Data Processing Agreement

This Processing Agreement supplements the existing Agreement between Ambassify and the Client and serves to explain the obligations of Ambassify as the processor of the personal data provided by the Client.

The provisions of the existing Agreement regarding the protection of personal data are supplemented by the conditions of this Addendum.

Definitions

In this Addendum, the following terms will have the meaning given below:

    1. Data Processing Agreement (DPA): The present document
    2. Agreement: The service agreement 'Ambassify Client and Use Terms' between Ambassify and Client with date 13/08/2018 including the Privacy Policy
    3. Client: ______________________ with registered office at ________________________________ and company number ____________________
    4. Ambassify (Processor): Ambassify NV with registered office at Tervantstraat 2b, 3583 Beringen and company number 0830.870.128
    5. Services: Ambassify offers the Client a platform that offers users the opportunity to advertise, participate in campaigns and stimulate the development of the Client's brand. Furthermore, and if this has been agreed in writing, Ambassify can provide services of customization and integration, using third-party software, services of technical support and maintenance services relating to the platform.

The terms "Commission", "Controller", "Data Subject", "Member State", "Personal data", "Personal Data Breach", "Processing" and "Supervisory Authority" have the same meaning as in the GDPR and their related terms will be interpreted accordingly.

Processing of personal data

When Personal Data is processed by Ambassify, its affiliates, agents, subcontractors or employees, under or in connection with this Agreement, Ambassify will ensure that its affiliates, agents, subcontractors or employees:

    1. Comply with the GDPR when processing Personal Data from the Client;
    2. Process the Personal Data only in accordance with the Client's documented instructions, unless otherwise required by the Union or the Member States. In this case, as far as permitted by law, Ambassify will inform the Client before Processing the Personal Data;
    3. Restrict access to data on a need-to-know basis. Ambassify will take all reasonable steps to ensure that all affiliated companies, employees, subcontractors, and agents that process Personal Data are bound by appropriate confidentiality.

Security

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, Ambassify will take appropriate technical and organizational measures to ensure an appropriate security level for that risk.

Without prejudice to the above provisions, the Processor undertakes to take the necessary technical and operational measures to:

    1. Be able to identify the person to whom and by whom the data is forwarded;
    2. Ensure that the data is protected against destruction or loss, in particular by making regular backups;
    3. Ensure that the IT systems of the Processor are adequately protected, for instance against viruses and against the interception of data within the network.

Data that is in motion during the use of the Services between the Client, the User and Ambassify is secured by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols. For the security of Personal Data at rest, Ambassify uses cryptographic hashing and encryption mechanisms such as cryptographic keys and application secrets.

Taking into account the state of technology, the costs of the implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ambassify may unilaterally make changes to these security measures.

Subprocessing

The Client authorizes Ambassify to appoint Sub Processors. Ambassify will, prior to the appointment of new Subprocessors, inform the Client thereof in writing. Ambassify will also keep a list with the appointed Sub Processors, which can be found at https://doc.ambassify.com/subprocessors.html

The Client authorizes Ambassify to take appropriate measures to ensure an adequate level of protection for data transferred outside the EEA and Processed by a Sub Processor outside of the EEA. This includes the conclusion of a sub processing agreement considering the Standard Contractual Clauses.

On reasonable grounds, the Client may object to the addition or replacement of Sub Processors. This objection must be sent in writing to [email protected] within ten working days of the announcement.

The contract between Ambassify and the Subprocessor contains provisions that are essentially the same as those set out under 2, 3, 5, 6, 7, 8 and 9. The customer has the right to inspect this contract.

Where the Sub Processor fails to fulfill its data protection obligations, Ambassify shall remain fully liable to the Client for the performance of the Subprocessor's obligations.

Rights of the Data Subject

If the Client receives a request from a Data Subject who exercises a right under the GDPR and with regard to Personal Data that are processed by Ambassify, Ambassify will assist the Client, insofar as necessary and reasonable, to comply with the Data Subject's request.

If the Controller instructs him to do so, the Processor will correct, delete or process the data as requested by the Data Subject.

If a Data Subject directly addresses Ambassify with regard to Personal Data that Ambassify processes for the Client, Ambassify will refer the Data Subject to the Client. Ambassify will not further deal with the Data Subject's request.

Data Protection Impact Assessment and research

Ambassify will provide the Client with reasonable assistance with regard to any Data Protection Impact Assessment and prior consultation with the Supervisory Authority, when the Client reasonably assumes that this is required under Article 35 or 36 of the GDPR, each time exclusively in connection with the processing of Personal Data of the Client and taking into account the type of processing and the information available to Ambassify.

Ambassify will cooperate as reasonably required by the Client, when the Client must cooperate in any assessment, investigation, notification or request under the GDPR, including by a regulatory authority.

Personal Data Breach

Ambassify will inform the Client without undue delay, and if possible, within 24 hours after having taken notice of the Personal Data Breach, of a Breach relating to Client's Personal Data. Ambassify will adequately inform the Client so that the Client is able to inform the Data Subject or the Supervisory Authority regarding the Personal Data Breach in the context of the GDPR and to comply with all obligations relating to the investigation, court case and the resolution of an infringement. The processor will state at least the following in this notification:

    1. Nature of the incident
    2. Time of determination
    3. Data affected
    4. Direct measures taken to limit additional damage
    5. Time of closure of the incident
    6. Structurally taken measures for prevention in the future

In addition, the Processor undertakes to take the necessary measures to remedy the Data Breach in connection with personal data, including, if necessary, the measures to limit the possible negative consequences. These measures are taken in consultation with the Controller, except in cases of extreme urgency requiring immediate intervention by the Processor.

Unless the law obliges him to do so or if it is explicitly assigned to him by the Controller, the Processor will not pass on any information relating to a data breach to any third party.

Deleting or returning Personal Data

After termination of the Agreement, Ambassify will, at the choice of the Client, delete or return all Personal Data of the Client, except when the law of the Union or a Member State requires the Personal Data to be stored.

Ambassify will confirm to the customer in writing that he has fully complied with this Section 8 within 30 days of termination of the service.

Audit rights

At Client's request, Ambassify will disclose all information required to demonstrate that Ambassify meets its obligations under this Addendum.

Ambassify will allow and cooperate with audits, including inspections, performed by the Client and related to the obligations under this Addendum, provided that such audits are:

    1. Conducted by an auditor identified in the Annex; Ambassify will not unreasonably oppose the addition of new auditors to the list;
    2. Limited to 1 audit or inspection per calendar year, except where the Client is requested by the GDPR or the Supervisory Authority.

This is without prejudice to the right of Ambassify to charge the Client reasonable costs for such audits/inspections.

Transmission of Data outside the Union

Ambassify undertakes not to export data to a country that is not a member of the EEA and that does not offer an adequate level of protection without the prior written consent of the Client.

General conditions

In case of contradiction, ambiguity or inconsistency between a provision of the Agreement and the Addendum, this Addendum prevails over the Agreement.

The Client may propose changes to this Addendum that the Client reasonably deems necessary to comply with the requirements of the GDPR and future changes to the GDPR. Ambassify may not unreasonably refuse or delay such changes in this Addendum. The parties shall immediately discuss the proposed changes and negotiate in good faith with a view to agreeing and implementing the changes.

Should a provision of this Addendum be invalid or unenforceable, the remainder of this Addendum remains valid and in force. The invalid or unenforceable provision will (i) be amended as necessary to ensure its validity and enforceability while maintaining the parties' intentions, or, if this is not possible, (ii) be construed as if the invalid or unenforceable part was never included therein.

This agreement is subject to Belgian law. The courts of Limburg have exclusive jurisdiction.

This Addendum is entered into with effect from _________________ and forms part of the Agreement.

DRAWN UP IN _____________________, IN TWO COPIES, ONE ORIGINAL FOR EACH PARTY,

CUSTOMER

Name: _________________________________

Title: __________________________________

Date: ____________________________

Signature:

AMBASSIFY

Name: Stevens Koen

Title: Director

Date: ____________________________

Signature:

ANNEX: DETAILS RELATING TO THE PROCESSING OF PERSONAL DATA

This Annex contains further information regarding the processing activity, in addition to the information already given in the Agreement and the Addendum.

  1. The purpose of the Processing of Personal Data

Setting up and managing marketing and communication campaigns.

  2. The types of Personal Data that are Processed

Internal

    • Authentication (password)
    • Interests (groups)

External

    • Identifying (first name, last name, profile picture)
    • Behavioral (browsing history on the platform)
    • Demographic (age)
    • Ethnicity (language)
    • Physical Characteristics (gender)

Social

    • Communication (messages sent to the user using e-mail or text using the platform)
    • Professional (Company, Job title, Employee/Customer Identification number, Education)
    • Social Network (identifier, number of connections for Twitter, LinkedIn and Facebook pages)

Tracking

    • Contact (email address, phone number, home address)
    • Device (IP address, browser)
    • Location (Country)

  3. The categories of Persons whose Personal Data are Processed

    • Prospects
    • Clients
    • Suppliers
    • Employees
    • Management

  4. Instructions for Processing Personal Data by Ambassify

The Client hereby gives the following instructions to Ambassify for the Processing of Personal Data (including instructions that arise directly from the provisions of the Agreement and this Addendum or that are reasonably required for the proper execution by Ambassify of its obligations):

    • Data Consultation: Data Consultation refers to the services where personal data of customers can be viewed, such as, but not limited to, support services, maintenance services and technical support.
    • Data storage: Data storage refers to the services of Ambassify whereby Client related personal data is stored on infrastructure managed by Ambassify or one of its Sub Processors.
    • Data transfer: Data transfer refers to the services of Ambassify where Personal Data are transported to, from or between applications on a platform managed by Ambassify.
    • Data adjustment: Data adjustment refers to the services of Ambassify where Personal Data is adjusted manually or automatically.