Data Processing Agreement

Last updated: 2026-05-22

This Data Processing Agreement ("DPA") sits alongside the subscription agreement between the customer accounting firm and Pacium (together, the "Agreement") and sets out the conditions under which Pacium processes Personal Data on the firm's behalf. It is drafted to satisfy GDPR Article 28 and applies whenever Pacium is acting as Processor for the firm.

1. Definitions

Terms used in this DPA have the same meaning as in the Agreement or under the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), including "Controller", "Processor", "Personal Data", "Data Subject", "Processing", "Personal Data Breach", and "Standard Contractual Clauses" ("SCCs").

2. Roles of the parties

  • The customer accounting firm is the Controller.
  • Pacium (Dalenstraat 2, 3020 Winksele, Belgium, VAT BE1025608813) is the Processor.
  • End clients of the firm whose data appears in mailboxes or documents are Data Subjects; the firm remains their Controller.

Pacium processes Personal Data only on documented instructions from the Controller. The Agreement, the product configuration chosen by the firm, and any subsequent written instructions form those instructions.

3. Nature and purpose of processing

Purpose: deliver the Pacium service to the firm, including mailbox synchronisation, AI-assisted email drafting and classification, knowledge extraction from communications, retrieval-augmented answers to regulatory and accounting questions, document processing, and integration with accounting and e-invoicing systems.

Duration: for the term of the Agreement and any applicable post-termination retention period set out in Section 9.

Type of Personal Data:

  • Email content and metadata (sender, recipient, subject, timestamps, attachments) accessed via Microsoft Graph or Gmail under user OAuth authorisation
  • Client profile data and communication records held by the firm
  • User account information for firm staff (name, work email, role, authentication identifiers)
  • Usage, device, and diagnostic data needed to operate the service
  • Incidental Personal Data appearing in invoices, attachments, or accounting records the firm chooses to process through Pacium

Data Subjects: the firm's staff and users, the firm's clients and their representatives, and any individuals whose Personal Data appears in mailboxes, documents, or accounting records the firm routes through Pacium.

Pacium does not perform contact enrichment, does not scrape external sources, and does not use Customer Data to train or improve foundation AI models.

4. Sub-processors

The Controller gives Pacium general written authorisation to engage sub-processors. Each sub-processor is contractually bound by data-protection obligations at least as protective as those in this DPA, including duties to assist with security, breach notification, and data-subject rights.

The current sub-processors are:

  • Convex (application database, AWS eu-west-1)
  • Amazon Web Services (cloud infrastructure, S3 storage, and Bedrock LLM inference; EU regions in Ireland and Frankfurt)
  • Anthropic (Claude inference, routed through AWS Bedrock EU; Anthropic Ireland Ltd as EEA counterparty)
  • Google Cloud (meeting transcription via Vertex AI and temporary audio staging in Cloud Storage, europe-west1)
  • AssemblyAI (speech-to-text transcription for meeting recordings, EU processing)
  • Vercel (frontend hosting, EU functions in fra1/cdg1)
  • Hetzner (FastAPI email-intelligence service hosting, Falkenstein, Germany, EEA)
  • Microsoft (mailbox access via Microsoft Graph when the User authorises it)
  • Resend (transactional email delivery, EU region)
  • Stripe (payment processing, Ireland)
  • PostHog (product analytics, EU Cloud at eu.posthog.com)

The same list, with each provider's purpose, region, and DPA link, is published on the sub-processor page. Pacium updates it before any new sub-processor begins processing Customer Data and notifies firm administrators of material additions; the Controller may object on reasonable data protection grounds.

AI inference is routed under terms that prohibit training on data submitted via the API, and the optional training-related features offered by these providers are disabled where they exist.

5. International transfers

The majority of processing takes place inside the European Economic Area. Where Personal Data is transferred outside the EEA or the UK, Pacium relies on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, or another lawful transfer mechanism, supplemented by appropriate technical and organisational measures.

6. Security measures

Pacium implements appropriate technical and organisational measures under GDPR Article 32, including:

  • AES-256 encryption at rest and TLS 1.3 in transit
  • Tenant isolation enforced by organisation-scoped access controls
  • Encrypted OAuth access and refresh tokens
  • Role-based access control (owner, admin, member) and mandatory multi-factor authentication for staff
  • Centralised logging, anomaly detection, and rate limiting on public endpoints
  • Documented incident response procedures and regular security reviews
  • Background-checked personnel bound by confidentiality, mirroring EU professional secrecy obligations

7. Assistance to the controller

Taking into account the nature of processing and the information available, Pacium will assist the Controller in:

  • Responding to Data Subject rights requests (Articles 15 to 22)
  • Conducting Data Protection Impact Assessments (Article 35) and prior consultations (Article 36)
  • Investigating, mitigating, and notifying Personal Data Breaches
  • Meeting the security obligations of Article 32

Where end clients of the firm contact Pacium directly, we redirect them to the firm as their Controller.

8. Personal data breaches

Pacium notifies the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller's data. The notification will include, to the extent known:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

Where information is incomplete at first notification, Pacium provides phased updates as facts develop.

9. Deletion or return of data

On termination of the Agreement, at the Controller's request, Pacium returns all Personal Data to the Controller or deletes it within 30 days, unless retention is required by Union or Member State law (notably applicable EU and national accounting retention obligations and anti-money-laundering legislation, which may impose retention obligations of up to 10 years from the end of the business relationship). Data retained under such obligations is isolated and protected from further processing other than that required by law.

10. Audits

Pacium makes available to the Controller all information necessary to demonstrate compliance with this DPA. On reasonable prior written notice the Controller (or an independent auditor appointed by the Controller and bound by confidentiality) may carry out an audit, no more than once per calendar year, during business hours, in a manner that does not disrupt operations and respects the security and confidentiality of other customers. Pacium may satisfy this obligation by providing recent third-party audit reports and answers to a standard security questionnaire.

11. Liability

Liability under this DPA is governed by the limitations and exclusions set out in the Agreement. This DPA does not expand or reduce either party's liability under the Agreement, except to the extent required by GDPR Article 82.

12. Governing law

This DPA is governed by EU law. Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the courts of Leuven, Belgium, unless mandatory law provides otherwise.

13. Contact

Pacium
Dalenstraat 2, 3020 Winksele, Belgium
VAT: BE1025608813
Privacy and security: contact@pacium.com

For the supervisory authority, see the Privacy Policy.