Data Processing Agreement
Last updated: June 2026 · Incorporated into the Terms of Service
Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between Sila Technologies B.V., operating as Michi (“Processor”), and the customer (“Controller”) for use of the Michi platform, and governs the processing of personal data under GDPR Article 28.
1. Definitions
“GDPR” means Regulation (EU) 2016/679.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority” have the meanings given in the GDPR.
“Services” means the Michi Relationship Intelligence Platform.
“Subprocessor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Subject matter and nature of processing
- 2.1 Subject matter: The Processor provides a relationship intelligence platform enabling Controllers to manage contacts, partnerships, investments, grants, and supplier relationships.
- 2.2 Nature: Storage, retrieval, analysis, AI-assisted processing, and deletion of Personal Data entered by the Controller.
- 2.3 Purpose: Providing the Services as described in the Terms of Service.
- 2.4 Duration: The term of the Controller’s subscription, plus 30 days for data deletion.
3. Types of personal data and data subjects
Types of personal data processed may include:
- Contact information: names, email addresses, phone numbers, job titles, LinkedIn profiles
- Professional data: company affiliations, investment history, grant applications, meeting notes
- Communication records: email threads (where integrated), meeting transcripts, call notes
- User account data: names, work emails of the Controller’s team members
Categories of data subjects:
- The Controller’s customers, partners, investors, and suppliers (third parties whose data is entered by the Controller)
- The Controller’s team members using the platform
4. Processor obligations (GDPR Article 28(3))
- 4.1 Documented instructions: The Processor shall process Personal Data only on documented instructions from the Controller, which shall be the Terms of Service and any additional written instructions provided. Where EU or Member State law requires the Processor to process Personal Data otherwise than on those instructions, the Processor shall inform the Controller of that legal requirement before processing.
- 4.2 Confidentiality: The Processor shall ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- 4.3 Security: The Processor shall implement appropriate technical and organisational measures per GDPR Article 32, including: AES-256 encryption at rest, TLS 1.2+ encryption in transit, row-level security, role-based access controls, regular security reviews, and incident response procedures.
- 4.4 Subprocessors: The Processor shall not engage new Subprocessors without prior general authorisation from the Controller. The Controller provides general authorisation for the Subprocessors listed in Annex A. The Processor shall provide 30 days’ notice of any intended changes to the Subprocessor list.
- 4.5 Data subject rights: The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability) through the Settings → Data & Privacy interface and, if needed, via support@michiplatform.com.
- 4.6 Security assistance: The Processor shall assist the Controller with obligations under GDPR Articles 32–36, including breach notification (within 72 hours of becoming aware), data protection impact assessments, and prior consultation with supervisory authorities.
- 4.7 Deletion and return: On termination of the Services, the Processor shall, at the Controller’s choice, delete or return all Personal Data and delete existing copies, unless retention is required by EU or Member State law.
- 4.8 Audit: The Processor shall make available all information necessary to demonstrate compliance with this Article and shall allow for and contribute to audits conducted by the Controller or a mandated auditor, with reasonable notice.
5. Controller obligations
The Controller warrants that it has a lawful basis for processing the Personal Data it uploads to the Services, has provided appropriate privacy notices to data subjects, and is authorised to instruct the Processor as set out in this DPA.
6. International transfers
Where processing involves transfer of Personal Data outside the EEA, the Processor shall ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) per Commission Decision 2021/914 or alternative mechanisms approved by the European Commission. See Annex A for transfer mechanisms applicable to each Subprocessor.
7. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA excludes or limits either party’s liability for breaches of data protection obligations under GDPR.
8. Governing law
This DPA is governed by Belgian law and subject to the exclusive jurisdiction of the courts of Antwerp, Belgium.
Annex A — Subprocessors
| Subprocessor | Country | Purpose | Safeguard |
|---|---|---|---|
| Supabase Inc. | EU (DE) | Database, auth, storage | EU region |
| Anthropic PBC | USA | AI / transcript processing | SCCs |
| Stripe Inc. | USA | Payment processing | SCCs + DPF |
| Resend Inc. | USA | Transactional email | SCCs |
| PostHog Inc. | EU | Product analytics | EU region |
| Crisp IM SARL | EU (FR) | Customer support chat | EU region |
| Google LLC | USA | Analytics (GA4), Clarity | SCCs + DPF |
| Microsoft Corporation | USA | Session recording (Clarity) | SCCs + DPF |
| Functional Software | USA | Error monitoring (Sentry) | SCCs |
| Vercel Inc. | USA | Hosting and CDN | SCCs |
Annex B — Technical and organisational security measures
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.2 minimum
- Database: Row-level security (RLS) enforcing org-level data isolation
- Access control: Role-based (owner/admin/member), least privilege principle
- Authentication: Supabase Auth with JWT tokens; MFA available
- API security: Rate limiting, HMAC webhook signatures, API key hashing (SHA-256)
- Backup: Automated daily backups with point-in-time recovery
- Incident response: 72-hour breach notification to affected Controllers
- Vulnerability management: Regular dependency audits
- Personnel: Confidentiality agreements for all staff with data access
To request a signed DPA or raise a DPA question: support@michiplatform.com