This Processor Agreement applies to all forms of processing of personal data carried out by Surver B.V., registered with the Chamber of Commerce under number 90020294, (hereinafter: Processor) on behalf of an opposing party to whom it provides services (hereinafter: Controller).
1. Purposes of processing.
1.1. Processor undertakes under the terms of this Processor Agreement to process personal data on behalf of the Controller. Processing will only take place in the context of handling orders and payments for products or services of Processor, storing data of Processor, management of financial administration of Processor, offering and managing the online customer portal of Processor for Processor, informing about changes, renewals, possibly relevant new products and work affecting products, maintaining telephone contact and contact via support tickets with both Processor and its customers, handling complaints and providing service, performing Public Relations and marketing activities for Processor, sending newsletters or emails on behalf of Processor, managing Processor's customer records, plus those purposes reasonably related thereto or as determined by further agreement.
1.2. The personal data processed by Processor as part of the activities referred to in the previous paragraph and the categories of data subjects from whom they originate are listed in Schedule 1. Processor shall not process the personal data for any purpose other than as determined by Processor. Controller shall inform Processor of the processing purposes to the extent they are not already mentioned in this Processor Agreement.
1.3. The personal data to be processed on behalf of Processor shall remain the property of Processor and/or the relevant data subjects.
1.4. Controller warrants that the processing of personal data falls under one of the exemptions under the GDPR (AVG), and thus no notification to the Dutch Data Protection Authority (AP) is required.
2. Obligations of Processor
2.1. In respect of the processing mentioned in Article 1, Processor shall ensure compliance with the conditions that, under the AVG, are imposed on the processing of personal data.
2.2. Processor shall inform Processor, upon its first request to do so, about the measures taken by it regarding its obligations under this Processor Agreement.
2.3. The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of Processor, including but not limited to employees, in the broadest sense.
2.4. The Processor shall immediately notify the Controller if, in its opinion, an instruction of the Controller violates the legislation referred to in paragraph 1.
2.5. Processor shall, to the extent within its power, provide assistance to Processor for the purpose of conducting data protection impact assessments (PIAs).
3. Obligations of Controller
3.1. Controller shall ensure proper and secure use of the hosting services and is solely responsible for implementation of security patches and security upgrades for installed or placed code within the hosting accounts and/or services unless otherwise agreed.
3.2. In any case, the processing responsibility includes the correct and secure use of the purchased services, including:
- Applying a valid SSL certificate and connection to the relevant domains, websites, web shops and other code;
- Connecting email via SSL;
- Implementation of security patches and security upgrades on code;
- Keeping account content code up-to-date, including website, CMS, CRM software or other code.
4. Transfer of personal data
4.1. Processor may process Personal Data in countries within the European Union without prior written consent, including the following countries: United Kingdom, Norway, Iceland and Switzerland.
4.2. Transfer to countries outside the European Union is not permitted without the prior written consent of Controller.
5. Distribution of responsibility
5.1. The permitted processing operations will be performed by employees of Processor within an automated environment.
5.2. Processor is solely responsible for the processing of the Personal Data under this Processor Agreement, in accordance with the instructions of Processor and under the express (ultimate) responsibility of Processor. For other processing of Personal Data, including in any case, but not limited to, the collection of the Personal Data by the Controller, processing for purposes not notified to the Processor by the Controller, processing by third parties and/or for other purposes, the Processor is explicitly not responsible.
5.3. Processor guarantees that the content, use and commissioning of the processing of the personal data referred to in this processor agreement are not unlawful and do not infringe any rights of third parties.
6. Engaging third parties or subcontractors
6.1. Processor may make use of a third party in the context of the Processor Agreement, without the prior consent of Processor, subject to the condition that Processor may prohibit the use of the third party, only in the event that there are legitimate reasons for doing so.
6.2. Processor unconditionally ensures that these third parties assume in writing the same duties as agreed upon between Controller and Processor.
6.3. Processor warrants proper compliance by these third parties with the obligations under this Processor Agreement and, in the event of errors by these third parties, is itself liable for all damages as if it had itself committed the error(s).
7. Security
7.1. Processor shall make every effort, with respect to its infrastructure and third parties engaged by it with which or through which personal data may be processed, to take sufficient and appropriate technical and organizational measures with respect to the processing of personal data to be performed, against loss or against any form of unlawful processing (such as unauthorized access, impairment, modification or disclosure of the personal data).
7.2. Processor has taken at least the following measures:
- Encryption of digital files containing personal data;
- Securing network connections via Secure Sockets Layer (SSL) technology;
- Applying updates and security patches for vulnerabilities at both infrastructure and operating system levels, with the goal of providing the most secure software and hardware services possible. Where applicable and to promote security, patches are implemented within 72 hours of delivery of available updates.
7.3. Processor is responsible for compliance with the measures agreed upon by the Parties, and to be taken by Processor.
8. Duty to Report
8.1. In the event of a security breach and/or a data breach (by which is meant: a breach of the security of personal data that leads to a significant probability of adverse consequences, or has adverse consequences, for the protection of personal data), Processor shall, to the best of its ability, make every effort to inform the Controller about this immediately, but in any case within 48 hours of its discovery. Processor shall make best efforts to make the information provided complete, correct and accurate. The obligation to notify applies regardless of the impact of the leak.
8.2. If required by law and/or regulations, Processor shall cooperate in informing the relevant authorities and any data subjects. Processor is responsible for reporting to the relevant authorities.
8.3. The duty to report includes, in any case, reporting the fact that a leak has occurred, as well as:
- What the (alleged) cause of the leak is;
- What the (as yet known and/or expected) consequence is;
- What the (proposed) solution is;
- What actions have already been taken.
9. Handling requests from data subjects.
9.1. In the event that a data subject submits a request for inspection, as referred to in Article 35 AVG, or correction, addition, amendment or blocking, as referred to in Article 36 AVG, to Processor, Processor shall forward the request to Controller and inform the data subject thereof. Controller will then handle the request further independently.
10. Secrecy and confidentiality
10.1. All personal data that Processor receives from Processor and/or collects itself in the context of this Processor Agreement shall be subject to a duty of confidentiality towards third parties. Processor shall not use this information for any purpose other than that for which it obtained it, even if it is put in such a form that it cannot be traced back to data subjects.
10.2. This obligation of confidentiality does not apply to the extent that Processor has given express consent to provide the information to third parties, if the provision of the information to third parties is logically necessary given the nature of the assignment provided and the performance of this Processor Agreement, or if there is a legal obligation to provide the information to a third party.
11. Audit
11.1. Controller has the right to have audits performed by an independent Registered EDP Auditor who is bound by confidentiality to verify compliance with the agreements in this Processor Agreement.
11.2. This audit shall take place no more than once a year and shall only take place in the event of a concrete and well-founded suspicion of misuse of personal data by Processor, and only after Processor has requested and assessed the similar reports present at Processor and presents reasonable arguments that still justify an audit initiated by Processor. Such an audit shall be justified if the similar reports present at Processor are not, or are not sufficiently, conclusive about Processor's compliance with this Processor Agreement.
11.3. This audit shall take place two weeks after prior notice by Processor, without using and viewing confidential data of Processor and without unduly disrupting Processor's work processes.
11.4. Processor shall cooperate with the audit and make available all information reasonably relevant to the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable time frame, whereby a period of up to four weeks is reasonable unless an urgent interest dictates otherwise.
11.5. The findings as a result of the audit conducted will be reviewed by the Parties in mutual consultation and, as a result, may or may not be implemented by either or both Parties jointly.
11.6. The reasonable cost of the audit shall be borne by the Controller, except that the cost of the third party to be hired will always be borne by the Controller.
12. Liability and penalty provisions.
12.1. Processor's liability for damages resulting from an attributable failure to perform the Processor Agreement, or in tort or otherwise, is excluded. Insofar as the aforementioned liability cannot be excluded, it is limited per event (a series of consecutive events counts as one event) to compensation for direct damage, up to a maximum of the amount of the fees received by Processor for the work under this Processor Agreement for the month preceding the event causing damage. Processor's liability for direct damages shall never exceed €50 in total.
12.2. Direct damage means exclusively all damage consisting of:
- Damage directly inflicted on tangible property ("property damage");
- Reasonable and demonstrable costs to compel the Processor to comply properly (again) with the Processor Agreement;
- Reasonable costs to determine the cause and extent of the damage insofar as related to the direct damage as referred to herein;
- Reasonable and demonstrable costs incurred by Processor to prevent or limit the direct damage referred to in this Article.
12.3. Processor is not liable for damages arising from installed code, CRM systems or other software installed in the hosting account, server or other related service. CRM systems include, among others, WordPress, Joomla, Prestashop, Magento or Drupal.
12.4. For cloud services or additional services of which Processor does not do server or infrastructure management, but only acts as reseller, facilitator or user, liability is excluded. Cloud services include, among others, Microsoft Office 365 email, Google G Suite email, Dropbox, Boxcryptor and Acronis backup. Additional services include CloudFlare, SpamExperts, SSL Certificate Authorities and Let's Encrypt, among others.
12.5. Processor's liability for indirect damages is excluded. Indirect damages are understood to mean all damages that are not direct damages and therefore in any case, but not limited to, consequential damages, lost profits, missed savings, reduced goodwill, damages due to business stagnation, damages due to failure to determine marketing purposes, damages related to the use of data or data files prescribed by Processor, or loss, mutilation or destruction of data or data files.
12.6. The exclusions and limitations referred to in this Article shall lapse if and to the extent that the damage results from intent or deliberate recklessness on the part of Processor or its management.
12.7. Unless performance by Processor is permanently impossible, Processor's liability for attributable failure in the performance of the Contract shall arise only if Processor immediately gives Processor written notice of default, setting a reasonable period for the rectification of the failure, and Processor continues to fail imputably in the performance of its obligations even after that period. The notice of default must contain as complete and detailed a description of the failure as possible, so that Processor is given the opportunity to respond adequately.
12.8. Any claim for damages by Processor against Processor that is not specified and explicitly reported shall expire by the mere lapse of twelve (12) months from the occurrence of the claim.
12.9. Processor shall have and maintain adequate insurance coverage for liability in accordance with this Article during the Processor Agreement.
12.10. In case of breach of the Processor Agreement, Processor shall forfeit an immediately due and payable penalty of €50.00 per violation and €50.00 per day that the violation continues to occur to Processor.
13. Duration and termination
13.1. This Processor Agreement shall come into existence by signature of the Parties and on the date of the last signature.
13.2. This Processor Agreement is entered into for the duration as stipulated in the main agreement between the Parties and, in the absence thereof, in any case for the duration of the cooperation.
13.3. Once the Processor Agreement is terminated, for whatever reason and in whatever manner, Processor shall - at the request of Processor - delete and/or destroy all personal data present with it.
13.4. Processor is entitled to revise this Agreement from time to time. It shall give at least three months' notice of the amendments to Processor. Processor may terminate by the end of these three months if it cannot agree to the changes.
14. Applicable law and dispute resolution
14.1. The Processor Agreement and its performance shall be governed by Dutch law.
14.2. All disputes that may arise between the Parties in connection with the Processor Agreement shall be submitted to the competent court in the district where Processor is located.
14.3. In case of conflict between different documents or their annexes, the following order of precedence shall apply:
- the Agreement;
- the General Conditions;
- this Processor Agreement;
- the Service Level Agreement;
- any additional conditions.
This Processor Agreement is accepted digitally; the time and IP address of the acceptance can be found in Surver's customer panel (my.surver.nl). This acceptance will serve as the signature of the Processor Agreement.
Appendix 1: Specification of personal data and data subjects.
Personal data
Processor shall, within the scope of Article 1.1 of the Processor Agreement, where applicable, process the following (special) personal data on behalf of Processor:
- Name
- Company name
- Address, zip code, city, country
- Email addresses
- Phone numbers
- Payment method, financial data and bank account details
- Other information related to the services you purchase from us.
- IP addresses
Of the categories involved:
- Staff
- Customers
Processor warrants that the personal data and categories of data subjects described in this Schedule 1 are complete and accurate, and indemnifies Processor for any defects and claims resulting from an incorrect representation by Processor.
Data access
Through the Surver customer panel you can see what information we hold about you and you can also make changes. You can also e-mail us at support@surver.nl should you want to know what data we store about you.