Data Processor Agreement

General

Article 1. Definitions

1.1 Data Subject: the person to whom the Personal Data relates;
1.2 Data Processor Agreement: this addendum between the Controller and the Processor.
1.3 Agreement: Agreement between the Controller and Processor relating to the service(s) provided to the Controller by the Processor;
1.4 Processing: a processing operation or set of processing operations with respect to personal data or sets of personal data, carried out by means of automated processes or otherwise, such as collection, recording, organisation, structuring, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, aligning or combining, blocking, erasure or destruction of data;
1.5 Annex: annex to the Data Processor Agreement, which forms an integral part of the Data Processor Agreement;
1.6 GDPR: General Data Protection Regulation.

Article 2: Controller and Processor of the data

2.1 Within the scope of this Data Processor Agreement, the Processor undertakes to Process Personal Data on the instructions of the Controller. The Controller and Processor have entered into this Data Processor Agreement with respect to the performance of the Agreement. A list of the type of Personal Data, the categories of data subjects and the purposes for which the Processing of Personal Data is carried out is included in Annex 1.
2.2 The Controller shall be liable for the Processing of Personal Data within the framework of the Agreement and guarantees that the instruction to Process such Personal Data is in accordance with all applicable laws and regulations. The Controller shall indemnify the Processor against all claims of third parties arising in any way from failure to comply with this guarantee.
2.3 The Processor undertakes to Process Personal Data exclusively for the purpose of the activities referred to in this Data Processor Agreement and/or the Agreement. The Processor guarantees that it will not use in any manner the Personal Data Processed under this Data Processor Agreement and/or the Agreement without the explicit and written consent from the Controller, unless the Processor is obliged to process the Personal Data pursuant to a statutory provision. In that case, the Processor shall notify the Controller of that statutory provision prior to Processing, unless that legislation prohibits such notification based on important grounds of public interest.
2.4 The Processor shall only process the Personal Data received for the purpose of providing the Service to the Processor and only to the extent that processing of such data is strictly necessary for the purpose of providing the Service.

Article 3. Agreements & ranking

3.1 The Processor shall implement (or cause to implement) appropriate technical and organisational measures to protect Personal Data against loss or against any form of unlawful processing, thereby ensuring a level of security appropriate to the risk. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the data to be protected. In any event, the Processor shall implement measures to protect Personal Data against accidental or unlawful destruction or accidental and intentional loss, alteration, unauthorised disclosure or access, or any other unlawful forms of processing.
3.2 The technical and organisational measures used by the Processor are set out in Annex 2. The Controller acknowledges to have taken note of the relevant measures and by signing this Data Processor Agreement the Controller agrees to the measures implemented by the Processor and agrees that these comply with the requirements in 3.1 above.
3.3 Considering the nature of the Processing and to the extent reasonably possible, the Processor shall assist the Controller in complying with its obligation under the GDPR to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
3.4 The Controller has the right, in prior consultation and written agreement with the Processor on the scope, to have the technical and organisational (security) measures implemented by the Processor audited – at the expense of the Controller – by a certified and independent auditor no more than once a year. In that case, the Controller shall have the right to have this audit – whether or not on its own initiative – carried out by an independent certified auditor to be engaged by the Processor who shall issue a third-party statement. The Processor shall be informed of the results.

Article 4: Secrecy and confidentiality

4.1 The Processor shall cause all its employees who are involved in the performance of the Agreement to sign a non-disclosure agreement – whether or not included in the employment contract with those employees – which shall in any event stipulate that those employees must maintain confidentiality with respect to the Personal Data. The Processor shall implement measures to guarantee compliance with this obligation of confidentiality.
4.2 If the Processor receives a request or an order from a Dutch or foreign supervisory authority or an investigation, criminal prosecution or national security authority to provide (access to) Personal Data the Processor shall inform the Controller thereof without delay to the extent permitted by law. In handling the request or order, the Processor shall, to the extent permitted by law and or such request to order, comply with all instructions of the Controller (including the instruction to leave the handling of the request or order in whole or in part to the Institution) and render all reasonably necessary cooperation, without prejudice to Processor’s own obligation(s) (if any) to comply with the request itself.

Article 5: Data processing outside the Netherlands

5.1 The Processor shall be permitted to transfer Personal Data outside the European Economic Area only with due observance of the applicable statutory obligations under the GDPR.

Article 6: Sub-processors

6.1 It is necessary for the Processor to engage Sub-processors for the provision of the Service. Sub-processors necessary for the provision of the Service are listed in Annex 3.
6.2 The Controller acknowledges to have taken note of these Sub-processors and by signing this Data Processor Agreement the Controller agrees to the Sub-processors engaged by the Processor.
6.3 The Processor shall render efforts to contractually impose on each Sub-processor the obligation to observe the confidentiality obligations, reporting obligations and security measures with respect to the Processing of Personal Data, to a degree that these essentially are similar with the provisions of this Data Processor Agreement.
6.4 Processor uses public cloud providers, as specified in Annex 3. For these public cloud providers Article 6.3 does not apply. Processor, and where applicable also its Sub Processors, have signed the standard data processing agreements of these public cloud providers. Controller agrees that Processor may invoke the terms of these agreements (“Public Cloud Provider Terms”) against Controller (including Data Subjects). By execution of this Data Processing Agreement, the Controller agrees to the applicability of these Public Cloud Provider Terms, and Controller explicitly consents to Processor making the Public Cloud Provider Terms electronically available via the hyperlinks in Annex2. Parties are also aware of the ECI’s ‘Schrems II’ requirements relating to a transfer. To the extent public cloud providers transfer Personal Data outside the European Economic Area, Parties consider these providers to be compliant with the ECI’s ‘Schrems II’ requirements based upon the public cloud providers’ statements in this regard and Parties agree to inform each other of relevant (regulatory) developments in the EU regarding these requirements.
6.5 In the event that the Processor engages another Sub-processor for the provision of services, the Processor shall inform the Controller of the intended changes and afford the Controller the opportunity to object to these changes prior to entering into an agreement with the Sub-processor.

Article 7: Liability

7.1 The Processor shall only be liable for the damage caused by Processing if, with respect to this Processing, the obligations of the GDPR that specifically apply to the Processor have not been met or if acts have been performed that fall outside or are in violation of the lawful instructions of the Processor. The total, cumulative, aggregate liability of the Processor shal, however, at all times be limited to the amount reimbursed by the liability insurer of the Processor in the respective case.

Article 8: Security breach

8.1 If the Processor becomes aware of a breach in connection with Personal Data as referred to in Article 4.12 of the GDPR, it shall i) notify the Processor thereof without unreasonable delay and ii) implement all reasonable measures to prevent and/or limit (further) loss of and/or unauthorised access to Personal Data.
8.2 The Processor shall, to the extent reasonable, cooperate with the Controller and support the Controller in the performance of its statutory obligations with respect to the observed incident, if this incident qualifies, in the opinion of the Controller, as a breach as referred to in Article 4 paragraph 12 of the GDPR (‘Data breach’).
8.3 To the extent reasonable, the Processor shall support the Controller in the obligation incumbent on the Controller to report a Data Breach to the Dutch Data Protection Authority and/or the data subject, within the meaning of Articles 33 and 34 of the GDPR. The Processor shall never be obliged to independently report a Data Breach to the Data Protection Authority and/or the data subject.
8.4 The Processor shall never be liable for the (correct and/or timely performance of the) Controller’s duty to report within the meaning of Articles 33 and 34 of the GDPR.
8.5 The Processor is entitled to charge any possible costs with the Controller.

Article 9: Assistance to the Controller

9.1 To the extent reasonably possible, the Processor shall assist the Controller in fulfilling its duty under the GDPR to respond to requests for the exercise of a data subject’s rights, in particular the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), data erasure (Art. 17 GDPR), restriction (Art. 18 GDPR), portability (Art. 20 GDPR) and the right to object (Art. 21 and 22 GDPR). The Processor shall forward a complaint or a request from a data subject relating to the Processing of Personal Data to the Controller without delay, who shall be responsible for processing the request. The Processor shall be entitled to charge any costs associated with cooperating with the Controller.
9.2 The Processor shall, to the extent reasonably possible, assist Controller in complying with its obligation under the GDPR to carry out a PIA (art. 35 and 36 of the GDPR).
9.3 The Processor shall provide the Controller with all information necessary to demonstrate that the Processor complies with its obligations under the GDPR.
9.4 The Processor is entitled to charge any possible costs with the Controller.

Article 10: Duration, termination & miscellaneous

10.1 The term of this Data Processor Agreement shall be equal to the term of the Agreement entered into between the Parties. In the event that the services provided by the Processor to the Controller are (still) ongoing, this Data Processor Agreement shall remain in force.
10.2 Upon (premature) termination of this Data Processor Agreement, the provisions of Articles 2, 3.4, 4, 5 and 7 shall continue to apply in full.
10.3 Upon termination of the Agreement, and/or upon termination of the service provision to the Controller, the Processor shall be obliged to return the Personal Data provided by the Controller within 30 days after termination (or to afford the Controller the opportunity to obtain these data digitally). Any remaining (copies of) Personal Data and/or backups must be destroyed by the Processor, unless the Processor is legally required to store the Personal Data.

Annex 1: Specification of the Personal Data Processing

1. Types of Personal Data
Depending on the use of the Saysimple Service and the messaging channels used, the following personal data will be stored:

Contacts:

  • Name of the Data Subject (set by the Data Subject on his telephone)
  • Mobile phone number of the Data Subject
  • Profile photo (depending on privacy settings of the Data Subject)
  • About message
  • Twitter handle
  • Facebook IDs
  • Contact ID
  • Address information

Incoming messages:

  • Date and time
  • Mobile phone number of the Data Subject
  • Name of the Controller (set by the Data Subject on his telephone)
  • Message content (text, multimedia, documents)

Outgoing messages:

  • Date and time
  • Mobile phone number of the Data Subject
  • Name of the User who sent the message
  • Message content (audio, photo, text or video)

Users:

  • Email addresses of the users logging on to the Service
  • Names of the users logging on to the Service
  • Name of the users when using 2FA
  • IP ranges of the users for the purpose of IP whitelist

In addition, data is logged, whether or not by deduction, with respect to the actions of the Users and the use of the Saysimple service, such as response times, volumes and resolution times.

2. Data Subject categories
See under types above.

3. Purposes of the Processing
Performance of the main agreement.

Annex 2: Technical and organisational measures

1. Organisational measures by Saysimple
The organisational security of Saysimple BV is laid down in the ‘Security plan’ of the parent company ‘Just Internet Group’, which is updated annually and assessed weekly by the designated officers who are in possession of a ‘Certificate of Good Conduct’ [Verklaring Omtrent het Gedrag] (VOG).

For questions about the handling of data within Just Internet and privacy protection, please contact the Data Protection Officer.

General Continuity
The following points apply to continuity in general:

  • The internal company network is protected by a firewall, which:
    • opens only the necessary ports;
    • intercepts digital attacks, such as DoS.
  • daily backup via SSH encrypted connection;
  • system access via VPN;
  • no hard copies of confidential information are available;
  • a personal PIN for the alarm system;
  • a shredder for destroying printed information;
  • camera images outside office hours.

The officers check and evaluate the above items for correct operation and improper use once a week. In the event of an aspect not functioning properly or in the event of misuse, management will be informed immediately. Management shall subsequently take measures, if considered necessary.

In the event of a technical failure or disruption of the electricity supply, all systems are redundant and an emergency generator can be used. This allows us to guarantee the continuity of our services.

Continuity requirements with respect to personnel
All employees have certain rights and permissions with respect to retrieving information for both practical and preventive purposes.

The following points apply to personnel security:

  • A separate security level is set for each job profile within Just Internet Group. This security level is expressed in permissions and access to the various systems, CRM package, accounting, servers and Services;
  • The switchboard keeps track of the numbers called by each employee;
  • Required passwords are provided by means of OpenPGP cryptography and sent encrypted by means of OpenPGP. In addition, a password manager is used;
  • Required passwords are stored in a secure encrypted environment;
  • Employees are not permitted to store confidential information on their own computer and/or removable data carriers (e.g. USB flash drive);
  • Every employee has been issued with a copy of the staff manual;
  • Every employee who may have access to technology and/or customer data has a Certificate of Good Conduct;
  • Confidentiality and discretion are laid down in a non-disclosure agreement entered into with each employee;
  • When an employee of Just Internet Group leaves employment, the officers use the available checklist for removing access to the systems.

2. Technical measures by Saysimple
Retention period
Saysimple retains personal data for the Saysimple Messaging Platform for a period of 90 days if the online dashboard is used. Saysimple retains personal data for a period of 14 days if only the APIs are used. When setting the retention period, a distinction can be made between conversation data and contact data. The retention period shall be adjusted at the request of the Controller while maintaining a balance between:

  • Workability: deleted data cannot be used to provide the Service. To communicate in an appropriate manner with the Data Subject Users usually need access to part of the history;
  • Quantity: an exceptionally large amount of data may lead to performance issues and/or incur additional retention costs;
  • Period: unnecessarily prolonged storage is undesirable as it increases the impact of a data breach.

General architecture and security features

  • Online application accessible via SSL only
  • Online application implemented redundantly
  • Restrict use of online application usage by means of User restrictions and roles
  • Online application login secured with username and password, which must meet strict requirements (minimum 8 characters, 1 number, 1 capital letter and a special character)
  • Secure online application login with 2 factor authorisation via SMS tokens (optional)
  • Online application login from designated IP addresses/ranges (optional)
  • Agent accounts can be blocked (and session logged off) directly by the Manager.
  • https APIs use TLS 1.2
  • Daily backups
  • Encrypted password storage
  • SaaS application with individual customer storage
  • Received content (images, video, audio) strictly separated and only accessible via signed URLs
  • Online application login (optional) prevent showing multimedia such as photo & video (sender receives auto reply due to privacy rights we do not support multimedia, but we look forward to helping you’)
  • Tailored retention periods
  • Databases executed redundantly
  • Availability of raw data exports (optional)
  • Servers and systems protected by firewalls
  • Proactive update and system management

WhatsApp encryption
The data subject sends messages from their mobile phone to the Controller’s mobile number linked to the Service. The WhatsApp Inc. application encrypts the message on the phone and then sends it to WhatsApp Inc. servers. Because the encryption takes place on the device itself, WhatsApp Inc. cannot read the content of the messages. Only the recipient of the message can decrypt and read the message. The Service uses RC4 encryption to prevent intrusion of communications between the device and WhatsApp Inc. Received messages are decrypted and stored in a secure database. The Saysimple web application receives the messages in real time via a secure HTTPS connection (SHA2). See also the schematic illustration below.

IT architecture
Saysimple Messaging Platform (not all message providers are shown, not all AWS services are shown)

Data centres
Saysimple uses multiple data centres.

Amazon Web Services (AWS)
Saysimple’s core network is hosted by AWS. We use various (global) services of AWS. AWS is used for compute, network, storage, databases and artificial intelligence (AI). Saysimple uses different regions and for each service we use at least 2 Availability Zones (AZ). All AWS data centres are ISO certified. For more information about the certification of AWS visit: https://aws.amazon.com/compliance/ For more information about the privacy policy of AWS visit: https://aws.amazon.com/compliance/data-privacy/

Iron Mountain
In addition to AWS, Saysimple uses Iron Mountain’s data centre in Haarlem. This network is managed by Saysimple. The Iron Mountain environment is used for backup and secure storage. Iron Mountain is ISO certified, among other things. For more information about the certification of Iron Mountain visit: https://www.ironmountain.nl/digital-transformation/data-centers/about/data-center-compliance-security

Annex 3: Sub-processors

Just Internet Group Haarlem
As a subsidiary within the Just Internet Group Haarlem, Saysimple makes use of the shared resources within this holding company. Saysimple is facilitated by the holding company in areas such as Finance, Administration, HR, Management, Marketing and Software.

Messagebird
To send and receive WhatsApp Business messages, which is part of the Service, Saysimple uses the services of WhatsApp-approved Business Service Provider Messagebird B.V., registered office at Trompenburgstraat 2 C 1079TX Amsterdam, Netherlands, registered under Chamber of Commerce (KvK) number 51874474.

Amazon Web Services
For its core infrastructure, Saysimple uses the (global) services of Amazon Web Services. The core infrastructure is needed to provide the Service.
Headquartered at 1918 8th Ave, Seattle, WA 98101, United States

Iron Mountain
In addition to AWS, Saysimple uses Iron Mountain’s data centre in Haarlem. This network is managed by Saysimple. The Iron Mountain environment is used for backup and secure storage. Iron Mountain is ISO certified, among other things. For more information about the certification of Iron Mountain visit: Iron Mountain Datacenters | Colocatie Diensten. Registered office at J.W. Lucasweg 35, 2031 BE Haarlem, The Netherlands.

Twilio
To send and receive WhatsApp Business messages, which is part of the Service, Saysimple uses the services of WhatsApp-approved Business Service Provider TWILIO Inc., registered office at 375 Beale St #300, San Francisco, CA 94105, United States and registered with the California Secretary of State under registration number C3152782 (abbreviated to ‘Twilio’).

Smooch
To send and receive WhatsApp Business messages, which is part of the Service, Saysimple uses the services of the WhatsApp-approved Business Service Provider Smooch.io., registered office at 5333 Casgrain, Suite 1201, Montreal H2T1X3, Canada.

CM.com
To send and receive WhatsApp Business messages, which is part of the Service, Saysimple uses the services of the WhatsApp-approved Business Service Provider CM.com.., registered office at Konijnenberg 30, 4825 BD Breda, The Netherlands, registered under Chamber of Commerce (KvK) number 20123808 (abbreviated to: ‘CM’).

Obi4wan
To send and receive WhatsApp Business messages, which is part of the Service, Saysimple uses the services of the WhatsApp-approved Business Service Provider Obi4wan and to automatically process WhatsApp Business messages using Chatbot technology, which is part of the Service, Saysimple uses the services of OBI4wan B.V., registered office at Korte Hogendijk 2, 1506 MA Zaandam, The Netherlands, registered under Chamber of Commerce (KvK) number 53021029.

Wireless Services
To send and receive WhatsApp Business messages, which is part of the Service, Saysimple uses the services of Wireless Services., registered office at Newtonlaan 115, 3584 BH Utrecht, The Netherlands, registered under Chamber of Commerce (KvK) number 30152075.

Facebook
To send and receive Facebook messages, which is part of the Service, Saysimple uses the services of Facebook Inc., registered office at 1 Hacker Way Menlo Park, CA 94025, United States

Twitter
To send and receive Twitter messages, which is part of the Service, Saysimple uses the services of Twitter Inc., registered office at 1355 Market St suite 900, San Francisco, CA 94103, United States

Spryng
To send and receive SMS messages, which is part of the Service, Saysimple uses the services of Spryng B.V., registered office at Hannie Dankbaarpassage 18, 1053RT Amsterdam, The Netherlands, registered under Chamber of Commerce (KvK) number 62962825.

Explicit mention
Facebook and/or WhatsApp Inc. are not considered (sub-)processors and Saysimple cannot be held liable in any way by the Controller for claims made by WhatsApp Inc. or claims made by third parties against the Controller that relate to WhatsApp Inc.’s platform or the processing of data by WhatsApp Inc.