1 April 2023
Processor agreement
This processor agreement applies to all forms of processing of personal data carried out by Surver B.V., registered with the Chamber of Commerce under number 90020294, (hereinafter: Processor) on behalf of an opposing party to whom it provides services (hereinafter: Controller).
1. Purposes of processing
1.1. Processor undertakes, under the terms of this Processor Agreement, to process personal data on behalf of Controller. Processing will only take place in the context of handling orders and payments for Processor's products or services, storing Processor's data, managing Processor's financial administration, providing and managing Processor's online customer portal for Processor, notifying Processor of changes, renewals, potentially relevant new products and work affecting products, maintaining telephone contact and contact via support tickets with both Processor and its customers, for handling complaints and providing service, performing Public Relations and marketing activities for Processor, sending newsletters or emails on behalf of Processor, management of Processor's customer records, plus those purposes reasonably related thereto or as determined by further agreement.
1.2. The personal data processed by Processor as part of the activities referred to in the previous paragraph and the categories of data subjects from whom they originate are set out in Schedule 1. Processor shall not process the personal data for any purpose other than as determined by Controller. Controller shall inform Processor of the processing purposes insofar as they are not already mentioned in this Processor Agreement.
1.3. The personal data to be processed on behalf of Controller shall remain the property of Controller and/or the relevant data subjects.
1.4. Controller warrants that the processing of personal data falls under one of the exemptions under the GDPR (Dutch: AVG), and thus no notification to the Dutch Data Protection Authority (AP) is required.
2. Obligations of Processor
2.1. In respect of the processing mentioned in Article 1, Processor shall ensure compliance with the conditions imposed, under the GDPR (AVG), on the processing of personal data.
2.2. Processor shall inform Controller, upon its first request to do so, about the measures it has taken regarding its obligations under this Processor Agreement.
2.3. The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense.
2.4. The Processor shall immediately notify the Controller if, in its opinion, an instruction of the Controller violates the legislation referred to in paragraph 1.
2.5. Processor shall, to the extent within its power, provide assistance to Controller for the purpose of conducting data protection impact assessments (PIAs).
3. Obligations of Controller
3.1. Controller shall ensure correct and secure use of the hosting services and shall be solely responsible for implementation of security patches and security upgrades for installed or placed code within the hosting accounts and/or services unless otherwise agreed.
3.2. The Controller's responsibility includes in any case the correct and secure use of the purchased services, including:
- Applying a valid SSL certificate and connection to the relevant domains, websites, web shops and other code;
- Connecting email via SSL;
- Implementation of security patches and security upgrades on code;
- Keeping account content code up-to-date, including website, CMS, CRM software or other code.
4. Transfer of personal data
4.1. Processor may process personal data in countries within the European Union without prior written consent, including the following countries: United Kingdom, Norway, Iceland and Switzerland.
4.2. Transfer to countries outside the European Union is not permitted without the prior written consent of the Controller.
5. Division of responsibility
5.1. The permitted processing operations will be performed by employees of Processor within an automated environment.
5.2. The Processor is solely responsible for the processing of the personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the express (ultimate) responsibility of the Controller. For other processing of personal data, including in any case, but not limited to, the collection of the personal data by the Controller, processing for purposes not notified to the Processor by the Controller, processing by third parties and/or for other purposes, the Processor is explicitly not responsible.
5.3. Processor guarantees that the content, use and commissioning of the personal data processing operations referred to in this processor agreement are not unlawful and do not infringe any third-party right.
6. Engagement of third parties or subcontractors
6.1. Processor may make use of a third party in the context of the Processor Agreement, without the prior consent of Controller, on the condition that Controller may prohibit the use of the third party, only in the event that there are legitimate reasons for doing so.
6.2. Processor shall unconditionally ensure that these third parties assume in writing the same duties as agreed between Controller and Processor.
6.3. Processor guarantees that these third parties comply correctly with the obligations under this Processor Agreement and, in the event of errors by these third parties, it shall itself be liable for all damages as if it had committed the error(s) itself.
7. Security
7.1. Processor shall endeavour, with regard to its infrastructure and third parties engaged by it with which or through which personal data may be processed, to take sufficient and appropriate technical and organisational measures in relation to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorised access, impairment, modification or disclosure of the personal data).
7.2. In any case, Processor has taken the following measures:
- Encryption of digital files containing personal data;
- Securing network connections via Secure Sockets Layer (SSL) technology;
- Implementation of updates and security patches for vulnerabilities at both infrastructure and operating system levels, with the aim of providing the most secure software and hardware services possible. Where applicable and where it promotes security, patches are implemented within 72 hours of delivery of available updates.
7.3. Processor is responsible for compliance with the measures agreed by the Parties and to be taken by Processor.
8. Duty to report
8.1. In the event of a security breach and/or a data leak (by which is meant: a breach of the security of personal data that leads to a significant risk of adverse consequences, or has adverse consequences, for the protection of personal data), Processor, to the best of its ability, will make every effort to inform the Controller about this immediately, but in any case within 48 hours of its discovery. Processor shall make best efforts to make the information provided complete, correct and accurate. The notification obligation applies regardless of the impact of the leak.
8.2. If required by law and/or regulations, Processor will cooperate in informing the relevant authorities and any data subjects. Processor is responsible for reporting to the relevant authorities.
8.3. The duty to report shall at least include reporting the fact that a leak has occurred, as well as:
- What the (alleged) cause of the leak is;
- What is the (as yet known and/or expected) consequence;
- What is the (proposed) solution;
- What action has already been taken.
9. Handling requests from data subjects
10. Secrecy and confidentiality
10.1. All personal data that Processor receives from Controller and/or collects itself in the context of this Processor Agreement is subject to an obligation of confidentiality towards third parties. Processor shall not use this information for any other purpose than that for which it obtained it, even if it is put in such a form that it cannot be traced back to data subjects.
10.2. This confidentiality obligation does not apply to the extent that Processor has given express consent to provide the information to third parties, if the provision of the information to third parties is logically necessary given the nature of the assignment provided and the performance of this Processor Agreement, or if there is a legal obligation to provide the information to a third party.
11. Audit
11.1. Processor has the right to have audits performed by an independent Registered EDP Auditor bound by confidentiality to verify compliance with the agreements in this Processor Agreement.
11.2. This audit will take place no more than once a year and will only take place in the event of a concrete and well-founded suspicion of misuse of personal data by the Processor, and only after the Controller has requested and assessed the similar reports present at the Processor and presents reasonable arguments that still justify an audit initiated by the Controller. Such an audit shall be justified when the similar reports present at Processor do not or not sufficiently conclusively demonstrate Processor's compliance with this Processing Agreement.
11.3. This audit shall take place two weeks after prior notice by Processor, without using and viewing Processor's confidential data and without unduly disrupting Processor's work processes.
11.4. Processor shall cooperate in the audit and make available all information reasonably relevant for the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable period of time, whereby a period of up to four weeks is reasonable unless an urgent interest dictates otherwise.
11.5. The findings resulting from the audit carried out will be assessed by the Parties in mutual consultation and, as a result, may or may not be implemented by one of the Parties or by both Parties jointly.
11.6. The reasonable costs for the audit shall be borne by the Controller, provided that the costs for the third party to be hired will always be borne by the Controller.
12. Liability and penalty provisions
12.1. The liability of Processor for damages resulting from an attributable failure in the performance of the Processor Agreement, or in tort or otherwise, is excluded. Insofar as the aforementioned liability cannot be excluded, it is limited per event (a series of consecutive events counts as one event) to compensation for direct damage, up to a maximum of the amount of the fees received by Processor for the work under this Processor Agreement for the month preceding the event causing damage. Processor's liability for direct damage shall never exceed €50 in total.
12.2. Direct damage means exclusively all damage consisting of:
- Damage directly caused to tangible property ("property damage");
- Reasonable and demonstrable costs to compel the Processor to properly comply (again) with the Processor Agreement;
- Reasonable costs to determine the cause and extent of the damage insofar as related to direct damage as referred to here;
- Reasonable and demonstrable costs incurred by Processor to prevent or limit the direct damage referred to in this article.
12.3. Processor is not liable for damages arising from installed code, CRM systems or other software installed in the hosting account, server or other related service. CRM systems include, among others, WordPress, Joomla, Prestashop, Magento or Drupal.
12.4. For cloud services or additional services of which Processor does not do any server or infrastructure management, but only acts as reseller, facilitator or user, liability is excluded. Cloud services include, among others, Microsoft Office 365 email, Google G Suite email, Dropbox, Boxcryptor and Acronis backup. Additional services include CloudFlare, SpamExperts, SSL Certificate Authorities and Let's Encrypt, among others.
12.5. Processor's liability for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and thus in any case, but not limited to, consequential damage, loss of profit, missed savings, reduced goodwill, damage due to business stagnation, damage due to the failure to determine marketing purposes, damage related to the use of data or data files prescribed by Processor, or loss, mutilation or destruction of data or data files.
12.6. The exclusions and limitations referred to in this article shall lapse if and to the extent that the damage is the result of intent or conscious recklessness on the part of Processor or its management.
12.7. Unless performance by Processor is permanently impossible, Processor's liability for attributable failure in the performance of the Contract only arises if Controller promptly gives Processor written notice of default, setting a reasonable deadline for remedying the failure, and Processor continues to fail attributably in the performance of its obligations even after that deadline. The notice of default must contain as complete and detailed a description of the failure as possible, so that Processor is given the opportunity to respond adequately.
12.8. Any claim for damages by Controller against Processor that is not specified and explicitly reported shall expire by the mere lapse of twelve (12) months after the claim arose.
12.9. Processor shall have and maintain adequate insurance for liability in accordance with this article during the Processor Agreement.
12.10. In the event of breach of the Processor Agreement, Processor shall pay an immediately payable penalty of €50.00 per violation and €50.00 per day that the violation continues, to Processor.
13. Duration and termination
13.1. This Processor Agreement shall come into existence by signature of the Parties and on the date of the last signature.
13.2. This Processor Agreement is entered into for the duration as stipulated in the main agreement between the Parties and, in the absence thereof, in any case for the duration of the cooperation.
13.3. Once the Processor Agreement is terminated, for whatever reason and in whatever manner, Processor shall, at the request of the Controller, delete and/or destroy all personal data present with it.
13.4. Processor is entitled to revise this agreement from time to time. It shall give at least three months' notice of the amendments to Controller. Controller may terminate by the end of these three months if it cannot agree to the changes.
14. Applicable law and dispute resolution
14.1. The Processor Agreement and its performance shall be governed by Dutch law.
14.2. All disputes that may arise between the Parties in connection with the Processor Agreement will be submitted to the competent court in the district where Processor has its registered office.
14.3. In case of conflict between different documents or their annexes, the following order of precedence shall apply:
- the Agreement;
- the General Terms and Conditions;
- this Processor Agreement;
- the Service Level Agreement;
- any additional conditions.
Annex 1: Specification of personal data and data subjects
Personal data
Processor shall, where applicable, process the following (special) personal data on behalf of Controller under Article 1.1 of the Processor Agreement:
- Name
- Company name
- Address, postal code, city, country
- Email addresses
- Telephone numbers
- Payment method, financial data and bank account details
- Other information related to the services you purchase from us.
- IP addresses
From the following categories of data subjects:
- Staff
- Customers
Processor warrants that the personal data and categories of data subjects described in this Schedule 1 are complete and accurate, and indemnifies Processor against any defects and claims resulting from an incorrect representation by Processor.
Access to data
Via the Surver customer panel, you can see what data we hold on you and you can also report changes. You can also e-mail us at info@surver.nl if you would like to know which of your data we store.