Version AV2024-1.0

Parties:
1. Jimani, hereinafter referred to as “Processor”;
2. Customer, hereinafter referred to as “Controller”;

Processor and Controller, hereinafter jointly referred to as: “Parties”

Considering that:

– The Controller has instructed the Processor to process the personal data of his/her company in the context of the main agreement, which forms an integral part of this data processing agreement;
– The Controller designates the purposes and means for which the conditions mentioned herein apply;
– The Processor is willing to perform the processing and is also willing to comply with obligations regarding security and other aspects of the General Data Protection Regulation (“GDPR”), to the extent that this is within its power;
– The Processor does not process the personal data for its own purposes;
– The Controller can be regarded as a controller within the meaning of Article 4(7) GDPR;
– The Processor can be regarded as a processor within the meaning of Article 4(8) GDPR;
– Where this agreement refers to Personal Data, this means personal data within the meaning of Article 4(1) GDPR;
– The Parties, also considering the requirement of Article 28(3) GDPR, wish to record their rights and obligations in writing by means of this Data Processing Agreement (hereinafter “Data Processing Agreement”).

The parties have agreed as follows:

Article 1 – Purpose of the processing

1. Under the terms of this Data Processing Agreement, the Processor undertakes to process Personal Data on behalf of the Controller, and processing will take place solely in the context of the execution of the service agreement and this Data Processing Agreement within the meaning of Article 28(3) GDPR.
2. The Processor is prohibited from processing the Personal Data for any purpose other than the purpose determined by the Controller, which is to provide the services requested by the Controller as described in the Main Agreement, including providing a platform for the client’s operations and related activities.
3. The categories of data subjects whose Personal Data is collected include customer data, login details, and employee data of the Client, as well as other persons or relations of the Controller with whom the Processor comes into contact when processing Personal Data on behalf of the Controller.
4. The categories of Personal Data to be processed include personal data and employee data of the Client.
5. The Processor will not process the Personal Data for any purpose other than those determined by the Controller, and the Controller will inform the Processor of the processing purposes insofar as they are not already stated in this Data Processing Agreement.
6. The Processor has control over the means used for the processing and storage of the Personal Data, while the Controller is responsible for determining the purpose of the processing and must clearly define it.
7. The processing will take place both manually and (semi)automatically.
8. The Personal Data processed on behalf of the Controller remains the property of the Controller and/or the relevant data subjects.

Article 2 – Duration of the agreement

1. This agreement comes into effect upon approval and is entered into for the duration of the main agreement.
2. This agreement cannot be terminated prematurely.
3. Changes to this agreement resulting from modifications to the underlying service agreement, laws or regulations, or other relevant circumstances are only legally valid if, after consultation and with the explicit consent of the parties, they are added to the Data Processing Agreement.
4. This agreement will automatically terminate if the main agreement ends.
5. Once the agreement has ended, for any reason and in any manner, the Processor will—at the choice of the Controller—return all Personal Data in its possession, in original or copy form, to the Controller and/or delete and/or destroy the original Personal Data and any copies within a maximum period of 28 days, with any related costs to be borne by the Controller.
6. The provisions regarding confidentiality, liability, and dispute resolution will remain in full force after the termination of this agreement.

Article 3 – Obligations of the Processor

1. The Processor is required to comply with the conditions set out by applicable laws and regulations, in particular the GDPR and the Dutch GDPR Implementation Act, regarding the processing of Personal Data.
2. The Processor is prohibited from enriching its own databases and/or files with any (personal) data from the Controller’s databases, except where the Processor must create temporary databases and/or files for the proper processing of the Personal Data; these temporary files will be deleted immediately once they are no longer required for processing.
3. Upon the Controller’s first request, the Processor will inform the Controller of the measures it has taken to meet its obligations under this Data Processing Agreement.
4. If the Controller provides instructions regarding the processing of Personal Data, the Processor must follow these instructions if necessary for proper processing, unless such instructions conflict with laws, regulations, or applicable professional or conduct rules; only the Controller is authorized to make the final determination in this regard.
5. All obligations resting on the Processor also apply to the persons who process Personal Data under the authority of the Processor (after explicit consent from the Controller), including the Processor’s employees and engaged third parties.
6. The Processor is responsible for ensuring that only employees and/or third parties who require access for the execution of the agreement have access to the Personal Data, and these employees and/or third parties act under the Processor’s responsibility.
7. The Controller has unrestricted access to the Personal Data held by the Processor, and the Processor is required to cooperate upon the Controller’s request regarding such access.
8. This agreement is not transferable unless explicitly agreed otherwise.

Article 4 – Transfer of personal data

1. Unless the Controller has given written consent, the Processor will not transfer Personal Data processed by or on behalf of the Processor, or by a sub-processor engaged by it, in connection with the execution of the Agreement, to countries or international organizations that the European Commission has not recognized as providing an adequate level of protection in accordance with applicable privacy regulations. Articles 44 through 50 of the GDPR will be complied with at all times. Upon the Controller’s first request, the Processor will provide insight into the location(s) where the processing takes place.
2. The Processor will handle the Controller’s Personal Data with due care.

Article 5 – Responsibility of the Processor

1. Under this agreement, the Processor will perform the activities for the Controller as described in Article 1.2 of this agreement, as well as any additional activities set out in the Main Agreement.
2. The Processor is responsible for processing the Personal Data under this Data Processing Agreement in accordance with the Controller’s instructions. For all other processing of Personal Data—including, but not limited to, the collection of Personal Data by the Controller, processing for purposes not communicated by the Controller to the Processor, processing by third parties, and/or processing for other purposes—the Controller remains responsible.

Article 6 – Third parties

The Processor may only outsource its activities to third parties with the explicit prior consent of the Controller. The Processor remains fully responsible for these third parties and is liable for any damage caused by them to the Controller. All obligations under this agreement also apply to these third parties, referred to as sub-processors.

Article 7 – Security Measures Personal Data

1. The Processor will make every effort to implement sufficient and appropriate organizational and technical measures to prevent any form of unlawful processing related to the Personal Data it processes.
2. The security level of these measures must at least meet a level that is reasonable in relation to the associated costs, the sensitivity of the Personal Data, the state of the art, and the risks involved. The Processor does not guarantee that the security measures it has taken will be effective under all circumstances. The parties may agree on additional or more specific security measures.
3. The Processor is responsible for informing itself, its employees, and any engaged third parties about all protocols, security policies, and other instructions that enable and promote secure processing.
4. The Processor is responsible and liable for its part of the processing.
5. In the event of a security breach involving Personal Data that may cause damage or have adverse consequences for the protection of the Personal Data, the Processor must inform the Controller immediately, or at least without unreasonable delay and within 24 hours after the Processor could reasonably have become aware of it. The Controller will then inform the Data Protection Authority within 48 hours and the affected individuals as soon as possible.
6. In accordance with the Processor’s notification obligation, the breach notification must include at least the following components: the nature of the personal data breach, including, where possible, the categories of data subjects and Personal Data concerned and the approximate number of data subjects and data records involved; the name and contact details of the data protection officer or another contact point where more information can be obtained; the likely consequences of the breach; and the measures the Processor has proposed or taken to address the breach, including, where applicable, measures to mitigate any adverse effects.
7. The Controller must maintain a register of all breaches in accordance with Article 33(5) GDPR.
8. If a personal data breach occurs at the Processor, the Processor is required, at its own expense, to take appropriate measures to prevent future incidents and/or breaches.

Article 8 – Confidentiality

The Processor, its employees, and any third parties engaged by the Processor are required to maintain confidentiality regarding all Personal Data, sensitive information, and/or company data obtained under this agreement. This confidentiality obligation does not apply if the Controller has given explicit written consent for the Processor to share such data and information with third parties, or if there is a legal obligation to provide the data and information to a third party. After the termination of this agreement, the parties remain bound by this confidentiality obligation.

Article 9 – Rights of the data subject

1. If the Processor receives a request for access from a data subject or a competent authority, the Processor will handle this request as soon as possible, but no later than within 5 working days. If it is not possible to handle the request independently, the request will be forwarded to the Controller within 5 working days. The Processor must, if requested, cooperate in fulfilling the request, and any costs incurred for this cooperation will be borne by the Controller.
2. The provisions of Article 9.1 apply accordingly if a data subject wishes to exercise other rights, such as the right to rectification, data erasure, restriction of processing, data portability, the right to object, and rights related to automated individual decision-making, as set out in Chapters 3 and 4 of the General Data Protection Regulation.

Article 10 – Liability

1. The Processor is responsible for the processing of Personal Data and guarantees that the processing is lawful and does not infringe upon the rights of data subjects. The Processor is only liable for damage resulting from its actions and/or omissions, or from failure to comply with applicable laws and regulations.
2. The Processor’s liability is limited to a maximum of one time the value of the assignment. All consequential damages are explicitly excluded from the Processor’s liability.
3. Without prejudice to the provisions of this article, the Processor is liable for damage caused by processing when the processing does not comply with specific obligations of the GDPR directed at the Processor, or when it has acted contrary to the lawful instructions of the Controller.
4. The Processor is not liable for damage if it can demonstrate that it is in no way responsible for the event causing the damage.

Article 11 – Indemnification

1. The Controller indemnifies the Processor against claims, fines, and/or penalties imposed by or on behalf of the Data Protection Authority and/or other authorities, where it has been established that the violations fall under the responsibility of the Controller.
2. The Processor may recover any imposed fines and/or penalties from the Controller insofar as the Processor is held responsible for violations caused by the Controller.

Article 12 – Dispute resolution

1. This agreement is governed by Dutch law.
2. All disputes arising between the parties that result from, relate to, or are connected with this Data Processing Agreement will be settled by the competent court in the place of business of the Processor.