
Terms & Conditions Lexidy Outsourcing

1. LEGAL INFORMATION AND ACCEPTANCE

TERMS & CONDITIONS

WORK TEAM

The services covered under this Agreement shall be supervised by Federico Richardson Alborna, Managing Partner and Administrator of Lexidy Outsourcing S.L., a company specialising in business support services, including:

  • Payroll processing

  • Accounting

  • Tax advisory

  • Compliance assistance

  • And other operational back-office services

The execution of the services will be carried out by the appropriate qualified professionals within Lexidy Outsourcing S.L., depending on the nature, scope, and complexity of the assistance requested, always ensuring the highest standard of service within the company’s areas of expertise.

For the avoidance of doubt, Lexidy Outsourcing S.L. acts as an independent service provider and shall not assume, unless expressly agreed otherwise in writing, the role of director, legal representative, or employer of the Client’s personnel, nor any decision‑making powers of the Client’s governing bodies.

 

INVOICING




The fees and expenses for the services requested shall be invoiced directly by Lexidy to the Client, or to any subsidiary expressly designated for such purpose, as set out in the engagement terms.

All quoted fees are exclusive of VAT (21%), which shall be added where applicable and itemised in the corresponding invoice. Where intra-EU VAT exemptions apply, VAT shall not be charged. In addition, the Client shall bear any necessary expenses associated with the provision of the services, including but not limited to: translation, legalisation, notarisation, registry fees, transport, courier dispatch, digital certificates, and representation before public authorities.

The client is obligated to provide all supporting documentation required for correct invoicing and VAT treatment. In the absence of such documentation, the applicable VAT will be charged.

Payment in full is required prior to the commencement of services, unless otherwise agreed in the specific quote. Acceptance of these Terms and Conditions constitutes the Client’s authorisation for Lexidy to issue the corresponding invoice and begin work.

Any financing or instalment arrangements offered by such third‑party providers are entered into directly between the Client and the relevant provider and shall not affect the Client’s payment obligations towards Lexidy.

Payments may be processed through third-party platforms or financing providers. These services operate independently and are governed by their own terms. Lexidy accepts no responsibility for their availability, authorisation, delays, or technical performance. The Client remains fully responsible for ensuring full payment for the services is duly completed to Lexidy. Choosing instalments does not reduce this obligation, and any unpaid balance may be claimed directly from the Client.

 

Fees for recurrent outsourcing services may be reviewed annually, from the second year onwards, in line with the inter‑annual Consumer Price Index (CPI) or any other agreed index, and/or in the event of significant increases in the Client’s activity or volume (including, without limitation, number of employees, number of accounting entries, or turnover), upon prior written notice to the Client.

  • Refunds Policy

Lexidy’s professional fees are, as a general rule, strictly non‑refundable and are independent of the outcome or success of any application, filing, or service. Any specific refund or credit rights shall only apply where expressly set out in the applicable engagement terms.

  • Right of Withdrawal 

When the Client qualifies as a consumer or, where applicable, as a self‑employed professional under applicable EU consumer protection laws and the Contract is concluded at a distance or off‑premises, the Client shall have a period of fourteen (14) calendar days from the date of payment to withdraw from the Contract without giving any reason.

 

To exercise this right, the Client may send an email to the address indicated in the Proposal, clearly stating their decision to withdraw from the Contract. Lexidy will acknowledge receipt of the withdrawal on a durable medium.

 

If the Client expressly requests Lexidy to begin providing the services during this 14‑day period, the Client acknowledges and agrees that, in the event of withdrawal, Lexidy will be entitled to the proportion of the agreed fees corresponding to the services effectively provided, work performed and time spent up to the date on which the Client communicates the withdrawal. Any official fees, translations, notarizations, legalisations and other third‑party costs already incurred on behalf of the Client will in all cases remain non‑refundable.

 

The Client further understands and accepts that the statutory right of withdrawal will be lost if the services have been fully performed within the 14‑day period, provided that the Client has given prior express consent for the services to commence during that period and has expressly acknowledged that they would lose the right of withdrawal once the services have been fully performed.


  • Early Termination by the Client and Commercial Refund Policy

 

This Agreement has a minimum term of three (3) months from the date of signing. During this period, neither party may terminate the Agreement without cause. After the minimum term, either party may terminate this Agreement without cause by giving the other party at least thirty (30) calendar days’ prior written notice before the intended termination date.

Upon termination, the Client shall remain liable for all fees and expenses corresponding to services provided up to the effective date of termination and, where applicable, for fixed fees covering the notice period.

No refund shall be due in respect of fees already invoiced or paid for services duly rendered before the effective termination date.

Any third-party costs, official fees, translations, notarisations, administrative charges, or other external expenses incurred on behalf of the Client shall be non-refundable in all cases.

 

In all cases, Lexidy reserves the right to deduct from any applicable refund the value of work already performed, time invested, or services rendered up to the date of termination. Any third-party costs, official fees, translations, notarizations, administrative charges, or other external expenses incurred on behalf of the Client shall be non-refundable under any circumstances.




ANTI-MONEY LAUNDERING POLICIES

Lexidy complies with all applicable legislation on the prevention of money laundering and the financing of terrorism, including Law 10/2010 of 28 April and Royal Decree 304/2014.

To this end, Lexidy is legally required to verify the identity of its clients and, where applicable, their up‑to‑date beneficial owners and corporate control structure, as well as the nature of their business or professional activity, prior to the commencement of any services. The Client must provide accurate, complete, and up‑to‑date information and documentation for this purpose. This may include personal identification documents, proof of business activity, and structural charts in the case of corporate entities or non-profits.

Lexidy may use electronic identification services to carry out this verification and will retain such documentation for the period required by law.

In certain circumstances, Lexidy may be legally required to report to the Executive Service for the Prevention of Money Laundering and Terrorist Financing (SEPBLAC) any transaction, assignment, or activity that raises reasonable suspicion of money laundering or terrorist financing. Lexidy is prohibited by law from informing the Client of such reporting and may be required to suspend or terminate its services without prior notice. Lexidy shall not be liable for any delays, losses, or damages resulting from the fulfilment of these legal obligations.

The provision of services will not commence until the required Know Your Client (KYC) process has been completed and the submitted information has been duly verified. If the Client fails to complete the KYC process within fifteen (15) calendar days, Lexidy reserves the right to cancel the engagement and refund any fees paid, subject to deduction of any applicable administrative costs.



PROFESSIONAL INDEMNITY INSURANCE

Lexidy Group is covered under the professional liability insurance policy issued by GENERALI España, S.A. de Seguros y Reaseguros.

This policy provides coverage of up to 2,000,000.00 EUR per claim, including legal defence costs and damages in accordance with the policy’s terms.





RESPONSIBILITY OF LEXIDY

  • Client’s Responsibility

The Client acknowledges that all decisions concerning the execution, follow-up, and implementation of any legal advice, opinion, or recommendation provided by Lexidy are made at the Client’s own risk and responsibility.

The Client is solely responsible for the accuracy, completeness, and timeliness of all information and documentation provided to Lexidy, including documentation required for Know Your Customer (KYC) procedures. Lexidy shall not be liable for any damages arising from the use of incomplete, false, inaccurate, or delayed information provided by the Client.

The Client acknowledges that any delay, omission, or inaccuracy in the information or documentation supplied, including payroll, accounting, and tax data, may adversely affect the provision and timing of the services and may limit or exclude Lexidy’s liability for any resulting penalties, surcharges, or damages.

The limitations of liability set out in these Terms and Conditions are intended to operate in harmony with, and not in excess of, the coverage provided under this professional liability insurance, without prejudice to any mandatory legal provisions that may apply.

  • Nature and Scope of Services

Lexidy does not assume or exercise decision-making powers of the Client’s governing or management bodies. Lexidy shall not act on behalf of the Client or intervene before third parties, unless expressly authorised in writing by the Client. Any such intervention will be carried out in the Client’s name and under its exclusive responsibility. The relationship between the Client and Lexidy shall not constitute, unless expressly agreed in writing, any agency, employment, mandate, or representation arrangement.

In particular, Lexidy shall not assume any employer obligations towards the Client’s staff, nor any director or representative duties, unless expressly agreed in writing.

  • Limitation of Liability

Lexidy shall only be liable to the Client for damages directly caused by proven fraud or gross negligence by Lexidy or its professionals in the course of service delivery.

In all other cases, Lexidy’s liability shall be limited to direct damages that were foreseeable and attributable to Lexidy at the time of accepting the relevant engagement, subject to the following monetary caps:

  • For recurring or ongoing services (or engagements exceeding one year): a maximum of six (6) months’ worth of fees paid for the relevant service.

  • For one-off or short-term services (duration under one year): a maximum of three (3) times the total fees paid for such service.

In all cases, the Client must submit a detailed written claim within three (3) years from the end of the service provision. Claims submitted after this period will be time-barred, except in cases of fraud, for which the applicable statutory limitation period shall apply.

Nothing in this clause shall limit or exclude any liability that cannot be limited or excluded under mandatory applicable law, including, where applicable, certain rights of Clients acting as consumers, or in cases of fraud or wilful misconduct.

In particular, Lexidy shall not be liable for any fines, penalties, surcharges, or interest imposed by tax, labour, or social security authorities where such sanctions arise, in whole or in part, from late, incomplete, or inaccurate information or documentation provided by the Client, or from the Client’s failure to follow Lexidy’s recommendations.

  • Exclusions

Lexidy shall not be liable for:

  • Any indirect, consequential, or reputational damages;

  • Damages arising in whole or in part from the Client’s wilful misconduct, bad faith, gross negligence, or failure to provide timely and truthful information;

  • Failures due to force majeure or events beyond Lexidy’s reasonable control.

Liability, if any, shall be owed exclusively to the Client and not to any third parties who may use or rely upon the services rendered by Lexidy.

 

CONTRACT RESCISSION

  • Confidentiality

Lexidy undertakes to treat all information received from the Client with the strictest confidentiality, which shall survive the termination of the engagement indefinitely, unless disclosure is required by law or competent authority.

  • Termination of Legal Engagement

The legal relationship between Lexidy and the Client shall be deemed terminated when Lexidy ceases to be actively involved in the matter for which it was engaged.

Lexidy may, at its discretion and in accordance with applicable professional conduct rules, terminate the provision of services and representation of the Client for justified reasons, including but not limited to:

  • Non-compliance with anti-money laundering (AML), Know Your Customer (KYC), or conflict-of-interest procedures;

  • Lack of cooperation or communication by the Client;

  • Failure to provide required documents or information necessary for service execution;

  • Actions or requests by the Client that are unethical, illegal, or contrary to Lexidy’s professional obligations;

  • The development of a conflict of interest.

In the case of recurrent outsourcing services, and without prejudice to the above justified causes, Lexidy may also terminate the engagement with prior written notice of thirty (30) as specified in the engagement terms, where there is a material change in the Client’s risk profile or circumstances that renders the continuation of the services objectively disproportionate under the agreed commercial terms.

In such cases, Lexidy shall provide written notice to the Client, and the Client shall be responsible for all fees and expenses accrued up to the effective date of termination. If the representation has not yet begun, and services were prepaid, Lexidy may retain an amount proportional to the preparatory work undertaken.

  • Inactivity by the Client

If the Client fails to respond within one (1) year to a written request and at least two (2) follow-up communications requesting essential documentation or action necessary for the provision of services, Lexidy reserves the right to terminate the engagement unilaterally. No refund shall be due for any fees paid. Termination shall be communicated in writing with reference to the unresponsiveness.

Any amounts retained by Lexidy in such cases shall be deemed to cover the work already performed, time invested, and administrative costs incurred up to the date on which the engagement is deemed terminated.

  • Return of Materials

Upon termination of services, Lexidy shall return to the Client all original documents and materials provided by the Client upon request, except those that are required to be retained by law or for Lexidy’s legitimate record-keeping purposes. The Client shall likewise return any materials or property belonging to Lexidy.



 

APPLICABLE LAW AND DISPUTE RESOLUTION

  • Applicable Law 

This Agreement, including its formation, validity, performance, interpretation, and any amendments or revisions, shall be governed exclusively by the laws of Spain, and specifically by the provisions of Spanish Common Law (“legislación común española”), excluding any conflict-of-law rules.

  • Jurisdiction and Resolution of Disputes

The parties expressly agree that any dispute, controversy, or claim arising out of or in connection with this Agreement, including non-contractual obligations, shall first be submitted to mediation in accordance with the rules of the Mediation Centre of the Barcelona Bar Association (CEMICAB). The place of mediation shall be Barcelona, and the language of the mediation shall be English.

If the dispute is not resolved within thirty (30) calendar days from the date mediation commences, or if either party refuses to participate or continue in the mediation process, the matter shall be referred to and finally settled by arbitration in accordance with the rules of the Arbitral Tribunal of the Barcelona Bar Association (Tribunal Arbitral del Colegio de la Abogacía de Barcelona, TACAB).

The arbitration shall be conducted:

  • by a sole arbitrator,

  • in the city of Barcelona,

  • in the Spanish language, and

  • under the procedural rules in force at the time of commencement of arbitration.

The parties expressly waive any right to submit disputes to ordinary courts, except for urgent precautionary or interim measures which may be brought before the courts of Barcelona, without such recourse being considered a waiver of arbitration.

 

CONFIDENTIALITY

  • Professional Secrecy

Lexidy shall be bound by the duty of professional secrecy in accordance with applicable legal and ethical standards governing the legal profession. This duty shall continue to apply after the termination of the contractual relationship. All lawyers, staff, and collaborators of Lexidy shall maintain in strict confidence any information to which they may gain access in the course of their professional duties, except where disclosure is required by law.

  • Legal Disclosure Obligations

Notwithstanding the foregoing, Lexidy may be required to disclose certain information to competent authorities pursuant to:

  • Spanish and EU legislation on the prevention of money laundering and terrorist financing;

  • Council Directive (EU) 2018/822 of 25 May 2018 (DAC6) and its implementing legislation, concerning the mandatory reporting of certain cross-border arrangements.

In such cases, Lexidy shall act in good faith and, where permitted by law, inform the Client of such disclosures.

  • Mutual Confidentiality Undertaking

The Parties mutually undertake to:

  • Share only the information reasonably required for the proper execution of the Agreement;

  • Maintain the confidentiality of all such information both during the term of the Agreement and after its termination;

  • Not disclose, disseminate, or use any such information for any purpose other than that agreed herein;

  • Refrain from disclosing any details relating to clients, leads, commercial contacts, or internal communications, without the prior written consent of the other Party.

  • Definition of Confidential Information

“Confidential Information” shall, for the purposes of this Agreement, include but shall not be limited to:

  • Technical, legal, tax, financial, and commercial information;

  • Business models, strategies, and know-how;

  • Names and contact details of clients or prospective clients;

  • Details of projects, commercial proposals, and operations under consideration;

  • Market studies, forecasts, internal reports, memoranda, or analyses;

  • Internal discussions or correspondence relating to the engagement;

  • Any information disclosed, directly or indirectly, whether orally, in writing, electronically, or by any other means, in connection with this Agreement.

  • Exceptions to Confidentiality

Information shall not be deemed Confidential Information where it:

  • Is or becomes publicly available other than as a result of a breach of this Agreement;

  • Is lawfully received from a third party not bound by confidentiality;

  • Was already known by the receiving Party prior to disclosure;

  • Must be disclosed by law, court order, or regulatory obligation, provided the disclosing Party gives prompt written notice to the other Party (unless prohibited by law).

  • Information Security and Third-Party Access

Each Party shall:

  • Take appropriate technical and organisational measures to prevent unauthorised access, disclosure, or misuse of Confidential Information;

  • Ensure that employees, advisers, subcontractors, or other representatives who may have access to Confidential Information are bound by confidentiality obligations no less stringent than those set out herein;

  • Implement safeguards against security threats or data breaches that could compromise the integrity or confidentiality of such information.

  • Consent to Disclosure

If either Party intends to disclose Confidential Information for any reason not permitted herein, it shall first obtain the prior written consent of the other Party.

  • Return or Destruction of Confidential Information

Upon termination of this Agreement, each Party shall, upon request and to the extent permitted by law, return or permanently delete all Confidential Information received from the other Party, regardless of format or medium, unless retention is required to comply with a legal obligation.



DATA PROTECTION

Lead management and CRM – Lexidy Tech S.L.

Lexidy Tech S.L. acts as a data controller for the purposes of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and Spanish Organic Law 3/2018 of 5 December on Personal Data Protection and guarantee of digital rights (LOPDGDD), in relation to the personal data it collects through Lexidy Group websites, online forms, landing pages, digital campaigns and its customer relationship management (CRM) platform (currently HubSpot or any successor tool), as well as in relation to the management of leads and pre‑contractual enquiries concerning outsourcing services.

For these purposes, Lexidy Tech S.L. processes identification and contact details and basic information about the Client’s country of origin and requested outsourcing services (for example, accounting, tax, payroll or HR administration) in order to (i) manage requests for information, (ii) qualify and route leads within the Lexidy Group, (iii) prepare and send proposals, and (iv) monitor the performance of marketing and business development activities.

Depending on the nature of the requested services and internal allocation rules, Lexidy Tech S.L. may share such lead and contact data with Lexidy Outsourcing S.L. and, where relevant, with other Lexidy Group entities, strictly for internal administration, lead allocation and, where applicable, the performance of services in other jurisdictions, always under appropriate contractual and security safeguards.

 

The Client may exercise their rights of access, rectification, erasure, restriction of processing, objection, data portability and not to be subject to automated individual decisions, including profiling, in relation to this lead‑management processing by contacting Lexidy Tech S.L. at Avinguda Diagonal 442, 1‑1, 08037 Barcelona, Spain, or by email at compliance@lexidy.com / info@lexidy.com. The Client may also lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD) via www.aepd.es if they believe their data protection rights have been violated in this context.

 

Performance of outsourcing services – Lexidy Outsourcing S.L.

For the purposes of GDPR and LOPDGDD, Lexidy Outsourcing S.L. (“Lexidy Outsourcing”) may act as:

  • an independent data controller for its own client contact, billing and compliance data; and
  • a data processor on behalf of the Client in respect of personal data of the Client’s employees, directors and other data subjects, as defined in the applicable Engagement Letter and Data Processing Agreement (DPA).

For the controller‑level processing (for example, client contact and billing data):

Purpose of processing: managing the contractual relationship with the Client, issuing invoices, maintaining internal records, and complying with legal and regulatory obligations.

Legal basis: performance of the contract with the Client and compliance with Lexidy Outsourcing’s legal obligations.

Retention: data will be retained for the duration of the contractual relationship and, once concluded, for the period required to comply with applicable legal, regulatory and tax obligations, and then deleted securely.

Recipients: data may be communicated to public authorities, courts and regulators where legally required, and to service providers (including IT, CRM and infrastructure providers) acting as data processors on behalf of Lexidy Outsourcing under appropriate agreements.

For the processor‑level processing (for example, payroll and HR data of the Client’s staff), Lexidy Outsourcing will process personal data only in accordance with the Client’s documented instructions, as set out in the DPA and in compliance with GDPR and LOPDGDD.

The Client and, where applicable, the data subjects may exercise their rights of access, rectification, erasure, restriction, objection and portability in accordance with the terms set out in the applicable privacy notice and, where Lexidy Outsourcing acts as processor, through the Client as controller. Complaints may be lodged with the AEPD via www.aepd.es.




ACCEPTANCE & ENTIRETY

These Terms and Conditions constitute the entire agreement between the parties in relation to the subject matter and supersede all prior discussions, negotiations, representations or agreements, whether oral or written.

No waiver or amendment shall be binding unless made in writing and signed by an authorised representative of the firm.

 

SEVERANCE

If any provision of these Terms and Conditions is found to be invalid, unlawful or unenforceable, that provision shall be deemed severed, and the remainder shall continue in full force and effect.

The parties shall negotiate in good faith to replace any such provision with a valid and enforceable one that most closely reflects their original intent.



Amendments to Terms and Conditions

 

Lexidy reserves the right to amend these Terms and Conditions at any time for legal, technical, operational, or commercial reasons.
Any material changes will be communicated to the Client by email, through an update in the client portal, or in the contractual documentation.

Such changes will apply only to services contracted after the date indicated in the notice. If the Client does not agree with the modifications, they may request to terminate the agreement without penalty for services not yet provided.

For the avoidance of doubt, if a separate contract has already been signed between Lexidy and the Client for ongoing services (defined as legal services provided on a continuous basis for a period exceeding two months), that contract will prevail over these Terms and Conditions for the services it covers. In such cases, Lexidy will directly inform the Client of any material changes that may impact the ongoing services.




DEBT RECOVERY & DATA TRANSFER

In the event that the Client fails to make the payment within the agreed timeframe, Lexidy reserves the right to transfer the debt to its Collections Department or to collaborating agencies specialized in debt collection. The Client expressly authorizes Global Recobros to carry out the appropriate actions within the legal framework and regulations in force, pursuant to the GDPR, for the use of data, location of their debtors, obtaining commercial solvency reports, and listings in default registers such as ASNEF, Equifax, ICIRE, among others, as well as to collect the debt validly, always in accordance with the legal requirements for reporting debts to credit information systems, including the existence of a due, payable, undisputed debt and prior notice to the Client where required by law.

The Client commits that the unpaid debts are certain, liquid, determined, due, and enforceable, in order to facilitate and resolve the payment compliance by the debtor.

Lexidy guarantees that all the Client’s personal data will be processed in accordance with current data protection regulations, ensuring their confidentiality and appropriate use solely for the purposes described in this clause.

Additionally, the Client agrees that, in the event of non-payment, they may receive automated calls and messages (SMS, emails) from Lexidy or collaborating agencies. These communications will aim to inform the Client about the status of their debt and manage its recovery.

  • Late Payment Interest: In the event that the Client fails to make the payment of the invoice within the established period, a late payment interest of 3%, or the maximum rate permitted by applicable law if lower, will be applied on the outstanding amount. This interest will be calculated as follows:
  • Interest Calculation: The interest of 3%, or the maximum rate permitted by applicable law if lower, will be applied to the total amount of the unpaid invoice. The calculation will be based on an annual rate and prorated for the days of delay in payment.
  • Application Period: The interest will start to accrue from the day following the expiration of the agreed payment period and will continue until the date the full amount owed is paid.
  • Payment of Interest: The Client must pay the amount of the late payment interest along with the payment of the principal debt. Lexidy will provide a detailed breakdown of the accrued interest in the communication regarding the status of the debt.







ANNEX – DATA PROCESSING AGREEMENT (DPA)

for Software / SaaS Providers – Lexidy Outsourcing S.L.

 

  1. Parties and role in the processing

This Data Processing Agreement (“Agreement” or “DPA”) is entered into between:

Lexidy Outsourcing S.L. (“Lexidy” or the “Controller/Primary Processor”), with its registered address and tax identification number (NIF) as indicated in the applicable proposal, purchase order or service agreement, which acts, as applicable, as:

  • Controller in relation to its own internal data processing activities; and/or
  • Processor in relation to personal data processed on behalf of its clients in the context of accounting, tax, payroll and related outsourcing services.

The software, infrastructure or SaaS provider identified in the purchase order, proposal, master services agreement or relevant technical annex (“Provider”, acting as Processor when Lexidy acts as Controller, or as Sub‑processor when Lexidy acts as Processor on behalf of its own clients).

When Lexidy uses the Provider’s services to process personal data that Lexidy controls (for example, client or contact data of Lexidy), the Provider shall act as processor on behalf of Lexidy as controller.

When Lexidy uses the Provider’s services to process personal data on behalf of Lexidy’s own clients, the Provider shall act as sub‑processor on behalf of Lexidy in its role as processor, in accordance with Article 28(4) GDPR.

In both cases, the Provider is bound by the obligations set out in this Agreement.

 

  2. Subject matter, duration, nature and purposes of the processing

Subject matter.

This Agreement governs the conditions under which the Provider processes personal data on behalf of Lexidy in order to provide the software, infrastructure, support and related services described in the applicable proposal, main contract or technical annex (the “Services”).

 

Duration.

This Agreement shall remain in force for as long as the Provider processes personal data on behalf of Lexidy in connection with the Services. Upon full termination of the Services, or whenever so requested by Lexidy, Clause 11 (Return and deletion of data) shall apply.

 

Nature and purposes.

The processing may consist, inter alia, of the following operations: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, for the following main purposes, as applicable:

 

  • Provision of accounting and financial reporting services supported by accounting/ERP tools.
  • Provision of payroll and HR management services, including the preparation of payslips, social security filings, employment contracts and communications to labour and social security authorities.
  • Provision of tax compliance and related services, including the preparation and submission of tax returns, periodic filings, SII or other formal obligations.
  • Provision of document management, archiving, cloud storage, electronic signature and case management services.
  • Any other technology or support services described in the applicable technical annex.

  3. Types of data and categories of data subjects

Unless otherwise specified in the relevant technical annex, the Provider may process, on behalf of Lexidy, the following categories of data subjects and personal data:

 

Categories of data subjects:

  • Employees, former employees and candidates of Lexidy’s client.
  • Directors, attorneys‑in‑fact, legal representatives and shareholders of the client.
  • Self‑employed workers, professionals and collaborators of the client.
  • Suppliers and third parties involved in the client’s accounting, tax and payroll operations.
  • Any other data subjects whose data are lawfully entered into the systems covered by the Services.

Categories of data:

 

  • Identification data (name, surname, ID/passport, address, phone, email, signature).
  • Employment data (position, department, work centre, working time, employment regime, employment history, incidents, hirings, terminations and changes).
  • Payroll and remuneration data (base salary, supplements, bonuses, deductions, garnishments, benefits in kind and social benefits).
  • Tax and financial data (tax ID, tax status, taxable bases, withholdings, contributions, bank information needed for payments/collections).
  • Social security data (affiliation number, contribution bases, contingencies, status of registration/deregistration).
  • Professional and corporate contact data (corporate emails, business phone numbers, user IDs and access credentials).
  • Data contained in accounting and supporting documentation (invoices, contracts, receipts, accounting entries and supporting documents).
  • Any other personal data lawfully provided by the client to Lexidy that are necessary for the purposes described in Clause 2.

As a general rule, no processing of special categories of data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR) is envisaged, unless expressly described in the technical annex and subject to the implementation of any additional safeguards required by law.

 

  4. General obligations of the Processor / Sub‑processor

The Provider, acting as Processor or Sub‑processor, undertakes to:

  1. Process personal data only on documented instructions from Lexidy, which include this Agreement, the main contract and the technical annexes. The Provider shall not process the data for its own purposes or for any purposes other than those indicated.
  2. Refrain from using the data for its own marketing, independent profiling, data monetisation or disclosure to third parties, unless expressly authorised in advance in writing by Lexidy.
  3. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  4. Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and as further described in Clause 6 and in the technical annex.
  5. Assist Lexidy, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligation to respond to data subject requests (access, rectification, erasure, restriction, objection, portability and any other applicable rights).
  6. Assist Lexidy in ensuring compliance with the obligations regarding security of processing, personal data breach notification, data protection impact assessments and, where applicable, prior consultation with the supervisory authority, insofar as reasonably possible and proportionate.
  7. Make available to Lexidy all information necessary to demonstrate compliance with the obligations laid down in this Agreement and in Article 28 GDPR, and allow for and contribute to reasonable audits and inspections carried out by Lexidy or by another auditor mandated by Lexidy, as described in Clause 10.
  8. Ensure that, unless required to do so by Union or Member State law, it will not disclose or otherwise make available personal data to any third party other than Lexidy, the end client or authorised sub‑processors without Lexidy’s prior written authorisation.

  5. Processing instructions and notification of impossibility

The Provider shall inform Lexidy without undue delay if, in its opinion, an instruction infringes GDPR or other Union or Member State data protection provisions. In such case, the Provider may suspend execution of the relevant instruction until Lexidy confirms, amends or withdraws it in writing.

 

  6. Security measures

The Provider represents and warrants that it has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

 

Such measures shall include, at least, where appropriate:

  • Pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • Logical and physical access controls, identity and privilege management, and logging of relevant activities.
  • Backup, retention and secure deletion policies for personal data.

The specific measures applicable to each Service may be described in the relevant technical annex. If the Provider intends to materially modify such measures, it shall notify Lexidy in advance, allowing Lexidy to assess their adequacy.

 

  7. Sub‑processing (sub‑processors)

The Provider shall not engage another processor (“sub‑processor”) that will have access to personal data without prior written authorisation from Lexidy, which may be specific to one or more individual sub‑processors, or general for an identified category of sub‑processors.

 

Where sub‑processing is authorised, the Provider undertakes to:

 

  • Enter into a written contract with each sub‑processor imposing data protection obligations equivalent to those set out in this Agreement.
  • Remain fully liable to Lexidy for the performance by sub‑processors of their data protection obligations, as if their acts and omissions were those of the Provider itself.
  • Maintain an up‑to‑date list of authorised sub‑processors and make it available to Lexidy upon request.

  8. International data transfers

The Provider shall not carry out international transfers of personal data to a third country or an international organisation that does not provide an adequate level of protection, unless:

 

  • Such transfer is covered by an adequacy decision of the European Commission; or
  • Appropriate safeguards are in place in accordance with Article 46 GDPR (such as standard contractual clauses, binding corporate rules, approved codes of conduct or certification mechanisms); or
  • One of the derogations set out in Article 49 GDPR applies and Lexidy has been informed in advance.

In all cases, the Provider shall inform Lexidy, prior to carrying out any such transfer, of the envisaged transfers and the safeguards relied upon, and shall provide Lexidy with copies of the relevant documentation upon request.

 

  9. Personal data breach notification

The Provider shall notify Lexidy without undue delay and, where feasible, not later than 48 hours after becoming aware of any personal data breach affecting personal data processed under this Agreement.

 

Such notification shall, at least, include the following information, insofar as it is available at that time:

  • A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  • The name and contact details of the data protection officer or other contact point where more information can be obtained.
  • A description of the likely consequences of the personal data breach.
  • A description of the measures taken or proposed to be taken by the Provider to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Provider shall cooperate diligently with Lexidy to provide any additional information that becomes available and to assist Lexidy in complying with its obligations to notify the competent supervisory authority and, where applicable, the affected data subjects.

 

  10. Audits and inspections

Lexidy shall have the right to carry out, itself or through independent external auditors, reasonable audits (including inspections) in order to verify the Provider’s compliance with this Agreement and with applicable data protection law.

Unless there is a reasonable suspicion of a serious breach or data incident, audits shall be conducted upon prior reasonable notice, during normal business hours and in a manner that minimises disruption to the Provider’s operations.

The costs of the audits shall be borne by Lexidy, unless serious breaches attributable to the Provider are detected, in which case the Provider shall bear the reasonable additional costs of any follow‑up audits that may be necessary.

  11. Return and deletion of data

Upon termination of the Services or upon Lexidy’s request, the Provider shall, as instructed by Lexidy:

  • Return to Lexidy all personal data processed on its behalf, as well as any copies in the possession of the Provider or its authorised sub‑processors, in a structured, commonly used and machine‑readable format; and/or
  • Proceed to the secure deletion of all personal data and copies thereof, without prejudice to any retention that may be strictly necessary to comply with a legal obligation incumbent on the Provider, in which case the data shall be kept duly blocked.

At Lexidy’s request, the Provider shall certify in writing that it has returned and/or securely deleted the data in accordance with the above.

  12. Prevalence and hierarchy

In the event of any conflict between the provisions of this Agreement and those of the main contract, the provisions of this Agreement shall prevail with respect to personal data processing, unless the main contract contains more protective or stricter data protection terms, in which case the more protective or stricter terms shall apply.

  13. Technical annexes per system or application

For each software, SaaS, ERP, payroll system, tax filing platform or document management tool used by Lexidy in the context of the Services, a specific technical annex shall be attached and shall form an integral part of this Agreement, containing at least the following information:



| Item | Description |
| --- | --- |
| Provider / Solution | Legal name of the provider, software trade name, version, URL |
| Services included | Accounting / Payroll / Tax / Document management / E‑signature / Other |
| Data location | Country(ies) of hosting, infrastructure provider, international transfers and safeguards |
| Categories of data subjects | Employees, directors, self‑employed, suppliers, others |
| Categories of data | Identification, employment, payroll, tax, banking, others |
| Security measures | Summary of encryption, access control, backups, logging, etc. |
| Sub‑processors | List of third parties involved (e.g. cloud provider), role and location |
| End of relationship | Data export and deletion procedures, timelines and formats |