Supplier–Customer Master Service & Data Processing Agreement
(replace bracketed text before signing)
1. Parties
- Supplier: Co‑Dex.eu bv, a Belgian company with registered office at Albert 1‑laan 23, 8920 Langemark‑Poelkapelle, Belgium
- Customer: [Customer Name], with registered office at [Customer Address]
Supplier and Customer are together referred to as “the Parties.”
2. Effective Date & Duration
This Agreement takes effect on [Effective Date] and remains in force until terminated under clause 16.
PART A – Service Terms
3. Services Provided
a. Supplier will provide the NoCode‑X platform and any additional professional services described in Exhibit A (together, “the Services”).
b. Services must be delivered in line with the current Service Level Agreement (SLA).
c. Supplier will not use Customer data for any purpose other than:
- performing the Services (including operation, security, troubleshooting and DevOps support for Customer’s environments and applications built with NoCode‑X); and
- fulfilling Supplier’s own legal obligations as further set out in this Agreement and Supplier’s privacy notice.
d. The Parties acknowledge that, as part of providing the Services, Supplier may process information, including personal data, from Customer’s data subjects (for example, end users of applications, workflows and websites built or operated using NoCode‑X), to:
- operate and secure the platform,
- provide support and DevOps services for Customer (including LLM‑assisted support where enabled), and
- maintain reliability and incident response,
and for no other purposes, unless otherwise agreed in documented instructions from Customer or required by applicable law.
e. For the purposes of this Agreement, references to “applications built or operated with NoCode‑X” include any customer‑facing websites, portals or front‑end experiences that Customer builds, hosts or serves using the NoCode‑X platform.
4. Fees & Payment
Payment terms are defined in Exhibit B. Unless otherwise agreed in writing, invoices are payable within 30 days of the invoice date.
5. Intellectual Property
Each Party retains all intellectual‑property rights in items it owned before this Agreement or creates independently of it. No rights are transferred except those expressly granted herein.
PART B – Data Processing Agreement (DPA)
6. Roles under Data‑Protection Law
a. Customer as Controller. For personal data processed through the NoCode‑X platform that relate to Customer’s business purposes (including data processed via applications, workflows or websites built or operated using NoCode‑X), Customer is the Controller and Supplier acts as Processor.
b. Supplier as Controller. For personal data Supplier must process to run, secure or bill for the Services (e.g. account, log and audit data, billing and AML data), Supplier is a Controller.
c. Each Party is solely responsible for compliance when acting as Controller.
7. Supplier’s Processor Obligations
When acting as Processor, Supplier shall:
- Instructions & purpose limitation
- Supplier shall process Customer personal data, including personal data relating to Customer’s data subjects (such as end users of applications, workflows and websites built or operated with NoCode‑X), only on documented instructions from Customer and solely for the following purposes:
- providing, operating and securing the Services;
- support, diagnostics and DevOps activities for Customer (including analysis of application usage and user‑flows, and LLM‑assisted support as described below);
- maintaining reliability, performance and incident management;
- generating aggregated and irreversibly anonymised statistics for internal analytics and service improvement, provided such data can no longer reasonably be used to identify Customer or any individual; and
- fulfilling Supplier’s legal obligations.
- Supplier shall not process Customer personal data for its own independent purposes (such as Supplier’s own marketing or unrelated profiling), shall not sell Customer personal data, and shall not use Customer personal data to train or improve third‑party models, except where Customer has given a separate, explicit documented instruction to do so.
- Confidentiality
- Ensure staff and other persons authorised to process Customer personal data are bound by confidentiality obligations.
- Security
- Implement the technical and organisational security measures in clause 11 (and any agreed annexes), taking into account the state of the art, costs, nature, scope, context and purposes of processing.
- Assistance to Customer
- Assist Customer, taking into account the nature of processing, to:
- respond to data‑subject requests under GDPR;
- carry out data‑protection impact assessments (DPIAs) and consultations with supervisory authorities, where required;
- meet security‑, transparency‑ or breach‑related obligations.
- Personal‑data breach notification
- Notify Customer without undue delay (and always within 48 hours) after becoming aware of a personal‑data breach affecting Customer personal data, and share available information to support assessment and mitigation.
- Return and deletion
- Delete or return all Customer personal data after termination as described in clause 13, unless retention is required by applicable law (in which case Supplier will continue to protect the data and process only for that legal requirement).
- Information, documentation & audits
- Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections in accordance with clause 12.
- Sub‑processors
- Engage Sub‑processors only under a written contract imposing obligations that are no less protective than those set out in this DPA, and, where required, with Customer’s general prior authorisation.
- Supplier shall remain fully liable to Customer for the performance of any Sub‑processor.
- Current Sub‑processors are listed in Exhibit C, which Supplier may update from time to time with notice to Customer.
- LLM‑assisted support with external providers
- Where Supplier uses an external large language model (“LLM”) provider to assist with support, diagnostics or DevOps for Customer’s environments, Supplier shall ensure that:
- such LLM provider is engaged as a Sub‑processor under a written agreement that imposes data‑protection and confidentiality obligations consistent with this DPA, including obligations under the GDPR regarding security, international transfers and sub‑processing;
- the LLM provider is contractually prohibited from re‑using Customer personal data (including prompts, outputs and logs) for its own purposes (including training or improving its foundation models), other than to provide the contracted LLM services to Supplier for the benefit of Customer;
- Supplier limits the personal data transmitted to the LLM provider to what is strictly necessary for the relevant support/DevOps purpose and implements appropriate technical and organisational measures (such as redaction of secrets and minimisation of content data where feasible); and
- Supplier implements and maintains controls and resilience measures so that the use of LLM‑assisted support does not reduce the overall level of protection or availability required under this Agreement.
- Supplier shall, upon reasonable request, provide Customer with a description of the categories of data, safeguards and locations relevant to such LLM‑assisted support.
8. International Data Transfers
a. Where personal data is transferred outside the European Economic Area, the Parties will ensure that such transfers comply with Chapter V GDPR, including, where applicable, by:
- relying on an adequacy decision of the European Commission, or
- entering into and applying EU Standard Contractual Clauses or another lawful transfer tool, with appropriate supplementary measures where required.
b. Where personal data is transferred to the United States, the Parties will ensure the recipient either:
- holds a valid EU–US Data Privacy Framework certification (or successor mechanism), or
- is bound by EU Standard Contractual Clauses with any additional safeguards required by law.
c. Each Party is responsible for documenting and maintaining its chosen transfer mechanism.
9. Confidentiality
All non‑public information exchanged is Confidential Information. The receiving Party shall:
- use it only to perform this Agreement;
- protect it with at least the same care it uses for its own confidential information (never less than reasonable care);
- disclose it only to personnel or advisers who need to know and are bound by confidentiality.
The obligation lasts three (3) years after termination, except for personal data, which must always be protected in accordance with applicable data‑protection law.
10. Requests from Authorities or Data Subjects
If Supplier (acting as Processor) receives a request, order or inquiry about Customer personal data from any authority, law‑enforcement body, or data subject, Supplier shall, unless legally prohibited:
- promptly notify and redirect the request to Customer; and
- refrain from responding directly on Customer’s behalf, except where Customer explicitly instructs Supplier to do so or where Supplier is legally required to respond (in which case Supplier will, where permitted, limit the response to what is strictly necessary and inform Customer without undue delay).
11. Security, Cyber‑Resilience & Availability
a. Security measures
- Supplier will maintain industry‑standard ISO 27001‑grade controls, including (without limitation):
- encryption in transit and at rest where appropriate;
- strong authentication and role‑based access control;
- network and application security measures;
- vulnerability management and regular security patching;
- logging, monitoring and incident‑response processes;
- business‑continuity and disaster‑recovery plans.
b. Service Availability
- Supplier shall meet the uptime targets in the SLA and restore the platform within the stated Recovery Time Objective (RTO).
c. Data Availability & Back‑ups
- Customer, as Controller, is responsible for maintaining functional back‑ups of the data it controls in line with its own risk appetite and regulatory duties.
- Supplier will provide documented APIs and scheduling options enabling Customer to extract or replicate data and achieve its chosen Recovery Point Objective (RPO).
12. Audit & Verification
Supplier will, on reasonable notice and up to once per contract year, provide:
- its third‑party security/compliance reports (e.g. ISO 27001 certificate, SOC 2, if available); and
- answers to reasonable security or privacy questionnaires.
If these prove insufficient for Customer to satisfy its regulatory duties, Customer may conduct an on‑site or remote audit (itself or via an independent auditor) provided it causes minimal disruption to Supplier’s operations and respects the confidentiality and security of other customers. Audits are at Customer’s cost unless they reveal a material breach of this Agreement by Supplier.
13. Return & Deletion of Data
On termination or expiry of the Agreement (or upon earlier request, where practicable):
- Supplier will provide Customer with a self‑service export capability or, upon reasonable request, a one‑off export of Customer personal data in a commonly used, machine‑readable format.
- Supplier will perform soft deletion of Customer personal data from active systems immediately after export or after the end of the applicable grace period defined in the service documentation.
- Supplier will perform secure hard deletion of remaining Customer personal data from production systems within 93 days, unless a longer retention period is required by applicable law (in which case Supplier will restrict processing to the legal purpose and maintain security).
- Supplier shall, upon written request from Customer, provide a written confirmation that deletion has been completed in accordance with this clause.
PART C – General Legal Terms
14. Mutual Cooperation & Good‑Faith Clause
The Parties undertake to co‑operate in good faith, exercise due professional care and use all reasonable efforts to protect each other’s legitimate interests and achieve the objectives of this Agreement.
15. Liability & Indemnification
a. Each Party is liable for direct damages caused by its breach of this Agreement, up to a cap of the total fees paid or payable by Customer during the 12‑month period preceding the event giving rise to the claim.
b. Neither Party is liable for indirect or consequential damages (including loss of profits, loss of business, loss of data or loss of goodwill), except where such limitation is prohibited by applicable law.
c. Nothing in this Agreement limits or excludes liability for death or personal injury caused by negligence, wilful misconduct, fraud, or any other liability that cannot legally be limited or excluded.
d. Each Party shall indemnify and hold harmless the other Party against third‑party claims (including from data subjects or supervisory authorities) to the extent arising from its own breach of data‑protection obligations under this Agreement or applicable law.
16. Termination
a. Either Party may terminate this Agreement for convenience by giving 30 days’ written notice, effective on the first day of the following month, unless a different period is agreed in an Order Form.
b. Either Party may terminate this Agreement immediately by written notice if the other Party materially breaches this Agreement and fails to cure the breach within 30 days after receipt of written notice describing the breach.
c. Clauses intended to survive termination (including, without limitation, Confidentiality, Liability, Data Protection, Return & Deletion, and Governing Law) remain in force after termination.
17. Governing Law & Jurisdiction
This Agreement is governed by Belgian law. The courts of Brussels, Belgium have exclusive jurisdiction to settle any dispute arising out of or in connection with this Agreement, without prejudice to mandatory rights of data subjects or supervisory authorities under GDPR. Either Party may, however, seek injunctive or equitable relief in any competent court.
18. Entire Agreement & Amendments
This document, together with its Exhibits and any Order Forms referencing it, constitutes the Parties’ entire agreement on its subject matter and supersedes all prior understandings, proposals or communications, whether written or oral. Changes must be in writing and signed (physically or electronically) by both Parties.
Signatures
| For Supplier | For Customer |
|---|---|
| Name: Wim Barthier | Name: _________________________ |
| Title: Chief Executive Officer | Title: _________________________ |
| Date: ___ / ___ / ______ | Date: ___ / ___ / ______ |
| Signature: ____________________ | Signature: ____________________ |
Exhibits (incorporated by reference)
Exhibit A – Description of Services
The scope, features and operational parameters of the NoCode‑X platform and all associated professional services are described in the Supplier’s public documentation:
Description of services and context
This includes, for clarity, the processing of usage and telemetry data (including personal data of Customer’s data subjects) generated by applications, workflows and websites built or operated on NoCode‑X, to the extent necessary to provide, secure, support and improve the reliability of the Services in accordance with this Agreement.
Exhibit B – Payment Terms & Licensing
All pricing models, billing cycles, licence metrics and related commercial terms are detailed at:
Payment Terms & Licensing
Exhibit C – Approved Sub‑Processors / Supply Chain
Supplier’s current list of authorised Sub‑processors, including their locations and processing roles, is available at:
Approved Sub‑Processors enabling the managed supply chain
Supplier may update Exhibit C from time to time, provided it gives Customer advance notice in accordance with its standard change‑notification process. Where required by law, Customer may object to a new Sub‑processor on reasonable grounds relating to data protection.
End of Agreement