top of page

Data Processing Addendum

This Data Processing Addendum ("DPA") governs the processing of personal data by Duely BV (address: Montereystraat 46, 9000 Gent, company number: BE1015.781.822) ("Sub-processor" or "Duely") on behalf of its clients ("Processor" or "Client") in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

​

This DPA applies where Client acts as a data processor on behalf of a data controller. Client will ensure it has proper authorization from the data controller to engage Duely as a sub-processor.

last update: 28 May 2025

1. Processing instructions

Duely will process personal data only on documented instructions from Client, provided that:

  • Such instructions are within the scope of Client's authorization from the data controller

  • Instructions do not conflict with the data controller's original instructions
     

Duely will immediately inform Client if any instruction appears to:

  • Violate GDPR or applicable data protection law

​2. Confidentiality

Duely ensures that persons authorized to process personal data:

  • Are bound by confidentiality obligations

  • Have access only on a need-to-know basis

  • Receive appropriate data protection training

3. Security measures

Duely implements technical and organizational measures that are at least equivalent to those implemented by Client, including:

  • Access controls based on least privilege principle

  • Encryption of data in transit and at rest

  • Regular security assessments and updates

  • Staff training on data protection

4. Sub-processors

  • Duely may engage further sub-processors with Client's specific or general written authorization

  • Client will be informed of sub-processor changes with 7 days' notice

  • Client may object to new sub-processors (and must inform the data controller)

  • All sub-processors are bound by equivalent data protection obligations

  • Client remains fully liable to the data controller for Duely's performance

5. International Data Transfers

Any transfer of personal data to third countries will:

  • ​Use appropriate technical, organizational or contractual safeguards

  • Be documented and, if requested, communicated to Client for onward reporting to data controller

6. Data Subject Rights Assistance

Duely will assist Client in enabling Client to assist the data controller with data subject requests by:

  • Providing relevant information to Client within 72 hours of request

  • Implementing technical measures to facilitate data portability, erasure, etc.

  • Cooperating with Client's obligations to the data controller

7. Breach notification

Duely will notify Client of any personal data breach without undue delay and no later than 48 hours after becoming aware, enabling Client to:

  • Notify the data controller within required timeframes

  • Provide sufficient information for data controller to assess supervisory authority notification obligations

  • Assist data controller with breach response
     

Notification Chain: Duely → Client → Data Controller → Supervisory Authority (if required)

8. Data Protection Impact Assessments

Duely will assist Client in enabling the data controller to conduct Data Protection Impact Assessments by:

  • Providing relevant information about sub-processing operations and security measures

  • Supplying technical details necessary for impact assessment

  • Cooperating with any DPIA requirements imposed by the data controller

9. Audit

  • Client may audit Duely's compliance on behalf of the data controller

  • Audit rights include review of documentation, certifications, and inspection of relevant systems

  • Duely will provide necessary cooperation for controller audits

10. Data deletion / return

  • Duely may engage further sub-processors only with Client's specific or general authorization

  • Client will be informed of sub-processor changes with 7 days' notice

  • Client may object to new sub-processors (and must inform the data controller)

  • All sub-processors are bound by equivalent data protection obligations

11. Liability

  • Client remains fully liable to the data controller for Duely's processing activities

  • Duely will be liable to Client for damages caused by its breach of GDPR or this DPA

  • Client must ensure adequate liability coverage toward the data controller

All related queries can be directed to privacy@duely.ai

MG Business Center

Esplanade Oscar van de Voorde 1
9000 Gent,
Belgium

spun off from

your partner in AI

2025 Duely

bottom of page