GDPR Data Processing Agreement

Last updated: 26 April 2026

This Data Processing Agreement (“DPA”) forms part of the Customer Terms of Service between Cloudpepper BV (Witte Patersstraat 4, 1040 Brussels, Belgium — Enterprise number BE 0804.323.604) and the Customer. By accepting the Customer Terms of Service or otherwise using the Services, the Customer enters into this DPA. A counter-signed copy is available on request to privacy@cloudpepper.io.

This DPA is concluded pursuant to Article 28 of Regulation (EU) 2016/679 (“GDPR”) and other applicable Data Protection Laws.

Background and Recitals

A. The Customer and Cloudpepper BV (“Cloudpepper”) have entered into a Customer Terms of Service or other written agreement under which Cloudpepper provides managed Odoo hosting and related services to the Customer (the “Agreement”).

B. In the course of providing the Services, Cloudpepper processes Personal Data on behalf of the Customer. This DPA sets out the terms governing that processing in accordance with Article 28 GDPR and other applicable Data Protection Laws.

C. This DPA forms an integral part of, and is incorporated into, the Agreement. In the event of any conflict between this DPA and the Agreement in respect of the processing of Personal Data, this DPA shall prevail.

1. Definitions

In this DPA, capitalised terms shall have the meanings set out below. Capitalised terms not defined in this DPA shall have the meaning given to them in the Agreement or, where applicable, in the GDPR.

“Affiliate” means any entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity, where “control” means ownership or voting rights of fifty percent (50%) or more.

“Customer Data” means any data, including Personal Data, that the Customer or its end users submit to, or which Cloudpepper processes on the Customer’s behalf in connection with, the Services.

“Data Protection Laws” means the GDPR, the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, the UK GDPR and Data Protection Act 2018 (where applicable), the Swiss Federal Act on Data Protection (where applicable), and all other data protection and privacy laws applicable to the processing of Personal Data under the Agreement.

“Data Subject” has the meaning given in the GDPR.

“EEA” means the European Economic Area.

“Personal Data” has the meaning given in the GDPR and refers to Customer Data that constitutes personal data under Data Protection Laws.

“Personal Data Breach” has the meaning given in Article 4(12) GDPR: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

“Processing” has the meaning given in Article 4(2) GDPR; “process”, “processes” and “processed” are construed accordingly.

“Services” means the managed Odoo hosting services and related services provided by Cloudpepper to the Customer under the Agreement.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.

“Sub-processor” means any third party engaged by Cloudpepper to process Personal Data on the Customer’s behalf in connection with the Services.

“Supervisory Authority” means an independent public authority established by an EU Member State pursuant to Article 51 GDPR; for Belgium, the Gegevensbeschermingsautoriteit / Autorité de protection des données.

2. Scope and Roles

2.1 Scope. This DPA applies to all processing of Personal Data by Cloudpepper on behalf of the Customer in the course of providing the Services.

2.2 Roles of the parties. For the purposes of this DPA and Data Protection Laws: (i) the Customer is the Controller of Personal Data and Cloudpepper is the Processor; (ii) where the Customer acts as a processor for a third party (e.g., its own customers), Cloudpepper acts as a sub-processor and the Customer represents that it has all necessary authorisations to engage Cloudpepper on the same terms as set out in this DPA.

2.3 Subject matter, nature, purpose and duration. The subject matter, nature, purpose, duration of processing, types of Personal Data and categories of Data Subjects are described in Annex C (Description of Processing). The Services are provided for the duration of the Agreement and any wind-down period agreed between the parties.

2.4 Cloudpepper as Controller for limited operational data. Cloudpepper acts as an independent Controller — not as a Processor — for limited operational data necessary to operate its business, including: (i) account-level data of the Customer entity and its administrative contacts; (ii) billing and payment records; (iii) records of support interactions and customer communications; (iv) website analytics; and (v) aggregated or anonymised usage statistics generated by the Services. Cloudpepper processes such data in accordance with its Privacy Policy and Data Protection Laws.

2.5 Customer Data appearing in operational records. To the extent that logs, telemetry, diagnostics, support records, security events or backups generated in the course of operating the Services contain Customer Data from a hosted Odoo environment, Cloudpepper processes such data as a Processor on the Customer’s behalf, solely to provide, secure, monitor, troubleshoot and support the Services in accordance with this DPA. Cloudpepper does not access, mine, profile, sell, share for advertising purposes, or otherwise use Customer Data for any purpose other than providing the Services.

3. Processing Instructions and Customer Obligations

3.1 Documented instructions. Cloudpepper shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Cloudpepper is subject. In such a case, Cloudpepper shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2 Scope of instructions. The Agreement (including this DPA), the Customer’s configuration of the Services, and any further written instructions agreed by the parties constitute the Customer’s complete and final documented instructions to Cloudpepper. Any additional or alternative instructions shall be agreed between the parties in writing and may be subject to additional fees.

3.3 Notice of unlawful instructions. Cloudpepper shall promptly inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. Cloudpepper may, in such case, suspend the performance of the relevant instruction until the Customer confirms or modifies it.

3.4 Customer responsibilities. The Customer warrants that: (i) it has a valid legal basis under Data Protection Laws for the processing of Personal Data through the Services and has provided all required notices and obtained all required consents from Data Subjects; (ii) it has the right to transfer Personal Data to Cloudpepper for the purposes set out in the Agreement; and (iii) its instructions to Cloudpepper comply with Data Protection Laws. The Customer is solely responsible for the accuracy, quality and legality of Personal Data and for the means by which it acquired such data.

4. Cloudpepper’s Obligations

4.1 Confidentiality. Cloudpepper shall ensure that personnel authorised to process Personal Data are bound by appropriate written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and that access to Personal Data is limited to those personnel who need such access to provide the Services.

4.2 Compliance. Cloudpepper shall process Personal Data in compliance with Data Protection Laws and shall maintain such records of processing activities as are required under Article 30(2) GDPR.

4.3 Cooperation. Taking into account the nature of the processing and the information available to Cloudpepper, Cloudpepper shall provide reasonable cooperation and assistance to enable the Customer to comply with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation).

5. Sub-processing

5.1 General authorisation. The Customer grants Cloudpepper a general authorisation to engage Sub-processors for the provision of the Services, subject to the conditions in this Section 5. The Sub-processors authorised as at the date of this DPA are listed in Annex A.

5.2 Sub-processor obligations. Cloudpepper shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, including in particular sufficient guarantees to implement appropriate technical and organisational measures in accordance with Article 28(4) GDPR. Cloudpepper remains fully liable to the Customer for the performance of any Sub-processor’s obligations.

5.3 Notice of changes. Cloudpepper shall give the Customer at least thirty (30) days’ prior notice of the addition or replacement of any Sub-processor. Notice may be given by email to the Customer’s designated contact or by publication on Cloudpepper’s website at a URL designated for this purpose, in which case the Customer is responsible for monitoring that page.

5.4 Right to object. The Customer may object to the addition or replacement of a Sub-processor on reasonable grounds relating to data protection by giving written notice within thirty (30) days of receipt of the notice referred to in Section 5.3. The parties shall discuss such objection in good faith with a view to reaching a commercially reasonable resolution. If no resolution can be reached, the Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services without penalty by giving written notice to Cloudpepper, and Cloudpepper shall refund any pre-paid fees for the terminated portion of the Services covering the period after the effective date of termination.

6. Customer-Chosen Infrastructure

6.1 Customer-managed servers. Where the Customer elects to have the Services delivered on infrastructure that the Customer itself procures, owns or contracts for (e.g., a server with a hosting provider of the Customer’s choice, anywhere in the world), the relevant infrastructure provider is a sub-processor of the Customer, not of Cloudpepper. The Customer is responsible for: (i) entering into a data processing agreement directly with that provider, (ii) ensuring that the chosen location and provider provide an adequate level of protection under Data Protection Laws, and (iii) implementing any transfer mechanisms required for transfers outside the EEA.

6.2 Cloudpepper-listed infrastructure providers. Where the Customer selects a deployment tier offered by Cloudpepper as part of the Services, the underlying infrastructure provider for that tier is engaged as a Sub-processor of Cloudpepper and is listed in Annex A. As at the date of this DPA, the High Performance tier is provisioned on infrastructure operated by The Constant Company, LLC (Vultr), and the Dedicated Performance tier is provisioned on infrastructure operated by UpCloud Ltd. The Customer selects the geographic region for deployment; Cloudpepper recommends EEA regions and will deploy to non-EEA regions only where the Customer expressly so requests.

6.3 Cloudpepper’s role on Customer-chosen infrastructure. On Customer-chosen infrastructure, Cloudpepper continues to act as Processor with respect to its management, support and operational activities, and the obligations of this DPA (including Sections 4, 7 and 8) apply to those activities. Cloudpepper does not, however, assume responsibility for the security, availability or compliance of the underlying infrastructure itself.

7. Security

7.1 Technical and organisational measures. Cloudpepper shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. A description of such measures is set out in Annex B (Security Measures).

7.2 Updates to security measures. The measures in Annex B may be updated from time to time to reflect technical progress, evolving threats or new requirements, provided that any such update does not materially diminish the overall level of security.

7.3 Customer responsibility. The Customer is responsible for the secure configuration and use of the Services, including the management of access credentials, user permissions, multi-factor authentication, and the security of any application logic deployed on the hosted environment.

8. Personal Data Breach Notification

8.1 Notification. Cloudpepper shall notify the Customer of a Personal Data Breach affecting the Customer’s Personal Data without undue delay and, in any event, no later than forty-eight (48) hours after Cloudpepper becomes aware of it, to enable the Customer to comply with its obligations under Articles 33 and 34 GDPR.

8.2 Content of notification. The notification shall, to the extent then available, include: (i) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (ii) the likely consequences of the breach; (iii) the measures taken or proposed to address the breach and mitigate its effects; and (iv) contact details for further information. Where information cannot be provided at the same time, it shall be provided in phases without further undue delay.

8.3 Cooperation. Cloudpepper shall reasonably cooperate with the Customer’s investigation, remediation and notification activities in respect of the breach.

8.4 No admission. Cloudpepper’s notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgement by Cloudpepper of any fault or liability.

9. Audits and Information Rights

9.1 Information. Cloudpepper shall make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under Article 28 GDPR, including by providing on request copies of relevant certifications, audit summaries (such as ISO 27001 or SOC 2 reports, where available), and responses to reasonable security questionnaires.

9.2 Audit. The Customer may, no more than once per twelve-month period, conduct an audit of Cloudpepper’s compliance with this DPA. Such audit shall be carried out at the Customer’s cost, on at least thirty (30) days’ prior written notice, during normal business hours, in a manner that does not unreasonably interfere with Cloudpepper’s business operations, and subject to appropriate confidentiality obligations. Where the Customer engages a third-party auditor, that auditor shall not be a competitor of Cloudpepper and shall sign confidentiality undertakings reasonable to Cloudpepper.

9.3 Additional audits. Notwithstanding Section 9.2, the Customer may conduct an additional audit (or have one conducted on its behalf) where: (i) a Personal Data Breach affecting the Customer has occurred; or (ii) such audit is required by a Supervisory Authority.

9.4 Sub-processor audits. Cloudpepper shall use reasonable efforts to obtain comparable information and audit rights from its Sub-processors and shall make such information available to the Customer on request.

10. International Data Transfers

10.1 Default location. Cloudpepper stores and processes Personal Data within the EEA in the ordinary course of providing the Services. Cloudpepper’s primary infrastructure providers operate from data centres in Belgium and elsewhere within the EEA, as set out in Annex A.

10.2 Limited transfers outside the EEA. Personal Data may be transferred to or accessed from outside the EEA only: (i) where a Sub-processor providing ancillary services (e.g., content delivery, edge security) operates outside the EEA, as identified in Annex A; or (ii) where the Customer expressly requests deployment of the Services in a non-EEA region (see Section 6).

10.3 Transfer mechanism. For any transfer of Personal Data to a country outside the EEA that is not the subject of an adequacy decision under Article 45 GDPR, Cloudpepper shall implement appropriate safeguards under Article 46 GDPR. Unless another lawful transfer mechanism applies, the parties hereby incorporate the Standard Contractual Clauses (Module Two: controller-to-processor, or Module Three: processor-to-processor, as applicable), with: Clause 7 (docking) included; Clause 9 option (a) and the time period set in Section 5.3 above; Clause 11(a) optional language not included; Clause 17 governed by the law of Belgium; Clause 18 with the Belgian courts as the chosen forum; Annex I.A populated with the parties’ details from the Agreement; Annex I.B as set out in Annex C of this DPA; Annex I.C identifying the Belgian Supervisory Authority as competent; Annex II as set out in Annex B; and Annex III as set out in Annex A. Where the UK Addendum or the Swiss Addendum is required, those addenda are deemed incorporated by reference.

10.4 Supplementary measures. Where required by case law (including Schrems II) or by guidance from competent Supervisory Authorities, Cloudpepper shall implement supplementary technical, contractual and organisational measures to ensure an essentially equivalent level of protection. A summary Transfer Impact Assessment is available on request.

11. Data Subject Rights

11.1 Assistance. Taking into account the nature of the processing, Cloudpepper shall assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer’s obligation to respond to requests by Data Subjects exercising their rights under Chapter III GDPR.

11.2 Direct requests. If Cloudpepper receives a request from a Data Subject relating to Personal Data processed on the Customer’s behalf, Cloudpepper shall, unless legally prohibited, promptly forward the request to the Customer and shall not respond to the request directly except on the Customer’s instructions or as required by law.

11.3 Costs. Cloudpepper shall provide the assistance described in this Section 11 at no charge for routine requests. Where assistance requires significant or extraordinary engineering effort, Cloudpepper may charge its reasonable costs after first agreeing the scope and cost with the Customer in writing.

12. Return or Deletion of Personal Data

12.1 End of Services. Upon termination or expiry of the Services, Cloudpepper shall, at the Customer’s option, return or delete all Personal Data, except to the extent retention is required by Union or Member State law.

12.2 Default deletion timeline. Unless the Customer instructs otherwise in writing, Cloudpepper shall delete production Personal Data within thirty (30) days of termination of the Services. Personal Data residing in routine backups will be overwritten in the ordinary course of the backup cycle (currently up to ninety (90) days) and shall, until then, be isolated from active processing and protected by appropriate measures.

12.3 Confirmation. Cloudpepper shall provide written confirmation of deletion on the Customer’s reasonable request.

13. Liability and Term

13.1 Liability. Each party’s liability arising out of or in connection with this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law, including liabilities of either party towards Data Subjects under Article 82 GDPR.

13.2 Term. This DPA takes effect on the date the Agreement enters into force and remains in effect for so long as Cloudpepper processes Personal Data on behalf of the Customer.

14. Governing Law and Jurisdiction

14.1 Governing law. This DPA shall be governed by and construed in accordance with the laws of Belgium, without regard to its conflict-of-laws principles.

14.2 Jurisdiction. The courts of Brussels, Belgium shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, subject to any right of a Data Subject to bring proceedings before the courts of his or her habitual residence under Article 79 GDPR.

15. Miscellaneous

15.1 Order of precedence. If there is any conflict or inconsistency between (i) this DPA, (ii) the SCCs (where incorporated under Section 10.3), and (iii) the Agreement, the order of precedence shall be: (a) the SCCs, (b) this DPA, (c) the Agreement.

15.2 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the parties shall replace the invalid or unenforceable provision with a valid provision that most closely reflects the original intent.

15.3 Amendments. Cloudpepper may amend this DPA from time to time to reflect changes in Data Protection Laws, guidance from Supervisory Authorities, or the introduction of new Sub-processors or Services. Material amendments will be notified to the Customer at least thirty (30) days before they take effect.

15.4 Entire agreement. This DPA, together with the Agreement and its annexes, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements or understandings on that subject.

15.5 Contact. Questions or notices relating to this DPA should be sent to privacy@cloudpepper.io.

Annex A — List of Sub-processors

This annex lists the Sub-processors engaged by Cloudpepper to process Customer Data on the Customer’s behalf in connection with the Services, as required by Article 28(2) and (4) GDPR. The list is current as of the date of this DPA and may be updated in accordance with Section 5.3.

Other service providers engaged by Cloudpepper for its own business operations (such as payment processing, accounting, banking, marketing and internal communications) are not Sub-processors of Customer Data within the meaning of Article 28 GDPR. Information about those providers is set out in Cloudpepper’s Privacy Policy.

| Sub-processor | Purpose of processing | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Amazon Web Services EMEA SARL | Cloud infrastructure and data hosting for the Cloudpepper management platform. | EEA (Belgium / Ireland regions) | N/A (EEA) |
| Google Cloud EMEA Limited | Cloud infrastructure and data hosting for the Cloudpepper management platform. | EEA (Belgium region) | N/A (EEA) |
| OVH SAS (OVHcloud) | Backup storage and Kubernetes-based workloads relating to Customer environments. | EEA (France) | N/A (EEA) |
| UpCloud Ltd | Hosting infrastructure for the Dedicated Performance deployment tier of the managed Odoo Service. | EEA (Customer-selected region; non-EEA available on request) | SCCs (where applicable) |
| The Constant Company, LLC (Vultr) | Hosting infrastructure for the High Performance deployment tier of the managed Odoo Service. | EEA (Customer-selected region; non-EEA available on request) | SCCs |
| Cloudflare, Inc. | CDN, DDoS protection and edge security in front of the Services. | Global edge; primary processing EU/US | SCCs |
| Crisp IM SAS | Customer support chat, ticketing and support communications, including information voluntarily submitted by the Customer for troubleshooting. | EEA (France) | N/A (EEA) |

A.1 Customer-chosen infrastructure

Where the Customer elects to deploy the Services on infrastructure procured directly by the Customer from a third party of the Customer’s choice (any datacenter, any provider, any country), that third party is not a Sub-processor of Cloudpepper. The Customer is responsible for the data protection arrangements with that provider in accordance with Section 6.1 of this DPA.

Annex B — Technical and Organisational Security Measures

This annex describes the technical and organisational measures implemented by Cloudpepper in accordance with Article 32 GDPR. Specific implementation details are subject to change in line with Section 7.2 of this DPA, provided that the overall level of security is not materially diminished.

Scope and variability. The measures below apply to Cloudpepper’s own platform and managed service operations. Specific measures may vary depending on the Customer’s selected deployment model, infrastructure provider, region, service plan, and configuration. Where the Customer uses customer-managed or customer-selected infrastructure, certain controls remain the Customer’s responsibility.

B.1 Access control and authentication

  • Role-based access control (RBAC) and least-privilege principles for internal systems.
  • Multi-factor authentication is supported and recommended for Cloudpepper accounts and administrative access where available.
  • Access to internal systems is granted based on role and business need and is reviewed periodically and on personnel changes.
  • SSH key-based authentication is supported and recommended for production server access. The Customer is responsible for managing SSH credentials and server access policies for customer-managed or customer-selected infrastructure.

B.2 Encryption

  • Encryption of Personal Data in transit using TLS where supported and applicable.
  • Encryption at rest is applied where supported by the selected infrastructure, storage backend, service plan or configuration.
  • Backup encryption is available where supported by the selected backup storage and service configuration. Customers requiring encrypted backups should enable or request this option.

B.3 Network and infrastructure security

  • Segregation of production, staging and management networks.
  • Firewalls, DDoS mitigation and security monitoring at the perimeter and within the platform, with capabilities depending on the deployment model.
  • Operating system images are hardened and patched in accordance with internal procedures.
  • Vulnerability scanning of the management platform; remediation prioritised by severity.

B.4 Logging and monitoring

  • Centralised logging of administrative actions and security-relevant events for the management platform.
  • Continuous monitoring of platform health, availability and operational signals.
  • Alerting on anomalous events; documented incident-response procedures.

B.5 Backup and resilience

  • Regular backups of Customer environments, with frequency, retention and storage location configured per service plan and Customer election.
  • Documented restore procedures.
  • The Customer is responsible for selecting backup options consistent with the Customer’s recovery objectives and regulatory requirements.

B.6 Personnel

  • Confidentiality undertakings in employment and contractor agreements.
  • Security and data-protection awareness expectations communicated to personnel.

B.7 Sub-processor management

  • Due diligence on Sub-processors prior to engagement.
  • Written agreements with Sub-processors imposing data protection obligations consistent with this DPA.
  • Periodic review of Sub-processor compliance.

B.8 Data segregation and tenant isolation

  • Logical separation of Customer environments; dedicated compute resources where the service plan so provides.
  • Per-Customer credentials and access controls; no shared production credentials between Customers.

B.9 Incident response

  • Documented incident-response approach covering detection, containment, eradication, recovery and post-incident review.
  • Defined notification timelines and escalation paths consistent with Section 8 of this DPA.

B.10 Governance

  • Designated privacy contact accessible at privacy@cloudpepper.io.
  • Records of processing activities maintained in accordance with Article 30 GDPR.
  • Data Protection Impact Assessment support available on request.

Annex C — Description of Processing (Article 28(3) GDPR)

This annex sets out the information required by Article 28(3) GDPR and, where the Standard Contractual Clauses are incorporated under Section 10.3, populates Annex I.B of those Clauses.

Subject matter of processing: The provision of managed Odoo hosting and related services by Cloudpepper to the Customer under the Agreement.

Nature and purpose of processing: Hosting, deploying, configuring, monitoring, backing up, securing, supporting and otherwise operating the Customer’s Odoo environment, including any related platform features the Customer enables.

Duration of processing: For the term of the Agreement, plus any wind-down period and any retention required by applicable law (see Section 12).

Categories of Data Subjects: Determined by the Customer’s use of the Services. Typically includes: the Customer’s employees, contractors and end users; the Customer’s own customers, prospects, suppliers and other business contacts; and other natural persons whose personal data the Customer chooses to store or process within the hosted Odoo environment.

Categories of Personal Data: Determined by the Customer’s use of the Services. May include: identification and contact data (name, email, postal address, telephone); employment and HR data; account credentials and access logs; financial and transactional data; commercial and CRM data; communication content; and any other data the Customer elects to process via Odoo modules. Cloudpepper does not require special categories of personal data (Article 9 GDPR) to provide the Services; the Customer is responsible for any decision to process such data.

Frequency of processing: Continuous, for the duration of the Services.

Retention period: Personal Data is retained for the duration of the Services and thereafter as set out in Section 12. Backups follow the cycle described in Section 12.2.

Transfers to third countries: As described in Section 10 and Annex A. Default processing location is the EEA.