Beebole Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Beebole Subscription Terms of Service (the “Agreement”) between Beebole s.r.l., Brussels, Belgium (“Beebole”, “we”, “us”) and the customer that accepts the Agreement (“Customer”, “you”, “Controller”). It governs Beebole’s processing of Personal Data on behalf of the Customer in the course of providing the Services.
This DPA is a public document. It applies automatically to every Customer and takes effect on the date the Customer first accepts the Agreement (or continues to use the Services after this DPA’s effective date), with no separate signature required. An optional signature block is provided at the end for Customers who require a countersigned copy; signature is not a condition of this DPA applying.
1. Definitions
Capitalised terms not defined here have the meaning given in the Agreement.
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation), together with any applicable EU Member State or Belgian implementing legislation, and references in this DPA to “applicable data protection law” are to the GDPR and such legislation.
“Controller”, “Processor”, “Personal Data”, “processing”, “data subject”, “special categories of personal data” and “personal data breach” have the meanings given in the GDPR.
“Customer Data” has the meaning given in the Agreement, to the extent it constitutes Personal Data.
“Security Incident” means a personal data breach as defined in Art. 4(12) GDPR affecting Personal Data processed under this DPA.
“Sub-processor” means any third party engaged by Beebole to process Personal Data on Beebole’s behalf in connection with the Services.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Decision (EU) 2021/914.
“EU-US Data Privacy Framework” or “DPF” means the EU-US Data Privacy Framework and its underlying adequacy decision adopted by the European Commission on 10 July 2023.
2. Scope and applicability
2.1 This DPA applies to the processing of Personal Data by Beebole on behalf of the Customer in the course of providing the Services, where and to the extent the GDPR applies to that processing.
2.2 This DPA takes effect on the date the Customer accepts the Agreement, and remains in force for as long as Beebole processes Personal Data on behalf of the Customer.
2.3 Exhibit A (GDPR Addendum) and Exhibit B (Data Processing Appendix) form an integral part of this DPA.
3. Roles and instructions
3.1 Roles. As between the parties, the Customer is the Controller and Beebole is the Processor with respect to Customer Data that constitutes Personal Data. Where the Customer is itself a processor acting on behalf of a third-party controller, Beebole acts as a sub-processor and the Customer warrants that it has the authority of that controller to engage Beebole on these terms.
3.2 Documented instructions. Beebole will process Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Belgian law to which Beebole is subject (in which case Beebole will, where legally permitted, inform the Customer of that legal requirement before processing). The Agreement, this DPA (including its Exhibits), and the Customer’s use and configuration of the Services constitute the Customer’s complete documented instructions. Beebole will inform the Customer if, in its opinion, an instruction infringes applicable data protection law (see §11).
3.3 Purpose limitation. Beebole will process Personal Data solely to provide and support the Services and as otherwise instructed by the Customer, and not for any other purpose.
3.4 Customer responsibilities. The Customer is responsible for the accuracy, quality and legality of the Personal Data and for having a valid legal basis (and, for special categories of personal data, a valid Art. 9 GDPR condition) for the processing carried out through the Services. The Customer warrants that its instructions comply with applicable data protection law.
4. Confidentiality and security
4.1 Confidentiality. Beebole will ensure that persons authorised to process Personal Data are bound by an appropriate obligation of confidentiality and process Personal Data only as instructed.
4.2 Security measures. Beebole will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking account of the state of the art, the nature, scope, context and purposes of processing, and the risks to data subjects, in accordance with Art. 32 GDPR.
4.3 Security Incident notification. In the event of a Security Incident, Beebole will notify the Customer within 24 hours of becoming aware of it. The notification will describe, to the extent then known, the nature of the incident, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Beebole will provide the Customer with reasonable assistance and information to enable the Customer to meet its own breach-notification and communication obligations (including Art. 33 and Art. 34 GDPR). Beebole’s notification is not an acknowledgement of fault or liability.
5. Sub-processing
5.1 General authorisation. The Customer provides a general authorisation for Beebole to engage Sub-processors, including Beebole affiliates, to process Personal Data in connection with the Services. The current list of Sub-processors is maintained at ./sub-processors.md and incorporated by reference.
5.2 Flow-down and liability. Beebole will impose on each Sub-processor, by written contract, data protection obligations that are no less protective than those in this DPA, in particular as regards the documented-instructions, confidentiality and security obligations. Beebole remains fully liable to the Customer for the performance of each Sub-processor’s obligations.
5.3 Change notice and objection right. Beebole will give the Customer reasonable prior notice of any intended addition or replacement of a Sub-processor (for example, by updating the Sub-processor list and/or providing a notification mechanism). The Customer may object to the change on reasonable, data-protection-related grounds by notifying Beebole within thirty (30) calendar days of the notice. If the Customer so objects, Beebole will not appoint the Sub-processor for the Customer’s Personal Data and the parties will work together in good faith to find an alternative. If no reasonable alternative is available, either party may terminate the affected Services as its remedy.
6. International transfers
6.1 Data residency. Customer Data of EU Customers is hosted in the EU (regional Google Cloud) and does not transfer to the United States under the current (V2) platform. The residual EU→US transfer surface is limited to (a) legacy US-hosted logs and audit-trail files maintained on the prior (V1) Google Cloud configuration during the platform coexistence period, and (b) Customer Data of US Customers, which is hosted on US servers.
6.2 Transfer mechanism. Where Beebole transfers Personal Data outside the EEA, or engages a Sub-processor that does so, it will ensure that the transfer is subject to appropriate safeguards under Chapter V GDPR, applied in the following order of preference:
(a) Adequacy — reliance on a European Commission adequacy decision where the recipient country (or relevant sector or recipient) benefits from one;
(b) EU-US Data Privacy Framework — for recipients in the United States that are certified under, and remain in good standing with, the EU-US Data Privacy Framework, reliance on the DPF adequacy decision; and
(c) Standard Contractual Clauses — where neither (a) nor (b) is available, the EU Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914, supplemented by any additional measures required following a transfer impact assessment.
6.3 SCC modules. Where the SCCs apply, the parties agree that Module Two (controller-to-processor) governs transfers in the Customer→Beebole relationship (Customer as data exporter/controller, Beebole as data importer/processor), and Module Three (processor-to-processor) governs Beebole’s onward transfers of Personal Data to its Sub-processors (Beebole as data exporter/processor, the Sub-processor as data importer/processor).
6.4 The SCCs, where they apply, are incorporated into this DPA by reference and take precedence over any conflicting terms in respect of the transfer they govern.
7. Service data
7.1 Beebole may collect and analyse aggregated and de-identified data relating to the operation, support and use of the Services (“Service Data”), provided such data does not identify the Customer or any data subject. Service Data is owned by Beebole and used only in aggregated, de-identified form to operate, secure and improve the Services. This DPA does not apply to Service Data to the extent it does not constitute Personal Data.
8. Miscellaneous
8.1 The Agreement remains in full force and effect; this DPA supplements it.
8.2 In the event of a conflict between this DPA and the Agreement in respect of the processing of Personal Data, this DPA controls. As between this DPA and its Exhibits, the Exhibits control in respect of the matters they address.
8.3 Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
8.4 This DPA is governed by Belgian law, and disputes are subject to the jurisdiction provisions of the Agreement.
8.5 Data Protection Officer. Beebole has appointed an external (outsourced) Data Protection Officer, who can be contacted at dpo@beebole.com for any matter relating to this DPA or the processing of Personal Data.
Exhibit A — GDPR Addendum
This Exhibit sets out the Art. 28 GDPR processor terms.
A.1 Scope. This Exhibit applies to Beebole’s processing of Personal Data on behalf of the Customer under the Agreement.
A.2 Documented instructions. The Agreement, this DPA and this Exhibit constitute the Customer’s complete and final documented instructions to Beebole for the processing of Personal Data. Additional or alternative instructions must be agreed in writing.
A.3 Purpose limitation. Beebole will process Personal Data only for the purposes set out in Exhibit B and as necessary to provide the Services, and will inform the Customer if it is required by EU or Belgian law to process for another purpose (unless that law prohibits such notice on important grounds of public interest).
A.4 Data protection impact assessments (DPIAs). Taking into account the nature of processing and the information available to it, Beebole will provide the Customer with reasonable assistance with data protection impact assessments and prior consultations with the supervisory authority under Art. 35–36 GDPR. Given that special-category (health-adjacent) absence data is in scope (see Exhibit B), Beebole will in particular assist the Customer with DPIAs relating to such processing. Assistance beyond standard documentation may be provided at the Customer’s reasonable cost.
A.5 Sub-processing. Sub-processing is governed by §5 of this DPA, including the general authorisation, the flow-down and continuing-liability obligations, and the 30-day objection right on reasonable grounds. The current Sub-processor list is maintained at ./sub-processors.md.
A.6 Confidentiality and Security Incidents.
(1) Beebole will ensure that persons authorised to process Personal Data are subject to an appropriate duty of confidentiality.
(2) Beebole will notify the Customer of a Security Incident without undue delay and in any event within 24 hours of becoming aware of it, and will provide reasonable assistance with the Customer’s breach-reporting and communication obligations, as set out in §4.3.
A.7 Audit. Beebole will make available to the Customer information reasonably necessary to demonstrate compliance with Art. 28 GDPR and will allow for and contribute to audits, including inspections. Audits may be conducted by the Customer or an independent auditor mandated by it, on reasonable prior written notice, during business hours, subject to confidentiality, and so as not to disrupt Beebole’s operations, in particular following a Security Incident or where a supervisory authority so instructs. Beebole may satisfy audit requests by providing relevant certifications, audit reports or documentation where these reasonably address the Customer’s request. If Beebole declines a reasonable audit request, the Customer may terminate the affected Services.
A.8 Data-subject rights. Taking into account the nature of the processing, Beebole will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Beebole will, without undue delay and by no later than the next working day, forward to the Customer any data-subject request it receives directly that relates to the Customer’s Personal Data, and will not respond to such a request itself except on the Customer’s documented instruction or as required by law.
A.9 Retention, deletion or return. Beebole does not automatically delete Customer Data on termination or expiry of the Agreement; the account and the Personal Data processed on the Customer’s behalf (including audit-trail data, which forms part of the Customer Data) are retained so that the Customer may reactivate and regain access. The Customer may delete its data at any time, and may at any time elect to have Beebole delete or return all Personal Data processed on its behalf and delete existing copies, unless EU or Belgian law requires continued storage. In particular, Beebole may retain billing and accounting data for ten (10) years where required by Belgian law, notwithstanding any deletion or return request; such retained data is processed only for that statutory purpose and remains subject to appropriate security measures. The timing of any deletion takes account of the retention periods for operational logs and backups described in the Services documentation.
A.10 Demonstrate compliance; infringement notice. Beebole will make available to the Customer all information necessary to demonstrate compliance with its obligations under Art. 28 GDPR. Beebole will immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
A.11 Conflict. In the event of a conflict between this Exhibit and the body of this DPA in respect of the matters it addresses, this Exhibit controls.
Exhibit B — Data Processing Appendix
Subject matter and duration. Processing of Personal Data submitted to the Services by or on behalf of the Customer, for the duration of the Agreement and any applicable retention period thereafter.
Nature and purpose of processing. Provision of the Beebole time-tracking and planning Services, including recording, aggregating, approving, analysing and reporting on time worked and absences, on the Customer’s documented instructions.
Categories of data subjects. The Customer’s end users and employees who record hours worked and absences, and other individuals whose data the Customer submits to the Services (e.g. project contacts).
Categories of Personal Data. Name, password, email address, IP address, analytics data, device data, usage data, location data, and tracked-hours data.
Special categories of Personal Data. Special-category (health-adjacent) data that may arise from absence and leave records — for example, the recording of sick leave or medical/health-related absence types — to the extent the Customer chooses to record such information in the Services.
Note on special categories. Processing of special-category (health-adjacent) data is in scope of the Services. The Customer (as Controller) is responsible for ensuring it has a valid condition under Art. 9 GDPR for processing such data (for example, an obligation or right in the field of employment law under Art. 9(2)(b), with appropriate Belgian/Member-State safeguards) before recording it in the Services. Beebole will provide reasonable assistance with related data protection impact assessments (see Exhibit A.4) and applies heightened technical and organisational measures appropriate to such data.
Sub-processors. As listed at ./sub-processors.md.
Optional signature block (not required for this DPA to apply)
This DPA applies automatically on acceptance of the Agreement. The following block is provided only for Customers who require a countersigned copy.
Customer
Name: ____________________ Title: ____________________ Date: ____________________
Signature: ____________________
Beebole s.r.l.
Name: Yves Hiernaux Title: CEO Date: ____________________
Signature: ____________________