Data Processing Agreement
Last updated: April 20, 2022
1.Before we get started
Webclew BV (“us”, “we”, or “our”) operates a domain monitoring platform (“Platform”) that you as subscriber (“Client”, “you”, “your”) can use for our services as described in the Order Form (“Services”). This Data Processing Agreement (“DPA”) supplement and form an integral part of the Webclew BV Terms and Conditions. The terms of this DPA apply only when:
- we process personal data on behalf of you as a Client (“Client Data”) using the Platform;
- personal data are subject to the data protection laws of (a) the European Union, (b) the European Economic Area, (c) Switzerland; and/or (d) the United Kingdom; and
- you use the platform with an active account in line with our Terms and Conditions. Any capitalized terms not defined in this DPA will have the meaning as set out in our Terms and Conditions. All terms that coincide with terms used in the GDPR, have the meaning assigned to them in the GDPR.
2. Role of the parties
We act as a processor on behalf of you as controller.
3. Nature of data processing
The scope of data processing under this DPA is that we provide Services you initiated through our Platform. Personal data are limited to:
- contact details of Platform users; and
- contact details and correspondence of your employees for contractual purposes, invoicing and other administrative tasks.
4. Purpose and Subject Matter
We will process personal data on behalf of you as the controller, for the purposes of providing the Services in accordance with the Terms and Conditions.
5. Our Obligations as Processor
We will:
- only process personal data on your behalf in line with Documented Instructions (as defined hereafter), unless we are required to do so by union or member state law, which we will inform you if we are permitted by law;
- ensure that our authorized employees, contractors or agents only process personal data with adequate confidentiality obligations;
- process all personal data on EU-controlled servers
- transfer Client Data outside of the EEA only with appropriate safeguards to ensure the same level of protection as under the GDPR
- adopt appropriate technical and organizational measures when processing personal data;
- provide reasonable assistance with your obligations as a controller (including your obligation to fulfill the data subject’s rights);
- notify you without undue delay after becoming aware of a personal data breach, and assist in providing information necessary for you to comply with applicable data protection laws;
- notify you of government access requests unless this is prohibited by law; and
- not disclose personal data to government authorities or third parties unless this is strictly necessary to comply with a legally binding request.
6. Your Rights and Obligations as Controller
You acknowledge and agree that:
- you are solely responsible for the legality, integrity and accuracy of Client Data;
- you comply with applicable Data Protection Laws to provide Client Data with us;
- you will notify applicable regulatory authorities and data subjects in case of a personal data breach pursuant applicable Data Protection Laws;
- you independently determine whether processing Client Data for Services meets your obligations under applicable Data Protection Laws;
- you verify that security measures of our Platform provide adequate protection of Client Data.
7. Controller instructions
You agree that this DPA and the use of Services in line with the Terms and Conditions constitute your instructions (“Documented Instructions”) for processing personal data on your behalf. Additions to Documented Instructions require a prior written agreement between you and us. We will immediately inform you if we consider such an instruction incompatible with Data Protection Laws. In such case, we shall bear no liability if we refuse to carry out any instruction we deem unlawful.
8. Audit
You have the right to perform an audit at your own expense once per calendar year during business hours unless you have reasonable grounds to suspect non-compliance with the DPA or unless requested by a supervisory authority. You can request an audit in writing at least one month prior to the date on which the audit will be performed unless the audit relates to a personal data breach or the audit is requested by a supervisory authority. You can perform the audit yourself or appoint an independent auditor. An audit pursuant to this clause may not unreasonably interfere with our regular business operations and any of our confidentiality obligations towards third parties. You (and your auditors) must keep the information collected in connection with an audit secret and may use it exclusively to verify our compliance with this DPA. We will use our best efforts to cooperate with an audit and will respond in writing to all reasonable requests for information to demonstrate compliance with this DPA.
9. Use of Sub-processor
We ensure that any processing of personal data by a sub-processor is governed by terms that are not less protective than the obligations and limitations as those set out in this DPA. We currently use the sub-processors listed in Appendix 1. You authorize us to:
- work with the sub-processors listed in Appendix 1; and
- change an existing sub-processor or add a new one. We will notify you four weeks before making any changes to sub-processors in Appendix 1. You are entitled to object to such a change by terminating the Agreement.
10. Duration and termination
We process Client Data for the duration of the Agreement, unless otherwise agreed in writing.
11. Deletion of Data
We will return or delete Client Data upon your request up to 90 days after the end of the Agreement.
12. Liability
We shall only be liable under this DPA if we (i) did not comply with its specific obligations under the GDPR, or (ii) acted outside or in violation of the lawful instructions of the Controller In any case, the provisions of the Agreement concerning liability shall also apply to this DPA and any services provided by us hereunder.
13. Other provisions
The provisions of the Terms and Conditions concerning changes, completeness of the agreement, severability, applicable law and competent court are applicable to this DPA.
Appendix 1
The following sub-processors are used to operate the Services:
| Entity name | Activities | Data scope | Transfer mechanism | | ------------------- | ---------------------------------------------------- | ------------- | ---------------------------------------- | | Amazon Web Services | Cloud Service Provider | United States | Standard Contractual Clauses | | Fathom Analytics | Platform usage analytics | Canada | Adequacy decision | | Sentry | Application monitoring for technical troubleshooting | United States | Standard Contractual Clauses | | Crisp | Messaging platform for customers | France | EU member state |