Data Processing Agreement

Version No. 1.2, May 2021

Convious operates a SaaS (software as a service) solution that can be simply integrated on the Partner’s website using JavaScript (hereinafter: the “Software”). For this purpose, Convious processes personal data of the Partner’s website visitors and clients on behalf of the Partner. Under the General Data Protection Regulation (‘GDPR’), the Partners are considered to be ‘controllers’ for the personal data which they process about their (potential) guests, and Convious is considered to be the ‘Processor’ of such personal data. In the remainder of this Data Processing Agreement (‘DPA’), the Partner is therefore called ‘the Controller’. The Controller and Convious may each also be referred to as a ‘Party’ and together as the ‘Parties’.

This DPA applies to the processing of personal data by Convious on behalf of the Controller, as is required for the performance of the services set out in the Order Form and the Convious Terms of Service. Together with the Order Form and the Terms of Service, this DPA forms the entire agreement between Convious and the Partner.

1. Definitions

1.1. In this Data Processing Agreement, 'GDPR' means Regulation (EU) 2016/679, known as the General Data Protection Regulation, as well as all laws and regulations that may replace this regulation in future.

1.2. Terms defined in the GDPR have the same meaning in this Data Processing Agreement, unless another definition is given here.

1.3. ‘Personal Data’ means personal data (as defined by the GDPR) relating to the Controller, its clients and/or other contacts.

1.4. ‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

1.5. ‘Subprocessor’ means a legal entity or person, not being an employee of Convious, who is or will be engaged by Convious for the purpose of providing services to the Controller on Convious’ behalf, for which purpose the engaged person or entity may receive or have access to Personal Data.

2. DPA

2.1. This DPA comes into effect on the date of signing of the Order Form by the Controller or on the date Convious starts Processing the Personal Data, whichever is the earlier, and will stay in force for the duration of the Agreement or until the Processing of Personal Data is terminated, whichever is the later. If the Agreement is terminated, this DPA is terminated automatically.

2.2. Neither Party can terminate the DPA prematurely.

2.3. Appendix 1 and 2 are an inseparable part of this DPA.

2.4. The Parties agree that on the termination of this DPA, the Processor shall, at the choice of the Controller, either return to the Controller all the Personal Data which it has obtained on the basis of the Agreement (to the extent that this data has not yet been deleted subject to this article) together with all copies thereof, or destroy all Personal Data and certify to the Controller that it has done so, unless legislation imposed upon the Processor prevents it from returning or destroying all or part of the Personal Data. In that case, the Processor warrants that it will guarantee the confidentiality of the Personal Data and that it will not actively Process the Personal Data anymore.

3. Processor obligations

Processor agrees and warrants:

3.1. to Process the Personal Data only on behalf of the Controller, in compliance with its instructions and this DPA, and for the purpose mentioned in the Agreement. If it cannot provide such compliance for whatever reason, it agrees to promptly inform the Controller of its inability to comply, in which case the Controller is entitled to suspend the supply of data and/or terminate the Agreement;

3.2. to Process the Personal Data in a proper and careful manner and in accordance with the GDPR and other applicable legislation governing the disposal and Processing of Personal Data;

3.3. to delete all Personal Data as soon as the storage thereof is no longer necessary for the execution of the Agreement and/or required by Controller;

3.4. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Controller and its obligations under the Agreement and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this DPA, it will promptly notify the change to the Controller as soon as it is aware, in which case the Controller is entitled to suspend the supply of data and/or terminate the Agreement;

3.5. that it has implemented the technical and organizational security measures specified in Appendix 2 before Processing the Personal Data;

3.6. that it will promptly notify the Controller about:

  • any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

  • any accidental or unauthorized access, and

  • any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

3.7. to deal promptly and properly with all inquiries from the Controller relating to the Processing of the Personal Data subject to the transfer and to abide by the advice of the supervisory authority with regard to the Processing of the Personal Data;

3.8. at the request of the Controller to submit its data Processing facilities for audit of the Processing activities covered by the DPA which shall be carried out by the Controller or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Controller, where applicable, in agreement with the supervisory authority;

3.9. that, in the event of sub-processing, it has previously informed the Controller and obtained its prior written consent; that the Processing services by the Subprocessor will be carried out in accordance with this DPA; and that it will promptly send a copy of any Subprocessor agreement it concludes with a Subprocessor;

3.10. to cooperate with any registration, for example with a supervisory authority, if legally required;

3.11. to cooperate with a request of a data subject to, for example, view and/or change its Personal Data based on the GDPR, without extra costs.

4. Lawfulness of Processing and Indemnification

4.1. The Controller warrants that the processing (including the collection and the transfer to the Processor) of Personal Data in accordance with this Agreement is in compliance with the General Data Protection Regulation (GDPR) and any other applicable data protection legislation. The Controller will indemnify the Processor against any and all related claims, including claims from the data subjects and/or penalties imposed by the responsible authority.

4.2. The Processor will indemnify the Controller and hold it harmless in respect of any penalties and claims for damages imposed on the Controller by third parties, if such penalties and claims for damages are due to the Processor's non-compliance with this Agreement or the Processor's legal obligations. The amount to be paid by the Processor under this warranty and/or indemnification will be limited to the invoice value of the products and/or services provided under the Main Agreement.

5. General

5.1. The Processor has no control over the purposes/grounds and means of the Processing of Personal Data. Unless otherwise specified in this DPA, Processor does not take decisions on the use of the Personal Data, the supply to third parties and the length of the storage of Personal Data.

5.2. The Processor shall implement appropriate technical and organizational measures to secure Personal Data against loss and/or against any form of unlawful Processing. These measures shall guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the Processing and the nature of the Personal Data to be protected, as laid down in Appendix 2. The Processor will enable the Controller, on its first request, to inspect the measures that have been taken.

5.3. If the Processor Processes, or arranges to Process, the Personal Data of the Controller in another member state of the European Union, it shall do so, or arrange as such, in compliance with the laws and regulations of the member state concerned. The Processor shall only Process the Personal Data of the Controller in a country outside the European Union after prior written approval of the Controller.

5.4. The obligation of confidentiality of the Processor, on the basis of the GDPR, can only be superseded when a legal obligation requires the disclosure of Personal Data or when the Processor has notified the Controller of the necessity to disseminate.

6. Data Breach

6.1. The Processor shall, as soon as possible but at the latest within 72 hours after it has become aware of any incident or security breach (of any kind) relating or potentially relating to Personal Data (a “data breach”), notify the Controller thereof.

6.2. In the event described above in 6.1, the Processor shall provide the Controller with at least the following information: (i) the nature of the incident or data security breach, (ii) the Personal Data that is or could be affected, (iii) the established and expected consequences of the incident or data security breach for the Personal Data, and (iv) the measures that the Processor has taken and is expected to take.

6.3. The Processor shall undertake the appropriate measures to contain any (potential) (further) damage and/or leakage/loss of (Personal) data.

6.4. The Processor shall assist the Controller with any notifications to data subjects and/or authorities if requested by the Controller. The Processor shall refrain from notifying data subjects and/or authorities without prior discussion with the Controller.

7. Jurisdiction

7.1. This DPA is governed by Dutch Law and all (legal) transactions resulting from this agreement are governed by Dutch law. In the event of disputes, the competent court in Amsterdam has exclusive jurisdiction over the dispute.

Appendix 1 Processing Data and Purposes

This Appendix forms part of the DPA.

Personal Data:

  • We collect email addresses shared with us in order to deliver electronically purchased goods, invoices, reminders about purchased events and custom offers. We use email addresses to provide customer services; to send service or support messages, updates and other notifications; and to facilitate referral invitations and to detect and prevent fraud, abuse and other harmful activity.

  • We automatically collect log information of users on the Convious Enabled Site. This information includes details of how the Convious Enabled Site is used, IP address, access times, hardware and software information, device information, device event information (e.g. crashes, browser type), and pages viewed or engaged with. We also collect information related to customer transactions on the Convious Enabled Site, including date and time, amount charged, payment type and other related transaction details. We do not collect financial information (such as bank account or credit card information);

  • Referring URL and domain;

  • Pages visited;

  • Preferred language used to display the webpage;

  • Date and time when website pages were accessed.

  • IP address;

  • We log and analyze communication on the Convious Enabled Site:

    • to enable customers to access and use Convious software

    • to operate, protect, improve, and optimize Convious software and our users’ experience

    • to help create and maintain a trusted and safe environment (detect and prevent fraud, assess risk, conduct checks against public databases)

    • to send service, support, administrative messages, reminders, technical notices, updates, security alerts and information requested by customers

    • for product development

    • for research and product innovation

    • for customer support purposes.

For example, we scan and analyze chat messages to improve and expand product offerings. We will not review, scan, or analyze communication to send third party marketing messages.

Appendix 2 Security Measures

This Appendix forms part of the DPA.

Security measures adopted by Convious include:

  • Access to the information stored within Convious’s servers is tiered and limited, by job function, to those Convious employees who need it to carry out their job responsibilities, to users designated on our Customer’s accounts, and to Third Parties who can access the information only in specific and limited circumstances and are bound by confidentiality. All access to the information stored within Convious is logged, reported and reviewed by our security team;

  • Personal data processing systems require authorization;

  • Personal data is protected against accidental destruction or loss;

  • Convious's servers are protected by: a) firewalls establishing a barrier between our trusted, secure internal network and the internet; b) IP restrictions, limiting access to whitelisted IPs; and c) encrypted communication between services;

  • Each Customer may only access information pertaining to the Customer Website that it is tracking and to the specific End Users visiting such Customer’s Website;

  • We use HTTPS for Convious’s Services, providing secure transfer of data to prevent wiretapping and man-in-the-middle attacks;

  • Convious reviews its information collection and processing practices periodically and will review and amend this Privacy Policy accordingly.

The Processor shall ensure that any personnel whom the Processor authorizes to process Personal Data on its behalf are subject to confidentiality obligations with respect to that Personal Data. The undertaking of confidentiality shall continue after the termination of the above-mentioned activities.