Article 1: Purpose of the processing
1.1 The Processor shall process, on behalf of and under the responsibility of the Client, exclusively data that are necessary for the proper execution of the Agreement and shall not use such data for any purpose other than that for which they were obtained, even if they have been converted into a form that cannot be traced back to the data subjects.
Article 2: Overview of processed personal data
2.1 For the proper execution of the Agreement, the following personal data are processed:
- Name and address details
- Email addresses
- Company details (including VAT identification numbers)
- IP addresses
- Other possible categories of non-special personal data
Article 3: Transfer of personal data
3.1 The Processor may process personal data in countries within the European Union. Transfer to countries outside the European Union is prohibited.
3.2 Upon request, the Processor shall inform the Customer which country or countries within the European Union are involved in the processing.
Article 4: Division of responsibility
4.1 The authorized processing is carried out by employees of the Processor within an automated environment.
4.2 The Processor is solely responsible for the processing of personal data under this Data Processing Agreement, in accordance with the Customer's instructions.
4.3 The Customer guarantees that the content, use, and sequence of the processing of personal data as described in the agreement are lawful and do not infringe upon the rights of third parties.
Article 5: Security
5.1 The Processor shall take reasonable technical and organizational measures to protect the personal data being processed against loss or any unauthorized processing (such as unauthorized access, damage, alteration, or disclosure of personal data).
5.2 The Processor has implemented the following measures:
- Encryption of digital files containing personal data
- Secure network connections via SSL technology (Secure Sockets Layer)
- A secure internal network
- Backup system at geographically separated locations
- Multiple backups per day
- Dual implementation of internal systems
5.3 Only authorized personnel have access to the personal data and are bound by a statutory duty of confidentiality. This duty of confidentiality does not apply if the Client has expressly consented to the disclosure of the data to third parties, if disclosure to third parties is necessary in light of the nature of the assignment granted and the execution of this agreement, or if there is a legal obligation to disclose the data to a third party.
5.4 The Customer is of the opinion that the described security measures provide an adequate level of security.
Article 6: Reporting obligation
6.1 The Customer is at all times responsible for reporting security breaches or data leaks to the supervisory authority and/or data subjects. In order to enable the Customer to comply with this legal obligation, the Processor shall notify the Customer of a security breach or data leak within a reasonable period of time.
- Report that a violation has occurred
- Determine the cause of the infringement
- Determine the consequences of the infringement
- Identify the proposed solution
- Determine who has been informed
Article 7: Handling of requests from data subjects
All requests for access, correction, deletion, or restriction of the processing of personal data will be handled by the Customer. The Processor shall cooperate with the Customer as far as possible to enable the data subject to exercise their rights.
Article 8: Data Protection Impact Assessment (DPIA) and audit
8.1 The Customer has the right to have a DPIA or Audit performed by an independent third party bound by confidentiality to verify compliance with all aspects of the Data Processing Agreement.
8.2 The audit may take place if there is a concrete suspicion of misuse of personal data.
8.3 The Processor shall cooperate with the DPIA/Audit and make all reasonably relevant information, including supporting data such as system logs, and its employees available as soon as possible.
8.4 The findings from the DPIA/Audit are reviewed by both parties in mutual consultation and, based on this, may or may not be implemented by one or both parties.
8.5 The costs of a DPIA and/or Audit shall be borne by the Client.
Article 9: Sub-processors
9.1 The Processor is permitted to make use of Sub-processors in the context of this Agreement, and the Processor shall impose on Sub-processors the same requirements and obligations that apply to the Processor under this Data Processing Agreement.
Article 10: Liability
10.1 Acendae is not liable for damages in connection with the formation, performance, or execution of this Data Processing Agreement, regardless of the grounds on which an action for damages would be based, except in the cases mentioned below and up to the limits stated therein.
10.2 The total liability of Acendae for damage suffered by the Client as a result of a breach of contract by Acendae, including any failure to fulfill warranty obligations agreed with the Client, or as a result of a tortious act by Acendae, its employees or third parties engaged by it, is limited to an amount equal to the total fee (excluding VAT) that the Client shall owe under the Agreement.
10.3 Acendae is not liable for indirect damages, including but not limited to consequential damages, lost profits, lost savings, diminished goodwill, damages due to business interruption, damages due to failure to achieve marketing objectives, damages related to the use of data or data files provided by the customer, or loss, mutilation, or destruction of data or data files.
10.4 Unless performance by Acendae is permanently impossible, the liability of Acendae for attributable failure to perform an agreement arises only if the Client immediately gives written notice of default, setting a reasonable period for remedying the defect, and Acendae continues to fail to perform its obligations in an attributable manner even after that period. The notice of default must contain as complete and detailed a description of the defect as possible, so that Acendae can respond adequately thereto.
10.5 Any claim for compensation by the Client against Acendae that has not been specified and expressly reported shall lapse by the mere passage of 12 months after the claim arose.
10.6 The Client shall indemnify Acendae against any legal claim by third parties if such claim, in whatever form, relates to the processing of personal data, as well as against any fines imposed on the Client by the Dutch Data Protection Authority or other supervisory authorities.
Article 11: Duration and termination
11.1 This Data Processing Agreement remains in force for the duration as determined in the Agreement. Upon termination of the Agreement, the Data Processing Agreement also terminates and vice versa.
11.2 Upon termination of the agreement, the customer has 30 days to request the provided personal data.
11.3 The Processor retains personal data as required under the tax retention obligation. This statutory obligation prescribes that source, derived, and fixed data must be retained for at least 7 years. Personal data that do not fall under this obligation are deleted from the Processor's servers and systems after 30 days.
Article 12: Applicable law and dispute resolution
12.1 This Data Processing Agreement and its execution are governed by Dutch law.
12.2 All disputes arising between the Processor and the Client in connection with this Data Processing Agreement shall be submitted to the competent court in the district in which the Processor is established.