Data Processing Agreement - TLI S.A. / EasyBoard

Version: 1.0

Date: March 2026

Document ID: EB-DPA-2026-001

This Data Processing Agreement ("DPA") forms part of the Agreement for Services ("Principal Agreement") between the Controller and the Processor, as defined below.

Between:

The entity subscribing to EasyBoard services (hereinafter the "Controller" or "Client")

and

TLI S.A., a company incorporated under the laws of Luxembourg, operating the EasyBoard platform (hereinafter the "Processor")

Article 1 -- Subject Matter and Duration

1.1. This DPA governs the processing of personal data by the Processor on behalf of the Controller in the context of the EasyBoard platform for board meeting minutes generation.

1.2. The duration of this DPA is aligned with the duration of the Principal Agreement. Upon termination of the Principal Agreement, this DPA shall automatically terminate, subject to the obligations set forth in Article 11 (Data Deletion).

1.3. The Processor shall process personal data solely for the purposes described in this DPA and in accordance with the Controller's documented instructions.

Article 2 -- Nature and Purpose of Processing

2.1. The Processor provides an online platform ("EasyBoard") enabling the Controller to:

Upload audio recordings of board meetings;
Transcribe audio recordings into text using speech-to-text technology;
Generate structured board meeting minutes using artificial intelligence;
Export and manage generated minutes in various document formats.

2.2. The processing operations include: collection, storage, transcription, AI-assisted generation, retrieval, consultation, use, erasure, and destruction of personal data as necessary for the provision of the EasyBoard service.

Article 3 -- Type of Personal Data

3.1. The following categories of personal data may be processed under this DPA:

Audio recordings: Voice recordings of board meetings, which may contain names, opinions, decisions, and other personal information spoken by participants;
Names and identification data: Names, titles, and roles of meeting participants as included in meeting agendas and generated minutes;
Meeting content: Discussions, decisions, votes, and any other content captured during board meetings;
Account data: Email addresses, names, and company affiliations of users of the EasyBoard platform;
Usage data: Technical logs related to the use of the platform (timestamps, actions performed).

Article 4 -- Categories of Data Subjects

4.1. The personal data processed under this DPA may relate to the following categories of data subjects:

Board members and directors of the Controller's organization;
Meeting participants, including external advisors, auditors, or guests;
Employees and officers of the Controller mentioned during meetings;
Authorized users of the EasyBoard platform within the Controller's organization.

Article 5 -- Obligations of the Processor

5.1. The Processor undertakes to:

(a) Process personal data only on documented instructions from the Controller, unless required to do so by European Union or Member State law;
(b) Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) Implement appropriate technical and organizational measures as set forth in Article 8 to ensure a level of security appropriate to the risk;
(d) Respect the conditions for engaging sub-processors as set forth in Article 6;
(e) Assist the Controller in responding to requests from data subjects exercising their rights as set forth in Article 7;
(f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR;
(g) At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage;
(h) Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits.

Article 6 -- Sub-processing

6.1. The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 calendar days.

6.2. The Processor has engaged the following sub-processors as of the date of this DPA:

Sub-processor	Purpose	Location
Anthropic LLC	AI text generation (Claude API) for minutes drafting	USA
Google LLC / Firebase	Authentication, database (Firestore), cloud infrastructure	EU (europe-west1)
EdenAI SAS	Speech-to-text transcription of audio recordings	France (EU)
Netlify Inc.	Web hosting, serverless functions (compute)	EU / Global CDN
Stripe Inc.	Payment processing and subscription management	EU
Resend Inc.	Transactional email delivery	USA
CloudConvert GmbH	Document format conversion (DOCX generation)	Germany (EU)

6.3. The Processor shall impose on each sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.

Article 7 -- Data Subject Rights

7.1. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR, including:

Right of access (Article 15);
Right to rectification (Article 16);
Right to erasure (Article 17);
Right to restriction of processing (Article 18);
Right to data portability (Article 20);
Right to object (Article 21).

7.2. The Processor shall promptly notify the Controller if it receives a request from a data subject in respect of personal data processed under this DPA. The Processor shall not respond to such a request itself unless authorized by the Controller.

Article 8 -- Security Measures

8.1. The Processor shall implement and maintain appropriate technical and organizational measures to protect personal data, including but not limited to:

Encryption at rest: AES-256 encryption for all stored data;
Encryption in transit: TLS 1.3 for all data transmissions;
Access control: Firebase Authentication with role-based access control and per-company data isolation;
Infrastructure: EU-based hosting (Firebase europe-west1, Netlify EU compute);
Data minimization: Audio recordings are deleted immediately after transcription; AI providers operate under zero-retention API policies;
Monitoring: Automated health checks and logging of access to personal data;
Pseudonymization: Where technically feasible and appropriate to the processing purpose.

8.2. A detailed description of the technical and organizational measures is provided in the separate Technical and Organizational Measures (TOMs) document, which forms an integral part of this DPA.

Article 9 -- Data Breach Notification

9.1. The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting personal data processed under this DPA.

9.2. Such notification shall include at minimum:

(a) A description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects and records concerned;
(b) The name and contact details of the Processor's point of contact;
(c) A description of the likely consequences of the breach;
(d) A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

9.3. The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any personal data breach.

Article 10 -- Audit Rights

10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA.

10.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall be subject to:

(a) Reasonable prior written notice of at least 30 calendar days;
(b) Conducted during normal business hours;
(c) Not unreasonably interfering with the Processor's business operations;
(d) Confidentiality obligations regarding any proprietary information of the Processor.

10.3. The costs of any audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor.

Article 11 -- Data Deletion

11.1. Upon termination of the Principal Agreement or upon the Controller's request, the Processor shall, at the Controller's choice:

(a) Return all personal data to the Controller in a commonly used, machine-readable format; or
(b) Delete all personal data and certify such deletion in writing.

11.2. The Processor shall complete the return or deletion within 30 calendar days of the request or termination, unless Union or Member State law requires further storage of the personal data.

11.3. Audio recordings uploaded to EasyBoard are automatically deleted immediately upon completion of the transcription process. This deletion is irreversible.

Article 12 -- Governing Law and Jurisdiction

12.1. This DPA shall be governed by and construed in accordance with the laws of the Grand Duchy of Luxembourg.

12.2. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Luxembourg City.

12.3. This DPA shall be interpreted in accordance with the GDPR and any applicable guidance issued by the European Data Protection Board (EDPB) or the Commission Nationale pour la Protection des Donnees (CNPD) of Luxembourg.

For the Controller

Name:

Title:

Date:

For the Processor (TLI S.A.)

Name:

Title:

Date: