Data Processing Agreement
How Eco Heroes International SL processes personal data on behalf of customers of the DMA Platform. GDPR Article 28 compliant, Hetzner EU hosting.
- Background and Scope
- Definitions
- Roles and Responsibilities
- Subject Matter, Duration, Nature, Purpose
- Processing Instructions
- Sub-processing
- Data Subject Rights
- Security of Processing
- Personal Data Breach Notification
- Retention, Return, and Deletion
- International Data Transfers
- Audit Rights
- Liability
- Term and Termination
- Governing Law and Jurisdiction
- Miscellaneous
- Annex I — Description of Processing
- Annex II — Technical and Organisational Measures
- Annex III — Sub-processors
- Annex IV — Vendor Chain and Data Residency Map
1. Background and Scope
1.1 Purpose
This Data Processing Agreement ("DPA") sets out the terms under which Eco Heroes International SL ("Processor", "we", "us") processes personal data on behalf of the Customer ("Controller", "you") in the course of providing the Service described in the Terms of Service.
1.2 Relationship to other agreements
This DPA is incorporated by reference into the Terms of Service at assessment.eco-heroes.org/legal/terms.php. Where a Customer enters into a separate Memorandum of Understanding or commercial agreement with Processor (for example, a federation-level or DMO-level agreement), this DPA continues to apply and its terms prevail in the event of conflict regarding data protection matters, except where the separate agreement contains stricter Controller protections.
1.3 Governing legal framework
This DPA is designed to meet the requirements of:
- Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), in particular Article 28
- Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)
- Commission Implementing Decision (EU) 2021/914 on Standard Contractual Clauses (SCCs)
- Regulation (EU) 2023/2854 (EU Data Act), Chapter VI, for data portability and switching
1.4 Scope of application
This DPA applies to all processing of personal data performed by Processor on behalf of Controller in connection with the Service, including data entered into the Double Materiality Assessment tool, account data, and authentication data.
2. Definitions
Terms defined in the GDPR (including "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", "Sub-processor") have the meanings given in Article 4 GDPR.
Additional terms specific to this DPA:
- "Assessment Data" — information entered by Data Subjects acting on behalf of the Controller into the Platform during the self-assessment process.
- "Registry Data" — the subset of Controller data published on the public European Registry with explicit authorisation at the time of certification.
- "Sub-processor" — any third party engaged by Processor to process Personal Data on Controller's behalf.
- "TOMs" — Technical and Organisational Measures, as described in Annex II.
3. Roles and Responsibilities
3.1 Controller / Processor determination
- When the Customer is an organisation entering data about its employees, consultants, suppliers, or other individuals, the Customer is the Data Controller and Eco Heroes International SL acts as Data Processor under this DPA.
- When the Customer is an individual professional (freelancer, sole proprietor, self-employed operator) entering their own personal data, Eco Heroes International SL is the Data Controller for the limited purpose of identity verification, account management, billing, and Certification issuance. This DPA does not apply to that relationship; the Privacy Policy governs it.
3.2 Controller responsibilities
Controller warrants and confirms that:
- It has a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for the processing instructed under this DPA.
- It has provided the information required by Articles 13 and 14 GDPR to Data Subjects whose data is entered into the Platform.
- Its instructions to Processor comply with applicable data protection laws.
- The categories of data entered do not include special categories under Article 9 GDPR unless Controller has secured an explicit Article 9(2) legal basis and has notified Processor in advance.
3.3 Processor responsibilities
Processor shall:
- Process Personal Data only on documented instructions from Controller, as specified in this DPA and the Terms of Service.
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under statutory confidentiality obligations.
- Implement the Technical and Organisational Measures set out in Annex II.
- Assist Controller in fulfilling its obligations under Articles 32–36 GDPR.
- Comply with the sub-processor rules in Section 6.
4. Subject Matter, Duration, Nature, and Purpose of Processing
Pursuant to Article 28(3) GDPR:
4.1 Subject matter
The processing of Personal Data entered into the Eco Heroes Double Materiality Assessment Platform for the purpose of producing a Certification aligned with the EFRAG VSME framework.
4.2 Duration
The processing lasts for the duration of the Terms of Service between Controller and Processor, plus the applicable retention periods set out in Section 10 and the Terms of Service Section 9.5.
4.3 Nature and purpose
- Provision of the DMA online self-assessment tool
- Issuance of verifiable Certifications with QR codes
- Publication of Registry Data on the public European Registry (with consent)
- Delivery of personalised ESG roadmaps
- Account management, authentication, and billing
- Communications related to the Service (transactional email)
4.4 Type of Personal Data
Specified in detail in Annex I (Description of Processing).
4.5 Categories of Data Subjects
Specified in detail in Annex I (Description of Processing).
5. Processing Instructions
5.1 Documented instructions
Processor processes Personal Data only on documented instructions from Controller. The Terms of Service, this DPA, and any configuration choices made by Controller through the Platform constitute Controller's documented instructions.
5.2 Additional instructions
Controller may issue additional reasonable instructions in writing (including by email to privacy@eco-heroes.org). Processor will notify Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other data protection law.
5.3 Unlawful instructions
Processor is not obligated to follow instructions that it reasonably believes to be unlawful. Processor will notify Controller of such instructions and cooperate in identifying a lawful alternative.
6. Sub-processing
6.1 General authorisation
Controller grants Processor general authorisation to engage sub-processors, subject to the conditions in this Section 6.
6.2 Authorised Sub-processors
As of the Effective Date, Processor engages the following Sub-processors, detailed in Annex III:
| Sub-processor | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (VPS, MySQL database) | Germany |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland |
| Resend, Inc. | Transactional email delivery | United States (EU DPA + SCCs in place) |
6.3 Conditions applicable to Sub-processors
Before engaging any Sub-processor, Processor shall:
- Conduct reasonable due diligence on the Sub-processor's security and data-protection practices.
- Enter into a written agreement with the Sub-processor imposing data protection obligations substantially equivalent to those in this DPA, pursuant to Article 28(4) GDPR.
- For Sub-processors located outside the EEA, put in place valid transfer mechanisms (Standard Contractual Clauses, adequacy decision, or other Article 46 GDPR safeguard).
6.4 Changes to Sub-processors
Processor will notify Controller at least thirty (30) days in advance of any intended addition or replacement of Sub-processors, via email to the Controller's registered contact and via notice at assessment.eco-heroes.org/legal/dpa.php.
6.5 Objection right
Controller may object to the engagement of a new Sub-processor on reasonable data-protection grounds within the 30-day notice period. If the objection cannot be resolved, Controller may terminate the Service in accordance with Terms of Service Section 9.1 and recover any prepaid fees for the unused portion of the Certification period.
6.6 Liability for Sub-processors
Processor remains fully liable to Controller for the performance of Sub-processors' obligations under this DPA.
7. Data Subject Rights
7.1 Assistance to Controller
Processor shall provide reasonable assistance to Controller in responding to requests from Data Subjects to exercise their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making).
7.2 Direct contact from Data Subjects
If a Data Subject contacts Processor directly to exercise a right, Processor shall (a) acknowledge receipt, (b) forward the request to Controller without undue delay, and (c) not respond substantively unless authorised by Controller or required by law.
7.3 Response times
Processor will assist Controller to meet the one-month response deadline under Article 12(3) GDPR. Where Processor's assistance requires significant engineering work (for example, bulk data export in non-standard formats), Processor may charge reasonable fees, disclosed to Controller in advance.
8. Security of Processing
8.1 Technical and Organisational Measures
Processor implements and maintains the Technical and Organisational Measures set out in Annex II. These include encryption in transit and at rest, access controls, backup and recovery procedures, and secure software-development practices.
8.2 Continuous review
Processor reviews the TOMs at least annually and updates them as needed to reflect changes in technology, threat landscape, and legal requirements. Material changes are reflected in updated versions of this DPA.
8.3 Confidentiality obligations
All Processor personnel and contractors with access to Personal Data are bound by written confidentiality obligations that survive the termination of their engagement.
8.4 Insurance
Processor maintains cyber liability and professional indemnity insurance consistent with industry standards for EU SaaS providers of comparable scale. Evidence of coverage is available to enterprise Controllers upon request, subject to a mutual non-disclosure agreement.
9. Personal Data Breach Notification
9.1 Processor notification to Controller
Processor shall notify Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Controller's data. The notification will, to the extent then available, include:
- The nature of the breach, including categories and approximate number of Data Subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- Contact details of the Processor's Data Protection contact
9.2 Ongoing updates
Where not all information is available at the time of initial notification, Processor will provide it in phases as it becomes available, without further undue delay.
9.3 Controller's notification to supervisory authorities
Controller is responsible for notifying the relevant supervisory authority (where required under Article 33 GDPR) and affected Data Subjects (where required under Article 34 GDPR). Processor shall provide reasonable assistance.
9.4 Contact channel
All breach notifications and related correspondence are sent to and from privacy@eco-heroes.org.
10. Retention, Return, and Deletion
10.1 Retention during the contract
Processor retains Personal Data for the duration of the Service and as set out in Terms of Service Section 9.5:
- Assessment Data: retained during the 12-month Certification period and for three (3) years thereafter for audit, legal, and statistical purposes.
- Registry Data: removed from the public European Registry within fourteen (14) days of Certification termination or expiry, unless Controller requests continued listing.
- Account and billing records: retained for six (6) years as required by Article 30 of the Spanish Código de Comercio.
10.2 Return or deletion on termination
Upon termination of the Service and expiry of applicable retention periods, Processor shall, at Controller's choice:
- Return all Personal Data to Controller in a structured, commonly used, machine-readable format (JSON, CSV, or PDF); or
- Delete all Personal Data and certify deletion in writing.
10.3 EU Data Act compliance
In accordance with Article 25 of Regulation (EU) 2023/2854, Controller may export Personal Data at any time during the Service, free of charge, in a structured, commonly used, machine-readable format. Export is available through the Platform user interface or, for bulk export, by written request to privacy@eco-heroes.org with a response time of no more than fifteen (15) business days.
10.4 Legal retention obligations
Notwithstanding Controller's deletion request, Processor may retain Personal Data where and for as long as required by applicable law (for example, tax, accounting, or anti-money-laundering obligations). Such retained data remains subject to the confidentiality and security obligations of this DPA.
11. International Data Transfers
11.1 Default location
Personal Data processed under this DPA is stored and processed primarily within the European Economic Area (EEA), in data centres operated by Hetzner Online GmbH in Germany (Falkenstein and Nuremberg regions).
11.2 Transfers outside the EEA
Where Personal Data is transferred outside the EEA (for example, to Resend, Inc. for transactional email delivery from servers located in the United States), Processor relies on:
- Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914
- Supplementary measures where required by the CJEU Schrems II judgment, including encryption in transit and at rest and contractual restrictions on government access requests
- Transfer impact assessments documented and available to Controller upon request
11.3 Controller notification
Processor will notify Controller before initiating any new transfer of Personal Data to a country outside the EEA, and will not rely on derogations under Article 49 GDPR for routine transfers.
12. Audit Rights
12.1 Information provision
Processor shall make available to Controller, on written request, information reasonably necessary to demonstrate compliance with this DPA and with Article 28 GDPR, including:
- Current list of Sub-processors (in Annex III)
- Current TOMs description (in Annex II)
- Third-party certifications or audit reports held by Processor or its Sub-processors (for example, ISO 27001 certifications held by Hetzner and Stripe)
- Results of internal audits relevant to the Controller's data
12.2 On-site audits
Controller may, no more than once per calendar year (except following a confirmed Personal Data Breach), conduct an on-site audit of Processor's facilities and processes relevant to this DPA. Conditions:
- At least thirty (30) days' advance written notice
- Conducted during normal business hours
- At Controller's expense unless the audit reveals a material breach of this DPA by Processor
- Subject to reasonable confidentiality arrangements
- Auditor is a qualified independent third party, approved by Processor (approval not to be unreasonably withheld)
12.3 Audit scope limits
Audits shall not extend to data of other Controllers, commercially sensitive information unrelated to the Controller's data, or facilities of Sub-processors (for which Sub-processor audit arrangements apply).
13. Liability
13.1 Article 82 GDPR allocation
Consistent with Article 82(2) GDPR, Controller is liable for damage caused by processing that infringes the GDPR, and Processor is liable only where it has not complied with obligations under the GDPR specifically directed to processors or where it has acted outside or contrary to Controller's lawful instructions.
13.2 Contractual cap
Except for breaches of confidentiality, wilful misconduct, gross negligence, and non-excludable liability under applicable law, each party's aggregate liability under this DPA is subject to the liability cap in the Terms of Service Section 11.
14. Term and Termination
14.1 Term
This DPA enters into force on the Effective Date and remains in effect for as long as Processor processes Personal Data on behalf of Controller.
14.2 Termination
This DPA terminates automatically upon termination of the Terms of Service. Provisions that by their nature survive termination (including Sections 9, 10, 11, 12, 13, and 16) continue in effect after termination.
15. Governing Law and Jurisdiction
This DPA is governed by the laws of the Kingdom of Spain, consistent with the Terms of Service Section 15. The choice of Spanish law does not deprive Data Subjects of the protection of mandatory provisions of the law of their country of habitual residence.
16. Miscellaneous
16.1 Order of precedence
In case of conflict, the order of precedence is: (1) mandatory provisions of applicable data protection law, (2) this DPA, (3) the Terms of Service, (4) any separate commercial agreement.
16.2 Modifications
Processor may update this DPA to reflect changes in applicable law, Sub-processors, TOMs, or operational practice. Material changes follow the notification process in Terms of Service Section 14 (30-day advance notice).
16.3 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in effect.
16.4 Entire agreement on data protection
This DPA, together with the Terms of Service and the Privacy Policy, constitutes the entire agreement between the parties on data protection.
16.5 Contact for data protection matters
All communications regarding this DPA, including Sub-processor notifications, breach notifications, Data Subject rights requests, and audit requests, shall be addressed to:
Eco Heroes International SL — Data Protection
Email: privacy@eco-heroes.org
Registered office: Girona, Spain
Annex I — Description of Processing
A. Categories of Data Subjects
- Employees of Controller organisations who complete the DMA self-assessment on behalf of the organisation
- Contact persons designated by Controller for billing, technical administration, and data protection
- Where Controller is a federation or DMO, employees of associated member organisations who use the Service under a coupon arrangement
B. Categories of Personal Data
| Category | Examples | Source |
|---|---|---|
| Identification data | First name, last name, professional email, job title | Provided at registration |
| Organisation-linked data | Company name, CIF/VAT number, role within the organisation | Provided at registration |
| Authentication data | Hashed password, session tokens, multi-factor authentication secrets | Generated by Platform |
| Assessment responses | Answers to DMA questionnaire, ESG priority declarations | Provided by Controller's user |
| Billing data | Billing address, invoicing contact, VAT identification | Provided at purchase |
| Usage data | Login timestamps, IP addresses, user-agent strings, feature usage | Generated by Platform |
| Communications | Email correspondence with Processor support team | Exchanged during Service |
C. Special Categories
Processor does not request or knowingly process special categories of Personal Data under Article 9 GDPR. Controller shall not enter such data into free-text fields. If special-category data is inadvertently entered, Controller shall notify Processor immediately for secure deletion.
D. Purposes of Processing
- Delivery of the DMA self-assessment service
- Issuance and verification of Certifications
- Publication of Registry Data (with explicit consent at the time of Certification)
- Billing, payment processing, and tax compliance
- Account security and fraud prevention
- Customer support and service communications
- Regulatory and legal compliance
- Aggregated, anonymised statistics for research and benchmarking (no individual identification)
Annex II — Technical and Organisational Measures (TOMs)
1. Pseudonymisation and Encryption
- Encryption in transit: All connections to the Platform use TLS 1.2 or higher. TLS configuration rated A+ by Qualys SSL Labs, with HSTS enforcement and modern cipher suites only.
- Encryption at rest: Database storage encrypted at rest by Hetzner's infrastructure. Backup encryption using AES-256.
- Password hashing: User passwords hashed using bcrypt or Argon2id with appropriate work factors.
- Payment data: Not stored by Processor. Stripe tokenisation used throughout; Processor's systems never see full card data.
2. Confidentiality, Integrity, and Availability
Confidentiality
- Role-based access control (RBAC) with principle of least privilege
- Individual accounts for all personnel; no shared credentials
- Multi-factor authentication required for administrative access
- Automated session timeouts
Integrity
- Database transaction logging
- File integrity monitoring on critical server components
- Code review and change management processes for deployments
Availability
- Target 99.5% monthly uptime (Terms of Service Section 7)
- Daily automated backups retained for 30 days
- Documented disaster recovery procedures
- Infrastructure monitoring with 24/7 alerting
3. Resilience of Systems
- Infrastructure: Hetzner CX22 VPS with managed MySQL, located in Germany
- CDN and edge: Content delivery through the hosting provider's EU infrastructure
- Security headers: Content Security Policy, HSTS, X-Frame-Options, Mozilla Observatory rating A+
- DDoS protection: Provided by Hetzner at the network level
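The browser-facing controls listed above (HSTS in item 1, CSP and X-Frame-Options in item 3) are the ones a Controller exercising its Section 12 information rights can verify from outside the Platform. The following is an added example, not code from the DPA or from the Platform: an offline checker that parses a raw HTTP response header block and reports which of the listed headers are missing or weakly configured. Both sample responses are constructed for illustration and were not captured from assessment.eco-heroes.org; the thresholds (HSTS max-age of at least one year, no 'unsafe-inline' or '*' in script sources) are assumed audit criteria from common hardening guidance, not terms of the DPA.

```python
"""Offline check of HSTS, CSP and clickjacking headers against a raw response.

Added example, not the Platform's code. Sample responses below are constructed.
"""
from __future__ import annotations

import re

HSTS_MIN_AGE = 31_536_000  # one year in seconds; an assumed audit threshold


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response header block into a lower-cased name -> value map.

    The status line and continuation lines are skipped; repeated headers are
    joined with ', ' as RFC 9110 permits for list-valued fields.
    """
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into directive -> source list."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_hsts(value: str | None) -> list[str]:
    """HSTS must be present, long-lived and cover subdomains."""
    if value is None:
        return ["HSTS header missing"]
    findings: list[str] = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if m is None:
        findings.append("HSTS max-age missing")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {m.group(1)} below {HSTS_MIN_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_csp(policy: dict[str, list[str]] | None) -> list[str]:
    """CSP must have a fallback directive and must not open up script execution."""
    if policy is None:
        return ["CSP header missing"]
    findings: list[str] = []
    default = policy.get("default-src")
    if default is None:
        findings.append("CSP has no default-src fallback")
    elif "*" in default:
        findings.append("CSP default-src allows any origin")
    # script-src falls back to default-src when absent, as browsers do
    script = policy.get("script-src", default or [])
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in script:
            findings.append(f"CSP allows {weak} for scripts")
    return findings


def check_framing(xfo: str | None, policy: dict[str, list[str]] | None) -> list[str]:
    """Clickjacking: frame-ancestors wins in modern browsers, X-Frame-Options is the fallback."""
    if policy and policy.get("frame-ancestors"):
        return []
    if xfo is None:
        return ["no clickjacking protection (frame-ancestors or X-Frame-Options)"]
    if xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return [f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN"]
    return []


def audit_headers(raw: str) -> list[str]:
    """Return all findings for one response; an empty list means every check passed."""
    headers = parse_headers(raw)
    csp_value = headers.get("content-security-policy")
    policy = parse_csp(csp_value) if csp_value is not None else None
    return (
        check_hsts(headers.get("strict-transport-security"))
        + check_csp(policy)
        + check_framing(headers.get("x-frame-options"), policy)
    )


# Constructed sample responses (not captured from the Platform).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
Content-Type: text/html; charset=utf-8
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(raw) or "PASS")
```

Run against a real capture (for example the header block saved from `curl -sI https://assessment.eco-heroes.org/`), the empty-list result is the evidence an auditor would file against Annex II item 3; the findings list for the weak sample shows the kind of gaps the check is designed to surface. The script deliberately inspects only headers, so it says nothing about the TLS version and cipher-suite claims in item 1, which need a live handshake test.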
4. Regular Testing and Evaluation
- Internal security reviews at least quarterly
- Vulnerability scanning on the Platform's public-facing surface
- Dependency auditing for known CVEs in software components
- Annual review of this DPA and the TOMs
5. Access Management and Deletion
- Onboarding and offboarding procedures for personnel with access to Personal Data
- Access reviews quarterly
- Secure deletion of Personal Data following retention expiry (Section 10)
- Certification of deletion available on request
6. Incident Response
- Documented incident response plan
- 24-hour on-call rotation for critical security incidents
- 48-hour notification commitment to Controllers (Section 9.1)
- Post-incident root-cause analysis and corrective actions
7. Privacy by Design
- Data minimisation: only data necessary for the DMA is collected
- Purpose limitation: separate authorisation for Registry Data publication
- Storage limitation: defined retention schedules (Section 10)
- Default privacy settings favour restricted disclosure
Annex III — Sub-processors
As of the Effective Date, Processor engages the following Sub-processors:
1. Hetzner Online GmbH
| Attribute | Detail |
|---|---|
| Legal entity | Hetzner Online GmbH |
| Role | Infrastructure-as-a-Service provider (VPS, MySQL database, storage, DDoS protection) |
| Location | Germany (Falkenstein and Nuremberg data centres) |
| Transfer mechanism | No transfer outside the EEA required |
| Data categories | All categories in Annex I (data at rest) |
| Certifications | ISO 27001 certified |
| DPA | Hetzner Data Processing Agreement in place |
| Contact | support@hetzner.com |
| URL | https://www.hetzner.com |
2. Stripe Payments Europe, Ltd.
| Attribute | Detail |
|---|---|
| Legal entity | Stripe Payments Europe, Limited |
| Role | Payment processing, invoice generation |
| Location | Ireland (EU entity); some processing by affiliated entities in the United States |
| Transfer mechanism | Standard Contractual Clauses (SCCs) for transfers outside the EEA |
| Data categories | Billing data, payment card tokens (Processor does not receive full card data), transaction metadata |
| Certifications | PCI-DSS Level 1 Service Provider; SOC 1, SOC 2; ISO 27001 |
| DPA | Stripe Data Processing Agreement (public) |
| Contact | dpo@stripe.com |
| URL | https://stripe.com/legal/dpa |
3. Resend, Inc.
| Attribute | Detail |
|---|---|
| Legal entity | Resend, Inc. |
| Role | Transactional email delivery (registration confirmations, receipts, service notifications) |
| Location | United States |
| Transfer mechanism | Standard Contractual Clauses (SCCs); EU DPA |
| Data categories | Recipient email address, email subject and content metadata, delivery status |
| Certifications | SOC 2 Type II |
| DPA | Resend Data Processing Agreement |
| Contact | legal@resend.com |
| URL | https://resend.com/legal/dpa |
Sub-processor list updates
The current list of Sub-processors is always available at assessment.eco-heroes.org/legal/dpa.php. Changes follow the notification process in Section 6.4.
Annex IV — Vendor Chain and Data Residency Map
Data residency at a glance
```
Customer (Controller)
        │
        │ (HTTPS/TLS 1.2+)
        ↓
┌──────────────────────────────────────┐
│ assessment.eco-heroes.org (EU)       │
│ Hosted on Hetzner CX22, Germany      │
│ Region: Falkenstein / Nuremberg      │
└──────────────────────────────────────┘
                    │
    ┌───────────────┼───────────────┐
    ↓               ↓               ↓
┌─────────┐    ┌─────────┐    ┌──────────┐
│ Hetzner │    │ Stripe  │    │ Resend   │
│   DE    │    │   IE    │    │   US     │
│         │    │         │    │ (SCCs)   │
│ Storage │    │ Payments│    │ Email    │
└─────────┘    └─────────┘    └──────────┘
    EEA            EEA        Third Country
```
Vendor chain summary
| Tier | Entity | Role | Jurisdiction | Transfer mechanism |
|---|---|---|---|---|
| Processor | Eco Heroes International SL | Provider of DMA Service | Spain (EU) | N/A |
| Sub-processor | Hetzner Online GmbH | Infrastructure hosting | Germany (EU) | Intra-EEA |
| Sub-processor | Stripe Payments Europe Ltd. | Payments | Ireland (EU) | Intra-EEA; SCCs for affiliate processing |
| Sub-processor | Resend, Inc. | Transactional email | United States | SCCs + supplementary technical measures |
Data minimisation in the vendor chain
- Hetzner stores all Personal Data at rest. The at-rest encryption is operated within Hetzner's infrastructure (Annex II, item 1), so it protects against loss or reuse of physical media rather than against the hosting provider itself; Hetzner has no application-layer access to the Platform or its database.
- Stripe receives only billing and payment data; does not receive Assessment Data, authentication data, or usage data.
- Resend receives only the recipient email address and the content of transactional messages; does not receive Assessment Data.
This DPA was last updated on 21 April 2026 (version 1.0). The current version is always available at assessment.eco-heroes.org/legal/dpa.php.