Data Processing Addendum

This Data Processing Addendum describes specific terms in respect of the processing of Personal Data (as defined hereafter) by Future Brain in connection with the provision of Services (as defined in the Terms of Service). 






1.1  For the purposes of this Data Processing Addendum, the following terms, whether used in singular or plural, shall have the following meaning:

“Controller” shall have the meaning ascribed to it in Article 4(7) GDPR.

“Data Protection Regulations” means the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”) as well as any implementing or supplementary legislation, including the Greek relevant legislation, and any other applicable data protection or privacy legislation, as amended or updated from time to time.

“Data Subject” shall have the meaning ascribed to it in Article 4(1) GDPR.

“Personal Data” shall have the meaning ascribed to it in Article 4(1) GDPR.

“Personal Data Breach” shall have the meaning ascribed to it in Article 4(12) GDPR.

“Processing” shall have the meaning ascribed to it in Article 4(2) GDPR.

“Processor” shall have the meaning ascribed to it in Article 4(8) GDPR.

“Restricted Country” means a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission.

“Restricted Transfer” means a transfer of Personal Data from the EEA to a Restricted Country.

“Supervisory Authority” shall have the meaning ascribed to this term in Article 4 GDPR.


1.2  Unless otherwise defined in this Data Processing Addendum, any terms used or referenced within this Data Processing Addendum shall have the meaning ascribed to them in the relevant Client Framework Agreement.






2.1  Any Processing of Personal Data in connection with and for the purpose of the Services shall be performed in accordance with applicable Data Protection Regulations.


2.2  For the performance and provision of the Services, Client shall be the Controller and Future Brain the Processor acting on behalf of Client.


2.3  As Processor, Future Brain will process Personal Data only upon Client’s written instructions. The following is deemed to be written instruction by Client to Process Personal Data: (a) Processing made in connection with and for the purposes of the Services; and (b) Processing initiated by an Authorized User (as defined in the Future Brain Platform Terms).


2.4  Client is entitled to issue instructions regarding the type, scope and methods of the Data Processing. At the request of Future Brain, verbal instructions must be confirmed immediately by the Controller in writing or in text form (e.g. by email).


2.5  Future Brain will immediately inform the Client if, in its opinion, an instruction infringes applicable Data Protection Regulations. Future Brain shall be entitled to suspend the relevant instruction until it is confirmed or amended by Client.


2.6  The duration of the Processing corresponds with the Term (as defined in the relevant Framework Agreement), unless otherwise instructed by Client, and can continue after termination of the Framework Agreement for a period of up to thirty (30) days as indicated in Section 6 below.

2.7  The subject-matter, nature, and purpose of the Processing as well as the type of Personal Data concerned, and the categories of Data Subjects affected are described in Schedule 1 to this Data Processing Addendum.






3.1  Client shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

3.2  Future Brain shall support Client, as far as reasonably possible, in fulfilling its obligations under applicable Data Protection Regulations in case of Data Subject requests, including requests made by a Data Subject to exercise their right of access, rectification, erasure, restriction of Processing or data portability or their right to object. In case of a Data Subject request for access or portability of data that is retained by Future Brain, Future Brain shall make the relevant data records available to Client promptly within ten (10) working days in a structured, commonly used, and machine-readable format.

3.3  If a Data Subject contacts Future Brain directly for the purpose of exercising any of their Data Subject right(s), Future Brain shall forward such request to Client promptly within ten (10) working days.






4.1  Future Brain shall ensure by appropriate means that Personal Data is processed in accordance with the terms of this Data Processing Addendum and Client’s corresponding instructions.

4.2  Future Brain may designate in the future and throughout the term of this Data Protection Addendum a data protection officer in compliance with applicable Data Protection Regulation.

4.3  Future Brain shall support Client, as far as reasonably possible, in complying with its obligations under Articles 32 to 36 GDPR, taking into account the nature of the Processing and the information available to Future Brain.

To that extent, Future Brain shall:

   (a)  assist Client in carrying out data protection impact assessments or prior consultations with Supervisory Authority in accordance with Articles 35 and 36 GDPR, by providing necessary information;
   (b) notify Client of any suspected Personal Data Breach promptly within forty-eight (48) hours after having become aware of the breach;
   (c) reasonably assist Client in implementing actions to remediate a Personal Data Breach; and
   (d) where necessary, provide Client with information allowing Client to comply with its notification obligations under Article 33 and 34 GDPR.






5.1  Subject to Sections 5.2 and 9.1 below, Personal Data will be stored within the region of the Netherlands or in another state that is party to the Agreement on the European Economic Area.

5.2  The relocation of Personal Data to a third country outside the European Economic Area requires Client’s approval and shall conform with the data transfer requirements set forth under Article 44 et seq. GDPR.






At the latest within thirty (30) days upon termination of the Services, Future Brain shall either erase or return to Client Personal Data Processed on behalf of Client, provided that the erasure of the data does not conflict with Future Brain’s statutory retention obligations.






Following timely prior notification, not less than three (3) weeks, during normal business hours and without interrupting the operations of Future Brain or endangering the safeguards for other clients of Future Brain, Client shall be entitled to audit, at its own expense, Future Brain’s compliance with applicable Data Protection Regulations and the terms of this Data Processing Addendum, to the extent required to do so under applicable Data Protection Regulations. Such audit may also be carried out by accessing industry-standard certifications of Future Brain, current audit reports or reports from an independent party (such as a certified accountant, external data protection officer or auditor) or via self-reporting. Future Brain shall provide reasonable assistance to carry out the audit.






8.1  Future Brain has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction, and, as appropriate, the technical and organizational measures described in Article 32 GDPR. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of the Processing and the risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data.

8.2  The technical and organizational measures currently implemented by Future Brain are described in Schedule 2 to this Data Processing Addendum. Future Brain may update and amend these measures provided that such update and/or amendment does not significantly reduce the level of security and protection of the Personal Data.

8.3  Upon Client’s written request, Future Brain shall provide Client with an updated description of its implemented technical and organizational measures within fourteen (14) calendar days after receipt of Client’s request.






9.1  Client authorizes Future Brain to use sub-processors by way of a general written authorisation pursuant to Article 28(2) GDPR and agrees to Future Brain’s engagement of all sub-processors as indicated in Schedule 3 of the present document.

9.2  Future Brain has entered or will enter into written agreements with its sub-processors which contain obligations no less protective than those contained in this Data Processing Addendum.

9.3  Future Brain shall be entitled to engage additional sub-processors or to replace sub-processors already engaged by other sub-processors. In such a case, Future Brain will notify Client in advance of the intended addition or replacement of a sub-processor allowing Client to object to the new sub-processor in writing within fourteen (14) days after receipt of Future Brain’s notification.


9.4  In the event of an objection by Client under Section 9.3, Future Brain may, at its own discretion, continue providing the Services without the engagement of the new sub-processor or propose a different sub-processor in accordance with Section 9.3.

9.5  Should the provision of Services without the new sub-processor not be reasonable for Future Brain (for example, due to disproportionate expenses on the side of Future Brain), Future Brain may terminate the Framework Agreement and/or its Annexes by giving the Client one (1) month’s written notice.






10.1  Client shall comply with all applicable laws and regulations, including applicable Data Protection Regulations.

10.2  Client remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of their Personal Data.

10.3  Client shall take reasonable steps to keep Personal Data up to date to ensure the data is not inaccurate or incomplete with regard to the purposes for which they are collected.

10.4  With regard to components that Client provides or controls, including but not limited to workstations connecting to the Services, data transfer mechanisms used, and credentials issued to the Client’s personnel, Client shall implement and maintain the required technical and organizational measures for the protection of Personal Data.


Schedule 1: Details of Data Processing


● Employees of Client
● Contractors


2.1 Future Brain may Process the following categories of Personal Data from Client’s employees:

● Registration data (name, email address, date of birth, business contact details, employment date, gender)
● Employment data (salary, commission, bonuses, overtime pay, vacation pay, sick time pay, paid time off, paid leaves of absence, other types of leave, business role, etc.)

2.2 Future Brain may Process the following categories of Personal Data from contractors:

● Registration data (name, email address, date of birth, business contact details, contract initiation date, gender)
● Contractual data (salary, commission, bonuses, overtime pay, vacation pay, sick time pay, paid time off, paid leaves of absence, other types of leave, business role, etc.)


Personal Data may be Processed for the purpose of performing the Services and such Processing may include the collection, organization, structuring, recording, storing, use, hosting, adaption, maintaining and disclosure by transmission of the concerned Personal Data.

Schedule 2: Technical and organizational measures

Future Brain has implemented the following technical and organizational measures:


Section 1 – Measures for pseudonymisation

Measures that reduce direct personal references during Processing in such a way that a specific Data Subject can only be identified with the inclusion of additional information. The additional information is to be kept separately from the pseudonym using appropriate technical and organizational measures.

Section 2 – Measures for data protection

Measures or operations where personal data is converted into non-traceable data by applying MD5 hashing techniques:
● Only known and reliable hashing libraries and algorithms are to be used.
● Use of appropriate hashing algorithms (such as MD5) to convert personal data into a fixed-size string of characters, which appears random and cannot be traced back to the original data.
● Hashed data are not reversed back to the original data.
● Originating personal data are to be deleted immediately after being hashed.

Section 3 – Measures to Safeguard Confidentiality

Infrastructure Security

We utilize Azure’s infrastructure to ensure the protection of personal data. Measures to ensure the protection of personal data by leveraging Azure’s comprehensive security measures:
● Admittance Control: Azure’s infrastructure includes robust physical security measures to prevent unauthorized access to IT systems and data processing systems used to process personal data.
● Azure Security Features:
   * Secure access management, including multi-factor authentication (MFA) and role-based access control (RBAC).
   * Data encryption at rest and in transit using industry-standard protocols.
   * Regular security audits and compliance certifications (e.g., ISO 27001, SOC 2, GDPR).
   * Advanced threat protection and monitoring with Azure Security Center.
   * Physical security controls at data centers, including biometric access, security personnel, and surveillance systems.

By leveraging Azure’s infrastructure, we ensure that all relevant security measures are applied accordingly to safeguard the confidentiality of personal data.

System access control

Measures to prevent unauthorized persons from Processing or using data protected by Applicable Regulation.

Description of the access control system:
● System and data access are restricted to authorized users.
● Users must identify themselves with username and password.
● User rights are granted only to a limited extent.
● All logins/logouts are recorded.
● Use of a central password policy.

Data access control

Measures to ensure that authorized personnel may only access the data they are permitted to access, ensuring that personal data cannot be read, copied, altered, or removed without authorization during processing, use, and storage. It is important to note that we do not store client’s personal data at all. The only personal data we retain are the name and email of the platform’s admin users.

Schedule 3: Future Brain Sub-Processors

To ensure transparency and compliance with data protection regulations, Future Brain provides the following information about our sub-processors:


1. Azure
   a. Service Provided: Cloud infrastructure and data storage
   b. Type of Data Processed: All data stored and processed within Future Brain’s platform
   c. Location: as mentioned in this document above in section 5.1

For any inquiries or further information about our sub-processors, please contact us at [email protected]




Last Updated: May 22nd, 2024