Data Processing Agreement

Last update: 15-05-2024

This Data Processing Agreement was created by Cyver B.V. (referred to herein as “we”, “us”, “our”, and “Cyver”) to disclose our processes and standards for handling and processing Company Personal Data. Cyver collects information from our users, visitors, clients, and their clients (collectively referred to as “users”, “you”, “your”, or “Company” throughout this Agreement) as well as Company Personal Data needed to carry out Services. This Agreement shares how this data will be used by us as well as by any third parties (Contracted Processors) we might rely on to deliver those services, including but not limited to email, web hosting, storage, and data analytics providers. This Agreement forms part of the contract for Services, as detailed in the Subscription Contract.


Herein, the parties consist of: 

  • The Company or User acting as a Data Controller and wishing to subcontract Services from Cyver, which necessitates the processing of personal data by the Data Processor 
  • Cyver, acting as a Data Processor, and providing services



This Data Processing Agreement complies with the requirements of the current legal framework under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, better known as the GDPR.


Processing of Personal Company Data 

Cyver B.V. shall:

  • Comply with all applicable Data Protection Laws in the processing of Company Personal Data, including but not limited to the GDPR
  • Not process Company Personal Data other than as is relevant to Company’s Documented Instructions 
  • Take reasonable steps to ensure the reliability of any employee, agent, contracted professional, or Contracted Processor who may have access to Company Personal Data. Cyver B.V. will ensure this by choosing our Contracted Processors with care, by maintaining adequate contracts and Data Processing Agreements with Contracted Processors, and by reviewing data usage and processing in case of any suspicion that data is not being processed in accordance with agreements. 
  • No individuals will have access to Company Personal Data where it is not strictly necessary for the purpose of carrying out or delivering Services in accordance with the Subscription Agreement and to comply with Applicable Laws
  • All individuals with access to Company Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality



Cyver B.V. shall take all reasonable measures to ensure the security and reliability of Company Personal Data processed through our website, Services, and Sub Processors. These security measures will be undertaken in accordance with our Security Policy. Further, we shall take measures to ensure that any Contracted Processors implement appropriate technical and organizational measures to ensure a level of data security appropriate to risks including, as appropriate, the measures referred to in Article 32(1) of the GDPR. 

In assessing the appropriate level of security, Cyver or its Contracted Processors shall take the risks of that data into account. 



Cyver B.V. shall not appoint or disclose any Company Personal Data to any Contracted Processor unless that appointment or disclosure is required to deliver services under the Subscription Agreement. 


Data Subject Rights

Cyver B.V. shall implement appropriate technical and organizational measures, insofar as is possible, to fulfill obligations, as reasonably understood by Cyver, to respond to requests to exercise Data Subject Rights under Data Protection Laws. 


Further, Cyver shall promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect to Company Personal Data. Cyver will not respond to that request except on the documented instructions of the company or as required under Applicable Laws. In this case, Cyver shall, to the extent permitted by Applicable Laws, inform Company of that legal requirement before or immediately following responding to the request. 


Company Personal Data Breach 

In the case of a Company Personal Data Breach, Cyver shall:

  • Notify Company within 24 hours after we become aware that the Company Personal Data was impacted by the breach. This notification shall provide sufficient information, to the best of our ability, to allow Company to meet obligations and to report or inform Data Subjects of the Personal Data Breach. 
  • Cooperate with the Company and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach 
  • Assess the impact of the breach in consultation with third parties to determine appropriate next steps, which may include providing third-party access to a Data Protection Impact Assessment Consultation, consulting with Supervisory Authorities, and consulting with other competent data privacy authorities as Company and Cyver consider reasonable and in accordance with the provisions in Article 35 or 36 of the GDPR.


Deletion or Return of Company Personal Data 

Company may, at any time, request the deletion or return of Company Personal Data. Under the terms of this Agreement, Cyver agrees to:

Process a request for data deletion promptly. We will process needed changes at our earliest convenience and will notify our data compliance officer in case you are not our customer. Data will be changed or removed from our servers no later than 30 business days following the request. You may also request a restriction of personal processing. 

In addition, we will delete or procure the deletion of any copies of personal data within 90 business days of cessation of Services. 


Audit Rights 

Cyver shall provide data showing compliance with this Agreement on request. Company may request proof of compliance and Cyver will allow for and contribute to audits, including audits by Company or an auditor mandated by the Company in relation to the processing of Company Personal Data by Cyver or its Contracted Processors. 


Data Transfer 

Cyver may not transfer or authorize the transfer of Company Personal Data to countries outside the EU or the EEA, without the prior written consent of the Company. If Company Personal Data processed under this agreement is transferred outside of the EEA, Cyver will take reasonable measures to ensure that data is adequately protected. 


General Terms 

Each Party must keep this Agreement and the information it receives about the other Party and its business in connection with this Agreement confidential. This information may not be used or disclosed without prior written consent of the other Party except where that disclosure is required by law or the relevant information is already in the public domain. 

All Notices and Communication under this Agreement must be in writing and must be delivered personally, via email or by post, to an address set out in this Agreement. 


Controlling Jurisdiction

These Terms will be interpreted in accordance with the Laws of the Netherlands. You and we agree to submit to the personal jurisdiction of a court located in Noord Holland, The Netherlands for any actions for which the parties retain the right to seek an injunction or equitable relief.


Dispute Resolution

You and Cyver agree that, where possible, any dispute, claim, or controversy arising out of or relating to the Agreement or its breach, termination, enforcement, interpretation, or validity will be settled by binding arbitration, with the exception that each party retains the right to seek injunctive or equitable relief in the case of actual or threatened infringement of a party’s intellectual property rights.


Definition of Terms 

Unless otherwise herein defined, the following terms and expressions shall have the following meanings: 

Agreement – This Data Processing Agreement 

Company Personal Data – Any personal data processed on behalf of Company pursuant to or in connection with the Subscription Agreement

Contracted Processor – A subprocessor, e.g., an email service or hosting platform utilized by Cyver B.V. 

Data Protection Laws – EU Data Protection Laws to the extent applicable 

EEA – The European Economic Area 

GDPR – The EU General Data Protection Regulation 2016/679 

Data Transfer – A transfer of Company Personal Data from the Company to a Contracted Processor or between two Contracted Processors 

Services – Services contracted in the Subscription Agreement 

The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.