Definitions:

1. NextGen Digital Evolutions: Baydar International Commerce Solutions, established in The Hague, Chamber of Commerce

no. 93519702.

2. Customer: the party which NextGen Digital Evolutions has entered into an agreement with.

3. Parties: NextGen Digital Evolutions and customer together.

4. Consumer: a customer who is an individual acting for private purposes.

1. Purpose

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.

• Processing: Any operation performed on personal data (e.g., collection, storage, use, transmission).

• Controller: The entity that determines the purposes and means of processing.

• Processor: The entity that processes personal data on behalf of the Controller.

• Sub-processor: Any third party engaged by the Processor to process data.

3. Scope of Processing

3.1 Subject Matter

Provision of AI agents, automation systems, chatbots, and related digital services.

3.2 Nature and Purpose

Processing of personal data for:

• Customer communication

• Automation workflows

• Data analysis and service optimization

3.3 Types of Personal Data

May include:

• Names

• Email addresses

• Phone numbers

• Customer messages and inquiries

• Any data submitted through AI systems

3.4 Categories of Data Subjects

• Customers of the Controller

• Website visitors

• End-users interacting with AI agents

4. Obligations of the Processor

The Processor shall:

• Process personal data only on documented instructions from the Controller

• Ensure confidentiality of authorized personnel

• Implement appropriate technical and organizational security measures

• Assist the Controller in complying with GDPR obligations

• Notify the Controller of any personal data breach without undue delay

• Delete or return all personal data upon termination of services

5. Obligations of the Controller

The Controller shall:

• Ensure lawful basis for processing personal data

• Provide clear instructions to the Processor

• Inform data subjects as required by law

• Ensure data accuracy and legitimacy

6. Sub-processors

The Controller authorizes the Processor to engage sub-processors, including but not limited to:

• Cloud hosting providers

• AI service providers (e.g., OpenAI or similar platforms)

• CRM and automation tools

The Processor shall ensure that sub-processors are bound by equivalent data protection obligations.

7. Data Security

The Processor shall implement appropriate measures, including:

• Encryption of data where applicable

• Access controls and authentication

• Regular system monitoring and updates

8. Data Subject Rights

The Processor shall assist the Controller in responding to requests related to:

• Access

• Rectification

• Erasure

• Restriction of processing

• Data portability

9. Data Breach Notification

In the event of a personal data breach, the Processor shall:

• Notify the Controller without undue delay

• Provide relevant details of the breach

• Assist in mitigation efforts

10. Data Transfers

If personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs)

• Adequacy decisions

11. Audit Rights

The Controller may request reasonable information to verify compliance with this Agreement.

12. Term and Termination

This Agreement remains in effect as long as the Processor processes personal data on behalf of the Controller.

Upon termination:

• All personal data shall be deleted or returned, unless legally required otherwise

13. Liability

Each Party shall be liable for damages caused by its breach of this Agreement or applicable data protection laws.

14. Governing Law

This Agreement shall be governed by the laws of the Netherlands and European Union.

15. Signatures

Controller

Name: ________________________

Company: _____________________

Signature: ____________________

Date: ________________________

Processor

Name: ________________________

Company: NextGen Digital Evolutions

Signature: ____________________

Date: 02-05-2026

Annex 1 – Technical and Organizational Measures (TOMs)

• Secure cloud infrastructure

• Role-based access control

• Data encryption in transit (SSL/TLS)

• Regular backups

• Monitoring and logging systems

Annex 2 – List of Sub-processors

The Processor uses the following sub-processors to deliver its AI and automation services:

• Retell AI (voice AI and communication processing)

• Make (automation platform)

• n8n (workflow automation)

• Replit (development and hosting environment)

• OpenAI (AI processing)

• Cloud hosting providers (e.g., AWS, Google Cloud)

• CRM and integration tools as applicable

The Processor may update this list from time to time. The Controller will be informed of any significant changes where required by applicable law.

Annex 3 – AI-Specific Processing Disclosure

The Processor provides AI-driven services that may include:

• Automated conversations (chatbots, voice agents)

• Workflow automation

• Data processing for response generation

Data Handling

• Input data may be temporarily processed to generate outputs

• Conversations and interactions may be logged for service functionality and improvement

• Data is not used for model training unless explicitly agreed with the Controller

Data Retention

• Data is retained only as long as necessary for service delivery or as agreed with the Controller

• The Controller may request deletion of stored data at any time, unless legal obligations apply

Responsibility Split

• The Controller remains responsible for the lawful collection and use of personal data

• The Processor is responsible for secure and compliant processing within the provided systems

Drawn up on 01 May 2026.