Processors agreement

TwoPurpose B.V.

Parties:
The Customer, hereinafter referred to as "Controller";

and

the private company
TwoPurpose B.V., having its registered office in Utrecht, the Netherlands, at Europalaan 93, represented in this matter by T. Slijp, hereinafter referred to as "Processor".

Considerations:

  1. Processor has entered into or will enter into one or more agreements with Processor for the provision of various services by Processor to Processor. This agreement or these agreements collectively is or are hereinafter referred to as "the Main Agreement".
    1. In performing the Main Contract, Processor will process data for which Processor is and remains responsible. Such data includes personal data within the meaning of the General Data Protection Regulation (EU 2016/679), hereinafter the "AVG". 
    2. In view of the provisions of Article 28(3) AVG, the parties set out the conditions for processing these personal data in this agreement.

Agreement:

  1. Scope
    1. This agreement applies to the extent that the provision of the services under the Master Agreement involves one or more processing operations included in Annex 1.
    2. The processing operations of Annex 1 that take place in the provision of the services are hereinafter referred to as "the Processes". The personal data processed in them are hereinafter referred to as "the Personal Data".
    3. In respect of the Processing Operations, Controller is the Processor and Processor is the Processor. The natural persons who actually use the services of Processor under the Master Agreement and, if any, their representatives, are hereinafter referred to as "the End-users".
    4. All terms in this agreement have the meaning given to them in the AVG.
    5. If more and different personal data are processed on behalf of Processor or if processing is carried out differently than described in this article, this agreement shall also apply to those processing operations to the extent possible.
    6. With regard to the processing of certain data of the End Users, Processor itself is (co-)responsible. In particular, this concerns the contact details and other data of the End User that Processor needs to perform the Master Agreement. 
    7. The annexes form part of this agreement. They are:
      1. Annex 1 the Processing Operations, the Personal Data and the retention periods;
      2. Annex 2 the sub-processors and categories of sub-processors that Controller approves.
  2. Subject
    1. Processor shall have and maintain full control over the Personal Data. If the Controller does not process the Personal Data itself using the Processor's systems, the Processor shall only process the Personal Data on the basis of written instructions from the Controller. The Master Contract shall serve as a generic instruction in this regard.
    2. The Processing shall only take place in the context of the Main Contract. Processor shall not process Personal Data other than as provided for in the Main Contract. In particular, Processor shall not use Personal Data for its own purposes.
    3. Processor shall perform the Processing Operations in a proper and careful manner.
  3. Security measures
    1. Processor shall take all technical and organisational security measures required of it under the AVG, and in particular under Article 32 AVG.
    2. Processor shall ensure that persons, not limited to employees, who participate in Processing at Processor are bound by an obligation of confidentiality in respect of Personal Data.
  4. Data breach
    1. Processor shall notify Processor of any "personal data breach" referred to in article 4 sub 12 AVG. Such a breach is hereinafter referred to as a "Data Breach".
    2. Processor shall timely provide Processor with all information in its possession that is necessary to comply with the obligations under article 33 AVG. Processor shall otherwise provide the relevant information as soon as possible in a common format to be determined by Processor.
    3. The Processor will not notify the Controller about a Data Breach if it is immediately clear that the Data Breach does not pose a risk to the rights and freedoms of natural persons. If there is room for doubt in this respect, the Processor shall report the Data Breach to the Controller in order to enable the Controller to form its own opinion regarding a possible report of the Data Breach. Processor shall document all breaches, including those that do not need to be reported to the Processor, and provide that documentation to the Processor once every quarter.
    4. It is the sole responsibility of Processor to determine whether a Data Breach identified at Processor is reported to the Personal Data Authority and/or relevant data subjects.
  5. Engagement of sub-processors
    1. Processor shall not be entitled to engage a third party as a sub-processor in the Processing without the prior written consent of Processor. Consent of Processor may also relate to a certain type of third party.
    2. If Processor gives its consent, Processor shall ensure that the relevant third party enters into an agreement in which it at least complies with the same legal obligations.
    3. In case the consent relates to a certain type of third parties, Processor shall inform Processor about the sub-processors it has engaged. Processor may then object to additions or substitutions regarding Processor's sub-processors.
    4. Controller hereby authorises the use of the sub-processors and/or categories of sub-processors included in Annex 2.
  6. Duty of confidentiality
    1. Processor shall keep the Personal Data confidential. Processor shall ensure that the Personal Data is not made available, directly or indirectly, to third parties. Third parties also include Processor's staff insofar as it is not necessary for them to know the Personal Data. This imperative does not apply if this Agreement provides otherwise and/or insofar as a statutory regulation or judgment requires any disclosure.
    2. Processor shall inform Controller of any request to inspect, provide or otherwise request and communicate the Personal Data in violation of the obligation of confidentiality contained in this article.
  7. Retention periods and deletion
    1. Processor is responsible for determining the retention periods in relation to Personal Data. To the extent Personal Data is under the control of the Processing Responsible Party (for example, in the case of hosting services), it shall delete it itself in a timely manner.
    2. Processor shall delete the Personal Data within thirty days after the end of the Main Contract or, at the discretion of the Processor, transfer the Personal Data to the Processor, unless the Personal Data needs to be kept longer, such as in the context of (legal) obligations of the Processor, or if the Processor requests the Processor to keep Personal Data longer and the Processor and the Processor agree on the costs and other conditions of such longer retention, the latter without prejudice to the responsibility of the Processor to comply with the statutory retention periods. Any transfer to the Processor shall take place at the expense of the Processor.
    3. Processor shall at the request of the Processing Responsible Party certify that the deletion referred to in the preceding paragraph has taken place. Processor may, at its own expense, have a check carried out to see whether this has indeed taken place. Article 10 of this Agreement shall apply to such control. To the extent necessary, Processor shall notify all sub-processors involved in the processing of Personal Data of a termination of the Master Agreement and shall instruct them to act as provided herein.
    4. Unless the parties agree otherwise, Processor shall itself ensure a backup of Personal Data.
  8. Rights of data subjects
    1. If Processor itself has access to the Personal Data, it shall itself comply with any requests from data subjects in relation to the Personal Data. Processor shall promptly communicate any requests received by Processor to Controller.  
    2. Only to the extent that the above paragraph is not possible, Processor shall provide its full and timely cooperation to Processor to: 
      • allow data subjects to access the Personal Data relating to them after approval by and on the instructions of Processor,
      • delete or correct Personal Data,
      • demonstrate that Personal Data have been deleted or corrected if they are incorrect (or, in the event Processor disagrees that Personal Data are incorrect, record the fact that the data subject considers their Personal Data to be incorrect),
      • provide the Personal Data concerned to Processor or to a third party designated by Processor in a structured, common and machine-readable form, and
      • otherwise enable Processor to comply with its obligations under the AVG or any other applicable law regarding the processing of Personal Data.
    3. The costs of and requirements for the cooperation referred to in the previous paragraph shall be determined jointly by the parties. Without an agreement to that effect, the costs shall be borne by the Controller.
  9. Liability
    1. The Controller bears, among other things, the responsibility and is, on that account, fully liable for (the stated purpose of) the Processing, the use and content of the Personal Data, the disclosure to third parties, the duration of storage of the Personal Data, the manner of processing and the means used for that purpose.
    2. Processor shall be liable to Processor as provided in the Master Contract.
  10. Check
    1. Controller shall have the right to audit compliance with the provisions of this agreement once a year at its own expense or to have it audited by an independent chartered accountant or chartered computer scientist. 
    2. Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 AVG. If the third party engaged by the Controller issues an instruction that, in the opinion of the Controller, violates the AVG, the Controller shall immediately notify the Controller.
    3. Controller's investigation will always be limited to Processor's systems used for the Processing Operations. Processor shall keep the information found during the audit confidential and shall only use it to verify Processor's compliance with the obligations under this agreement and may delete the information or parts thereof as soon as possible. Processor guarantees that any third parties engaged will also assume these obligations.
  11. Other provisions
    1. Amendments to this agreement shall only be valid if agreed in writing between the parties.
    2. The parties will adapt this agreement to amended or supplemented regulations, additional instructions from the relevant authorities and advancing insight into the application of the AVG (e.g. through, but not limited to, case law or reports), the introduction of standard clauses and/or other events or insights that require such adaptation. 
    3. This Agreement shall continue as long as the Master Agreement continues. The provisions of this Agreement shall continue to apply to the extent necessary for the completion of this Agreement and to the extent intended to survive the termination of this Agreement. The latter category of provisions includes, but is not limited to, confidentiality and litigation provisions.
    4. This agreement prevails over all other agreements between Controller and Processor.
    5. This agreement is exclusively governed by Dutch law.
    6. The parties will submit their disputes related to this agreement exclusively to the District Court of Amsterdam.

Annex 1 (example)

Processing of personal data and retention periods

This annex is part of the Processor Agreement and must be initialled by the parties.

  1. The Personal Data that the parties expect to process:
  • Name, address, city
  • Phone number
  • Email address
  • Date of birth
  • Gender
  • Profession

 

  2. The use (= method(s) of processing) of the Personal Data and the purposes and means of processing:

Recommending and configuring the Salesforce CRM platform.

  3. The use and retention periods of the (different types of) Personal Data:

Not applicable

Annex 2 (example)

Subprocessors/categories of subprocessors

This annex is part of the Processor Agreement and must be initialled by the parties.

This annex lists the sub-processors as mentioned in clause 5.4 of this agreement.

Not applicable, no sub-processors are used.