Reseller Data Processing Agreement

1. Definitions

In this Data Processing Agreement ("Reseller DPA"), the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Reseller Master Service Agreement ("Reseller MSA") or in the General Data Protection Regulation (EU) 2016/679 ("GDPR").

"End Customer"

The entity that uses the ELIAN Service via the Reseller and acts as the Controller of Operational Data processed through the Service.

"End Customer DPA"

The data processing agreement between LeoPulse and each End Customer, available at eliandata.com/dpa, governing the processing of Operational Data.

"Reseller Personal Data"

The narrow category of personal data for which the Reseller is the Controller under this Reseller DPA, specifically: Reseller staff account data, Reseller administrator contact details, and support correspondence submitted by Reseller personnel.

"Operational Data"

Personal data processed through the Service in End Customer deployments, including but not limited to video and image data, IoT telemetry, AI detection events, and user account data created by End Customers. Operational Data is governed exclusively by the End Customer DPA.

"Provisioning"

The act of granting an End Customer access to the ELIAN Service, including the creation of tenant environments and user accounts.

"Service"

The ELIAN platform, including all cloud infrastructure, edge software, and related services provided by LeoPulse.

2. Parties and Roles

This Reseller DPA is entered into between:

• LeoPulse B.V., a company incorporated under the laws of the Netherlands, KvK 97814997 ("LeoPulse", "Processor", "we", "us"); and
• The Reseller identified in the Reseller MSA ("Reseller", "you").

2.1 Three-Party Data Relationship

The ELIAN reseller model involves three distinct parties with different data protection roles:

2.2 Reseller as Controller

The Reseller is the Controller exclusively for Reseller Personal Data as defined in Section 1. For this narrow scope, this Reseller DPA constitutes the Article 28 GDPR agreement between the Reseller (Controller) and LeoPulse (Processor).

2.3 Reseller Has No Role in End Customer Data

The Reseller is not the Controller, Processor, or Sub-processor of any Operational Data processed through the Service on behalf of End Customers. The Reseller does not access, receive, store, or process Operational Data at any point. All processing of Operational Data is governed exclusively by the End Customer DPA between LeoPulse and each End Customer.

2.4 End Customer DPA Requirement

This Reseller DPA does not, by itself, satisfy the Article 28 GDPR requirement between End Customers and LeoPulse. That requirement is satisfied by the End Customer DPA, which the Reseller is obligated to ensure is accepted by each End Customer before Provisioning (see Section 4).

3. Scope and Purpose

3.1 Scope of This Reseller DPA

This Reseller DPA applies only to personal data processed in the context of the Reseller's own use of the Service, specifically for the following purposes:

• Administration of the Reseller's partner account
• Demonstration and training activities conducted by Reseller staff
• Billing and commercial correspondence between the Reseller and LeoPulse
• Support tickets submitted by Reseller personnel

3.2 Categories of Personal Data Covered

The following categories of personal data fall within the scope of this Reseller DPA:

• Reseller staff account data: Name, email address, hashed password, language preference, login history, and role assignments of Reseller personnel
• Reseller administrator contacts: Name, email address, phone number, and job title of designated Reseller contacts
• Support correspondence: Content of support tickets submitted by Reseller personnel, including any personal data contained therein

3.3 Exclusions

The following categories of data are expressly excluded from the scope of this Reseller DPA and are governed by the End Customer DPA:

• Video and image data from End Customer deployments
• IoT telemetry data from End Customer sensors and devices
• AI detection events generated in End Customer environments
• End Customer user account data
• Any other Operational Data processed through the Service on behalf of End Customers

4. Reseller Obligations

The Reseller shall comply with the following obligations, which are essential to maintaining the integrity of the data protection chain between LeoPulse and End Customers.

4.1 End Customer DPA Acceptance

• The Reseller must ensure that each End Customer accepts the End Customer DPA before being Provisioned with access to the Service.
• Acceptance may be achieved through either: (a) the clickwrap mechanism provided during the Service onboarding flow, or (b) a pass-through clause in the Reseller's commercial agreement with the End Customer that incorporates the End Customer DPA by reference and obligates the End Customer to comply with its terms.
• The Reseller must maintain records of End Customer DPA acceptance and provide them to LeoPulse on reasonable request.
• The Reseller must not modify, abridge, or contractually override any terms of the End Customer DPA in its dealings with End Customers.

4.2 Data Subject Requests and Regulatory Inquiries

• The Reseller must promptly forward to LeoPulse (within five (5) business days of receipt) any data subject requests or regulatory inquiries it receives that concern End Customer Operational Data.
• The Reseller has no standing to respond to data subject requests on behalf of End Customers and must not do so.

4.3 End Customer Lifecycle Management

• The Reseller must promptly notify LeoPulse of any End Customer that is no longer authorized to use the Service, so that deprovisioning can be performed in a timely manner.
• The Reseller must not represent to End Customers that LeoPulse provides any data protection guarantees beyond those set out in the End Customer DPA.

4.4 Reseller Liability for End Customer Compliance

The Reseller is liable for End Customer breaches of the End Customer DPA to the extent that such breaches are caused by the Reseller's failure to: (a) ensure End Customer DPA acceptance before Provisioning, (b) properly inform End Customers of their data protection obligations, or (c) comply with any other obligation set out in this Section 4. The Reseller shall indemnify LeoPulse against claims arising from such failures.

5. LeoPulse Obligations as Processor

With respect to Reseller Personal Data, LeoPulse shall:

• Process Reseller Personal Data only on documented instructions from the Reseller, unless required to do so by applicable EU or Member State law, in which case LeoPulse shall inform the Reseller of that legal requirement before processing (unless prohibited from doing so)
• Ensure that personnel authorized to process Reseller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement and maintain appropriate technical and organizational security measures as described in Section 8
• Assist the Reseller, by appropriate technical and organizational measures, in fulfilling the Reseller's obligation to respond to data subject requests relating to Reseller Personal Data
• Assist the Reseller in ensuring compliance with its obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to LeoPulse
• At the Reseller's choice, delete or return all Reseller Personal Data upon termination of the Reseller MSA, and delete existing copies unless applicable law requires storage
• Make available to the Reseller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, as set out in Section 10
• Immediately inform the Reseller if, in LeoPulse's opinion, an instruction from the Reseller infringes the GDPR or other applicable data protection provisions

6. Sub-processors

6.1 Authorized Sub-processors

The Reseller hereby grants LeoPulse general written authorization to engage sub-processors for the processing of Reseller Personal Data. The current list of sub-processors is:

6.2 Changes to Sub-processors

LeoPulse shall notify the Reseller of any intended addition or replacement of sub-processors with at least thirty (30) days' prior written notice. The Reseller may object to the change on reasonable data protection grounds within fifteen (15) days of receiving notice. If LeoPulse cannot reasonably accommodate the objection, the Reseller may terminate the affected portion of the Reseller MSA without penalty.

6.3 Sub-processor Changes for End Customer Data

Changes to sub-processors that affect End Customer Operational Data are governed by the notification mechanism in the End Customer DPA, not this Reseller DPA.

6.4 Reseller Is Not a Sub-processor

For the avoidance of doubt, the Reseller is not a sub-processor of LeoPulse. The Reseller does not process End Customer Operational Data on behalf of LeoPulse or on behalf of End Customers.

7. International Data Transfers

This section applies to transfers of Reseller Personal Data only. International transfers of End Customer Operational Data are governed by the End Customer DPA.

7.1 Data Location

Reseller Personal Data is primarily processed and stored within the European Economic Area (EEA), specifically in the Microsoft Azure West Europe region (Netherlands).

7.2 Transfer Safeguards

If Reseller Personal Data is transferred outside the EEA, LeoPulse shall ensure that appropriate safeguards are in place in accordance with Chapter V GDPR, including:

• EU Standard Contractual Clauses (2021 SCCs), using Module Two (Controller to Processor) as applicable
• Adequacy decisions by the European Commission under Article 45 GDPR
• Binding Corporate Rules where applicable

7.3 Transfer Impact Assessment

Where reliance is placed on the 2021 SCCs, LeoPulse shall conduct and document a transfer impact assessment for the relevant transfer, taking into account the legal framework of the destination country and any supplementary measures implemented to ensure an essentially equivalent level of protection for the transferred data.

8. Security Measures

LeoPulse implements platform-wide technical and organizational measures to protect all personal data processed through the Service, including Reseller Personal Data. These measures include but are not limited to:

• Encryption of data in transit (TLS) and at rest
• End-to-end encrypted VPN tunnels between edge devices and cloud infrastructure
• Access controls and role-based authentication
• Multi-tenant data isolation at application and storage levels
• Network security and firewalls
• Regular security assessments and monitoring
• Incident response procedures

The security measures described herein apply uniformly across the ELIAN platform and are the same measures referenced in the End Customer DPA.

9. Data Breach Notification

9.1 Breaches Affecting Reseller Personal Data

In the event of a personal data breach affecting Reseller Personal Data, LeoPulse shall notify the Reseller without undue delay, and in any case within forty-eight (48) hours after becoming aware of the breach. "Becoming aware" means the moment LeoPulse has a reasonable degree of certainty that a security incident has affected personal data (confirmed breach, not initial suspicion).

The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of data subjects affected
• The name and contact details of LeoPulse's data protection contact
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects

9.2 Breaches Affecting End Customer Operational Data

For breaches affecting End Customer Operational Data, LeoPulse shall notify the affected End Customers directly, using the contact details on file in the platform, in accordance with the notification procedures set out in the End Customer DPA. LeoPulse shall provide the Reseller with a courtesy notification that a breach affecting one or more of the Reseller's End Customers has occurred, without disclosing Operational Data or breach details that the Reseller has no standing to receive.

9.3 Reseller Obligations in Breach Response

• The Reseller shall cooperate with LeoPulse on breach response if reasonably requested, including facilitating End Customer contact verification.
• The Reseller shall not communicate breach information to End Customers ahead of or independently from LeoPulse's official notification, to avoid contradictory or incomplete messaging.

10. Audit Rights

10.1 Scope

The Reseller has the right to audit LeoPulse's compliance with its obligations under this Reseller DPA with respect to the processing of Reseller Personal Data only. Audit rights relating to End Customer Operational Data are governed by the End Customer DPA.

10.2 Audit Procedures

• Audits shall be conducted with at least thirty (30) days' prior written notice.
• Audits shall take place during normal business hours and shall not unreasonably disrupt the Service.
• The Reseller shall bear its own costs of the audit. If the audit requires significant LeoPulse personnel time beyond what is reasonably necessary, the parties shall agree on a fair allocation of costs in advance.
• LeoPulse may satisfy audit requests by providing relevant third-party audit reports, certifications (such as SOC 2 or ISO 27001, when available), or other documentation that reasonably demonstrates compliance.

10.3 Confidentiality

All information obtained during an audit shall be treated as confidential and shall only be used for the purpose of verifying compliance with this Reseller DPA.

11. Data Subject Rights

11.1 Reseller Staff Data Subject Requests

LeoPulse shall assist the Reseller, by appropriate technical and organizational measures, in responding to data subject requests from Reseller staff whose personal data is processed as Reseller Personal Data under this Reseller DPA.

11.2 End Customer Data Subject Requests

The Reseller has no standing to receive or respond to data subject requests relating to End Customer Operational Data. If the Reseller receives such a request:

• The Reseller must forward the request to LeoPulse within five (5) business days of receipt.
• The Reseller must not respond to the data subject on behalf of the End Customer.
• LeoPulse will handle the request in accordance with the procedures set out in the End Customer DPA.

12. Retention and Deletion

12.1 Reseller Personal Data

Upon termination of the Reseller MSA, LeoPulse shall, at the Reseller's choice, delete or return all Reseller Personal Data within thirty (30) days, and delete any remaining copies unless retention is required by applicable EU or Member State law.

12.2 End Customer Operational Data

Termination of the Reseller MSA does not affect End Customer Operational Data. End Customer data retention and deletion are governed exclusively by the End Customer DPA and the End Customer's own contractual relationship with LeoPulse.

12.3 End Customer Continuity on Reseller Termination

If the Reseller MSA is terminated for any reason:

• End Customers shall, by default, transition to a direct contractual relationship with LeoPulse for continued use of the Service, including billing and support.
• As an alternative, End Customers may elect to be migrated to another authorized ELIAN reseller, subject to availability and agreement of the receiving reseller.
• In no event shall End Customer access to the Service be terminated solely as a consequence of the termination of the Reseller MSA. End Customer data and service continuity are protected regardless of the status of the Reseller relationship.

The mechanics of End Customer transition are further defined in the Reseller MSA. This Section 12.3 governs the data protection implications of such transitions.

13. Limitation of Liability

13.1 Liability Cap

The total aggregate liability of LeoPulse under or in connection with this Reseller DPA, whether in contract, tort (including negligence), or otherwise, shall be limited to the total fees paid by the Reseller to LeoPulse in the twelve (12) months immediately preceding the event giving rise to the claim. This limitation applies to direct damages only.

13.2 Exclusion of Indirect Damages

In no event shall either party be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, data, or business opportunity.

13.3 Reseller Indemnification

The Reseller shall indemnify and hold harmless LeoPulse against any claims, damages, fines, or losses arising from:

• The Reseller's failure to ensure End Customer DPA acceptance before Provisioning
• The Reseller's failure to forward data subject requests or regulatory inquiries as required by this Reseller DPA
• Misrepresentations by the Reseller to End Customers regarding LeoPulse's data protection obligations
• The Reseller's modification or overriding of End Customer DPA terms

13.4 Carve-outs

The limitations set out in this section shall not apply to liability arising from willful misconduct or gross negligence, or to liability that cannot be limited or excluded under applicable law.

13.5 Separation of Liability

Liability under the End Customer DPA is separate from and independent of liability under this Reseller DPA. Claims by End Customers are governed by the End Customer DPA.

14. Term, Termination, and Survival

14.1 Term

This Reseller DPA enters into force on the effective date of the Reseller MSA and remains in effect for the duration of the Reseller MSA, including any renewal periods.

14.2 Survival

The following obligations shall survive termination of this Reseller DPA and the Reseller MSA:

• Confidentiality obligations (indefinitely)
• Data retention and deletion obligations (Section 12) until fully performed
• Audit cooperation (Section 10) for a period of twelve (12) months after termination
• Indemnification obligations (Section 13.3) for claims arising from events during the term

14.3 End Customer Notification

In the event of termination of the Reseller MSA, LeoPulse shall notify affected End Customers of the transition arrangements set out in Section 12.3 within thirty (30) days of the effective date of termination. The Reseller shall cooperate with LeoPulse in facilitating a smooth transition.

15. Governing Law and Dispute Resolution

15.1 Governing Law

This Reseller DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of laws principles.

15.2 Dispute Resolution

In the event of any dispute arising out of or in connection with this Reseller DPA, the parties shall first seek to resolve the matter amicably through good faith negotiation within thirty (30) days of written notice of the dispute. If the dispute cannot be resolved through negotiation, it shall be submitted to the competent court in The Hague, the Netherlands.

15.3 End Customer DPA Jurisdiction

The governing law and jurisdiction applicable to the End Customer DPA are determined by that agreement and are independent of this Reseller DPA.

16. General Provisions

16.1 Relationship to Reseller MSA

This Reseller DPA forms part of and is supplemental to the Reseller MSA. In the event of a conflict between this Reseller DPA and the Reseller MSA on matters of data protection, this Reseller DPA shall prevail.

16.2 Amendments

LeoPulse may update this Reseller DPA to reflect changes in applicable data protection laws or supervisory authority guidance. Material changes will be notified to the Reseller with at least thirty (30) days' prior written notice. Continued use of the Service after the effective date of changes constitutes acceptance.

16.3 Entire Agreement

This Reseller DPA, together with the Reseller MSA and any annexes referenced herein, constitutes the entire agreement between the parties regarding the processing of Reseller Personal Data. It supersedes all prior agreements, representations, and understandings relating to the subject matter hereof.

17. Contact

For questions about this Reseller DPA or data protection matters, please contact our Data Protection contact at [email protected].

Related documents:

• End Customer Data Processing Agreement
• Privacy Policy
• Terms of Service