Processor agreement

September 1, 2020

This processor's agreement applies to all forms of processing of personal data that Surver, registered with the Chamber of Commerce under number 69403678, (hereinafter: Processor) carries out on behalf of a counterparty to whom it provides services (hereinafter: Processor).
1. Purposes of processing
1.1 The Processor undertakes to process personal data on the instructions of the Processing Party under the terms of this Processing Agreement. Processing will take place exclusively in the context of processing orders and payments for products or services of the Processing Responsible Party, storing data of the Processing Responsible Party, managing financial administration of the Processing Responsible Party, providing and managing the online customer portal of the Processing Responsible Party for the Processing Responsible Party, informing the Processing Responsible Party of changes, renewals, potentially relevant new products and work affecting products, maintaining telephone contact and contact via support tickets with both Processor and its customers, for handling complaints and providing service, performing Public Relations and marketing activities for Processor, sending newsletters or emails on behalf of Processor, managing Processor's customer records, plus those purposes reasonably related thereto or determined by further agreement.
1.2. The personal data that are processed by the Processor in the context of the activities referred to in the previous paragraph and the categories of data subjects from whom they originate are set out in Schedule 1. The Processor will not process the personal data for any purpose other than as determined by the Processing Responsible Party. The Processing Responsible Party will inform the Processor of the processing purposes if they are not already set out in this Processing Agreement.
1.3. The personal data to be processed on the instructions of the Processing Responsible Party will remain the property of the Processing Responsible Party and/or the parties involved.1.4. The Processing Responsible Party guarantees that the processing of personal data will fall under one of the exemptions under the AVG, and that notification to the AP is therefore not required.
2. Obligations of Processor
2.1. With regard to the processing referred to in Article 1, the Processor shall ensure compliance with the conditions imposed on the processing of personal data under the AVG.
2.2. The Processor will inform the Processing Party, at the latter's first request, of the measures it has taken regarding its obligations under this Processor Agreement.
2.3. The obligations of the Processor arising from this Processing Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
2.4. The Processor will immediately notify the Processor if, in its opinion, an instruction from the Processor is in breach of the legislation referred to in paragraph 1.
2.5. Processor will, to the extent within its power, provide assistance to Processor for the purposes of conducting data protection impact assessments (PIAs).
3. Obligations of the Controller
3.1. Controller will ensure correct and safe use of the hosting services and is responsible for implementing security patches and security upgrades for installed or placed code within the hosting accounts and/or services unless agreed otherwise.
3.2. The processing responsibility includes in any case the correct and secure use of the services purchased, including:
- Applying a valid SSL certificate and connection to the relevant domains, websites, web shops and other code;
- Connecting email via SSL;
- Implementation of security patches and security upgrades on code;
- Keeping account content code up-to-date, including website, CMS, CRM software or other code.
4. Transfer of personal data
4.1. Processor may process personal data in countries within the European Union without prior written consent. Including the following countries: United Kingdom, Norway, Iceland and Switzerland.
4.2. Transfer to countries outside the European Union is not permitted without the prior written consent of the Controller. 
5. Division of responsibility
5.1. The permitted processing will be carried out by employees of Processor within an automated environment.
5.2. Processor is solely responsible for the processing of the personal data under this Processing Agreement, in accordance with the instructions of Processor and under the express (final) responsibility of Processor. For the other processing of personal data, including in any case, but not limited to, the collection of the personal data by the Processor, processing for purposes not notified to Processor by Processor, processing by third parties and/or for other purposes, Processor is expressly not responsible.
5.3. The Processor guarantees that the content, use and assignment of the processing of the personal data referred to in this Processing Agreement are not unlawful and do not infringe any third-party right.
6. Use of third parties or subcontractors
6.1. Processor may make use of a third party in the context of the Processing Agreement, without the prior consent of Processor, subject to the condition that Processor may prohibit the use of the third party, only in the event that there are legitimate reasons for doing so.
6.2. Processor shall unconditionally ensure that such third parties assume in writing the same duties as agreed between Controller and Processor.
6.3. The Processor guarantees that these third parties will comply correctly with the obligations of this Processor Agreement and, in the event of errors by these third parties, will itself be liable for all damage as if it had committed the error(s) itself.
7. Security
7.1. Processor shall make an effort, with respect to its infrastructure and third parties engaged by it with which or through which personal data may be processed, to take sufficient and appropriate technical and organizational measures with respect to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, impairment, alteration or disclosure of the personal data).
7.2. Processor has taken at least the following measures: - Encryption of digital files containing personal data; - Securing network connections via Secure Sockets Layer (SSL) technology; - The application of updates and security patches for vulnerabilities at both infrastructure and operating system level, with the aim of providing the safest possible software- and hardware-based services. Execution of patching where applicable and to promote security will be carried out within 72 hours of delivery of available updates.
7.3. Processor is responsible for compliance with the measures agreed by the Parties and to be taken by Processor.
8. Duty to Report
8.1. In the event of a security breach and/or a data leak (which is understood to mean: a breach of the security of personal data which leads to a significant risk of adverse effects, or has adverse effects, on the protection of personal data), Processor will make every effort to notify Verantwoord immediately, but in any event within 48 hours of its discovery. Processor shall make a best effort to make the information provided complete, correct and accurate. The duty to report applies regardless of the impact of the leak.
8.2. If required by law and/or regulations, Processor will cooperate in informing the relevant authorities and any parties concerned. Controller is responsible for reporting to the relevant authorities.
8.3. The duty of notification includes in any case the reporting of the fact that a leak has occurred, as well as:
- What the (alleged) cause of the leak is;
- What is the (as yet known and/or expected) consequence;
- What is the (proposed) solution;
- What measures have already been taken.
9. Handling of requests from those concerned
9.1. Where a data subject makes a request for inspection, as referred to in Article 35 AVG, or correction, addition, amendment or blocking, as referred to in Article 36 AVG, to the Processor, the Processor will forward the request to the Accountable Party and inform the data subject accordingly. The Accountable Party will then deal with the request independently.
10. Secrecy and confidentiality
10.1. All personal data that Processor receives from the Processing Party and/or collects itself in the context of this Processing Agreement is subject to an obligation of confidentiality in relation to third parties. Processor will not use this information for any purpose other than that for which it was obtained, even if it is in such a form that it cannot be traced back to those involved.
10.2. This secrecy obligation will not apply insofar as the Processing Agent has given express permission to provide the information to third parties, if providing the information to third parties is logically necessary in view of the nature of the assignment given and the performance of this Processing Agreement, or if there is a legal obligation to provide the information to a third party.
11. Audit
11.1. The Processing Responsible Party is entitled to have audits carried out by an independent Register EDP Auditor who is bound by confidentiality in order to verify compliance with the agreements in this Processing Agreement.
11.2. This audit will take place no more than once a year and will only take place if there is a concrete and well-founded suspicion of misuse of personal data by the Processor, and only after the Processor has requested similar reports from the Processor, assessed them and provided reasonable arguments to justify an audit initiated by the Processor. Such an audit will be justified if the similar reports available at the Processor do not provide any, or sufficient, evidence of the Processor's compliance with this Processor Agreement.
11.3. This audit will take place two weeks after prior announcement by Processor, without using and inspecting any confidential data of Processor and without unnecessarily disrupting Processor's work processes.
11.4. Processor shall cooperate with the audit and provide all information reasonably relevant to the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable period, whereby a period of up to four weeks is reasonable unless an urgent interest dictates otherwise.
11.5. The findings of the audit will be assessed by the Parties in mutual consultation and, as a result, may or may not be implemented by one or both Parties jointly.
11.6. The reasonable costs of the audit shall be borne by the Respondent, it being understood that the costs of the third party to be hired shall always be borne by the Respondent.
12. Liability and penalty clauses
12.1. The liability of the Processor for damage caused by an attributable shortcoming in the performance of the Processing Agreement, or in tort or otherwise, is excluded. Insofar as the aforementioned liability cannot be excluded, it is limited per event (a series of successive events is regarded as one event) to the compensation for direct damage, up to a maximum of the amount of the fees received by Processor for the work under this Processing Agreement in the month preceding the event giving rise to the damage. The liability of Processor for direct damages shall never exceed € 50.00 in total.
12.2. Direct damage is exclusively understood as all damage consisting of: - Damage directly caused to tangible property ("property damage"); - Reasonable and demonstrable costs incurred in order to persuade the Processor to properly perform the Processing Agreement or to resume it; - Reasonable costs incurred to determine the cause and scope of the damage insofar as it relates to direct damage as referred to here - Reasonable and demonstrable costs incurred by the Processor to prevent or limit the direct damage referred to in this Article.
12.3. Processor is not liable for damages resulting from installed code, CRM systems or other software installed in the hosting account, server or other related service. CRM systems include WordPress, Joomla, Prestashop, Magento or Drupal.
12.4. For cloud services or additional services of which Processor does not do server or infrastructure management, but only acts as a reseller, facilitator or user, liability is excluded. Cloud services include Microsoft Office 365 email, Google G Suite email, Dropbox, Boxcryptor and Acronis backup. Additional services include CloudFlare, SpamExperts, SSL Certificate Authorities, and Let's Encrypt.
12.5. The liability of Processor for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and therefore at least, but not limited to, consequential damage, loss of profit, missed savings, reduced goodwill, damage due to business interruption, damage due to failure to determine marketing objectives, damage relating to the use of data or data files prescribed by the Processor, or loss, mutilation or destruction of data or data files.
12.6. The exclusions and limitations referred to in this Article will lapse if and insofar as the damage is the result of intent or deliberate recklessness on the part of the Processor or its management.
12.7. Unless performance by the Processor is permanently impossible, the liability of the Processor for an attributable shortcoming in the performance of the Agreement will only arise if the Processor immediately gives notice of default in writing, stating a reasonable period for remedying the shortcoming, and if the Processor continues to be in attributable default of its obligations even after that period. The notice of default must contain a description of the shortcoming that is as complete and detailed as possible, so that Processor is given the opportunity to respond adequately.
12.8. Any claim for compensation by Processor against Processor that is not specified and explicitly reported will lapse by the mere lapse of twelve (12) months after the claim arises.
12.9. Processor shall have and maintain adequate insurance during the Processor Agreement for liability in accordance with this Article.
12.10. In the event of a breach of the Processing Agreement, Processor will forfeit an immediately payable penalty of 12.10. In the event of a breach of the Processing Agreement, the Processor will forfeit to the Processing Agent an immediately payable penalty of € 50.00 per breach and € 50.00 for each day that the breach continues.
13. Duration and termination
13.1. This Processing Agreement shall come into effect upon signature of the Parties and on the date of the last signature.
13.2. This Processing Agreement has been entered into for the term specified in the main agreement between the Parties and, failing that, in any event for the duration of the collaboration.
13.3. As soon as the Processor Agreement is terminated, for whatever reason and in whatever way, the Processor will - at the request of the Processing Party - delete and/or destroy all the personal data in its possession.
13.4. The Processor is entitled to revise this agreement from time to time. It will notify the Processor of the changes at least three months in advance. The Processing Responsible may terminate the agreement at the end of those three months if it cannot agree to the changes.
14. Applicable law and dispute resolution
14.1. The Processing Agreement and its implementation are governed by Dutch law.
14.2. All disputes that may arise between the Parties in connection with the Processing Agreement will be submitted to the competent court in the district where the Processor has its registered office.
14.3. In the event of conflict between different documents or their annexes, the following order of priority will apply: - the Agreement; - the General Terms and Conditions - this Processing Agreement - the Service Level Agreement; - any additional conditions.
This Processing Agreement has been accepted digitally, the time and IP address of which can be found in the customer panel of Surver (my.surver.nl). This acceptance shall serve as signature of the Processing Agreement.
  • Hidden
Appendix 1: Specification of personal data and data subjects

Personal data
In the context of Article 1.1 of the Processing Agreement, the Processor will process the following (special) personal data, where applicable, on the instructions of the Processor:

  • Name
  • Company name
  • Address, postal code, town, country
  • Email addresses
  • Telephone numbers
  • Payment method, financial data and bank account data
  • Other information related to the services you purchase from us.
  • IP addresses

Of the categories involved:

  • Staff
  • Customers

Processor warrants that the personal data and categories of data subjects described in this Schedule 1 are complete and accurate, and indemnifies Processor for any deficiencies and claims resulting from Processor's incorrect representation.

Access to data
Through the Surver customer panel you can see what information we store about you and you can also make changes. You can also email us at info@surver.nl if you want to know what information we store about you.

Scroll to Top