General Terms & Conditions

The following General Terms and Conditions (hereafter “GT&Cs”) apply to all business relationships between Cheqroom and the Customer.

The last update to the GT&Cs was posted on June 7, 2022.

Article 0 - Definitions

Account: means the account for the use of the SaaS-platform granted to the Customer.

Agreement: means the contractual relationship between Cheqroom and the Customer, including these GT&Cs, the Commercial Order, Cheqroom’s Data Processing Agreement, including any annexes and/or schedules thereto, and any other applicable agreement between Cheqroom and the Customer.

Cheqroom: means Checkroom NV, a limited Belgian public liability company having its registered offices at Wiedauwkaai 23x, 9000 Ghent and company number 0504.999.915 (RLE Ghent, department Ghent).

Commercial Order:
means the offer as agreed upon between the Customer and Cheqroom, as set out on the cover page, titled “Commercial Order”.

Confidential Information:
of a Party means the information of such Party, whether in written, oral, electronic or other form, and which (i) is explicitly marked as confidential or proprietary, or (ii) should reasonably be considered confidential or is traditionally recognized to be of a confidential nature, regardless of whether or not it is expressly marked as confidential, including but not limited to, information and facts concerning business plans, customers, prospects, personnel, suppliers, partners, investors, affiliates or others, training methods and materials, financial information, marketing plans, sales prospects, client lists, inventions, program devices, discoveries, ideas, concepts, know-how, techniques, formulas, blueprints, software (in object and source code form), documentation, designs, prototypes, methods, processes, procedures, codes, and any technical or trade secrets, including all copies of any of the foregoing or any analyses, studies or reports that contain, are based on, or reflect any of the foregoing. The Confidential Information of Cheqroom shall include, without limitation, the SaaS-platform.

Customer:
shall mean the Customer specified in the Commercial Order.

Customer Data:
all content, data or information provided, submitted, uploaded to or made available through the SaaS-platform by the Customer or User.

Customizations:
mean Customer-specific adaptations, additions, or enhancements of the standard SaaS-platform or Cheqroom’s products specifically developed by Cheqroom as per the terms agreed in the Commercial Order, which are not considered as part of the standard SaaS-platform, services or product offering.

Data Protection Laws:
mean all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to the Customer Data, the General Data Protection Regulation (Regulation (EU) 2016/679).

Hosting Partner:
means Amazon Web Services (“AWS”) (or such other provider of hosting services Cheqroom might contract in the future, as will be notified to the Customer from time to time).

Intellectual Property Rights:
means any and all now or hereafter existing (a) rights associated with works of authorship, including copyrights, copyrightable or mask work rights, neighboring rights and moral rights; (b) trademark or service mark rights; (c) trade secret rights; (d) patents, patent rights, rights to know-how and trade secrets, and industrial property rights; (e) layout design rights, design rights, topographic rights; (f) Internet domain names; (g) rights to software and computer software programs (including but not limited to source code and object code), rights to data, database sui generis right and documentation thereof; and other proprietary rights of every kind and nature other than trademarks, service marks, trade dress, and similar rights; whether registered or not and (h) all registrations, applications, renewals, extensions, or reissues of the foregoing, in each case in any jurisdiction throughout the world.

Party:
means a party to the Agreement.

Professional Services:
mean the development, implementation and integration services (including, but not limited to Customizations) or such other services in relation to the SaaS-platform, or development of Customizations as may be agreed between Customer and Cheqroom from time to time and set out in the Commercial Order.

SaaS-platform:
the proprietary software as a service and related services, features, content, programs or applications (web-based or mobile) developed and owned by Cheqroom.

Terms of Use:
refers to the terms and conditions governing the use of the SaaS-platform by the Users.

Third Party:
a natural or legal person, a government agency or other body, not being a Party to this Agreement or an Affiliated Party.

User:
represents any user of the SaaS-platform who has an Account.

Article 1 - Applicability


1.1 These GT&Cs apply to all Offers, all use by the Customer of the SaaS-platform and all related services provided by Cheqroom, unless expressly agreed otherwise. The GT&Cs take precedence over all other conditions from the Customer or from a Third Party, even where it is stated therein that only those conditions may apply and even if they were not protested by Cheqroom.

1.2 Subject to the prior written approval by Cheqroom, the Customer shall have the right to sublicense the license granted under these GT&Cs to any of the Customer’s affiliates identified in a Commercial Order (a “Permitted Affiliate”), under the following conditions: (i) the Customer shall inform the Permitted Affiliate of the provisions of these GT&Cs; (ii) the Customer shall enter into an agreement with the Permitted Affiliate where such Permitted Affiliate agrees to fully comply with the relevant provisions of these GT&Cs, as if the Permitted Affiliate were the Customer; (iii) the Customer shall be fully responsible and shall be fully liable for the actions and/or omissions of its Permitted Affiliate and any breach of the provisions of these GT&Cs by a Permitted Affiliate shall be deemed to be a breach by the Customer; (iv) when a Permitted Affiliate ceases to be an affiliate, the Customer shall immediately inform Cheqroom thereof in writing and the relevant sublicense granted hereunder to said Permitted Affiliate shall immediately and automatically terminate. The former affiliate shall conclude a new agreement with Cheqroom for the continued use of the SaaS-platform and/or Professional Services; (v) any sublicense of the SaaS-platform to a Party that is not (or ceases to be) a Permitted Affiliate and/or to any Third Party, shall be deemed to be null and void and shall be deemed to be a material breach of these GT&Cs by the Customer; and (vi) the Permitted Affiliate does not reside in a jurisdiction listed in the United States list of ‘Export Controlled or Sanctioned Countries, Entities and Persons’.

Article 2 – License to use the SaaS-platform


2.1 Subject to the Agreement and timely payment of the license fees, Cheqroom grants to the Customer a personal, restricted, non-exclusive, non-transferable and non-assignable license to access and use the SaaS-platform strictly in accordance with the Commercial Order and these GT&Cs. The Customer may use the SaaS-platform for its internal business purposes but may not commercialize it.

2.2 The Customer shall not: (i) make back-up copies of the SaaS-platform or Professional Services without Cheqroom’s authorization; (ii) arrange or create derivative works based on the SaaS-platform or Professional Services without Cheqroom’s express written consent; (iii) assign, distribute, sub-license, hire, transfer, sell, lease, rent, charge or otherwise deal in or encumber the SaaS-platform, or use the SaaS-platform on behalf of any Third Party or make them available to any Third Party, nor allow or permit a Third Party to do any of the same; (iv) copy, duplicate, reverse engineer, reverse compile, disassemble, record or otherwise reproduce the SaaS-platform or Professional Services or any part of them except as expressly provided in these GT&Cs; (v) remove or alter any copyright or other proprietary notice on any of the SaaS-platform or Professional Services.

2.3 These GT&Cs apply to any update or upgrade of the SaaS-platform. Cheqroom will support previous version(s) for a minimum of six (6) months. Thereafter, Cheqroom is no longer responsible for the proper functioning of the older versions.

Article 3 – Professional Services


3.1 Upon agreement between Cheqroom and the Customer, as specified in writing in the Commercial Order, Cheqroom may provide Professional Services to the Customer, including but not limited to Customizations. Unless stated differently in the particular Commercial Order, all Professional Services are charged as a fixed non-refundable fee.

3.2 Cheqroom shall exercise reasonable care and skill in performing the Professional Services. The obligation to perform the Professional Services shall be regarded as an obligation of means and shall not bind Cheqroom to achieve a predefined result. Cheqroom will provide Professional Services in complete independence. Any timelines included in the Commercial Order or otherwise specified shall be deemed to be indicative only and shall not bind Cheqroom unless expressly agreed to be binding. The provision of the Professional Services is at all times subject to the cooperation of the Customer in good faith. In particular, and without prejudice to the generality of the foregoing, the Customer shall provide on a timely basis any accesses, approvals, business rules and information as necessary to allow Cheqroom to perform the Professional Services. Cheqroom shall not be responsible or held liable for any delay or failure in the provision of the Professional Services resulting from the Customer’s obligation to cooperate in good faith or to provide the necessary input. The scope of the Professional Services may only be changed in mutual agreement and such change(s) shall be documented in writing.

3.3 Cheqroom does not ensure that any Customizations or Professional Services on the current SaaS-platform will remain compatible with any new release, version or hotfix of the SaaS-platform, which is used or will be used by the Customer. To the extent that one or more Customizations or Professional Services are not fully compatible with any new release or version of the SaaS-platform, Cheqroom can agree to make changes as may be required to make them compatible with such a new release or version. Such changes will be subject to a separate Commercial Order. In no event shall Cheqroom be obliged to provide Professional Services or assistance to Third Parties, engaged by the Customer.

3.4 The relationship between the Parties is that of independent contractors. Neither Party is an agent for the other and neither Party has any authority to make any contracts, whether expressly or by implication, in the name of the other Party, without that Party’s prior written consent for express purposes connected with the performance of this Agreement. In no case shall the Customer exercise (or be deemed to exercise) partial or complete employer’s authority over Cheqroom’s personnel.

Article 4 – Maintenance, Support and Hosting


4.1 The Customer acknowledges that support services in relation to the SaaS-platform are provided during business hours on a best-efforts basis only. In such case, the Customer may notify a problem, or an incident related to the SaaS-Platform to Cheqroom, and Cheqroom shall try to provide a resolution or workaround as soon as commercially possible. Cheqroom makes no warranty whatsoever to provide a resolution or workaround for each specific problem that could arise. The Customer and Cheqroom may opt to include a separate Service Level Agreement, subject to a separate support fee outlined in the Commercial Offer.

4.2 The SaaS-platform will be hosted in the datacenters of Cheqroom’s Hosting Partner and such hosting is subject to the applicable service offering of the Hosting Partner. Cheqroom does not warrant that the SaaS-platform shall be available on an uninterrupted basis and the Customer agrees that the SaaS-platform may be unavailable during periods of planned or unplanned maintenance undertaken by Cheqroom or the Hosting Partner. To the extent reasonably possible, Cheqroom shall notify Customer of any planned maintenance.

4.3 The Customer represents and warrants that it accepts the terms and conditions of the last version of the Hosting Partner’s terms of use as available on https://aws.amazon.com/agreeme.... The Customer, on behalf of its Users, gives the Hosting Partner the permission to process all Personal Data as contemplated by this Agreement.

Article 5 – Customer Data


5.1 All Customer Data is the sole property and responsibility of the person who originated the Customer Data. The Customer shall indemnify and hold Cheqroom harmless for any claims in relation to the Customer Data. The Customer represents that all Customer Data provided by any User is accurate, complete, up-to-date, and in compliance with all applicable laws, rules and regulations. The Customer acknowledges that all content, including the Customer Data, accessed by using the SaaS-platform is at the Customer’s own risk and the Customer shall be solely responsible for any damage or loss to the Customer or any other Party resulting therefrom. Cheqroom does not guarantee that any content the Customer or its Users access on or through the SaaS-platform and/or Professional Service is or will continue to be accurate. The Customer hereby represents and warrants that the Customer Data does not include any inappropriate content, malware or any other elements that could result in harm to the SaaS-platform and/or Professional Service or to Third Parties.

5.2 By submitting any Customer Data to the SaaS-platform, the Customer hereby grants Cheqroom a worldwide, non-exclusive, royalty-free, sub-licensable and transferable license to use, aggregate, reproduce, distribute, display, and perform the data made available by the Customer to the extent required for the performance of Cheqroom’s obligations under the Agreement. The latter includes the right for Cheqroom to use data derived from the use of the SaaS-platform, including but not limited to, information regarding the performance of the Customer’s network, applications and/or systems, data about transactions in the Customer’s network, and in general any data generated as a result of the use of the SaaS-platform, however solely for purposes of operating, maintaining and improving the SaaS-platform and/or Service or, if compiled into non-identifiable aggregate data, for Cheqroom’s sales and marketing purposes. Customer warrants to Cheqroom that the Customer data, when used by Cheqroom in accordance with this Agreement, will not infringe the Intellectual Property Rights or other legal rights of any person, and will not breach the provisions of any law, statute or regulation, in any jurisdiction and under any applicable law.

Article 6 - Intellectual Property


6.1 Cheqroom exclusively owns and retains all rights, titles, interests in and to all Intellectual Property Rights in or pertaining to its SaaS-platform (including the underlying software, computer programs, platforms, applications, algorithms, software code and methodology pertaining thereto), the Professional Services (including but not limited to Customizations), its website and all the documentation and materials pertaining or relating thereto (including any copies and portions thereof), whether in machine-readable or printed form, including but not limited to (i) all software and materials which are related to the SaaS-platform, the Professional Services, its website, (ii) all modifications and Customizations to, and derivative works, compilations or collective works of the SaaS-platform, and (iii) all related technical know-how. The Customer agrees to be bound by and observe the proprietary nature of the SaaS-platform. The Customer agrees not to remove, suppress or modify in any way any proprietary marking, including any trademark or copyright notice, on or in the SaaS-platform, or visible during its operation, or on media or any documentation. The Customer shall incorporate or reproduce such proprietary markings in any permitted back-up or other copies.

6.2 Cheqroom does not claim to have any intellectual right, title or interest in any of the images that may be uploaded to the SaaS-platform by the Customer. The Customer and its Users are responsible for all content uploaded to the SaaS-platform.

6.3 It is expressly understood, acknowledged and agreed that for any reasonable suggestions, comments and feedback regarding the SaaS-platform, the Customer grants Cheqroom a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid license to use such feedback freely for its own purposes.

6.4 The SaaS-platform may contain service marks or trademarks of Cheqroom, as well as those of its affiliates or other companies, in the form of words, graphics, and logos. The use of the SaaS-platform by the Customer does not constitute any right or license for the Customer to use such service marks/trademarks, without the prior written permission of the corresponding service mark/trademark owner. The SaaS-platform is also protected under international copyright laws. The copying, redistribution, use or publication by the Customer of any portion of the SaaS-platform is strictly prohibited. The use of the SaaS-platform does not grant the Customer or the User ownership rights of any kind in the SaaS-platform.

Article 7 – Third Party Materials


7.1 The SaaS-platform may enable access to Third Party services and content (“Third Party Materials”); however such access does not imply any form of cooperation or association between Cheqroom and the relevant Third Party and/or Third Party Materials.

7.2 Third Party Materials may contain content that is governed by the additional licensing terms. This Agreement does not grant Customer any right to use such Third Party Materials, and use of these may require Customer’s acceptance of additional licensing terms or terms of service issued by the relevant Third Party (“Additional Third Party Terms”).

7.3 Accessing the Third Party Materials indicates Customer’s unconditional consent with the Additional Third Party Terms and implies that Customer intends to be bound by such terms in its relationship with the relevant Third Party.

7.4 When accessing Third Party Materials via the SaaS-platform, Customer acknowledges and agrees that Cheqroom provides this access “as is” and “as available” and is not responsible for examining or evaluating the content, accuracy, completeness, timeliness, validity, copyright compliance, legality, decency, quality or any other aspect of such Third Party Materials. It is Customer’s duty to analyze and assess the reliability of the source of this information and the accuracy, completeness and other features of Third Party Materials.

7.5 Cheqroom reserves the right to change, suspend, remove, impose limitations on or disable access to any Third Party Materials at any time. In no event will Cheqroom be liable for the removal or disabling of access to any such Third Party Materials.

Article 8 - Term, Billing and Payment


8.1 The Customer will be charged a yearly license fee to be paid before the beginning of each contract year, unless otherwise set out in the Commercial Order.

8.2 The Agreement shall be concluded for the term set out in the Commercial Order. If the Commercial Order does not specify the term, the Agreement will be concluded for a one-year term (“Initial Subscription Period”). The Initial Subscription Period will be renewed automatically with subsequent one-year periods after expiration of the applicable subscription term, until the Customer or Cheqroom explicitly cancel the Agreement with a notice period as mentioned in article 9.

8.3 The license fee will be non-refundable. There will be no refunds or credits for partial years of license to use the SaaS-platform, upgrade/downgrade refunds, account cancellations, or refunds for years unused with an open account.

8.4 Each contract year Cheqroom shall have the right to increase the fees due under the Agreement by using the following formula: P = P0 x [0.2 + 0.8 x (S/S0)], whereby: "P" stands for the revised price; "P0" stands for the price on the effective date of the relevant Commercial Order; "S0" shall be the national average reference salary as published by Agoria ("Reference Salary") on the effective date of the Offer (or, if this index is no longer published, the index replacing it or failing such index by another index reflecting the increases of labor cost); "S" shall be the Reference Salary at the time of the price revision; and "S/S0" shall be referred to as "Index". A negative Index shall have no impact on the fees. The base Index taken is the Index applicable three (3) months before the signing of the Commercial Order.

8.5 The Customer must provide Cheqroom with accurate billing information and keep this information up to date.

8.6 By subscribing to the SaaS-platform, the Customer gives Cheqroom the right to charge Customer’s credit card, or bill Customer via other payment methods, for license fees connected with the SaaS-platform such as renewal fees or fees for Professional Services. For any change in the license fee due to requested additional services by the Customer, Cheqroom will automatically charge the Customer’s credit card that they provided or bill the Customer via other payment methods for the new rate on the next billing cycle.

8.7 All undisputed invoices (or parts thereof) must be paid and payment must be received within thirty (30) days after the invoice date. Disputes must be notified by registered mail (containing the reason for such disputes) within ten (10) business days after the invoice date; failure to do so shall result in the invoice being deemed accepted by Customer.

8.8 Any amounts of undisputed invoices (or parts thereof) that have not been paid on the due date shall automatically and without notice be subject to a late payment interest equal to the rate applicable pursuant to the Belgian law of 2 August 2002 (as modified from time to time), which interest shall be compounded daily as of the due date until receipt of full payment. In addition, Customer shall pay all costs incurred by Cheqroom, as a result of the (extra)judicial enforcement of the Customer’s payment obligation under this Agreement, with a minimum of one hundred fifty (150) EUR. If the Customer fails to pay outstanding amounts, Cheqroom can suspend its obligations and Customer’s rights until receipt of payment.

8.9 The Customer will pay any and all applicable international, federal, state, and local sales, use, value-added, excise, duty, and any other taxes, fees, or duties not based on net income of Cheqroom that are assessed on or as a result of this Agreement. Any such taxes, (bank) fees, and duties collected by Cheqroom from the Customer on behalf of a governmental agency or financial institution shall not be considered a part of, a deduction from, or an offset against, payments due to Cheqroom under this Agreement.

8.10 All fees payable to Cheqroom under this Agreement shall be paid without the right to set off or counterclaim and free and clear of all deductions or withholdings whatsoever, unless the same are required by law, in which case the Customer undertakes to pay Cheqroom such additional amounts as are necessary in order that the net amounts received by Cheqroom after all deductions and withholdings shall not be less than such payments would have been in the absence of such deductions or withholding. Sums stated to be payable under this Agreement do not include any applicable value added tax or other taxes, which shall be additionally charged to the Customer.

8.11 All prices are stated in US dollars unless stated otherwise.

Article 9 - Termination


9.1 Termination for cause by Cheqroom.

a) Cheqroom may terminate the Agreement or suspend access to the SaaS-platform, Professional Services and/or User rights granted hereunder by written notice to the Customer if the Customer fails to pay Cheqroom the license fee before the expiration date or violates these GT&Cs (or other terms of the Agreement) and the Customer fails to cure such failure to pay or breach within fifteen (15) days from the date of such notice.

b) The Customer acknowledges and agrees that any use of the SaaS-platform outside the scope of the license as set forth in the Agreement, unless such use has been expressly approved in writing by a duly authorized representative of Cheqroom, the misuse of system resources or when Cheqroom reasonably suspects that the Customer is using the SaaS-platform to break the law or infringe Third Party rights, shall entitle Cheqroom to immediately terminate - or alternatively, at Cheqroom’s discretion, suspend - one or more of the licenses granted under the GT&Cs for material breach by the Customer, without any formalities being required and without prejudice to any other right or remedy available to Cheqroom pursuant to these GT&Cs or under applicable law.

9.2 Termination for cause by a Party.

Either Party may terminate these GT&Cs by written notice to the other, effective as of the date of delivery of such notice, if the other Party becomes the subject of a voluntary or involuntary bankruptcy, insolvency or similar proceeding or otherwise liquidates or ceases to do business.

9.3 Termination without cause by the Customer.

The Customer may terminate the Agreement no less than thirty (30) days before the end of the Initial Subscription Period and each anniversary of the Effective Date following the Initial Subscription Period; such cancellation will take effect immediately at the end of the relevant subscription period and the subscription will not automatically renew. For the purposes of clarification: the Customer cannot terminate part of an ongoing subscription period.

9.4 Consequences of termination.

The Customer understands that if the Customer terminates these GT&Cs, the Customer will lose access to the SaaS-platform and any Customer Data the Customer has provided thereon. The Customer understands that Cheqroom is not required to provide him with copies of such Customer Data nor continue to maintain copies of such Customer Data on the SaaS-platform. Cheqroom will not retain Customer Data beyond a term of thirty (30) days after termination of the Agreement.

Article 10 - Confidentiality


10.1 Each Party must treat the Confidential Information received from the other with the strictest confidentiality, in the same way it would treat its own Confidential Information, and not below an adequate level of protection. No Party shall disclose Confidential Information to any Third Party, other than an employee, (independent) service provider, director or agent, to whom the Professional Services and/or SaaS-Platform will be made available, and who will be able to use the Services and SaaS-Platform as Users. Confidential Information disclosed under the Agreement shall not be used by the recipient thereof for any purpose other than as required for the performance of its obligations under the Agreement. The Customer Data will be treated in the strictest confidence and will be regarded as Confidential Information.

10.2 The Customer shall take precautions to maintain the confidentiality of the Confidential Information and in particular the Customer covenants that he: (i) shall not copy or otherwise exploit any component of the Confidential Information other than as herein provided, nor make any disclosures with reference thereto to any Third Party; (ii) shall ensure that all copies of the Confidential Information (made in accordance with the provisions of these GT&Cs) contain a permanently legible reproduction of Cheqroom’s copyright notice and a confidentiality notice.

10.3 The provisions of this article shall not apply to any secret or information which: (i) is published or comes into the public domain other than by a breach of these GT&Cs or, (ii) can be shown to have been known by the receiving Party before disclosure by the disclosing Party or, (iii) is lawfully obtained from a Third Party or, (iv) can be shown to have been created by the receiving Party independently of the disclosure and other than as part of the project.

10.4 If a receiving Party becomes aware that it will be required, or is likely to be required, to disclose Confidential Information in order to comply with applicable laws or regulations or with a court or administrative order, it shall, to the extent it is lawfully able to do so, prior to any such disclosure, notify the disclosing Party and comply with the disclosing Party’s reasonable instructions to protect the confidentiality of the information.

Article 11 - Privacy and Data Protection


11.1 Each Party shall comply with the applicable Data Protection Laws. Customer represents and warrants to Cheqroom that it has the legal right to disclose any personal data that it makes available to Cheqroom under or in connection with this Agreement. Cheqroom shall process such personal data in accordance with the Data Processing Agreement (“DPA”), as set forth in Schedule 1 to these GT&Cs.

11.2 If any changes or prospective changes to the Data Protection Laws result or will result in one or both Parties not complying with the Data Protection Laws in relation to processing of personal data carried out under this Agreement, then the Parties shall use their best endeavors promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.

11.3 Cheqroom shall process Customer Data in accordance with the Data Processing Agreement.

Article 12 - Publicity


12.1 Unless agreed otherwise in writing, Cheqroom shall have the right to use any trademarks or other marks of Customer (including Customer’s corporate name) for marketing or promotion purposes, such as (but not limited hereto) client references on Cheqroom’s website, announcement of a new customer and sales presentations.

Article 13 – Warranties


13.1 Insofar and to the fullest extent permitted under applicable law, the SaaS-platform is provided “as-is,” “as available”. Cheqroom does not make any other representations or warranties, express or implied, concerning any matter under this Agreement and, to the maximum extent permitted by applicable law, Cheqroom disclaims any representations or warranties, express or implied, including (without limitation) any implied warranties of accuracy or completeness of data, fitness for a particular purpose, merchantability, or non-infringement.

13.2 Without prejudice to the foregoing, the Customer understands and agrees that the use of the SaaS-platform is at the Customer’s own risk and that the Customer will be solely responsible for its use thereof and any damages to the Customer. Cheqroom, as well as all of Cheqroom’s affiliates, are not liable for any indirect, special, incidental or consequential damages (including damages for loss of income, business, profits, litigation, or the like), whether based on breach of contract, breach of warranty, tort (including negligence), product liability or otherwise, even if advised of the possibility of such damages. The negation and limitation of damages set forth above are fundamental elements of the basis of the bargain between the Customer and Cheqroom. The SaaS-platform would not be provided without such limitations. No advice or information, whether oral or written, obtained by the Customer from Cheqroom through the SaaS-platform shall create any warranty, representation or guarantee not expressly stated in the Agreement.

Article 14 - Limitations of Liability


14.1 The limitations and exclusions of liability set out in this article and elsewhere in the Agreement govern all liabilities arising under this Agreement or relating to the subject matter of this Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in this Agreement.

14.2 Neither Party shall be liable to the other Party in respect of any losses arising out of a force majeure event, except as otherwise provided in the Agreement. A force majeure event means an event, or a series of related events, that is outside the reasonable control of the Party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any Third Party, social strikes or actions, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars).

14.3 Subject to the maximum extent permitted by applicable law, Cheqroom’s liability under this Agreement in respect of each event and each calendar year (or series of connected events) shall not exceed the license fees paid by the Customer to Cheqroom under the present Agreement for a period of six (6) months prior to the date of the event (or last of the series of connected events) giving rise to the claim.

14.4 Under no circumstances shall Cheqroom be liable to the Customer for any indirect, punitive, special, consequential or similar damages (including damages for loss of profit, anticipated savings, lost revenue or income, loss of use or production, loss of business, loss or corruption of data, loss of database or software, loss of customers and contracts, loss of goodwill, the cost of procuring replacement goods or services, and reputational damage) whether arising from negligence, breach of contract or of statutory duty or otherwise howsoever, and Third Parties’ claims. Each Party shall have the duty to mitigate damages.

Article 15 - Indemnification


15.1 Cheqroom shall defend and indemnify Customer against any founded and well-substantiated claims brought by Third Parties to the extent such claim is based on an infringement of the Intellectual Property Rights of such Third Party by the SaaS-platform and excluding any claims resulting from (i) Customer’s unauthorized use of the SaaS-platform; (ii) Customer’s or any Third Party’s modification of the SaaS-platform; and/or (iii) Customer’s unauthorized use of Third Party Materials.

15.2 Such indemnity obligation shall be conditional upon the following: (i) Cheqroom is given prompt written notice of any such claim; (ii) Cheqroom is granted sole control of the defense and settlement of such a claim; (iii) upon Cheqroom’s request, Customer fully cooperates with Cheqroom in the defense and settlement of such a claim, at Cheqroom’s expense; and (iv) Cheqroom makes no admission as to Cheqroom’s liability in respect of such a claim, nor does Customer agree to any settlement in respect of such a claim without Cheqroom’s prior written consent. Provided these conditions are met, Cheqroom shall indemnify Customer for the damages and costs incurred by Customer as a result of such a claim, as awarded by a competent court of final instance, or as agreed to by Cheqroom pursuant to a settlement agreement.

15.3 In the event the SaaS-platform, in Cheqroom’s reasonable opinion, becomes or is likely to become the subject of a Third-Party infringement claim, Cheqroom shall have the right, at its sole option and expense, to: (i) modify the ((allegedly) infringing part of the) SaaS-platform so that it becomes non-infringing while preserving equivalent functionality; (ii) obtain for Customer a license to continue using the SaaS-platform in accordance with this Agreement; or (iii) terminate the relevant Agreement and pay to Customer an amount equal to a pro rata portion of the license fee paid to Cheqroom hereunder for that portion of the SaaS-platform which is the subject of such infringement.

15.4 The foregoing states the entire liability and obligation of Cheqroom and the sole remedy of Customer with respect to any infringement or alleged infringement of any Intellectual Property Rights caused by the SaaS-platform or any part thereof.

15.5 Customer shall indemnify, defend and hold harmless Cheqroom, its affiliates, and its officers, directors, employees and agents from and against any loss, expense, cost (including reasonable attorney’s fees), liability, damage or claim by a Third Party made against any of said indemnitees to the extent arising in connection with Customer’s (including, without limitation, any of its affiliates and its or their officers, directors, employees or agents) use of the SaaS-platform, its infringement of any Third Party Intellectual Property Rights or Third Party Materials, gross negligence or willful misconduct, fraud, and breach of any representation or warranty made under this Agreement.

Article 16 – Audit


16.1 If Cheqroom reasonably suspects a breach of this Agreement, Cheqroom can perform an audit at the Customer’s or its affiliate’s premises to verify Customer’s compliance with its obligations and restrictions under this Agreement.

16.2 Customer undertakes to reasonably assist Cheqroom with such audits.

16.3 Notice of such audit shall be given at least ten (10) business days in advance, and the audit shall be executed with minimum disruption to Customer’s business. The cost of the audit shall be borne by Cheqroom, unless such audit evidences a breach by the Customer.

Article 17 - Dispute Settlement


17.1 Parties shall exercise reasonably good faith efforts to resolve any dispute, controversy or claim arising in connection with this Agreement. Whenever necessary or opportune the Parties shall escalate the dispute to the next business level. For the avoidance of doubt, the dispute resolution shall have no impact on the Parties’ termination rights and the Parties’ other rights under the Agreement.

17.2 When Parties have not been able to resolve their dispute amicably after sixty (60) days, any legal controversy or legal claim arising out of or relating to the GT&Cs and/or the SaaS-platform shall be settled by the competent Belgian courts in accordance with Belgian law (preferred clause).

17.3 Any cause of action by the Customer with respect to the SaaS-platform, must be instituted within one (1) year after the cause of action arose or be forever waived and barred.

Article 18 - Miscellaneous


18.1 Applicable law and competent courts.

The Agreement shall be governed by and construed in accordance with the laws of Belgium, without regard to conflict of law principles. The United Nations Convention for the International Sale of Goods shall not apply to this Agreement. The Parties hereto submit to the exclusive jurisdiction of the competent courts of Ghent, department of Ghent.

18.2 Severability.

Should any part of the Agreement be held invalid or unenforceable, that portion shall be construed consistent with applicable law and the remaining portions shall remain in full force and effect. To the extent that any content in the SaaS-platform conflicts or is inconsistent with the Agreement, the Agreement shall take precedence.

18.3 No waiver.

Cheqroom’s failure to enforce any provision of the Agreement shall not be deemed a waiver of such provision nor of the right to enforce such provision.

18.4 Survival.

The rights of Cheqroom under the Agreement shall survive the termination of the Agreement.

18.5 Non-Assignment.

The Customer shall not assign or otherwise transfer any of its rights or obligations under this Agreement without Cheqroom’s prior written consent. Cheqroom’s consent should be requested by registered letter, disclosing the identity of the prospective transferee. Subject to any restrictions on assignment herein contained, the provisions of the Agreement shall inure to the benefit of and shall be binding upon the Parties hereto and their respective heirs, legal representatives, successors and assignees.

18.6 Non-solicitation

During the Agreement and until twenty-four (24) months after termination, the Customer agrees not to hire any staff from Cheqroom directly or indirectly as an employee or on any other basis, nor will the Customer attempt to do so. In the context of this article, the term “staff” means all personnel, employees or other persons, such as freelancers or subcontractors. Should the Customer act in breach of this article, the Customer will be liable to pay a lump sum of fifty thousand euro (€50,000) to Cheqroom. The Customer acknowledges that this is a fair estimate of the cost for hiring and training such staff members.

18.7 Special terms and conditions.

If the Customer wishes to modify and negotiate deviating terms and conditions to the Agreement, the Parties may agree to such special terms and conditions and attach them to the Commercial Order. In such case, Cheqroom undertakes to comply with the additional special terms and conditions, if applicable, as set out in the Commercial Order if and to the extent required by regulatory requirements.

18.8 Amendments

This Agreement may be modified or amended only by written agreement executed by a duly authorized representative of both Parties hereto.

Schedule 1 – Cheqroom Data Processing Agreement


INTRODUCTION


By means of this Schedule 1, Cheqroom (hereinafter “Cheqroom” or the “Processor”) and the Customer (hereinafter the “Customer”, the “Controller” or “you”) wish to lay down their rights and obligations with respect to the processing of Personal Data. The Controller and the Processor will be referred to together as the “Parties” and individually as a “Party” hereafter.

This DPA was drafted and entered into in order for the Parties to comply with the obligations set forth in the General Data Protection Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 (hereinafter the “GDPR”). This DPA contains the rights and obligations of the Controller and the Processor with regard to the processing of Personal Data.

These provisions form an integral part of the GT&Cs.

In the event of a contradiction between the provisions of this DPA and the Agreement (including the GT&Cs), this DPA shall prevail as to its subject matter. This DPA supersedes all previous agreements regarding the processing of Personal Data and data protection.

For the purpose of this DPA, terms defined in the GDPR, shall have the same meaning as set forth therein and any other capitalized term used but not defined in this DPA shall have the same meaning as ascribed to it in the Agreement.

ARTICLE 1: SUBJECT-MATTER OF THE AGREEMENT


1.1 Subject matter.
For the execution of the Agreement, the Controller wishes to entrust the Processor with the processing of Personal Data. The Processor shall process the Personal Data in name of and on behalf of the Controller.

1.2 The Processor performs the Professional Services in accordance with the provisions of this DPA.

1.3 Data Protection Legislation. Both Parties explicitly commit to comply with their obligations under the applicable Data Protection Laws and shall not do or omit anything that may cause the other Party to infringe the applicable Data Protection Laws.

1.4 Processing Activities. The processing carried out by the Processor in name and on behalf of the Controller relates to the Services performed by the Processor. The Processing Activities consist of:

  • Delivery and provision of the Professional Services and SaaS-platform
  • Storing and structuring a person’s (planned) use of equipment via Cheqroom
  • Tracking the access of a User to Cheqroom

1.5 Categories of Personal Data. The Personal Data that are processed are:

  • Personal identification data (such as first name, last name, e-mail address)
  • Electronic identification data (such as cookies, IP-address, etc.)
  • Username
  • Geographical area
  • Usage data

1.6 Data Subjects. The Data Subjects are

  • Cheqroom users of the Controller

1.7 Purposes, Nature and Legal Basis of the Processing. The Processor shall only process the Personal Data to ensure a good performance of the SaaS-Platform and the Professional Services as part of the Agreement in accordance with the provisions of this DPA. By extension, the Processor may use the Personal Data during the Agreement solely for its own internal purposes to further improve its SaaS-platform and Professional Services and to monitor the performance and stability of CHEQROOM, taking into account the GDPR principle of data minimization.

ARTICLE 2: DURATION OF THE PROCESSING


2.1 This DPA shall apply as long as the Processor processes Personal Data in name of and on behalf of the Controller as part of the Agreement. If the Agreement comes to an end this DPA will also automatically come to an end.

2.2 In the event of a breach of this DPA or the applicable provisions of the GDPR, the Controller can instruct the Processor to stop further processing of the Personal Data with immediate effect.

2.3 In the event of the end of the Agreement, or in the event of the Personal Data no longer being relevant for the provision of the SaaS-Platform and the performance of the Professional Services, the Processor shall anonymize or pseudonymize to a maximum extent the Personal Data it has received or obtained in the provision of the SaaS-Platform or the performance of the Professional Services and this solely for the following internal purposes:

  • To comply with legal obligations (i.e. statute of limitations of claims);
  • To further improve its SaaS-platform and Professional services.

ARTICLE 3: CONTROLLERS’ INSTRUCTIONS

3.1 The Processor processes the Personal Data only on the documented instructions of the Controller and in any case in accordance with the agreed Processing Activities as set out in Article 2.4 of this DPA in order to provide the SaaS-Platform and to perform the Professional Services. The Processor shall not further process the Personal Data subject to this DPA in a manner which is incompatible with these instructions and the provisions laid down in this DPA.

3.2 The Controller can make limited changes to the instructions unilaterally. The Processor shall be consulted before any significant changes are made to the instructions. Changes affecting the core of the Agreement and/or this DPA, must be agreed upon by both Parties.

3.3 The Processor processes the Personal Data in accordance with Article 3.1 of this DPA, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

ARTICLE 4: ASSISTANCE TO THE CONTROLLER


4.1 Compliance with legislation. The Processor shall provide all reasonable assistance to the Controller in ensuring its compliance with its obligations pursuant to the GDPR, taking into account the nature of processing and the information available to the Processor.

4.2 Personal Data Breach. In the case of a Personal Data Breach related to Personal Data being processed by the Processor, the Processor shall notify the Controller without undue delay (this is, if possible, within seventy-two (72) hours after the Processor becomes aware of a Personal Data Breach) via the contact point as appointed in accordance with this DPA.

This notification shall at least include following information:

  • The nature of the Personal Data Breach;
  • The categories of Personal Data that are affected;
  • The categories and approximate number of Data Subjects concerned;
  • The categories and approximate number of Personal Data records concerned;
  • The (alleged) cause, date on which the breach occurred (if no exact date is known: the period within which the breach occurred), the date and time on which the breach became known to the processor or to a sub-processor engaged by it, and the likely consequences of the Personal Data Breach;
  • Measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.3 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

4.4 In case the Processor makes use of a Subprocessor, the Processor shall require the Subprocessor to provide it with the same information when a Personal Data Breach takes place at the Subprocessor. The Processor shall promptly relay the information received from the Subprocessor to the Controller.

4.5 The Processor, its Subprocessor(s) and Controller shall appoint a single point of contact who shall be responsible for all communication in the event of an incident which has led or may lead to an accidental or non-authorized destruction or loss or a non-authorized access, alteration or transmission of the Personal Data processed on behalf of the Controller.

4.6 The Controller shall exclusively decide, at its own discretion and in compliance with the relevant and applicable data protection laws, whether or not Data Subjects whose Personal Data have been impacted by a Personal Data Breach shall be notified of this. It is the responsibility of the Controller to notify the Supervisory Authority of a Personal Data Breach.

4.7 The Parties, and if applicable the Subprocessor(s) shall ensure to work together in good faith to limit possible adverse effects of a Personal Data Breach and shall keep each other informed of any new developments regarding the Personal Data Breach and of the measures they are taking to mitigate its effects and prevent the recurrence of such breaches. In particular, the Processor shall, to the best of its ability, assist the Controller in respect to its obligations under Articles 33 and 34 of the GDPR, taking into account the nature of processing and the information available to the processor.

4.8 Further assistance. Furthermore, the Processor shall assist the Controller, in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor: (i) as it carries out a Data Protection Impact Assessment in accordance with Article 35 of the GDPR; (ii) as it consults the competent Supervisory Authority/ies prior to processing where a Data Protection Impact Assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk; (iii) the obligation to ensure that the Personal Data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated; and (iv) its obligations in Article 32 of the GDPR.

The Processor, at its own discretion, is free to charge additional costs for the performance of these services provided in accordance with Article 15 of this DPA. These costs shall at all times be in relation to the delivered performances. Such reimbursement by the Controller shall not be due if the Personal Data Breach is attributable to the Processor.

ARTICLE 5: INFORMATION OBLIGATIONS


5.1 The Parties shall be able to demonstrate compliance with this DPA.

5.2 The Processor shall provide the Controller, at any time upon request of Controller (however such request needs to be made giving the Processor a reasonable delay to comply with such request), with all information the Controller requires, at minimum with the information as determined by the provisions of this clause:

  • All relevant details regarding its own corporate structure, as well as accurate and up-to-date identifying information on all of Processor’s entities involved in the processing of Personal Data, including the location of their main establishment;
  • Without prejudice to what has been agreed in Article 8, the aspects of the processing that rely or intend to rely on the Services of a Subprocessor, as well as the identification data of a Subprocessor including the location of its main establishment, and the Processor shall relay to the Controller the agreement with the Subprocessor(s) which pertains or is relevant to the processing of Personal Data, unless where such agreement with the Subprocessor(s) contains Confidential Information, in which case it may remove such Confidential Information;
  • Geographical details of processing locations, including back-up and redundancy facilities;
  • The physical, organizational, technical and logical security measures that the Processor and its Subprocessor(s) have implemented, as set out in Article 10 and Annex 1 of this DPA.

ARTICLE 6: PROCESSORS’ OBLIGATIONS

6.1 The Processor shall handle all reasonable requests of the Controller concerning the processing of Personal Data related to this DPA, within a reasonable time and in a proper manner. Processor shall only accept such requests if they are submitted by the Cheqroom account owner. The Customer hereby accepts the above and authorizes its account owner to submit such requests in the name of the Customer.

6.2 The Processor guarantees that there are no obligations that arise from any applicable legislation that make it impossible to comply with the obligations of this DPA.

6.3 The Processor undertakes to not process Personal Data for another purpose than the performance of the Services and the compliance with the responsibilities of this DPA in accordance with the documented instructions of the Controller; if the Processor, for any reason, cannot comply with this requirement,.

6.4 The Processor shall notify the Controller without delay if he is of the opinion that an instruction from the Controller violates the applicable legislation related to data protection. The Processor shall be entitled to terminate the DPA in the event that, after the Processor has informed the Controller that its instructions infringe the applicable Data Protection Laws, the Controller insists on compliance with the instructions.

6.5 The Processor shall ensure that the access to, the inspection, the processing and the disclosure of Personal Data shall only take place in accordance with the principle of proportionality and the ‘need-to-know’ principle (i.e. data are only disclosed to the persons that require Personal Data for the provision of the SaaS-Platform and the performance of the Professional Services).

6.6 The Processor shall undertake to not disclose Personal Data to other persons than the employees of the Controller who need the Personal Data to comply with the obligations of this DPA, and shall ensure that the relevant employees shall commit themselves to confidentiality or are under a statutory obligation of confidentiality unless such disclosure is foreseen under the Agreement.

ARTICLE 7: CONTROLLERS’ OBLIGATIONS


7.1 The Controller shall render all assistance needed and shall cooperate in good faith with the Processor in order to ensure that all processing of Personal Data complies with the requirements of the GDPR particularly with the principles relating to processing of Personal Data.

7.2 The Controller shall agree with the Processor on appropriate communication channels in order to ensure that instructions, directions and other communications regarding Personal Data that are processed by the Processor on behalf of the Controller are well received between the Parties. The Parties shall appoint a single point of contact, as may be further specified in the Commercial Order. By default, the Controller's single point of contact shall be the Cheqroom account owner and all communications relating to this DPA shall be through that person.

7.3 The Controller warrants that it shall not issue any instructions, directions or requests to the Processor, which do not comply with the provisions of the GDPR.

7.4 Without prejudice to Article 14.2 of this DPA, the Controller shall render the assistance needed for the Processor and/or its Subprocessor(s) to comply with a request, order, inquiry or subpoena directed at the Processor or its Subprocessor(s) by a competent national governmental or judicial authority.

7.5 The Controller warrants that it shall not issue instructions, directions or requests to the Processor which would require the Processor and/or its Subprocessor(s) to violate any obligations imposed by applicable mandatory national law to which the Processor and/or its Subprocessor(s) are subject.

7.6 The Controller warrants that it shall cooperate in good faith with the Processor in order to mitigate the adverse effects of a security incident impacting Personal Data processed by the Processor and/or its Subprocessor(s) on behalf of the Controller.

ARTICLE 8: THE USE OF SUBPROCESSORS


8.1 The Controller acknowledges and agrees that the Processor has engaged Subprocessors to provide the SaaS-platform or to deliver the Professional Services. The Controller gives by means of this DPA his general authorization to the Processor for the engagement of the categories of Subprocessors as set out in Article 8.5 of this DPA. If the Processor wishes to change or involve a new category of Subprocessors, the Controller shall be notified thereof (at least one (1) month in advance), and shall be given the opportunity to communicate any reasonable concerns the Controller might have with such replacement or addition of a category of Subprocessors. The Controller may only reject a proposed category of Subprocessors on the basis of a written and well-founded justification and within a period of two (2) weeks after the Processor’s written notification.

8.2 The Controller can at all times request the Processor to disclose a more detailed list of the then current engaged Subprocessor(s), provided such disclosure does not constitute a breach of any confidentiality engagement or trade secret provision the Processor has entered into with the relevant Subprocessor. In the latter event, the Processor shall provide a formal justification in writing.

8.3 The Processor shall ensure that its Subprocessors will be bound to the same obligations, in substance, with respect to Personal Data as to which the Processor is bound by this DPA.

8.4 The Processor shall relay the purposes determined and instructions issued by the Controller in an accurate and prompt manner to the Subprocessor(s) when and where these purposes and instructions pertain to the part of the processing in which the Subprocessor(s) is(are) involved.

8.5 In accordance with Article 8.1 of this DPA, the Processor is expressly authorized to engage one or more of the following categories of Subprocessors in order to ensure the provision of the SaaS-platform and the performance of the Professional Services to the Data Subjects and the Client:

  • Individual (self-employed) consultants, contractors and freelancers engaged by the Processor to provide the SaaS-platform and/or the Professional Services;
  • Customer messaging platform and other communication and customer service providers;
  • Payment platform providers;
  • CRM-tool providers;
  • Hosting server providers (including without limitation cloud and storage providers);
  • Professional service providers (such as individual consultants, freelancers, lawyers, bankers, auditors, accountants, and insurers);
  • IT and security providers.

ARTICLE 9: RIGHTS OF THE DATA SUBJECTS

9.1 With respect to any request from Data Subjects regarding their rights concerning the processing of Personal Data pertaining to them by the Processor and/or its Subprocessor(s), the following conditions apply, taking into account the nature of the processing:

  • The Processor shall on a best efforts basis promptly inform the Controller of any request made by a Data Subject with regard to the Personal Data the Processor and/or its Subprocessor(s) processes on behalf of the Controller, without giving any consequence to such request unless explicitly authorized by the Controller to do so;
  • The Processor shall promptly and on a best efforts basis comply and shall require its Subprocessor(s) to promptly comply with any request made by the Controller in order for the Controller to comply with a request made by the Data Subject who wishes to exercise one of its rights;
  • The Processor shall, upon simple request of the Controller and upon best efforts basis render all assistance required and provide all information necessary for the Controller to defend its interests in any proceedings – legal, arbitral or others – brought against the Controller or its employees for any violation of fundamental rights to privacy and protection of Personal Data of Data Subjects.

9.2 The Controller shall reimburse the Processor in accordance with Article 15 of this DPA for services rendered in connection with this Article 9.

ARTICLE 10: SECURITY MEASURES

10.1 Throughout the term of this DPA the Processor shall have in place and maintain appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subject.

10.2 The Processor shall amongst others have in place technical and organizational measures against unauthorized and unlawful processing and shall on a regular basis evaluate and adjust if required, the appropriateness of the security measures.

10.3 More in particular, the Processor shall implement appropriate technical and organizational measures (set forth in Annex 1 to this DPA) to ensure a level of security appropriate to the risk, according to Article 32 of the GDPR.

10.4 In assessing the appropriate level of security, account was taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

10.5 The Processor has implemented robust information security policies and procedures to protect Personal Data from unauthorized access, alteration, disclosure or destruction and has implemented several layers of security measures (physical, logical, technical and organizational security measures).

10.6 If the Controller requests the Processor to implement specific technical and organizational measures, the Controller shall compensate the processor for the implementation of those measures in accordance with Article 15 of this DPA, limited to the extent that the Processor does not have equivalent measures in place.

10.7 The Controller shall provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing complies with the requirements set out in the GDPR and so that the protection of the rights of Data Subjects is ensured. These measures shall also include the measures referred to in Article 32 of the GDPR. The Controller shall only make Personal Data available to the Processor for processing if it has verified that the appropriate security measures are in place.

ARTICLE 11: AUDIT


11.1 The Processor acknowledges that the Controller is under the supervision of several/a Supervisory Authority/ies. The Processor acknowledges that the Controller and any involved Supervisory Authority will have the right to perform an audit at any time, and in any case during the normal office hours of the Processor, during the term of this DPA to assess whether the Processor is compliant to the GDPR and the provisions of this DPA. The Processor shall provide cooperation to the extent reasonably necessary.

11.2 The Controller shall only have a right to audit the Processor if the Controller has justifiable grounds to request such audit and if such grounds are communicated and demonstrated in writing to the Processor. Justifiable grounds shall mean a (strong presumption of a Personal Data Breach (and in the case of an actual data breach if such data breach has not been notified and no remediation actions have been taken), destruction of confidential Personal Data, material breach of any of the Processor’s obligations under this DPA). In such event and upon written request of the Controller, the Processor will provide an independent third party, certified auditor, appointed by the Controller or the involved Supervisory Authority access to the relevant parts of the administration of the Processor and all locations and information of interest of the Processor (and those of its agents, subsidiaries and sub-contractors) to determine if the Processor is compliant with the GDPR and the provisions of this DPA. On request of the Processor, the concerned parties shall agree to a confidentiality agreement.

11.3 The Controller shall take all appropriate measures to minimize any obstruction caused by the audit on the daily functioning of the Processor.

11.4 If there is an agreement between the Processor and the Controller on a material shortcoming in the compliance with the GDPR and/or the DPA, as revealed in the audit, the Processor shall recover this failure as soon as possible. The Parties can agree to have a plan in place, including a timescale to implement this plan, to respond to the shortcomings revealed in the audit.

11.5 The Controller will bear the costs of any performed audit in the meaning of this Article and shall reimburse the Processor in accordance with Article 15 of this DPA. However, when the audit has revealed that the Processor is manifestly not compliant with the GDPR and/or the provisions of this DPA, the Processor shall bear the costs of such audit.

ARTICLE 12: TRANSFER TO THIRD PARTIES

12.1 The transfer of Personal Data to Third Parties in any manner possible is prohibited, unless it is legally required or in case the Processor has obtained the explicit consent of the Controller to do so. In case a legal obligation applies to transfer Personal Data to Third Parties, the Processor shall, prior to the transfer, notify the Controller, unless such prior notification is legally prohibited on grounds of public interest.

ARTICLE 13: INTERNATIONAL TRANSFER


13.1 The Parties agree that Personal Data can only be transferred to and/or kept with the recipient outside the European Economic Area (“EEA”) in a country that does not fall under an adequacy decision issued by the European Commission by exception and only if necessary to comply with the obligations of this DPA.

13.2 Such transfer shall, in addition to what is set forth in this DPA, be governed by the terms of a data transfer agreement containing the standard contractual clauses for the transfer of personal data to third countries as adopted by the European Commission, or by other mechanisms foreseen by the applicable data protection law.

13.3 Controller expressly agrees that Personal Data may be transferred to Subprocessors and/or stored by said Subprocessors outside the EEA and even to or in a country not covered by an adequacy decision issued by the European Commission in order to provide the SaaS-Platform and the Professional Services, provided that the conditions of Article 13.2 are met.

ARTICLE 14: CONDUCT IN RELATION TO NATIONAL GOVERNMENTAL AND JUDICIAL AUTHORITIES


14.1 The Processor shall inform the Controller immediately of any request, order, inquiry or subpoena by a competent national governmental or judicial authority directed at the Processor or its Subprocessor which entails the communication of Personal Data processed by the Processor or a Subprocessor for and on behalf of the Controller.

14.2 Without prejudice to Article 14.1 of this DPA, the Processor warrants that there are, to the best of its knowledge, no obligations of applicable statutory law, which make it impossible for the Processor to comply with its obligations under this DPA.

ARTICLE 15: COSTS


15.1 The services performed under this DPA for which the Processor may charge the Controller will be charged on the basis of the amount of hours worked and the Processor's then standard hourly rates. The Processor will invoice these amounts on a monthly basis.

15.2 All payments by the Controller to the Processor shall be executed in accordance with the terms of the GT&Cs.

ARTICLE 16: LIABILITY


16.1 Without prejudice to the GT&Cs, the Processor is liable for the damage caused by processing only where it has not complied with the obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Controller.

16.2 A Party is only liable (whether contractual or in tort/delict (including default) for misconduct or otherwise) for verified shortcomings attributable to her. The liability of the Parties for a breach under this DPA, shall be limited to suffered foreseeable, direct and personal damages, with the exclusion of consequential damage (even if informed about the possibility of such consequential damage or if the likelihood of such consequential damage was reasonably foreseeable), where “consequential damage” means: damage or loss that did not derive directly and immediately from a breach of contract and/or extracontractual non-performance, but instead indirectly and/or after a certain lapse of time, including, but not limited to loss of income, interruption or stagnation of operations, increase of staff costs and/or the costs of staff cuts, damage consisting of or as a result of claims from third parties, lack of expected savings or advantages and loss of data, profit, time or income, loss of orders, loss of customers, increase of overhead costs, consequences of a strike, irrespective of the causes.

16.3 If it appears that both the Controller and the Processor are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing.

16.4 In any event the total liability of the Processor arising out of or in connection with this DPA shall, in respect of each event (or series of connected events) and each calendar year, be limited to the amount that equals the total amount of fees paid by the Controller to the Processor under the Agreement for a period not more than twelve (12) months immediately prior to the date of the event (or last of the series of connected events) giving rise to the claim. In no event shall the Processor be held liable if the Processor can prove he is not responsible for the event or cause giving rise to the damage.

16.5 The exclusions and limitations of liability under this Article 15 shall operate in favor of the Processor’s affiliates and Subprocessors to the same extent as these provisions operate in favor of the Processor. The Processor shall not be held liable for any damage or loss (whether or not caused by error, gross misconduct or willful misconduct) caused by a Third Party (including, but not limited to, third party software, hosting services, systems or tools). Notwithstanding the foregoing, the Processor will only be liable to the Controller to the extent of the amount it is able to recover from the Subprocessor or Third Parties.

16.6 The Controller shall indemnify, defend and hold harmless the Processor against all Third Party claims if it has failed to comply with or breached one or more obligations under the applicable Data Protection Laws. The Controller guarantees that the content, use and instructions for the processing of Personal Data referred to in this DPA are not unlawful and do not infringe the rights of Third Parties and shall indemnify the Processor against all claims related thereto.

ARTICLE 17: MISCELLANEOUS


17.1 The provisions of the GT&Cs regarding (among other things) amendments, entire agreement, applicable law and jurisdiction shall apply to this DPA.

17.2 If and to the extent any provision of this DPA is determined by a court or other public authority to be invalid or unenforceable, this shall not affect the remaining provisions of this DPA which shall remain valid and enforceable. The invalid or void provisions shall be restricted to the maximum extent permitted under applicable law.

ARTICLE 18: TERMINATION OF THE DPA

18.1 This DPA shall apply as long as the Processor processes Personal Data on behalf of the Controller.

18.2 In the event of breach of this DPA or the Regulation, the Controller can instruct the Processor to stop further processing of the information with immediate effect.

18.3 The Processor shall not store the data any longer than needed to perform the Service for which the data is provided. At the choice of Controller, the Processor shall delete or return all the Personal Data to the Controller after the end of the provision of the Professional Services and SaaS-platform in relation to processing, and deletes existing copies, and will certify that it has done so, unless Union or Member State law requires storage of the Personal Data. The Personal Data shall be provided to the Controller without charge, unless otherwise agreed upon. Notwithstanding the above, Processor reserves the right to archive the data of the Controller in order to comply with legal obligations and to be able to defend itself in court (i.e. statute of limitations).

18.4 The provisions that are expressly or impliedly (by their nature) intended to remain in effect after the termination of the DPA shall remain in effect after the termination.

Annex 1 – Technical and Organizational Measures

In accordance with Article 10 of Schedule 1 above, Cheqroom undertakes to implement technical and organizational measures such as set forth in this Annex 1.

The Processor utilizes third party data centers that maintain current ISO 27001 certifications. The Processor will not utilize third party data centers that do not maintain ISO 27001 certifications, or other substantially similar or equivalent certifications and/or attestations.

The following descriptions provide an overview of the technical and organizational security measures implemented. It should be noted however that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available.

It is acknowledged and agreed that the technical and organizational measures described therein will be updated and amended from time to time, at the sole discretion of the Processor.

Confidentiality


TOMs to ensure the confidentiality of the Personal Data processed by our equipment management platform CHEQROOM (“the Service”).

  • Data is encrypted in transit: data transmitted between the user's browser and the Service is always encrypted over HTTPS using TLS protocols with minimum 128-bit keys and using SHA256 certificates. The Processor uses modern, strong ciphers for encryption. Known-weak ciphers are explicitly disabled with regular protocol reviews. Data sent to third parties is always sent over encrypted connections. This mitigates the risk of deliberate data interception or accidental data leakage, for example man-in-the-middle attacks.
  • Data is encrypted at rest: data at rest, for example in backups or on the Processor's computers, is always encrypted using AES encryption with minimum 256-bit keys. This mitigates the risk of data falling into unauthorized hands, for example due to network exfiltration or stolen devices.
  • Data retention policies: the Processor maintains policies to ensure the minimal amount of Personal Data is retained and that Personal Data is not retained any longer than necessary. This mitigates the risk of accidental or deliberate disclosure of Personal Data.
  • The principle of least privilege access is embedded at all levels in the Processor, from staff down to operating system server processes. This ensures that only the data that is authorized to be processed may be accessed. This mitigates the risk of accidental or deliberate disclosure of Personal Data.
  • The data centers used by the Processor implement multiple physical access controls to prevent unauthorized people from physically accessing data processing equipment which processes or uses Personal Data.
  • The Processor only authorizes specific staff to access the Service's production systems. This mitigates the risk of accidental or deliberate disclosure of Personal Data.
  • The Controller's Personal Data is kept logically separate from other Personal Data (i.e. to keep the Controller’s Personal Data separate from the Personal Data from the Processor, any Subprocessor or any other third party). This mitigates the risk of accidental disclosure of Personal Data.

Integrity

TOMs to ensure the integrity of the Personal Data processed by the Service.

  • The Controller may view, update, and delete all their Personal Data held in the Service. This mitigates the risk of Personal Data becoming inaccurate or out of date and supports data subjects' right to rectification.
  • The principle of least privilege access is embedded at all levels in the Processor, from staff down to operating system server processes. This ensures that only the data that is authorized to be processed may be accessed. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Data.
  • The Processor only authorizes specific staff to access the Service's production systems. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Data.
  • The Processor maintains separate development and production systems utilizing different security tokens, passwords, and privileges. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Data.

Availability

TOMs to ensure the availability of the Personal Data processed by the Service.

  • The availability of the Service is monitored continually and the results are made publicly available at https://status.cheqroom.com. This supports the data protection principle of transparency. Automatic notifications are sent to the Processor in the event of the Service becoming unavailable so that the Processor may act to restore availability in a timely fashion.
  • The Processor only authorizes specific staff to access the Service's production systems. This mitigates the risk of accidental or deliberate interference with the Service which could affect availability.
  • If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage.
    Further TOMs including but not limited to those ensuring resilience.

Resilience

TOMs to ensure the resilience of the Personal Data processed by the Service.

  • Data is backed up regularly. This mitigates the risk of data loss, destruction or damage.
  • Data centers used by the Processor utilize multiple redundant network connections to major internet exchanges. This provides resilience in the face of adverse network conditions.
  • Data centers used by the Processor utilize redundant UPS power supplies supported by for example diesel generators for standby power. This mitigates the risk of power outages and provides resilience in the face of electrical supply problems.
  • Data centers used by the Processor utilize redundant air cooling systems to mitigate the risk of overheating computing and network equipment (such as, for example N + 2 air cooling systems).
  • Data centers used by the Processor utilize modern fire systems for prevention, detection and response with direct connections to the local fire service.
  • Data centers used by the Processor provide automatic protection against distributed denial of service (DDoS) attacks. This provides resilience in the face of network attacks whether directed against the Service or others on the network.
  • DNS services used by the Processor are built on distributed, redundant architectures. This provides resilience in the face of adverse network conditions.

General Technical measures

The Processor implements general technical measures, including but not limited to the following, to support the confidentiality, integrity, availability, and resilience of Personal Data.

Physical security

  • Office premises protected by locks.
  • All paper destroyed after use.
  • Old computer equipment securely formatted before disposal.

Device security

  • All computers and devices use full disk encryption.
  • All backup media use full disk encryption.
  • All computers and devices regularly updated and security-patched.
  • All passwords generated by and stored in an industry-leading password manager.

Network security

  • All networks are protected by firewalls.
  • All Personal Data that is transmitted, either to the Service or to a Third Party, is sent over encrypted networks.

System security

  • Policies, training and reminders to rotate all passwords and authentication keys regularly.
  • All servers regularly updated and security-patched.
  • All user passwords hashed with a one-way cryptographic hashing function with salt before storage.

Website security

  • All web traffic is protected by HTTPS / TLS and appropriate security headers.

Data center security

  • Manned 24hr/day all year.
  • Entry controlled via electronic access control terminals.
  • Continual high definition video surveillance.
  • All personnel movements recorded and documented.

Data security

  • Regular encrypted back-ups.
  • Data is deleted when no longer needed.

Software development

  • All developers are familiar with the OWASP Top Ten web application security risks.
  • All software must pass automated tests before deployment.
  • Data privacy is always a fundamental requirement for the Service's software.

General Organizational measures

Staff with access to Personal Data only process that data when instructed to do so and only within the scope of the instructions.

  • Staff (each to the extent applicable) are trained on:
    • responsibilities as a Controller and Processor under GDPR;
    • staff responsibilities for protecting Personal Data, including the collection, processing and use of Personal Data only within the framework and for the purposes of their duties (e.g. Service provision);
    • proper procedures to identify callers;
    • proper procedures to identify social engineering and phishing attacks;
    • security policies.
  • Personal Data is only accessed as needed and only when approved by the Controller (e.g. for support), or by technical staff for necessary support and maintenance of the Service.
  • Staff confidentiality agreements.
  • Only designated staff can access production systems.
  • Personal Data used for internal purposes only e.g. as part of the respective Customer relationship, may be transferred to a Third Party such as a Subcontractor, solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.
  • The transfer of Personal Data to a Third Party (e.g. customers, sub-contractors, service providers) is only made for the specific purposes. If Personal Data is transferred to companies located outside the EEA, the Processor shall take appropriate safeguards for such transfer.

Despite the above-described measures, the Controller acknowledges that there are always risks associated with sending Personal Data over the internet and that the security and protection of Personal Data can never be fully guaranteed, nor can it be guaranteed that unauthorized Third Parties will never be able to defeat those measures or use the Personal Data processed by the Processor for improper purposes.

For transfers to (sub-) processors:


Processor uses its best efforts to ensure that its Subprocessors undertake to implement (to the extent applicable) mutatis mutandis the technical and organizational measures as defined in this Annex 1, or such other measures resulting in an equivalent or higher level of protection of the transferred Personal Data, as deemed useful or necessary by such Subprocessors.