Data Processing Agreement – KITE KoneX™ End Users

About KITE KoneX™

KITE KoneX™ is an iPaaS (integration Platform as a Service) middleware solution that ensures reliable and continuously operational connections and communication between (ecommerce) systems and their operating companies. It operates as an intelligent telephone line and switchboard, that also acts as a digital interpreter and translator between system protocols and specialized ecommerce company processes.

The KITE KoneX™ Platform only stores a minimal subset of the information provided by the supplying system(s), namely what is required to complete an (e-commerce) transaction by the connected system(s). The processing of information is limited to passing on this information, mapping the correct data fields and, where necessary, queuing this information to support communication between the connected systems. This information is stored for a maximum of 2 weeks, or shorter if so required by any of the connected systems, and is secured against unauthorized access using known and accepted industry standards.

Any data passed on via KITE KoneX™ must have been validated for consent by the supplying system(s). Both supplying and receiving systems should have security measures in place to prevent unauthorized access by connected systems. KITE KoneX™ is not responsible or liable for the actual content passed on by the connected systems.

Security measures, both technical and organizational, are compliant with ISO 27001 and GDPR standards and regulations. A compliance checklist is available upon request. Before any data will be processed, a KITE KoneX™ End User will have signed and entered into an End User License Agreement (EULA) with Innovation Kite, which also refers to the Data Processing Agreement below.

DATA PROCESSING AGREEMENT

BETWEEN:

InShoring Pros Nederland B.V., a private company with limited liability (besloten vennootschap met beperkte aansprakelijkheid), incorporated under the laws of the Netherlands, with its registered seat (statutaire zetel) in Haarlem, the Netherlands, and its principal place of business Donauweg 23, 1043 Amsterdam, the Netherlands, registered with the commercial register of the Dutch Chamber of Commerce under number 54142911, also operating under the trade name Innovation Kite (hereinafter to be referred to as: the “Data Processor” or “Innovation Kite”),

AND

The Customer or End User (hereinafter to be referred to as: the “Data Controller”).

HEREBY AGREE AS FOLLOWS:

1. Subject matter of this Data Processing Agreement

1.1. This Data Processing Agreement applies exclusively to the processing of personal data in the scope of the Contract between the parties for services rendered (hereinafter to be referred to as: the “End User License Agreement”).

1.2. Terms such as “processing”, “personal data”, “data controller” and “processor” shall have the meaning ascribed to them in the General Data Protection Regulation (hereinafter: the “GDPR”) or any successor legislation.

1.3. It is possible that the Data Processor will be processing personal data (hereinafter to be referred to as: the “Personal Data”) on behalf of the Data Controller in the course of the performance of the End User License Agreement with the Data Controller. An overview of the categories of Personal Data and purposes for which the Personal Data are being processed is provided in Annex 1.

2. The Data Controller and the Data Processor

2.1. The Data Processor will act as the data processor and the Data Controller will act as the data controller.

2.2. The Data Processor warrants that it will only process the Personal Data in such manner as, and to the extent that, this is necessary for the provision of the services under the End User License Agreement, except as required to comply with a legal obligation to which the Data Processor is subject, or to follow instructions of the Data Controller. The Data Processor shall never process the Personal Data for its own purposes.

2.3. The Parties conclude the End User License Agreement in order to benefit from the expertise of the Processor in securing and processing the Personal Data for the purposes set out in Annex 1. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to comply with the End User License Agreement and the instructions of the Data Controller.

3. Security

3.1. Without prejudice to any other security standards agreed upon by the Parties, the Data Processor shall take appropriate technical and organisational measures to ensure the security of the processing of Personal Data. These measures shall include in any case:

(a) measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes of the End User License Agreement;

(b) measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure, in particular to use encryption for data in transit and at rest (where possible);

(c) measures to identify breaches of and vulnerabilities in the security of those systems used to provide services to the Data Controller and to mitigate and repair those breaches and vulnerabilities;

(d) the Data Processor undertakes to commit all staff and personnel that process Personal Data to confidentiality. The commitment shall survive a termination or expiration of the staff member’s employment relationship with the Data Processor;

(e) the measures in Annex 2.

3.2. The Data Processor shall at all times have in place a suitable, written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Article 3.1. At the request of the Data Controller, the Data Processor shall provide a copy of such security policy, shall demonstrate the measures it has taken pursuant to this Article 3, shall allow the Data Controller to audit and test such measures, and shall amend its security policy in accordance with the Data Controller’s further written instructions. The Data Controller will bear the cost of such audit.

3.3. If a data subject contacts the Data Processor for the purpose of exercising their rights as a data subject (e.g. regarding access to, erasure or rectification of personal data), the Data Processor shall promptly forward this request to the Data Controller. The Data Processor will, upon request, reasonably assist the customer to comply with its obligations with respect to the rights laid down in Chapter III of the GDPR. Upon request, the Data Processor shall support the Data Controller by providing information for the performance of Data Protection Impact Assessments pursuant to Art. 35 and 36 GDPR.

4. Improvements to Security

4.1. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. The Data Processor will therefore evaluate the measures implemented in accordance with Article 3 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 3.

4.2. The Data Controller has the right to instruct the Data Processor to take additional security measures. Where an amendment to the End User License Agreement is necessary in order to execute such an instruction, the Parties shall negotiate an amendment to the End User License Agreement in good faith.

5. Audit

5.1. The Data Controller has the right to perform an audit of the Data Processor in order to determine to what extent the Data Processor complies with the provisions of the Data Processing Agreement. Such audit will be performed by an independent third party and will take place at a time defined by both Parties together. The Data Processor shall provide the auditor access, on request of the auditor, to the facilities, personnel, policies and documents that are reasonably necessary for the purpose of the audit.

5.2. The Data Controller will bear the costs of the audit, unless the audit shows that the Data Processor does not comply with the Data Processing Agreement. In such case, the Data Processor bears the costs of the audit.

6. International Data Transfer

6.1. The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining the consent of the Data Controller.

6.2. The Data Controller may impose conditions on the consent as meant in Article 6.1, such as the condition that a transfer only takes place if the relevant parties conclude model contract clauses, as described in Article 46, second paragraph, under c, GDPR.

7. Information Obligations and Finding Management

7.1. The Data Processor shall immediately notify the Data Controller of any Finding with regard to the processing of the Personal Data, shall at all times cooperate with the Data Controller and shall follow the Data Controller’s instructions with regard to such Findings, in order to enable the Data Controller to perform a thorough investigation into the Finding, to formulate a correct response and to take suitable further steps in respect of the Finding. Specifically, the Data Processor warrants that it provides the Data Controller with all information necessary to fulfil its legal obligations, such as the obligation to notify Findings under Article 33 GDPR. The Data Controller alone may notify any public authority.

7.2. The term “Finding” used in Article 7.1 shall be understood to mean in any case any breach of the security and/or confidentiality as set out in Article 4, paragraph 12 GDPR and Article 3 of this Data Processing Agreement leading to the loss or any form of unlawful processing, including destruction, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such a breach having taken place or being about to take place.

7.3. The Data Processor shall notify the Data Controller within 24 hours after discovery of the Finding. Such notification shall include at least the following information: (i) the nature of the Finding; (ii) the date and time upon which the Finding took place and was discovered; (iii) the (number of) data subjects affected by the Finding; (iv) which categories of Personal Data were involved in the Finding; and (v) whether and, if so, which security measures, such as encryption, were taken to render the Personal Data incomprehensible or inaccessible to anyone without the authorization to access these data.

7.4. The Data Processor shall at all times have in place written procedures which enable it to provide an immediate response to the Data Controller about a Finding, and to cooperate effectively with the Data Controller in addressing the Finding, and shall provide the Data Controller with a copy of such procedures upon the Data Controller’s written request.

8. Contracting with Sub-Processors

8.1. The Data Processor may outsource part of its activities, as described in the End User License Agreement, to a third party under exactly the same conditions as defined in this Data Processing Agreement. The Data Controller may request an overview of assigned Sub-Processors at any time.

8.2. The consent of the Data Controller as described in the previous paragraph shall be without the liability of the Data Processor vis-à-vis the Data Controller for any consequences of subcontracting, including any potential damages, with such third party in accordance with Article 10.

8.3. The consent of the Data Controller pursuant to Article 8.1 shall not alter the fact that consent is required under Article 7 GDPR for the engagement of sub-processors in a country outside the European Economic Area without an adequate level of protection. If the Processing carried out by the Data Processor includes the transfer of Personal Data to a country outside of the EEA which is not recognized by the European Commission to have an adequate level of protection in accordance with Data Protection Law, the Data Controller and the Data Processor shall enter into a supplementary agreement containing the Standard Contractual Clauses (“SCC”).

8.4. If Processing of Personal Data under this DPA includes the transfer of Personal Data to a Sub-processor located in a country outside of the EEA which is not recognised by the European Commission to have an adequate level of protection in accordance with Data Protection Law, the Data Processor shall ensure that the data transfer to such Sub-processor is lawful in accordance with Art. 44 et seq. GDPR.

8.5. The Data Processor shall ensure that the Sub-processor is bound by the same or equivalent obligations as the Data Processor under this Data Processing Agreement, and shall supervise compliance therewith.

9. Returning or Destruction of Personal Data

9.1. Upon termination of this Data Processing Agreement, or upon the Data Controller’s written request, the Data Processor shall, at the discretion of the Data Controller, either destroy or return the Personal Data to the Data Controller.

9.2. The Data Processor shall notify all third parties involved with the processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.

10. Liability and Indemnity

10.1. The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller and arising directly or indirectly out of or in connection with a breach of this Data Processing Agreement by the Data Processor.

10.2. All data provided by the Data Controller to the Data Processor must be validated for consent by the Data Controller. The Data Controller must have security measures in place to prevent unauthorized access by connected systems. The Data Processor is not responsible or liable for the actual content transmitted by the connected systems of the Data Controllers. This indemnification applies to both the sending and receiving Data Controllers between which the Data Processor facilitates communication. The Data Processor assumes no liability if privacy-sensitive information has been provided by the Data Controller in non-privacy-sensitive data fields.

11. Duration and Termination

11.1. This Data Processing Agreement shall come into effect on the same date as the End User License Agreement and shall end automatically either: when the End User License Agreement is terminated or expires; or at such time as the Data Processor has deleted or returned all Personal Data in accordance with Article 9, whichever is later.

11.2. Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its obligations meant to survive the termination or expiration of the Data Processing Agreement, including but not limited to the obligations deriving from Articles 5, 9 and 10 of this Data Processing Agreement.

12. Miscellaneous

12.1. In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the End User License Agreement, the provisions of this Data Processing Agreement shall prevail.

12.2. This Data Processing Agreement is governed by the laws of the Netherlands. Any disputes arising out of or in connection with this Data Processing Agreement shall be brought exclusively before the competent Court of Amsterdam.

12.3. Any reference to provisions of law which are repealed during the term of this Data Processing Agreement is also intended to include a reference to any successor provision with a similar subject matter.

12.4. The Data Protection Officer of Innovation Kite is Edgar Kiwiet. He can be reached via contact@innovation-kite.com or via our central phone number +31 88 467 467 4.

Annex 1: Data

Personal data that will be processed for the purpose of the specific system-to-system communication subject to the End User License Agreement:

  • Invoice Name
  • Invoice Address
  • Invoice Phone number
  • Delivery Name
  • Delivery address
  • E-mail
  • Order information (minimum data set required by both connected systems)
  • Shipment information (minimum data set required by both connected systems)

Optional, depending on the nature of the system-to-system connection between the 2 parties:

  • Product information (minimum data set required by both connected systems)
  • Stock information (minimum data set required by both connected systems)
  • Stock Mutation information (minimum data set required by both connected systems)
  • Return information (minimum data set required by the connected systems)
  • Return Confirmation information (minimum data set required by the connected systems)
  • Cancellation information (minimum data set required by the connected systems)
  • Purchase Order information (minimum data set required by the connected systems)
  • Purchase Order Confirmation information (minimum data set required by the connected systems)

Any data will be processed only for the purpose of the specific system-to-system communication subject to the End User License Agreement.

Annex 2: Security

The Data Processor shall take the appropriate technical and organizational measures to ensure the security of the processing of Personal Data as set out in Article 3.

The additional security measures taken by the Data Processor are:

An extensive ISO 27001 compliant IT security management system (ISMS) is in place which defines the Data Processor’s policies and processes regarding information security. These policies include but are not limited to:

  • Change management policies
  • Continuous improvement policies
  • Asset management policies
  • Access policies
  • Cryptographic control policies
  • Password policies
  • Mobile device management policies
  • Data storage and exchange policies
  • Backup and restore policies
  • Patch management policies
  • Contract and vendor management policies

Recurring audits are performed by third parties on:

  • Automated security scans
  • Manual penetration testing
  • Whether our ISMS is up to date and ISO-compliant