Data Processing Agreement
1. Introduction
This Data Processing Agreement ("DPA") is entered into between LeoPulse B.V., a company incorporated under the laws of the Netherlands, KvK 97814997 ("Processor", "LeoPulse", "we", "us"), and the customer using the ELIAN platform ("Controller", "you").
This DPA governs the processing of personal data by LeoPulse on your behalf in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws. It constitutes the agreement required under Article 28 GDPR between you (Controller) and LeoPulse (Processor).
This DPA applies regardless of whether you access the ELIAN Service directly through a contract with LeoPulse or through an authorized reseller. If you were provisioned via a reseller, the data protection relationship between you and LeoPulse is governed by this DPA directly — the reseller has no role in the processing of your personal data and is not a party to this agreement. The relationship between LeoPulse and the reseller is governed by a separate Reseller Data Processing Agreement.
1.1 Acceptance
You accept this DPA by any of the following means:
- Clicking "Accept" or equivalent confirmation during the ELIAN onboarding process
- Signing a service agreement with LeoPulse that references or incorporates this DPA
- Entering into a commercial agreement with an authorized reseller that incorporates this DPA by reference
- Using the ELIAN Service after this DPA has been made available to you
1.2 Controller and Processor Roles
For the purposes of this DPA:
- You are the Controller — you determine the purposes and means of processing personal data through the Service
- LeoPulse is the Processor — we process personal data on your behalf and on your documented instructions
- Any reseller in the commercial chain has no data protection role with respect to your personal data and does not access, receive, store, or process it
2. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing": Any operation or set of operations performed on personal data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, and destruction.
- "Data Subject": The identified or identifiable natural person whose personal data is processed.
- "Sub-processor": Any third party engaged by LeoPulse to process personal data on behalf of the Controller. LeoPulse itself is not a sub-processor under this DPA.
- "Service": The ELIAN platform, including all cloud infrastructure, edge software, and related services provided by LeoPulse.
- "Reseller": An authorized partner that commercially resells access to the Service. A Reseller has no data protection role under this DPA and does not process personal data on behalf of the Controller or LeoPulse.
3. Scope of Processing
We process personal data only:
- As necessary to provide the ELIAN Service
- In accordance with your documented instructions
- In compliance with applicable data protection laws
3.1 Categories of Personal Data
Depending on your deployment, the following categories of personal data may be processed:
- User account data: Name, email address, hashed password, language preference, login history, and role assignments
- Video and image data: Camera recordings and snapshots that may incidentally contain recognizable individuals (if applicable to your deployment)
- Data protection contact details: Name, email address, and phone number of your designated data protection or security contact, used for breach notification and compliance communications
3.2 Non-Personal Operational Data
The following categories of data are typically non-personal and processed as part of the Service:
- IoT telemetry: Sensor readings (temperature, humidity, pressure, soil moisture, etc.) from edge devices — not linked to identifiable individuals
- AI detection events: Object detection results (e.g., "person detected", "vehicle detected") with timestamps and zone information — anonymous by design, no identification or tracking of individuals
- Device metadata: Device IDs, IP addresses, hardware specifications, health metrics, and connectivity status
- Asset tracking data: GPS coordinates and movement data for equipment and vehicles (not linked to identifiable individuals)
3.3 Edge AI Processing and Cloud Video Storage
AI video analytics (object detection) runs on edge hardware deployed at the Controller's premises. Detection metadata (event type, timestamp, zone) is generated locally and synchronized with the cloud platform.
Video recordings and live video streams are also transmitted to and stored in the cloud platform to enable remote viewing, playback, and evidence retention through the ELIAN portal. Video data is stored in the Microsoft Azure West Europe region (Netherlands) and is subject to the security measures described in Section 7 and the retention configuration set by the Controller.
3.4 Special Categories of Data
If your deployment involves processing special categories of data (e.g., biometric data), additional safeguards must be agreed upon in writing before processing begins.
4. Processor Obligations
LeoPulse shall:
- Process personal data only on your documented instructions, unless required to do so by applicable EU or Member State law, in which case LeoPulse shall inform you of that legal requirement before processing (unless prohibited from doing so)
- Ensure that personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement and maintain appropriate technical and organizational security measures as described in Section 7
- Assist you, by appropriate technical and organizational measures, in fulfilling your obligation to respond to data subject requests (see Section 9)
- Assist you in ensuring compliance with your obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to LeoPulse
- At your choice, delete or return all personal data upon termination of services, and delete existing copies unless applicable law requires storage (see Section 10)
- Make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections (see Section 11)
- Immediately inform you if, in LeoPulse's opinion, an instruction from you infringes the GDPR or other applicable data protection provisions
5. Sub-processors
5.1 General Authorization
You hereby grant LeoPulse general written authorization to engage sub-processors for the processing of personal data. LeoPulse shall ensure that all sub-processors are bound by data protection obligations equivalent to those set out in this DPA.
5.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Cloud infrastructure, storage, container registry, and email delivery | West Europe (Netherlands) |
| Cloudflare, Inc. | Content delivery, security, tunneling | Global (EU data centers available) |
5.3 Changes to Sub-processors
LeoPulse shall notify you of any intended addition or replacement of sub-processors with at least thirty (30) days' prior notice. You may object to the change on reasonable data protection grounds within fifteen (15) days of receiving notice. If LeoPulse cannot reasonably accommodate the objection, you may terminate the affected portion of the service agreement without penalty.
5.4 Resellers Are Not Sub-processors
For the avoidance of doubt, authorized resellers are not sub-processors of LeoPulse. Resellers do not process personal data on behalf of LeoPulse or on behalf of you. The reseller's role is limited to commercial distribution of the Service.
6. International Data Transfers
6.1 Data Location
Personal data is primarily processed and stored within the European Economic Area (EEA), specifically in the Microsoft Azure West Europe region (Netherlands).
6.2 Transfer Safeguards
If personal data is transferred outside the EEA, LeoPulse shall ensure that appropriate safeguards are in place in accordance with Chapter V GDPR, including:
- EU Standard Contractual Clauses (2021 SCCs), using Module Two (Controller to Processor) as applicable
- Adequacy decisions by the European Commission under Article 45 GDPR
- Binding Corporate Rules where applicable
6.3 Transfer Impact Assessment
Where reliance is placed on the 2021 SCCs, LeoPulse shall conduct and document a transfer impact assessment for the relevant transfer, taking into account the legal framework of the destination country and any supplementary measures implemented to ensure an essentially equivalent level of protection for the transferred data.
7. Security Measures
We implement technical and organizational measures including but not limited to:
- Encryption of data in transit (TLS) and at rest
- End-to-end encrypted VPN tunnels between edge devices and cloud infrastructure
- Access controls and role-based authentication
- Multi-tenant data isolation at application and storage levels
- Network security and firewalls
- Regular security assessments and monitoring
- Incident response procedures
8. Data Breach Notification
8.1 Notification to You
In the event of a personal data breach affecting your data, LeoPulse shall notify you directly without undue delay, and in any case within forty-eight (48) hours after becoming aware of the breach. LeoPulse will use the contact details you have provided in the platform (data protection contact or account administrator).
"Becoming aware" means the moment LeoPulse has a reasonable degree of certainty that a security incident has resulted in a compromise of personal data. Initial suspicion of an incident does not trigger the notification obligation; a confirmed breach does.
8.2 Content of Notification
The breach notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected
- The name and contact details of LeoPulse's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects
8.3 Direct Communication
LeoPulse communicates breach notifications directly to you as the Controller. If you were provisioned through a reseller, LeoPulse will still notify you directly — resellers are not in the notification chain for breaches affecting your personal data. A reseller may receive a courtesy notification that a breach has occurred, without disclosure of your data or breach details.
9. Data Subject Rights
LeoPulse shall assist you, by appropriate technical and organizational measures, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
If LeoPulse receives a data subject request directly, it shall promptly forward the request to you and shall not respond to the data subject without your instructions, unless required to do so by applicable law.
Resellers have no role in handling data subject requests relating to your data. If a reseller receives such a request, the reseller is obligated to forward it to LeoPulse, who will in turn coordinate with you. You should direct data subjects to contact you or LeoPulse directly.
10. Retention and Deletion
10.1 Upon Termination
Upon termination of our service agreement, LeoPulse shall, at your choice, delete or return all personal data within thirty (30) days, and delete any remaining copies unless retention is required by applicable EU or Member State law.
10.2 Independence from Reseller Agreements
If you were provisioned through a reseller and the reseller's agreement with LeoPulse is terminated, your data and service continuity are not affected. You will transition to a direct contractual relationship with LeoPulse or to another authorized reseller. Your personal data retention and deletion rights under this DPA remain fully in effect regardless of the status of any reseller relationship.
11. Audit Rights
You have the right to audit LeoPulse's compliance with this DPA. Audits shall be conducted subject to the following conditions:
- At least thirty (30) days' prior written notice to LeoPulse
- During normal business hours and without unreasonable disruption to the Service
- You shall bear your own costs. If the audit requires significant LeoPulse personnel time, the parties shall agree on a fair cost allocation in advance
- LeoPulse may satisfy audit requests by providing relevant third-party audit reports, certifications (such as SOC 2 or ISO 27001, when available), or other documentation that reasonably demonstrates compliance
- All information obtained during an audit shall be treated as confidential
12. Limitation of Liability
The total aggregate liability of the Processor under or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, shall be limited to the total fees paid by the Controller to the Processor (whether directly or via a reseller) in the twelve (12) months immediately preceding the event giving rise to the claim. This limitation applies to direct damages only.
In no event shall either party be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, data, or business opportunity.
The limitations set out in this section shall not apply to liability arising from willful misconduct or gross negligence, or to liability that cannot be limited or excluded under applicable law.
13. Indemnification
The Processor shall indemnify and hold harmless the Controller against any claims, damages, or losses arising directly from the Processor's breach of its obligations under this DPA or applicable data protection laws, subject to the limitation of liability set out in Section 12.
The Controller shall indemnify and hold harmless the Processor against any claims, damages, or losses arising from (a) processing instructions provided by the Controller that are unlawful or not in compliance with applicable data protection laws, or (b) personal data collected or provided by the Controller without a valid legal basis.
14. Term and Termination
This DPA enters into force upon your acceptance (see Section 1.1) and remains in effect for the duration of your use of the Service. Upon termination, the obligations in Section 10 (Retention and Deletion), Section 11 (Audit Rights, for twelve months after termination), and Section 15 (Confidentiality) shall survive.
15. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of laws principles.
In the event of any dispute arising out of or in connection with this DPA, the parties shall first seek to resolve the matter amicably through good faith negotiation within thirty (30) days of written notice of the dispute. If the dispute cannot be resolved through negotiation, it shall be submitted to the competent court in The Hague, the Netherlands.
16. Version Control
This DPA is published as a dated version. LeoPulse may update this DPA to reflect changes in applicable data protection laws, supervisory authority guidance, or operational practices. Material changes will be communicated to you with at least thirty (30) days' prior notice via the contact details on file in the platform.
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | March 20, 2026 | Initial publication |
| 2.0 | April 7, 2026 | Reframed as End Customer DPA; added reseller channel acknowledgment, acceptance mechanism, direct breach notification, explicit controller/processor roles, sub-processor objection right, 2021 SCCs reference, transfer impact assessment, data location commitment, version control, DSAR handling |
17. Contact and Related Documents
For questions about this DPA or data protection matters, please contact our Data Protection contact at [email protected].
Related documents:
- Reseller Data Processing Agreement — governs the relationship between LeoPulse and authorized resellers
- Privacy Policy
- Terms of Service