Data processing agreement

Version 1.2 November 2023

This processing agreement is part of the agreement between Pluvo B.V. (“Processor”) and the customer (“Controller”), and will take effect on the date that you have accepted this processing agreement. You guarantee that you are allowed to conclude this processing agreement. If you do not have this authority, please do not accept this agreement.”

The parties consider the following:

• Controller works in the field of trainings/courses and uses Processor in that context;
• Processor provides the Controller with the Service as described in the Agreement, and, in that capacity, processes (special) personal data for the Controller;
• With regard to the processing of personal data, the controller is considered to be the controller within the meaning of Article 4 introductory words and under 7 of the General Data Protection Regulation (“GDPR”);
• Parties wish - also in implementation of the provisions of article 28, paragraph 3 of the GDPR - to lay down in the present Processing Agreement a number of conditions that apply to their relationship with regard to the (processing of personal data in the context of) the activities mentioned for and on behalf of the Controller.
• With regard to the storage and processing of the personal data for the Controller, the Processor is regarded as a processor within the meaning of Article 4 introductory words and under 8 of the GDPR;

Agree as follows:

Article 1. Definitions

1. In this Data Processing Agreement, the following terms, always written with a capital letter, have the following meaning regardless of whether they are used in plural or singular form:
   Annex: appendix to the Processor Agreement, which forms an integral part of the Processor Agreement.
   ‍Agreement: the Pluvo Customer Contract concluded between Controller and Processor;
   Personal Data: all data that can be traced directly or indirectly to a natural person as referred to in article 4 introductory words and under 1 GDPR;
   Sub-processor: the subcontractor engaged by Processor, who Processes Personal Data under this Processing Agreement on behalf of the Controller as referred to in article 28 paragraph 4 of the GDPR;
   Processing: processing Personal Data as referred to in article 4 introductory words and under 2 of the GDPR;
   Data processing agreement: the present agreement, which forms part of the Agreement.
2. The provisions of the Agreement apply in full to the Processing Agreement. Insofar as the Agreement includes provisions concerning the processing of personal data, the provisions of this Processor Agreement prevail.

Article 2. Data Controller and Data Processor

1. Under this Processing Agreement, Processor undertakes to Process Personal Data on behalf of the Controller. An overview of the type of Personal Data, the categories of data subjects and the purposes for which the Processing of Personal Data takes place is included in Annex 1.
2. Controller is liable for the Processing of Personal Data under the Agreement and guarantees that the order to Process that Personal Data complies with all applicable laws and regulations. Controller indemnifies Processor against all claims from third parties, in particular from the supervisor, which in any way arise from non-compliance with this guarantee.
3. Processor undertakes to Process personal data only for the activities mentioned in this Processor Agreement and/or the Agreement. Processor guarantees that, without the express written consent of the Controller, it will not make use of the Personal Data Processed under this Processor Agreement, unless a legal provision applicable to the Processor requires it to process. In that case, the Processor will inform the Controller of that legal requirement prior to Processing, unless that law prohibits such notice for important reasons of public interest.

Article 3. Technical and organisational provisions

1. The Processor will, taking into account the nature of the processing and, as far as reasonably possible, assist the Controller in fulfilling its duty under the GDPR to take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Taking into account the state of the art and the costs of implementation, these measures will guarantee an appropriate level of security, taking into account the risks associated with the Processing and the nature of the data to be protected. In any case, Processor will take measures to protect Personal Data against accidental or unlawful destruction, accidental and intentional loss, falsification, unauthorised distribution or access, or any other form of unlawful Processing.
2. The technical and organisational measures taken by Processor are described in Annex 2. The Controller acknowledges having taken note of the measures concerned and by signing this Processor Agreement, the Controller agrees to the measures taken by Processor.

Article 4. Confidentiality

1. Processor will let its employees, who are involved in the execution of the Agreement, sign a confidentiality agreement - whether or not included in the employment agreement with those employees - that at least states that these employees must maintain confidentiality with regard to the Personal Data.

Article 5. Data processing outside the Netherlands

1. The transfer of Personal Data by Processor outside the European Economic Area is only permitted in compliance with the applicable legal obligations.

Article 6. Third parties and subcontractors  

1. Processor is allowed to use Sub Processors, as included in Annex 3, under this Processor Agreement and the Agreement. If Processor wishes to engage another Sub Processor, Processor will inform the Controller about the intended changes. The controller must object to these changes within 5 working days. Processor will respond to the Controller's objection within 4 working days.
2. Processor contractually obliges each Sub Processor to comply with the confidentiality obligations, reporting obligations and security measures with regard to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor Agreement.

Article 7. Liability

1. With regard to the liability of Processor under the Processor Agreement and with regard to the indemnification obligations for Processor included in the Processor Agreement, the regulation concerning the limitation of liability included in, among others, article 9 of the Agreement applies in full.
2. Without prejudice to article 7.1 of this Processor Agreement, Processor is only liable for damage caused by the Processing if such Processing fails to comply with obligations specifically addressed to Processor under the GDPR or if the Controller's lawful instructions have been acted in violation of the Controller's lawful instructions.

Article 8. Incidents

1. If Processor becomes aware of an incident that may have a (material) impact on the security of Personal Data, it will i) inform the Controller without unreasonable delay and ii) take all reasonable measures to prevent or limit (further) violation of the GDPR.
2. Processor will, insofar as reasonable, cooperate with the Controller and support the Controller in carrying out its legal obligations with regard to the detected incident.
3. Processor will, insofar as reasonable, support the Controller in its obligation to report the personal data breach to the Data Protection Authority (“AP”) and/or the data subject, as referred to in articles 33, paragraphs 3 and 34, paragraph 1 of the GDPR. Processor is never obliged to independently report a personal data breach to the AP and/or the person concerned.
4. Processor is never liable for the (correct and/or timely execution of) the reporting obligation on the Controller as referred to in articles 33 and 34 of the GDPR.

Article 9. Assistance to the Data Controller

1. Processor will, as far as reasonably possible, assist the Controller in fulfilling its duty under the GDPR to respond to requests to exercise a data subject's rights, in particular the right to access (art. 15 GDPR), rectification (art. 16 GDPR), data erasure (art. 17 GDPR), restriction (art. 18 GDPR), portability (art. 20 GDPR) and the right to object (art. 21 and 22 GDPR). Processor will forward a complaint or request from a data subject regarding the Processing of Personal Data to the Controller, who is responsible for processing the request, as soon as possible. Processor is entitled to charge the Controller for any costs associated with the cooperation.
2. Processor will, as far as reasonably possible, assist the Controller in fulfilling its duty under the GDPR to carry out a data protection impact assessment (arts. 35 and 36 GDPR).
3. Processor will provide the Controller with all information reasonably necessary to demonstrate that Processor complies with its obligations under the GDPR. Furthermore, at the request of the Controller, Processor will enable and contribute to audits, including inspections, by the Controller or an auditor authorised by the Controller. If the Processor believes that an instruction in connection with the provisions of this paragraph infringes the GDPR or other privacy laws applicable to it, the Processor will immediately notify the Controller.
4. Processor is entitled to charge the Controller for any costs associated with the provisions of article 9.3.

Article 10. Termination & Miscellaneous

1. With regard to cancellation and/or dissolution of this Processing Agreement, the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, the Processor will delete or return all Personal Data to him at the Data Controller's first request, and delete existing copies, unless Processor is legally obliged to continue to store (parts of) the Personal Data.
2. Controller will adequately inform Processor about (legal) retention periods that apply to the Processing of Personal Data for Processor.
3. Controller declares that he is authorised to conclude this Data Processing Agreement.
4. The obligations under this Data Processing Agreement, which by their nature are intended to survive termination, remain in force even after termination of this Data Processing Agreement.
5. The choice of law and competent court are in line with the provisions of the Agreement.

----------------------------

Annex 1. Overview of Personal Data

Type of personal data

The following categories of personal data may be processed by the Processor on behalf of the Controller:

1. Basic Identification Information:
   Name
   E-mail address
   Profile image‍
2. Custom User Fields:
   Fields added by the Data Controller, specific to their operational needs. These may vary and include but are not limited to occupation, organisation, contact information, and other relevant information.‍
3. Educational Data:
   Progress in course material
   Evaluation and test scores and results

Dynamic Nature of Data

• The Controller reserves the autonomy to determine which personal data is processed via the Processor's software. This includes both the basic identification information and the specific custom fields that are relevant to their purposes.
• Given the ability for the Controller to add custom fields, there is an inherently dynamic aspect to the types of personal data processed.

Access to Data

• An up-to-date and complete overview of the processed personal data is accessible to the Controller after logging into their account within the Processor's software provided by the Processor.
• This access allows the Data Controller to regularly review the types of data collected and, if necessary, update them to ensure accuracy and relevance.

Transparency and Compliance

• This specification of personal data is made in the spirit of transparency and compliance with the GDPR, with the privacy and protection of user data paramount.

Purposes of Processing

The processing of personal data by the Processor takes place for specific purposes as determined by the Controller. These purposes concern the data of natural persons (data subjects) who:

1. Relationship with Data Controller: This includes, but is not limited to, customers, members, students, prospects, donors, guests, employees, consumers, and citizens who have a relationship with the Controller.
2. Participation in Trainings: Persons who have registered for training courses or courses offered by the Data Controller.

These purposes include:

• Communication with stakeholders.
• Conducting research.
• Compliance with legal obligations.
• Implementation of agreements with those involved.

Processing activities

The processing is carried out independently by the Controller or the data subject, using the Processor's systems. These processing activities include but are not limited to:

• Data collection, capture, organisation, segment, filter, and structure.
• Data storage, including email communications and chat logs.
• Update, modify, synchronise, enrich, and analyse data.
• Requesting, consulting, using, sharing, distributing or otherwise making data available.
• Align, combine, protect, erase, or destroy data.

This list of processing activities provides a broader picture of the possible interactions with personal data within the Processor's systems and the diversity of the processing operations.

----------------------------

Annex 2 Security Specification

General Obligations

The Processor undertakes to take all necessary technical and organisational security measures as required by the General Data Protection Regulation (GDPR), with particular attention to the requirements set out in Article 32 of the GDPR. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of the processing and the risks of varying probability and seriousness to the rights and freedoms of natural persons.

ISO 27001:2017 Compliance

In addition to the GDPR requirements, the Processor will act in accordance with the standards and best practices set out in the ISO/IEC 27001:2017 Information Security Management Standard. This means:

1. Risk Management: Regular identification, assessment and treatment of information security risks.
2. Security policy: Implementation and maintenance of a documented information security policy.
3. Organisation of Information Security: Establishing an information security management structure and defining roles and responsibilities.
4. Human Resource Security: Ensure that employees are aware of their security responsibilities.
5. Asset Management: Identification and classification of information assets.
6. Access control: Restriction of access to information and processing systems.
7. Cryptography: Using cryptography to protect the confidentiality and integrity of information.
8. Physical and Environmental Security: Protection of physical locations and equipment.
9. Operations & Security: Security of operational processes and procedures.
10. Communication security: Protection of information in networks.
11. System Acquisition, Development and Maintenance: Ensuring that information security is an integral part of IT systems.
12. Supplier relationships: Data security in relation to external suppliers.
13. Information Security Incident Management: Effective response to information security incidents.
14. Continuity Management: Protecting the continuity of business processes.
15. observance: Assessment against legal, statutory, regulatory and contractual requirements.

----------------------------

Annex 3 Sub-Processor Specification

Processor can make use of the following categories and parties of sub-processors for Processing:

Message board

• ‍Identity:
  https://messagebird.com
• ‍Processed Data:
  First and Last Name
  E-mail address
  E-mail content information
• Purpose of Processing: Messagebird is used to send email communication. This includes transactional emails, and other forms of communication via email.
• Processing activities: Sending emails to users based on the lists provided.
  Processing response data such as email open and click rates.
  Maintenance of email lists and unsubscribe requests.
• Location of Processing: The data is processed in SparkPost data centers, located in Europe.
• Security measures: Messagebird implements industry-standard security protocols and encryption techniques to ensure data integrity and confidentiality.
• Duration of Processing: The data is processed for as long as necessary to perform the email services, or until a user unsubscribes or requests the deletion of their data.
• Compliance with Laws and Regulations: Messagebird complies with the GDPR and other relevant privacy laws for the protection of personal data.

Amazon AWS

• Identity:
  https://aws.amazon.com
• ‍Processed Data: User names and email addresses.User profile images.Additional fields added by the controller, which may vary depending on user requirements.User progress and scores in course materials and evaluations.Log files that record changes to the database.Files stored on AWS S3, including any user data or course materials.‍
• Purpose of Processing: AWS is used to host and manage this data to provide a scalable, reliable, and secure infrastructure for our services.‍
• Processing activities:
  Storage and management of personal data and user profiles.
  Hosting educational content and monitoring user performance.
  Maintenance and management of log files for security and monitoring.
  File storage and management on AWS S3.‍
• Location of Processing: Data is processed and stored in AWS data centers located in Frankfurt, Germany.‍
• Security measures: AWS implements comprehensive security measures including network security, encryption, access control, and regular security audits. Compliance with relevant industry standards and certifications such as ISO 27001, SOC 1, SOC 2, and GDPR‍
• Duration of Processing: Data is stored and processed for as long as necessary to provide the services.‍
• Compliance with Laws and Regulations: AWS complies with the GDPR and other relevant European and international privacy laws for the protection of personal data.

Rights and Obligations

• Audit rights: We reserve the right to inspect data security and privacy compliance.
• Data Breach Notification: The sub-processor must inform us immediately of any data breaches or security incidents that occur.
• Sub-processors: The sub-processor is obliged to clarify any additional sub-processors, and must confirm whether the data processing takes place within the European Union.