Back to Home

    Data Processing Agreement (DPA)

    Last updated: October 3, 2025

    This Data Processing Addendum (the "Addendum"), including its Exhibits, forms a part of the Order Form and Terms of Service, Enterprise SaaS Agreement, or other written agreement executed by the Parties (the "Agreement") between Belum Inc. ("Company") and [INSERT CUSTOMER NAME] ("Customer," and together with Company, the "Parties").

    Subject Matter and Duration

    a) Subject Matter

    This Addendum reflects the Parties' commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Company's execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this Addendum; and (3) the Agreement. For purposes of Data Protection Laws, Company is the "processor"/"service provider" and Customer is the "controller"/"business" with respect to Customer Personal Data processed in the Service. With respect to Company Service Data (e.g., account registration, billing, security logs, product telemetry), Company acts as an independent controller/business as described in Company's Privacy Policy.

    b) Duration and Survival

    This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign this Addendum if it is completed after the effective date of the Agreement. Company will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Company's obligations and Customer's rights under this Addendum will continue in effect so long as Company Processes Customer Personal Data.

    Definitions

    For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

    a) "Authorized Persons"
    means (i) personnel of Company and (ii) third parties engaged by Company in accordance with Sections 3(b)–(d) of this Addendum.
    b) "Customer Personal Data"
    means Personal Data Processed by Company on behalf of Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A.
    c) "Data Protection Laws"
    means any applicable laws and regulations in any relevant jurisdiction relating to the use or Processing of Personal Data including: (i) the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act ("CPRA"); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR") and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") (together, the "GDPR"); (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (vi) the Virginia Consumer Data Protection Act (Va. Code §§ 59.1‑575 et seq.) ("VCDPA"); in each case, as updated, amended, or replaced from time to time.
    d) "EU‑US DPF"
    means the EU‑U.S. Data Privacy Framework, the UK Extension to the EU‑U.S. Data Privacy Framework, and the Swiss‑U.S. Data Privacy Framework developed by the U.S. Department of Commerce together with the European Commission, UK Government, and Swiss Federal Administration.
    e) "EU SCCs"
    means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 of 4 June 2021, for transfers of Customer Personal Data to countries not otherwise recognized as offering an adequate level of protection by the European Commission (as amended and updated from time to time), as modified by Section 4(c) of this Addendum.
    f) "ex‑EEA transfer"
    means the transfer of Customer Personal Data, which is Processed in accordance with the GDPR, from Customer to Company (or its premises) outside the European Economic Area (the "EEA"), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
    g) "ex‑UK Transfer"
    means the transfer of Customer Personal Data covered by Chapter V of the UK GDPR, which is Processed in accordance with the UK GDPR and the Data Protection Act 2018, from Customer to Company (or its premises) outside the United Kingdom (the "UK"), and such transfer is not governed by an adequacy regulation made by the UK Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
    h) "Personal Data"
    means any information relating to: (i) an identified or identifiable natural person; (ii) a household under CPRA; and/or (iii) any elements that constitute personal information or a similar construct under applicable law, in each case where such information is maintained on behalf of the Customer by the Company within its Services environment and is protected similarly as personal data under Data Protection Laws.
    i) "Process," "Processes," "Processing," or "Processed"
    means any operation or set of operations performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    j) "Security Incident"
    means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
    k) "Services"
    means any and all products and services that Company provides and/or performs under the Agreement.
    l) "Standard Contractual Clauses" or "SCCs"
    means the EU SCCs and the UK SCCs.
    m) "Subprocessor"
    means Company's authorized contractors, agents, vendors, and third‑party service providers (i.e., sub‑processors) that Process Customer Personal Data.
    n) "UK Addendum"
    means the International Data Transfer Addendum attached hereto as Exhibit D.
    o) "UK SCCs"
    means the EU SCCs as amended by the UK Addendum.

    3. Data Use and Processing

    a) Documented Instructions

    Company and its Subprocessors shall Process Customer Personal Data solely for the purpose of providing the Services to Customer, and only to the extent necessary to provide the Services, in each case in accordance with the Agreement, this Addendum, and Data Protection Laws. Unless legally prohibited, Company will inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law.

    b) Authorization to Use Subprocessors

    To the extent necessary to fulfill Company's contractual obligations, Customer authorizes Company to engage Subprocessors. Any Subprocessor Processing of Customer Personal Data shall be consistent with Customer's documented instructions and comply with Data Protection Laws. Prior to engaging any Subprocessor, Company shall conduct appropriate due diligence and enter into a written agreement with such Subprocessor providing sufficient guarantees to implement appropriate technical and organizational measures and substantially the same level of data protection obligations as set out in this Addendum.

    c) Company and Subprocessor Compliance

    Company shall (i) maintain written agreements with Subprocessors imposing confidentiality and data protection obligations no less protective than those in this Addendum; and (ii) remain responsible to Customer for its Subprocessors' performance of their obligations with respect to Customer Personal Data. Customer provides a general authorization for Company to engage Subprocessors subject to Section 3(d).

    d) Right to Object to Subprocessor

    Company's current Subprocessors are available upon request. Customer may object to any newly added Subprocessor on reasonable, good‑faith data protection grounds. The Parties will work in good faith to mitigate; if unresolved, Customer may disable the impacted feature.

    e) Personal Data Inquiries and Requests

    Company will provide reasonable assistance and comply with reasonable instructions from Customer related to requests from individuals exercising their rights in Customer Personal Data under Data Protection Laws.

    f) CPRA

    (i) Definitions.

    For purposes of this Section 3(f), the terms "Business," "Business Purpose," "Commercial Purpose," "Consumer," "Personal Information," "Processing," "Sell," "Service Provider," "Share," and "Verifiable Consumer Request" have the meanings set forth in the CPRA. References to "Personal Data," "Controller," "Processor," and "Data Subject" in this Addendum shall be deemed references to "Personal Information," "Business," "Service Provider," and "Consumer" as defined in the CPRA.

    (ii) Obligations.

    (1) The Parties acknowledge and agree that Customer is a Business and Company is a Service Provider for purposes of the CPRA (to the extent it applies) and Company is receiving Customer Personal Data to provide the Services, which constitutes a Business Purpose.

    (2) Company certifies that it understands and will comply with CPRA's service‑provider restrictions; will not Sell or Share Customer Personal Data; will not use it for cross‑context behavioral advertising; will not retain, use, or disclose it except to perform the Services or as otherwise permitted by CPRA; will not combine it with personal information from other sources except as permitted by CPRA to provide the Services (e.g., for fraud/security, debugging, or to perform services on Customer's behalf); and will notify Customer if Company determines it can no longer meet its CPRA obligations.

    (3) If Company engages a new Subprocessor to assist in providing the Services, Company shall: (i) notify Customer of such engagement via the mechanism in Section 3(d) at least ten (10) days before enabling the new Subprocessor; and (ii) enter into a written contract requiring the Subprocessor to observe applicable CPRA requirements.

    (iii) Consumer Rights.

    Company shall assist Customer, subject to cost reimbursement, in responding to Verifiable Consumer Requests as set forth in Section 7 of this Addendum.

    (iv) Audit Rights.

    To the extent required by CPRA, Company shall allow Customer to conduct inspections or audits in accordance with Section 8 of this Addendum.

    g) VCDPA

    (i) Definitions.

    For purposes of this Section 3(g), the terms "Consumer," "Controller," "Personal data," "Processing," and "Processor" have the meanings set forth in the VCDPA. References to "Data Subject" herein are deemed references to "Consumer."

    (ii) Obligations.

    (1) The Parties acknowledge and agree that Customer is a Controller and Company is a Processor for purposes of the VCDPA (to the extent it applies).

    (2) The nature, purpose, and duration of Processing, types of Personal Data, and categories of Consumers are described in Exhibit A.

    (3) Company shall adhere to Customer's instructions regarding Processing and shall assist Customer in meeting its obligations under the VCDPA by: (a) assisting with Consumer rights requests as set forth in Section 7; (b) complying with Section 5 with respect to Customer Personal Data; (c) in the event of a Security Incident, providing information sufficient to enable Customer to meet its obligations pursuant to Va. Code § 18.2‑186.6; and (d) providing information reasonably necessary to enable Customer to conduct and document data protection assessments to the extent required by VCDPA.

    (4) Company shall maintain the confidentiality of Customer Personal Data and require each person Processing such data to be subject to a duty of confidentiality.

    (5) Upon Customer's written request, Company shall delete or return all Customer Personal Data in accordance with Section 9(b), unless retention is required or authorized by law or the Agreement/Addendum.

    (6) If Company engages a new Subprocessor, Company shall enter into a written contract requiring such Subprocessor to observe applicable Processor requirements under the VCDPA.

    (iii) Audit Rights.

    Upon Customer's written request no more than once annually, Company shall, as set forth in Section 8, (i) make available information reasonably necessary to demonstrate Company's compliance with its VCDPA obligations; and (ii) allow and cooperate with reasonable inspections or audits as required under the VCDPA.

    4. Cross‑Border Transfers of Personal Data

    a) Restricted Transfers

    To the extent Customer Personal Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred to Company in a country not recognized as adequate, the Parties agree such transfers shall be subject to the SCCs (Commission Decision 2021/914), as supplemented by this Addendum. The SCCs (Module Two and/or Module Three, as applicable) are incorporated by reference and deemed executed by the Parties, with Annexes completed in Exhibits B–C.

    b) Law and Jurisdiction

    For EU SCCs: Clause 17 (governing law) = Ireland; Clause 18(b) (forum) = Irish courts. For UK transfers, the UK Addendum in Exhibit D applies. For Swiss transfers, the SCCs apply with the modifications set out in Section 4(e).

    c) EU‑US DPF

    Where Company maintains a current and valid certification under the EU‑US DPF (and UK/Swiss extensions, as applicable), Company may additionally rely on such certification as a transfer safeguard and will maintain certification during any period it relies upon the DPF.

    d) ex‑UK Transfers

    The Parties agree that ex‑UK Transfers are made pursuant to the EU‑US DPF or the UK SCCs, which are deemed entered into and incorporated into this Addendum by reference, and amended and completed in accordance with the UK Addendum in Exhibit D.

    e) Transfers from Switzerland

    The Parties agree that transfers from Switzerland are made pursuant to the EU‑US DPF or EU SCCs with the following modifications: (i) references to the "General Data Protection Regulation" or "Regulation (EU) 2016/679" in the SCCs shall be interpreted to include the Swiss Federal Act on Data Protection (as revised) with respect to data transfers subject to that law; (ii) the SCCs shall be interpreted to protect the data of legal entities until the effective date of the revised Swiss law removing such protection; (iii) Clause 13 of the SCCs is modified so the Swiss Federal Data Protection and Information Commissioner is competent for transfers governed by Swiss law and the appropriate EU supervisory authority is competent for transfers governed by the GDPR; and (iv) the term "EU Member State" shall not be interpreted to exclude Swiss data subjects from exercising rights in their place of habitual residence consistent with Clause 18(c) of the SCCs.

    f) Supplementary Measures (Schrems II)

    Company agrees: (i) as of the Effective Date, to Company's knowledge, it has not received government demands for bulk access to Customer Personal Data inconsistent with the SCCs; (ii) Company will not build or maintain backdoors or provide direct access to Customer Personal Data; (iii) if Company receives a legally binding request from law enforcement or national security authorities, it will, where legally permitted, notify Customer, limit disclosure to what is legally required, and provide reasonable cooperation; (iv) Company will use appropriate encryption and organizational controls to protect Customer Personal Data in transit and at rest; and (v) if a transfer mechanism relied upon becomes invalid, the Parties will in good faith implement an alternative lawful mechanism within 60 days; if none is feasible, Customer may suspend affected transfers without penalty.

    5. Information Security Program

    Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Customer Personal Data. Exhibit C sets forth additional information about Company's technical and organizational security measures.

    6. Security Incidents

    a) Procedure

    Company will maintain policies and procedures to detect, respond to, and otherwise address Security Incidents, including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects, document Security Incidents and outcomes, and (ii) restore the availability of or access to Customer Personal Data in a timely manner.

    b) Notice

    Company will notify Customer without undue delay and no later than 72 hours after verification of a Security Incident affecting Customer Personal Data, and will provide updates as information becomes available, to support Customer's regulatory or individual notifications.

    7. Rights of Data Subjects

    a) Notification and Direction

    To the extent permitted by law, Company shall notify Customer upon receipt of a request by a Data Subject to exercise rights of access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent, and/or objection to Processing that constitutes automated decision‑making (each, a "Data Subject Request"). If Company receives a Data Subject Request relating to Customer Personal Data, Company will advise the Data Subject to submit the request to Customer, and Customer will be responsible for responding, including, where necessary, using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of Processing, or withdrawal of consent are communicated to Company and, if applicable, for ensuring that a record of consent is maintained.

    b) Assistance

    At Customer's request, and taking into account the nature of the Processing applicable to any Data Subject Request, Company will apply appropriate technical and organizational measures to assist Customer in complying with its obligation to respond and/or in demonstrating compliance, where possible, provided that (i) Customer is itself unable to respond without Company's assistance and (ii) Company is able to do so in accordance with applicable laws. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from such assistance.

    8. Audits

    a) Right to Audit; Permitted Audits

    In lieu of on‑site audits, Company will make available its SOC 2 Type II and/or ISO 27001 report (or equivalent), penetration‑test summaries, and responses to reasonable security questionnaires. If such materials are insufficient to verify compliance, if required by law or a regulator, or following a material Security Incident, Customer may conduct a targeted on‑site audit no more than once per 12 months, during normal business hours, limited to systems relevant to the Service, for up to one business day. Customer bears its own costs; auditors must sign an NDA; audits must not unreasonably disrupt operations.

    9. Data Storage and Deletion

    a) Storage

    Company will not store or retain Customer Personal Data except as necessary to perform the Services under the Agreement.

    b) Deletion

    Upon termination of the Services or upon written request, Company will delete Customer Personal Data from active systems within 90 days and from encrypted backups within 12 months, subject to legal holds. Upon request, Company will provide a Certificate of Deletion.

    10. Limitation of Liability

    Each Party's liability, including the liability of its affiliates, arising out of or related to this Addendum, whether in contract, tort, or under any other theory of liability, is subject to the "Limitation of Liability" section of the Agreement, and any reference to the liability of a Party means the total liability of that Party and all of its affiliates under the Agreement and this Addendum together.

    11. Contact Information

    The Customer Designated Point of Contact shall be the contact specified for the Data Exporter in Exhibit B.

    SIGNATURE PAGE

    BELUM INC.

    Signature:

    _________________________________

    Name:

    _________________________________

    Title:

    _________________________________

    Date:

    _________________________________

    [INSERT CUSTOMER NAME]

    Signature:

    _________________________________

    Printed Name:

    _________________________________

    Title:

    _________________________________

    Date:

    _________________________________

    EXHIBIT A

    Details of Processing

    1.1 Subject Matter of Processing

    The subject matter of Processing is the Services pursuant to the Agreement.

    1.2 Duration of Processing

    The Term of the Agreement plus the period from the expiry of such Term until deletion of all Customer Personal Data by Company in accordance with this Addendum.

    1.3 Categories of Data Subjects

    The categories of data subjects are within the control of the Customer and may include individuals about whom data is provided to Company by or at the direction of Customer pursuant to the Agreement.

    1.4 Nature and Purpose of Processing

    Company will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services. The Processing operations are the Services used by Customer.

    1.5 Types of Personal Data

    The categories of Personal Data are within the control of the Customer, including images and video/audio recordings of an individual's appearance and voice, to the extent provided to Company by or at the direction of the Customer pursuant to the Agreement.

    1.6 Sensitive Personal Data or Special Categories of Data

    Biometric data associated with an individual's face for the purpose of authenticating the identity of the individual (if provided by Customer and enabled in the Services).

    1.7 Frequency of the Transfer

    Continuous.

    1.8 Subprocessors

    Upon request.

    EXHIBIT B

    (ANNEX I & ANNEX III TO EU SCCs; TABLE 1, ANNEX 1A & ANNEX 1B TO UK ADDENDUM)

    The Parties

    Data exporter(s):

    Name: As designated by Customer in the Order Form to the Agreement

    Address: As designated by Customer in the Order Form to the Agreement

    Contact person's name, position and contact details: As designated by Customer in the Order Form to the Agreement

    Activities relevant to the data transferred under these Clauses: The provision of the Services under the Agreement.

    Signature and date: By entering into this Addendum, Data Exporter is deemed to have signed these SCCs incorporated herein, as of the Effective Date of the Agreement.

    Role (controller/processor): Controller

    Data importer(s):

    Name: Belum Inc.

    Trading Name (if different): N/A

    Official Registration Number (if any): N/A

    Contact person's name, position and contact details: Data Protection Contact, privacy@belum.ai

    Activities relevant to the data transferred under these Clauses: The provision of the Services under the Agreement.

    Signature and date: By entering into this Addendum, Data Importer is deemed to have signed these SCCs incorporated herein, as of the Effective Date of the Agreement.

    Role (controller/processor): Processor (and sub‑processor as applicable)

    Description of the Transfer

    Data Subjects: As described in Exhibit A of the Addendum.

    Categories of Personal Data: As described in Exhibit A of the Addendum.

    Special Category Personal Data (if applicable): Biometric data for authentication, if explicitly agreed to in writing by Company and Customer.

    Nature of the Processing: As described in Exhibit A of the Addendum.

    Purposes of Processing: As described in Exhibit A of the Addendum.

    Duration of Processing and Retention (or the criteria to determine such period): As described in Exhibit A of the Addendum.

    Frequency of the transfer: As necessary to perform the Services.

    Recipients of Personal Data Transferred to the Data Importer: As described in Section 4 of the Addendum and as supplemented by any third parties added in accordance with Section 3(d) of the Addendum.

    Competent Supervisory Authority: The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs based on the Customer's location. For the UK Addendum, the competent authority is the UK Information Commissioner's Office.

    List of Authorized Subprocessors

    Upon request.

    EXHIBIT C

    (ANNEX II TO EU SCCs; APPENDIX II TO UK ADDENDUM)

    Description of the Technical and Organizational Security Measures implemented by the Data Importer

    1. Adoption and implementation of written security policies and standards.
    2. Assignment of responsibility for information security management.
    3. Adequate personnel resources devoted to information security.
    4. Background checks as appropriate and confidentiality agreements for employees, vendors, and others with access to Personal Data.
    5. Security and privacy training to raise awareness of risks and enhance compliance.

    6. Measures to prevent unauthorized access to Personal Data, including as appropriate:

      • 6.1) Physical access controls (e.g., access ID cards, readers, reception/security desk, alarms, motion detectors, video surveillance, exterior security).
      • 6.2) Logical access controls (e.g., enforced password complexity and rotation, role‑based access control, firewalls, MFA).
      • 6.3) Authorization and access rights based on least privilege; monitoring and logging of system access to identify unauthorized Processing.
      • 6.4) Transmission controls to ensure Personal Data cannot be read, copied, modified, or removed without authorization during transmission, transport, or storage on media; maintenance of transfer and receipt records.
      • 6.5) Encryption of Personal Data in transit and at rest.
      • 6.6) Entry controls to ensure it is possible to check and establish whether and by whom Personal Data has been input, modified, or removed.
      • 6.7) Subprocessor supervision to ensure compliance with this Addendum.
      • 6.8) Measures to protect against accidental destruction or loss, including backup, retention, secure destruction, secure offsite storage, and disaster recovery programs.
      • 6.9) Measures to ensure data collected for different purposes can be processed separately, including physical or logical separation of client data.

    EXHIBIT D

    UK Addendum - International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

    Part 1: Tables

    Table 1: Parties

    Start Date: This UK Addendum shall have the same effective date as the Addendum.

    Parties' Details: Exporter = Customer; Importer = Company.

    Key Contacts: See Exhibit B of this Addendum.

    Table 2: Selected SCCs, Modules and Selected Clauses

    EU SCCs: The version of the approved EU SCCs appended to and incorporated by reference in this Addendum and completed by Sections 4(c) and 4(d) of the Addendum.

    Table 3: Appendix Information

    "Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

    • Annex 1A: List of Parties – as per Table 1 above.
    • Annex 1B: Description of Transfer – see Exhibit B of this Addendum.
    • Annex II: Technical and organisational measures including those to ensure security of the data – see Exhibit C of this Addendum.
    • Annex III: List of Sub‑processors (Modules 2 and 3 only) – see Exhibit B of this Addendum.

    Table 4: Ending this UK Addendum when the approved UK Addendum changes

    Ending this UK Addendum when the approved UK Addendum changes: Exporter.

    Entering into this UK Addendum

    Each party agrees to be bound by this UK Addendum, in exchange for the other party also agreeing to be bound.

    Although Annex 1A and Clause 7 of the approved EU SCCs require signature by the Parties, for ex‑UK Transfers the Parties may enter into this UK Addendum in any way that makes them legally binding and allows data subjects to enforce their rights. Entering into this UK Addendum has the same effect as signing the approved EU SCCs and any part thereof.

    Interpretation of this UK Addendum

    Where this UK Addendum uses terms defined in the approved EU SCCs those terms have the same meaning. Additional terms:

    • UK Addendum: this International Data Transfer Addendum incorporating the EU SCCs, attached as Exhibit D.
    • EU SCCs: as defined above, including the Appendix Information.
    • Appropriate Safeguards: the standard of protection required by UK Data Protection Laws when making an ex‑UK Transfer relying on SCCs under Article 46(2)(d) UK GDPR.
    • Approved UK Addendum: the template issued by the ICO and laid before Parliament on 2 February 2022, as revised under Section 18 thereof.
    • ICO: the UK Information Commissioner.
    • ex‑UK Transfer: has the meaning in Section 2(g) of this Addendum.
    • UK Data Protection Laws: all laws relating to data protection, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

    The UK Addendum must always be interpreted consistently with UK Data Protection Laws and to fulfill the Parties' obligation to provide Appropriate Safeguards.

    For the complete UK Addendum provisions including hierarchy, incorporation, amendments, and detailed modifications to EU SCCs, please refer to the full legal document.

    © 2025 Belum. All rights reserved.