Supplier–Customer Master Service & Data Processing Agreement

(plain-language version – replace bracketed text before signing)

1. Parties

• Supplier: Co-Dex.eu bv, a Belgian company with registered office at Albert 1-laan 23, 8920 Langemark, Belgium
• Customer: [Customer Name], with registered office at [Customer Address]

Supplier and Customer are together referred to as “the Parties.”

2. Effective Date & Duration

This Agreement takes effect on [Effective Date] and remains in force until terminated under clause 16.

PART A – Service Terms

3. Services Provided

a. Supplier will provide the NoCode-X platform and any additional professional services described in Exhibit A (together, “the Services”).
b. Services must be delivered in line with the current Service Level Agreement (SLA).
c. Supplier will not use Customer data for any purpose other than:
• performing the Services; and
• fulfilling Supplier’s own legal obligations as further set out in this Agreement and Supplier’s privacy notice.

4. Fees & Payment

Payment terms are defined in Exhibit B. Unless otherwise agreed in writing, invoices are payable within 30 days of the invoice date.

5. Intellectual Property

Each Party retains all intellectual-property rights in items it owned before this Agreement or creates independently of it. No rights are transferred except those expressly granted herein.

PART B – Data Processing Agreement (DPA)

6. Roles under Data-Protection Law

a. Customer as Controller. For personal data processed through the NoCode-X platform that relate to Customer’s business purposes, Customer is the Controller and Supplier acts as Processor.
b. Supplier as Controller. For personal data Supplier must process to run, secure or bill for the Services (e.g. account, log and audit data), Supplier is a Controller.
c. Each Party is solely responsible for compliance when acting as Controller.

7. Supplier’s Processor Obligations

When acting as Processor, Supplier shall:

Process Customer personal data only on documented instructions from Customer.
Ensure staff are bound by confidentiality.
Implement the technical and organisational security measures in clause 11.
Assist Customer to:
• respond to data-subject requests;
• carry out DPIAs;
• meet security- or breach-related duties.
Notify Customer without undue delay (and always within 48 hours) after becoming aware of a personal-data breach.
Delete or return all Customer personal data after termination (see clause 13).
Make available information and allow audits (clause 12).
Engage Sub-processors only under a written contract imposing equivalent duties and, where required, with Customer’s prior general authorisation.
• Current Sub-processors are listed in Exhibit C.
Respect purpose limitation by not re-using Customer personal data outside the documented instructions.

8. International Data Transfers

a. Where personal data is transferred to the United States, the Parties will ensure the recipient either:
• holds a valid EU–US Data Privacy Framework certification (or successor mechanism), or
• is bound by EU Standard Contractual Clauses or another lawful transfer tool.
b. Each Party is responsible for documenting its chosen transfer mechanism.

9. Confidentiality

All non-public information exchanged is Confidential Information. The receiving Party shall:

use it only to perform this Agreement;
protect it with at least the same care it uses for its own confidential information (never less than reasonable care);
disclose it only to personnel or advisers who need to know and are bound by confidentiality.

The obligation lasts three (3) years after termination, except for personal data, which must always be protected.

10. Requests from Authorities or Data Subjects

If Supplier (acting as Processor) receives a request about Customer personal data from any authority, law-enforcement body or data subject, Supplier shall, unless legally prohibited, promptly redirect the request to Customer and refrain from responding on Customer’s behalf.

11. Security, Cyber-Resilience & Availability

a. Supplier will maintain industry-standard ISO 27001-grade controls, including encryption in transit and at rest, access controls, vulnerability management, business-continuity and disaster-recovery plans.
b. Service Availability. Supplier shall meet the uptime targets in the SLA and restore the platform within the stated Recovery Time Objective (RTO).
c. Data Availability & Back-ups.
• Customer, as Controller, is responsible for maintaining functional back-ups of the data it controls.
• Supplier will provide documented APIs and scheduling options enabling Customer to extract or replicate data and achieve its chosen Recovery Point Objective (RPO).

12. Audit & Verification

Supplier will, on reasonable notice and up to once per contract year, provide:

• its third-party security/compliance reports (e.g. ISO 27001 certificate, SOC 2), and
• answers to reasonable security or privacy questionnaires.

If these prove insufficient, Customer may conduct an on-site or remote audit (itself or via an independent auditor) provided it causes minimal disruption. Audits are at Customer’s cost unless they reveal a material breach.

13. Return & Deletion of Data

On termination or expiry:

Supplier will provide Customer with a self-service export or, upon request, a one-off export of Customer personal data.
Supplier will perform soft deletion immediately after export.
Supplier will perform secure hard deletion of remaining Customer personal data within 93 days, unless longer retention is legally required.

Supplier shall certify deletion to Customer on request.

PART C – General Legal Terms

14. Mutual Cooperation & Good-Faith Clause

The Parties undertake to co-operate in good faith, exercise due professional care and use all reasonable efforts to protect each other’s legitimate interests and achieve the objectives of this Agreement.

15. Liability & Indemnification

a. Each Party is liable for direct damages caused by its breach, up to a cap of the total fees paid or payable by Customer during the 12-month period preceding the event.
b. Neither Party is liable for indirect or consequential damages (including lost profits), except where such limitation is prohibited by law.
c. Nothing limits liability for death, personal injury, wilful misconduct or any liability that cannot legally be limited.
d. Each Party shall indemnify the other against third-party claims (including from data subjects) arising from its own breach of data-protection obligations.

16. Termination

a. Either Party may terminate for convenience by giving 30 days’ written notice, effective on the first day of the following month.
b. Either Party may terminate immediately if the other materially breaches and fails to cure within 30 days of written notice.
c. Clauses intended to survive (including Confidentiality, Liability and this DPA) remain in force after termination.

17. Governing Law & Jurisdiction

This Agreement is governed by Belgian law. The courts of Brussels, Belgium have exclusive jurisdiction, except that either Party may seek injunctive relief in any competent court.

18. Entire Agreement & Amendments

This document, together with its Exhibits, constitutes the Parties’ entire agreement on its subject and supersedes all prior understandings. Changes must be in writing and signed by both Parties.

Signatures

For Supplier	For Customer
Name: Wim Barthier	Name: _________________________
Title: Chief Executive Officer	Title: _________________________
Date: ___ / ___ / ______	Date: ___ / ___ / ______
Signature: ____________________	Signature: ____________________

Exhibits (incorporated by reference)

Exhibit A – Description of Services

The scope, features and operational parameters of the NoCode-X platform and all associated professional services are described in the Supplier’s public documentation:
Description of services and context

Exhibit B – Payment Terms & Licensing

All pricing models, billing cycles, licence metrics and related commercial terms are detailed at:
Payment Terms & Licensing

Exhibit C – Approved Sub-Processors / Supply Chain

Supplier’s current list of authorised Sub-processors, including their locations and processing roles, is available at:
Approved Sub-Processors enabling the managed supply chain

End of Agreement

1. Parties​

2. Effective Date & Duration​

PART A – Service Terms​

3. Services Provided​

4. Fees & Payment​

5. Intellectual Property​

PART B – Data Processing Agreement (DPA)​

6. Roles under Data-Protection Law​

7. Supplier’s Processor Obligations​

8. International Data Transfers​

9. Confidentiality​

10. Requests from Authorities or Data Subjects​

11. Security, Cyber-Resilience & Availability​

12. Audit & Verification​

13. Return & Deletion of Data​

PART C – General Legal Terms​

14. Mutual Cooperation & Good-Faith Clause​

15. Liability & Indemnification​

16. Termination​

17. Governing Law & Jurisdiction​

18. Entire Agreement & Amendments​

Signatures​

Exhibits (incorporated by reference)​

Exhibit A – Description of Services​

Exhibit B – Payment Terms & Licensing​

Exhibit C – Approved Sub-Processors / Supply Chain​