EFILOS Logo
Back to site

Data Processing Addendum

Last updated: March 2026

1. Parties and roles

This Data Processing Addendum applies where EFILOS processes personal data on behalf of a customer in connection with SCREDIT. The customer is the controller or business, and EFILOS is the processor or service provider, except where applicable law or the parties’ separate agreement states otherwise.

2. Subject matter and duration

The subject matter of processing is the provision of SCREDIT and related support, implementation, analytics, hosting, and security operations. The duration of processing continues for the term of the applicable services agreement unless deletion, return, or retention is required by law or contract.

3. Nature and purpose of processing

  • Hosting, storing, organizing, retrieving, transmitting, and deleting customer-controlled data.
  • Supporting workflows such as credit applications, credit review, collections, reporting, notifications, and integrations enabled by the customer.
  • Providing technical support, preventing abuse, and maintaining platform security and reliability.

4. Categories of data and data subjects

  • Business contacts, customer employees, applicant representatives, guarantors, trade contacts, bank contacts, and other individuals included in customer data.
  • Data may include business identifiers, contact details, financial records, payment data, trade reference details, login logs, and other information the customer submits to the services.

5. Processor commitments

  • Process personal data only on documented instructions from the customer unless otherwise required by law.
  • Ensure personnel with access are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures designed to protect personal data.
  • Assist the customer, taking into account the nature of processing, with reasonable requests related to data subject rights, security, breach response, and impact assessments where applicable.

6. Subprocessors

EFILOS may engage subprocessors to support the service. EFILOS will maintain a subprocessor list or equivalent disclosure and remain responsible for subprocessor performance to the extent required by law and contract.

7. Security incidents

EFILOS will notify the customer without undue delay after becoming aware of a confirmed security incident affecting customer personal data, and will provide information reasonably available to support the customer’s legal obligations.

8. Return and deletion

Upon termination of the applicable services agreement and upon the customer’s written request, EFILOS will return or delete applicable personal data, unless retention is required by law, needed for security or backup cycles, or otherwise provided in the governing agreement.

9. Audit and information rights

Subject to confidentiality, security, and operational restrictions, EFILOS will make available information reasonably necessary to demonstrate compliance with this DPA and, where required and appropriate, support audits or assessments through documentation, third-party reports, or agreed review procedures.