Data Processing Agreement
Our commitments when we act as a processor on your behalf.
Last updated: April 22, 2025
Copilot Audit Data Processing Agreement (DPA)
Last updated: December 8, 2025
This Data Processing Agreement ("DPA") supplements and forms an integral part of the Terms and Conditions or any other applicable master agreement (the "Principal Agreement") concluded between NEXT BP ("We", "us", "our" or the "Processor") and you ("You", the "Client") regarding the use of the Copilot Audit software (the "Software"). This DPA governs the processing of Personal Data by the Processor on behalf of the Client in connection with the provision of the Software.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
- "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Client is the Controller.
- "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller. For the purposes of this DPA, NEXT BP is the Processor.
- "Sub‑processor" means any third‑party processor engaged by the Processor (NEXT BP) to process Personal Data on behalf of the Client.
- "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Data Protection Legislation" means all applicable laws and regulations relating to data protection and privacy, including, without limitation, the General Data Protection Regulation (Regulation (EU) 2016/679 – "GDPR") and any national legislation implementing or supplementing it.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. Roles and Responsibilities
2.1 The Client acts as Controller. The Client is solely responsible for the lawfulness of the collection and Processing of Personal Data that it entrusts to the Processor via the Software, including the legal basis for such Processing.
2.2 NEXT BP acts as Processor. NEXT BP shall process Personal Data only on behalf of the Client, based on the Client’s documented instructions (as set out in the Principal Agreement and this DPA, and through the Client’s use of the Software) and in accordance with applicable Data Protection Legislation.
3. Subject Matter, Nature and Duration of the Processing
3.1 Subject Matter
The Processing is carried out to enable the Processor to provide the Software and related services to the Client in accordance with the Principal Agreement. This includes, in particular, data hosting, execution of the Software’s functionalities (for example, analysis and automated processing of audit documents imported by the Client), maintenance and technical support.
3.2 Nature of Processing Operations
Processing operations may include receiving, storing, organising, analysing, consulting, using, making available (through the Software interface), erasing and/or returning Personal Data.
3.3 Types of Personal Data
The types of Personal Data processed are determined and controlled solely by the Client and may include, without limitation, information contained in documents imported by the Client into the Software (such as names, contact details, financial information, professional information, etc.).
3.4 Categories of Data Subjects
The categories of Data Subjects are determined by the Client and may include, without limitation, employees, customers, suppliers, audited entities or any other natural person whose Personal Data is contained in documents processed via the Software.
3.5 Duration of Processing
The Processor will process Personal Data for the duration of the Principal Agreement, unless otherwise instructed in writing by the Client or required by law. The procedures for deletion or return of data at the end of the contract are defined in Section 4.7.
4. Obligations of the Processor (NEXT BP)
The Processor undertakes to:
4.1 Processing on Instructions
Process Personal Data only on the documented instructions of the Client, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Client of that legal requirement before Processing, unless the relevant law prohibits such information on important grounds of public interest. The Client’s use of the Software constitutes a documented instruction.
4.2 Confidentiality
Ensure that persons authorised to process Personal Data (employees, agents, sub‑processors) commit themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security of Processing
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are intended to protect Personal Data against destruction, loss, alteration, disclosure or access without authorisation.
4.4 Use of Sub‑processors
Not engage another processor (Sub‑processor) without the prior written authorisation of the Client, whether specific or general. In the case of general written authorisation, the Processor shall inform the Client of any intended changes concerning the addition or replacement of Sub‑processors, thereby giving the Client the opportunity to object to such changes.
Where the Processor engages a Sub‑processor, it shall impose on the Sub‑processor the same data protection obligations as set out in this DPA, by way of contract or other legal act.
By way of example, the Processor may use:
- payment service providers (such as Stripe) for managing subscription payments;
- infrastructure and compute providers (such as Hetzner Online GmbH for hosting, or Modal.com for GPU compute required for certain Processing operations, including OCR).
An up‑to‑date list of these Sub‑processors may be provided to the Client upon request.
4.5 Assistance to the Client
Assist the Client, by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Client’s obligation to respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection).
4.6 Notification of Personal Data Breaches
Notify the Client of any Personal Data Breach without undue delay after becoming aware of it, and provide the Client with the information necessary for the Client to meet its own notification obligations towards supervisory authorities and/or Data Subjects.
4.7 Data at the End of the Contract
At the choice of the Client, delete all Personal Data or return it to the Client upon termination of the services relating to Processing, and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
4.8 Audit and Information
Make available to the Client all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
4.9 Usage Data
Insofar as the Software records usage metrics (such as the number of documents processed, volume of data, or other technical indicators) for billing, service improvement, security or performance monitoring purposes, these metrics may indirectly be linked to Personal Data if the elements counted (e.g. documents) contain such data.
The Processor undertakes to process such aggregated or technical usage data in accordance with this DPA and applicable Data Protection Legislation, limiting its use to the purposes mentioned above.
5. Transfers of Personal Data Outside the EEA
Any transfer of Personal Data by the Processor to a country outside the European Economic Area (EEA) shall only take place where appropriate safeguards are in place in accordance with Data Protection Legislation (for example, an adequacy decision by the European Commission, approved Standard Contractual Clauses, Binding Corporate Rules). The Processor shall inform the Client of the transfer mechanisms used, upon request.
6. Governing Law and Jurisdiction
This DPA is governed by French law. Any dispute relating to its interpretation or performance shall be subject to the jurisdiction of the courts designated in the Principal Agreement.
7. Liability
The liability of each party arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.
By accepting the Terms and Conditions or by using the Software, you acknowledge that you have read, understood and agreed to be bound by the provisions of this Data Processing Agreement.