Data Processing Agreement
Template under Article 28 of Regulation (EU) 2016/679 (the GDPR). Use this as the starting point for processor obligations between you (Controller) and Leapo (Processor). Items marked "Review before signing" are deal-specific and should be adjusted to match the contract.
Template, not legal advice
This document is a working template Leapo offers to streamline vendor review. Before signing, both parties should have it reviewed by their own counsel. Leapo's counsel is (to be confirmed before first signature). We're happy to negotiate changes — this is a starting point, not a take-it-or-leave-it.
1. The Parties
This Data Processing Agreement ("DPA") is entered into between:
(a) The Controller: the legal entity identified in the cover sheet or main services agreement that uses the Leapo platform (the "Customer" or "Controller"); and
(b) The Processor: Leapo, operated by Hussam Abu Ramadan, with registered business address in Belgium (the "Processor" or "Leapo").
2. Background
The Controller has engaged the Processor to provide the Leapo service: a guided business-launch platform for solopreneurs, including AI-assisted content generation, progress tracking, and email communications (the "Services"). In connection with providing the Services, the Processor processes personal data on behalf of the Controller. This DPA governs that processing under Article 28 GDPR.
3. Definitions
Capitalized terms not defined here have the meaning given to them in the GDPR. "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", and "Supervisory Authority" all carry their GDPR meaning.
4. Subject-matter and details of processing
4.1 Subject-matter
Processing of Personal Data by the Processor as necessary to provide the Services described in the main services agreement.
4.2 Duration
For the term of the main services agreement, plus the retention periods described in Annex A.
4.3 Nature and purpose
Hosting, storage, retrieval, computation, transmission, and AI-assisted generation of business artefacts based on Controller-provided inputs.
4.4 Categories of Data Subjects
End users of the Controller's account (e.g. the Controller's own clients, members, or beneficiaries who use the Leapo platform under the Controller's organization).
4.5 Categories of Personal Data
Identification data (name, email), professional data (niche, work style, business-plan inputs), location data (city, country), transactional data (subscription status), usage data (feature interactions). The Processor does not knowingly process special categories of personal data (Article 9 GDPR).
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries — unless required to do so by EU or Member State law, in which case the Processor will inform the Controller of that legal requirement before processing.
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Take all measures required under Article 32 GDPR (see Annex B — Technical and Organisational Measures).
- Respect the conditions in Sections 6 and 7 for engaging sub-processors.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to data subject rights requests.
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIA).
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits — including inspections — conducted by the Controller or another auditor mandated by the Controller, subject to reasonable scoping and confidentiality protection.
6. Sub-processors
The Controller grants the Processor general written authorisation to engage sub-processors. The Processor maintains the up-to-date list of sub-processors at leapo.app/security/subprocessors.
The Processor will notify the Controller of any intended additions or replacements of sub-processors at least thirty (30) days in advance, giving the Controller the opportunity to object on reasonable grounds (which must relate to data protection).
Where the Processor engages a sub-processor, it imposes data protection obligations on that sub-processor by way of a contract, providing in substance the same obligations as set out in this DPA.
7. International transfers
Where Personal Data is transferred to a country outside the EEA that has not been deemed adequate by the European Commission, the Processor will ensure such transfer takes place on the basis of an appropriate safeguard listed in Article 46 GDPR — typically the Standard Contractual Clauses (SCCs) adopted by the Commission under Implementing Decision (EU) 2021/914.
A list of sub-processors with their location and applicable transfer mechanism is maintained at leapo.app/security/subprocessors.
8. Personal data breach
The Processor shall notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Controller's data, providing sufficient information to allow the Controller to meet its obligations under Articles 33 and 34 GDPR.
9. Return or deletion of data
On termination or expiry of the Services, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on the Controller's behalf, and delete existing copies, within thirty (30) days. Encrypted backups containing the data may be retained for up to a further thirty (30) days before being permanently destroyed.
10. Liability
Liability under this DPA is subject to the limitation of liability clause of the main services agreement between the Parties.
11. Governing law and jurisdiction
This DPA is governed by the law of Belgium. Disputes arising in connection with this DPA are subject to the exclusive jurisdiction of the courts of Brussels.
Annex A — Description of processing
Categories of Data Subjects
End users of the Controller's Leapo account: independent professionals, sole traders, or small-business operators using the Leapo platform.
Categories of Personal Data
- Identification: full name, email address, account UUID
- Authentication: hashed password (via Supabase Auth), OAuth tokens (if Google sign-in)
- Professional: business niche, target market, work style
- Location: city, country
- Free-text inputs: business-plan answers, AI-coach conversation history
- Transactional: subscription tier, billing status (via Stripe)
- Usage: feature interactions, AI generation counts (for rate-limit enforcement)
Retention
Account data is retained for the lifetime of the account. On deletion request, primary database records are purged within 30 days; encrypted backups containing the data are purged within an additional 30 days. Stripe billing records are retained for the minimum period required by Belgian tax law (currently 7 years).
Annex B — Technical and Organisational Measures (Article 32)
The full description of TOMs is maintained at leapo.app/security and incorporated by reference. Summary:
- EU-hosted infrastructure (Supabase eu-central-1, Vercel EU)
- AES-256 encryption at rest; TLS 1.3 in transit
- Row-level security (RLS) enforced at the database layer
- MFA on all administrative access
- Secrets stored encrypted in Vercel + GitHub secret managers
- Runtime monitoring (Sentry); audit logs for administrative actions
- Written incident response plan with 72-hour breach notification
- Daily encrypted backups with 7–30 day retention
Annex C — Sub-processors
The current list of sub-processors, their location, purpose, and applicable transfer mechanism is published at leapo.app/security/subprocessors and incorporated by reference into this DPA.
Signatures
For the Controller
Name:
Title:
Company:
Signature / date:
For Leapo (Processor)
Name:
Hussam Abu Ramadan
Title:
Founder
Company:
Leapo
Signature / date: