Annex 1

Mobiess End User License Agreement for Planon

This software as a service (SaaS) agreement (the “EULA”) is made by and between Mobiess Ltd (“Tech Partner”) and the legal entity which has ordered the access to the Tech Partner Platform Apps and Connector Software under an Order Form (“Customer”), each a “Party”, and jointly the “Parties”. This EULA shall be effective upon access to the Tech Partner Platform Apps and Connector Software (“Effective Date”).

1. DEFINITIONS. Where capitalized in this EULA, capitalized terms shall have the meanings as set forth within the body of the EULA or as set forth this article. “Affiliate” means any entity controlled by, controlling, or under common control with a Party hereto. For this purpose, the term “control” shall mean the direct or indirect ownership of more than 50% of the voting stock or other ownership interests of that entity. “Customer Data” means any data submitted by or for Customer to the Tech Partner Platform Apps and Connector Software and all results from processing such data, including derivative works thereof. “Documentation” means the documentation of the Tech Partner Platform Apps and Connector Software made accessible by Tech Partner, as updated or amended from time to time, including without limitation the description of the Tech Partner Platform Apps and Connector Software including the related support services and the user guides. “Order Form” means an ordering document specifying the Tech Partner Platform Apps and Connector Software to be provided hereunder that is entered into between Customer and Planon. “Tech Partner Platform Apps and Connector Software” means the software as a services and related support services thereto that are provided by Tech Partner and/or its licensors as more specifically defined and set forth in this EULA, including associated offline components, as described in the Documentation. “Planon” means the legal entity Planon International B.V. a private limited liability company, duly incorporated and existing under the laws of the Netherlands, with its principal office at Wijchenseweg 8, 6537 TL Nijmegen, the Netherlands, registered with the trade register under number 09102087, any of its Affiliate(s) or any of its authorized reseller(s).

2. TECH PARTNER PLATFORM APPS AND CONNECTOR SOFTWARE. Tech Partner grants Customer the right to access and use the Tech Partner Platform Apps and Connector Software pursuant to this EULA, the Documentation and the applicable Order Form for the duration as agreed in the Order Form. The foregoing grant of rights applies to Affiliates of Customer as well provided that Customer is responsible for compliance by its Affiliates with this EULA and any breach thereof by an Affiliate shall constitute a breach of this EULA by Customer. Tech Partner expressly reserves all rights in its Tech Partner Platform Apps and Connector Software. It is acknowledged that all right, title and interest and all intellectual property rights inherent therein and/or related thereto are and will remain with Tech Partner (or third party supplier(s) or licensor(s), if applicable) and that the Tech Partner Platform Apps and Connector Software are provided to Customer on a “Software as a Service” basis only and not sold, assigned or transferred to Customer.

3. CUSTOMER’S DUTIES AND OBLIGATIONS. Customer shall prevent any unauthorized access to, or use of, the Tech Partner Platform Apps and Connector Software and Customer will promptly notify Tech Partner of any such unauthorized access or use. Customer shall be responsible for its users in compliance with this EULA, for the accuracy, quality, integrity and legality of Customer Data. Customer shall not (i) use the Tech Partner Platform Apps and Connector Software to store or transmit infringing, libelous or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights; (ii) use the Tech Partner Platform Apps and Connector Software to store or transmit any malicious code such as but not limited to cancelbots, back doors, easter eggs, time bombs, trap doors, trojan horses viruses, worms, files, scripts, agents or programs intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information (“Malicious Code”); (iii) intentionally interfere with or disrupt the integrity or performance of the Tech Partner Platform Apps and Connector Software or third party data contained therein, and shall make reasonable efforts to ensure that no other software, data or equipment having an adverse impact on the Tech Partner Platform Apps and Connector Software has been introduced in backend systems; or (iv) attempt to gain unauthorized access to the Tech Partner Platform Apps and Connector Software or to related systems or networks.

4. PERFORMANCE OF THE TECH PARTNER PLATFORM APPS AND CONNECTOR SOFTWARE. During the Subscription Period Tech Partner ensures that (a) the Tech Partner Platform Apps and Connector Software will operates in accordance with this EULA, the Order Form(s) and the Documentation and that; (b) the Tech Partner Platform Apps and Connector Software will be free from Malicious Code; provided, that (i) Customer has implemented and used the Tech Partner Platform Apps and Connector Software in accordance with all instructions supplied; (ii) Customer notifies Tech Partner in writing of any defect within three (3) business days after the appearance thereof; (iii) Customer has, if applicable and/or if requested by Tech Partner, installed all updates/upgrades, new versions, and new releases made available by Tech Partner with respect to the Tech Partner Platform Apps and Connector Software, and all updates/upgrades recommended by Tech Partner with respect to any third party software products that may materially affect the performance of the Tech Partner Platform Apps and Connector Software on the Devices used; and (iv) Customer has maintained all associated equipment, software and environmental conditions in accordance with applicable specifications and industry standards; (v) Customer has not introduced other equipment or software creating an adverse impact on the Tech Partner Platform Apps and Connector Software; (vi) Customer is not in material default of any provision of the EULA.

5. SUBSCRIPTION PERIOD AND TERMINATION. This EULA shall commence on the Effective Date and continues until all subscription(s) to the Tech Partner Platform Apps and Connector Software have been terminated. The term of a subscription to the Tech Partner Platform Apps and Connector Software shall as specified in the applicable Order Form. Except as otherwise specifically specified in an Order Form, a subscription to the Tech Partner Platform Apps and Connector Software shall continue for an initial term of one (1) year (the “Initial Subscription Period”); thereafter, the subscription term shall be automatically extended for successive twelve (12) months periods (each an “Extended Subscription Period”), unless either Customer or Planon have terminated the subscription in accordance with the Order Form, in which case the subscription to the Tech Partner Platform Apps and Connector Software shall terminate upon the expiry of the applicable Initial Subscription Period or Extended Subscription Period (all together the “Subscription Period”). Tech Partner shall not be liable to Customer or any third party for termination of this EULA in accordance with its terms or any suspension of Customer’s access to, and/or right to use, the Tech Partner Platform Apps and Connector Software under this EULA in accordance herewith. Upon the effective date of termination of this EULA for any reason, whether by Customer or Tech Partner, Customer shall cease any use whatsoever of the Tech Partner Platform Apps and Connector Software and all other information and materials provided by Tech Partner to Customer under this EULA. The definitions and the rights, duties and obligations of the Parties that by their nature continue and survive shall survive any termination of this EULA for any reason.

6. CONFIDENTIALITY. Each Party agrees that all business, technical, financial and other information that it obtains from the other is the confidential property of the disclosing Party (“Confidential Information” of the disclosing Party). Except as expressly and unambiguously allowed herein, the receiving Party will hold in confidence and not use or disclose any Confidential Information of the disclosing Party and shall similarly bind its employees in writing. Each Party may disclose Confidential Information of the other to the receiving Party’s parent company and Affiliates, provided that employees receiving such Confidential Information are bound by confidentiality obligations at least as restrictive as those contained herein. Upon termination of this EULA or upon request of the disclosing Party, the receiving Party will return to the disclosing Party or destroy (and certify in writing such destruction) all Confidential Information of such disclosing Party, all documents and media containing such Confidential Information and any and all copies or extracts thereof. The receiving Party shall not be obligated under this article with respect to information the receiving Party can document: (a) is or has become readily publicly available without restriction through no fault of the receiving Party or its employees or agents; or (b) is received without restriction from a third party lawfully in possession of such information and lawfully empowered to disclose such information; or (c) was rightfully in the possession of the receiving Party without restriction prior to its disclosure by the other Party; or (d) was independently developed by employees or consultants of the receiving Party without access to such Confidential Information; or (e) is required to be disclosed by law or order of court of competent jurisdiction.

7. WARRANTY. Tech Partner warrants that the Tech Partner Platform Apps and Connector Software will operate during the Subscription Period subject to and in the manner as provided in article 4. Except as provided in the previous sentence and to the maximum extent permitted by law, Tech Partner expressly disclaims any warranties or conditions of any kind, including, without limitation, any (implied) warranty, guarantee or condition in respect of quality, title, performance, merchantability, fitness for a particular purpose or non-infringement. Tech Partner does not warrant that the Tech Partner Platform Apps and Connector Software meet requirements other as warranted hereunder or that the provision of the Tech Partner Platform Apps and Connector Software will be uninterrupted or that the Tech Partner Platform Apps and Connector Software will be error-free.

8. INDEMNIFICATION. Tech Partner shall at its sole option defend or settle at its expense any claim or suit against Customer arising out of or in connection with a third party claim assertion that the Tech Partner Platform Apps and Connector Software infringes any intellectual property rights from a third party and Tech Partner shall indemnify and hold harmless Customer and Planon from damages, costs, and reasonable attorneys’ fees, if any, finally awarded in such suit or the amount of the settlement thereof; provided that (a) Tech Partner shall have the right to replace or modify the alleged infringing Tech Partner Platform Apps and Connector Software with a non-infringing version under the condition that Customer shall use this replaced or modified version; (b) Tech Partner is promptly notified in writing of such claim or suit, (c) Tech Partner shall have the sole control of the defence and/or settlement thereof, and (d) Customer furnishes to Tech Partner, on request, all relevant information available to Customer and reasonable cooperation for such defence.

9. LIMITATION OF LIABILITY. Notwithstanding anything to the foregoing and to the maximum extent permitted by law, neither Party shall be liable whether in tort or contract for (i) lost profits, (ii) lost savings, (iii) reduced goodwill, (iv) damage caused by interruption of business operations, (v) lost or damaged data, or (vi) any incidental or consequential, special or punitive damages, even if a Party has been notified of the possibility of such damage. Tech Partner’s aggregate liability with respect to any matters whatsoever arising under or in connection with this EULA (including non-contractual claims) shall not exceed EURO 100.000 or the amounts for which Tech Partner is insured.

10. GENERAL. This EULA executed by the Parties is the entire agreement between the Parties regarding the subject matter hereof. This EULA The rights and obligations of each Party under this EULA may not be transferred or assigned directly or indirectly without the prior written consent of the other Party. Except as otherwise expressly provided herein,

the provisions hereof shall inure to the benefit of, and be binding upon, the successors, assigns, heirs, executors and administrators of the Parties hereto. No waiver will be deemed effective unless set forth in writing and signed by the Party charged with such waiver, and no waiver of any right arising from any breach will be deemed to be a waiver or authorization of any other breach or of any other right arising under this EULA. If any provision of this EULA is held to be invalid, illegal, or unenforceable, the remaining provisions hereof shall be unaffected thereby and remain valid and enforceable as if such provision had not been set forth herein. The Parties agree to substitute for such provision a valid provision that most closely approximates the intent of such severed provision. This EULA will be governed exclusively by the laws of the Netherlands. If Tech Partner and Customer are located in the European Union the parties irrevocably consent to the exclusive jurisdiction of the competent court in Arnhem, the Netherlands in connection with any dispute or action arising out of or in connection with this EULA, the overall relationship between the parties (if any), as well as any tort claims related to the EULA. If Tech Partner and/or Customer is/are located outside the European Union the Parties irrevocably consent to settle any dispute or action arising out of or in connection with this EULA, the overall relationship between the Parties (if any), as well as any tort claims related to the EULA, in accordance with the Arbitration Rules of the Netherlands Arbitration Institute. The place of arbitration shall be Nijmegen, the Netherlands and the proceedings shall be conducted in the English language. The Parties agree that the United Nations Convention of Contracts for the International Sale of Goods shall not apply to this EULA. Neither Party shall be liable for non-performance or delay caused by wars, riots, strikes, fires, floods, earthquakes, government restrictions, failure or errors of the internet or causes beyond its reasonable control, together: “Force Majeure”.

SERVICE AVAILABILITY AND SUPPORT SERVICES

1 DEFINITIONS. Where capitalized in this EULA, capitalized terms shall have the meanings as set forth within the body of the EULA or as set forth this article. “Excluded Events” means Planned Maintenance Times and issues (i) caused by factors outside of Tech Partner’s reasonable control, including denial of service or similar attacks, mail bombs, DNS resolution, Domain Name expiration, Internet availability, SYN attacks, and other events or Force Majeure event or internet access or related problems beyond the demarcation point of the Tech Partner Platform Apps and Connector Software, (ii) that result from any actions or inactions of Customer or any third party, (iii) that result from Customer’s equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within Tech Partner’s direct control) and/or (iv) arising from Tech Partner’s suspension and termination of Customer’s right to use the Tech Partner Platform Apps and Connector Software in accordance with this EULA. “Planned Maintenance Times” means maintenance times in minutes in each 12 Months Period, which are set by Tech Partner by means of an advance notice at five (5) business days before. Tech Partner will, if possible, perform Planned Maintenance between Monday to Friday outside 08.00 am through 6.00 pm local Datacentre location time; however, only the first four (4) incidents of planned maintenance per month will be regarded as Planned Maintenance Times. “Service Availability” means the availability of the Tech Partner Platform Apps and Connector Software in production environment essentially for the usage of Tech Partner Platform Apps and Connector Software by Customer. Failures affecting not essential features or features that are not used by Customer do not count. Service Availability is calculated per 12 Months Period as follows: (Total Minutes – Excluded Events – unavailability in minutes) / (Total Minutes – Excluded Events) x 100. “Total Minutes” mean the total minutes of the respective 12 Months Period. “Upgrade Control” means the product ordered by Customer by means of an Order Form, which entitles Customer to carry out updates/upgrades of the software as made available as part of the Tech Partner Platform Apps and Connector Software itself at Customer’s own responsibility.

2 SERVICE AVAILABILITY AND UPDATE. Tech Partner shall provide Customer a Service Availability of 99,5% per 12 Months Period. Tech Partner will automatically update the software made available as part of the Tech Partner Platform Apps and Connector Software within 3 months timeframe, unless Customer purchased Upgrade Control. If Customer has purchased Upgrade Control, then Customer may decide within a certain period to update the software as made available as part of the Tech Partner Platform Apps and Connector Software and the production environment as set out in more depth in the Documentation, provided that it is Customer’s responsibility that its production environment will run a software version that is no more than 12 months older than the then latest software version made available by Tech Partner. If the software version in Customer’s production environment is 12 months older than the then latest software version as made available by Tech Partner, then the software in Customer’s production software as part of the Tech Partner Platform Apps and Connector Software will be scheduled to be updated automatically in the next maintenance window.

3 SUPPORT SERVICE. The following applies to the support services as provided by Tech Partner as part of the Tech Partner Platform Apps and Connector Software. During the Subscription Period, one or more application managers, as designated by Customer and agreed between Customer, Tech Partner and/or Planon (each a “Customer Application Manager”), are granted access to technical support as set forth in this article. Tech Partner shall respond to the request within the response time periods provided below. A Customer Application Manager may report a first request or issue related to Tech Partner Platform Apps and Connector Software in production environment as provided below. Such request or issue, will be provided by the Customer Application Manager with a clear description thereof, if applicable with a Customer request number and an indication of the urgency level (together “Incident”) to the Planon support desk (“Planon Support Desk”), either: a) by phone, b) by email, or c) via the Planon website as further detailed in the most current version of the Planon Support Handbook. Only Customer Application Managers may report Incidents to the Planon Support Desk. The Planon Support Desk shall assess the Incident and if validated assign the Incident to the Tech Partner. The support desk of the Tech Partner (or the Planon Support Desk on Tech Partner’s behalf (herein after the “Tech Partner Support Desk”) shall respond to an Incident within the response time periods provided in Table 1 below. The urgency levels and service windows for Incidents as provided in Table 1 apply to standard software in production environment only. The Planon Support Desk and Tech Partner Support Desk are available on business days (excluding bank and public holidays) during Tech Partner business hours as further detailed in the most current version of the Planon Support Handbook. Tech Partner will respond to an Incident within the response time provided in Table 1 below. Five (5) Incident types and related support services are identified in table 1 as follows: “Service Availability Incident” is an Incident which has direct impact on the availability of the Tech Partner Platform Apps and Connector Software. The Tech Partner Support Desk will assign to a Service Availability Incident one of three degrees of urgency, and will take the related actions, each as set forth in Table 1 below. “User question” is an Incident related to a question regarding the use of the Tech Partner Platform Apps and Connector Software. User questions qualify as “Level 3” urgency level Incidents (see Table 1 below). “Enhancement Request” is an Incident related to a request for enhancements to standard functionality of the Tech Partner Platform Apps and Connector Software. An Enhancement Request will be noted by the Tech Partner Support Desk and included in the Tech Partner change management procedure. This procedure handles the acceptance, prioritization, and processing of enhancement requests. Enhancement Requests qualify as “Level 3” urgency level Incidents (see Table 1 below). “Loss of functionality” is an Incident related to limited functionality of the Tech Partner SaaS Service. The Tech Partner Support Desk will assign to a Loss of functionality Incident one of three degrees of urgency, and will take the related actions, each as set forth in Table 1 below. “Security Incident” is an Incident related to a report by the Customer Application Manager of a security risk perceived to be caused by the Tech Partner Platform Apps and Connector Software. The Tech Partner Support Desk will assign to a Security Incident one of three degrees of urgency levels, each as set forth in Table 1 below.

Table 1: INCIDENT URGENCY LEVELS AND SERVICE WINDOWS

Table 1: INCIDENT URGENCY LEVELS AND SERVICE WINDOWS
Incident Urgency LevelRemarkFulfils all criteria below:Service window (response time)
Level 1 /

STANDSTILL

/ P1

The highest urgency level; only assigned in very exceptional circumstances; to be reported by phone.The Tech Partner Platform Apps and Connector Software is seriously disrupted, with the majority of users down15 minutes
There is limited functionality of the Tech Partner Platform Apps and Connector Software, rendering Customer incapable of fulfilling important internal needs in the short term
The Tech Partner Support Desk is unable to offer a workaround (or partial workaround) to resolve the problem completely or partially within 1 business day
Level 2 /

URGENT / P2

A midlevel degree of urgency.The Tech Partner Platform Apps and Connector Software is disrupted at a level to cause inconvenience for a number of users but not all users4 hours
There is partial limited functionality of the Tech Partner Platform Apps and Connector Software, but Customer is still able to fulfil its own needs, and/or Tech Partner Support Desk is able to offer a workaround (or partial workaround) to resolve the problem completely or partially within 3 business days
Level 3 /

MINOR / P3

All Incidents that do not qualify as Level 1 or Level 21 business day

Annex 1

Mobiess DPA for Planon

 

This Data Processing Addendum (hereinafter referred to as “Addendum”) is an addendum to the “Mobiess End User License Agreement for Planon” (hereinafter referred to as “Agreement”) between the legal entity which has ordered the access to the Tech Partner Platform Apps and Connector Software under an Order Form (hereinafter referred to as “Controller”) and Mobiess Ltd (hereinafter referred to as “Processor). In consideration of the obligations of each party set out in this Addendum, the parties agree as follows:

  1. DEFINITION

Unless otherwise defined in the Agreement, all capitalized terms used in this Addendum will have the meanings given to them below:

  1. a.Processor Security Standards” means the security standards attached to this Addendum as Annex 1;
  2. Personal Data” means the “personal data” (as defined in the GDPR) that is uploaded by or on behalf of Customer to the Services and/or processed by Processor under the Agreement;
  3. Data Subject” means identified or identifiable natural person to which the Personal Data are related.
  4. d. “Documentation” means the documentation of the Services accessible in Processor’s online environment, as updated or amended from time to time, including without limitation the description of the Services and the user guides as available within the Services;
  5. e.EEA” means the European Economic Area;
  6. f.GDPR” means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament) and any national implementing laws as amended or updated from time to time. For Controllers in the UK: Unless or until it is no longer directly applicable in the UK, thereafter any successor legislation to the GDPR or the Data Protection Act 2018;
  7. Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly;
  8. Services” means the Tech Partner Platform Apps and Connector Software and/or related services provided by or on behalf of Processor under the Agreement.
  9. “Planon” means the legal entity Planon International B.V. a private limited liability company, duly incorporated and existing under the laws of the Netherlands, with its principal office at Wijchenseweg 8, 6537 TL Nijmegen, the Netherlands, registered with the trade register under number 09102087 or any of its affiliate(s).
  10. Order Form” means an ordering document specifying the Tech Partner Platform Apps and Connector Software to be provided hereunder that is entered into between Customer and Planon.
  1. DATA PROCESSIN
  • Scope and Roles. This Addendum applies when Personal Data is processed by Processor on behalf of Controller as required for the provision of Services in accordance with the provisions of the Agreement and this Addendum. Planon provides the cloud platform (software as a service) on which the Processor provides its Services under the Agreement to the Controller. Controller acknowledges and accepts that Personal Data will be processed on the cloud platform and may otherwise be shared with Planon subject to the terms of the data processing agreement as agreed between Planon and the Controller. The relationship between Planon and Controller and any related processing of Personal Data is governed separately from the Agreement and this Addendum
  • Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Addendum, including all statutory requirements relating to data protection including GDPR.
  • Instructions for Data Processing. Processor will process Personal Data in accordance with Controller’s written instructions, unless required to do otherwise by applicable law, in which case Processor shall provide prior notice to Controller unless prohibited from doing so by law. Controller herewith instructs Processor to process Personal Data as required for the provision of Services in accordance with the provisions of the Agreement and this Addendum. Processing outside the scope of this Addendum will require prior written agreement between Processor and Controller on additional instructions for processing, including agreement on any additional fees Controller will pay to Processor for carrying out such instructions, if applicable. Processor shall not process any Personal Data for its own purposes.
  • Access or Use. Processor will not access or use Personal Data, except as necessary to provide the Services to Controller, unless required to do otherwise by applicable law, in which case Processor shall provide prior notice to Controller unless prohibited from doing so by a legal regulation.
  • Subject matter and duration of the processing. The subject matter and duration of the processing of Personal Data are as described in Annex 2 of the Addendum.
  • Nature and purpose of the processing. The nature and purpose of the processing of Personal Data are as described in Annex 2 of the Addendum.
  • Description of Data Subjects, categories of data and processing operations. Data Subjects, Categories of data, Special categories of data (if appropriate) and Processing operations are as described in Annex 2 of the Addendum. The following types of sensitive personal data (including images or other information containing or revealing such sensitive data) may not be submitted to the Services:
  • government issued identification numbers;
  • racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information concerning health or sex life;
  • information related to an individual’s physical or mental health; and information related to the provision or payment of health care;
  • Other types of sensitive personal data that are classified as special categories of personal data as referred to in Article 9 and Article 10 of the GDPR.
    • Disclosure. Processor will not disclose Personal Data to any third party, except as necessary to comply with this Addendum, the law or a valid and binding order of a law enforcement agency (such as a subpoena, court order or order of a competent administrative authority). If a law enforcement agency or other third party sends Processor a demand for Personal Data, Processor will attempt to redirect the law enforcement agency or other third party to request that data directly from Controller. As part of this effort, Processor may provide Controller’s basic contact information to the law enforcement agency or other third party. If compelled to disclose Personal Data to a third party (including e.g. a law enforcement agency), then Processor will give Controller reasonable notice of the demand to Controller unless Processor is legally prohibited from doing so.
  • Processor Personnel. Processor restricts its personnel from processing Personal Data without authorisation by Processor as described in the Processor Security Standards. Processor will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality.
  • Processing locations. Processor will comply with applicable laws when transferring Personal Data outside the EEA. Any transfers of Personal Data outside the EEA taking place at the conclusion of the Agreement are described in Annex 2 of the Addendum. Processor shall inform Controller of any intended changes concerning the addition or replacement of transfers of Personal Data outside the EEA. Controller shall be entitled to object to such changes – for a compelling reason – vis-à-vis Processor in due course.
  1. SECURITY RESPONSIBILITIES OF
  • Processor shall take all measures required pursuant to Article 32 GDPR. The technical and organisational security measures currently implemented by Processor in this respect are described in Annex 1 of the Addendum.

3.2  The technical and organisational measures include the following:

(i)    Processor has implemented and will maintain measures to maintain the security of the Services as set out in the Processor Security Standards;

(ii)   Processor has implemented and will maintain measures to control access rights for Controller employees and contractors in relation to the Services as set out in article 1.1 of the Processor Security Standards. Controller has implemented and will maintain measures to control access rights to Personal Data.

3.3  Processor shall maintain the record of all categories of processing activities carried out on behalf of Controller as provided by Article 30§2 of the GDPR.

  1. RESPONSIBILITIES OF
  • Controller is responsible for reviewing the Processor Security Standards relating to data security and making an independent determination as to whether the Services meet Controller’s requirement

4.2  Controller shall be responsible for informing Data Subjects of the processing of their data under the Agreement.

  1. CERTIFICATIONS. Processor and/or its affiliate(s) hold a ISO 27001 certificate or such other alternative standards as are substantially equivalent to ISO 27001 and agree to maintain an information security program that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of the Processor Security Standards.
  1. CONTROLLER AUDIT.

6.1  Processor uses external auditors to verify the adequacy of Processor Security Standards and this Addendum. This audit: (a) will be performed annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third party security professionals at Processor’s selection and expense; and (d) will result in the generation of a confidential audit report (“Report”), which will be Processor’s Confidential Information.

6.2  At Controller’s written request, Processor will provide Controller with a Report in order to enable Controller to reasonably verify Processor’s compliance with the security obligations under this Addendum.

6.3  Controller agrees to exercise its audit right by instructing Processor to execute the audit as described in this article. With respect to requests for audits other than described in the previous sentence or other requests or instructions by Controller, Processor will respond with reasonable effort and provide Controller with information on Processor standard processes and an estimate of additional fees and costs that Controller would have to pay before Processor has to grant any requests or instructions that Processor does not offer as part of its standard services. Controller shall not be obligated to pay such additional fees or costs, unless and until Controller, at its sole discretion, agrees to such payment obligations in writing. Processor shall not be obligated to meet Controller’s requests or instructions until agreement on additional payments, if any, is reached, and Processor has received such payments, if any.

  1. DATA BREACH NOTIFICATION.

7.1  In accordance with article 33.2 of the GDPR, Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (as defined in the GDPR).

7.2  Controller agrees that:

  • the Controller is responsible for notifying the data breach to the competent authority within 72 hours, if notification to the competent authority is necessary pursuant to article 33 paragraph 1 of the GDPR; and
  • Processor’s obligation to report or respond to a personal data breach under this article is not and will not be construed as an acknowledgement by Processor of any fault or liability of Processor with respect to the personal data breach.

7.3  Notification(s) of personal data breach, if any, will be delivered to one or more of Controller’s administrators by any means Processor selects, including via email. It is Controller’s sole responsibility that Controller has provided the accurate contact information of Controller’s administrators.

 

  1. SUB-PROCESSOR.

 

8.1  Authorised Sub-processor. Controller agrees that Processor may use other processer(s) (“Sub-processor”) to fulfil its contractual obligations under the Agreement. Controller hereby consents to Processor’s use of the Sub-processors listed under Annex 2 hereto, and as described in this article. Processor shall inform
Controller of any intended changes concerning the addition or replacement of any Sub-processor. Controller shall be entitled to object to such changes – for a compelling reason – vis-à-vis Processor in due course.

8.2  Sub-processor Obligations. Where Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, similar data protection obligations as set out in this Addendum shall be imposed in writing on that Sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Addendum as well as generally the mandatory requirements for data processing agreements pursuant to Art. 28 GDPR. Processor will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of a Sub-processor that cause Processor to breach any of Processor’s obligations under this Addendum.

  1. LIABILITY. The limitations on liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA or the GDPR.
  1. CONFLICT. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum on the subject matter of this Addendum, the terms of this Addendum will control.
  2.  ASSISTANCE OBLIGATIONS. Processor will assist Controller, at Controller’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the GDPR with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, in each case to the extent relevant to the processing carried out by Processor.
  1. DATA RETURN / DATA DESTRUCTION. Upon the expiration or termination of the Agreement, unless otherwise instructed by Controller, Processor makes available to Controller data received from Controller and all data obtained or generated in connection with the Services (including Personal Data), except for data which will be (continued to be) processed on the cloud platform by Planon. Processing of such data shall be subject to the terms of the data processing agreement as agreed between Planon and the Controller. After a prior agreed period, Processor will destruct the data of Controller, except for data which will be (continued to be) processed on the cloud platform by Planon, including files, databases and backups. On request of the Controller, Processor gives proof of such destruction within thirty (30) days from such destruction.
  1. APPLICABLE LAW – DISPUTES. This Addendum shall be subject to the same terms and conditions as the Agreement as regards the applicable law and the resolution of disputes.

Annex 1

Processor Security Standards

This Annex describes the technical and organizational security measures and procedures that Processor shall, as a minimum, maintain to protect the security of personal data created, collected, received, or otherwise obtain. Processor will keep documentation of technical and organizational measures identified below to facilitate audits and for the conservation of evidence.

  1. INFORMATION SECURITY PROGRAM. Processor will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure, (b) identity reasonably foreseeable and internal risks to security and unauthorized access to Personal Data, and (c) minimize security risks, including through risk assessment and regular testing. Processor will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include (but not limited to) the following measures:
  • Access control. Processor’s employees, contractors and any other persons entitled to perform the Services are only able to access the Personal Data within the scope and to the extent covered by its access permission (authorization). All services are secured with a login and a password. Customer has the possibility to adjust the password policy, e.g. the minimum password length and complexity of the password.
  • Network security. Processor’s infrastructure will be electronically accessible to Processor’s employees, contractors and any other persons as necessary to provide the Services. Processor will maintain access control and policies to manage what access is allowed to the infrastructure from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Processor will maintain corrective action and incident response plans to respond to potential security threats.
  • Encryption of all data. Every data the Controller enter into Processor is fully encrypted (AES 256). In case of a data breach the data is not readable for a third party.
  • Human resource. Processor’s employees who have access to the Personal Data will be submitted to a background check prior to access, must sign a confidentiality agreement and an annual awareness program is mandatory. They are not allowed to use the personal data for purpose other than providing Services to the Controller. Processor will further instruct its staff regarding the applicable provisions on data protection.
  • Supplier relationship. Processor will monitor its suppliers by reviewing the audit reports made available by the suppliers. When deemed needed by Processor other methods will be used to monitor the information security compliance. In case of non-compliance, the supplier will be contacted by Processor to address the issue and find a solution.
  • Disaster Recovery. Processor will maintain a disaster recovery plan in a way so it will limit the chance of downtime for the Processor. The disaster recovery plan is tested regularly.
  • CONTINUED EVALUATION. Processor will conduct periodic reviews of the security of its infrastructure and adequacy of its information security program as measured against industry security standards of Processor’s choice.
  • DATA BREACH NOTICE. The Processor shall notify the Controller of any violations of the protection of personal data, providing at least the following information:
  • A description of the nature of the violation, the categories concerned and the approximate number of individuals and data sets affected;
  • The name and contact details of a contact partner for further information;
  • A description of the likely consequences of the violation;
  • A description of the steps taken in order to rectify or alleviate the violation.

 

Annex 2

Description of Data Subjects, categories of data and processing operations / Subject matter, duration, nature and purpose of the processing of Personal Data / Sub-processors / Transfers outside the EEA

DATA SUBJECTS.

Data Subjects include Controller’s employees, agents, advisors, contractors and/or customers.

If applicable, additional Data Subjects must be additionally instructed by Controller and agreed between Processor and Controller in writing.

CATEGORIES OF DATA.

The personal data relating to individuals which is uploaded onto the Services by Controller and/or processed by Processor and/or a Sub-processor under the Agreement:

  • First name and surname;
  • Telephone number;
  • Gender;
  • Email address;
  • Password
  • Profile picture

If applicable, additional categories must be additionally instructed by Controller and agreed between Processor and Controller in writing.

PROCESSING OPERATIONS.

Processing through or by the Services pursuant to the Agreement.

SUBJECT MATTER, DURATION, NATURE AND PURPOSE OF THE PROCESSING OF PERSONAL DATA.

The subject matter, duration, nature and purpose of the processing of Personal Data as part of the Services, but not limited to, as follows:

Subject matter: On-line access to Software provided by Processor on behalf of Controller.

Duration: For the term during which the Services are provided as agreed in the Agreement.

Nature: On-line access to Software provided by Processor on behalf of Controller.

Purpose:

  • To enable Controller access on-line the Software provided by Processor on behalf of Controller;
  • To conclude and carry out the contract between Processor and Controller;
  • To comply with legal obligations of Processor.

 

SUB-PROCESSORS AUTHORISED BY CONTROLLER.

 At the conclusion of the Agreement, the Processor does not engage any Sub-processors.

TRANSFERS OUTSIDE THE EEA.

 At the conclusion of the Agreement, the Processor does not transfer Personal Data outside the EEA.

CONTACT DETAILS OF PROCESSOR.

The contact details for privacy related issues are:

 

Email:                                                                     [email protected]

Phone:                                                                   +44(0)203 411 1795

CONTACT DETAILS OF CONTROLLER

 

The contact details for privacy related issues are:

Name DPO (if applicable):                            As specified in the Order Form]

Email address:                                                As specified in the Order Form]

(reporting) Data breach email address:   As specified in the Order Form]

Phone:                                                             As specified in the Order Form]