Data Processing Agreement

Last updated: 7 June 2026

Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between TopLan Solution and the Client where TopLan Solution processes personal data on behalf of the Client.

This DPA applies when TopLan Solution provides services that involve the processing of personal data for the Client, including but not limited to customer communication systems, smart booking systems, review request systems, smart menu and ordering systems, websites, forms, customer follow-up flows, AI-assisted business support, reporting, invoicing support, and related digital services.

This DPA is intended to define the roles, responsibilities, and obligations of the parties regarding the processing of personal data under applicable data protection laws, including the General Data Protection Regulation (GDPR), where applicable.

Parties

Processor:

TopLan Solution
Legal name / registered business name: TopLan Solution
Trade name: TopLan Solution
Legal form: Sole proprietorship / Eenmanszaak, operated as a secondary occupation / zelfstandige in bijberoep
Company number: 1001.822.730
VAT number: BE1001.822.730
Business address: Kattenstraat 188, 8800 Roeselare, Belgium
Email: [email protected]
Phone / WhatsApp: +32 476 09 11 20

Controller:

The Client who purchases, uses, or receives services from TopLan Solution.

The Client’s identity, business details, and contact information are defined in the accepted proposal, invoice, agreement, or onboarding information.

Relationship between the parties

For personal data processed by TopLan Solution on behalf of the Client, the Client acts as the Data Controller and TopLan Solution acts as the Data Processor, unless otherwise agreed in writing.

The Client determines the purposes and means of processing personal data.

TopLan Solution processes personal data only to provide the agreed services and according to the Client’s documented instructions, unless required otherwise by applicable law.

Scope of this DPA

This DPA applies to the processing of personal data carried out by TopLan Solution on behalf of the Client.

This may include processing through:

Smart customer communication systems

Smart booking systems

Review request systems

Smart menu and ordering systems

Website forms

Dedicated offer pages

Customer follow-up flows

Client management systems

AI-assisted message organization

Payment or invoice support

Reporting tools

Business support systems

Technical setup and support activities

Processing instructions

TopLan Solution shall process personal data only on documented instructions from the Client.

The Client’s documented instructions may include:

The accepted proposal

The service agreement

The onboarding form

Written messages

System configuration requests

Workflow setup instructions

Support requests

Approved project scope

Other written instructions provided by the Client

TopLan Solution may refuse to follow an instruction if, in its reasonable opinion, the instruction may violate applicable data protection law, platform rules, security requirements, or these terms.

If TopLan Solution believes that an instruction may violate data protection law, it will inform the Client where legally permitted.

Subject matter of processing

The subject matter of processing is the provision of digital business systems and related services by TopLan Solution to the Client.

This may include the setup, configuration, operation, support, maintenance, and improvement of systems used for customer communication, bookings, reviews, menus, forms, websites, follow-up, reporting, and AI-assisted business support.

Duration of processing

TopLan Solution processes personal data for the duration of the service relationship with the Client.

Processing may continue after the end of the service only where necessary for:

Data export

Service closure

Legal compliance

Accounting and tax obligations

Dispute resolution

Security purposes

Backup retention

Legitimate business records

Compliance with third-party provider requirements

After termination, data will be deleted, returned, anonymized, archived, or restricted according to this DPA, the service agreement, technical feasibility, and applicable legal obligations.

Nature and purpose of processing

The nature of processing may include:

Collection

Recording

Organization

Structuring

Storage

Retrieval

Consultation

Use

Transmission

Disclosure by transmission

Alignment

Combination

Restriction

Erasure

Export

Support access

Technical configuration

Message organization

AI-assisted classification or suggestion

Reporting

The purpose of processing is to provide the agreed services to the Client.

This may include:

Organizing customer communication

Managing bookings

Sending review requests

Displaying smart menus

Processing order-related information

Managing customer inquiries

Supporting follow-up flows

Improving response speed

Supporting business workflows

Providing reports

Supporting payment or invoice-related workflows

Providing technical support

Maintaining system functionality

Improving service delivery

Categories of data subjects

Personal data may relate to the following categories of individuals:

Client representatives

Client employees

Client contractors

Client team members

Client customers

Client leads

Client prospects

Website visitors

Form submitters

Booking users

Review request recipients

Smart menu users

Order submitters

Communication recipients

Support contacts

Other individuals whose data is provided by the Client or processed through the systems

Categories of personal data

Depending on the service, the personal data processed may include:

Name

Business name

Email address

Phone number

Address

City

Country

Communication history

Messages

Booking details

Appointment details

Order details

Menu selections

Product or service preferences

Branch or location selection

Review feedback

Form submissions

Customer notes

Follow-up status

Payment or invoice-related information

Technical data

IP address

Device information

Browser information

System usage data

Support request data

The exact data processed depends on the Client’s business, the selected services, and the data entered into the systems.

Special categories of personal data

TopLan Solution does not intentionally request or require special categories of personal data unless expressly agreed and necessary for the service.

Special categories of personal data may include health-related data, medical information, biometric data, religious information, or other sensitive data protected under applicable law.

If the Client operates in a sensitive sector, including clinics, dental clinics, beauty centers, medical services, health-related services, wellness services, or similar sectors, the Client is responsible for ensuring that it has a valid legal basis and appropriate safeguards before collecting or processing such data.

The Client must inform TopLan Solution before using any system to process sensitive or regulated data.

TopLan Solution may refuse or restrict the processing of sensitive data if the necessary safeguards are not in place.

Client obligations

The Client is responsible for:

Determining the purposes and means of processing

Having a lawful basis for processing personal data

Informing data subjects about processing

Obtaining consent where required

Ensuring that data provided to TopLan Solution is lawful, accurate, relevant, and necessary

Responding to data subject requests

Defining retention periods

Ensuring that customer communication is lawful

Ensuring that marketing messages comply with applicable laws

Managing staff access and permissions

Reviewing sensitive or important communication

Notifying TopLan Solution of any sensitive, regulated, or high-risk data

Complying with industry-specific rules

Maintaining its own privacy notices and policies

Ensuring that its customers understand how their data is processed

The Client must not instruct TopLan Solution to process personal data unlawfully.

Processor obligations

TopLan Solution shall:

Process personal data only on documented instructions from the Client

Use personal data only for the agreed services

Keep personal data confidential

Ensure that persons authorized to process personal data are subject to confidentiality obligations

Apply reasonable technical and organizational security measures

Assist the Client with data subject requests where reasonably possible

Assist the Client with security and breach obligations where reasonably possible

Use sub-processors according to this DPA

Inform the Client of significant sub-processor changes where appropriate

Delete, return, restrict, or archive data after termination according to this DPA

Make available reasonable information necessary to demonstrate compliance with this DPA

Inform the Client if an instruction appears to violate data protection law, where legally permitted

Confidentiality

TopLan Solution shall ensure that persons authorized to process personal data are required to keep such data confidential.

Confidentiality obligations apply to employees, contractors, service providers, and other authorized persons who may access personal data for service delivery.

TopLan Solution shall not disclose Client Data or End-Customer Data except as necessary to provide the services, comply with law, protect rights, or use approved third-party providers.

Security measures

TopLan Solution shall implement reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

These measures may include, where applicable:

Access control

Password protection

Two-factor authentication where available

User permission management

Limited internal access based on business need

Secure third-party platforms

Secure payment providers

Encryption where available

Backup and recovery measures provided by technology providers

Separation between client workspaces where technically available

Confidential handling of client information

Secure communication practices

System monitoring where available

Security updates where applicable

Removal of unnecessary access

Staff confidentiality expectations

Reasonable administrative controls

The Client acknowledges that no digital system can be guaranteed to be completely secure.

Client security responsibilities

The Client is responsible for:

Using strong passwords

Enabling two-factor authentication where available

Limiting access to authorized users

Removing access for former staff members

Keeping login details confidential

Avoiding shared accounts where possible

Reviewing user permissions regularly

Informing TopLan Solution of any unauthorized access or suspected security issue

Avoiding the upload of unnecessary or excessive personal data

Ensuring that staff members use the systems lawfully and securely

TopLan Solution is not responsible for security incidents caused by the Client’s weak passwords, shared logins, unauthorized staff access, failure to remove users, or misuse of systems.

Sub-processors

The Client gives TopLan Solution general written authorization to use sub-processors where necessary to provide the services.

Sub-processors may include providers for:

Customer management systems

Communication systems

Website hosting

Payment processing

Electronic invoicing

Booking systems

Review systems

Smart menu systems

Analytics

AI-assisted features

Security

Support tools

Domain services

Data storage

Reporting

Technical infrastructure

TopLan Solution shall take reasonable steps to ensure that sub-processors are subject to appropriate contractual, confidentiality, security, or data protection obligations.

TopLan Solution may update, replace, add, or remove sub-processors where necessary for service delivery.

Where appropriate, TopLan Solution may provide a Sub-processors Notice or relevant provider information.

Objection to sub-processors

If the Client has a reasonable data protection objection to a new sub-processor, the Client must notify TopLan Solution in writing within a reasonable time after receiving notice, where notice is provided.

The objection must be based on specific and reasonable data protection grounds.

TopLan Solution may respond by:

Explaining the safeguards in place

Offering an alternative where commercially and technically feasible

Adjusting the service where possible

Terminating the affected service if no reasonable solution is available

TopLan Solution is not required to provide a service if the necessary sub-processor is essential for that service and no reasonable alternative is available.

International data transfers

The Client acknowledges that some personal data may be processed or stored outside Belgium, outside the European Economic Area, or in countries that may not provide the same level of data protection as the European Union.

Where international transfers occur, TopLan Solution aims to rely on appropriate safeguards where required.

These safeguards may include:

Adequacy decisions

Standard Contractual Clauses

Data Processing Agreements

Recognized transfer mechanisms

EU-U.S. Data Privacy Framework participation by relevant providers

Other lawful transfer mechanisms

TopLan Solution does not guarantee that all personal data will remain inside Belgium or inside the European Economic Area.

Assistance with data subject requests

Taking into account the nature of the processing and the information available to TopLan Solution, TopLan Solution shall provide reasonable assistance to the Client in responding to data subject requests.

Such requests may include:

Access requests

Correction requests

Deletion requests

Restriction requests

Objection requests

Data portability requests

Consent withdrawal requests

If TopLan Solution receives a request directly from a data subject regarding data controlled by the Client, TopLan Solution may refer the request to the Client.

TopLan Solution will not respond to such requests on behalf of the Client unless instructed or legally required.

Additional support may be charged separately if the request requires significant time, manual work, technical work, legal review, or third-party provider coordination.

Assistance with compliance obligations

Taking into account the nature of the processing and the information available to TopLan Solution, TopLan Solution shall provide reasonable assistance to the Client with obligations relating to:

Security of processing

Personal data breaches

Data protection impact assessments

Prior consultation with supervisory authorities where applicable

This assistance is limited to information and technical support reasonably available to TopLan Solution.

TopLan Solution does not provide legal advice. The Client remains responsible for consulting qualified legal advisers where necessary.

Personal data breaches

If TopLan Solution becomes aware of a personal data breach affecting personal data processed on behalf of the Client, TopLan Solution shall notify the Client without undue delay after becoming aware of the breach.

The notification may include, where known and reasonably available:

Nature of the incident

Categories of data affected

Categories of data subjects affected

Likely consequences

Measures taken or proposed

Relevant contact information

Any steps the Client may need to consider

The Client is responsible for determining whether notification to a supervisory authority or data subjects is required.

The Client is responsible for making such notifications where the Client is the Data Controller.

Deletion or return of data

At the end of the service, the Client may request deletion or return of personal data processed by TopLan Solution on behalf of the Client.

TopLan Solution shall delete, return, restrict, anonymize, or archive data according to:

The Client’s written instruction

Technical feasibility

Platform limitations

Applicable law

Third-party provider rules

Security requirements

Backup retention practices

Outstanding payment obligations

Legal, accounting, tax, or dispute-related retention obligations

If no instruction is received, TopLan Solution may retain, archive, or delete data according to its standard retention practices and legal obligations.

Backups

Some data may remain in backup systems for a limited period after deletion from active systems.

Backup data may not be immediately accessible or editable.

TopLan Solution and its providers may retain backup copies for security, recovery, legal, or operational reasons.

Backup data will be protected according to reasonable security measures and deleted or overwritten according to standard backup cycles where applicable.

Audit and compliance information

TopLan Solution shall make available reasonable information necessary to demonstrate compliance with this DPA.

The Client may request information about:

Processing activities

Sub-processors

Security measures

Data deletion or export procedures

Relevant service safeguards

Any audit, inspection, or detailed review must be:

Requested in writing

Limited to what is necessary

Conducted during normal business hours

Subject to confidentiality

Not disruptive to TopLan Solution’s business

Not expose data of other clients

Not compromise security or third-party confidentiality obligations

TopLan Solution may charge reasonable fees for audits, inspections, or compliance assistance that require significant time, technical work, or third-party coordination.

Records of processing

Where required by applicable law, each party shall maintain appropriate records of processing activities.

The Client is responsible for maintaining its own records as Data Controller.

TopLan Solution may maintain records relating to processing performed as Processor, where required.

AI-assisted processing

Some services may use AI-assisted features or smart systems to support communication, organization, classification, follow-up, or suggested replies.

The Client understands that AI-assisted outputs may be incomplete, inaccurate, unsuitable, or unexpected.

The Client remains responsible for reviewing important, sensitive, legal, medical, financial, complaint-related, or high-risk communication before acting on it.

The Client must not use AI-assisted features as a substitute for qualified human judgment, professional advice, emergency support, medical advice, legal advice, or financial advice.

Payment and invoicing data

Where TopLan Solution supports payments, invoices, or subscription management, personal data may be processed through payment processors, invoicing tools, accounting tools, or electronic invoicing providers.

Payment providers may act as independent controllers or processors depending on their role and terms.

TopLan Solution may process payment status, transaction references, billing details, invoice information, payment fees, refund status, and payout information for billing, accounting, administration, and dispute management.

Marketing and communication compliance

If the Client uses TopLan Solution systems to send customer communication, marketing messages, follow-ups, reminders, review requests, or promotional messages, the Client is responsible for ensuring that such communication is lawful.

The Client is responsible for:

Obtaining required consent

Respecting opt-out requests

Keeping contact lists lawful and accurate

Avoiding spam

Complying with advertising and communication laws

Complying with platform and provider rules

Ensuring the content of messages is lawful and not misleading

TopLan Solution is not responsible for unlawful contact lists, unlawful marketing, lack of consent, misleading messages, or Client misuse of communication systems.

Special sectors

If the Client operates in a regulated or sensitive sector, the Client is responsible for complying with all applicable sector-specific laws.

Such sectors may include:

Medical services

Dental clinics

Beauty clinics

Health-related services

Financial services

Legal services

Education

Child-related services

Insurance

Other regulated services

The Client must inform TopLan Solution before processing sensitive or regulated data through any system.

TopLan Solution may require additional safeguards, limitations, or written instructions before supporting such processing.

Limitation of processing

TopLan Solution shall not use Client Data or End-Customer Data for its own unrelated purposes.

TopLan Solution shall not sell Client Data or End-Customer Data.

TopLan Solution may process limited service-related data for:

Service delivery

Security

Billing

Support

Troubleshooting

Legal compliance

System maintenance

Quality improvement

Protection of rights

Dispute handling

Confidential business data

In addition to personal data, TopLan Solution may receive confidential business information from the Client.

Such information may include:

Business strategies

Internal workflows

Customer lists

Pricing

Offers

Sales processes

Technical settings

Project details

Financial information

Internal communications

TopLan Solution will handle such information confidentially and use it only as necessary to provide the agreed services, unless disclosure is required by law or authorized by the Client.

Liability

Each party is responsible for its own obligations under applicable data protection law.

The Client is responsible for its role as Data Controller.

TopLan Solution is responsible for its role as Data Processor.

To the maximum extent permitted by law, TopLan Solution shall not be liable for claims, penalties, losses, or damages caused by:

Unlawful instructions from the Client

Data collected unlawfully by the Client

Lack of consent where consent is required

Inaccurate or excessive data provided by the Client

Client misuse of the systems

Unauthorized access caused by Client staff or weak Client security

Failure of the Client to respond to data subject requests

Failure of the Client to maintain its own privacy notices

Client communication sent without lawful basis

Client use of AI-assisted outputs without human review

Order of precedence

This DPA forms part of the agreement between TopLan Solution and the Client.

If there is a conflict between this DPA and the general Terms & Conditions regarding data processing, this DPA shall prevail for the specific data processing issue.

If there is a signed written agreement between the parties that specifically addresses data processing, that signed agreement shall prevail for the matters it expressly covers.

Changes to this DPA

TopLan Solution may update this DPA from time to time to reflect legal, technical, operational, or service changes.

The latest version may be made available on the website or provided to the Client upon request.

If changes materially affect the processing of personal data, TopLan Solution may take reasonable steps to inform active clients where appropriate.

Continued use of the services after updates means the Client accepts the updated DPA, unless mandatory law requires otherwise.

Governing law

This DPA is governed by Belgian law, unless mandatory law provides otherwise.

Contact

For questions about this DPA or data processing matters, contact:

TopLan Solution
Kattenstraat 188
8800 Roeselare
Belgium

Email: [email protected]
Phone / WhatsApp: +32 476 09 11 20

Company number: 1001.822.730
VAT number: BE1001.822.730

Privacy contact: [email protected]

Appendix 1: Processing details

Subject matter:

Provision of smart business systems, websites, booking systems, review systems, smart menu and ordering systems, customer communication support, customer follow-up flows, AI-assisted business support, reporting, and related digital services.

Duration:

For the duration of the service relationship and any additional period required for legal, accounting, security, backup, dispute, or technical reasons.

Nature of processing:

Collection, recording, organization, structuring, storage, retrieval, consultation, use, transmission, restriction, erasure, export, technical configuration, support access, message organization, reporting, and AI-assisted support where applicable.

Purpose of processing:

To provide the agreed services to the Client, including customer communication, bookings, reviews, menus, forms, websites, follow-up, reporting, support, and business system operation.

Categories of data subjects:

Client representatives, Client employees, Client contractors, Client customers, Client leads, Client prospects, website visitors, form submitters, booking users, smart menu users, review request recipients, order submitters, and other individuals whose data is processed through the services.

Categories of personal data:

Name, business name, email address, phone number, address, city, country, messages, communication history, booking details, order details, menu selections, service preferences, review feedback, form submissions, customer notes, follow-up status, payment or invoice-related information, IP address, device information, browser information, and system usage data.

Special categories of data:

Not intentionally required by TopLan Solution. May be processed only if the Client uses the systems for sensitive sectors or sensitive data and has appropriate legal basis and safeguards.

Appendix 2: Technical and organizational measures

TopLan Solution may apply reasonable technical and organizational measures, depending on the service and tools used.

These may include:

Access control

User permission management

Password protection

Two-factor authentication where available

Limited access based on business need

Confidentiality expectations

Secure third-party providers

Encryption where available

Payment security through payment providers