Advanta Legal · DPA Template

Data Processing Agreement

Template version 1.0 · Effective from execution · Pursuant to GDPR Article 28

This is a template for review. The executed DPA is the binding instrument between Advanta and the Customer. Customers may execute this template by countersigning the PDF version provided in their commercial agreement. To request the executable PDF, email diogo@advanta.pt.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Controller: the customer entity identified in the underlying Service Agreement ("Customer")
Processor: Advanta Tecnologia, Lda., registered office in [Lisbon, Portugal], NIPC [pending update] ("Advanta")

This DPA forms part of and is incorporated into the underlying Service Agreement (the "Agreement") between the parties. Capitalised terms not defined here have the meanings given in the Agreement or in Regulation (EU) 2016/679 ("GDPR").

2. Subject matter and scope

Advanta processes Customer Personal Data solely for the purpose of providing the Services and only on the documented instructions of the Customer, as set out in the Agreement, this DPA, and Annex I.

3. Roles

The Customer is the Controller and Advanta is the Processor. For the avoidance of doubt, when Advanta acts as a sub-processor for a Customer that is itself a processor (e.g. a bank acting as processor for its end-customers), the Customer warrants that it has the lawful basis and authority to instruct Advanta to process Personal Data.

4. Duration

This DPA applies for the term of the Agreement and any survival period required by law for return or deletion of Customer Personal Data.

5. Processing details (Annex I)

5.1 Categories of data subjects

End-customers of the Customer (typically: small and medium enterprises and their authorised representatives), and Customer's authorised users.

5.2 Categories of Personal Data

Identification data: name, NIF (Portuguese tax ID), email, phone, role
Company data: legal name, address, sector, size, revenue band
Authentication data: hashed passwords, MFA enrolment metadata, session tokens, OAuth tokens (encrypted)
Financial data (when Customer enables ERP connector): invoices, receivables, payment history
Behavioural data: API request logs (with PII redaction), audit log entries

5.3 Special categories of data

None. Customers warrant they will not submit special-category data (Art. 9 GDPR) absent a separate written agreement with Advanta.

5.4 Frequency of transfer / processing

Continuous, on a per-API-request basis.

5.5 Nature and purpose

Hosting, storage, computation, transmission, audit, and operational support of the Services.

5.6 Retention

Operational data: for the duration of the contract; deleted within 90 days of termination unless retention required by law
Audit log: 7 years (immutable, WORM)
Backups: 35 days rolling

6. Confidentiality and personnel

Advanta ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and have received GDPR awareness training.

7. Security measures

Advanta implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in our Security Overview. Measures include:

Pseudonymisation and encryption of Personal Data (TLS 1.3 in transit; AES-256 at rest with customer-managed KMS keys)
Ongoing confidentiality, integrity, availability, and resilience of processing systems
Ability to restore availability and access to Personal Data in a timely manner (RTO/RPO documented)
Regular testing, assessing, and evaluating the effectiveness of measures (annual penetration test, continuous monitoring)
Multi-tenant logical isolation enforced by RLS and application controls
Compliance-grade audit log with WORM retention

8. Sub-processors

The Customer authorises Advanta to engage the sub-processors listed at /legal/sub-processors. Advanta will:

Notify the Customer of any addition or replacement of sub-processors at least 30 days in advance
Impose data protection obligations on each sub-processor that are no less protective than those in this DPA
Remain liable for the acts and omissions of its sub-processors

The Customer may object to a new sub-processor on reasonable grounds within 30 days; the parties will work in good faith to resolve, failing which the Customer may terminate the affected Service.

9. International transfers

Customer Personal Data is stored within the European Economic Area (EEA), specifically AWS eu-central-1 (Frankfurt, Germany). Where transfer outside the EEA is unavoidable for incidental processing by sub-processors, such transfers rely on the EU Standard Contractual Clauses (Module Two — Controller to Processor; Decision (EU) 2021/914) supplemented by Advanta's technical and organizational measures.

10. Data subject rights

Advanta provides the Customer with reasonable assistance to fulfil its obligations to respond to data subject requests. The web admin app at admin.advanta.pt provides self-service tools for:

Data export (Article 20 — right to portability)
Data deletion (Article 17 — right to erasure)
Data rectification (Article 16)
Restriction of processing (Article 18)

11. Personal Data breach notification

Advanta will notify the Customer without undue delay, and in any case within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known:

Description of the nature of the breach, categories and approximate number of data subjects and records concerned
Likely consequences
Measures taken or proposed to address the breach and mitigate adverse effects
Contact details of the Data Protection Officer

12. Audits

Customer may, on reasonable prior written notice (no less than 30 days), and not more than once per twelve-month period, audit Advanta's compliance with this DPA, either directly or via an independent third-party auditor bound by confidentiality. Audits must occur during normal business hours, must not unreasonably interfere with Advanta's operations, and the Customer bears the cost. Advanta may satisfy audit requests by providing a copy of its current SOC 2 report or equivalent certification.

13. Return or deletion of Personal Data

Upon termination of the Agreement, Advanta will, at the Customer's choice:

Return all Customer Personal Data via export tools, or
Delete all Customer Personal Data within 90 days, save for the WORM audit log (which is retained for the legally mandated 7 years and remains accessible for compliance verification only)

Backup copies are deleted in accordance with the rolling 35-day retention schedule.

14. Governing law and jurisdiction

This DPA is governed by Portuguese law. The courts of Lisbon, Portugal, have exclusive jurisdiction.

15. Contact

Data Protection Officer: diogo@advanta.pt
Postal: Advanta Tecnologia, Lda., Lisbon, Portugal

This template is provided in good faith as a reasonable starting point. Customer-specific terms (additional security requirements, audit rights, BYOK arrangements, regulator-specific clauses for banking) are negotiated as part of the commercial agreement.