Data Processing Agreement

How we process personal data on behalf of customers under GDPR Article 28.

Purpose

Among other things, SoftApp processes personal data for and on behalf of “the client” because the client has a software user agreement with the cloud service: CallerConnect. CallerConnect is a cloud service provided by SoftApp.

SoftApp and the customer are required by the General Data Protection Regulation (AVG/GDPR) to enter into a Processing Agreement. SoftApp and the customer mutually undertake to comply with GDPR. Definitions follow the GDPR. SoftApp will only process personal data for and on behalf of the customer and to give effect to the agreement.

Instructions for processing

The processing consists of making the SoftApp applications available with the data entered and generated by the customer. SoftApp will not add, modify or delete data without specific instruction from the customer — instructions can be given via a request or via the self-service portal.

Within the applications, various types of personal data can be recorded, including: display name, first name, last name, office name, phone number, city, country, title, company, manager, department, user name. SoftApp is aware that the customer can enter all of these and any personal data or categories created by the customer, and that SoftApp will then process them. The client is responsible for assessing whether the purpose and nature of the processing are appropriate to the service SoftApp is providing.

Duty of confidentiality

SoftApp is aware that the information the client shares within CallerConnect is confidential and business-sensitive. All SoftApp employees handle customer information responsibly during their employment and thereafter, as set forth in their employment contract with a confidentiality clause.

Employees with access to customer data

SoftApp system administrators and support staff have full access to customer data for:

  • creating the customer (tenant) on the CallerConnect platform;
  • installing a new version;
  • implementing patches and hot fixes;
  • making a backup;
  • moving data within the CallerConnect domain.

Security

SoftApp permanently takes appropriate technical and organisational measures to protect the personal data of the customer against loss or any form of unlawful processing. These measures are considered an appropriate level of security within the meaning of GDPR. The customer is entitled, in consultation with SoftApp during the term of the agreement, to have an independent expert verify compliance — for example by conducting an audit. The customer will bear all costs related to this audit.

SoftApp shall be liable for damages in the context of personal data due to acts or omissions of sub-processors where the limitation of liability from the Liability chapter applies. The applicable limitation of liability does not apply if there is gross negligence or intentional misconduct on the part of the sub-processor. SoftApp is also not liable in case of force majeure on its own part or on the part of the sub-processor.

If the Personal Data Authority issues a binding instruction to the Processor, the Customer must immediately inform SoftApp. SoftApp shall do everything reasonably expected of it to enable compliance.

Sub-processors

SoftApp processes customer data in the data centres of Iron Mountain Data Centers (Leaseweb), Whitesky.cloud (Gig.tech) and Microsoft Azure as sub-processors. SoftApp’s data centres are located in the Netherlands and Belgium, are subject to Dutch and Belgian laws and regulations, and meet the strict Dutch, Belgian and European legislation with respect to logical and physical access protection and continuity. The data centres are at least ISO 27001 certified. (Personal) data is processed by SoftApp and sub-processors exclusively within the European Economic Area.

SoftApp will not allow new sub-processors to process data without informing the customer in a timely manner. The customer may object to a new sub-processor; objections are handled at management level. If SoftApp still wishes to use the new sub-processor, the customer has the option to terminate the agreement.

Privacy rights

SoftApp has no control over the personal data made available by the customer. Without necessity (given the nature of the order), explicit consent of the customer or legal obligation, SoftApp will not provide the data to third parties or process it for other purposes than the agreed purposes. The customer guarantees that the personal data may be processed on a basis specified in GDPR.

SoftApp will, however, if a request is made by the Netherlands Authority for the Financial Markets, the European Central Bank or De Nederlandsche Bank N.V. pursuant to their duties under the Wft (or other laws), make all possible information available to the relevant organisation. SoftApp also obliges sub-processors to comply with such a request.

Notification to the customer

If SoftApp identifies a security incident or data leak, SoftApp will notify the customer as soon as possible after becoming aware of it. To accomplish this, SoftApp ensures that all employees are and remain capable of detecting a data leak. If a data leak occurs at a SoftApp vendor, SoftApp will report it. SoftApp is the point of contact for the customer; the customer does not have to contact SoftApp’s suppliers directly.

Informing the customer (administrator)

Initially, SoftApp will inform the contact person (administrator) of the subscription about a data leak.

Provide information

SoftApp tries to provide the customer immediately with all the information needed to make a possible report to the Authority for the Protection of Personal Data and/or the data subject(s).

Term of informing

GDPR states notification must be made “without delay”. According to the AP, this is without undue delay and if possible no later than 72 hours after discovery by the responsible party. SoftApp will inform the customer no later than 48 hours after SoftApp has discovered a security incident. The customer assesses whether the incident falls under “data leak” and whether it should be reported to the AP — the customer has 72 hours to do so after being informed.

Progress and measures

SoftApp keeps the customer informed about progress and measures taken. SoftApp registers all security incidents and handles them according to a fixed procedure (workflow).

Deleting data

SoftApp will, at the end of the agreement, delete all customer data. If the customer wants the data removed earlier, a request can be made; SoftApp undertakes to comply.

Need a signed DPA?

We sign DPAs as part of onboarding. Email us and we'll come back with a draft within one business day.