Data Protection Agreement

 

PARTIES

• Govin B.V. incorporated under the laws of The Netherlands, having its principal place of business at Herengracht 280 (1016 BX), the Netherlands, registered under number 83058494 (hereinafter referred to as: “Govin“); and
• Customer, the party who is identified as customer on Govin’s order form or otherwise referred to as customer or client on an executed agreement that explicitly refers to this agreement (hereinafter referred to as: “Customer“).

each individually referred to as a “Party” and together referred to as the “Parties”

WHEREAS

• Govin provides a SaaS (Software-as-a-Service) subscription service, which empowers businesses to create a centralized governance hub on its platform. The Customer has engaged Govin to provide governance related Services. For the purposes of providing the Services to the Controller, Govin will Process Personal Data as a Processor on behalf of the Controller (“Processor Activities”).
• In addition to the Services for which Govin acts as Processor, the Customer has under the Terms of Service authorised Govin to Process Personal Data as independent Controller for its own purposes (“Controller Activities”).
• This Agreement sets out the obligations and responsibilities of the Parties with regard to the Processing of Personal Data to ensure Personal Data is Processed in compliance with Applicable Data Protection Laws. Part A of this Agreements sets out the obligations and responsibilities in relation to the Processor Activities and Part B of this Agreement sets out the obligations and responsibilities in relation to the Controller Activities.

the following is hereby agreed:

1. Definitions

• For the purposes of this Agreement, the following expressions bear the following meaning:
  • ”Agreement” means this data protection agreement including its appendices.
  • “Applicable Data Protection Laws” means any applicable law or regulation relating to the protection of personal data or the privacy of individuals, including but not limited to the GDPR, any legislation implementing the requirements of the GDPR in each EU Member State, any legally binding requirements of supervisory authorities and any other applicable EU or Member State law relating to data protection or privacy of individuals
  • “Data Subject Request” means request(s) of Data Subject(s) to access, rectify, change, delete or port Personal Data or to restrict or object to the Processing of Personal Data, or any other rights granted to Data Subjects under Applicable Data Protection Laws;
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  • “Service” means Govin’s products and services, including the subscription service to Govin’s governance platform and any other service that is described on Govin’s order form, Govin’s Terms of Service and/or this Agreement.
  • “Subprocessor” means any Subprocessor engaged by Govin or by any other Subprocessor of Govin as relevant for the Processor Activities, which agrees to receive from Govin, or from any other Subprocessor of Govin, Personal Data intended for the Processor Processing Activities to be carried in accordance with the Controller’s instructions, the terms of this Agreement and the terms of the written Subprocessing Agreement between Govin and the Subprocessor;
  • “Subprocessor Agreement” means the written agreement between Govin and the Subprocessor;
  • “Third Country” means countries outside the European Economic Area (“EEA”);
• In this Agreement, the terms “Data Subject”, “Data Protection Impact Assessment”, ”Controller”, “Personal Data”, “Personal Data Breach”, “Process/Processing”, ”Processor”, and “Supervisory Authority” and ”are as defined in the GDPR.

2. Liability and Indemnification

• Govin shall take reasonable measures to comply with this Agreement and Applicable Data Protection Laws and shall be responsible and liable to the Customer for any breach of Govin’s obligations in relation to the Controller Activities and Processor Activities as set out in this Agreement and under Applicable Data Protection Laws. With regard to the Processor Activities, Govin shall be fully responsible and liable to the Customer for the performance of the Subprocessor’s obligations, where the Subprocessor fails to fulfil its obligations laid down in the Subprocessing Agreement or Applicable Data Protection Laws. Any liability arising out of or related to this Agreement (and any other data protection agreements between parties if applicable) will be subject to the limitations and exclusions of liability as set out in section 7 of Govin’s Terms of Service.
• In the event of a dispute or claim brought by a third party (including but not limited to a Data Subject or a Supervisory Authority), the Party receiving such claim will promptly inform the other Party in writing, and both Parties will cooperate with a view to settling such claim or dispute amicably and in a timely fashion.

3. Governing Law and Jurisdiction

• This Agreement and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) is governed by the laws of the Netherlands.
• The place of jurisdiction for all disputes or claims that arise out of or in connection with this Agreement shall be Amsterdam, the Netherlands.

4. Miscellaneous

• If and to the extent that any provision of this Agreement is held to be illegal, void or unenforceable in any jurisdiction, such provision shall be given no effect in that jurisdiction, but without invalidating any of the remaining provisions of this Agreement.
• To the extent that any changes in applicable law, regulatory requirements or case law compel Parties to amend the terms of this Agreement, Parties shall without undue delay enter into negotiations to appropriately address such changes.
• In the event of inconsistency between the provisions of this Agreement and any other agreements between the Parties, including Govin’s Terms of Service, the provisions of this Agreement shall prevail with regard to the Parties’ obligations under the Agreement or any matter relating to data protection.
• In the event of a conflict between the provisions of any Applicable Data Protection Laws and the terms of this Agreement then the Parties shall take reasonable steps to comply with the terms of this Agreement without contravening Applicable Data Protection Laws.
• Parties mutually agree that this Agreement is subject to amendments in light of changing circumstances and hereby agree to amend this Agreement in good faith where necessary.

PART A – Processor Activities

5. Processor Activities details

• The details of the Processing activities to be carried out by Govin as Processor are set out in Schedule 1.
• Govin will:
  • only Process the Personal Data, including with regard to transfers of Personal Data to a Third Country, for the purpose of carrying out the Services as set out in Schedule 1, unless required to do so by European Union or Member State law to which Govin is subjected to. In such a case, Govin shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
  • comply with Applicable Data Protection Laws and shall not knowingly cause the Customer to breach Applicable Data Protection Laws;
  • abide by any specific advice of Supervisory Authorities addressed to the Customer or Govin with regard to the Processing of Personal Data.

6. Notification and Cooperation

• Govin will have in place appropriate technical and organisational measures, insofar as this is possible, to assist the Customer in complying with its obligations to respond to Data Subject Requests.
• Govin will make available all information reasonably necessary to demonstrate compliance with the obligations under Applicable Data Protection Laws and this Agreement.
• Govin will provide reasonable assistance to the Customer for complying with its obligations under Applicable Data Protection Laws, including obligations:
  • in relation to investigating, restoring and promptly notifying the Supervisory Authority and/or Data Subjects of Personal Data Breaches;
  • to carry out Data Protection Impact Assessments or audits of the Processor Activities, when required under Applicable Data Protection Laws;
  • to respond to Data Subject Requests and complaints and requests from Supervisory Authorities; and
  • to consult with the Supervisory Authority prior to the Processing in relation to Processing activities subject to a Data Protection Impact Assessment.
• Govin will promptly inform the Customer if:
  • it is of the opinion that an instruction from the Customer violates Applicable Data Protection Laws, this Agreement or any other applicable laws to which Govin is subject;
  • it is unable to comply with its obligations under this Agreement or Applicable Data Protection Laws;
  • applicable law to which it is subject requires it to Process Personal Data other than in accordance with the Customer’s instructions and this Agreement;
  • changes in any laws, regulations or government policies applicable to Govin that are likely to have an adverse effect on the obligations of this Agreement and/or the rights and interests of the Data Subject’s whose Personal Data is Processed in relation to this Agreement;
  • it, or its Subprocessors, receives any complaint, request or other communication of a Data Subject or a competent Supervisory Authority (without responding to that request unless it has been otherwise authorised by the Customer to do so); or
  • it, or its Subprocessors, receive any order, request, complaint or other demand by a court, Supervisory Authority or other regulator in relation to the Customer’s Personal Data, without responding to such order, request, complaint or demand unless the Processor has been authorized to do so in writing by the Customer.

7. Personal Data Breaches

• Upon discovery of any Personal Data Breach, Govin will;
  • take reasonably necessary action to prevent any (further) accidental or unlawful Processing of Personal Data Processed as part of the Processor Activities;
  • provide the Customer with reasonable co-operation and assistance in relation to the investigation of the Personal Data Breach, mitigation of the impact of the Personal Data Breach and any notifications that the Customer is required to make as a result of the Personal Data Breach;
  • not communicate about the Personal Data Breach in a way that directly or indirectly identifies the Customer without the prior written authorisation of the Customer; and
  • notify the Customer in writing per e-mail without undue delay after it becomes aware of any Personal Data Breach related to Customer’s Personal Data.
• Such notice will include, to the extent possible, all relevant details of the Personal Data Breach, including:
  • the nature of the Personal Data Breach;
  • the categories and number of Data Subjects and categories of Personal Data affected by the Personal Data Breach;
  • the measures taken to address the Personal Data Breach and to mitigate possible adverse effects suffered by the Customer and/or the affected Data Subjects;
  • any other details which Govin is required to notify to the Customer under Applicable Data Protection Laws.

8. Security Measures

• For the performance of this Agreement, Govin shall implement and maintain:
  • appropriate technical and organisational security measures (including confidentiality obligations applicable to their personnel) to ensure a level of security appropriate to the risks that are presented by the Processing of Personal Data, as further specified in Schedule 2. Processor shall have appropriate documentation in place to be able to demonstrate compliance with this clause; and
  • measures ensuring that all persons authorised to Process the Personal Data have committed themselves to confidentiality or are under appropriate statutory duty of confidentiality.

9. International Data Transfers

• Customer hereby grants Govin its general authorization to transfer Personal Data to Third Countries, to the extent reasonable necessary for Govin to provide Customer with the Services. Govin will take reasonable measures to comply with Applicable Data Protection Laws and this Agreement for international transfers of Personal Data to Third Countries.

10. Audits

• Govin will co-operate with the Customer to enable the Customer or its authorised third party auditors to audit Govin’s compliance with its obligations under this Agreement and Applicable Data Protection Laws, upon written notice of 30 working days and during regular business hours.
• Individuals conducting the audit will comply with the safety procedures implemented by Govin and a select group of Govin’s employees, such as the key employees of Govin’s development team, shall at all times be present during the audit procedure. The costs of such audit shall be borne by the Customer.

11. Subcontracting

• Customer hereby grants Govin general authorisation to engage Subprocessors.
• Govin shall choose any Subprocessor diligently and ensure that any Subprocessor provides sufficient guarantees that it will implement and maintain appropriate technical and organizational measures to ensure that its processing of Personal Data meets the requirements set out in this Agreement and Applicable Data Protection Laws.
• Govin shall enter into a Subprocessing Agreement and such Subprocessing Agreement shall impose upon the Subprocessor equivalent obligations as imposed by this Agreement upon Govin. Upon Customer’s reasonable request, Govin shall provide information and documentation reasonably requested to demonstrate compliance with the obligations of the Subprocessor under the Subprocessing Agreement and Applicable Data Protection Law.
• In Schedule 1, Govin will provide Customer with a list of all Subprocessors currently engaged by Govin to the extent relevant to the Processor Activities.
• To the extent reasonably possible, Govin will inform Customer about any new Subprocessor engaged by Govin or will update an online list of Subprocessors and provide the Customer with the means to access this list at least 15 working days prior to engaging such new Subprocessor. If the Customer does not provide reasonable objections within fourteen (14) working days after receipt of Govin’s notice, the Subprocessor shall be deemed accepted by the Customer.
• If Customer has a reasonable objection to object to a Subprocessor, Controller shall notify Govin thereof in writing within fourteen (14) days after receipt of Govin’s notice. If Customer objects to the use of the Subprocessor, Govin shall use efforts to address the objection through one of the following options: (a) Govin will offer an alternative to provide the Services without such Subprocessor; or (b) Govin will take the corrective steps requested by Customer in its objection (which would therefore remove such objection) and proceed to use Subprocessor. If none of the above options are reasonably available and the objection has not been sufficiently addressed within fourteen (14) working days after Govin’s receipt of Customer’s objection, Govin will cancel its plans to use Subprocessor with regard to Personal Data Processed under this Agreement.

PART B – CONTROLLER ACTIVITIES

12. Controller Activities Details

• Part A above does not apply where Govin is acting as Controller. The Customer has authorized Govin to Process Personal Data to develop and improve its Services. The scope, nature and purposes of the Controller Activities are set out in Schedule 3. Govin and the Customer acknowledge and agree that Govin will act as independent Controller for Processing Personal Data for the Controller Activities, not as Processor or joint Controller.

13. Compliance with Applicable Data Protection Laws

• Govin will comply with its obligations as independent Controller under Applicable Data Protection Laws for the Processing of Personal Data it collects itself or receives from the Customer pursuant to Govin’s Terms of Service and this Agreement and Processes for the Controller Activities. Govin will be responsible for its own compliance with Applicable Data Protection Laws and will not knowingly cause the Customer to breach Applicable Data Protection Laws.
• Govin will comply with the data protection principles following from Applicable Data Protection Laws, which includes:
  • Processing Personal Data for the Controller Activities in a lawful, fair and transparent matter, and only for lawful purposes;
  • Processing adequate and relevant Personal Data, limited to what is necessary for the Controller Activities;
  • erasing or rectifying inaccurate Personal Data, having regard to the Controller Activities for which the Personal Data are Processed;
  • securely deleting, blocking or anonymising Personal Data if identification of Data Subjects is no longer necessary for the Controller Activities;
  • taking reasonable measures to implement, regularly update and improve appropriate technical and organisational security measures to ensure a level of security appropriate and reasonable to the risks that are presented by the Processing of Personal Data for the Controller Activities.

14. Processor engagement

• Govin will ensure that if Processors are engaged to Process Personal Data for Controller Activities it will:
  • choose any Processor diligently and ensure that any such Processors provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Laws and protect the rights of the Data Subjects;
  • have appropriate contractual arrangements in place in accordance with Applicable Data Protection Laws.

15. International Data Transfers

• Govin will take reasonable measures to comply with Applicable Data Protection Laws and this Agreement for international transfers of Personal Data to Third Countries, including to engaged Processors.

16. Personal data breaches

• Govin will take all reasonable measures to remedy and mitigate Personal Data Breaches affecting Personal Data Processed for the Controller Activities as soon as becoming aware of such Personal Data Breach. Where required by Applicable Data Protection Laws, Govin will notify affected Data Subjects and relevant Supervisory Authorities.

17. Data Subject Rights

• Govin will independently handle and respond to Data Subject Requests it receives directly from the Data Subject and relates to the Processing of Personal Data by Govin with regard to the Controller Activities.

18. Notification and Cooperation

• Both Parties will provide each other with all information, assistance and cooperation reasonably necessary to enable that other Party to meet its obligations under Applicable Data Protection Laws with regard to Personal Data shared under Govin’s Terms of Service and this Agreement.
• Both Parties will inform each other without undue delay of any complaint, notice, request or communication (from a Data Subject, Supervisory Authority or otherwise) which relates directly or indirectly to the Processing of Personal Data shared under Govin’s Terms of Service and this Agreement or to either Party’s compliance with Applicable Data Protection Laws, and will provide the other Party with reasonable cooperation and assistance in relation to any such complaint, notice, request or communication.

 

Schedule 1

Details of the Processor Activities

Categories of Data Subjects whose Personal Data is Processed

Customers and users authorized by Customer to use Govin’s Services (including but not limited to shareholders, supervisory and management board members, advisory board members, works council members and other authorized users, such as employees, officers and professional advisors).

Categories of Personal Data Processed

Personal details (e.g. full name, prefix, title, age and gender), contact details (e.g. e-mail address, phone number and postal address), professional details (e.g. job title and other information about the organization users are affiliated with) as well as other categories of Personal Data that may be uploaded, posted, stored, transmitted, distributed or otherwise made available by Customer and its users.

Nature and purpose(s) of the Processing

The provision of Services by Processor to Customer.

The duration for which the Personal Data will be Processed/retained

Personal Data will be processed/retained by Processor as long as reasonably necessary for the provision of Services

On commencement of this Agreement, the Controller authorizes the engagement of the following Subprocessors:

• Google (various, including Cloud Hosting, User Authentication Services and Workspaces);
• SendGrid (e-mail delivery services);
• PandaDoc (electronic signature services);
• Mailchimp (newsletters);
• ClickUp (product and project management);
• HubSpot (CRM);
• Exact (accounting);
• CookieBot (cookie consent management platform);
• Intercom (customer support).

 

Schedule 2

Technical and Organizational Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Govin shall implement appropriate organizational and technical measures, and ensure that these are also applied by its Subprocessors, to ensure a level of security appropriate to the risks that are presented by the Processing of Personal Data. Such measures include in particular:

1. Physical Access Control

Measures are to be taken so that unauthorised individuals do not have access to the data processing systems with which personal data is processed.

Measures taken by Govin:

• Security locks
• Manned reception (building)
• Single access entry control systems
• Automated system of access control
• ID or chip card readers
• Monitoring installations (e.g. alarm device, video surveillance)
• Security personnel (after alarm)

2. System Access Control

Measures are to be taken in order to prevent unauthorised individuals using the data processing systems and methods.

Measures taken by Govin:

• Individual allocation of user rights
• Authentication by username and password
• Minimum requirements for passwords
• Password management (outsourced)
• Encryption at rest
• Firewall
• Intrusion detection systems
• Security awareness training
• Two-factor authentication for all employees

3. Data Access Control

Measures are to be taken to ensure that the parties authorised to use the data processing methods can only access the personal data which they are entitled to access.

Measures taken by Govin:

• Access to Personal data only on a need-to-know-basis
• Development of a role based authorization concept
• Permanent updating of role based authorization concept
• General access rights only for limited number of admins
• Logging of access to and copying, modifying and deletion of Personal data
• Intrusion detection systems
• Encryption at rest

4. Transmission Control

Measures are to be taken which ensure that personal data cannot be read, copied, modified or removed in an unauthorised manner during their electronic transmission, transport or storage on data carriers, and that it is possible to check and ascertain to which recipients the transmission of personal data is provided for by means of data transmission facilities.

Measures taken by Govin:

• Firewall
• Encryption in motion
• Recording of data transfers

5. Input Control

Measures are to be taken which ensure that it can subsequently be checked and ascertained whether and by whom Personal data has been entered, modified or removed in/from data processing systems.

Measures taken by Govin:

• Logging of entering, modification and removal of Personal data in/from the system
• Traceability of entering, modification and removal of Personal data by logging user names (not user groups)
• Individual allocation of user rights to enter, modify or remove based on a role based authorization concept

6. Job Control

Measures are to be taken which guarantee contract data processing in accordance with instructions.

Measures taken by Govin:

• Diligent selection of service providers (in particular with respect to IT security)
• Conclusion of data processing agreement with subprocessors

7. Availability Control

Physical and logical measures are to be taken in order to ensure that personal data is protected against accidental destruction or loss.

Measures taken by Govin:

• (Web)hosting services at the Google Cloud Platform (which implemented various measures, including redundant power systems, cooling systems, fire detection and suppression equipment).

8. Separation Control

Measures are to be taken which ensure that data collected for different purposes can be processed separately.

Measures taken by Govin:

• Defining and implementing database access properties
• Logical client separation
• Development of a role based authorization concept
• Separation of test data and live data
• Encryption of data sets stored for the same purpose
• Separating allocation file from data sets, when Personal data is alias

 

Schedule 3

Details of the Controller Activities

Categories of Data Subjects whose Personal Data is Processed

Customers and users authorized by Customer to use Govin’s Services (including but not limited to shareholders, supervisory and management board members, advisory board members, works council members and other authorized users, such as employees, officers and professional advisors).

Categories of Personal Data Processed

Personal details (e.g. full name, prefix, title, age and gender), contact details (e.g. e-mail address, phone number and postal address), professional details (e.g. job title and other information about the organization users are affiliated with) as well as any other personal data that may be uploaded, posted, stored, transmitted, distributed or otherwise made available by Customer and its users to Govin’s governance hub.

Nature and purpose(s) of the Processing

Govin uses Personal Data to provide, develop and improve its Services. We for example use search queries, feedback and documents (which may contain Personal Data) of the Customer and its users to train and enhance features (such as our inhouse build AI search tool) by using machine learning and natural language processing technologies.

The duration for which the Personal Data will be Processed/retained

We retain personal data no longer than reasonably necessary to fulfil the purposes for which we collect the information and to comply with our (legal) obligations.

 

*****