General Terms and Conditions

November 2018

General Conditions
Latest update: November 2018

Below are the General Terms and Conditions (“GTC”) of AttachingIT B.V. John M. Keynesplein 12-46, 1066 EP Amsterdam Chamber of Commerce number 61781614. (“we”, “us” or “our”). These GTC apply to our offers and are a part of each agreement that we may enter into with you. “You” is the (prospective) customers to which we have send an offer of with whom we have entered into an agreement.

1. Definitions
The terms used in these GTC or elsewhere in the Agreement, which start with a capital letter shall have the meaning assigned to them below.

1.1 Agreement: the Order Form combined with these GTC.
1.2 “Applicable Data Protection Law” means all laws and regulations and sectoral recommendations containing rules for data protection and privacy which are applicable to the processing of Personal Data under the Agreement (e.g. the General Data Protection Regulation 2016/679/EC), including without limitation security requirements.
1.3 Application: the Microsoft Outlook plug-in supplied by us to you.
1.4 Business Days: Monday to Friday, except national holidays in the Netherlands, provided that the fifth of May is a national holiday once in five years.
1.5 Business Hours: hours on Business Days between 08.30 and 17.00 (Dutch time).
1.6 Cloud Service: our remote delivery of the Functionality to you over the Internet, including related Support and Documentation.
1.7 Deficiency: each specific situation whereby the Functionality is not provided in accordance with the Documentation.
1.8 Documentation: the documentation relating to the Cloud Service that we have provided to you via the Cloud Service user interface.
1.9 “Effective Date”: the start date of the Term as indicated on the Order Form.
1.10 Functionality: the capability to safely transmit (large) data files directly from within Microsoft Outlook. In addition, Users can receive data files via an upload request that is submitted via Microsoft Outlook by means of a designated upload page. The administrator tool will enable you to monitor the use of the Cloud Service or the Software and by doing so exercise control over your company assets. Monitoring is conducted by means of logging, filters on file type and e-mail addresses and the availability of transmitted data for the recipient. A full overview of the Functionality is provided in the Documentation.
1.11 Incident: this is the situation whereby the Cloud Service or the Software does not work in accordance with the Documentation.
1.12 Intellectual Property Rights: means all intellectual property rights wherever in the world, whether registered or unregistered, including any application or right of application for such rights (and the “intellectual property rights” referred to above include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents and rights in designs).
1.13 “Order Form”: the order form that you have signed or have accepted electronically (click to accept) to convey your order for the provision of one or more Services by us to you.
1.14 Permitted Purpose: sending digital files via Microsoft Outlook in a secure manner.
1.15 Platform: the SmartLockr Data Protection Platform; the software platform that is used by us to enable Users to access the Functionality.
1.16 Response Time: this is the time we take to provide you with our initial response to your Incident report. This time starts running from the date of our receipt of your report presuming that you have correctly issued it to us.
1.17 Services: all of the Services provided or to be provided by us to you under the Agreement including Support and Documentation.
1.18 Software: the software that is installed on the Platform.
1.19 Support: this is where we provide you during Business Hours with information and advice on the use of the Functionality or the Software, including the provision of help with the investigation into causes, including Defects, that prohibit the undisturbed use of the Cloud Service or the Software.
1.20 Term: the term of the Agreement. This is the term for which you have acquired a license from us to use the Cloud Service or the Software and is indicated in the Order Form.
1.21 Training: when we make Users familiar with the Functionality and train them in the use of it.
1.22 User: someone assigned by you to use the Functionality or the Software.
1.23 Website: https://smartlockr.eu and other relating sub domains, if any.

2. Applicability and interpretation
2.1 The GTC apply to and form part of every act relating to the preparation, formation or performance of the Agreement. Each Agreement is formed by your acceptance of the Order Form and our subsequent confirmation to you of our receipt of the accepted Order Form. You accept the Order Form online when you click to accept it or offline by signing it and returning it to us.
2.2 Deviations of and Schedules to the GTC and/or the Order Form are only valid if these have been agreed upon in writing.
2.3 In case of contradictions between the various documents, the following order of preference applies:
a. The Order Form (signed or accepted electronically);
b. These GTC.
2.4 We may unilaterally change these GTC. If we do so we will inform you by e-mail of our intention to do so at least three (3) months prior to the renewal date of the Agreement. If you continue your use of the Services after you have received our notification, you will be deemed to have accepted the changed GTC. Otherwise your only recourse is to terminate the Agreement on the renewal date free of charge.

3. Proposal and acceptance
3.1 All of our offers are non-binding, unless the offer contains an express term for acceptance.
3.2 You shall timely provide us with all (technical) information, decisions and information that are reasonably necessary for the performance of the Agreement. We are not responsible if you provide us with incorrect or incomplete information. We may suspend our performance of the Agreement when you fail to provide us with correct and complete information in a timely fashion.

4. Cooperation
4.1 We shall apply reasonable commercial efforts to meet the agreed upon dates and terms. All dates and terms are always indicative, unless it is expressly stated that it concerns fatal dates or terms.
4.2 We will deliver the Cloud Service to you or install the Software within a week after receiving the signed Agreement.
4.3 All Cloud Services will be delivered by us on best effort-basis: We shall deliver the Cloud Services as good as possible but does not provide any performance guarantee.
4.4 We may engage third parties to perform the Agreement.

5. The Platform
5.1 We will enable you to access the Platform by providing you with a license key within 3 (three) Business Days following the Effective Date. The license key will activate the Application. After the installation of the Application you can access the Functionality for the agreed number of licensed Users.
5.2 Subject to the limitations set out in article 5.3, we hereby grant to you a non-exclusive license to use the Platform for the Permitted Purpose via the Application or online by directly accessing the Platform. Your license shall be valid for the Term and you are required to use the Platform in accordance with the Documentation.
5.3 The license that we grant to you is subject to the following limitations:
a. the Platform must not be used at any point in time by more than the number of licensed Users specified in the Order Form, providing that you can submit a request to us to add or remove Users;
b. the Platform may only be used by your employees, agents and sub-contractors; and
c. You must comply at all times with the terms of the Acceptable Use Policy set out in Schedule 1 (“AUP”), and must ensure that all Users comply with the terms of the AUP;
5.4 Everything that is done through Applications carrying your license key or online via the Platform with your access credentials, is for your responsibility and risk. If you know or suspects that your license key has been compromised, you are required to inform us immediately.
5.5 For the avoidance of doubt, you shall no right to access the object code or source code of the Platform, either during or after the Term.
5.6 All Intellectual Property Rights in the Platform shall be our exclusive property.
5.7 You must not use the Platform in any way that causes, or may cause, damage to the Platform or impairment of the availability or accessibility of the Platform, or any of the areas of, or services on, the Platform. More specifically, you shall not use the Cloud Service in a manner that causes a system- and network load on the Platform that is higher than that of our average customer.
5.8 You must not use the Platform:
a. in any way that is unlawful, illegal, fraudulent or harmful; or
b. in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.
5.9 We provide an availability for the Platform of 99.95%. The Platform is available if the Cloud Service is accessible to Users from the Internet outside.

6. The Application
6.1 Upon providing you with the license key as described in article 5.1, we will direct you to an online download location for the Application. You are responsible for subsequently downloading the Application.
6.2 Your use of the Application shall be subject to the following licensing terms:
a. you may only use the Application for your own business purposes;
b. you may download, install and use a number of Applications that is equal to the numbers of licensed Users;
c. You must not:
(i) copy or reproduce Application or any part of the Application other than in accordance with the license granted in this article 6;
(ii) sell, resell, rent, lease, loan, supply, distribute, redistribute, publish or re-publish the Application or any part of the Application;
(iii) modify, alter, adapt, translate or edit, or create derivative works of, the Application or any part of the Application;
(iv) reverse engineer, decompile, disassemble the Application or any part of the Application (except as mandated by applicable law);
(v) use the Application other than in accordance with the Documentation; or
(vi) circumvent or remove or attempt to circumvent or remove the technological measures applied to the Application for the purposes of preventing unauthorized use.
6.3 All Intellectual Property Rights in the Application shall be our exclusive property.
6.4 You shall be responsible for the security of your copies of the Application and will use all reasonable endeavors to ensure that only licensed Users access and use these copies.

7. On-premises use of the Software
7.1 This article 7 applies when you have elected to use the on-premise version of the Software as opposed to using our Cloud Service.
7.2 When you use the on-premises version of the Software you shall have completed the “Checklist for on-premises installation AttachingIT Outlook” before the planned installation date of the Software. The checklist is provided as a download on the Support Portal.
7.3 As of the date of installation of the Software we hereby grant you a non-exclusive license for the duration of the Term to use the Software and the Applications solely for the Permitted Purpose.
7.4 Your license to use the Software shall be subject to the following licensing terms:
a. you may only use the Software for your own business purposes.
b. you may download, install and use a number of Applications that is equal to the numbers of licensed Users;
c. You may use one copy of the Software for back-up purposes;
d. You must not:
(i) copy or reproduce the Software or any part of the Software other than in accordance with the license granted in this article 7;
(ii) sell, resell, rent, lease, loan, supply, distribute, redistribute, publish or re-publish the Software or any part of the Software;
(iii) modify, alter, adapt, translate or edit, or create derivative works of, the Software or any part of the Software;
(iv) reverse engineer, decompile, disassemble the Application or any part of the Software (except as mandated by applicable law);
(v) use the Software other than in accordance with the Documentation; or
(vi) circumvent or remove or attempt to circumvent or remove the technological measures applied to the Software for the purposes of preventing unauthorized use.
7.5 All Intellectual Property Rights in the Software shall be our exclusive property.
7.6 We shall have the right to audit the number of Users of the Software within your company provided that we issue you with a reasonable advance notice to do so. If the actual number of Users exceed the licensed number of Users by 2, we shall be entitled to issue you with an invoice for the license fee for the unlicensed Users with an uplift of 50%. Our audit right can be exercised once per year during Business Hours. You shall provide all reasonable cooperation with this audit, including providing us with access to relevant parts of your IT environment.

8. Support and Maintenance
8.1 As part of our Support we will enable you to contact us via e-mail and telephone for queries related to your use of the Platform and the Software or for reporting Incidents to us. Our Support E-mail and telephone contact details are displayed on the Website.
8.2 Our standard Response Times are displayed on the Website. You may have a need for shorter Response Times. If you have such a need please indicate this to us. If possible we may provide you with an offer for shorter Response Times. This offer will be dependent on your willingness to pay an additional fee to us.
8.3 When you report an Incident you will need to provide us with the information that we may reasonably need to be able to replicate the error in the Platform or the Software that is causing the Incident.
8.4 We may elect to provide a work-around to solve an Incident if resolving the error that caused the Incident will likely have a negative impact on the Functionality or your use of the Software, as applicable for you.
8.5 If we feel that a reported Incident has been caused by use of the Cloud Service or the Software in violation with the Documentation or with these GTC, we will communicate this you. Such an Incident is not covered by Support. If you then still want us to resolve the Incident, we may charge you a fee per hour at our then current rates to do so.
8.6 When your Users log a disproportionate amount of support call’s to us or create an above average amount of Incidents, we may require you to obtain Training from us for those Users. If you fail to do so, we may suspend our Support obligations.

9. Obligations Customer
9.1 When making use of the Cloud Service or the Software you will observe the installation and software compatibility guidance provided by us in the Documentation. If you fail to observe this guidance, you may not be able to use the Cloud Service or the Software and are not eligible to receive Support, depending on what you have elected to use.
9.2 You will be responsible for maintaining a working Internet connection to the Platform.

10. Intellectual Property Rights
10.1 We guarantee that we have all the necessary rights for providing the Cloud Service, including, if applicable for you, all necessary rights for providing you with a license to use the Software.
10.2 The Intellectual Property Rights in the Platform and the Software shall remain with us or with our suppliers, you shall only receive a right to access the Platform and subsequently use the Functionality or, if applicable for you, use the Software, as described in the Agreement or agreed upon otherwise in writing.
10.3 You are not allowed to remove or modify from the Platform and/or the Software any indication regarding an Intellectual Property Right, including notices regarding the confidential nature and secrecy of information contained in the Platform and/or the Software.
10.4 We are allowed to take technical measures to secure the Cloud Service and/or the Software. If we have done so you are not permitted to remove or evade such security. Technical measures shall not prohibit you to exercise mandatory statutory use rights with respect to the Cloud Service and the Software
10.5 We may freely use insights and other learnings gained by us and by our personnel by means of the performance of an Agreement, provided that such use does not breach any of your proprietary rights.
10.6 You are not allowed to use domains or social media channels containing the name AttachingIT and/or SmartLockr without having asked our prior approval.

11. Training
11.1 Our teachers that provide a Training have sufficient knowledge of the Functionality and have the teaching skills required to properly provide the Training.
11.2 We shall provide each participant with training material for their own personal use. Participants may only reproduce training materials for personal reference purposes.
11.3 You may cancel a Training for free until five days before the scheduled Training date.

12. Prices, rates, invoicing and payment
12.1 All agreed upon prices and rates and the licensed number of Users are listed in the Agreement. All listed prices and rates are exclusive of VAT.
12.2 We may increase the agreed prices and tariffs annually, effective January 1st. We will inform you of an intended price increase no later than 31st October of the preceding year. If you do not agree with the intended price increase, the only remedy available to you is the termination of the Agreement.
12.3 Price changes as a result of substantial Functionality enhancements may be invoiced directly by us.
12.4 We will send an invoice covering the one-time fees and the recurring fees annual fees for the full Term upon the date of signature of the Agreement. Any recurring fees due after a renewal of the Agreement are invoiced annually in advance.
12.5 If specific services and activities are not covered by the Agreement, then we may send you an invoice for the hours actually worked against the then current hourly rates. If we are requested to provide additional services, we will provide you with an offer for those services. Only after having received the approval of this proposal, we shall perform these additional services. For additional work that is reasonably necessary or follows from your prior instructions, no prior approval is needed. When an offer or job description mentions a fixed price, additional work will not be charged unless it falls outside the job description and prior approval was given.
12.6 Extra Functionality provided to you during the term of the Agreement, will be invoiced pro rata up to the following recurring invoice date.
12.7 You shall pay any payable amounts to us within 14 (fourteen) days after the invoice date.
12.8 If you disputes the invoice(s), this dispute will not affect your obligation to pay the undisputed part of the invoice(s).
12.9 If you do not pay the invoiced amounts within the payment term, the statutory interest on the outstanding amount shall be owed you without any prior notice of default being required, unless you have disputed the invoice within 10 (ten) days of the invoice date. If you fail to pay the invoice, we may claim compensation for extrajudicial collection costs at a percentage of at least 15% of the total invoice amount, in addition to the statutory interest.
12.10 If have you are overdue with the payment of two subsequent invoices, we may suspend your access to the Platform, provided that we have informed you of our intention to do so in writing (including e-mail) and you have been granted at least 5 (five) Business Days to fully meet your payment obligations, i.e. including statutory interest, extrajudicial and other costs.

13. Duration, termination, extension and exit
13.1 The Agreement shall enter into force on the Effective Date.
13.2 The Agreement is concluded for a minimum initial Term of one (1) year, unless otherwise agreed upon.
13.3 An agreement with a one (1) year Term will always be automatically renewed for one (1) year, provided neither you nor we have terminated the Agreement by registered letter no later than three (3) months before the renewal date.
13.4 You and we may:
a) terminate the Agreement with immediate effect in writing (including e-mail) if the other party fails to fulfill its obligations under the Agreement and continues such failure after notice to the other party granting him a reasonable time limit in order to meet its obligations.
b) without any further notice being required, terminate the Agreement outside of court by means of a registered letter with immediate effect if the other party applies for a moratorium on payments or a such a moratorium is granted; the other party requests or is declared bankrupt; the company of the other party is liquidated or terminated other than for the purpose of merger of companies; a substantial part of the assets of the other party or the infrastructure and/or the computer software related to the performance of the Agreement is seized, or the other party can no longer be deemed to fulfil the obligations under the Agreement.
13.5 If the Agreement is terminated by you pursuant to article 13.4, you are entitled to continue the use of the Functionality or, if applicable for you, the Software, for a period of two (2) consecutive months against a reasonable fee to be determined by us and to be prepaid by you.
13.6 All your rights expire upon termination of the Agreement, except as provided for in article 13.5.
13.7 Unless provided otherwise, the obligations which by their nature are intended to continue also after termination of the Agreement, remain valid after its termination. The provisions relating to confidentiality, liability, intellectual property rights, transfer of personnel, applicable law and jurisdiction extend beyond the termination of the Agreement.

14. Performance
14.1 We shall perform the Services with care and to the best of our ability, in accordance with the Agreement. We will do our best to provide you with the Services unless and insofar as we have expressly promised a specific result in the Agreement and the result has been defined with sufficient determinability.
14.2 Both the Platform and the Software shall work substantially in accordance with the Documentation.

15. Liability
15.1 Our aggregate liability for our attributable breach of the Agreement is limited to us remunerating you for your resulting direct financial loss up to a maximum of the fees (excluding VAT and other government levies) received by us from you in the six (6) months, immediately prior to the month in which the harmful event occurred. Direct financial damages are made up solely of:
a. Reasonable expenses you would have to incur to ensure that we would not be in breach of the Agreement; these expenses however are not reimbursed if the Agreement is dissolved by you or on behalf of you.
b. Reasonable costs incurred by you for having to continue the solution that you used to provide yourself with the Functionality prior to your intended use of the Platform or the Software.
c. Reasonable costs incurred in determining the cause and extent of the damage, insofar as the determination relates to direct financial loss within the meaning of these terms.
d. Reasonable costs incurred to prevent or mitigate damage, insofar as you are in a position to demonstrate that these expenses resulted in mitigation of direct damages within the meaning of these terms.
15.2 Liability for damages other than those mentioned in article 15.1, including but not limited to consequential damages, lost profits, lost savings, loss of data and loss due to business interruption, are explicitly excluded.
15.3 The aforementioned limitations of liability does not apply:
a. in case of claims for damages followed by death or bodily injury;
b. if the damages have been the direct result of our gross negligence or willful intent.
15.4 Damage as mentioned in article 16.1 shall, as soon as possible but no later than two (2) weeks after the occurrence, be reported in writing to us. Any damage that has not been brought to our attention within such period, shall not be recoverable by you.

16. Force majeure
16.1 If we fail to fulfill any obligation under the Agreement by reasons of force majeure, you may, after a period of no less than thirty (30) days has lapsed, terminate the Agreement by means of a registered letter. If you do so you will not be liable to us for any associated compensation. For any Services performed by us up to the date of termination, for which the fee has not yet been invoiced to you, we may send you an invoice which you will pay in accordance with these GTC.
16.2 In any event we may claim force majeure if one of the following circumstances have arisen: sickness, lack of staff, strike or non-attributable failures of suppliers, loss of data, power failures, failures in the telecommunications infrastructure, license refusals, (distributed) denial of service attacks and/or loss of network connections.

17. Confidentiality
17.1 Without your express prior written consent, we shall not make available to any third parties, files that are processed by means of the Platform including the details of the sender and recipient of the file (collectively “Confidential Information”). Confidential Information shall only be made available to our employees on a strict need to know basis and to the extent that such availability is required to be able to perform the agreed Service. We may disclose Confidential Information if we are obliged to do so by law. When legally possible we will inform you of such disclosure in advance so as to enable you to object to it.

18. Protection of Personal Data
18.1 With respect to personal data we are both a controller and as a processor. Personal data that is processed by us as a controller is described in the privacy statement that we have published on the Website. We will process such personal data in accordance with the privacy statement and Applicable Data Protection Laws.
18.2 Files and related e-mail messages that are send by your Users via the Cloud Service, for which you have not set a password, constitute Personal data that is processed by us as a processor. For this personal data you will act as a controller. If you have set a password this data will be encrypted using a one-way hash and we will no longer have access to the data. It will consequently no longer be personal data to us.
18.3 Our role as a processor is governed by Schedule 2 “Data Processing Agreement” to these GTC.

19. Transfer of rights and obligations
19.1 You may not transfer your rights and obligations out of this Agreement to third parties without our written consent.
19.2 We may at all times transfer the rights and obligations arising under the Agreement.
19.3 In the performance of the Agreement, we may use the services of third party, either as a subcontractor or through temporary hiring of personnel. Our right does not affect our responsibility for the performance of our obligations pursuant to the Agreement.

20. Applicable law and dispute resolution
20.1 The Agreement is governed by Dutch law.
20.2 Any disputes that may arise in relation to or from the Agreement will be submitted to competent court in Amsterdam.

21. Miscellaneous
21.1 Verbal statements, promises or agreements related to the execution of the Agreement have no legal force unless they are confirmed in writing by party that have made them.
21.2 The failure of a party to demand compliance with any provision within a period specified in the Agreement, does not affect the right to still demand such compliance, unless the party has expressly agreed in writing to such non-compliance.
21.3 If any provision of the Agreement is void or unenforceable, the remaining provisions of this Agreement shall remain in force and the parties shall consult to agree on a substitute provision which will maximally approach the invalid (destroyed/void) clause within the scope of the agreement.

Schedule 1
Acceptable Use Policy

(1) This Policy
This Acceptable Use Policy (the “Policy”) sets out the rules governing the use of the Cloud Service and any content that you may submit to the Cloud Service (“Content”).

(2) General restrictions
You must not use the Service in any way that causes, or may cause, damage to the Cloud Service or impairment of the availability or accessibility of the Cloud Service, or any of the areas of, or services on, the Cloud Service.

You must not use the Cloud Service:
a. in any way that is unlawful, illegal, fraudulent or harmful; or
b. in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.

(3) License
You grant to us a worldwide, irrevocable, non-exclusive, royalty-free license to use, reproduce, and distribute your Content to the extent that we need to have these rights to able to provide you with the Cloud-Service.

(4) Unlawful and illegal material
You must not use the Cloud Service to store, host, copy, distribute, display, publish, transmit or send Content that is illegal or unlawful, or that will or may infringe a third party’s legal rights, or that could give rise to legal action whether against you or us or a third party (in each case in any jurisdiction and under any applicable law).

Content must not:
a. infringe any copyright, moral rights, database rights, trade mark rights, design rights, rights in passing off, or other intellectual property rights;
b. infringe any rights of confidence, rights of privacy, or rights under data protection legislation;
c. be in breach of official secrets legislation; or
d. be in breach of any contractual obligation owed to any person.

You must not submit any Content that is or has ever been the subject of any threatened or actual legal proceedings or other similar complaint.

(5) Harmful software
You must not use the Cloud Service to promote or distribute any viruses, Trojans, worms, root kits, spyware, [adware] or any other harmful software, programs, routines, applications or technologies.

You must not use the Cloud Service to promote or distribute any software, programs, routines, applications or technologies that will or may negatively affect the performance of a computer or introduce significant security risks to a computer.

(6) Marketing and spam
You must not use the Cloud Service for any purposes related to marketing, advertising, promotion, or the supply and/or sale of goods and/or services.

Content must not constitute spam.

You must not use the Cloud Service to transmit or send unsolicited commercial communications.

You must not use the Cloud Service to market, distribute or post chain letters, ponzi schemes, pyramid schemes, matrix programs, „get rich quick“ schemes or similar schemes, programs or materials.]

(7) Breaches of this Policy
Without prejudice to this general right and our other legal rights, if you breach this Policy in any way, or if we reasonably suspect that you have breached this Policy in any way, we may:

a. delete or edit any of your Content;
b. send you one or more formal warnings;
c. temporarily suspend your access to a part or all of the Cloud Service; and/or
d. permanently prohibit you from using a part or all of the Cloud Service.

(8) Banned Users
Where we suspend or prohibit your access to the Cloud Service or a part of the Cloud Service, you must not take any action to circumvent such suspension or prohibition (including without limitation using a different account).

(9) Monitoring
Notwithstanding the provisions of this Policy, we do not actively monitor Content.]

Schedule 2
Data Processing Agreement

This Schedule 2 supplements the GTC and as such is part of the Agreement. Next to the definitions as provided in article 1 below, terms used in this Schedule have the same meaning as those used in the GTC, unless explicitly provided otherwise. If there are any conflicts or inconsistencies between this Schedule and GTC, the provisions in this Schedule prevail.

1 DEFINITIONS
1.1 “Approved Measure”: an appropriate safeguard as provided for in article 46 of the General Data Protection Regulation not being the execution of EC Standard Contractual Clauses.
1.2 “Data Subject”: any individual whose Personal Data is processed by us in the course of the performance of the Agreement.
1.3 “EC Standard Contractual Clauses”: the EC Standard Contractual Clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC).
1.4 “Non-Adequate Country”: a country that is deemed not to provide an adequate level of protection of Personal Data within the meaning of the General Data Protection Regulation 2016/679/EC.
1.5 “Personal Data”: means any information relating to a Data Subject.
1.6 “Personal Data Breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.7 “Sub-Processor”: any Third Party that processes Personal Data under our instruction or supervision but that does not fall under our direct authority.
1.8 “Third Party”: any party other than the parties to the Agreement.

2 Description of the processing
2.1 The subject-matter of this Schedule is the processing of Personal Data by us on behalf of you and in accordance your written instructions as described in the Agreement (which includes this Schedule) or otherwise in writing.
2.2 This Schedule shall be valid for the Term. The nature and purpose of the processing, the types of Personal Data and the Data Subjects concerned are described in the Agreement.

3 Instructions
3.1 We shall process Personal Data as described in this Schedule only (i) on behalf and for the benefit of you, (ii) in accordance with the instructions you provide to us through Platform and (iii) for the purposes authorized by the Agreement. We shall comply with Applicable Data Protection Law when carrying out the obligations under the Agreement.
3.2 We shall not process the Personal Data further than as instructed in writing and as strictly necessary for the performance of the Agreement, or as required by applicable EU or EU member state law. In case of such requirement of EU or EU member state law, we shall inform you of that legal requirement before the processing takes place, unless that law prohibits such information on important grounds of public interest.

4 Non-disclosure and confidentiality
4.1 We shall keep Personal Data confidential and shall not disclose Personal Data in any way to any Third Party without your prior written approval, except where, subject to this Schedule, (i) such disclosure is required for the performance of the Agreement or the processing by a Sub-Processor, (ii) where Personal Data need to be disclosed as required for audit purposes as described in article 10 or (iii) such disclosure is allowed in accordance with article 11 of this Schedule.
4.2 We shall ensure that any employee, agent, contractor or any other person working under the direct authority of us is committed to respect and maintain the confidentiality and security of the Personal Data.

5 Security
5.1 We will be responsible for ensuring that the information security measures that apply to the Platform shall at all times be in accordance with the requirements of article 32 GDPR. More detail on our current information security measures is provided below in Annex 1 to this Schedule 2. If these measures are updated will be provide you with the updated information per e-mail.

6 Sub-Processors
6.1 We shall only permit Sub-Processors to process Personal Data with your prior written consent. We will remain fully liable to you for the Sub-Processor’s performance of the Agreement and this Schedule.
6.2 We shall ensure that Sub-Processors are contractually bound to the same restrictions and obligations with respect to the processing as those to which we are bound under the Agreement and this Schedule.
6.3 You are deemed to have consented in writing to the processing of Personal Data by the Sub-Processors listed by us on the following webpage here. We shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. We shall inform you by updating the Sub-Processor webpage on our website. You are obliged to regularly check page to make sure you are informed about any changes.

7 Cooperation obligations
7.1 We shall deal promptly and appropriately and in a commercially reasonable manner with your enquiries or requests for assistance of related to the processing under the Agreement. This obligation includes cooperation and assistance in cases where Data Subjects wish to exercise their rights of access, rectification, erasure, restriction or data portability. We shall establish and maintain procedures to be able to handle such requests in compliance with Applicable Data Protection Law.
7.2 We shall cooperate with and you in as far as this is reasonably necessary for you to be able to comply with your data protection impact assessment and prior consultation obligations under Applicable Data Protection Law. You agree that we are entitled to (partly) provide this cooperation by sending you a copy of a data protection impact assessment that we have conducted ourselves.

8 Personal Data Breaches
8.1 We shall, without undue delay, inform you if we or a Sub-Processor has become aware of the occurrence a Personal Data Breach.
8.2 In the event of a Personal Data Breach, we shall promptly take adequate remedial measures. Furthermore, we shall promptly provide you with all relevant information as requested by you regarding the Personal Data Breach, cooperate with you to investigate the nature and scope of the Personal Data Breach and provide any other assistance as reasonably required by you to allow you to comply with any legal obligations, including notification obligations to regulators and Data Subjects, in this respect.

9 Return and destruction of Personal Data
9.1 In the event of termination of Agreement, you and we will forthwith discuss the (method of) transfer of data, services and/or other measures required for a smooth progress of any of your data that is stored on the Platform. All the work carried out by us may be charged by us to you on the basis of our then current rates.
9.1 If we are required by applicable EU or EU member state law to continue storing your Personal Data, we shall inform you of such legal obligation, shall keep the Personal Data confidential and shall only process the Personal Data to the extent required by the applicable EU or EU member state law.

10 Compliance and right of audit
10.1 We shall make available to you all information necessary to demonstrate compliance with the provisions of this Schedule. Such information will in any case include information on (i) the security measures, (ii) Sub-Processor agreements (including copies thereof with commercial elements blacked-out), (iii) Personal Data Breaches, (iv) deletion of Personal Data, (v) international data transfers and the safeguards taken to address transfer restrictions and (vi) measures in place to allow you to comply with your obligations in relation to Data Subject’s rights.
10.2 You shall have the right to inspect our and our Sub-Processor’s compliance of the obligations under this Schedule. Any such inspection shall be conducted on behalf of you by and independent professional auditor subject to professional secrecy rules, like an EDP auditor or an accountant.
10.3 You shall:
a) give us reasonable notice of the intention to have an audit performed pursuant to Clause 10.2;
b) procure that the audit is performed in compliance with our and Sub-Processor’s reasonable confidentiality provisions, as notified by us to you; and
c) procure that reasonable efforts are used to minimise any disruption to our or our Sub-Processor’s business caused by the performance of the audit.

11 International data transfer
11.1 We may transfer Personal or make Personal Data accessible to the approved Sub-Processor(s) established in Non-Adequate Country/Countries as listed on the webpage provided for in article 6.3.
11.2 You hereby provide us with a mandate to enter into EC Standard Contractual Clauses (Processor-Processor) with a Sub-Processor that is located in a Non-Adequate Country on your behalf.
11.3 Article 11.2 will not apply if the transfer is or the transfers are covered by Approved Measures. In such case, we shall ensure that all required measures, commitments, certifications and safeguards necessary to be able to rely on such Approved Measure are maintained. If we no longer maintain the Approved Measure, we will immediately inform you thereof and ensure that the necessary EC Standard Contractual Clauses are concluded in absence of the Approved Measure.
11.4 Where any of the EC Standard Contractual Clauses or Approved Measures applying to a transfer under this article 11 requires adjustment or is invalidated as a result of any change in, or decision of a competent authority under, Applicable Data Protection Law, we will ensure that the necessary adjustments to the EC Standard Contractual Clauses or Approved Measure are made or the necessary alternative EC Standard Contractual Clauses or Approved Measure are implemented to ensure that the transfer(s) remain to be performed in compliance with Applicable Data Protection Law.

Annex 1 – INFORMATION SECURITY
We apply the following information security measures on the Platform:

• The Platform uses Microsoft Windows Azure. More information on how Microsoft has secured Windows Azure is provided here: https://www.microsoft.com/en-us/trustcenter/security or on an alternative website designated by Microsoft for this purpose. We have elected that Microsoft only stores your data on servers located within the European Community. With respect to Windows Azure we shall provide you with the level of information security that Microsoft publicly offers to all Windows Azure customers. Microsoft Azure is the first Cloud service that has acquired ISO/IEC 27018 certification and is also covered by: ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2.
• Your data will be primarily stored in the Microsoft data center in Amsterdam with a back-up copy in the data center in Dublin, Ireland. This back-up copy is only used when the Amsterdam data center is not available.
• We maintain a dedicated separate storage container for you on the Platform which ensures that your documents are logically separated from other customer’s data. Prior to placing a document in your storage container the document is encrypted using your own unique encryption key. All encryption keys are subsequently stored in a key vault. If a User transmits documents with a password, these documents will be encrypted with the password.
• All your files that are processed by means of the Platform have a standard retention term of fourteen (14) days. When the retention term lapses, the document plus associated meta-data and possible back-up copies will be deleted. Actual retention terms can vary subject to an agreement that you and we have made.
• The SaaS Service and the Software enable the use of a password for a recipient. This password is hashed and as a consequence not viewable for us.
• All IP traffic between us and you and between us and the recipient of your secure document is secured by means of TLS (Transport Layer Security).
• We use end-to-end encryption and zero knowledge techniques when transmitting files to ensure that we are not made aware of the contents of these files.
• Access to personal data is strictly provided on a need to know basis to our employees and has been made subject to contractual confidentiality terms.