1 September 2021

Processor agreement

This processor's agreement applies to all forms of processing of personal data that Surver, registered with the Chamber of Commerce under number 69403678, (hereinafter: Processor) carries out on behalf of a counterparty to whom it provides services (hereinafter: Processor).
1. Purposes of processing

1.1 Under the terms of this Processing Agreement, the Processor undertakes to process personal data on the instructions of the Processing Responsible Party. Processing will take place exclusively in the context of processing orders and payments for products or services of the Processing Responsible Party, storing data of the Processing Responsible Party, managing financial administration of the Processing Responsible Party, providing and managing the online customer portal of the Processing Responsible Party for the Processing Responsible Party, informing the Processing Responsible Party of changes, renewals, potentially relevant new products and work affecting products, maintaining telephone contact and contact via support tickets with both the Processor and its customers, for handling complaints and providing service, carrying out Public Relations and marketing activities for the Processor, sending newsletters or e-mails on the instructions of the Processor, managing the customer administration of the Processor, plus those purposes which are reasonably related to them or which are determined by further agreement.

1.2. The personal data that are processed by the Processor in the context of the work referred to in the previous paragraph and the categories of data subjects from whom they originate are included in Appendix 1. The Processor shall not process the personal data for any purpose other than as determined by the Processing Responsibility. The Processing Responsible Party will inform the Processor of the processing purposes if they are not already stated in this Processing Agreement.

1.3. The personal data to be processed on the instructions of the Processing Responsible Party will remain the property of the Processing Responsible Party and/or the parties involved.

1.4. The controller warrants that the processing of personal data falls under one of the exemptions under the AVG, and that no notification to the AP is therefore required.

2. Obligations of Processor

2.1. With regard to the processing referred to in Article 1, the Processor shall ensure compliance with the conditions imposed on the processing of personal data pursuant to the AVG.

2.2. The Processor will inform the Processing Party, at the latter's first request, of the measures it has taken regarding its obligations under this Processor Agreement.

2.3. The obligations of the Processor arising from this Processing Agreement shall also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.

2.4. The Processor will immediately inform the Processor if, in its opinion, an instruction from the Processor is in breach of the legislation referred to in paragraph 1.

2.5. The Processor will, as far as it is within its power, provide assistance to the Processing Owner for the purposes of carrying out data protection impact assessments (PIAs).

3. Obligations of the Controller

3.1. Controller will ensure correct and safe use of the hosting services and is responsible for implementing security patches and security upgrades for installed or placed code within the hosting accounts and/or services unless agreed otherwise.

3.2. The processing responsibility includes in any case the correct and secure use of the services purchased, including:
- Applying a valid SSL certificate and connection to the relevant domains, websites, web shops and other code;
- Connecting email via SSL;
- Implementation of security patches and security upgrades on code;
- Keeping account content code up-to-date, including website, CMS, CRM software or other code.

4. Transfer of personal data

4.1. Processor may process personal data in countries within the European Union without prior written consent. Including the following countries: United Kingdom, Norway, Iceland and Switzerland.

4.2. Transfer to countries outside the European Union is not permitted without the prior written consent of the Controller. 

5. Division of responsibility

5.1. The permitted processing will be carried out by employees of the Processor within an automated environment.

5.2. The Processor is solely responsible for the processing of the personal data under this Processing Agreement, in accordance with the instructions of the Processing Responsible Party and under the explicit (final) responsibility of the Processing Responsible Party. The Processor is explicitly not responsible for the other processing of personal data, including in any case, but not limited to, the collection of the personal data by the Processing Responsible Party, processing for purposes not notified by the Processing Responsible Party to the Processor, processing by third parties and/or for other purposes.

5.3. The Controller warrants that the content, use and commissioning of the processing of the personal data referred to in this Processing Agreement are not unlawful and do not infringe any third-party right.

6. Use of third parties or subcontractors

6.1. The Processor may make use of a third party in the context of the Processing Agreement, without the prior consent of the Processing Responsible Party, on condition that the Processing Responsible Party may prohibit the use of the third party only if there are good reasons for doing so.

6.2. The Processor shall unconditionally ensure that these third parties assume in writing the same duties as agreed between the Controller and the Processing Agent.

6.3. The Processor guarantees that these third parties will correctly fulfil their obligations under this Processor Agreement and, in the event of errors by these third parties, shall be liable for all damage as if it had committed the error(s) itself.

7. Security

7.1. The Processor shall make an effort, with regard to its infrastructure and the third parties engaged by it with which or through which personal data may be processed, to take sufficient and appropriate technical and organisational measures concerning the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorised access, impairment, alteration or disclosure of the personal data).

7.2. Processor has in any case taken the following measures:
- Encryption of digital files containing personal data;
- Security of network connections via Secure Sockets Layer (SSL) technology;
- Applying updates and security patches for vulnerabilities at both infrastructure and operating system level, with the aim of providing the safest possible software and hardware services. Carrying out patching where applicable and for the purpose of security is carried out within 72 hours of available updates.

7.3. Processor is responsible for compliance with the measures agreed upon by the Parties and to be taken by Processor.

8. Duty to report

8.1. In the event of a security breach and/or a data leak (which is understood to mean: a breach of the security of personal data which leads to a significant risk of adverse effects, or has adverse effects, on the protection of personal data), Processor shall make every effort to inform Respondent immediately, but in any event within 48 hours of its discovery. Processor shall make every effort to ensure that the information provided is complete, correct and accurate. The duty to report applies regardless of the impact of the leak.

8.2. If required by law and/or regulations, Processor shall co-operate in informing the relevant authorities and any parties concerned. Controller is responsible for reporting to the relevant authorities.

8.3. The duty of notification includes in any case the reporting of the fact that a leak has occurred, as well as:
- What the (alleged) cause of the leak is;
- What is the (as yet known and/or expected) consequence;
- What is the (proposed) solution;
- What measures have already been taken.

9. Handling of requests from data subjects
9.1. Where a data subject makes a request for inspection, as referred to in Article 35 AVG, or correction, addition, amendment or blocking, as referred to in Article 36 AVG, to the Processor, the Processor shall forward the request to the Accountable Party and inform the data subject accordingly. The Processor will then deal with the request independently.
10. Secrecy and confidentiality

10.1. All personal data that Processor receives from the Processing Party and/or collects itself in the context of this Processing Agreement is subject to an obligation of confidentiality vis-à-vis third parties. Processor shall not use this information for any purpose other than that for which it was obtained, not even if it is in such a form that it cannot be traced back to those involved.

10.2. This secrecy obligation will not apply insofar as the Processing Agent has given its explicit consent to providing the information to third parties, if providing the information to third parties is logically necessary in view of the nature of the assignment given and the performance of this Processing Agreement, or if there is a legal obligation to provide the information to a third party.

11. Audit

11.1. The Processing Responsible Party is entitled to have audits carried out by an independent Registered EDP Auditor who is bound by confidentiality to verify compliance with the agreements in this Processing Agreement.

11.2. This audit will take place no more than once a year and will only take place if there is a concrete and well-founded suspicion of misuse of personal data by the Processor, and only after the Processor has requested similar reports from the Processor, assessed them and provided reasonable arguments to justify an audit initiated by the Processor. Such an audit will be justified if the similar reports available at the Processor do not provide any, or sufficient, evidence of the Processor's compliance with this Processor Agreement.

11.3. This audit shall take place two weeks after prior announcement by the Processing Owner, without using or inspecting any confidential data of the Processing Owner and without unnecessarily disrupting the work processes of the Processing Owner.

11.4. Processor shall cooperate with the audit and make all information reasonably relevant for the audit, including supporting data such as system logs, and employees available as soon as possible and within a reasonable period, whereby a period of up to four weeks is reasonable unless an urgent interest dictates otherwise.

11.5. The findings of the audit will be assessed by the Parties in mutual consultation and, as a result, may or may not be implemented by one or both Parties jointly.

11.6. The reasonable costs of the audit shall be borne by the Controller, it being understood that the costs of the third party to be hired shall always be borne by the Controller.

12. Liability and penalty provisions

12.1. The liability of the Processor for damage caused by an attributable shortcoming in the performance of the Processing Agreement, or in tort or otherwise, is excluded. Insofar as the aforementioned liability cannot be excluded, it is limited per event (a series of successive events is regarded as one event) to compensation for direct damage, up to a maximum of the amount of the fees received by Processor for the work under this Processing Agreement in the month preceding the event that caused the damage. The liability of Processor for direct damages shall never exceed € 50.00 in total.

12.2. Direct damage is exclusively understood as all damage consisting of:
- Damage caused directly to tangible property ("property damage");
- Reasonable and demonstrable costs to get the Processor to (re)properly comply with the Processing Agreement;
- Reasonable costs for determining the cause and extent of the damage, insofar as related to direct damage as referred to here;
- Reasonable and demonstrable costs incurred by the Processing Responsible Party to prevent or limit the direct damage referred to in this article.

12.3. Processor is not liable for damage that arises from installed code, CRM systems or other software installed in the hosting account, server or other related service. CRM systems include WordPress, Joomla, Prestashop, Magento or Drupal.

12.4. Liability is excluded for cloud services or additional services of which Processor does not do any server or infrastructure management, but only acts as a reseller, facilitator or user. Cloud services include Microsoft Office 365 email, Google G Suite email, Dropbox, Boxcryptor and Acronis backup. Additional services include CloudFlare, SpamExperts, SSL Certificate Authorities and Let's Encrypt.

12.5. The liability of Processor for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and is therefore at least, but not limited to, consequential damage, loss of profit, missed savings, reduced goodwill, damage due to business interruption, damage due to failure to determine marketing objectives, damage relating to the use of data or data files prescribed by Processor, or loss, mutilation or destruction of data or data files.

12.6. The exclusions and limitations referred to in this Article shall cease to apply if and insofar as the damage is the result of intent or deliberate recklessness on the part of the Processor or its management.

12.7. Unless performance by the Processor is permanently impossible, the liability of the Processor for an attributable shortcoming in the performance of the Agreement will only arise if the Processor immediately gives notice of default in writing, stating a reasonable period for remedy of the shortcoming, and if the Processor continues to be in attributable default of performance of its obligations even after that period. The notice of default must contain a description of the shortcoming that is as complete and detailed as possible, so that Processor is given the opportunity to respond adequately.

12.8. Any claim for compensation by the Processing Party against the Processor that is not specified and explicitly reported will lapse by the mere lapse of twelve (12) months after the claim arises.

12.9. During the term of the Processing Agreement, the Processor shall be adequately insured for liability in accordance with this Article.

12.10. In the event of a breach of the Processing Agreement, Processor shall pay an immediately due and payable penalty of
€ 50.00 per violation and € 50.00 for each day that the violation continues to the Processor.

13. Duration and termination

13.1. This Processing Agreement shall come into effect upon signature by the Parties and on the date of the last signature.

13.2. This Processing Agreement is entered into for the term specified in the main agreement between the Parties and, in the absence thereof, in any case for the duration of the cooperation.

13.3. As soon as the Processing Agreement is terminated, for whatever reason and in whatever way, the Processor will - at the request of the Processing Party - delete and/or destroy all the personal data present at the Processor.

13.4. The Processor is entitled to revise this agreement from time to time. It will notify the Processor of the changes at least three months in advance. The Processing Responsible may terminate the agreement at the end of these three months if it cannot agree to the changes.

14. Applicable law and dispute resolution

14.1. The Processing Agreement and its implementation are governed by Dutch law.

14.2. All disputes that may arise between the Parties in connection with the Processing Agreement shall be submitted to the competent court in the district where the Processor has its registered office.

14.3. In case of conflict between different documents or their annexes, the following order of precedence shall apply:
- the Agreement;
- the General Terms and Conditions;
- this Processing Agreement;
- the Service Level Agreement;
- any additional conditions.

This Processing Agreement has been accepted digitally, the time and IP address of which can be found in the Surver customer panel (my.surver.nl). This acceptance shall serve as signature of the Processing Agreement.
  • Hidden
Appendix 1: Specification of personal data and data subjects

Personal data
In the context of Article 1.1 of the Processing Agreement, the Processor will process the following (special) personal data on the instructions of the Processing Responsible Party, where applicable:

  • Name
  • Company name
  • Address, postcode, city, country
  • E-mail addresses
  • Telephone numbers
  • Payment method, financial data and bank account data
  • Other information related to the services you purchase from us.
  • IP addresses

Of the categories involved:

  • Staff
  • Customers

Controller warrants that the personal data and categories of data subjects described in this Schedule 1 are complete and accurate, and indemnifies Processor against any defects and claims resulting from an incorrect representation by Controller.

Access to data
Through the Surver customer panel you can see what information we store about you and you can also make changes. You can also email us at info@surver.nl if you would like to know what information we store about you.

Scroll to Top