Data Processing Agreement

Processing of personal data


Introduction

This Processing Agreement is part of the Main Agreement between Apostle B.V. (hereinafter: "Apostle" or "Processor") and the natural or legal person with whom Apostle enters into an agreement for the provision and use of the Apostle software (hereinafter: "Customer" or "Controller"). Together, the Controller and Processor are referred to as the "Parties".

For the use of the Apostle software, the Parties have entered into an agreement to which the Apostle General Terms and Conditions also apply (collectively: "Main Agreement").

For the purposes of performing the Main Agreement, personal data will be processed by Apostle on behalf of the Controller. In accordance with Applicable Law, the Parties enter into this agreement, which sets out their respective rights and obligations with regard to the processing of personal data (the "Processing Agreement"). The Main Agreement and the Processing Agreement jointly determine the subject matter and duration of the Processing of Personal Data

Article 1: Details of processing

Apostle processes personal data on behalf of the Controller, in the context of the services described in the agreement:

The Apostle platform is used to let ambassadors easily submit content, to edit content and to easily present it to groups of ambassadors. Creators use the Apostle platform app (available for IOS and Android). Publishers use the app and/or receive the proposed messages by email.

Further elaboration of the processing:

The nature of the processing: Brand Advocacy Platform.

Purpose(s) of the processing: Sharing content on the personal social media networks of employees for the purpose of increased awareness and visibility (branding).

Types of personal data processed ("Personal Data"):

Categories of personal data:

  • Name
  • E-mail address
  • Social media account
  • IP address
  • Logging activities
  • Device type
  • Message content and attachments
  • Social media connection ID
  • Social media connection name
  • Social media connection network
  • Social media connection API key
  • Social media message URL

Categories of data subject

  • Employees
  • Website visitors
  • User platform
  • Mobile app users
  • Users web version
  • Customers
  • Prospects
  • Partners
  • Resellers
  • Contacts

Apostle may use anonymised data ofController for analytical and statistical purposes, in order to improve its ownservices.

Storageperiods: All data is stored according to GDPR guidelines within the EuropeanUnion. All communication within the Apostle platform system is via HTTPS or SSLconnections. Once a user is removed from the system, all information about theuser is deleted except information about sent emails, which is automaticallydeleted from the system within 30 days.  

Sub-processor

Type of service

Processing location

Rootnet

Servers

Netherlands

HubSpot

Marketing automation

Switzerland and the UK

TimeChimp

CRM

Netherlands

Hupber

Social e-learning

Netherlands

Teamleader

CRM

Frankfurt and Ireland

Amazon

Servers

Frankfurt and Ireland

Article 2: Instructions

Apostle will only process the Personal Data:

  • On the basis of written instructions from the Controller,
  • Within the framework of the execution of the Agreement, and
  • Apostle will inform the Controller immediately if, in its opinion, instructions are contrary to the GDPR or otherwise unreasonable.

Article 3: Transfer of Personal Data outside the European Union

  1. Apostle may process the Personal Data in countries within the European Economic Area (EEA). Transfer to countries outside the EEA is not allowed without prior written consent of the Controller.
  2. Apostle shall inform the Controller of the country in which the personal data are processed.

Article 4: Confidentiality and special personal data

  1. Personal data is confidential information.
  2. Apostle may only give employees and/or thirdparties access to Personal Data when this is necessary for the performance ofthe Agreement. Apostle guarantees that all of them are obligated to maintainthe confidentiality of the Personal Data they have access to.
  3. The hosting platform Apostle uses is ISO 27001 /ISO 27002 certified. Apostle deliberately does not offer 2FA at this timebecause it detracts from the low threshold for using the platform AND becausethe security risk of Apostle is extremely low. Why?
  • For privacy/security reasons, no personal phone numbers of users are stored. There could still be double authentication via mail, but it does not add much:
  • If the ambassadors approve via mail, 2FA has no added value because they already get the proposed mail via their personal email address, so that they would get the second authentication on the same email address as the first.
  • If the ambassadors approve via the app, then two-step authentication applies already. This is because there is a security built into the app that for personal posts, you must also log in to your own social media network (e.g., LinkedIn) initially and periodically after that.
  • So the risk of someone pretending to be someone else and posting under that name on social media is negligible.

Article 5: Confidentiality

  1. When executing the Agreement, Apostle will ensure that appropriate technical, physical and organisational measures are taken to secure the Personal Data against loss or any form of unlawful processing. These measures guarantee an appropriate security level in view of the risks involved in the processing and the nature of the Personal Data to be protected, taking into account the state of the art, context and purpose of the processing and the costs of implementing the measures. The measures shall include, where appropriate, the following:
  • pseudonymization andencryption,
  • the ability to ensure, on anongoing basis, the confidentiality, integrity, availability and resilience ofthe processing systems and services,
  • the ability to restore theavailability of and access to the Personal Data in a timely manner in the eventof a physical or technical incident.
  • a procedure for regulartesting, evaluation and assessment of the effectiveness of the technical andorganisational measures to secure processing.
  1. Apostle will reportany changes in the security measures to the Controller.

Article 6: Reporting of data leaks

  1. Apostle shall inform the contact person of the Controller as soon as possible, in any event within 24 hours of discovery, of any breaches relating to Personal Data (Data Leaks). The notification of a Data Leak will be made to the contact person of Processing Responsible via e-mail.
  2. In the event of a data breach, Apostle shall immediately take remedial action. Apostle will fully cooperate with the Controller in setting up and implementing a response plan. Apostle shall assist the Controller in adequately informing the individuals involved and the supervisory authority or authorities.
  3. Apostle will provide the Controller with all relevant information when reporting, including in any case:
    a. the nature of the breach and the country (and, ifconcerned, the Sub-processor) where it has taken place;
    b. what Personal Data are involved;
    c. where possible, the categories of data subjects and the approximate number of data subjects concerned;
    d. the name and contact details of the data protection officer of Apostle or another contact point where further information can be obtained;
    e. whether the Personal Data have been encrypted, hackedor otherwise made unintelligible or inaccessible;
    f. the measures that Apostle has already taken or proposes to take in order to terminate the breach, limit its consequences and prevent any recurrence in the future.

If it is not possible to provide all the information at the same time, the information may be provided in stages without unreasonable delay.

  1. Apostle shall keep records of all breaches involving Personal Data of the Processing Party and the measures taken, and shall allow the Controller to inspect these upon request.

Article 7: Engaging third parties

  1. Apostle may make use of Sub-processors in the course of providing its services. The Sub-processors engaged by Apostle at the time of entering into this Processing Agreement are listed in the table in Article 1. The Controller has the right to object in writing to any new or amended Sub-processor(s), stating reasons, within two weeks of the notification of Apostle to this effect. If the Controller objects, Apostle and the Controller will enter into consultation to find a solution.
  2. Apostle guarantees correct compliance with the obligations of this Processor Agreement by these Sub-processors and, in the event of errors by these Sub-processors, will be liable to Processor itself for all damages as if it had committed the error(s) itself.
  3. Apostle shall ensure that Sub-processors are contractually bound to the same personal data protection obligations as those to which Apostle is bound under the Agreement, in particular the obligation to provide adequate guarantees regarding the application of appropriate technical and organisational measures so that the processing will meet the legal requirements.

Article 8: Cooperation with complaints and requests

  1. Apostle will deal promptly and appropriately with questions and requests from the Controller regarding the processing under the Agreement.
  2. Apostle shall inform the Controller directly of any complaints or queries from customers of the Controller. Apostle shall not address the customers of the Controller directly, unless the Controller has specifically instructed it to do so.
  3. Apostle will, as far as possible, enable the Controller to comply with the rights of data subjects, such as the right to inspect, correct or delete data, within the statutory time limits. Apostle has taken appropriate technical and organisational measures (including procedures) to this end.

Article 9: Others

  1. Upon termination of the Agreement, Apostle shall, at the option of the Controller, return or destroy the Personal Data and all copies thereof to the Controller, except where the Agreement or applicable law indicates otherwise. Apostle shall promptly confirm in writing to the Controller that it has returned or destroyed all Personal Data and copies thereof without unreasonable delay after termination of the Agreement.

Audits

  1. The Controller has the right to have an independent external auditor or its internal audit department carry out an audit of compliance with the processing agreement. An audit will be announced in advance if this is reasonably possible. Apostle will cooperate with an audit.
  2. If an audit reveals that Apostle has failed to comply with the obligations set out in this Processor Agreement, the reasonable audit costs incurred by Processor will always be borne by Apostle.
  3. Apostle will support the Controller in fulfilling the obligations of the Controller under Sections 32 to 36 of the GDPR, should this be necessary.