Data Processing Agreement

Effective Date: December 18th, 2025

This Data Processing Agreement (the “DPA”) forms part of the principal agreement governing the provision of the Loonar platform and related services between:

  • Controller: The customer entity that has entered into a contract for the use of Loonar (the “Principal Agreement”)

  • Processor: Loonar ApS, CVR 46064933, registered office at Vesterbrogade 192, 2.10., 1800 Frederiksberg, Copenhagen, Denmark (the “Processor”)

Controller and Processor are each a “Party” and together the “Parties”.

1. Purpose, scope and precedence

1.1 This DPA sets out the rights and obligations of the Parties when Processor processes Personal Data on behalf of Controller in connection with the provision of the Loonar platform and related services under the Principal Agreement.

1.2 The DPA is intended to meet the requirements of Article 28 of Regulation (EU) 2016/679 (the GDPR) for contracts between controllers and processors.

1.3 The subject matter, nature and purpose of the processing, the categories of data subjects and personal data, and the duration of the processing are described in Appendix A (Description of Processing).

1.4 In case of conflict between this DPA and the Principal Agreement on matters relating to data protection, this DPA prevails.

1.5 This DPA applies for as long as Processor processes Personal Data on behalf of Controller under the Principal Agreement.

2. Roles of the Parties and instructions

2.1 Controller is the data controller with respect to the Personal Data and determines the purposes and means of the processing.

2.2 Controller is responsible for ensuring that the processing of Personal Data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions, and this DPA.

2.3 Controller shall be responsible for ensuring that the processing of Personal Data, which the Processor is instructed to perform, has a legal basis in accordance with the GDPR.

2.4 Processor is the data processor and shall only process Personal Data on documented instructions from Controller, as described in this DPA, in the Principal Agreement and in Appendix C (Instructions and Technical and Organisational Measures), unless required to do so by applicable law. In that case, Processor shall inform Controller of that legal requirement before processing, unless the law prohibits such information.

2.5 If Processor considers that an instruction from Controller infringes the GDPR or other applicable data protection laws, Processor shall inform Controller without undue delay and may suspend the relevant processing until the instruction is confirmed, amended or withdrawn.

3. Confidentiality

3.1 Processor shall ensure that persons authorised to process Personal Data on its behalf are subject to an appropriate duty of confidentiality, whether contractual or statutory.

3.2 Processor shall ensure that such persons only have access to Personal Data to the extent strictly necessary to perform their tasks for Processor and Controller, in accordance with the principle of least privilege. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access shall be withdrawn if access is no longer necessary.

3.3 Processor shall at the request of the Controller demonstrate that the concerned persons under the Processor’s authority are subject to the duty of confidentiality specified in Clause 3.1.

4. Security of processing

4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks for the rights and freedoms of natural persons, Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR.

4.2 Processor’s minimum technical and organisational measures, including measures related to hosting, EU data residency, tenant isolation, authentication, logging, backups, and business continuity, are described in Appendix C (Instructions and Technical and Organisational Measures) and align with the cybersecurity principles described in the Loonar security documentation, including an architecture designed in line with ISO 27001 information security management principles.

4.3 Processor shall regularly review and update its technical and organisational measures to address changes in risks, technology and regulatory expectations. Any material reduction in the overall level of protection shall not be implemented without Controller’s prior written consent.

5. Use of Sub-processors

5.1 Controller grants Processor general authorisation to engage third parties as sub-processors for the processing of Personal Data on behalf of Controller (each a “Sub-processor”), subject to the conditions in this section and in Appendix B (Sub-processors).

5.2 Processor shall enter into a written contract with each Sub-processor that imposes data protection obligations which are no less protective than those set out in this DPA, including appropriate technical and organisational measures.

5.3 Processor shall remain fully liable to Controller for the performance of each Sub-processor’s obligations regarding the processing of Personal Data.

5.4 Processor shall maintain an up-to-date list of Sub-processors and make it available to Controller as described in Appendix B.

5.5 Processor shall notify Controller in advance of any intended addition or replacement of a Sub-processor. The notice shall include the Sub-processor’s name, the location(s) where the relevant Processing will be performed, and a brief description of the Processing activities the Sub-processor will carry out. Notice may be given by email or other written means, including posting an update to a website or portal, provided Controller has a mechanism to receive notice of the update.

5.6 Processor shall ensure each Sub-processor is bound by written terms imposing data protection obligations no less protective than those in this DPA, including as applicable confidentiality, security measures, restrictions on onward transfers, assistance obligations, and deletion/return.

5.7 Controller may object in writing within fourteen (14) days of receiving notice. Any objection must be limited to reasonable grounds related to data protection, including the Sub-processor’s demonstrable failure to provide the same or a reasonably comparable level of protection for Controller’s Personal Data as that provided under this DPA and applicable data protection law (a “Reasonable Objection”).

5.8 If Controller raises a Reasonable Objection, Processor shall use reasonable efforts to address the objection or propose an alternative Sub-processor. If the Parties cannot resolve the objection within thirty (30) days of Processor’s receipt of it, Controller may terminate the affected Services on written notice, without penalty, as its sole and exclusive remedy.

6. Data residency, data flow and international transfers

6.1 By design, Controller data is stored and backed up in data centres located in the European Union, unless otherwise agreed in writing.

6.2 Documents such as RFQs, proposals and technical attachments are uploaded to Loonar and stored in encrypted form within Controller’s logical tenant. Indexing and internal processing for search and analysis take place within this environment.

6.3 When a user initiates a query or workflow that uses AI capabilities, Loonar selects only the minimum relevant excerpts from the stored content and uses these excerpts to build the prompt to the AI models. Full documents are not sent to external AI providers.

6.4 These excerpts are transmitted over encrypted connections to AI model providers that operate under Zero Data Retention commitments. This means prompts and outputs are processed only to generate the response, are not stored as content by the provider beyond transient processing, and are not used to train or improve general purpose models.

6.5 Processor does not use Controller’s data, prompts or outputs to train or improve any general purpose AI models, either its own or those of third parties. Any use of data for monitoring, debugging or improving the Loonar service is restricted to aggregated or de-identified information, or is limited to Controller’s own tenant without re-use for other customers.

6.6 International transfers (EEA, UK, Switzerland). To the extent any Processing involves (i) a transfer of Personal Data to, or (ii) access to Personal Data from, a country outside the EEA, Switzerland, or the United Kingdom (a “Restricted Transfer”), Processor shall ensure such Restricted Transfer complies with Chapter V GDPR and other applicable transfer rules, including (as applicable) an adequacy decision or appropriate safeguards such as the European Commission’s Standard Contractual Clauses (“EU SCCs”).

6.6.1 UK transfers. Where a Restricted Transfer is subject to UK data protection law, the EU SCCs shall apply as amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (in force 21 March 2022), or any successor mechanism.

6.6.2 Swiss transfers. Where a Restricted Transfer is subject to Swiss data protection law, the EU SCCs shall apply with the following modifications: (a) references to the GDPR are construed as references to the Swiss Federal Act on Data Protection (“FADP”); (b) references to the “competent supervisory authority” are construed as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC); (c) where the transfer is subject to both the GDPR and the FADP, supervisory authority references apply accordingly; (d) “personal data” includes data of legal entities to the extent protected under the FADP; and (e) Clause 18(c) is construed to permit data subjects in Switzerland to bring proceedings in Switzerland.

7. Assistance to Controller

7.1 Taking into account the nature of the processing and the information available to Processor, Processor shall assist Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling Controller’s obligations to respond to requests from data subjects to exercise their rights under Chapter III GDPR.

7.2 Processor shall promptly notify Controller if Processor receives a request from a data subject that appears to relate to Personal Data processed on behalf of Controller. Processor shall not respond directly to such a request unless authorised or required by law, in which case Processor shall inform Controller, unless prohibited by law.

7.3 Processor shall, taking into account the nature of the processing and the information available to Processor, assist Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR, including obligations relating to security, data protection impact assessments and prior consultation with supervisory authorities.

8. Personal data breaches

8.1 Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Controller.

8.2 The notification shall include sufficient information to enable Controller to meet its obligations under Articles 33 and 34 GDPR, to the extent such information is available to Processor, including at least:

  • a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned

  • a description of the likely consequences of the Personal Data Breach

  • a description of measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects

8.3 Processor shall cooperate with Controller and take reasonable steps as directed by Controller to assist in the investigation, mitigation and remediation of the Personal Data Breach.

9. Return and deletion of data

9.1 Upon termination or expiry of the Principal Agreement, or upon written request from Controller at any time, Processor shall, at Controller’s choice, delete or return to Controller all Personal Data processed on behalf of Controller and shall delete existing copies, unless applicable law requires storage of the Personal Data.

9.2 Deletion shall include removal of Personal Data from active systems and, after the end of the applicable retention period, from backups, in line with Processor’s data retention and deletion policies described in Appendix C.

9.3 Processor shall provide Controller with written confirmation upon completion of the requested deletion, upon request by Controller.

10. Audit and inspection

10.1 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this DPA and shall allow for, and contribute to, audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to reasonable prior notice, at reasonable intervals and during normal business hours.

10.2 Audits shall be conducted in a manner that does not unreasonably interfere with Processor’s business operations and shall be subject to customary confidentiality protections. Controller shall bear its own costs and any third party auditor costs.

10.3 Processor may satisfy audit obligations under this section by providing third party audit reports, certifications or summaries of security assessments that are relevant to the services, where these provide a level of assurance that is at least equivalent to on site inspections.

11. Liability and indemnity

11.1 Each Party’s liability arising from or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA excludes or limits either Party’s liability where such exclusion or limitation is not permitted under applicable law.

11.2 This DPA does not create any additional indemnity obligations beyond those set out in the Principal Agreement, unless expressly stated otherwise.

11.3 Unlawful Instructions. The Parties acknowledge and have considered the consequences which may arise from potentially unlawful instructions given by the Controller, as referenced in Section 2.3. Any liability arising from Processor’s processing performed under confirmed instructions that the Processor had informed the Controller contravened the GDPR shall be governed by the terms of the Principal Agreement.

12. Term and termination

12.1 This DPA enters into force upon signature by both Parties or upon the effective date of the Principal Agreement, whichever is earlier, to the extent Processor processes Personal Data on behalf of Controller.

12.2 This DPA remains in force for as long as Processor processes Personal Data on behalf of Controller under the Principal Agreement.

12.3 Termination of the Principal Agreement automatically results in termination of this DPA, except for provisions which by their nature are intended to survive, including obligations regarding confidentiality, data deletion and liability.

13. Governing law and jurisdiction

13.1 This DPA is governed by the same law that governs the Principal Agreement.

13.2 Any disputes arising from or in connection with this DPA shall be subject to the same jurisdiction and dispute resolution mechanism as set out in the Principal Agreement.

14. Contact points

14.1 Each Party shall designate contact points for data protection matters, including, where applicable, the contact details of any data protection officer. These may be updated by either Party by written notice.


Appendix A

Description of Processing

  1. Subject matter, nature and purpose of processing

Processor provides a hosted SaaS platform, Loonar, which supports Controller’s RFQ and proposal processes by storing, indexing and analysing Controller’s documents and related data, including through AI supported features such as requirement extraction, deviation analysis and technical clarifications.

  2. Categories of data subjects

Depending on Controller’s use of the services, Personal Data may concern the following categories of data subjects:

  • Employees, contractors and other staff of Controller

  • Employees and representatives of Controller’s customers, suppliers and other business partners

  • Other individuals whose Personal Data appears in documents that Controller uploads to the platform

  3. Categories of Personal Data

Personal Data processed may include:

  • Identification and contact details such as name, job title, role, email address, phone number, employer

  • Business related information contained in RFQs, proposals, contracts and correspondence, where such information relates to an identified or identifiable natural person

  • Technical and project related comments or annotations linked to users or other individuals

  • Authentication and usage related data such as login identifiers, roles, activity logs and audit trails

Special categories of data are not intended to be processed. Controller is responsible for avoiding the upload of sensitive personal data unless necessary and lawfully justified. If special categories of data are processed, this will be under Controller’s responsibility and instructions.

  4. Processing operations

Processing may include:

  • Collection, receiving and uploading of data into the platform

  • Storage, organisation and structuring

  • Indexing, searching and retrieval

  • Use of AI models on selected text excerpts for analysis and content generation

  • Display of results, reports and exports

  • Transmission of limited prompts and excerpts to AI providers under Zero Data Retention mode

  • Backup, restoration, logging and security monitoring

  5. Duration

Processing takes place for the term of the Principal Agreement and any data retention period agreed between the Parties, after which Personal Data is returned or deleted in accordance with section 9 of this DPA.


Appendix B

Sub-processors

Processor currently uses or may use the following categories of Sub-processors:

  • Infrastructure and hosting providers operating EU based data centres

  • Managed database and storage providers in the EU

  • AI model providers that process limited text excerpts under Zero Data Retention and no training commitments

  • Monitoring, logging and alerting service providers

  • Email and notification service providers

A detailed list of current Sub-processors, including legal entities, roles and locations, is maintained by Processor and made available to Controller on request or via a dedicated URL indicated by Processor. Changes to this list are notified to Controller in advance in accordance with section 5.


Appendix C

Instructions and Technical and Organisational Measures

  1. General instructions

Controller instructs Processor to:

  • Process Personal Data only to provide, maintain and support the Loonar services and related technical operations described in the Principal Agreement and this DPA

  • Store and back up Personal Data in data centres located in the European Union, unless otherwise agreed in writing

  • Use AI models only on minimal necessary text excerpts and under Zero Data Retention and no training commitments

  • Not use Personal Data to train or improve general purpose AI models or to provide insights to other customers

  • Implement and maintain the technical and organisational measures described below

  2. Technical and organisational measures

At a minimum, Processor shall implement the following measures, consistent with the security description already provided to Controller:

  • Governance and risk management: security policies and procedures, risk based approach, access control and change management for the production environment

  • EU data residency and tenant isolation: storage of Personal Data in EU data centres, logical tenant isolation at application, database and object storage level

  • Encryption: encryption of data in transit and at rest using industry standard protocols and algorithms

  • Network security: private by default networking, restricted inbound access, controlled outbound connectivity, use of firewalls, traffic filtering and protections such as DDoS mitigation and web application firewalls

  • Authentication and access control: platform managed authentication, support for multi factor authentication, role based access control with least privilege, periodic review of privileged accounts, session management with timeouts and revocation on logout or credential change

  • Logging and monitoring: logging of security relevant events including authentication attempts, document access, configuration changes, exports and AI calls, centralised log storage with access controls and integrity protections, monitoring and alerting for suspicious activity

  • Backups and business continuity: regular backups of core data and metadata, encrypted backups, documented restoration procedures, basic disaster recovery and business continuity plans to address major incidents

  • Vulnerability management: regular scanning of infrastructure, containers and dependencies, remediation based on severity and risk, secure handling of secrets and keys using dedicated secret management services

  • Data retention and deletion: policies and mechanisms for retaining Personal Data only as long as necessary and for securely deleting it from active systems and backups in line with agreed retention and legal obligations

  3. International transfers

Any transfers or access from third countries shall follow the requirements in section 6, including the use of appropriate safeguards where required.


📧 matteo@coosmo.co
📧 gianlorenzo@coosmo.co

The AI workspace for
EPC & industrial proposal teams.

Data Processing Agreement

Loonar ApS © 2025 - registered in Vesterbrogade 192, 2.10., 1800 Frederiksberg, Copenhagen, Denmark (CVR/VAT 46064933)