AI For Excel Data Processing Agreement
Last Updated: 04/22/2025
This Data Processing Agreement (“DPA”) supplements and forms an integral part of the Terms and Conditions or any other applicable main agreement (the “Main Agreement”) concluded between NEXTBP (“We”, “us”, “our” or the “Processor”) and you (“You”, the “Customer”) concerning the use of the AI For Excel software (the “Software”). This DPA governs the Processing of Personal Data carried out by the Processor on behalf of the Customer in connection with the provision of the Software.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings assigned to them below:
- Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”).
- Controller: The natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Within the scope of this DPA, the Customer is the Controller.
- Processor: The natural or legal person who processes Personal Data on behalf of the Controller. Within the scope of this DPA, NEXTBP is the Processor.
- Sub-processor: Any third-party processor engaged by the Processor (NEXTBP) to process Personal Data on behalf of the Customer.
- Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Protection Legislation: All applicable laws and regulations relating to data protection and privacy, including, but not limited to, the General Data Protection Regulation (Regulation (EU) 2016/679 or “GDPR”) and any national legislation transposing or supplementing it.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. Roles and Responsibilities
2.1. The Customer acts as the Controller. The Customer is solely responsible for the lawfulness of the collection and Processing of Personal Data entrusted to the Processor via the Software, including the legal basis for such Processing.
2.2. NEXTBP acts as the Processor. NEXTBP will process Personal Data only on behalf of the Customer, based on the Customer’s documented instructions (as set out in the Main Agreement and this DPA, and through the Customer’s use of the Software) and in accordance with applicable Data Protection Legislation.
3. Subject Matter, Nature, and Duration of Processing
3.1. Subject Matter of Processing: The purpose of the Processing is to enable the Processor to provide the Software and related services to the Customer, in accordance with the Main Agreement. This includes, in particular, data hosting, execution of Software functionalities (e.g., automated analysis and processing of imported audit documents, AI-powered features), maintenance, and technical support.
3.2. Nature of Processing Operations: Operations may include receiving, storing, organizing, analyzing, consulting, using, making available (via the Software interface), processing through AI services, erasing, and/or returning Personal Data.
3.3. Types of Personal Data: The types of Personal Data processed are determined and controlled by the Customer at its sole discretion, and may include, but are not limited to, information contained in documents imported by the Customer into the Software (such as names, contact details, and financial or professional information).
3.4. Categories of Data Subjects: The categories of Data Subjects are determined by the Customer and may include, but are not limited to, employees, clients, suppliers, auditees, or any other natural person whose Personal Data is contained in the documents processed via the Software.
3.5. Duration of Processing: The Processor will process Personal Data for the duration of the Main Agreement, unless otherwise instructed in writing by the Customer or required by law. The procedures for deleting or returning data at the end of the contract are defined in Article 4.7.
4. Obligations of the Processor (NEXTBP)
The Processor undertakes to:
4.1. Processing according to instructions: Process Personal Data only on documented instructions from the Customer, including with regard to transfers of data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Customer’s use of the Software constitutes documented instructions.
4.2. Confidentiality: Ensure that persons authorized to process the Personal Data (employees, agents, subcontractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Security of Processing: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures aim to protect Personal Data against destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
4.4. Use of Sub-processors: Not engage another processor (Sub-processor) without prior specific or general written authorization of the Customer. In the case of general written authorization, the Processor shall inform the Customer of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Customer the opportunity to object to such changes. Where the Processor engages a Sub-processor, it shall impose on that Sub-processor the same data protection obligations as set out in this DPA, by way of a contract or other legal act.
Current Sub-processors include:
- Stripe, Inc. for payment processing
- Third-party AI service providers for AI-powered features (specific providers may vary and will be communicated to Customer upon request)
- Hetzner Online GmbH for infrastructure hosting
4.5. Assistance to the Customer: Assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights (access, rectification, erasure, restriction, portability, objection).
4.6. Notification of Data Breaches: Notify the Customer of any Personal Data Breach without undue delay after becoming aware of it, and provide the Customer with the necessary information to enable the Customer to meet its own notification obligations to supervisory authorities and/or Data Subjects.
4.7. Fate of Data at the end of the contract: At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
4.8. Audit and information: Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
4.9. Usage Data: To the extent that the Software records usage metrics (such as the number of documents processed, data volume, AI requests, or other indicators) for billing, quota management, service improvement, or performance tracking purposes, these metrics may indirectly relate to Personal Data if the counted items (e.g., documents) contain such data. The Processor undertakes to process this aggregated or technical usage data in compliance with this DPA and Data Protection Legislation, limiting its use to the stated purposes.
4.10. AI Service Processing: When Personal Data is processed through third-party AI services:
- The Processor will ensure that such third-party AI providers offer adequate data protection guarantees
- Processing will occur only for the duration necessary to complete the requested AI operation
- The Processor will not retain copies of Personal Data processed by AI services beyond operational requirements
- AI service providers are contractually bound to process data only as instructed and to implement appropriate security measures
5. Transfers of Personal Data outside the EEA
Any transfer of Personal Data by the Processor to a country outside the European Economic Area (EEA) shall only be made if appropriate safeguards are in place in accordance with the requirements of the Data Protection Legislation (e.g., adequacy decision of the European Commission, approved Standard Contractual Clauses, Binding Corporate Rules). The Processor shall inform the Customer of the transfer mechanisms used upon request.
Note: Some third-party AI service providers may process data outside the EEA. In such cases, appropriate safeguards will be implemented to ensure GDPR compliance.
6. Governing Law and Jurisdiction
This DPA is governed by French law. Any dispute relating to its interpretation or execution shall fall within the jurisdiction of the courts designated in the Main Agreement.
7. Liability
The liability of each party arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability stipulated in the Main Agreement.
By accepting the Terms and Conditions or using the Software, you acknowledge that you have read, understood, and agreed to be bound by the provisions of this Data Processing Agreement.