Data Processing Agreement

Pursuant to Article 28.3 of Regulation (EU) 2016/679 General Data Protection Regulation

Parties

The parties identified in APPENDIX I of this agreement, acting in the capacity they hold and mutually recognising each other’s legal capacity to enter into contracts and assume obligations.

Recitals

The General Data Protection Regulation (Regulation EU 2016/679 of the European Parliament and of the Council), hereinafter the GDPR, establishes that the processing of personal data by a processor shall be governed by a contract or other legal act. The content of such contract is regulated in Article 28.3 of the GDPR.

Clauses

1. Subject Matter of the Processing

By means of these clauses, SOCIALO, the PROCESSOR, is authorised to process personal data on behalf of the CONTROLLER, to the extent necessary to provide the following service:

Provision of a digital platform service aimed at facilitating and enhancing cultural and community life, promoting the participation of members and improving internal communication in university halls of residence, student residences and other communities or educational institutions.

The processing of personal data shall include the following operations: Collection, Recording, Structuring, Alteration, Storage, Retrieval, Consultation, Disclosure by transmission, Dissemination, Alignment, Combination, Restriction, Erasure, Destruction and Communication.

2. Identification of the Information Concerned

For the performance of the obligations arising from the fulfilment of the subject matter of this agreement, the CONTROLLER authorises the PROCESSOR to process the following categories of personal data, the specific detail of which shall be determined by the CONTROLLER through the configuration of the registration forms and functionalities of the platform:

2.1. Categories of Personal Data

The PROCESSOR is authorised to process exclusively the following categories of personal data, insofar as the CONTROLLER enables and provides them through the platform:

a) Identification data: Name, surname(s), identity document (DNI, NIE, passport or other identification document), photograph. b) Contact data: Email address (personal and institutional), mobile and landline telephone number, postal address, professional social media profiles. c) Organisational context data: Academic, professional or contextual information relevant to the community (for example: university degree programme, institution, department, professional area, specialisation, position, function or role within the organisation). d) Location or assignment data: Location, assigned space or membership information within the organisation (for example: room number, building, office, area, section, group, team or unit), dates of joining and expected end date where applicable. e) Participation and activity data: Activities in which the individual participates, events attended, activity preferences, declared personal interests, groups or committees to which the individual belongs, comments and ratings. f) User profile data: Personal biography, interests, hobbies, languages, skills, notification and communication preferences. g) Platform usage data: Access logs, date and time of connection, pages visited within the platform, interactions with content. h) Other identifying data: Any other identifying personal data not covered by the categories above that the CONTROLLER deems necessary to provide to the PROCESSOR for the proper provision of the service that is the subject matter of this agreement, provided that such data does not constitute special categories of data pursuant to Article 9 of the GDPR.

2.2. Categories of Data Subjects

a) Community members: Persons who are part of the organisation, community or institution and use the platform (for example: residents, hall members, students, members, associates, affiliated members, participants or regular users). b) Organisation staff: Administrative, managerial, management, coordination and other staff authorised by the CONTROLLER who require access to the platform for the performance of their duties. c) Other authorised users: Any other natural person whom the CONTROLLER expressly authorises to access the platform (for example: former members, external collaborators, service or activity providers, guests, visitors).

2.3. Purpose of the Processing

Personal data shall be processed by the PROCESSOR exclusively for the following purposes related to the provision of the service:

User management and access control to the platform.
Facilitation of internal communication between community members and with the organisation’s administration.
Organisation and promotion of activities, events and services of the organisation.
Improvement of member participation and engagement within the community.
Sending of notifications and communications related to the service.
Maintenance, technical support and improvement of the platform.
Preparation of aggregated and anonymised statistics on platform usage.

2.4. Express Exclusion of Special Categories of Data

The PROCESSOR shall NOT under any circumstances process special categories of personal data pursuant to Article 9 of the GDPR, which include:

Data revealing racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data.
Biometric data for the purpose of uniquely identifying a natural person.
Data concerning physical or mental health.
Data concerning a natural person’s sex life or sexual orientation.

Nor shall it process data relating to criminal convictions and offences pursuant to Article 10 of the GDPR.

The CONTROLLER warrants that it shall not enable or provide the PROCESSOR with any data falling within these special categories. In the event that the PROCESSOR accidentally detects the processing of these categories of data, it shall immediately notify the CONTROLLER so that the CONTROLLER may adopt the appropriate corrective measures, including the immediate erasure of such data.

2.5. Determination of Specific Data by the CONTROLLER

The CONTROLLER is solely empowered to determine which specific data within the categories described above are necessary and proportionate for the provision of the service. This determination shall be made by means of:

The configuration of mandatory and optional fields in the platform’s registration forms.
The enabling or disabling of specific functionalities that require the processing of certain categories of data.
The specific instructions communicated to the PROCESSOR at any given time.

The PROCESSOR undertakes not to process any personal data to which it has access for any purpose other than that expressly authorised by the CONTROLLER, nor to carry out processing operations that exceed the instructions received.

3. Duration

This agreement shall enter into force on the date of its signature and shall remain in effect for the duration of the contractual relationship between the parties arising from the Socialo services subscription agreement. The termination, for any reason, of the main agreement shall automatically entail the termination of this data processing agreement, without prejudice to the obligations that must survive in accordance with Section 4 (Return of Data).

4. Return of Data

Once this agreement has ended:

The CONTROLLER shall have a period of 30 calendar days from the date of termination of the contractual relationship to download from the platform all information available in its account. The PROCESSOR shall provide the necessary technical means for such extraction in a structured, commonly used and machine-readable format (for example: JSON, CSV, XML), in accordance with Article 28.3(g) of the GDPR.

Note: The 30 calendar day period is considered reasonable for most cases. In exceptional situations requiring a longer period due to the volume of data, the CONTROLLER must request this in writing before the termination of the agreement, and the parties shall agree in good faith on a reasonable extension.
Once such period has elapsed, the PROCESSOR shall erase or return all personal data to the CONTROLLER, as the latter may indicate, and shall delete existing copies, unless Union or Member State law requires their retention.
The PROCESSOR may retain personal data duly blocked for a maximum period of 5 years from the termination of the agreement, exclusively to address potential legal liabilities arising from the performance of the agreement (tax, civil, commercial or administrative), in compliance with Article 32 of the LOPDGDD and Article 1,964.2 of the Spanish Código Civil.
During the blocking period, the data may not be accessed or processed by the PROCESSOR, except for making it available to Courts and Tribunals, the Public Prosecutor’s Office (Ministerio Fiscal), the competent Public Administrations, the Ombudsman (Defensor del Pueblo), the Court of Auditors (Tribunal de Cuentas) or data protection authorities that require it for the exercise of their functions.
Once the blocking period has elapsed without the need for their retention, the data shall be definitively deleted by means of secure procedures that prevent their recovery.

5. Obligations of the PROCESSOR

5.1. Purpose

The PROCESSOR shall use the personal data subject to processing solely for the purpose set out in this agreement. Under no circumstances may it use the data for its own purposes.

5.2. Instructions of the CONTROLLER

The PROCESSOR shall process the data in accordance with the instructions of the CONTROLLER. If the PROCESSOR considers that any of the instructions infringes the GDPR or any other Union or Member State data protection provision, the PROCESSOR shall immediately inform the CONTROLLER.

5.3. Records of Processing Activities

The PROCESSOR shall maintain a record of all categories of processing activities carried out on behalf of the CONTROLLER, containing:

The name and contact details of the processor or processors and of each controller on whose behalf the processor is acting, and, where applicable, of the controller’s or processor’s representative and the data protection officer.
The categories of processing carried out on behalf of each controller.
International transfers: Where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation. In the case of transfers referred to in Article 49(1), second subparagraph, of the GDPR, the documentation of suitable safeguards.
A general description of the technical and organisational security measures relating to: a) The pseudonymisation and encryption of personal data. b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

5.4. Non-Disclosure

The PROCESSOR shall not disclose the data to third parties, unless it has the express authorisation of the CONTROLLER, in the legally admissible cases. The PROCESSOR may disclose the data to other processors of the same CONTROLLER, in accordance with the CONTROLLER’s instructions. In this case, the CONTROLLER shall identify, in advance and in writing, the entity to which the data must be disclosed, the data to be disclosed and the security measures to be applied to carry out the disclosure.

5.5. International Transfer

The PROCESSOR may transfer personal data to third countries or international organisations where necessary for the provision of the service, provided that the safeguards set out in Chapter V of the GDPR are met (adequacy decisions, standard contractual clauses or other legally recognised mechanisms). The PROCESSOR shall keep an up-to-date list of all sub-processors that carry out international transfers, specifying the countries of destination and the protection mechanisms applied. Such list is attached to this agreement as APPENDIX II. If legally required to transfer data by public authorities of third countries, the PROCESSOR shall inform the CONTROLLER in advance where it is legally possible to do so, in order for the CONTROLLER to take such action as it deems appropriate.

5.6. Sub-Processing

General authorisation with prior notification: The CONTROLLER grants the PROCESSOR a general authorisation for the sub-processing of personal data processing services, provided that the conditions set out in this section are met. Categories of services that may be sub-processed: The PROCESSOR may engage sub-processors within the following categories of services:

Hosting and cloud infrastructure providers
Communication and messaging services (email, SMS, notifications)
Payment processing
Analytics, monitoring and error management
Managed databases and storage
CDN and file storage
Authentication and security services
Other ancillary technical services necessary for the provision of the service

The PROCESSOR may engage, replace or use providers within the above categories without prior notification or additional authorisation from the CONTROLLER. Prior notification (with 10 business days’ notice to exercise the right of objection) shall only be required where the PROCESSOR wishes to engage sub-processors that are NOT included in the above-mentioned categories. The PROCESSOR undertakes to ensure that all engaged sub-processors comply with equivalent data protection obligations in accordance with the GDPR. The PROCESSOR shall keep the list of sub-processors up to date in APPENDIX II.

5.7. Duty of Secrecy

The PROCESSOR and all its staff shall maintain the duty of secrecy with respect to personal data to which they have had access by virtue of this agreement, including after the termination thereof.

5.8. Written Confidentiality Undertakings

The PROCESSOR shall ensure that persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed. The PROCESSOR shall keep available to the CONTROLLER the documentation evidencing compliance with this obligation.

5.9. Training of Authorised Persons

The PROCESSOR shall ensure the necessary training in personal data protection for persons authorised to process personal data.

5.10. Assistance in the Exercise of Data Subject Rights

The PROCESSOR shall assist the CONTROLLER in responding to the exercise of the following rights:

Access, rectification, erasure and objection
Restriction of processing
Data portability
Not to be subject to automated individual decision-making (including profiling)

When data subjects exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability and the right not to be subject to automated individual decision-making before the PROCESSOR, the PROCESSOR must notify the CONTROLLER by email. The notification must be made immediately and in no case later than the following business day after receipt of the request, together with, where applicable, any other information that may be relevant to resolving the request.

5.11. Right to Information

It is the CONTROLLER’s responsibility to provide the right to information at the time of collection of the data.

5.12. Notification of Personal Data Breaches

The PROCESSOR shall notify the CONTROLLER, without undue delay and in any event no later than 48 hours after becoming aware thereof, of any personal data breaches under its responsibility of which it becomes aware, together with all relevant information. The following information shall be provided as a minimum: a) A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. b) The name and contact details of the data protection officer or another contact point of the PROCESSOR where more information can be obtained. c) A description of the likely consequences of the personal data breach. d) A description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures taken to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide the information at the same time, the information shall be provided in phases without undue delay. The PROCESSOR shall make this notification by email marked as URGENT to the previously agreed email address. Notification to Data Protection Authorities: It is the CONTROLLER’s responsibility to notify personal data breaches to the Data Protection Authority. Notification to data subjects: It shall be the CONTROLLER’s responsibility to notify personal data breaches to data subjects, where necessary. The PROCESSOR shall provide the necessary support so that the CONTROLLER can make such notification as soon as possible.

5.13. Support in Carrying Out Data Protection Impact Assessments

The PROCESSOR shall support the CONTROLLER in carrying out data protection impact assessments, where appropriate.

5.14. Support in Prior Consultations with Supervisory Authorities

The PROCESSOR shall support the CONTROLLER in carrying out prior consultations with the supervisory authority, where appropriate.

5.15. Compliance with Obligations

The PROCESSOR shall make available to the CONTROLLER the information reasonably necessary to demonstrate compliance with its data protection obligations. This information may include security certifications, documentation of policies and procedures, or existing audit reports. Submission of existing audit reports: The CONTROLLER accepts that the PROCESSOR may satisfy audit requirements by submitting recent audit reports (no older than 12 months) carried out by other clients or independent auditors, provided that they cover the relevant areas of data processing. Where the CONTROLLER considers that such reports are not sufficient for its specific needs, it may request an additional audit justifying the need. The CONTROLLER may request audits with a maximum frequency of once per year, unless there is justified cause (such as a security breach, significant changes to the processing of data, or a requirement from a competent authority). Audits must be notified with a minimum of 30 calendar days’ notice, carried out exclusively during the PROCESSOR’s working hours (Monday to Friday, 9:00 to 18:00h), by remote means unless physical access is strictly necessary, and must not interfere with normal business operations. The auditor must sign a confidentiality agreement with the PROCESSOR in advance, respect all confidential information unrelated to the audit, and be subject to the supervision of the PROCESSOR’s staff throughout the process. The costs of the audit shall be borne by the CONTROLLER, unless significant non-compliance by the PROCESSOR is detected.

5.16. Security Measures

The PROCESSOR shall implement at least the security measures that enable: a) Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services. b) Restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident. c) Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures implemented to ensure the security of processing. d) Pseudonymising and encrypting personal data, where appropriate.

Furthermore, APPENDIX III sets out the additional security measures that the PROCESSOR undertakes to apply to the processing of the CONTROLLER’s personal data.

5.17. Data Protection Officer

The PROCESSOR shall communicate the identity and contact details of the data protection officer to the CONTROLLER, whenever its appointment is mandatory or the PROCESSOR has appointed one voluntarily.

6. Obligations of the CONTROLLER

The CONTROLLER shall be responsible for: a) Providing the PROCESSOR with the data necessary for the provision of the services referred to in this agreement. b) Carrying out, where required by applicable regulations, a data protection impact assessment of the processing operations to be carried out by the PROCESSOR. c) Carrying out the relevant prior consultations with the Data Protection Authorities. d) Ensuring, prior to and throughout the processing, that the PROCESSOR complies with the GDPR. e) Supervising the processing of the data, including carrying out inspections and audits.

7. Non-Compliance

Non-compliance by the PROCESSOR with the obligations set out in this agreement shall result in the PROCESSOR being considered a controller as well, and it shall be liable before the Data Protection Authorities, or before any third party, for the infringements that may have been committed arising from the performance of this agreement and/or from compliance with the applicable personal data protection legislation.

8. Liability

Both the CONTROLLER and the PROCESSOR shall be liable for all damages caused to the other party in all cases of negligent or culpable conduct in the performance of the obligations incumbent upon them respectively, in accordance with the terms of this agreement. Neither party shall assume any liability for the non-performance or delay in the performance of any of the obligations under this agreement if such non-performance or delay results from or is a consequence of force majeure or fortuitous event recognised as such by case law, provided that such event is: (i) unforeseeable, (ii) unavoidable and insurmountable, and (iii) beyond the control of the party invoking it. The following shall be considered causes of force majeure: natural disasters of extraordinary magnitude (earthquakes, catastrophic floods), war, acts of terrorism, or exceptional total lockdown measures adopted by governmental authorities that materially prevent the performance of the service. The following shall not be considered causes of force majeure: ordinary technical failures, power supply interruptions of less than 24 continuous hours, internal strikes of the PROCESSOR, or any circumstance that could have been avoided by adopting reasonable technical and organisational security measures, including the implementation of redundancy systems, backups and business continuity plans. In particular, the PROCESSOR’s obligations regarding security, confidentiality and notification of data security breaches shall not be exempted by causes of force majeure, unless their fulfilment is rendered materially impossible by the total physical destruction of the facilities and backups.

9. Confidentiality

The PROCESSOR warrants that it shall maintain the strictest confidentiality and express compliance with the duty of professional secrecy in relation to the CONTROLLER’s affairs during the term of the provision of services and after its termination. The PROCESSOR, during and after the term of this agreement, shall treat all information owned by the CONTROLLER as strictly confidential, taking the necessary measures to ensure that its content is not disclosed to third parties, nor that third parties may have access thereto without the express authorisation of the CONTROLLER. For the purposes of this agreement, confidential information shall mean any information capable of being disclosed by word of mouth, in writing or by any other means or medium, tangible or intangible, currently known or hereafter invented, whether exchanged as a result of this contractual relationship or designated by one party as confidential to the other.

10. Notices

Any notice required for the purposes of this agreement shall be made in writing to the attention and address of the party stated in the heading of this agreement.

11. General Provisions

This agreement contains the entire agreement between the parties regarding its subject matter and supersedes and replaces any prior agreement, oral or written, that the parties may have reached. Likewise, in the event of a conflict between the terms set out in this agreement and any other agreement previously signed between both parties, the terms set out in this agreement shall prevail. Nothing in this agreement implies identity of the parties, or that one is considered the agent of the other. Neither party shall be liable for any declaration, act or omission of the other party that is contrary to the foregoing. Any modification to the content of this agreement shall only be effective if made in writing and with the consent of both parties. The failure by either party to enforce any of its rights under this agreement shall not be deemed to constitute a waiver of such rights in the future. The contractual documents are, in order of priority, this agreement and its annexes (“APPENDICES”). In the event of a conflict, the agreement shall prevail over the APPENDICES.

12. Governing Law and Jurisdiction

This agreement shall be governed by and construed in accordance with Spanish law in all matters not expressly regulated herein, and the parties submit, for any disputes that may arise in relation thereto, to the jurisdiction of the Courts and Tribunals of Madrid, waiving any other jurisdiction to which they may be entitled.

APPENDIX I — Identification of the Parties and Description of the Processing

Controller(s)

Name: ___________________________
Address: ___________________________
Contact person name: ___________________________
Telephone: ___________________________
Email: ___________________________

Processor(s)

Name: Socialo, S.L.
NIF: B26602979
Address: Paseo de la Castellana, 194, Bajo B, 28046 Madrid, España
Contact person name: José Javier Román Camacho
Position: CEO
Email: dpo@socialo.live

Description of the processing

Creation and management of users on the platform.
Management and storage of personal data necessary to provide community communication and participation services.
Sending of notifications and communications related to the use of the platform.
Organisation and promotion of activities and events.
Quality assurance and improvement of the platform.
Technical support.

Categories of data subjects whose personal data is processed

Members of the community or organisation
Administrative and managerial staff
Other authorised users

Communication

Email: dpo@socialo.live SOCIALO has designated a Data Protection Officer within its organisation. If you wish to make an enquiry regarding the processing of your personal data, you may contact us at the email address indicated above.

Nature of the processing

Collection, storage, retrieval, consultation, use, restriction, erasure or destruction.

Purpose(s) for which the personal data is processed on behalf of the Controller

Provision of the services agreed in this agreement. The legal basis being the contractual relationship with the Controller.

Duration of the processing

The duration of this agreement is set out in Section 3 of this document.

APPENDIX II — Sub-Processors

Last updated: January 2026

The following sub-processors are authorised to process personal data on behalf of Socialo, S.L.:

Entity Name	Sub-Processor Activity	Location	Transfer Mechanism	Product Use
Google Cloud Platform	Cloud infrastructure and hosting services	United States / European Union	EU-US Data Privacy Framework	Core platform infrastructure
Google Analytics	Web analytics services	United States	EU-US Data Privacy Framework	Aggregated platform usage statistics
GetStream	Real-time messaging and activity feeds	European Union	N/A (within the EEA)	Chat and notifications
Twilio SendGrid	Email delivery services	United States	EU-US Data Privacy Framework	Transactional emails

Updating this list

This list is updated each time a sub-processor is added, replaced or removed. The date of last update is indicated at the beginning of the document.

Contact

For more information about sub-processors: dpo@socialo.live

APPENDIX III

Security Measures Applied by the PROCESSOR

Measure	Implemented	Comments
Physical access controls to the data centre	☒	Infrastructure hosted with cloud providers with restricted physical access controls.
Physical protection measures at the data centre	☒	Data centres managed by cloud providers with recognised security standards.
Access logs to applications and databases	☒	Access and activity logging for control and security.
User identification and authentication procedure	☒	Access via individual credentials and authentication controls.
Identification, communication and documentation of the duties and obligations of personnel with access to the data	☒	Access limited by roles and under the principle of least privilege.
Backups (indicate frequency)	☒	Automated backups with tiered retention: one per minute for the last 7 days and one per day for the last 30 days.
Planned restoration tests of backups	☒	Quarterly restoration drills in an isolated environment, as well as after any significant infrastructure change.
Deletion of temporary files	☒	Temporary files are stored in the ephemeral storage of the compute instances and are automatically deleted upon execution end.
Resilience: redundancy and recovery	☒	Cloud providers with redundancy and recovery mechanisms.
Business continuity procedure	☐
Incident management (logging and notification of security breaches)	☒	Internal incident management and notification procedure.
Technical systems audit and penetration testing	☐
Vulnerability management for systems and applications	☒	GitHub security alerts and Dependabot enabled to detect CVEs in dependencies, with regular updates; underlying infrastructure patching is handled by the cloud providers.
Encryption on equipment and mobile devices	☒	Full-disk encryption enabled on work devices (FileVault on macOS, BitLocker on Windows).
Security in development and test environments	☒	Development and test environments are kept separate from production through local emulators and independent credentials; no real personal data is used.
Pseudonymisation / anonymisation of personal data	☐
Up-to-date inventory of media and storage devices	☐
Media filing criteria	☐
Encryption of media, secure deletion of media, etc.	☐
Encryption of communications	☒	Use of HTTPS/TLS.
Administrators and users, segregation of duties at operating system and application level	☐
Password policies	☒
Other security measures	☐

This document is a translation provided for informational purposes only. In the event of any discrepancy or conflict between this version and the Spanish original, the Spanish version shall prevail.