General Terms and Conditions
Latest update: June 2022.
Below are the General Terms and Conditions (“GTC”) of SmartLockr B.V. H.J.E Wenckebachweg 123, 1096 AM Amsterdam Chamber of Commerce number 61781614. (“we”, “us” or “our”). These GTC apply to our offers and are a part of each agreement that we may enter into with you. “You” is the (prospective) customer to which we have send an offer of with whom we have entered into an agreement.1. Definitions
The terms used in these GTC or elsewhere in the Agreement, which start with a capital letter shall have the meaning assigned to them below.
- 1.1 “Accepted Proposal”: our Proposal that you have signed or have accepted electronically.
1.2 “Agreement”: your Accepted Proposal combined with these GTC including Annex 1 (AUP) and Annex 2 (Data Processing Agreement).
1.3 “Applicable Data Protection Law”: all laws and regulations and sectoral recommendations containing rules for data protection and privacy which are applicable to the processing of Personal Data under the Agreement (e.g. the General Data Protection Regulation 2016/679/EC), including without limitation security requirements.
1.4 “Business Days: Monday to Friday, except national holidays in the Netherlands, if the fifth of May is a national holiday once in five years.
1.5 “Business Hours”: hours on Business Days between 08.30 and 17.30 (Dutch time).
1.6 “Cloud Service”: our remote delivery of the Functionality to you over the Internet, including related Support and Documentation.
1.7 “Deficiency”: each specific situation whereby the Functionality is not provided in accordance with the Documentation.
1.8 “Documentation”: the documentation on the Cloud Service that we have provided to you via the Cloud Service user interface.
1.9 “Effective Date”: the start date of the Term as indicated on the Accepted Proposal.
1.10 “Functionality”: the capability to safely send email with associated (large) data files directly from within Microsoft Outlook. In addition, Users can receive data files via an upload request that is submitted via Microsoft Outlook by means of a designated upload page. The administrator tool will enable you to monitor the use of the Cloud Service or the Software and by doing so exercise control over your company assets. Monitoring is conducted by means of logging, filters on file type and email addresses and the availability of transmitted data for the recipient. A full overview of the Functionality is provided in the Documentation.
1.11 “GTC”: these general terms and conditions including Annex 1 (AUP) and Annex 2.
1.12 “Incident”: this is the situation whereby the Cloud Service or the Software does not work in accordance with the Documentation.
1.13 “Intellectual Property Rights”: all intellectual property rights wherever in the world, whether registered or unregistered, including any application or right to apply for such rights (and the “intellectual property rights” referred to above include, amongst other rights, copyright and related rights, database rights, trade secrets, Confidential Information, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents and rights in designs).
1.14 “Permitted Purpose”: sending digital files via Microsoft Outlook in a secure manner.
1.15 “Platform”: the SmartLockr Data Protection Platform; the IT platform that is used by us to enable Users to access the Functionality. The Platform is comprised of the combination of the hosting platform, our SMTP-server, the Software, and integrations with the services of our third-party services providers.
1.16 “Plug-in”: the Outlook plug-in which we provide to you in order make use of the Services as described in more detail in article 7.
1.17 “Proposal”: our proposal for the supply of one or more Services.
1.18 “Response Time”: this is the time we take to provide you with our initial response to your Incident report. This time starts running from the date of our receipt of your report presuming that you have correctly issued it to us.
1.19 “Services”: all the services provided or to be provided by us to you under the Agreement including Support and Documentation.
1.20 “Software”: the software that is installed on the Platform.
1.21 “Support”: this is where we provide you during Business Hours with information and advice on the use of the Functionality or the Software, including the provision of help with the investigation into causes, including Defects, that prohibit the undisturbed use of the Cloud Service or the Software.
1.22 “Term”: the term of the Agreement. This is the term for which you have acquired a license from us to use the Cloud Service or the Software and is indicated in the Accepted Proposal.
1.23 “Training”: when we make Users familiar with the Functionality and train them in the use of it.
1.24 “Update”: a partial renewal of the Platform identified by a change of the existing version number, for example version 5.x.
1.25 “Upgrade”: a full renewal of the Platform identified by a new version number, for example version 5.
1.26 “User”: someone assigned by you to use the Functionality or the Software.
1.27 “Website”: https://smartlockr.io and other relating sub domains, if any.
2. Applicability and interpretation
- 2.1 The GTC apply to and form part of every act relating to the preparation, formation, or performance of the Agreement. Each Agreement is formed by (i) your acceptance of our Proposal and (ii) our subsequent confirmation to you of our receipt of your acceptance. You accept our Proposal online when you click to accept it or offline by signing it and returning it to us.
2.2 Deviations of and Schedules to the GTC and/or the Accepted Proposal are only valid if these have been agreed upon in writing.
2.3 If there are any contradictions between the various documents, the following order of preference applies:
- a. Schedule 2 (Data Processing Agreement) to the GTC;
b. Your Accepted Proposal;
c. these GTC except for Schedule 2.
- a. Schedule 2 (Data Processing Agreement) to the GTC;
- 2.4 We may unilaterally change these GTC. If we do so we will inform you by email of our intention to do so at least three (3) months prior to the renewal date of the Agreement. If you continue your use of the Services after you have received our notification, you will be deemed to have accepted the changed GTC. Otherwise, your only recourse is to terminate the Agreement on the renewal date free of charge.
3. Proposal and acceptance
- 3.1 All our Proposals are non-binding unless the offer contains an express term for acceptance.
3.2 You must timely provide us with all (technical) information, decisions and information that are reasonably necessary for our performance of the Agreement. We are not responsible if you provide us with incorrect or incomplete information. We may suspend our performance of the Agreement when you fail to provide us with correct and complete information in a timely fashion.
- 4.1 We will apply reasonable commercial efforts to meet the agreed upon dates and terms. All dates and terms are always indicative, unless it is expressly stated that it concerns fatal dates or terms.
4.2 We will deliver the Cloud Service to you or install the Software within a week after receiving the signed Agreement, or within an alternative term that we agreed upon separately with you.
4.3 The Cloud Service will be delivered by us on best effort-basis; we will deliver the Cloud Service as good as possible but do not provide any performance guarantee.
4.4 We are entitled to engage third parties to perform the Agreement.
5. The Platform
- 5.1 We will enable you to access the Platform by providing you with a license key within 3 (three) Business Days following the Effective Date. The license key will activate the Plug-in. After the installation of the Plug-in, you can access the Functionality for the agreed number of licensed Users.
5.2 Subject to the limitations set out in article 5.3, we hereby grant to you a non-exclusive license to use the Platform for the Permitted Purpose via the Plug-in or online by directly accessing the Platform. Your license will be valid for the Term, and you are required to use the Platform in accordance with the Documentation.
5.3 The license that we grant to you is subject to the following limitations:
- a. the Platform must not be used at any point in time by more than the number of licensed Users specified in the Accepted Proposal, you may however submit a request to us to add or remove Users;
b. the Platform may only be used by your employees, agents, and sub-contractors; and
c. you must always comply with the Acceptable Use Policy set out in Schedule 1 (“AUP”) and must ensure that all Users comply with the AUP.
- a. the Platform must not be used at any point in time by more than the number of licensed Users specified in the Accepted Proposal, you may however submit a request to us to add or remove Users;
- 5.4 Everything that is performed through a Plug-in carrying your license key or online via the Platform with your access credentials, is for your responsibility and risk. If you know or suspects that your license key has been compromised, you are required to inform us immediately.
5.5 You do not have a right to access the object code or source code of the Platform, either during or after the Term.
5.6 All Intellectual Property Rights in the Platform are our exclusive property.
5.7 You must not use the Platform in any way that causes, or may cause, damage to the Platform or impairment of the availability or accessibility of the Platform, or any of the areas of, or services on, the Platform. More specifically, you will not use the Cloud Service in a manner that causes a system and network load on the Platform that is higher than that of our average customer.
5.8 You must not use the Platform:
- a. in any way that is unlawful, fraudulent, or harmful; or
b. in connection with any unlawful, fraudulent, or harmful purpose or activity.
- a. in any way that is unlawful, fraudulent, or harmful; or
- 5.9 We provide an availability for the Platform of 99.95%. The Platform is available if the Cloud Service is accessible to Users from the Internet.
The actual availability is calculated by us per calendar quarter in accordance with the following formula. AST stands for Agreed Service Time, the period during the Platform is supposed to be available and DT stands for downtime:
Our calculated availability percentage over any calendar quarter is made available to you on request. If the actual availability drops beneath 99,95% in two consecutive calendar quarters, you are entitled to terminate the Agreement without cost. This is your sole recourse.
6. Platform Updates and Upgrades
6.1 We will introduce Updates and/or Upgrades to the Platform during the Term. An Update or an Upgrade may involve, for example, modifications to the Software, the introduction of new filtering techniques or changes to processes. If an Update or Upgrade is introduced by us, this will result in a unilateral modification of the Services purchased by you. We will always publish an overview of the adjustments to the Services in advance via the Website. An Update or Upgrade always provides a Functionality that is materially similar to or broader than the Functionality of the last version of the Platform.
6.2 An Upgrade of the Platform may require a modification of the technical implementation of the Services in your environment. If so, we will notify you in advance by email of the necessary implementation adjustments. You must implement the adjustments yourself and at your own expense. At your request, we can support you in this. For our support we may charge you for the hours made at our then current rates.
6.3 If article 6.2 is applicable and you fail to make the necessary implementation changes within 3 (three) months after our notification, we have the right to unilaterally terminate the Agreement without being obliged to pay compensation to you in connection with that termination for any damage suffered or costs incurred by you. If you are unwilling to make the adjustments, you have the right to terminate the Agreement without charge. You must notify us of your termination by email no later than 1 (one) month after our notification.
7. Platform Integration
7.1 For you to use the Functionality, an integration of your email environment with the Platform is required. Integration is possible at an e-mail client level (an Outlook Plug-in) and at email server level (SMTP relay). Which (combination of) integration means apply to you depends on the implementation conditions that have agreed with you. The following paragraphs of this article apply to your use of the integration means.
7.2 Upon providing you with the license key as described in article 5.1, we will direct you to an online download location for the Application. You are responsible for subsequently downloading the Application.
7.3 Your use of the Plug-in shall be subject to the following licensing terms:
(i) copy or reproduce Plug-in or any part of the Plug-in other than in accordance with the license granted in this article 7;
(ii) sell, resell, rent, lease, loan, supply, distribute, redistribute, publish, or re- publish the Plug-in or any part of the Plug-in;
(iii) amend, alter, adapt, translate, or edit, or create derivative works of, the Plug-in or any part of the Application;
(iv) reverse engineer, decompile, disassemble the Plug-in or any part of the Plug-in (except as mandated by applicable law);
(v) use the Plug-in other than in accordance with the Documentation; or
(vi) circumvent or remove or attempt to circumvent or remove the technological measures applied to the Plug-in for the purposes of preventing unauthorized use.
7.4 All Intellectual Property Rights in the Plug-in shall be our exclusive property.
7.5 You shall be responsible for the security of your copies of the Plug-in and will use all reasonable endeavors to ensure that only licensed Users access and use these copies.
7.6 With SMTP relay, we work with you to set up your SMTP server so that it sends all outgoing emails via a TLS (Transport Layer Security) connection to an SMTP server on the Platform. Based on a set content policy, the desired security is then applied, and the email is sent to the recipient. The content policy can be manual based on specified keywords or automatic by applying an algorithm developed by us. In case of a manual policy, you are responsible for providing us with a complete and correct list of keywords in advance. You accept that applied content policies are never comprehensive. We do not guarantee that all your sent emails will be secured at the level you require.
7.7 You accept that when using SMTP relay email, we forward it using an external email delivery service. This means, amongst other things, that the email headers may contain the IP addresses of the servers of the external email delivery service. We do not guarantee that emails forwarded by us will always arrive or will never be labeled as spam.
8. Support and Maintenance
8.1 As part of our Support, we will allow you to contact us via email and telephone for queries related to your use of the Platform and the Software or for reporting Incidents to us. Email and telephone contact details for Support are displayed on the Website.
8.2 Our standard Response Times are displayed on the Website or in the service level agreement that we may have agreed with you. You may have a (business)need for shorter Response Times. If you have such a need, please indicate this to us. If possible, we may provide you with an offer for shorter Response Times. This offer will depend on your willingness to pay an additional fee to us.
8.3 When you report an Incident, you will need to provide us with the information that we may reasonably need to be able to replicate the error in the Platform or the Software that is causing the Incident.
8.4 We may choose to provide a work-around to solve an Incident if resolving the error that caused the Incident will likely have a negative impact on the Functionality or your use of the Software, as applicable for you.
8.5 If we feel that a reported Incident has been caused by use of the Cloud Service or the Software in violation with the Documentation or with these GTC, we will communicate this you. Such an Incident is not covered by Support. If you still want us to resolve the Incident, we may charge you a fee per hour at our then current rates.
8.6 When your Users log a disproportionate amount of support calls to us or create an above average amount of Incidents, we may require you to obtain Training from us for those Users. If you fail to do so, we may suspend our Support obligations.
9. Obligations of the Customer
9.1 When making use of the Cloud Service or the Software you will observe the installation and software compatibility guidance provided by us in the Documentation. If you fail to observe this guidance, you may not be able to use the Cloud Service or the Software and are not eligible to receive Support, depending on what you have elected to use.
9.2 You will be responsible for maintaining a working Internet connection to the Platform.
10. Intellectual Property Rights
10.1 We guarantee that we have all the necessary rights for providing the Cloud Service, including, if applicable for you, all necessary rights for providing you with a license to use the Software.
10.2 The Intellectual Property Rights in the Platform and the Software shall remain with us or with our suppliers, you shall only receive a right to access the Platform and subsequently use the Functionality or, if applicable for you, use the Software, as described in the Agreement, or agreed upon otherwise in writing.
10.3 You are not allowed to remove or amend from the Platform and/or the Software any indication regarding an Intellectual Property Right, including notices regarding the confidential nature and secrecy of information contained in the Platform and/or the Software.
10.4 We are allowed to take technical measures to secure the Cloud Service and/or the Software. If we have done so you may not remove or evade such security. Technical measures shall not prohibit you to exercise mandatory statutory use rights with respect to the Cloud Service and the Software.
10.5 We may freely use insights and other learnings gained by us and by our personnel by means of our performance of the Agreement, provided that such use does not breach any of your proprietary rights.
10.6 You are not allowed to use domains or social media channels containing the name AttachingIT and/or SmartLockr without having asked our prior approval.
11.1 Our teachers that provide a Training have sufficient knowledge of the Functionality and have the teaching skills required to properly provide the Training.
11.2 We shall provide each participant with training material for their own personal use. Participants may only reproduce training materials for personal reference purposes.
11.3 You may cancel a Training for free until five (5) days before the scheduled Training date. If you cancel within five (5) days of the scheduled Training date, we may charge the costs of the Training to you.
12. Prices, rates, invoicing, and payment
12.1 All agreed upon prices and rates and the licensed number of Users are listed in the Agreement. All listed prices and rates are exclusive of VAT.
12.2 We may increase the agreed prices and tariffs annually, effective January 1st. We will inform you of an intended price increase no later than 31st October of the preceding year. If you do not agree with the intended price increase, the only remedy available to you is a cost-free termination of the Agreement.
12.3 Price changes due to inflation or price changes introduced in connection with substantial Functionality enhancements may be invoiced directly by us. The possibility of terminating the contract does not apply to the increase of the price due to price inflation.
12.4 We will send an invoice covering the one-time fees and the recurring fees annual fees for the full Term upon the date of signature of the Agreement. Any recurring fees due after a renewal of the Agreement are invoiced annually in advance.
12.5 If specific services and activities are not covered by the Agreement, then we may send you an invoice for the hours worked against the then current hourly rates. If we are asked to provide additional services, we will provide you with an offer for those services. Only after having received the approval of this proposal, we shall perform these additional services. For additional work that is reasonably necessary or follows from your prior instructions, no prior approval is needed. When an offer or job description mentions a fixed price, additional work will not be charged unless it falls outside the job description and prior approval was given.
12.6 Extra Functionality provided to you during the Term, will be invoiced pro rata up to the following recurring invoice date.
12.7 You shall pay any payable amounts to us within fourteen (14) days after the invoice date.
12.8 If you dispute the invoice(s), this dispute will not affect your obligation to pay the undisputed part of the invoice(s).
12.9 If you do not pay the invoiced amounts within the payment term, the statutory interest on the outstanding amount shall be owed you without any prior notice of default being required, unless you have disputed the invoice within ten (10) days of the invoice date. If you fail to pay the invoice, we may claim compensation for extrajudicial collection costs at a percentage of at least 15% of the total invoice amount, in addition to the statutory interest.
12.10 If have you are overdue with the payment of two subsequent invoices, we may suspend your access to the Platform, if we have informed you of our intention to do so in writing (including email) and you have been granted at least five (5) Business Days to fully meet your payment obligations, i.e., including statutory interest, extrajudicial and other costs.
13. Duration, termination, extension, and exit
13.1 The Agreement shall enter into force on the Effective Date.
13.2 The Agreement is concluded for a minimum initial Term of one (1) year, unless otherwise agreed upon.
13.3 An agreement with a one (1) year Term will always be automatically renewed for one (1) year, provided neither you nor we have terminated the Agreement by registered letter no later than three (3) months before the renewal date.
13.4 You and we may:
a. terminate the Agreement with immediate effect in writing (including email) if the other party fails to fulfil its obligations under the Agreement and continues such failure after notice to the other party granting him a reasonable time limit to meet its obligations.
b. without any further notice being required, terminate the Agreement by means of a registered letter with immediate effect if the other party applies for a moratorium on payments or a such a moratorium is granted; the other party requests or is declared bankrupt; the company of the other party is liquidated or terminated other than for the purpose of merger of companies; a substantial part of the assets of the other party or the infrastructure and/or the computer software related to the performance of the Agreement is seized, or the other party can no longer be deemed to fulfil the obligations under the Agreement.
13.5 If the Agreement is terminated by you pursuant to article 13.4, you are entitled to continue the use of the Functionality or, if applicable for you, the Software, for two (2) consecutive months against a reasonable fee to be determined by us and to be prepaid by you.
13.6 All your rights expire upon termination of the Agreement, except as provided for in article 13.5.
13.7 Unless provided otherwise, the obligations which by their nature are intended to continue also after termination of the Agreement, remain valid after its termination. The provisions on confidentiality, liability, intellectual property rights, applicable law and jurisdiction extend beyond the termination of the Agreement.
14.1 We shall perform the Services with care and to the best of our ability, in accordance with the Agreement. We will do our best to provide you with the Services unless and insofar as we have expressly promised a specific result in the Agreement and the result has been defined with sufficient determinability.
14.2 Both the Platform and the Software shall work substantially in accordance with the Documentation.
15.1 Our aggregate liability for our attributable breach of the Agreement is limited to us remunerating you for your resulting direct financial loss up to a maximum of the fees (excluding VAT and other government levies) received by us from you in the twelve (12) months, immediately before the month in which the harmful event occurred. Direct financial damages consist exclusively of:
a. reasonable expenses you would have to incur to ensure that we would not be in breach of the Agreement; these expenses however are not reimbursed if the Agreement is dissolved by you or on behalf of you;
b. reasonable costs incurred by you for having to continue the solution that you used to provide yourself with the Functionality before your intended use of the Platform or the Software;
c. reasonable costs incurred in determining the cause and extent of the damage, insofar as the determination relates to direct financial loss within the meaning of these terms;
d. reasonable costs incurred to prevent or mitigate damage, insofar as you can demonstrate that these expenses resulted in mitigation of direct damages within the meaning of these terms.
15.2 Liability for damages other than those mentioned in article 15.1, including but not limited to consequential damages, lost profits, lost savings, loss of data and loss due to business interruption, are explicitly excluded.
15.3 The aforementioned limitations of liability do not apply:
a. if there is a claim for damages followed by death or bodily injury;
b. if the damages have been the direct result of our gross negligence or willful intent.
15.4 Damage as mentioned in article 15.1 shall, as soon as possible but no later than two (2) weeks after the occurrence, be reported to us in writing or by email. Any damage that has not been brought to our attention within such period, shall not be recoverable by you.
16. Force majeure
16.1 If we fail to fulfil any obligation under the Agreement by reasons of force majeure, you may, after a period of no less than thirty (30) days has lapsed, terminate the Agreement by means of a registered letter. If you do so you will not be liable to us for any associated compensation. For any Services performed by us up to the date of termination, for which the fee has not yet been invoiced to you, we may send you an invoice which you will pay in accordance with these GTC.
16.2 In any event we may claim force majeure if one of the following circumstances have arisen: non-attributable failures of suppliers, loss of data, power failures, failures in the telecommunications infrastructure, license refusals, (distributed) denial of service attacks and/or loss of network connections.
17.1 Without your express prior written consent, we shall not make available to any third parties, files that are processed by means of the Platform including the details of the sender and recipient of the file (collectively “Confidential Information”). Confidential Information shall only be made available to our employees on a strict need to know basis and to the extent that such availability is required to be able to perform the agreed Service. We may disclose Confidential Information if we are obliged to do so by law. When legally possible we will inform you of such disclosure in advance to enable you to object to it.
18. Protection of Personal Data
18.1 We will process personal data on the Platform in accordance with our privacy statement and Applicable Data Protection Laws. If we process personal data as your data processor, we will do so in accordance with the terms included in Annex 2 (Data Processing Agreement). In case of a conflict between the contents of Annex 2 and these GTC (including Annex 1), the terms of Annex 2 will take precedence over these GTC (including Annex 1).
19. Transfer of rights and obligations
19.1 You may not transfer your rights and obligations out of this Agreement to third parties without our written consent.
19.2 We may always transfer the rights and obligations arising under the Agreement.
19.3 In the performance of the Agreement, we may use the services of third party, either as a subcontractor or through temporary hiring of personnel. Our right does not affect our responsibility for the performance of our obligations pursuant to the Agreement.
20. Applicable law and dispute resolution
20.1 The Agreement is governed by Dutch law.
20.2 Any disputes that may arise in relation to or from the Agreement will be submitted to the competent court in Amsterdam.
21.1 Verbal statements, promises or agreements related to the execution of the Agreement have no legal force unless they are confirmed in writing by party that have made them.
21.2 The failure of a party to demand compliance with any provision within a period specified in the Agreement, does not affect the right to still demand such compliance, unless the party has expressly agreed in writing to such non-compliance.
21.3 If any provision of the Agreement is void or unenforceable, the remaining provisions of this Agreement shall remain in force and the parties shall consult to agree on a substitute provision which will maximally approach the invalid (destroyed/void) clause within the scope of the Agreement.
Schedule 1 - Acceptable Use Policy
(1) This Policy
This Acceptable Use Policy (the “Policy”) sets out the rules governing the use of the Cloud Service and any content that you may submit to the Cloud Service (“Content”).
(2) General restrictions
You must not use the Service in any way that causes, or may cause, damage to the Cloud Service or impairment of the availability or accessibility of the Cloud Service, or any of the areas of, or services on, the Cloud Service.
You must not use the Cloud Service:
a. in any way that is unlawful, fraudulent, or harmful; or
b. in connection with any unlawful, fraudulent, or harmful purpose or activity.
You grant to us a worldwide, irrevocable, non-exclusive, royalty-free license to use, reproduce, and distribute your Content to the extent that we need to have these rights to able to provide you with the Cloud Service.
(4) Unlawful Content
You must not use the Cloud Service to store, host, copy, distribute, display, publish or send Content that is unlawful, or that will or may infringe a third party's legal rights, or that could give rise to legal action whether against you or us or a third party (in each case in any jurisdiction and under any applicable law).
Content must not:
a. infringe any copyright, moral rights, database rights, trademark rights, design rights, rights in passing off, or other intellectual property rights;
b. infringe any rights of confidence, rights of privacy, or rights under data protection legislation;
c. be in breach of official secrets legislation;
d. be in breach of any contractual obligation owed to any person.
You must not submit any Content that is or has ever been the subject of any threatened or actual legal proceedings or other similar complaint.
(5) Harmful software
You must not use the Cloud Service to promote or distribute any viruses, Trojans, worms, root kits, spyware, [adware] or any other harmful software, programs, routines, applications, or technologies.
You must not use the Cloud Service to promote or distribute any software, programs, routines, applications, or technologies that will or may negatively affect the performance of a computer or introduce significant security risks to a computer.
(6) Marketing and spam
You must not use the Cloud Service for any purposes related to marketing, advertising, promotion, or the supply and/or sale of goods and/or services.
Content must not constitute spam.
You must not use the Cloud Service to send unsolicited commercial communications.
You must not use the Cloud Service to market, distribute or post chain letters, ponzi schemes, pyramid schemes, matrix programs, "get rich quick" schemes or similar schemes, programs, or materials.
(7) Breaches of this Policy
If you breach this Policy in any way, or if we reasonably suspect that you have breached this Policy in any way, we may:
a. delete or edit any of your Content;
b. send you one or more formal warnings;
c. temporarily suspend your access to a part or all the Cloud Service; and/or
d. permanently prohibit you from using a part or all of the Cloud Service.
Our exercise of these rights does not prejudice our other rights under the Agreement.
(8) Banned Users
Where we suspend or prohibit your access to the Cloud Service or a part of the Cloud Service, you must not take any action to circumvent such suspension or prohibition (including without limitation using a different account).
Notwithstanding the provisions of this Policy, we do not actively monitor Content.
Schedule 2 – Data Processing Agreement
(a) We provide you, on the basis of the Agreement, with the means to send and receive messages and files in a secure manner;
(b) That the design of these means is such that we are not able to know the contents of the messages and attached files, but that they nevertheless contain personal data within the meaning of the General Data Protection Regulation (“GDPR”); and
(c) That we therefore agree in writing with you on the potential processing of such personal data (hereinafter the “Data Processing Agreement”). The personal data that we may potentially process and the categories of data subjects it concerns are described in an overview that we publish on our Website. You can consult this overview here.
WE AGREE AS FOLLOWS:
1.1. All terms referred to in this Data Processing Agreement shall be interpreted in accordance with:
a. Article 4 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter “‘GDPR”); and
b. the contents of your Accepted Proposal and Article 1 of the GTC.
1.2. A reference to a specific standard (such as ISO and NEN standards) is a reference to the most current version of that standard. If the relevant standard is no longer maintained, the most current version of the logical successor to the relevant standard must be read in its place.
2. Subject of this Data Processing Agreement
2.1. This Data Processing Agreement applies to the processing of Personal Data contained in messages and files sent and received by your Users using the technical means provided under the Agreement.
2.2. If information sent or received by your Users by means of the offered means contains Personal Data, we shall process it in the capacity of Processor on your behalf as a Controller within the meaning of the GDPR.
3. Duration and termination
3.1. This Data Processing Agreement forms an integral and inseparable part of the Agreement.
3.2. This Data Processing Agreement shall enter into force upon the formation of the Agreement. Termination of the Agreement will also result in termination of this Data Processor Agreement.
3.3. The relevant obligations of this Data Processing Agreement will remain in force after the termination of the Agreement, until all Personal Data still being processed thereunder have been destroyed or deleted.
4. Execution of processing
4.1. We shall process Personal Data held by us pursuant to Article 2 only on your instructions and to the extent necessary to execute the Agreement or any arrangements made with you in writing.
4.2. An essential feature of the technical means we provide is that they are designed to prevent us from obtaining knowledge of the content of messages and files processed by them. Our facilities therefore enable you to perform all content-related actions with respect to Personal Data necessary to comply with your obligations under the GDPR yourself.
4.3. To the extent permitted by the nature of the facilities we provide, we will:
a. carry out all reasonable and lawful instructions given by you pursuant to this Data Processing Agreement in relation to the processing of Personal Data; and
b. provide all information and support reasonably requested by you to enable you to comply with Your obligations under the GDPR.
We will inform you if complying with such instructions or requests would violate any legal obligation incumbent upon us. In no event shall this legal provision oblige us to modify the technical means we provide.
4.4. We may charge you a fee in accordance with Article 12.5 of the GTC for the support we provide under this Data Processing Agreement. This includes activities pursuant to clause 4.3 and activities in support of an investigation pursuant to clause 7.2.
4.5. Without prejudice to the provisions of Article 4.1, we may process Personal Data if we are required to do so by law. In that case, we will notify you in writing prior to processing that we will do so, unless that notification is prohibited by law.
5.1. We shall treat Personal Data as strictly confidential and shall ensure that they are not made available to third parties unless this is necessary for the fulfilment of obligations under the Agreement or unless the law obliges us to do so.
5.2. Our employees, representatives and/or third parties involved in processing Personal Data on our behalf have a contractual obligation to keep Personal Data they process confidential.
6.1. We shall take and maintain appropriate technical and organisational security measures to adequately protect Personal Data, in the light of the state of the art and the costs involved, against loss, unauthorised access, corruption or any other form of unlawful processing.
6.2. We maintain our security policy for the protection of Personal Data in accordance with ISO27001:2017, NEN7510:2018 and NEN:NTA 7516. In line with this, we shall maintain at least the following security measures:
a. measures to ensure that only authorised persons have access to the Personal Data and for the purposes set out;
b. measures to ensure that employees and third parties only have access to systems on which Personal Data is processed through nominative accounts and for necessary purposes, with the use of such accounts adequately logged;
c. measures to protect the Personal Data against accidental or unlawful destruction, accidental loss, or alteration, unauthorised or unlawful storage, processing, access or disclosure;
d. measures to identify vulnerabilities with respect to the processing of Personal Data in the systems used to provide services to your organisation;
e. measures to ensure the timely availability of the Personal Data;
f. measures to ensure that Personal Data are processed logically separate from the Personal Data that we process for our own organisation or on behalf of third parties.
7. Monitoring and auditing
7.1. At your first request, we may issue a report or certificate issued by an independent and competent third party to demonstrate our compliance with our obligations under this Data Processing Agreement.
7.2. We will allow you to have an independent third party audit our compliance with this Data Processing Agreement once a year to the extent that a certificate or report referred to in clause 7.1 does not reasonably allow you to comply with your monitoring obligations under the GDPR. The limitation to an annual audit does not apply if objective grounds warrant a suspicion that we are not complying with our obligations under this Data Processing Agreement.
7.3. You must give notice of an investigation pursuant to clause 7.2 at least thirty (30) calendar days prior to its intended execution. The investigation must be carried out during normal business hours by an independent and accredited external auditing firm that is bound by a written promise of confidentiality. If the investigation shows that we have materially failed to comply with this Data Processor Agreement, we shall implement a mitigation plan without delay.
7.4. You are responsible for all costs related to the investigation pursuant to clause 7.2, unless the investigation shows that we have materially failed to comply with our obligations under this Data Processor Agreement.
8. Breach Management
8.1. If a Personal Data Breach (a “Breach”) occurs at our premises or at those of a third party engaged by us or on our behalf, or there is a reasonable suspicion that it has occurred, we will inform you without delay. We will provide all reasonably relevant information including:
1) the nature of the Incident and/or the situation;
2) the observed and suspected consequences of the Breach; and
3) the measures taken, or intended to be taken, to resolve the Breach and to minimise the potential consequences/damage.
8.2. Without prejudice to the other obligations under this Data Processing Agreement, We are required, and you indemnify us, to take all measures that may reasonably be expected of us to investigate a Breach, to remedy it and to limit further consequences.
9. Use of third parties
9.1. We may be required to engage third parties (“Sub processors”) in the performance of this Data Processing Agreement. We impose at least the same obligations on Sub processors as we are bound to under this Data Processing Agreement. We will put these agreements in writing and ensure that they are complied with. We remain responsible for any consequences of our outsourcing the Processing of Personal Data to third parties.
9.2. We publish all relevant information about our Sub processors on our website. By entering into the Master Agreement, you consent to the use of the Sub processors already appointed. If we intend to appoint a new Sub processor, we will notify you electronically at least three (3) months in advance and seek your consent where required under the GDPR.
9.3. If you do not consent to the intention following a notice pursuant to Section 9.1, You have the right to terminate the Master Contract in writing within sixty (60) calendar days of receipt of such notice. If you do not exercise this right, you will be deemed to have agreed to the intention.
10. International data transfer
10.1. We do not process Personal Data, or allow third parties to process Personal Data, in countries or territories outside the European Economic Area, unless:
a. the European Commission has decided in respect of them that they guarantee an adequate level of protection for Personal Data;
b. You have given your written consent to do so at our request; or
c. one of the other grounds for doing so provided in the GDPR is fulfilled.
11. Retention periods, return and destruction of Personal Data
11.1. We will retain Personal Data in our possession under this Data Processing Agreement for no longer than is strictly necessary for the provision of our services under the Master Agreement and the fulfilment of any statutory retention obligations.
11.2. The nature of the means presumes that we do not have access to Personal Data under our control for the purposes of this Data Processing Agreement. You are required to copy or migrate and secure all Personal Data that we process under this Data Processing Agreement before terminating the Agreement.
11.3. We shall promptly and irrevocably destroy the Personal Data upon termination of the Agreement and expiry of applicable retention periods, unless you agree with us on additional retention periods prior to such termination.
11.4. At your request, we will provide you with a statement of the fact that the Personal Data has been irrevocably destroyed or deleted. If irrevocable destruction or removal is not possible, we will inform you without delay. The Personal Data will be treated confidentially until such time as it is destroyed or deleted.