Manual.to Customers: Hereinafter referred to as the “Customer”;
BINDERS MEDIA, a private limited liability company (besloten vennootschap met beperkte aansprakelijkheid or bvba) at Volmolenstraat 29, 9000 Ghent (Belgium) and registered with the Crossroads Bank for Enterprises (Kruispuntbank van Ondernemingen or KBO) under enterprise number 0657.817.970, doing business as “Manual.to”, hereby legally represented by Jorim Rademaker, in his capacity as CEO;
Hereinafter referred to as “Binders Media” or the “Supplier”;
The Customer and Binders Media/Supplier are hereinafter individually referred to as a “Party” and jointly as the “Parties”.
1. In connection with and for the purpose of the performance of the Services with the Customer (the “Agreement”), Personal Data will be processed in accordance with the provisions of the present data processing agreement (the “Data Processing Agreement”). A more detailed description of the purposes for the Processing of Personal Data is contained in Article 3 of Annex 1 hereto;
2. The Agreement necessitates the processing by the Supplier of Personal Data; and
3. This Data Processing Agreement and its annexes set forth the terms and conditions pursuant to which Personal Data will be processed in the framework of the Agreement.
ARTICLE 1 DEFINITIONS
For the purpose of this Data Processing Agreement, the following terms shall have the following meanings. In case of any doubt or differences with the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.
“Contact Person” | means the individual(s) assigned by a Party and communicated to the other Party as point of contact and representing the Party for (a part of) the Services. |
“Data Controller” | means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data. |
“Data Processor” | means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller. |
“Data Protection Legislation” | means the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), together with the codes of practice, codes of conduct, regulatory guidance and standard clauses and other related legislation resulting from such Directive or Regulation, as updated from time to time. |
“Data Subject” | means an identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The relevant categories of Data Subjects are identified in Annex 1. |
“Personal Data” | means any information relating to a Data Subject. The relevant categories of Personal Data that are provided to the Supplier by, or on behalf of, the Customer are identified in Annex 1. |
“Personal Data Breach” | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services. |
“Processing”, “Process(es)” or “Processed” | means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
“Services” | means all services, functions, responsibilities and outputs of Supplier as described in the Agreement. |
“Standard Contractual Clauses” | means the standard contractual clauses of which the European Commission on the basis of Article 26 (4) of Directive 95/46/EC decided that these offer sufficient safeguards for the transfers of personal data to a third country, or the data protection clauses adopted by the European Commission or by a supervisory authority and approved by the European Commission in accordance with the examination procedure referred to in Article 93(2) of EU Regulation 2016/679. In the event of any such data protection clauses adopted in accordance with EU Regulation 2016/679, such clauses shall prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they intend to cover the same kind of data transfer relationship. |
“Sub-processor” | means any subcontractor engaged by the Supplier to perform a part of the Services and who agrees to receive Personal Data intended for Processing on behalf of the Customer in accordance with the Customer’s instructions and the provisions of the Agreement. |
ARTICLE 2 INTERPRETATION
2.1. This Data Processing Agreement forms an integral part of the Agreement. The provisions of the Agreement therefore apply to this Data Processing Agreement. All capitalized terms not defined in this Data Processing Agreement will have the meaning set forth in the Agreement.
2.2. In case of conflict between any provision in this Data Processing Agreement and any provision of another part of the Agreement, this Data Processing Agreement shall prevail.
ARTICLE 3 SCOPE AND PURPOSE
In connection with and for the purpose of the performance of the Services under the Agreement, the Customer commissions the Supplier to process Personal Data in accordance with the provisions of the present Data Processing Agreement.
ARTICLE 4 SPECIFICATION OF THE DATA PROCESSING
4.1. Any Processing of Personal Data under the Agreement shall be performed in accordance with the applicable Data Protection Legislation.
4.2. For the performance of the Services, the Supplier is a Data Processor acting on behalf of the Customer. As a Data Processor, the Supplier will only act upon the Customer’s instructions. The Agreement, including this Data Processing Agreement, is the Customer’s complete instruction to the Supplier with regard to the Processing of Personal Data. Any additional or alternate instructions must be jointly agreed by the Parties in writing. The following is deemed an instruction to the Supplier to Process Personal Data: (1) Processing in accordance with the Agreement and (2) Processing initiated by the Customer’s users in their use of the Services.
4.3. A more detailed description of the subject matter of the Processing of Personal Data in terms of the concerned categories of Personal Data and of Data Subjects (envisaged Processing of Personal Data) is contained in Annex 1 hereto.
ARTICLE 5 DATA SUBJECTS’ RIGHTS
5.1. With regard to the protection of Data Subjects’ rights pursuant to the applicable Data Protection Legislation, the Customer shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
5.2. Should a Data Subject directly contact the Supplier wanting to exercise his or her individual rights, such as requesting a copy, correction or deletion of his or her data or wanting to restrict or object to the Processing activities, the Supplier shall inform the Customer of such request within a reasonable delay not exceeding one (1) month as from the request, and provide the Customer with full details thereof, together with a copy of the Personal Data held by it in relation to the Data Subject where relevant. The Supplier shall promptly direct such Data Subject to the Customer. In support of the above, the Supplier may provide the Customer’s basic contact information to the requestor. The Customer agrees to answer to and comply with any such request of a Data Subject in line with the provisions of the applicable Data Protection Legislation.
5.3. Insofar as this is possible, the Supplier shall cooperate with and assist the Customer by appropriate technical and organizational measures for the fulfillment of the Customer’s obligation to respond to requests from Data Subjects exercising their rights.
ARTICLE 6 CONSULTATION AND CORRECTION OF PERSONAL DATA
The Supplier (Data Processor) will provide the Customer (Data Controller), with access to Personal Data Processed under the Agreement, in order to allow the Customer to consult and correct such Personal Data.
ARTICLE 7 DISCLOSURE
7.1. The Supplier shall not disclose Personal Data to any third party, unless it determines that the protection and confidentiality of the data will be ensured in accordance with the GDPR and such disclosure is necessary within the scope of the Agreement. The Supplier is also authorized to disclose the Personal Data (1) based on the Customer’s instructions, (2) as stipulated in the Agreement, (3) as required for Processing by authorized Sub-processors in accordance with Article 10, or (4) as required by law, in which case the Supplier shall inform the Customer of such legal requirement before Processing these Personal Data, unless such law prohibits the provision of such information for significant reasons of public interest.
7.2. Supplier represents and warrants that persons acting on behalf of Supplier and who are authorized to Process Personal Data or to support and manage the systems that Process Personal Data (i) have committed themselves to maintain the security and confidentiality of Personal Data in accordance with the provisions of the present Data Processing Agreement, (ii) are subject to user authentication and log-on processes when accessing the Personal Data and (iii) have undertaken appropriate training in relation to Data Protection Legislation. Supplier shall inform the persons acting on its behalf about the applicable requirements and ensure their compliance with such requirements through contractual or statutory confidentiality obligations.
ARTICLE 8 DELETION AND RETURN OF PERSONAL DATA
8.1. At the latest within 30 days upon termination of the Agreement, the Supplier shall securely sanitize or destroy any Personal Data that it stores, in a way that ensures that all Personal Data is deleted and unrecoverable. Data used to verify proper data processing in compliance with the assignment and data that needs to be kept to comply with relevant legal and regulatory retention requirements may be kept by the Supplier beyond termination or expiry of the Agreement only as long as required by such laws or regulations.
8.2. Upon written request submitted by the Customer no later than fourteen (14) calendar days prior to termination of the Agreement, the Supplier will provide the Customer with a readable and usable copy of the Personal Data and/or the systems containing Personal Data prior to sanitization or destruction.
ARTICLE 9 LOCATION OF PROCESSING
9.1. The Supplier will store Personal Data at rest within the territory of the European Union.
9.2. Any Processing of Personal Data by Supplier personnel or subcontractors not located within the European Union may only be undertaken if the entity with which the data is shared is covered by an adequacy decision or, otherwise, following prior written approval of the Customer and the execution of one of the then legally recognized data transfer mechanisms, such as an additional data processing agreement governed by the Standard Contractual Clauses.
ARTICLE 10 USE OF SUB-PROCESSORS
10.1. The Customer acknowledges and expressly agrees that the Supplier may use third party Sub-processors for the provision of the Services as described in the Agreement.
10.2. Any such Sub-processors that provide services for the Supplier and thereto Process Personal Data will be permitted to Process Personal Data only to deliver the services Supplier has entrusted them with and will be prohibited from Processing such Personal Data for any other purpose. The Supplier remains fully responsible for any such Sub-processor’s compliance with Supplier’s obligations under the Agreement, including the present Data Processing Agreement. The Supplier shall, prior to the entrusting of services to such Sub-processor, carry out any relevant due diligence on such Sub-processor to assess whether it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Agreement, and provide evidence of such due diligence to the Customer where requested by the Customer or a regulator.
10.3. The Supplier will enter into written agreements with any such Sub-processor which contain obligations no less protective than those contained in this Data Processing Agreement, including the obligations imposed by the Standard Contractual Clauses, as applicable.
10.4. The Supplier shall make available to the Customer the current list of Sub-processors for the Services identified in Annex 2 of this Data Processing Agreement. Such Sub-processor list shall include the identities of those Sub-processors and their country of location. The Supplier shall provide the Customer with a notification of a new Sub-processor before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services under this Agreement.
10.5. If the Customer objects to the use of a new Sub-processor who will be processing the Customer’s Personal Data, then the Customer shall notify Supplier in writing within twenty-one (21) calendar days after receipt of the Supplier’s written request to that effect. In such a case, the Supplier will use reasonable efforts to change the affected Services or to recommend a commercially reasonable change to the Customer’s use of the affected Services to avoid the Processing of Personal Data by the Sub-processor concerned.
ARTICLE 11 TECHNICAL AND ORGANIZATIONAL MEASURES
11.1. The Supplier has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of Processing and the risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data. These measures shall include:
– the prevention of unauthorized persons from gaining access to systems Processing Personal Data (physical access control)
– the prevention of systems Processing Personal Data from being used without authorization (logical access control)
– ensuring that persons entitled to use a system Processing Personal Data gain access only to such Personal Data as they are entitled to access in accordance with their access rights, and that, in the course of Processing, Personal Data cannot be read, copied, modified or deleted without authorization (data access control)
– ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control)
– ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from systems Processing Personal Data (entry control)
– ensuring that Personal Data Processed are Processed solely in accordance with the instructions (control of instructions)
– ensuring that Personal Data are protected against accidental destruction or loss (availability control)
– ensuring that Personal Data collected for different purposes can be processed separately (separation control)
11.2. The present technical and organizational measures are described in Annex 3 of this Data Processing Agreement. The Supplier shall adapt these measures systematically to the development of regulations, technology and other aspects, and supplement them with the applicable technical and organizational measures of Sub-processors, as the case may be. In any event, the implemented technical and organizational measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, taking also into account the state of technology and the cost of their implementation.
11.3. Upon the Customer’s request, the Supplier must provide the Customer, within fourteen (14) calendar days of receipt by the Supplier of the Customer’s request, with an updated description of the implemented technical and organizational protection measures. An ISAE 3402 Type II report and/or other similar certifications can be used to describe and demonstrate compliance of the implemented technical and organizational measures.
ARTICLE 12 PERSONAL DATA BREACHES
12.1. In the event of a (likely or known) Personal Data Breach and irrespective of its cause, the Supplier shall notify the Customer without undue delay and at the latest within forty-eight (48) hours after having become aware of (the likelihood or occurrence of) such Personal Data Breach, providing the Customer with sufficient information and within a timescale which allows the Customer to meet any obligations to report a Personal Data Breach under the Data Protection Legislation. The notification will be sent to the contact at the Customer responsible for Data Protection.
Such notification shall as a minimum specify:
– the nature of the Personal Data Breach;
– the nature or type of Personal Data implicated in the Personal Data Breach, as well as the categories and numbers of Data Subjects concerned;
– the likely consequences of the Personal Data Breach;
– as the case may be, the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
– the identity and contact details of the Data Protection Officer or another Contact Person from whom more information can be obtained.
12.2. The Supplier shall without undue delay further investigate the Personal Data Breach and shall keep the Customer informed of the progress of the investigation and take reasonable steps to further minimize the impact. Both Parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.
12.3. A Party’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that Party of any fault or liability with respect to the Personal Data Breach.
ARTICLE 13 CUSTOMER RESPONSIBILITIES
13.1. The Customer shall comply with all applicable laws and regulations, including the Data Protection Legislation.
13.2. The Customer remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of their Personal Data.
13.3. The Customer shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
13.4. With regard to components that the Customer provides or controls, including but not limited to workstations connecting to the Services, data transfer mechanisms used and credentials issued to the Customer’s personnel, the Customer shall implement and maintain the required technical and organizational measures for the protection of Personal Data.
ARTICLE 14 NOTIFICATIONS
14.1. Unless legally prohibited from doing so, the Supplier shall notify the Customer as soon as reasonably possible, and at the latest within two (2) business days of becoming aware of the relevant circumstances, if it or any of its Sub-processors:
14.1.1. receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing;
14.1.2. intends to disclose Personal Data to any competent public authority outside the scope of the Services of the Agreement. At the request of the Customer, the Supplier shall provide a copy of the documents delivered to the competent authority to the Customer;
14.1.3. receives an instruction that infringes the Data Protection Legislation or the obligations of this Data Processing Agreement.
14.2. In this respect, the Supplier shall cooperate as requested by the Customer to enable the Customer to comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, which shall include the provision of:
14.2.1. all data requested by the Customer (which is not otherwise available to the Customer) within the reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to the relevant Data Subject(s); and
14.2.2. where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the statutory timescales of the Data Protection Legislation.
14.3. Any notification under this Data Processing Agreement, including a Personal Data Breach notification, will be delivered to one or more of the Customer’s Contact Persons via email, possibly supplemented by any other means the Supplier selects. Upon request of the Customer, the Supplier shall provide the Customer with an overview of the contact information of the registered Customer’s Contact Persons. It is the Customer’s sole responsibility to report any changes in contact information in a timely manner and to ensure the Customer’s Contact Persons maintain accurate contact information.
ARTICLE 15 TERM AND TERMINATION
This Data Processing Agreement enters into force on the date of its signing by all Parties and remains in force until Processing of Personal Data by the Supplier is no longer required in the framework of or pursuant to the Agreement.
ANNEX 1 – DETAILS OF THE PERSONAL DATA PROCESSING;
ANNEX 2 – LIST OF CURRENT SUB PROCESSORS; and
ANNEX 3 – TECHNICAL AND ORGANIZATIONAL MEASURES.
ANNEX 1 – DETAILS OF THE PERSONAL DATA PROCESSING
1. Data Subjects
Employees, contractors, agents, distributors, suppliers and other collaborators of the Customer, and other readers of the Customer’s content.
2. Categories of Personal Data
The Supplier may Process (a subset of) the following categories of Personal Data:
– Email address
Optional (not required by the Supplier and only applicable if the Customer or the natural person chooses to complete them):
– First name
– Last name
– Birthday
– Middle name
– City + Postal Code
– Country
– Street Name + Number
– Job Title
– Department
– Phone number
– Language preferences
3. Purposes of Processing of Personal Data
Personal Data will be Processed for the purpose of the performance of the Services under the Agreement including the following purposes:
– Providing and securing access to the platform
– Providing statistical analysis of the usage of the platform
ANNEX 2 – LIST OF CURRENT SUB PROCESSORS
Sub-processor | Entity type |
Analytics – Drive | |
Microsoft Azure | Cloud service Provider |
Bitbucket | Source code repository hosting service |
BrowserStack | Browser testing tool |
Intercom | Support chat in app |
Hubspot | Customer relationship management tool |
ANNEX 3 – TECHNICAL AND ORGANIZATIONAL MEASURES
Access controls
All data in the platform is protected using access controls that work on the principle of least privilege, following industry best practices. Customers’ data will only be visible to entities which have been given explicit access. This access can be revoked at any time.
– All users are individually identifiable.
– Password procedures to enforce password policies.
– Firewall protection.
– Auditing user activity on the platform.
– All servers are hosted in secure data centers, which are tested for their security regularly (https://azure.microsoft.com/en-us/overview/trusted-cloud/compliance/).
– All servers are shielded from the internet, only allowing access to specific ports from a single entry point.
Encryption
All data in the platform is encrypted, both in flight and at rest. All data in flight is encrypted using TLS. The cipher suites used follow industry best practices.
Data at rest is encrypted using Azure Storage Service Encryption (https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption).
Backup policy
Data protection is one of our key concerns. We protect our customers’ data by applying industry best practices across our entire stack (infrastructure, database and object storage).
Processing control
Customer’s data shall be treated at least with the same care as Processor’s own “confidential” data;
Control of contract execution (including control of the sub-processes of the Processor).
Policies and Procedures
We have established clear data protection policies, procedures and guidelines to ensure proper handling of personal data. Regular training keeps our staff informed and fosters a privacy-conscious culture.
Employee Training
Periodic training programs sensitize employees to GDPR principles, data breach response, and proper data handling, reducing the risk of breaches.
Data Protection Officer (DPO)
A designated DPO oversees compliance and acts as a point of contact for privacy matters.
Incident Management
A plan ensures swift response to data security incidents, with proper reporting to authorities and affected individuals.
Contracts Management
Contracts with third-party vendors mandate GDPR compliance and safeguard data subjects’ rights throughout data processing.