Data Processing Agreement.

This Data Processing Agreement (“DPA” or “Agreement”) forms an integral part of, and is subject to, the Terms of Use and other terms and conditions between MOVE37 BV, a Belgian company registered with the Crossroads Bank for Enterprises under number 0805.637.854, having its registered office at Drie Eikenstraat 373, 2650 Edegem (“Wundo”), and the Customer.

This DPA governs the processing of personal data by Wundo on behalf of the Customer in connection with the provision of the Wundo AI leadership assistant platform and related services.

This DPA sets out the terms, conditions, and technical and organizational measures under which Wundo will process personal data on behalf of the Customer. It supplements the Agreement and prevails over any conflicting provisions therein with respect to the subject matter of data protection and processing of personal data.

Article 1. General

The data processing agreement (hereinafter: the “Agreement”) is agreed between Controller and Processor. Processor provides an AI-based leadership enablement platform (‘Wundo’) supporting learning and development of the Controller’s staff. For the purposes of this Agreement, “Processor” or “Controller” also means each of its affiliates, unless explicitly provided otherwise.

Article 2. Definitions

For the purposes of the Agreement, the following terms, whenever used with a capital, in both the single and plural form, shall have the meaning as defined hereinafter:

  1. “Agreement”: means this Data Processing Agreement (“DPA”), in which the general rules are laid down with regard to the conditions pursuant to which the Processor will perform the Processing Services on Personal Data on behalf of the Controller.

  2. “Automated Processing” (or “AI processing”): means any operation performed by Wundo’s AI algorithms to provide personalized insights or learning cues to users, without producing legal or significant effects.

  3. “Business Day”: means a day (from 9 am to 5 pm) on which banks are generally open for business.

  4. “Data Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in article 4 (7) GDPR and hereinafter also referred to as “Controller”. 

  5. “Data Processor”: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Controller, as defined in article 4 (8) GDPR and hereinafter also referred to as “Processor”.

  6. “Data Protection Legislation”: means (i) Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing directive 95/46/EC (“General Data Protection Regulation” or “GDPR”); (ii) the local implementation law on the protection of natural persons with regard to the Processing of Personal Data (in particular the Act of 30 July 2018 on the processing of personal data); and (iii) all current or future applicable national or European legislation relating to or Processing Services on the Processing of Personal Data and privacy.

  7. “Data Subject”: means an identified or identifiable natural person whose Personal Data are being processed. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined in article 4 (1) GDPR.

  8. “Effective Date”: means the date on which the Parties have signed the Principal Agreement.

  9. “European Economic Area”: means all member states of the European Union together with Iceland, Liechtenstein and Norway, also referred to as the “EEA”.

  10. “Personal Data”: means any information relating to a Data Subject, as defined in article 4 (1) GDPR.

  11. “Personal Data Breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, as defined in article 4 (12) GDPR. 

  12. “Principal Agreement”: means the commercial agreement (including but not limited to the Terms of Use and any other terms and conditions) entered into between the Parties. The Principal Agreement serves as the legal basis for Processing of Personal Data performed by the Processor, on behalf of the Controller.

  13. “Processing”: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data (Annex 1), whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined in article 4 (2) GDPR. 

  14. “Processing Services”: means the services, functions, responsibilities and outputs to be provided and fulfilled by the Processor under this Agreement.

  15. “Standard Contractual Clauses”: means the appropriate safeguards which are adhered to by Controller on its own behalf and on behalf of its Affiliates and Processor acting on its own and on behalf of its Affiliates concerning the transfer of Personal Data outside the European Economic Area, as specified in Annex 2.

  16. “Sub-Processor”: means a Third Party engaged by the Processor as a Sub-Processor to provide the Processing services or any part of them.

  17. “Third Party”: means any person or entity which is not a party to the DPA, including any contractors (including Sub-Processors).

  18. “Third Country”: means any country that is not a Member State of the European Economic Area.

Article 3. Data Processing under this Agreement

The Controller requests the Processing Services of the Processor, by which the Processor will Process Personal Data on behalf of the Controller. The Controller determines the purposes and means of the Processing. The Processor expressly acknowledges and warrants that it complies with all legal obligations as set out in the Data Protection Legislation.

The nature and purpose of the Processing, type of Personal Data and categories of Personal Data to be Processed and the categories of Data Subjects are further detailed in Annex 1 to this DPA.

The Processor only processes Personal Data following the written instructions (including e-mail) provided by this Agreement including with regard to transfers of Personal Data to a Third Country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Wundo uses automated algorithms to provide personalized leadership insights, cues, and summaries to the Customer’s users. Such processing is limited to the scope of the Services and does not involve automated decision-making producing legal or similarly significant effects.

Wundo shall not use Customer Personal Data to train, retrain, or improve any general or third-party AI models. Any AI Processing is performed within Wundo’s controlled infrastructure with appropriate safeguards and human oversight. 

Processor shall process personal data solely to perform the services defined in the Principal Agreement and in accordance with Controller’s written instructions. Processor shall not use personal data to train, fine-tune, or improve general AI models.

The Processor shall, without undue delay and in any case within forty-eight (48) hours after acknowledging the infringement, inform the Controller in writing (including e-mail) if, in its opinion, an instruction infringes the Data Protection Legislation or other EU or Member State data protection provisions. Notifications outside office hours are “next business day”. The Processor has no decision power in, amongst others, determining the purpose and means of the Processing, the duration of the Processing, the Third Parties to whom the Personal Data is disclosed and the transfer of the Personal Data outside the European Economic Area (EEA). 

Article 4. Disclosure of Personal Data

Processor shall not disclose, Process, nor provide access or permit the disclosure of the Personal Data to any Third Party, other than in accordance with:

  1. The written instructions of Controller (which may be specific or of a general nature), as set out in this Agreement or otherwise notified by Controller to Processor, including the documented instructions with regard to the transfer of Personal Data to a Third Country (Annex 2); or

  2. Where required by EU or Member State Law to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before Processing those Personal Data, unless that law prohibits such information being provided on important grounds of public interest.

Processor immediately and without undue delay, and in any case within seventy-two (72) hours after such event takes place, informs Controller if:

  1. It intends to disclose Personal Data to any competent public authority; or

  2. It receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing, except where Processor is otherwise prohibited by law from making such disclosure.

Article 5. Confidentiality of Personal Data

Processor shall keep Personal Data confidential and takes all necessary and appropriate measures to:

  1. Ensure the reliability of any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Processor who may have access to (the Processing of) the Personal Data;

  2. Ensure in each case that access is strictly limited to any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Processor who needs to access (the Processing of) the relevant Personal Data for the performance of their tasks and duties; and

  3. Ensure that any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Processor is informed and aware of the confidential nature of (the Processing of) the Personal Data and is subject to contractual, professional or statutory obligations of confidentiality.

  4. Ensure that any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Processor is subject to confidentiality undertakings or professional or statutory obligations of confidentiality that apply with respect to (the Processing of) the Personal Data.

Article 6. Appropriate technical, physical and organisational security measures

Processor shall implement appropriate technical, physical and organisational security measures required pursuant to article 32 of the GDPR to protect Personal Data against destruction or accidental loss, damage, alteration, unauthorised disclosure or access, and against all other forms of unlawful, unauthorized or accidental Processing including, but not limited to, unnecessary collection or further Processing (Annex 3). These measures shall be defined taking into account good industry practice, the costs of implementation and execution of these measures, the nature, scope, context and purposes of the Processing as well as the likelihood and severity of the risks for the rights and freedoms of the Data Subjects. The Processor shall ensure that its Sub-Processors and employees implement appropriate technical and organisational measures of at least the same security level as the technical and organisational measures provided in Annex 3. The Processor shall ensure that all Sub-Processors and employees authorized to process Personal Data are bound by written contractual obligations requiring them to implement technical, physical, and organisational security measures that provide at least an equivalent level of protection to those set out in this Agreement and in Annex 3. The Processor shall conduct reasonable due diligence before engaging any Sub-Processor and shall periodically verify that each Sub-Processor maintains the required level of security.

Article 7. Sub-Processors

Controller provides general authorization for the use of sub-processors, provided that Processor maintains an up-to-date list of such Sub-processors and notifies Controller of any intended changes with at least 15 days’ prior notice.

A list of Wundo’s current Sub-Processors is available for Controller at the Sub-processors page of the website. Wundo ensures that each Sub-Processor is bound by written obligations substantially similar to this Agreement, including the prohibition to use data for AI training.


Article 8. Data Subject requests

Processor shall notify Controller without undue delay and within ten (10) Business Days at the latest, after the receipt of a request from (a Third Party acting on behalf of) a Data Subject to exercise one or more of its rights under the Data Protection Legislation with respect to the Processing of Personal Data by the Processor in the context of or in connection with the performance of its agreement between Controller and Processor.

Processor shall cooperate as requested by Controller in writing (including e-mail) to enable Controller to comply with any exercise of rights by a Data Subject in respect of Personal Data processed by Processor under this Agreement.

The Processor shall only respond or implement such request upon explicit written instruction (including e-mail) of the Controller. The Processor shall upon such written instruction of the Controller, implement the instruction with regard to the request of the Data Subject, including but not limited to the rights of access, rectification, erasure or restriction of Processing without undue delay and in any case within two (2) Business Days.

Article 9. Personal Data Breach

Processor immediately and without undue delay, and in any case within twenty-four (24) hours after such event takes place, informs Controller if it detects or reasonably suspects or becomes aware that a Personal Data Breach has occurred. Processor shall fully co-operate with Controller and take such steps as requested by Controller to assist in the investigation, mitigation of the effects and remediation by providing solutions to solve the Personal Data Breach, taking into account the nature of the Processing and the information available to the Processor. 

The Processor shall, at all times, maintain a log of all Personal Data Breaches and related security incidents, including near-miss events, and shall review and evaluate such incidents on at least an annual basis in order to assess the effectiveness of its technical and organizational measures, as further detailed in Annex 3.

The Processor shall in any case provide the Controller all information that is required in order to allow the Controller to notify the Personal Data Breach to the supervisory authority and to inform the Data Subject of the Personal Data Breach without any delay. The Processor shall refrain from notifying any Personal Data Breach without the explicit written instructions (including e-mail) of the Controller. The Processor shall not notify any Personal Data Breach to any supervisory authority or to any Data Subject unless it has received the explicit prior written instruction (including by e-mail) of the Controller to do so.

In any event, Processor shall at its own costs and expenses and following consultation with Controller, take all such measures as are necessary to end, and to limit to the maximum extent possible the adverse consequences of such Personal Data Breach.

Article 10. Assistance of the Controller

Processor shall, and shall procure that its Sub-Processors and employees shall, provide all assistance as requested in writing (including e-mail) by the Controller in order to allow the Controller to:

  1. prepare any data protection impact assessment and submit any prior consultation to a supervisory authority where required by the Data Protection Legislation; and

  2. comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, including by any competent public authority.


Article 11. Audit

The Controller may, upon prior written notice of at least two (2) weeks, conduct an audit to verify whether the Processor complies with its obligations under this DPA and applicable Data Protection Legislation. Such audits may be performed no more than once every two (2) years, unless a Personal Data Breach or other substantiated indication of non-compliance has occurred.

To demonstrate compliance with its obligations under Articles 32 to 36 of the GDPR and this DPA, the Processor shall make available to the Controller, within fourteen (14) Business Days of a written request, all relevant documentation, records, and evidence reasonably required to confirm such compliance.

The Processor may fulfil its audit obligations by providing the Controller with independent third-party certifications, audit summaries, or assurance reports (such as ISO 27001, SOC 2, or equivalent) demonstrating that appropriate technical and organizational measures are in place. Where such reports are available, the Controller agrees that they constitute sufficient evidence of compliance, and no further on-site inspection shall be required unless the Controller provides a justified reason to the contrary.

Any physical or remote audit, where exceptionally necessary, shall be co-ordinated in advance, conducted during regular business hours, and carried out in a manner that minimises disruption to the Processor’s operations.

The costs of any audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA or applicable Data Protection Legislation.

The Processor may request that the Controller provide a copy of the final audit report at no cost. The report, and all information obtained during the audit, shall be treated as strictly confidential by the Controller and any auditor mandated by it, and may not be disclosed or published except where required by law or by a competent supervisory authority.

Such confidential information includes, but is not limited to, details regarding the Processor’s business operations, methods, processes, technical architecture, security systems, and client relationships.

Article 12. Demonstrating compliance

Processor shall provide on request of the Controller, all information and documentation allowing it to demonstrate compliance of Processor with Data Protection Legislation and shall allow for and contribute to audits and inspections carried out by Controller or auditors acting on Controller’s behalf.

Article 13. Transfer of Personal Data

Processor shall not transfer Personal Data to any affiliate, or Third Party located in any country outside the European Economic Area or make Personal Data accessible from any such country without the express prior written approval of Controller in accordance with the Standard Contractual Clauses (Annex 2).

Processor ensures that any sub-processor located outside the EEA offers an equivalent level of data protection, through the EU Standard Contractual Clauses and supplementary measures such as encryption and pseudonymization.

These Standard Contractual Clauses should be complemented by supplementary measures if the level of protection as required by the Data Protection Legislation is not respected in the Third Country and therefore Standard Contractual Clauses cannot be complied with in practice. These supplementary measures should ensure an essentially equivalent level of protection as provided in the EEA. 

If there is new guidance or a change in the Data Protection Legislation or case law that renders all or part of the transfer illegal, the Processor shall take all necessary measures to remedy such unlawfulness.


Article 14. Suspension of the Agreement

Controller is entitled to temporarily suspend the Processing of Personal Data in whole or in part if Processor is unable to meet its obligations under this Agreement until such time that the non-compliance is remedied. To the extent that such remedy is not available, Controller is entitled to terminate the relevant part of the Processing with immediate effect. Controller is also entitled to terminate this Agreement with immediate effect if suspension of the Processing pursuant to this provision exceeds a period of three (3) calendar months.


Article 15. Term and termination of the Agreement

This Agreement shall commence on the Effective Date and continues as long as the Principal Agreement is in force. The termination modalities agreed upon by both Parties in the Principal Agreement also apply to this DPA.

Processor shall cease the Processing of Personal Data immediately and in any case within seven (7) days upon the termination or expiry of this Agreement or sooner upon Controller’s demand, and shall at Controller’s option, either return, or securely delete the Personal Data and any copies and/or back-ups of it or of the information it contains from its systems (so that such Personal Data cannot be recovered or reconstructed), and Processor shall confirm in writing that this obligation has been fully complied with. The Controller may ask for a copy of the Personal Data within thirty (30) Business Days after termination of this DPA.

The Controller shall have the right, within thirty (30) Business Days following the termination or expiry of this DPA, to request a copy or export of the Personal Data processed on its behalf. Upon such request, the Processor shall provide the Personal Data in a structured, commonly used, and machine-readable format, enabling the Controller to exercise its rights under Article 20 of the GDPR (Data Portability).

After expiry of this period, or once the Controller confirms successful receipt of the data export, the Processor shall proceed with secure deletion in accordance with the above paragraph.


Article 16. Liability

In case a Party fails to comply with its obligations under this DPA, which causes damage to the other Party, that other Party shall give a written notice of default (including e-mail) to the non-compliant Party.

The Processor shall be liable only for direct damages resulting from an infringement of this DPA or of the applicable Data Protection Legislation. The Processor shall not be liable for any indirect, consequential, incidental, punitive, or special damages, including but not limited to loss of profit, loss of business, or reputational harm.

The total aggregate liability of the Processor arising out of or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, shall not exceed the liability cap set forth in the Principal Agreement, namely an amount equal to the total fees paid by the Controller to the Processor under the Principal Agreement during the twelve (12) months preceding the event giving rise to the liability.

The Processor shall not be liable for any damage or losses that result from actions or Processing carried out at the explicit instruction of the Controller, where the Processor has duly objected to such instruction in accordance with Article 3 of this DPA.

Article 17. Miscellaneous

This DPA is governed by and must be construed and interpreted in accordance with the Laws under which the Principal Agreement is concluded.

The courts and tribunals competent for any disputes under the Principal Agreement have exclusive jurisdiction over any dispute concerning the signing, validity, interpretation, execution or termination of the DPA and any other agreement or deed which executes this DPA.

In the event of contradictions between the DPA and other provisions between the Parties, the stipulations of the DPA shall prevail. If a provision of this DPA is proven to be invalid or unenforceable in whole or in part, it will be regarded as severable (insofar as it is invalid or unenforceable) and the validity of the other provisions of this DPA and the remainder of the provisions in question will remain unaffected. If the invalid provision is of fundamental importance for achieving the goal of this DPA, the Parties shall negotiate in good faith to remedy the invalidity, illegality or unenforceability of the provision or otherwise change this DPA to achieve its purpose.



ANNEX 1: DETAILS OF THE PROCESSING OF PERSONAL DATA

1. The subject-matter of the Processing of Personal Data

Personal Data may be processed for the performance of the following Services: services in respect of the provision of the Wundo platform and Wundo Content to the Customer and (end-)Users as described in the Principal Agreement.

Personal Data may be processed for the performance of the following Services: the provision, operation, and improvement of the Wundo AI-powered leadership assistant platform and related Wundo Content to the Customer and its (end-)Users, as described in the Principal Agreement and Privacy Policy.

In this context, the Processor may carry out partially automated processing activities that support the functionality of the platform, including but not limited to:

  • analysis of user interactions, learning cues, communication context, and usage patterns to generate personalised insights and recommendations;

  • creation of pseudonymised analytical datasets for service optimisation, quality assurance, and bias-detection of AI models; and

  • limited profiling or categorisation of user preferences or learning behaviours, solely to tailor content delivery and platform experience.

Such automated processing is performed exclusively to assist human decision-making and does not produce legal or similarly significant effects within the meaning of Article 22 GDPR. The Processor shall maintain appropriate human oversight, apply data-minimisation techniques, and ensure that AI-based outputs are used only for the purposes defined in this DPA and the Principal Agreement.

2. The nature and purpose of the Processing of Personal Data

The Services include Services, the Wundo platform and Wundo Content to be used by the Customer and its Staff (employees / (end-)Users). The services are further described in the Principal Agreement. 

The purpose of the Services is to onboard and support Controller’s Staff (employees (admin User and end-Users)) and to provide Wundo Content to the Customer.

 

3. The categories of Data Subjects

The Personal Data concern the following categories of Data Subjects:

Categories of Data Subjects: “Staff” of the Controller, e.g. personnel (employees, self-employed, ...): Personal data of Staff members who are natural persons, consultants, directors, subcontractors’ employees, agents and/or other related persons (e.g. members of the company, advisors).

4. The categories of Personal Data

The Personal Data concern the following categories of Personal Data:

Categories of Personal Data

  • Personal identification data: e.g. surname, first name

  • Contact information: e.g. address, telephone number, email address, WhatsApp

  • Data on employees of the Data Controller, including name and surname, postal address, personal identification number, date/place of birth, telephone/fax number at work, e-mail address with the Data Controller (if the Staff member has one), function in accordance with internal organization and systematization made by the Data Controller, mobile number, WhatsApp account name and number, interaction data between users and the Wundo AI assistant limited to metadata and contextual input necessary for the provision of insights (no full message content is permanently stored unless explicitly agreed with Controller), login and user (click) data, and other personal data on employees who are at Data Controller’s disposal, personal data which the Data Controller is obliged to keep in accordance with legal regulations, and which are strictly necessary for the Data Controller to meet the purpose of the Principal Agreement, attachments and annexes.

If the Processor processes any other Personal Data not specifically defined in Annex 1 of this Appendix in accordance with the explicit and recorded instructions of the Data Controller, such new Personal Data shall be processed under the same conditions contained in this Annex.



ANNEX 2: EU Standard Contractual Clauses (if applicable)





ANNEX 3: Appropriate technical, physical and organisational security measures (if applicable)

Here too, we refer to the Security, Privacy, and Compliance section of this website.


Version October 16, 2025.