Revend NV Data Protection Agreement

Date of last revision: October 2022

This Data Processing Agreement, including its Schedules (the “DPA”) supplements the Revend General Terms and Conditions concluded between the Parties (the “Agreement”) and is entered into by and between Revend NV, a Belgian corporation with registered offices at De Beuckerstraat 56, 2018 Antwerp, Belgium, and registered in the Register for Legal Entities under enterprise number 0783.632.712, hereafter referred to as “PROCESSOR” and PROCESSOR’s customer; hereafter referred to as “CUSTOMER” or “CONTROLLER”;

PROCESSOR and CONTROLLER/CUSTOMER are herein referred to as a “Party” and collectively, the “Parties”.

1 Definitions

Capitalized terms used in this DPA shall have the meaning as described herein. Capitalized terms not separately defined shall have the respective meanings ascribed in the Agreement.

Agreement: means the Revend General Terms and Conditions in relation to the provisioning of the Software made and entered into between Parties.

Annex: means the annexes to this DPA, which forms an integral part thereof and which describes the further details with respect to the Processing of the Personal Data.

Controller: means the Party who determines the purposes and the means of the Processing of Personal Data, as determined by article 4.7 GDPR.

Data Protection Legislation: means (i) the GDPR; (ii) the Belgian law of 30 July 2018 on the protection of natural persons with regard to the Processing of Personal Data; and (iii) all other current or future applicable national laws relating to or impacting the Processing of Personal Data and privacy.

Data Subject: means an identified or identifiable natural person whose Personal Data is being processed.

DPA: means this Data Processing Agreement, including the Annexes, in which the general rules are laid down with regard to the conditions pursuant to which the Processor will perform the activities for the Processing of Personal Data on behalf of the Controller. The DPA shall be an integral part of the Agreement.

GDPR: means the EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC as from 25 May 2018.

Personal data: means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Process: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Services: means the services, functions, responsibilities and outputs to be provided and fulfilled by Processor under the Agreement.

Sub-Processor: means a Third Party engaged by Processor as Sub-Processor to provide the Services or any part of them.

Third Party: means any person or entity which is not a party to the Agreement, including any contractors (including Sub-Processors).

2 Data processing under the agreement

The Controller requests the Services of the Processor, by which the Processor will Process Personal Data on behalf of the Controller. The Controller determines the purposes and means of the Processing (see Annex 1) and expressly acknowledges and warrants that it has all necessary rights to provide the Personal Data to the Processor, and that one or more lawful bases set forth in the Data Protection Legislation supports the lawfulness of the processing.

2.1 The Processor shall, without undue delay, inform the Controller if, in its opinion, an instruction infringes this DPA, Data Protection Legislation or other EU or Member State data protection provisions.

2.2 Where Personal Data is Processed by Processor, its agents, Sub-Processors or employees under or in connection with the Agreement, Processor shall, and shall procure that its agents, Sub-Processors and employees shall:

2.2.1 only Process the Personal Data or disclose or permit the disclosure of the Personal Data to any Third Party:

  • in accordance with the documented instructions of the Controller as stated in this DPA and Annex 1; or
  • where required by EU or Member State law to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest;

2.2.2 take reasonable steps to ensure that all employees, agents and Sub-Processors who may have access to the Personal Data:

  • are informed of the confidential nature of the Personal Data;
  • and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality that apply with respect to (the Processing of) such Personal Data;

2.2.3. except where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Processor to a Controller, notify Controller without undue delay upon becoming aware of a Personal Data Breach, and otherwise assist Controller taking into account the nature of Processing and the information available to Processor, in meeting its obligations regarding the notification, investigation, mitigation and remediation of a Personal Data Breach under the Data Protection Legislation, without prejudice to Processors right to charge Customer any reasonable costs for such assistance. Processor’s obligation to notify or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that Party of any fault or liability with respect to the Personal Data Breach;

2.2.4. co‑operate as reasonably requested by Controller, to the extent necessary to enable Controller to comply with any exercise of rights by a Data Subject under the Data Protection Legislation in respect of Personal Data Processed by Processor under the Agreement or comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, including by any regulator, subject to reasonable advance notice and without prejudice to Processor’s right to charge Customer any reasonable costs for such assistance;

2.2.5. cease Processing the Personal Data upon the termination or expiry of the Agreement or, if sooner, the Service to which it relates and, at Controller’s option, either (if technically possible) return or delete the Personal Data and any copies of it or of the information it contains, without prejudice to any EU or Member State legal obligations for Processor to store or archive such Personal Data.

2.3. The nature and purpose of the Processing, type of personal data and categories of Personal Data to be Processed are further detailed in Annex 1.

3 Sub-processors

3.1. Customer authorizes the use of third-party sub-processors to Process Personal Data on its behalf.

3.2.Processor has currently appointed, as sub processors, third parties as listed in Annex 2. Upon execution of this DPA, Customer explicitly gives its written authorization to engage those sub-processors to Process Personal Data on Customer’s behalf.

3.3. Processor shall notify Customer by email of any intended changes concerning the addition or replacement of its current sub-processors prior to any such changes. Customer will be allowed to object to such addition or replacement on reasonable grounds relating to the protection of Personal Data within 30 days after the notification by submitting by email to legal@revend.ai. The Customer’s failure to object within this timeframe shall be deemed to have waived its right to object and to have authorized Processor to engage such sub-processor.

3.4. If Customer does notify Processor of such an objection, Parties will discuss Customer's concerns with a view to achieving a reasonable resolution. If no such resolution can be reached, Processor will, at its sole discretion, either not appoint the new sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination of the Agreement). The Customer will bear the costs incurred in relation to this article 3.4.

3.5. Processor’s sub-processors will be held to the same contractual obligations as set out in this Agreement to the extent applicable to the nature of the services provided by such sub-processors. Where a sub-processor fails to fulfil its data protection obligations, Processor will remain fully liable towards the Customer for the performance of that sub-processor’s obligations.

4 Liability of the processor

4.1 The liability provision set out in the Agreement is fully applicable to the extent possible under Data Protection Legislation.

4.2 Processor can only be held liable for an infringement of this DPA that is directly attributable to it, or the provisions that apply directly to Processor on the basis of the applicable Data Protection Legislation insofar as the Controller has complied with its own obligations as set out in this DPA and the applicable Data Protection Legislation.

4.3 The Processor shall not be liable for any damage or losses attributed to actions, instructed by the Controller, and to which the Processor has protested in accordance with article 2.2 of this DPA.

5 Customer responsibilities

5.1. The Customer shall comply with all applicable laws and regulations, including the Data Protection Legislation.

5.2. The Customer remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of his or her Personal Data.

5.3. The Customer shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.

5.4. With regard to components that Customer provides or controls, including but not limited to workstations connecting to Services, data transfer mechanisms used, and credentials issued to the Customer’s personnel, the Customer shall implement and maintain the required technical and organizational measures for protection of Personal Data.

6 Audit

6.1 Upon request of the Controller, the Processor shall make available to Controller all information necessary to demonstrate compliance with its obligations under Article 32 to 36 of the GDPR and allow for and contribute to audits conducted by Controller or another auditor mandated by Controller (which may be refused by Processor if this is a competitor of Processor or if there is a conflict of interest with this mandated auditor), and in accordance with the Agreement.

6.2. In all cases, it is essential to protect the confidential information of Processor. Controller must, or will request that its external auditors, send a draft version of the audit report to Processor. Processor has the right to submit its comments within a timeframe as agreed between the Parties. The auditor shall take the comments of Processor into account.

6.3 The Customer shall limit its initiatives to conduct an audit or inspection to no more than once a year, except in the event that (i) it is legally required to do so, (ii) Processor has experienced a Personal Data Breach in the preceding twelve (12) months that has affected the Customer's Personal Data or (iii) in the event of a mutual agreement, and shall notify Processor of such request at least thirty (30) business days prior to the audit. The Customer shall bear all costs for conducting an audit or inspection.

7 Security of Processing

7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall implement the measures required pursuant to article 32 of the GDPR and ensure that its agents, Sub‑Processors and employees implement appropriate technical and organisational measures[ as described in annex 3] to ensure a level of security appropriate to the risk, taking into account in particular the risk of accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to the Personal Data.

7.2. The Controller and Processor shall take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by EU or Member State law.

8 Transfer of Personal Data

8.1. Any transfer of Personal Data to a third country or international organisation may only take place in accordance with the principles set out in the applicable Data Protection Legislation and this DPA.

8.2. The Controller grants the Processor permission to transfer Personal Data to a third country or to an international organisation, as set out in the Annex 1. Any change or addition to the list as stated in the Annex 1, as proposed or required by the Processor, will be communicated to the Controller before such transfer takes place. The Controller has the right to object to such transfer within five (5) days of notification of the change. The Parties agree on whether or not to proceed with the transfer and the consequences thereof for the provision of the Services in terms of scope, timing and budget.

8.3. Any transfer to a third country or international organisation can take place on the following grounds:

  1. 8.3.1. An adequacy decision by the Commission;

  1. 8.3.2. Appropriate safeguards, including the availability of enforceable rights of Data Subjects and effective legal means. Appropriate safeguards must be adhered to in the following cases: (i) binding corporate rules; (ii) standard data protection clauses adopted by the Commission or by a Supervisory Authority and approved by the Commission; or (iii) an approved code of conduct or an approved certification mechanism.

8.4. If there is new guidance or a change in the Data Protection Legislation or case law that renders all or part of the Services illegal, Processor may terminate the Agreement unless the Parties reach agreement to change the Services whereby the Services are no longer illegal.

9 Term and termination of the DPA

9.1. This Agreement shall commence on the date mentioned in the Order Form and/or the Agreement and continues as long as the Agreement is in force. The termination modalities agreed upon by both Parties in the Agreement also apply to this DPA.

9.2. The Processor shall cease all processing activities in the context of the Agreement in the event of a termination of the Agreement.

9.3. The Processor shall delete all Personal Data and existing copies and/or back-ups, within 60 (sixty) calendar days upon termination of the Agreement, unless the Processor is legally obliged to store the Personal Data for a determined period. The Controller may ask for a copy of the Personal Data within thirty (30) Business Days.

10 Miscellaneous

10.1. This DPA is governed by and must be construed and interpreted in accordance with the Laws of Belgium. All disputes with respect to this DPA shall be submitted to the competent courts in Antwerp, Belgium. Before instituting proceedings in court, Parties will attempt to negotiate in good faith in order to reach an amicable settlement.

10.2. In the event of contradictions between the DPA and any provisions of the Agreement, the stipulations of the DPA shall prevail.

10.3. If a provision of this DPA is proven to be invalid or unenforceable in whole or in part, it will be regarded as severable (insofar as it is invalid or unenforceable) and the validity of the other provisions of this DPA and the remainder of the provisions in question will remain unaffected. If the invalid provision is of fundamental importance for achieving the goal of this DPA, the Parties shall negotiate in good faith to remedy the invalidity, illegality or unenforceability of the provision or otherwise change this DPA to achieve its purpose.

Annex 1: Details of Processing of Personal Data

This Annex 1 includes further information relating to the processing activities, in addition to the information already provided in the Agreement.

1. The subject-matter of the Processing of Personal Data

Personal Data may be processed for the performance of the following Services

  • Monitoring of business operations and KPIs through the processing of event streams of the Controller which are stored anonymized and in summary form. This may include customer shopping behaviors and registration/identification data when creating an account.
  • Ingesting data at rest in data stores of the Controller and executing row-level comparison of data, potentially including Personal Data, in order to verify the quality of replication processes, data freshness and data transformations

2. The nature and purpose of the Processing of Personal Data

The Services facilitate prioritising the handling of data-related issues that impact the Controller’s revenue and reporting operations by matching perceived event streams to expected event streams and tracking changes.

3. The categories of Personal Data to whom Personal Data relates

the personal data concern the following categories of Data Subjects:

CATEGORIES OF DATA SUBJECTS: APPLICABILITY (potential)/(ex) customers: Yes applicants and (ex) employees, interns: No (potential)/(ex) suppliers: No (potential)/'ex) business partners: No Agency, agent or employees of the agent: No Children below the age of 16 years: Yes Any other category: No

4. The Personal Data concern the following categories of Personal Data:

CATEGORIES OF DATA SUBJECTS: APPLICABILITY Identification data. Examples are surname, first name, age, gender, date of birth, electronic identification data (such as IP address, cookies), license plate. : Yes. Identification data captured by ecommerce platforms that Revend monitors for the Customer Contact data. Examples are address, telephone number, email address: Yes. Contact data captured by ecommerce platforms that Revend monitors for the Customer. Location data. Examples are location data from GPS or mobile phones. : No National identification number: No Financial identification data. Examples are bank account number, card number, PIN code: No Income and asset data. Examples are salary, data concerning assets (such as the house of a client and the characteristics of that house), data concerning savings of financial instruments: No Characteristics of financial and insurance products. Examples are characteristics of mortgages (such as the amount of the loan, duration, interest rate ): No Expenses and debts. Examples are the total amount of expenses, monthly rent.: No Financial profiles. Examples are a credit score and risk profile.: No Settlement/Resolution data. Examples are transaction data, data concerning an insurance claim.: No Lifestyle and habits. Examples are tobacco consumption, alcohol consumption, data related to trips.: No Leisure activities and interests. Examples are hobbies, sports and other interests.: No Consumption habits: Yes. Shopping behavior data captured by ecommerce platforms that Revend monitors for the Customer Relational data. Examples are marital data, data concerning family members.: No Education and training data. Examples are, certifications, professional experiences.: No Professional data. Examples are data concerning the termination of an employment, attendance, salary.: No Image recordings. Examples are, photo, video recording.: No Sound Recordings. Examples are telephone recording.: No Data concerning legal proceedings. Examples are subpoenas, notice of default.: No Any other category: No

5. The Personal Data concern the following categories of Personal Data:

SPECIAL CATEGORIES OF DATA: APPLICABILITY

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning a natural person's sex life or sexual orientation. : No Genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health. : No Personal data relating to criminal convictions and offences.: No

Annex 2: Sub-Processors

  • Google Cloud Platform (GCP) – https://cloud.google.com

Annex 3: Security measures

A. Management Direction for Information Security

i. Revend has implemented an appropriate information security policy.

ii. Revend has suitably qualified information security specialists, supported by the Revend business leadership.

iii. Revend management requires employees and third-party contractors with access to Customer information to commit to written, confidentiality, and privacy responsibilities with respect to that information. These responsibilities survive termination or change of employment or engagement.

B. Human Resource Security

i. Revend provides information security awareness information to employees and relevant third-party contractors.

C. Access Control

User Access Management

i. Revend implements access control policies to support creation, amendment and deletion of user accounts for systems or applications holding or allowing access to Customer information.

ii. Revend implements a user account and access provisioning process to assign and revoke access rights to systems and applications.

iii. The use of “generic” or “shared” accounts is prohibited without system controls enabled to track specific user access and prevent shared passwords.

iv. Revend monitors and restricts access to utilities capable of overriding system or application security controls.

v. User access to systems and applications storing or allowing access to Customer information is controlled by a secure logon procedure.

Physical Access Management

vi. Physical access to facilities where Customer information is stored or processed is protected in accordance with good industry practices by our third-party hosting partner Google Cloud Platform

D. Communications Security

Network Security

  1. i. Revend logically segregates Customer data within a shared service environment.

  1. ii. Revend secures network segments from external entry points where Customer data is accessible.

  1. iii. External network perimeters are hardened and configured to prevent unauthorized traffic.

  1. iv. Inbound and outbound points are protected by firewalls and intrusion detection systems (IDS). c. Ports and protocols are limited to those with specific business purpose.

  1. v. Revend synchronizes system clocks on network servers to a universal time source (e.g. UTC) or network time protocol (NTP).

  1. vi. Revend’s servers are not directly exposed to the internet and are defended using a DMZ (demilitarized zone) approach

Cryptographic Controls

  1. vii. Customer data, including personal data, is encrypted at rest.

Cloud Controls

  1. viii. Revend encrypts data during transmission between each application tier and between interfacing application

E. Operations Security

Service Management

  1. i. Revend has implemented formal operating procedures for system processes impacting Customer data. This notification may occur through generic change logs. Procedures must track author, revision date and version number, and must be approved by management.

  1. ii. Revend monitors service availability.

Vulnerability Management

  1. iii. Revend performs annual penetration testing for systems and applications that store or allow access to Customer data, including personal data. Identified issues must be remediated within a reasonable timeframe.

  1. iv. Revend has implemented a patch and vulnerability management process to identify, report and remediate vulnerabilities by:

  1. a. Implementing vendor patches or fixes.

  1. b. Developing a remediation plan for critical vulnerabilities.

  1. v. Revend has implemented controls to detect and prevent malware, malicious code and unauthorised execution of code. Controls must be updated regularly with the latest technology available (e.g. deploying the latest signatures and definitions).

Logging and Monitoring

  1. vi. Revend generates administrator and event logs for systems and applications that store or allow access to Customer data.

  1. vii. Revend reviews system logs periodically to identify system failures, faults, or potential security incidents affecting Customer information.

F. Third Party Supplier Management

  1. i. Revend has contractual agreements with third parties handling Customer information must include appropriate information security, confidentiality, and data protection requirements, as detailed in the Agreement. Agreements with such parties are reviewed periodically to validate that information security and data protection requirements remain appropriate.

  1. ii. Revend reviews its third parties’ information security controls periodically and validates that these controls remain appropriate according to the risks represented by the third party’s handling of Customer information, taking into account any state-of-the-art technology and the costs of implementation.

  1. iii. Revend restricts third party access to Customer data, including personal data.

  1. iv. If requested by Customer, Revend provides the Customer a list of third parties with required access to Customer data, including personal data.

  1. v. Revend permits access to Customer data, including personal data, only as necessary to perform the services that the third party has contractually agreed to deliver.

G. Resilience

  1. i. Revend performs business continuity risk assessment activities to determine relevant risks, threats, impacts, likelihood, and required controls and procedures.

  1. ii. Based on risk assessment results, Revend documents, implements, annually tests and reviews its Business Continuity and Disaster Recovery (BC/DR) plans to validate the ability to restore availability and access to Customer data in a timely manner, in the event of a physical or technical incident that results in loss or corruption of Customer data.

H. Audit and Compliance

  1. i. Revend periodically reviews whether its systems and equipment storing or enabling access to Customer data, including personal data, comply with legal and regulatory requirements and contractual obligations owed to Customer.

  1. ii. Revend maintains current independent verification of the effectiveness of its technical and organisational security measures (e.g. ISO certification). The independent information security review are performed at least annually.