
Data Processing Agreement

Version: v1.02 • Last updated: December 31, 2025

Between the Customer (as defined below) and Aristotl

Effective date: date of electronic acceptance by the Customer

Acceptance and binding nature

This DPA forms part of the Agreement. By clicking “I agree to the Privacy Policy, Terms of Service and DPA” (or equivalent), the person accepting declares that he/she is authorized to bind the Customer and the Customer accepts this DPA. The Customer may save and reproduce this DPA.

1. Parties

This Data Processing Agreement (“DPA”) applies between:

  • Customer / Controller: the legal entity using the Services, as identified via the account and/or the order form.
  • Aristotl / Processor: Aristotl, Entrepotkaai 2/802, 2000 Antwerp, enterprise number 1018.326.784.

The Customer and Aristotl are hereinafter collectively referred to as the “Parties”.

2. Purpose of the Agreement

The Parties acknowledge that this DPA is required to set out the terms for the processing of personal data by Aristotl, in its capacity as Processor, in accordance with Article 28 of the General Data Protection Regulation (GDPR) and other applicable privacy legislation. This DPA governs how Aristotl processes personal data on behalf of the Customer and provides safeguards for the protection of such data.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4 of the GDPR.
  • Controller: The party that determines the purposes and means of the processing of personal data (in this case the Customer).
  • Processor: The party that processes personal data on behalf of the Controller (in this case Aristotl).
  • Sub-processor: Another party engaged by Aristotl to perform certain processing activities, as described in Article 28 of the GDPR.
  • Processing Purposes: The purposes for which personal data are processed by the Processor, as specified in this agreement and the related services.
  • Agreement: the contractual relationship between the Customer and Aristotl for the use of the Services, consisting of (i) the Terms of Service, (ii) any order form/quote/subscription, and (iii) the applicable documentation. In case of conflict regarding data protection, this DPA prevails.
  • Services: the Aristotl platform and all related services provided to the Customer.
  • Documented Instructions: written or demonstrably documented instructions from the Customer to Aristotl regarding the processing of Personal Data, including configurations and actions the Customer performs within the Services.
  • Annexes: the annexes to this DPA, including (at least) Annex 1 (Description of the Processing) and Annex 2 (Technical and Organizational Measures).

4. Subject matter of the Processing

Aristotl processes Personal Data on behalf of the Customer for the performance of the Services under the Agreement and solely in accordance with the Customer’s Documented Instructions, as further described in Annex 1.

The processing includes, where relevant:

  • provision, hosting and operation of the platform,
  • security, monitoring and fraud prevention,
  • support and maintenance, and
  • improvements and bug fixing of the Services (insofar as this requires Personal Data and falls within the Customer’s instructions).

5. Types of Personal Data

The categories of Personal Data that Aristotl may process depend on (i) the Services purchased by the Customer and (ii) the Personal Data that the Customer (or its end users) provides or has provided via the Services. This may include, among others:

  • Identifying data: name, email address, telephone number, role, company information of users;
  • Technical data: IP address, login and log data, device and browser information;
  • Usage data: data about the use of the Services (e.g. usage patterns, settings, preferences);
  • Content/data that the Customer uploads or has uploaded via the Services, insofar as it contains Personal Data.

The categories of data subjects and the nature/purposes of the processing are further described in Annex 1.

Aristotl processes Personal Data solely on the basis of the Customer’s Documented Instructions, unless Aristotl is required to act otherwise under EU or Belgian law; in that case, Aristotl will inform the Customer prior to the processing, unless that law prohibits doing so for important reasons of public interest.

As Controller, the Customer is responsible for:

  • the legal basis/bases for the processing,
  • informing data subjects (transparency),
  • ensuring the accuracy, relevance and minimization of the Personal Data, and
  • the lawfulness of the instructions it gives to Aristotl.

If Aristotl considers that an instruction from the Customer infringes the GDPR or other applicable privacy legislation, Aristotl shall inform the Customer thereof without undue delay.

7. Duration of the Processing

The processing of personal data will take place during the term of the agreement and for the duration of the related services, or for as long as the Controller needs the personal data for the purposes of the processing. After termination of the services, the Processor will destroy or return the personal data at the request of the Controller or on its own initiative, unless otherwise required by law.

8. Responsibilities of the Processor

The Processor shall:

  • Process Personal Data solely on the basis of written instructions from the Controller (unless another obligation is legally required).
  • Ensure the implementation of appropriate technical and organizational measures to safeguard the security of the personal data, as required by Article 32 of the GDPR.
  • Ensure the confidentiality of personal data by employees and subcontractors who have access to such data.
  • Assist in the exercise of the data subject’s rights (such as the right of access, rectification, erasure and portability) and in complying with the Controller’s obligations upon request.

9. Sub-processors

The Customer grants Aristotl a general written authorization to engage sub-processors for the processing of Personal Data, insofar as this is necessary for the delivery of the Services. Aristotl makes an up-to-date list of sub-processors available (the “Sub-processor List”) via its website or customer portal. Aristotl will inform the Customer in advance of any intended change regarding the addition or replacement of sub-processors. The Customer has the right to raise a reasoned objection to a new sub-processor within thirty (30) days after notification. In that case, the Parties will consult in good faith to (i) provide a reasonable alternative or (ii) if no alternative is possible, allow the Customer to terminate the relevant Service with a pro rata refund of prepaid, unused fees for that Service (where applicable). Aristotl enters into a written agreement with each sub-processor that imposes at least the same data protection obligations as this DPA, in particular with respect to confidentiality, security and assistance.

10. Security of Personal Data

Aristotl implements appropriate technical and organizational measures (“TOMs”) to secure Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as required under Article 32 GDPR. The TOMs applied by Aristotl are described in Annex 2. Aristotl may update these TOMs to improve security, provided that the level of protection is not materially reduced.

11. Personal Data Breach notifications

The Processor will inform the Controller without undue delay of any security breach that leads to loss or unlawful processing of personal data (“personal data breach”). The notification will take place without unreasonable delay and will provide the Controller with the necessary information to comply with the GDPR notification requirements.

12. Rights of the Data Subjects

The Processor shall assist the Controller in complying with its obligations regarding the rights of data subjects, including:

  • The right of access to personal data.
  • The right to rectify or erase personal data.
  • The right to object to the processing.
  • The right to restriction of processing.

13. Audit and Control

Upon written request from the Customer, Aristotl will make reasonable information available that is necessary to demonstrate compliance with this DPA (for example policy documents, summaries of security measures and/or relevant attestations), provided this does not constitute a disproportionate burden and without disclosure of confidential information of Aristotl or third parties. If the Customer wishes to conduct an on-site audit, this is permitted only (i) for a justified reason related to data protection, (ii) at most once per calendar year, (iii) with at least thirty (30) days’ prior written notice, (iv) during normal business hours, (v) in a manner that does not unreasonably disrupt Aristotl’s operations, and (vi) under an appropriate confidentiality agreement. The costs of the audit are borne by the Customer, unless the audit demonstrates a material non-compliance with this DPA by Aristotl.

14. Termination of the Agreement

After termination of the agreement, the Processor will destroy or return all personal data that falls under this DPA to the Controller, unless otherwise required by law. The Processor will confirm to the Controller that the data has been deleted.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of Belgium, and any disputes will be submitted to the competent courts of Antwerp.

16. Final provisions

This DPA constitutes the entire agreement between the Parties with respect to the processing of Personal Data in the context of the Services and replaces all prior arrangements in this regard. Aristotl may amend this DPA from time to time (for example due to changes in legislation, Services or sub-processors), provided that (i) the Customer is informed in advance via the platform, by email or by another reasonable notice and (ii) the Customer can save and reproduce the updated DPA. Unless stated otherwise, an updated DPA takes effect on the date stated in the notice. If the Customer continues to use the Services after that date, this constitutes acceptance. If an amendment materially and adversely changes the Customer’s rights or obligations, the Customer may terminate the Agreement within thirty (30) days after notice.

Electronic acceptance

This DPA is validly accepted electronically. Aristotl retains evidence of acceptance (date/time and identification of the accepting account/user) and will make this available upon request, to the extent reasonable and in accordance with applicable law.

ANNEX 1 – Description of the Processing

Subject: provision of the Aristotl platform and related Services.

Duration: during the term of the Agreement, and thereafter during a limited technical retention/backup period (if applicable), in accordance with Article 14.

Nature of the processing: collecting, storing, consulting, using, transferring (as necessary), securing and deleting Personal Data in the context of the Services and support.

Purposes: (i) providing and maintaining the Services, (ii) account management, (iii) customer support, (iv) security/monitoring and incident prevention, (v) compliance with legal obligations.

Categories of data subjects: users of the Customer (employees/contractors) and, depending on the Customer’s use, end customers/relations of the Customer.

Categories of Personal Data: identification and contact data, technical/log data, usage data and content provided by the Customer via the Services (insofar as it contains Personal Data).

Special categories: the Services are not intended for processing special categories of personal data, unless the Customer expressly initiates this and applies appropriate additional safeguards.

ANNEX 2 – Technical and Organizational Measures (TOMs)

Aristotl applies, among others, the following measures (non-exhaustive):

  • Access control: least privilege, role-based access, strong authentication for administrators where possible;
  • Logging & monitoring: logging relevant system and access events and monitoring for incidents;
  • Encryption: encryption of data transport (in transit) and appropriate protection of secrets/credentials;
  • Backups & recovery: periodic backups and procedures for recovery tests where appropriate;
  • Incident management: procedures for detection, response and notification of security incidents;
  • Security maintenance: patching/vulnerability management and periodic evaluation of measures;
  • Confidentiality: employees/contractors with access are bound by confidentiality obligations.