Data Processing Agreement - Tweakwise

Data Processing Agreement

The parties:

Optimizers Group B.V. and the Customer have agreed based on the Terms of Service (the “Optimizers Agreement”) or another written or electronic agreement between Optimizers Group B.V. and the Customer for the purchase and/or use of on-line services from Optimizers Group B.V. The relationship between Optimizers Group B.V. and the Customer is thus based on the on-line registration process of the Customer or on a written or electronic contract to which the Terms are attached (the “Optimizers Agreement”). This data processing addendum (hereinafter the “DPA”) forms an integral part of the Agreement.

Whereas:

A. The Processor and Data Controller have entered into an agreement (the “Optimizers Agreement”) under which the Processor provides certain services to the Data Controller and processes personal data for which the Data Controller is ‘Data Controller’ within the meaning of the General Data Protection Regulation (“GDPR”); 

B. Parties wish to lay down the terms and conditions of the processing of personal data by the Processor in this agreement (the “Data Processing Agreement”). 

Agree as follows:

Subject and scope

1. The Parties acknowledge and agree that regarding the Processing of Personal Data, you may be either the Controller or the Processor of the Personal Data. Where you are the Controller, we are the Processor and where you are a Processor, we acknowledge that we will be a Sub-Processor to you. 

2. This DPA applies to the processing of personal data by the Processor in the context of executing the Optimizers Agreement. In case of contradiction between provisions in this DPA and the Optimizers Agreement, the provisions of this DPA prevail.

3. All terms used in this DPA, such as ‘personal data’ and ‘processing’, have the meaning given in the GDPR. 

4. Annex 1 to this DPA gives an initial overview of the personal data, categories of data subjects, and the processing’s purposes. 

5. Where ‘in writing’ is mentioned in this DPA, it will also mean ‘electronically’ (e.g., email). 

I. Obligations of the processor

1. The Processor will process personal data solely on behalf of and for the benefit of the Data Controller, following the Data Controller’s written instructions and in accordance with the GDPR and any other applicable laws and regulations. 

2. Under no circumstances will the Processor process the personal data for other, independent purposes. 

3. The Processor will implement all appropriate technical and organizational measures to secure the personal data against destruction, loss, alteration, unauthorized dissemination or access, or any other form of unlawful processing. These measures should provide a level of security appropriate to the risks presented by the processing and the nature of the personal data, considering the state of the art and the costs of implementation. 

4. The Processor acknowledges that ensuring an appropriate level of security may continually require additional security measures. The Processor will immediately comply with all reasonable requests from the Data Controller for additional security measures. 

5. The Processor is not allowed to process the personal data outside the European Economic Area (EEA) without prior written consent from the Data Controller. 

II. Obligations of the data controller

1. The Processor will process personal data solely on behalf of and for the benefit of the Data Controller, following the Data Controller’s written instructions and in accordance with the GDPR and any other applicable laws and regulations. 

2. Under no circumstances will the Processor process the personal data for other, independent purposes. 

3. The Processor will implement all appropriate technical and organizational measures to secure the personal data against destruction, loss, alteration, unauthorized dissemination or access, or any other form of unlawful processing. These measures should provide a level of security appropriate to the risks presented by the processing and the nature of the personal data, considering the state of the art and the costs of implementation. 

4. The Processor acknowledges that ensuring an appropriate level of security may continually require additional security measures. The Processor will immediately comply with all reasonable requests from the Data Controller for additional security measures. 

5. The Processor is not allowed to process the personal data outside the European Economic Area (EEA) without prior written consent from the Data Controller. 

III. Duration and termination

1. This DPA enters into force when signed by the Parties and lasts for the same term as indicated in the Optimizers Agreement. 

2. Neither Party can terminate the DPA prematurely.

IV. Involvement of third parties/sub-processors

1. The Processor is permitted to involve third parties as a sub-processor in the processing of personal data, on the condition that the Processor remains fully liable to the Data Controller for the acts or omissions of the sub-processor in connection with the processing of personal data. The Processor will maintain and keep up to date a list of sub-processors which can be provided to the Data Controller upon request. The Data Controller will be notified in writing prior to any changes. The Data Controller is entitled to object to changes if it reasonably suspects that the change will result in a violation of applicable laws and regulations. In any case, obligations concerning data protection that are at least as strict as those imposed on the Processor by this DPA must be imposed on such third parties contractually.

2. Notwithstanding the above, the use of specific services such as, but not limited to, Microsoft Azure is a core part of the Processor’s infrastructure. As such, its use for the storage and management of the data involved in providing the service is an integral part of the service and is not subject to additional permissions or change. These services are subject to robust security measures and are in compliance with relevant data protection regulations. 

V. Confidentiality

1. The Processor keeps the personal data confidential and ensures that the personal data do not directly or indirectly become available to third parties except as explicitly allowed in this DPA. 

2. The Processor guarantees that it will inform all of its employees, representatives, and/or approved sub-processors who are involved in the processing of the personal data about the confidential nature of the personal data. The Processor ensures that such individuals and parties are bound by an appropriate confidentiality agreement/statement. 

3. The confidentiality provisions described in this article do not apply if:

a. The Data Controller has given its prior written consent to provide personal data to third parties; or 
b. The Processor is obliged to provide the personal data to a third party based on a legal obligation, in which case the Processor will immediately inform the Data Controller about this. 

VI. Data breaches

1. The Processor shall immediately – at the latest within 72 hours – inform the Data Controller in writing of a potential data breach, providing the following information:

a. The nature of the data breach, including the personal data involved and the categories of data subjects; 
b. The day and time at which the data breach was discovered; 
c. The potential consequences of the data breach; 
d. The measures that have been taken or proposed to address the data breach and/or mitigate any potential adverse effects; 
e. The contact person at the Processor and their contact details for further correspondence about the data breach.

2. A ‘data breach’ is defined as a breach of security leading to the (potential) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, or any indication that such a breach will occur or has occurred.

3. It is solely up to the Data Controller to determine whether a data breach discovered at the Processor will be reported to the supervisory authority and/or to the relevant data subjects.

4. At all times, the Processor shall fully cooperate with the Data Controller to enable the Data Controller to conduct an investigation into the (possible) data breach and/or report the data breach in a timely manner to the supervisory authority and, where applicable, to the data subjects.

VII. Rights of data subjects

1. The Processor shall provide the Data Controller with all reasonable assistance to enable the Data Controller to comply within the legal deadlines with requests from data subjects based on rights granted to the data subject under the GDPR, specifically, requests for access to and rectification or deletion of personal data or restriction of processing concerning them (including the withdrawal of previously given consent), as well as requests based on the right to data portability. 

VIII. Audit

1. The Data Controller has the right, whenever there is reason to do so, to check compliance with this DPA and the legal provisions applicable to the processing of personal data, through an audit conducted by an IT auditor.

2. In the context of the provisions of paragraph 1 of this article, the Processor will, among other things:

a. Make the necessary space(s) and data accessible and/or available and provide all cooperation so that the control can be carried out; 
b. Proactively inform the Data Controller of any relevant changes in its organization or performance; 
c. In case of involvement of third party(ies), agree with this third party(ies) wherever possible that the Data Controller is entitled to exercise the control referred to in the first paragraph of this article also at this third party(ies). 

3. The Processor will give the Data Controller, its employees, and/or third parties appointed by the Data Controller access to all buildings, processing locations, data files, documentation and other information relevant to the audit. 

4. The Processor will cooperate fully with the audit and will provide all requested information within a reasonable period of time, to be determined by the Data Controller. 

5. The costs of the audit are borne by the Data Controller.  

6. The Processor will promptly take remedial action for any shortcomings identified during the audit. 

IX. Liability

1. The Processor’s liability for direct damage, of whatever nature, arising out of or in connection with the performance of this Data Processing Agreement, per event (a sequence of events shall be considered one event), is limited to the compensation of the actual direct damage, up to the amount paid out under the Processor’s insurance policy for such cases. If for any reason the insurance company does not pay out under the insurance policy, any liability of the Processor is limited to the compensation of the actual direct damage, up to an amount of the fees paid by the Data Controller to the Processor in the 12 months preceding the damaging event.

2. The Processor’s liability for indirect damage, consequential damage, loss of profit, missed savings, reduced goodwill, damage due to business stagnation, damage as a result of claims from the Data Controller’s customers, and all other forms of damage other than those mentioned in paragraph 1 of this article, for whatever reason, is excluded. 

3. Any claim for compensation is only valid if the Data Controller has reported the damage to the Processor in writing as soon as possible, but no later than two (2) weeks after its discovery. 

X. Termination of the data processing agreement

1. Following termination of the Optimizers Agreement, we will retain the personal data forming part of the service data for a maximum of one hundred twenty (120) days from such date of termination (“Data Retention Period”). Upon the expiration of the Data Retention Period, we will no longer have an obligation to maintain or provide you, users and end-customers access to the personal data. Thereafter, unless required for compliance with applicable laws and regulations, or as necessary to protect, defend or establish our rights, or defend against potential claims, we reserve the right to destroy all personal data in our possession. You understand that personal data, once deleted, cannot be recovered. Notwithstanding the Data Retention Period, upon your written request following the termination of an account, we will destroy all personal data in our possession; provided, however, that we may retain service data to the extent required for compliance with applicable laws and regulations, or as necessary to protect, defend or establish our rights, or defend against potential claims. 

XI. Final provisions

1. Changes to this DPA will only be valid if agreed upon in writing by the Data Controller and the Processor. 

2. If any provision of this DPA is declared null and void or is annulled, the other provisions of this DPA will remain fully in force. The parties will then discuss a new provision to replace the void/null/annulled provision, considering as much as possible the purpose and intent of the void/null/annulled provision. 

3. This DPA is governed by Dutch Law. All disputes arising from and/or related to this DPA will be submitted to the competent court in The Netherlands. 

4. This DPA and its appendices form the complete and entire agreement between the parties and replace all previous agreements and proposals, both oral and written, including correspondence and proposals, between the parties. 

5. The appendices to this DPA form an integral part of it. In the event of any discrepancies between the main body of this DPA and the appendices, the provisions of the main body of the DPA prevail. 

Appendix 1

Details of Data Processing Activities Tweakwise

Categories of Data Subjects 

1. Customers (or users) of Tweakwise, the Processor’s Software as a Service (SaaS) platforms. This refers exclusively to users who access and use the Tweakwise app for managing configuration settings. It does not include the end users of Tweakwise’s services. The app is solely intended for administrative and configuration management purposes.

2. Types of Personal Data

a. Login ID 
b. First Name 
c. Middle Name 
d. Last Name 
e. Email Address 
f. Function 
g. Company Name 
h. Other information provided by customers in support cases 

3. Nature and Purposes of the Processing / Description of the Services: Tweakwise collects personal data only from users (both customers and employees) of the App. This data is solely used to enable logging into the App. This is the Tweakwise Account. The frontend API and other frontend products never collect personally identifiable information.

4. The Processor shall implement appropriate technical and organizational measures to secure the personal data against destruction, loss, alteration, unauthorized dissemination or access, or any other form of unlawful processing.