Protection Legislation (particularly to assist the Customer in ensuring compliance with the obligations resulting from Articles 32 to 36 of the European GDPR Regulation 2016/679). The Customer shall reimburse Dealside for any reasonable costs incurred as a result of such assistance.
6.2. In the event Dealside would receive any request from a Data Subject (of whom Customer Personal Data is Processed under this Contract) or business relation of the Customer to access, delete, correct, block or otherwise Process Personal Data Processed under the Contract, the Parties agree that Dealside shall inform the Customer of the same and hand over all relevant communications to the Customer without first responding to it directly.
7. Security
7.1. With respect to Processing Customer Personal Data and to minimize risks of any misuse thereof, and more in general in relation to the Processing of Personal Data: (i) Dealside shall ensure that access to Customer Personal Data by personnel of Dealside is limited to that of its personnel who require such access to perform the Contract and that such personnel to whom it grants access to such Customer Personal Data are directed to keep such Customer Personal Data confidential; (ii) Dealside shall maintain appropriate administrative, physical, technical and organizational safeguards for protection of Customer Personal Data having regard to its role, as set forth in Schedule 2 below; (iii) to the extent relevant, and unless notification is delayed by the actions or demands of a law enforcement agency, Dealside shall report to the Customer the unauthorized acquisition, access, use, disclosure or destruction of Personal Data (a “Breach”) within 48 hours following determination by Dealside that a Breach occurred on its systems and Dealside shall reasonably assist the Customer with the investigation and mitigation of the impact of any such Breach as well as any notification obligation towards a supervisory authority that may be necessary.
8. Transfers
8.1. The Parties agree that it is their intention to predominantly process Customer Personal Data within the EEA (European Economic Area). In the event of a Transfer of Customer Personal Data to a third country outside the EU and outside the EEA (each a “Third Country”), the Parties acknowledge that steps must be taken to ensure that such data transfers comply with Data Protection Legislation. In this sense, Dealside shall notify Customer of data transfers outside the EU via the notification mechanism described in section 5.1 of this DPA. If Customer does not subscribe to notifications, Customer waives any right it may have to receive notice of changes to data transfers outside the EU. Dealside shall comply with the provisions of Data Protection Legislation allowing Transfers, such as Transferring to a Third Country offering an adequate level of protection, use of the European Commission’s standard contractual clauses, etc.
9. Audit
9.1. Upon the Customer’s reasonable request, Dealside shall provide such information to the Customer necessary to demonstrate its compliance with Data Protection Legislation and the technical and organizational measures, as set forth in Schedule 2 below. The Customer can also request an independent third-party auditor, to be approved in writing by Dealside, to conduct an audit. The contract with such auditor shall require the auditor to respect Dealside’s confidentiality obligations, trade secrets and confidential information and shall solely relate to compliance with Data Protection Legislation. Notwithstanding the foregoing and for the avoidance of doubt, the foregoing may in no way materially impede the Customer, or a third-party auditor, from conducting an audit as described herein.
9.2. An audit can only be required taking into account reasonableness and for a maximum of once (1) per two (2) years unless Data Protection Legislation or guidance by a competent supervisory authority would dictate otherwise. Audits shall be conducted at a time agreed with Dealside in writing, and in each event during normal business hours and without interruption to Dealside’s normal business operations.
9.3. The audit report shall be provided to Dealside by the auditors before it is finalised, so that Dealside can make any comments it may have, and the final report should take account of and respond to these comments. The audit report will then be sent to Dealside and discussed in a meeting between the Parties.
9.4. In the event the final audit report reveals breaches of the commitments made in the performance of this Data Processing Agreement, Dealside shall propose, at its own expense, a corrective action plan within a maximum of twenty (20) working days from the meeting between the Parties.
9.5. The Customer shall bear all costs related to such audits, unless a substantial breach of Data Protection Legislation attributable to Dealside results from such audit.
10. Costs
10.1. Services and assistance rendered by Dealside to the Customer hereunder shall be charged at Dealside’s then-current hourly rates, unless stated otherwise in this Data Processing Agreement.
11. Notice of default
11.1. When Dealside fails to comply with its obligations under this Data Processing Agreement, the Customer shall first send a registered notice of default. This notice shall clearly mention the defaults that occurred, and, if redress is possible, a proposal of remedial measures and a reasonable term for their implementation.
12. Liability
12.1. The provisions in relation to liability as set out in the Terms and Conditions are applicable to this Data Processing Agreement and all services provided by Dealside in respect of this Data Processing Agreement.
12.2. Dealside shall in any event only be liable for direct damages caused by a Processing activity of Dealside which breaches this Data Processing Agreement and subject to the terms as set out herein.
13. General
13.1. The provisions of the Terms and Conditions shall also apply mutatis mutandis to this Data Processing Agreement, unless explicitly stated otherwise herein.
Schedule 1. Description of the Processing activities
Subject matter of the Processing: The processing activities may include, based on the features of the Platform and the Services utilized, but are not limited to, providing pre-meeting briefings, recording meetings, generating meeting summaries, automating follow-ups, logging meeting notes, and updating CRM systems automatically through the Platform and the Services.
Nature of the Processing: Collection, organization, structuring, storage, consultation, use, disclosure by transmission, alignment or combination, restriction, modification and amendment, erasure or destruction.
Purpose of the Processing: Dealside will process Customer Personal Data for purposes of providing the Platform and Services, hence for the performance of the Contract. Dealside does not sell Customer Personal Data and does not share such data with third parties for compensation or for those third parties' own business interests. Dealside does not use Customer Personal Data to train, retrain, or improve AI models.
Duration of the Processing: Prior to the termination of the Contract, Dealside will process Customer Personal Data until Customer elects to delete such Customer Personal Data via the Platform and Customer agrees that it is solely responsible for deleting Customer Personal Data via the Platform. After the termination of the Contract, the Customer has the right to request the return or deletion of any Customer Personal Data in Dealside’s standard data format within sixty (60) days. Any such request must be submitted to Dealside in writing. If no such request is received, Dealside will automatically delete any remaining Customer Personal Data sixty (60) days after the termination of the Contract. Any Customer Personal Data retained on Dealside’s backup systems will be automatically deleted ninety (90) days after the termination effective date, unless retention is required to comply with applicable legal or regulatory obligations.
Categories of Personal Data: Categories of Personal Data may include, based on the features of the Platform and the Services utilized, but are not limited to:
Identification data (first name, last name, email)
Contact data (first name, last name, email, physical address)
Meeting data (participant first name, participant last name, participant email, recording, transcript, summary, debrief)
Prospects, customers and business partners interaction data
Categories of Data Subjects: Categories of Data Subjects may include, based on the features of the Platform and the Services utilized, but are not limited to:
Employees or contact persons of Customer’s prospects, customers and business partners
Prospects, customers and business partners of Customer (who are natural persons)
Employees, agents, advisors, freelancers of Customer (who are natural persons)
Customer’s Users authorized by Customer to use the Platform and the Services
Schedule 2. Technical and Organizational Measures
Dealside’s technical and organizational measures include the following:
1. Access control
Measures to prevent access to data processing systems for unauthorized persons and to prevent unauthorized activities, which are not included in the given user authorizations.
(a) Authentication: Dealside uses secure access protocols. Access to production infrastructure requires the use of multi-factor authentication.
(b) Authorization: Dealside restricts access to Customer Personal Data to authorized personnel with a defined need-to-know or a role requiring such access, using role-based access control (RBAC).
(c) Review: Access rights to Customer Personal Data are regularly reviewed.
2. Encryption of personal data and pseudonymization
Measures for the protection of data during storage and during transmission.
(a) Encryption at rest: Customer Personal Data stored in databases and file systems is encrypted at rest using secure encryption algorithms.
(b) Encryption in transit: Customer Personal Data is encrypted in transit using secure cipher suites and protocols for transmission over public networks.
(c) Pseudonymization: Customer Personal Data is pseudonymized or anonymized where relevant and feasible.
3. Physical security
Measures for ensuring physical security of locations at which personal data are processed.
(a) Customer Personal Data is hosted in ISO27001-certified and SOC2-compliant data centers at leading cloud infrastructure providers. Facilities have 24/7 security monitoring, access controls, and CCTV surveillance.
4. Backup and disaster recovery
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
(a) Backup: Production database backups are created automatically on a daily basis and are redundantly stored for 7 days.
(b) Disaster recovery: A disaster recovery plan outlines the steps to take to perform backup recovery and is tested regularly.
(c) Redundancy: Redundant infrastructure prevents single points of failure. Systems use automated failover and load balancing.
5. Logging and monitoring
Measures for ensuring event logging and monitoring.
(a) Logging: Dealside logs events and captures and stores logs that include all interactions and relevant modifications.
(b) Monitoring: Logs and events are monitored and investigated when necessary and escalated appropriately.
6. Retention and secure deletion
Measures for ensuring data retention and secure deletion.
(a) Retention: Customer Personal Data is stored only as long as necessary.
(b) Secure deletion: Secure deletion of Customer Personal Data is performed using industry-standard methods when retention periods expire or upon request.
7. Sub-processors
Technical and organizational measures of sub-processors.
(a) Agreements: Dealside enters into Data Processing Agreements with its authorized sub-processors with data protection obligations substantially similar to those contained in this Data Processing Agreement.
(b) Review: Sub-processors are regularly reviewed to ensure ongoing compliance with security measures and GDPR requirements.
Dealside BV - Last revised on 21 Mar 2025