DATA PROCESSING AGREEMENT

Last updated: March 2026 · Version 1.0

This DPA governs the processing of personal data by Require ApS on behalf of our customers, as required by GDPR Article 28. It forms part of and is incorporated into the Terms of Service.

1. Introduction and Scope

This Data Processing Agreement ("DPA") is entered into between:

Data Controller:

The customer entity that has accepted the Terms of Service for conexor.io ("Customer" or "Controller")

Data Processor:

Require ApS, a Danish private limited company ("Require ApS" or "Processor")

This DPA governs the processing of personal data by Require ApS on behalf of the Customer in connection with the provision of the conexor.io platform and related services ("Services"), as required by Article 28 of Regulation (EU) 2016/679 ("GDPR").

This DPA forms part of and is incorporated into the Terms of Service between the parties. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

2. Definitions

"Personal Data": Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
"Processing": Any operation or set of operations performed on personal data, as defined in GDPR Article 4(2).
"Data Subject": The natural person to whom Personal Data relates.
"Sub-Processor": Any third party engaged by Require ApS to process Personal Data on behalf of the Customer.
"Standard Contractual Clauses (SCCs)": The standard contractual clauses adopted by the European Commission pursuant to Decision 2021/914/EU.

3. Subject Matter, Nature, and Duration of Processing

Subject matter: Require ApS processes personal data solely to deliver the Services, including relaying AI queries to Customer's connected databases and maintaining audit logs.

Nature: Transmission, temporary processing, and audit logging of queries and metadata. Require ApS does not store query results or raw database content.

Duration: For the term of the Services agreement, and thereafter for such limited period as required to fulfil legal obligations, subject to Section 11 (Deletion and Return).

4. Categories of Data Subjects and Personal Data

The categories of personal data processed depend entirely on the Customer's database configuration and instructions. Require ApS does not determine the categories — that determination rests solely with the Customer.

Known categories processed by Require ApS in its own infrastructure:

Category | Data types
Platform users | Email, name, organisation, hashed password, TOTP MFA secret, user ID, role
Audit log entries | User ID, IP address, action, resource ID, timestamp

Customer database data

Require ApS relays queries to Customer's databases and returns results to the requesting AI model or user session. Query results are not stored or retained by Require ApS beyond the duration of the active session.

5. Customer's Obligations as Controller

The Customer is solely responsible for:

  • Ensuring that all Personal Data provided to Require ApS or accessible via the Services is processed in accordance with applicable law, including GDPR;
  • Having a valid legal basis for each processing activity carried out through the Services;
  • Providing all required notices to and obtaining all required consents from Data Subjects;
  • Ensuring the accuracy, quality, and legality of Personal Data;
  • Determining what data is exposed to AI models via the MCP connection and ensuring this is appropriate under applicable law;
  • Responding to Data Subject requests (access, erasure, rectification, portability, objection) in relation to data stored in Customer's own databases.

The Customer warrants that it has the legal authority to instruct Require ApS to process Personal Data as described in this DPA, and that such instructions are lawful.

6. Require ApS's Obligations as Processor

Require ApS shall:

  • Process Personal Data only on documented instructions from the Customer, including as set out in this DPA, unless required to do so by EU or Member State law;
  • Inform the Customer immediately if an instruction infringes GDPR or other applicable data protection law;
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality;
  • Implement appropriate technical and organisational measures as described in Section 8;
  • Assist the Customer in fulfilling its obligations to respond to Data Subject requests, to the extent technically feasible;
  • Assist the Customer with GDPR Articles 32–36 obligations (security, breach notification, DPIAs) as reasonably requested;
  • Delete or return Personal Data upon termination as described in Section 11;
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 9.

7. Sub-Processors

7.1 Authorised sub-processors

The Customer provides general written authorisation for Require ApS to engage sub-processors. Current sub-processors are listed in the Sub-Processor List at conexor.io/legal/sub-processors.

7.2 New sub-processors

Require ApS shall provide at least 30 days' prior written notice before adding or replacing a sub-processor that processes Personal Data. Notice shall be given by email or via an in-platform notification.

7.3 Objection

The Customer may object to a new sub-processor within the notice period by notifying [email protected] in writing with reasons. If Require ApS cannot accommodate the objection, the Customer may terminate the Services with written notice, receiving a pro-rata refund of prepaid fees.

7.4 Sub-processor contracts

Require ApS shall impose data protection obligations on sub-processors equivalent to those in this DPA. Where sub-processors are located outside the EEA, Require ApS shall implement appropriate safeguards, including SCCs where applicable.

7.5 Liability

Require ApS shall be liable to the Customer for the sub-processor's data protection obligations to the same extent as if Require ApS had performed the processing directly, subject to the liability limitations in the Terms of Service.

8. Security Measures

Require ApS implements the following technical and organisational measures ("TOMs"):

Measure | Description
Encryption in transit | TLS 1.2+ for all data in transit
Encryption at rest | AES-256 encryption of database connection strings; machine-bound key management
Access control | Role-based access control (RBAC); principle of least privilege
Authentication | Multi-factor authentication (TOTP) enforced for platform access
Audit logging | Immutable audit logs of user actions (user ID, action, resource ID, timestamp, IP)
Infrastructure | Hosted on Microsoft Azure (West Europe, EU) with SOC 2 and ISO 27001 certifications
Incident response | Documented breach detection and response procedures
Personnel | Confidentiality obligations for all personnel with data access

9. Audits and Inspections

9.1 Require ApS shall, upon reasonable written request (minimum 30 days' notice), provide the Customer with documentation sufficient to demonstrate compliance with this DPA, including third-party audit reports, certifications, and descriptions of TOMs.

9.2 If the Customer requires an on-site audit, this shall be conducted: (a) at the Customer's cost; (b) during business hours; (c) with minimum disruption to Require ApS's operations; (d) no more than once per calendar year unless required by a supervisory authority.

9.3 The Customer agrees to treat all audit findings as confidential.

10. Personal Data Breaches

10.1 Require ApS shall notify the Customer without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach affecting Personal Data processed under this DPA.

10.2 Notification shall include, to the extent available: description of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

10.3 The Customer is solely responsible for determining whether notification to a supervisory authority or Data Subjects is required and for making such notifications.

11. Deletion and Return of Personal Data

11.1 Upon termination of the Services, Require ApS shall, at the Customer's choice: (a) Delete all Personal Data (including copies) within 90 days of termination; or (b) Return Personal Data in a machine-readable format, where technically feasible.

11.2 Audit log data shall be deleted within 90 days of termination unless a longer retention period is required by applicable law.

11.3 Require ApS shall provide written confirmation of deletion upon request.

12. Transfers Outside the EEA

Personal Data processed under this DPA is stored on Microsoft Azure infrastructure located in the EU (West Europe). No Personal Data is transferred to third countries by Require ApS's core infrastructure.

Require ApS uses the following sub-processors located outside the EEA, with the following transfer mechanisms:

Sub-Processor | Country | Transfer Mechanism
Stripe, Inc. | USA | Standard Contractual Clauses (SCCs, 2021/914)
Anthropic, Inc. | USA | Standard Contractual Clauses (SCCs, 2021/914)
OpenAI, LLC | USA | Standard Contractual Clauses (SCCs, 2021/914)

The SCCs referenced above are incorporated into the agreements with each relevant sub-processor and are available upon request at [email protected].

13. Liability Limitations

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

Require ApS is not liable for any damage arising from: the Customer's unlawful instructions; the Customer's failure to comply with GDPR or other applicable law; the content, accuracy, or legality of data stored in Customer's databases; the Customer's decision to expose particular data to AI models via MCP; or actions or omissions of Customer's employees, contractors, or end users.

Any liability of Require ApS under this DPA is subject to the liability limitations set out in the Terms of Service, including the aggregate liability cap of three (3) months of fees paid.

Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, or for fraud or fraudulent misrepresentation, to the extent such limitations are not permitted by applicable law.

14. Governing Law

This DPA is governed by the laws of Denmark. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the Copenhagen City Court (Københavns Byret) as first instance.

15. Amendments

Require ApS may amend this DPA from time to time, with 30 days' prior notice to the Customer. If amendments are required to comply with changes in applicable law, the amended DPA shall apply from the date the legal requirement takes effect.

Questions about this DPA?

Contact us at [email protected]

Require ApS — GDPR Article 28 compliant Data Processing Agreement — Governed by Danish law
