Solutions
Bloomberg Cheqroom Blog
Customer Story
How Bloomberg L.P. turned cumbersome spreadsheets into seamless workflows, boosting data accuracy and reducing equipment loss.
Bloomberg Cheqroom Blog
Customer Story
How Bloomberg L.P. turned cumbersome spreadsheets into seamless workflows, boosting data accuracy and reducing equipment loss.
Bloomberg Cheqroom Blog
Customer Story
How Bloomberg L.P. turned cumbersome spreadsheets into seamless workflows, boosting data accuracy and reducing equipment loss.
Bloomberg Cheqroom Blog
Customer Story
How Bloomberg L.P. turned cumbersome spreadsheets into seamless workflows, boosting data accuracy and reducing equipment loss.
Platform
PGA tour Cheqroom blog 3
Customer story
The PGA Tour traded its pen and paper for Cheqroom
PGA tour Cheqroom blog 3
Customer story
The PGA Tour traded its pen and paper for Cheqroom
PGA tour Cheqroom blog 3
Customer story
The PGA Tour traded its pen and paper for Cheqroom
PGA tour Cheqroom blog 3
Customer story
The PGA Tour traded its pen and paper for Cheqroom
Enterprise
Resources
View all
Asset tag website
Asset labeling for better identification
Asset tag website
Asset labeling for better identification
Pricing
Product tour Book demo Login

General Terms & Conditions

The following General Terms and Conditions (hereafter “GT&Cs”) apply to all business relationships between Parties.

If you are an employee (or contractor) of the Customer entering into the Agreement on behalf of the Customer, you represent and warrant that (i) you have full legal authority to bind the Customer to the Agreement; (ii) you have read and understand the Agreement; and (iii) you agree on behalf of the Customer to the Agreement.

The last update to the GT&Cs was posted on May 22, 2024.

Article 0 – Definitions
In this Agreement, the following concepts shall have the meaning described in this article (when written with a capital letter).

Active User: an individual who has registered for a User Account and who can log into the Platform to actively engage with its features and services. Active Users are also individually bound by the Terms of Use and other relevant provisions included in these GT&Cs.
Affiliate: any related subsidiaries, entities, and affiliates of a Party and any other entity that directly or indirectly controls, is controlled by, or is under common control with, that Party. For purposes of this definition, “control” means the direct or indirect power to direct the affairs of the other entity through at least 50% of the shares, voting rights, participation, or economic interest in this entity.

Agreement: the contractual relationship between Parties which is governed by these GT&Cs, the Offer, the DPA, including any annexes and/or schedules thereto, and any other applicable agreement between Parties.

Cheqroom: as applicable (i) if the Customer is located anywhere but the EU, including the USA, Cheqroom USA LLC, a limited liability company having its registered offices at 400 N Ashley Drive, Suite 2624, Tampa, FL 33602 (United States of America) and registered under EIN: 92-1661369, or (ii) if the Customer is located in the EU, Checkroom NV, a limited public liability company (“naamloze vennootschap” under Belgian law) having its registered offices at Wiedauwkaai 23x, 9000 Ghent (Belgium) and registered under company number 0504.999.915 (RLE Ghent, department Ghent). These two entities are considered Affiliates as defined in this Article.

Communication: any non-commercial communication concerning the Services by Cheqroom to the Customer (and, where appropriate, to its Users) via its Website, email, messages (e.g. banners) in the Platform, invoices and/or via any other appropriate means of communication;

Confidential Information: the information of a Party, whether in written, oral, electronic or other form, and which (i) is explicitly marked as confidential or proprietary, or (ii) should reasonably be considered confidential or is traditionally recognized to be of a confidential nature, regardless of whether or not it is expressly marked as confidential, including but not limited to, information and facts concerning business plans, customers, prospects, personnel, suppliers, partners, investors, affiliates or others, training methods and materials, financial information, marketing plans, sales prospects, client lists, inventions, program devices, discoveries, ideas, concepts, know-how, techniques, formulas, blueprints, software (in object and source code form), documentation, designs, prototypes, methods, processes, procedures, codes, and any technical or trade secrets, including all copies of any of the foregoing or any analyses, studies or reports that contain, are based on, or reflect any of the foregoing. The Confidential Information of Cheqroom shall include, without limitation, the Platform.

Customer: the legal entity that enters into the Agreement with Cheqroom and which is identified by the company details in the Offer.
Customer Account: the unique environment established by a Customer to enable its Users to access and use the Platform. It has its own configuration, a unique account number and includes all User Accounts associated with it, along with all Customer Data stored in them.

Customer Data: any data (information, files, records, or any other digital content), both personal and non-personal, which is entered and/or uploaded directly into the Customer Account by the Customer and its User(s) when using the Services, including data directly related to Passive Users and excluding data directly related to the Customer and its Active Users.

Customer Information: any information about the Customer Account, the Customer, the Active User(s) and User Account(s) which Cheqroom collects, manages and stores in the context of its Services, including, but not limited to: general business details, billing and payment data, Subscription specifics, marketing preferences, log records, etc.

Data Protection Laws: all applicable US and EU laws relating to the processing of Personal Data including the General Data Protection Regulation (Regulation (EU) 2016/679).

DPA: the data processing agreement which the Parties enter into as part of the Agreement and which is attached to the Agreement as Schedule 1.
Documentation: any documentation, tutorials or other materials regarding the Services provided by Cheqroom, available in the Platform and on the Website.
Hosting Partner: Amazon Web Services (“AWS”) (or such other provider of hosting services Cheqroom might contract in the future, as will be notified to the Customer from time to time).

Intellectual Property Rights: any and all now or hereafter existing (a) rights associated with works of authorship, including copyrights, copyrightable or mask work rights, neighboring rights and moral rights; (b) trademark or service mark rights; (c) trade secret rights; (d) patents, patent rights, rights to know-how and trade secrets, and industrial property rights; (e) layout design rights, design rights, topographic right (f) Internet domain names, (g) rights to software and computer software programs (including but not limited to source code and object code), rights to data, database sui generis right and documentation thereof; and other proprietary rights of every kind and nature other than trademarks, service marks, trade dress, and similar rights; whether registered or not and (h) all registrations, applications, renewals, extensions, or reissues of the foregoing, in each case in any jurisdiction throughout the world.

Offer: the offer with regard to the Services which Cheqroom presents to a potential customer with a view to concluding the Agreement and which includes, among other things: the initial Term, the initial price of the Subscription, the price of any Professional Services requested by the Customer and the billing cycle.

Party: a party to the Agreement, either Cheqroom or the Customer.

Passive User: an individual whose personal details, such as name and email address, are included in the Customer Account but who does not log in to the Platform to actively engage with the Platform’s features or services. Passive Users may be added to the Customer Account by Active Users for administrative or informational purposes, such as receiving notifications or updates related to the Platform.

Personal Customer Data: any Customer Account Data, both relating to Passive Users and third parties, regarded as 'personal data' within the meaning of the Data Protection Laws.

Personal Customer Information: any Customer Account Information, in particular related to Active Users, regarded as 'personal data' within the meaning of the Privacy Legislation.

Pricing Plans: the different paying plans with respect to the Subscription which Cheqroom offers and which the Customer can choose from. A non-exhaustive overview of the functionalities included in each Pricing Plan can be found on the Website.

Professional Services: the development, implementation and integration services or such other services in relation to the Platform as may be agreed between Customer and Cheqroom from time to time and set out in the Offer.

Platform: the proprietary ‘Cheqroom’ software as a service (SaaS) and related services, features, content, programs or applications (web-based or mobile) developed and owned by Cheqroom. The name ‘Cheqroom’ is registered and protected as European trademark with the European Union Intellectual Property Office (EUIPO), with trademark registration number 018681308.

Renewal Date: the date, after expiry of the previous Term, on which the Subscription is automatically renewed for an additional Term.
Services: the services provided by Cheqroom to the Customer in the context of the Agreement, including in particular the Subscription and, where appropriate, the Professional Services.

Subscription: the software license with regard to the Platform and all associated rights of use provided by Cheqroom to the Customer and its Users as stipulated in these GT&Cs, which is granted for a specified Term.

Subscription Fee: the recurring amount paid by the Customer for the Subscription based on the Pricing Plan selected.

Term: the initial or renewed term during which the Customer and its Users are granted the Subscription.

Terms of Use: the terms and conditions governing the use of the Platform by the Users.

Third Party: a natural or legal person, a government agency or other body, not being a Party to this Agreement or an Affiliate.

User: refers collectively to both Active and Passive Users.

User Account: an individual user account on the Platform that can be accessed by an Active User through their unique and personal login.

Website: Cheqroom’s official website is available at www.cheqroom.com. 

Article 1 - Applicability
1.1 These GT&Cs apply to all Offers, all use by the Customer of the Platform and all related services provided by Cheqroom, unless expressly agreed otherwise. The GT&Cs take precedence over all other conditions from the Customer or from a Third Party, even where it is stated therein that only those conditions may apply and even if they were not protested by Cheqroom.

1.2 Subject to the prior written approval by Cheqroom, the Customer shall have the right to sublicense the license granted under these GT&C’s to any of the Customer’s permitted Affiliates, under the following conditions: (i) the Customer shall inform the permitted Affiliate(s) of the provisions of these GT&C’s; (ii) the Customer shall enter into an agreement with the permitted Affiliate(s) where such permitted Affiliate(s) agree(s) to fully comply with the relevant provisions of these GT&C’s, as if the permitted Affiliate(s) were the Customer; (iii) the Customer shall be fully responsible and shall be fully liable for the actions and/or omissions of its permitted Affiliate(s) and any breach of the provisions of these GT&C’s by a permitted Affiliate shall be deemed to be a breach by the Customer; (iv) when a permitted Affiliate ceases to be an Affiliate the relevant sublicense granted hereunder to said permitted Affiliate shall immediately and automatically terminate. The former Affiliate shall conclude a new agreement with Cheqroom for the continued use of the Platform and/or Professional Services; (v) any sublicense of the Platform to a Party that is not (or ceases to be) a permitted Affiliate and/or to any Third Party, shall be deemed to be null and void and shall be deemed to be a material breach of these GT&C’s by the Customer; (vi) and the permitted Affiliate does not reside in a jurisdiction listed in the United States of America list of ‘Export Controlled or Sanctioned Countries, Entities and Persons’.

Article 2 – License to use the Platform
2.1 Subject to the timely payment of the Subscription Fees Cheqroom grants to the Customer a personal, restricted, non-exclusive, non-transferrable and non-assignable license to access and use the Platform strictly in accordance with the Offer and these GT&Cs. The Customer may use the Platform for its internal business purposes but may not commercialize it.

2.2 The Customer shall not: (i) make back-up copies of the Platform or Professional Services without Cheqroom’s authorization; (ii) arrange or create derivative works based on the Platform or Professional Services without Cheqroom’s express written consent; (iii) assign, distribute, sub-license, hire, transfer, sell, lease, rent, charge or otherwise deal in or encumber the Platform, or use the Platform on behalf of any Third Party or make them available to any Third Party, nor allow or permit a Third Party to do any of the same; (iv) copy, duplicate, reverse engineer, reverse compile, disassemble, record or otherwise reproduce the Platform or Professional Services or any part of them except as expressly provided in these GT&Cs; (v) remove or alter any copyright or other proprietary notice on any of the Platform or Professional Services.

2.3 Cheqroom reserves the right to update its Platform at any time, which may involve modifying or adjusting the functionalities offered. Cheqroom will make reasonable efforts to notify Customers of any material changes to the Platform through a Communication within a reasonable timeframe before implementing such changes.

2.4 Cheqroom grants to the Customer a non-exclusive, non-transferable license during the Term to reproduce copies of the Documentation solely for use by the Customer in connection to the license granted under Article 2.1. Cheqroom does not guarantee that any Documentation the Customer or its Users access on or through the Platform and/or Professional Services is or will continue to be accurate.

Article 3 – Professional Services 
3.1 Upon agreement between Parties, as specified in writing in the Offer (if applicable), Cheqroom may provide Professional Services to the Customer. Unless stated differently in the particular Offer, all Professional Services are charged as a fixed non-refundable fee.

3.2 Cheqroom shall exercise reasonable care and skill in performing the Professional Services. The obligation to perform the Professional Services shall be regarded as an obligation of means and shall not bind Cheqroom to achieve a predefined result. Cheqroom will provide Professional Services in complete independence. Any timelines included in the Offer or otherwise specified shall be deemed to be indicative only and shall not bind Cheqroom unless expressly agreed to be binding. The provision of the Professional Services is at all times subject to the cooperation of the Customer in good faith. In particular, and without prejudice to the generality of the foregoing, the Customer shall provide on a timely basis any accesses, approvals, business rules and information as necessary to allow Cheqroom to perform the Professional Services. Cheqroom shall not be responsible or held liable for any delay or failure in the provision of the Professional Services resulting from the Customer’s obligation to cooperate in good faith or to provide the necessary input. The scope of the Professional Services may only be changed in mutual agreement and such change(s) shall be documented in writing.

3.3 Cheqroom does not ensure that any Professional Services on the current Platform will remain compatible with any new release, version or hotfix of the Platform, which is used or will be used by the Customer. To the extent that one or more Professional Services are not fully compatible with any new release or version of the Platform, Cheqroom can agree to make changes as may be required to make them compatible with such a new release or version. Such changes will be subject to a separate Offer. In no event shall Cheqroom be obliged to provide Professional Services or assistance to Third Parties, engaged by the Customer.

3.4 The relationship between the Parties is that of independent contractors. Neither Party is an agent for the other and neither Party has any authority to make any contracts, whether expressly or by implication, in the name of the other Party, without that party’s prior written consent for express purposes connected with the performance of this Agreement. In no case shall the Customer exercise (or be deemed to exercise) partial or complete employer’s authority over Cheqroom’s personnel.

Article 4 – Maintenance, Support, Hosting and Upgrades
4.1 The Customer acknowledges that support services in relation to the Platform are provided during business hours on a best-efforts basis only. In such case, the Customer may notify a problem, or an incident related to the Platform to Cheqroom, and Cheqroom shall try to provide a resolution or workaround as soon as commercially possible. Cheqroom makes no warranty whatsoever to provide a resolution or workaround for each specific problem that could arise.

4.2 The Platform will be hosted in the datacenters of Cheqroom’s Hosting Partner and such hosting is subject to the applicable service offering of the Hosting Partner. Cheqroom does not warrant that the Platform shall be available on an uninterrupted basis and the Customer agrees that the Platform may be unavailable during periods of planned or unplanned maintenance undertaken by Cheqroom or the Hosting Partner. To the extent reasonably possible, Cheqroom shall notify Customer of any planned maintenance.

4.3 The Customer represents and warrants that it accepts the terms and conditions of the last version of the Hosting Partner’s terms of use as available on https://aws.amazon.com/agreeme.... The Customer, on behalf of its Users, gives the Hosting Partner the permission to process all personal data as contemplated by this Agreement.

4.4 The Customer agrees that its order of the Services is not contingent on the delivery of any future functionality or features of the Platform, or dependent on any oral or written public comments made by Cheqroom regarding future functionality or features of the Platform. The Customer acknowledges that new products or features are not automatically included in the license granted under this Agreement. An upgrade of the Subscription (cf. Art. 8.5) may be required before Customer can start using such products or features. Any practice to the contrary shall in no way constitute a free grant of an additional license to these products or features. 

Article 5 – Customer Data
5.1 All Customer Data is the sole property and responsibility of the person who originated the Customer Data. The Customer shall indemnify and hold Cheqroom harmless for any claims in relation to the Customer Data. The Customer represents that all Customer Data provided by any User is accurate, complete, up-to-date, and in compliance with all applicable laws, rules and regulations. The Customer acknowledges that all content, including the Customer Data, accessed by using the Platform is at the Customer’s own risk and the Customer shall be solely responsible for any damage or loss to the Customer or any other Party resulting therefrom. The Customer hereby represents and warrants that the Customer Data does not include any inappropriate content, malware or any other elements that could result in harm to Cheqroom or to Third Parties.

5.2 By submitting any Customer Data to the Platform, the Customer hereby grants Cheqroom a worldwide, non-exclusive, royalty-free, sub-licensable and transferable license to use, aggregate, reproduce, distribute, display, and perform the data made available by the Customer to the extent required for the performance of Cheqroom’s obligations under the Agreement. The latter includes the right for Cheqroom to use data derived from the use of the Platform, including but not limited to, information regarding the performance of the Customer’s network, applications and/or systems, data about transactions in the Customer’s network, and in general any data generated as a result of the use of the Platform, however solely for purposes of operating, maintaining and improving the Platform and/or Services. Additionally, Cheqroom may compile this data into non-identifiable aggregate forms for its business purposes, including, but not limited to, industry analysis, benchmarking, analytics, and marketing. This aggregated data will under no circumstances contain any information that can be linked back to the Customer, its Users, or any Third Party. Customer warrants to Cheqroom that the Customer data, when used by Cheqroom in accordance with this Agreement, will not infringe the Intellectual Property Rights or other legal rights of any person, and will not breach the provisions of any law, statute or regulation, in any jurisdiction and under any applicable law.

Article 6 - Intellectual Property
6.1 Cheqroom exclusively owns and retains all rights, titles, interests in and to all Intellectual Property Rights in or pertaining to its Platform (including the underlying software, computer programs, platforms, applications, algorithms, software code and methodology pertaining thereto), the Professional Services, its Website and all the documentation and materials pertaining or relating thereto (including any copies and portions thereof), whether in machine-readable or printed form, including but not limited to (i) all software and materials which are related to the Platform, the Professional Services, its Website, (ii) all modifications and customizations to, and derivative works, compilations or collective works of the Platform, and (iii) all related technical know-how. The Customer agrees to be bound by and observe the proprietary nature of the Platform. The Customer agrees not to remove, suppress or modify in any way any proprietary marking, including any trademark or copyright notice, on or in the Platform, or visible during its operation, or on media or any documentation. The Customer shall incorporate or reproduce such proprietary markings in any permitted back-up or other copies.

6.2 Cheqroom does not claim to have any intellectual right, title or interest in any of the images that may be uploaded to the Platform by the Customer. The Customer and its Users are responsible for all content uploaded to the Platform.

6.3 It is expressly understood, acknowledged and agreed that for any reasonable suggestions, comments and feedback regarding the Platform, the Customer grants Cheqroom a worldwide, non-exclusive, perpetual, irrevocable, royalty free, fully paid license to use such feedback freely for its own purposes.

6.4 The Platform may contain service marks or trademarks of Cheqroom, as well as those of its Affiliates or other companies, in the form of words, graphics, and logos. The use of the Platform by the Customer does not constitute any right or license for the Customer to use such service marks/trademarks, without the prior written permission of the corresponding service mark/trademark owner. The Platform is also protected under international copyright laws. The copying, redistribution, use or publication by the Customer of any portion of the Platform is strictly prohibited. The use of the Platform does not grant the Customer or the User ownership rights of any kind in the Platform.

6.5 Customer acknowledges that the Documentation is part of Cheqroom's intellectual property and agrees to accurately reproduce all proprietary notices, including any copyright notices, trademark notices or confidentiality notices, that are contained within any copies of the Documentation. 

Article 7 – Third Party Materials
7.1 The Platform may enable access to Third Party services and content (“Third Party Materials”); however such access does not imply any form of cooperation or association between Cheqroom and the relevant Third Party and/or Third Party Materials.

7.2 Third Party Materials may contain content that is governed by the additional licensing terms. This Agreement does not grant Customer any right to use such Third Party Materials, and use of these may require Customer’s acceptance of additional licensing terms or terms of service issued by the relevant Third Party (“Additional Third Party Terms”).

7.3 Accessing the Third Party Materials indicates Customer’s unconditional acceptance of the Additional Third Party Terms implies that Customer intends to be bound by such terms in its relationship with the relevant Third Party.

7.4 When accessing Third Party Materials via the Platform, Customer acknowledges and agrees that Cheqroom provides this access “as is” and “as available” and is not responsible for examining or evaluating the content, accuracy, completeness, timeliness, validity, copyright compliance, legality, decency, quality or any other aspect of such Third Party Materials. It is Customer’s duty to analyze and assess the reliability of the source of this information and the accuracy, completeness and other features of Third Party Materials.

7.5 Cheqroom reserves the right to change, suspend, remove, impose limitations on or disable access to any Third Party Materials at any time. In no event will Cheqroom be liable for the removal or disabling of access to any such Third Party Materials. 

Article 8 - Term, Billing and Payment

8.1 Each Subscription is entered into by the Customer for renewable Terms, the duration of which is specified in the Offer. If the Offer does not specify the Term, the Subscription is entered into for renewable one-year Terms.

8.2 The Subscription will be renewed automatically with subsequent Terms equal in duration to the initial Term after expiration of the applicable (initial or renewed) Term, unless the Agreement is terminated in accordance with Article 9.

8.3 Unless otherwise agreed in the Offer, the Customer will be charged a Subscription Fee to be paid before the beginning of each Term. When appropriate, the fee for Professional Services will be invoiced by Cheqroom immediately after the Customer agrees to the Offer.

8.4 Any promotions, commercial offers, discounts and announcements of Cheqroom communicated via the Website, via e-mail or in any other form (including, but not limited to catalogs, brochures, newsletters, folders and other publicity announcements), are entirely non-binding, and may only be regarded by the (potential) Customer as an invitation to order the Services, unless explicitly specified otherwise. Any commercial discounts on the standard prices which are granted orally (e.g. by telephone) must be confirmed in writing (e.g. on the corresponding invoice) to be valid. The (potential) Customer acknowledges that discounts shall only be applicable in accordance with the guidelines and conditions expressly stated in this regard. Such discounts are deemed to be granted on a one-off basis for the initial Term or the specified duration and shall thus not automatically apply to subsequent Terms and Offers. Any other practice to the contrary shall be regarded as a commercial gesture and shall only apply as long as it is not revoked by Cheqroom. The (potential) Customer acknowledges that discounts (as well as any other promotional gifts) cannot be accumulated, are personal by nature and can never give rise to acquired rights.

8.5 The Customer can upgrade its Subscription (i) in writing, by requesting to switch to a higher Pricing Plan or (ii) automatically, by increasing the number of items, workplaces and/or users above the limits of its current Pricing Plan. Upgrades do not affect the duration of the current Term. Upon upgrading, the Customer will immediately receive a pro rata invoice for the remaining portion of the current Term. Upgrades are always done at then-current prices.

8.6 Customer acknowledges and agrees that reducing the number of items, workplaces and/or users included in its Pricing Plan will not result in a downgrade of the Subscription. Downgrades may be granted only following the Customer's written request. Downgrades will not affect the invoice for the current term; instead, they will be applied starting from the invoice relating to the next Term following the Renewal Date.

8.7 The Customer acknowledges and agrees that it is not entitled to any refunds for (i) any portion of the Term during which it did not make use of the Platform, including in the event of late notice and consequent renewal of the Subscription, and (ii) in case of downgrades, any portion of the Term during which it could no longer make use of the features and/or items included in the original Subscription.

8.8 Cheqroom reserves the right to increase the Subscription Fee annually by giving the Customer at least 60 days’ notice through a Communication. Customer shall pay such increased Subscription Fee unless it has opted out of such price increase by providing Cheqroom written notice of its intention to cancel its Subscription no later than 30 calendar days before the new Subscription Fee takes effect.

8.9 The Customer expressly agrees to electronic invoicing, unless agreed otherwise in the Offer. All invoices under this Agreement will be sent to the electronic address provided by the Customer when ordering the Services. It’s the Customer's responsibility to keep its invoicing information up to date. The Customer is not discharged from its payment obligation and the consequences of late or non-payment in case Cheqroom prepares and sends an invoice using the Customer’s outdated invoicing information.

8.10 By subscribing to the Platform, the Customer gives Cheqroom the right to charge Customer’s credit card, or bill Customer via other payment methods, for the Subscription Fees and, where appropriate, the fees for any Professional Services ordered. For any change in the Subscription Fee due to requested additional services by the Customer, Cheqroom will automatically charge the Customer’s credit card that they provided or bill the Customer via other payment methods for the new rate on the next billing cycle.

8.11 All undisputed invoices (or parts thereof) must be paid and payment must be received within thirty (30) days after the invoice date. Disputes must be notified in writing to [email protected] (containing the reason for such disputes) within ten (10) business days after the invoice date. Failure to do so shall result in the invoice being deemed accepted by Customer.

8.12 Except in the event of a good faith dispute under article 8.11, if Customer fails to make payment when due, without limiting Cheqroom’s other rights and remedies: (a) Cheqroom may charge interest on the past due amount at a rate of 1.5% per month or, if lower, the highest rate permitted under applicable law; (b) Customer shall reimburse Cheqroom for all reasonable costs incurred by Cheqroom in collecting any late payments or interest, including attorneys’ fees; and (c) if such failure continues, Cheqroom may suspend Customer’s and its Users’ access to the Platform until such amounts are paid in full. The temporary suspension of access to the Platform does not affect the continuation of the Term.

8.13 The Customer will pay any and all applicable international, federal, state, and local sales, use, value-added, excise, duty, and any other taxes, fees, or duties not based on net income of Cheqroom that are assessed on or as a result of this Agreement. Any such taxes, (bank) fees, and duties collected by Cheqroom from the Customer on behalf of a governmental agency or financial institution shall not be considered a part of, a deduction from, or an offset against, payments due to Cheqroom under this Agreement.

8.14 All fees payable to Cheqroom under this Agreement shall be paid without the right to set off or counterclaim and free and clear of all deductions or withholdings whatsoever, unless the same are required by law, in which case the Customer undertakes to pay Cheqroom such additional amounts as are necessary in order that the net amounts received by Cheqroom after all deductions and withholdings shall not be less than such payments would have been in the absence of such deductions or withholding. Sums stated to be payable under this Agreement do not include any applicable value added tax or other taxes, which shall be additionally charged to the Customer.

8.15 For Customers located outside the EU, including those in the USA and other non-EU countries, all prices and fees will be displayed and invoiced in United States Dollars (USD). For Customers located within the EU, all prices and fees will be displayed and invoiced in Euros (EUR).

Article 9 - Termination
9.1 Termination for cause by Cheqroom. 
a) Cheqroom may terminate the Agreement or suspend access to the Platform, Professional Services and/or User rights granted hereunder by written notice to the Customer if the Customer fails to pay Cheqroom the Subscription Fee before the due date or violates these GT&Cs (or other terms of the Agreement) and the Customer fails to cure such failure to pay or breach within fifteen (15) days from the date of such notice. 
b) Cheqroom is entitled to immediately terminate - or alternatively, at Cheqroom’s discretion, suspend - one or more of the licenses granted under the GT&Cs for material breach by the Customer, without any formalities being required and without prejudice to any other right or remedy available to Cheqroom pursuant to these GT&Cs or under applicable law. The Customer acknowledges and agrees that any of the following shall be considered material breaches: (i) use of the Platform outside the scope of the license as set forth in the Agreement, unless such use has been expressly approved in writing by a duly authorized representative of Cheqroom (ii) the misuse of system resources, and (iii) any case in which Cheqroom reasonably suspects that the Customer is using the Platform to break the law or infringe Third Party rights.

9.3 Termination for cause by either Party. 
Either Party may terminate these GT&Cs by written notice to the other, effective as of the date of delivery of such notice, if the other Party becomes the subject of a voluntary or involuntary bankruptcy, insolvency or similar proceeding or otherwise liquidates or ceases to do business.

9.4 Termination for convenience by the Customer. 
The Customer may terminate the Agreement at the latest thirty (30) days before the end of the then current Term. Such termination will take effect at the end of the relevant Term. As a result, the Subscription will not automatically renew.

9.5 Consequences of termination. 
The Customer understands that if the Customer terminates the Agreement, the Customer will lose access to the Platform and any Customer Data the Customer has provided thereon. The Customer understands that Cheqroom is not required to provide it with copies of such Customer Data nor continue to maintain copies of such Customer Data on the Platform. Cheqroom will not retain Customer Data beyond a term of one (1) year after termination of the Agreement.

Article 10 - Confidentiality
10.1 Each Party must treat the Confidential Information received from the other with the strictest confidentiality, in the same way it would treat its own Confidential Information, and not below an adequate level of protection. No Party shall disclose Confidential Information to any Third Party, other than an employee, (independent) service provider, director or agent, to whom the Professional Services and/or Platform will be made available, and who will be able to use the Services and Platform as Users. Confidential Information disclosed under the Agreement shall not be used by the recipient thereof for any purpose other than as required for the performance of its obligations under the Agreement. The Customer Data will be treated in the strictest confidence and will be regarded as Confidential Information, however, taking into account the provisions of Article 5.2.

10.2 The Customer shall take precautions to maintain the confidentiality of the Confidential Information and in particular the Customer covenants that he: (i) shall not copy or otherwise exploit any component of the Confidential Information other than as herein provided, nor make any disclosures with reference thereto to any Third Party; (ii) shall ensure that all copies of the Confidential Information (made in accordance with the provisions of these GT&Cs) contain a permanently legible reproduction of Cheqroom’s copyright notice and a confidentiality notice.

10.3 The provisions of this article shall not apply to any secret or information which: (i) is published or comes into the public domain other than by a breach of these GT&Cs or, (ii) can be shown to have been known by the receiving Party before disclosure by the disclosing Party or, (iii) is lawfully obtained from a Third Party or, (iv) can be shown to have been created by the receiving Party independently of the disclosure and other than as part of the project.

10.4 If a receiving Party becomes aware that it will be required, or is likely to be required, to disclose Confidential Information in order to comply with applicable laws or regulations or with a court or administrative order, it shall, to the extent it is lawfully able to do so, prior to any such disclosure, notify the disclosing Party and comply with the disclosing Party’s reasonable instructions to protect the confidentiality of the information.

Article 11 - Privacy and Data Protection
11.1 Cheqroom processes Personal Customer Information for a number of its own purposes (mainly to provide the Services, but e.g. also to send newsletters and other marketing communications). Cheqroom acts as a ‘data controller’ within the meaning of the Data Protection Laws for these processing activities. Cheqroom’s privacy statement includes all relevant information about the way in which Cheqroom handles Personal Customer Information in its capacity as a data controller (including: the purposes of data processing, the type(s) of personal data to be processed, the period for which they are retained, the recipients of the data, etc.). Cheqroom’s privacy statement must be read together with Cheqroom’s cookie policy. By entering into an Agreement with Cheqroom the Customer is deemed to have read the privacy statement and to understand its content. Cheqroom shall comply with the applicable Data Protection Laws when processing Personal Customer Information.

11.2 Customer acknowledges that it shall act as ‘data controller’ and Cheqroom as ‘data processor’ within the meaning of the Data Protection Laws for the processing of Personal Customer Data. Cheqroom shall process such Personal Customer Data in accordance with the DPA as set forth in Schedule 1 to these GT&Cs. 
11.3 Customer represents and warrants to Cheqroom that it has the legal right to disclose any personal data that it makes available to Cheqroom under or in connection with this Agreement.

11.4 If any changes or prospective changes to the Data Protection Laws result or will result in one or both Parties not complying with the Data Protection Laws in relation to processing of personal data carried out under this Agreement, then the Parties shall use their best endeavors promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.

Article 12 – Publicity
12.1 Unless agreed otherwise in writing, Cheqroom shall have the right to use any trademarks or other marks of Customer (including Customer’s corporate name) for marketing or promotion purposes, such as (but not limited hereto) client references on Cheqroom’s Website, announcement of Customer as a new customer and sales presentations.

Article 13 – Warranties 
13.1 Insofar and to the fullest extent permitted under applicable law, the Platform is provided “as-is,” “as available”. Cheqroom does not make any other representations or warranties, express or implied, concerning any matter under this Agreement and, to the maximum extent permitted by applicable law, Cheqroom disclaims any representations or warranties, express or implied, including (without limitation) any implied warranties of accuracy or completeness of data, fitness for a particular purpose, merchantability, or non-infringement.

13.2 Without prejudice to the foregoing, the Customer understands and agrees that the use of the Platform is at the Customer’s own risk and that the Customer will be solely responsible for its use thereof and any damages to the Customer.
13.3 No advice or information, whether oral or written, obtained by the Customer from Cheqroom through the Platform shall create any warranty, representation or guarantee not expressly stated in the Agreement.

Article 14 – Limitations of Liability
14.1 The limitations and exclusions of liability set out in this article and elsewhere in the Agreement govern all liabilities arising under this Agreement or relating to the subject matter of this Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in this Agreement.

14.2 Neither Party shall be liable to the other Party in respect of any losses arising out of a force majeure event, except otherwise provided in the Agreement. A force majeure event means an event, or a series of related events, that is outside the reasonable control of the Party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any Third Party, social strikes or actions, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars).

14.3 Subject to the maximum extent permitted by applicable law, Cheqroom’s liability under this Agreement in respect of each event and each calendar year (or series of connected events) shall not exceed the Subscription Fees paid by the Customer to Cheqroom under the present Agreement for a period of six (6) months prior to the date of the event (or last of the series of connected events) giving rise to the claim.

14.4 Under no circumstances shall Cheqroom be liable to the Customer for any indirect, punitive, special consequential or similar damages (including damages for loss of profit, anticipated savings, lost revenue or income, loss of use or production, loss of business, loss or corruption of data, loss of database or software, loss of customers and contracts, loss of goodwill, the cost of procuring replacement goods or services, and reputational damage) whether arising from negligence, breach of contract or of statutory duty or otherwise howsoever, and Third Parties’ claims. Each Party shall have the duty to mitigate damages.

Article 15 – Indemnification
15.1 Cheqroom shall defend and indemnify Customer against any founded and well-substantiated claims brought by Third Parties to the extent such claim is based on an infringement of the Intellectual Property Rights of such Third Party by the Platform and excluding any claims resulting from (i) Customer’s unauthorized use of the Platform; (ii) Customer’s or any Third Party’s modification of the Platform; and/or (iii) Customer’s unauthorized use of Third Party Materials.

15.2 Such indemnity obligation shall be conditional upon the following: (i) Cheqroom is given prompt written notice of any such claim; (ii) Cheqroom is granted sole control of the defense and settlement of such a claim; (iii) upon Cheqroom’s request, Customer fully cooperates with Cheqroom in the defense and settlement of such a claim, at Cheqroom’s expense; and (iv) Cheqroom makes no admission as to Cheqroom’s liability in respect of such a claim, nor does Customer agree to any settlement in respect of such a claim without Cheqroom’s prior written consent. Provided these conditions are met, Cheqroom shall indemnify Customer for the damages and costs incurred by Customer as a result of such a claim, as awarded by a competent court of final instance, or as agreed to by Cheqroom pursuant to a settlement agreement.

15.3 In the event the Platform, in Cheqroom’s reasonable opinion, is likely to or become the subject of a Third-Party infringement claim, Cheqroom shall have the right, at its sole option and expense to: (i) modify the ((allegedly) infringing part of the) Platform so that it becomes non-infringing while preserving equivalent functionality; (ii) obtain for Customer a license to continue using the Platform in accordance with this Agreement; or (iii) terminate the relevant Agreement and pay to Customer an amount equal to a pro rata portion of the Subscription Fee paid to Cheqroom hereunder for that portion of the Platform which is the subject of such infringement.

15.4 The foregoing states the entire liability and obligation of Cheqroom and the sole remedy of Customer with respect to any infringement or alleged infringement of any Intellectual Property Rights caused by the Platform or any part thereof.

15.5 Customer shall indemnify, defend and hold harmless Cheqroom, its Affiliates, and its officers, directors, employees and agents from and against any loss, expense, cost (including reasonable attorney’s fees), liability, damage or claim by a Third Party made against any of said indemnitees to the extent arising in connection with Customer’s (including, without limitation, any of its Affiliates and its or their officers, directors, employees or agents) use of the Platform, its infringement of any Third Party Intellectual Property Rights or Third Party Materials, gross negligence or willful misconduct, fraud, and breach of any representation or warranty made under this Agreement.

Article 16 – Formal notices
16.1 All notices required to be given by Cheqroom to the Customer under this Agreement shall be sufficient if done via a Communication using the Customer’s last known contact information (possibly provided when the Customer first registered). The Customer is expected to keep its contact information up to date. Cheqroom cannot be held responsible if a Customer has not received a particular Communication because the available contact information was no longer correct.

Article 17 - Dispute Settlement
17.1 Parties shall exercise reasonably good faith efforts to resolve any dispute, controversy or claim arising in connection with this Agreement. Whenever necessary or opportune the Parties shall escalate the dispute to the next business level. For the avoidance of doubt, the dispute resolution shall have no impact on the Parties’ termination rights and the Parties’ other rights under the Agreement.

17.2 When Parties have not been able to resolve their dispute amicably after sixty (60) days, the legal controversy or legal claim arising out of or relating to the GT&Cs and/or the Platform shall be settled by the competent courts in accordance with Article 18.1.

17.3 Any cause of action by the Customer with respect to the Platform, must be instituted within one (1) year after the cause of action arose or be forever waived and barred.

Article 18 - Miscellaneous
18.1 Applicable law and competent courts. 
As applicable, the Agreement shall be governed by and construed in accordance with (i) the laws of the State of Delaware, United States of America if Cheqroom USA LLC is a Party to the Agreement or (ii) the laws of Belgium if Checkroom NV is a Party to the Agreement, without regard to conflict of law principles. The United Nations Convention for the International Sale of Goods shall not apply to this Agreement. The Parties hereto submit to the exclusive jurisdiction of the competent courts of (i) the State of Delaware if the laws of the State of Delaware apply or (ii) Ghent, department of Ghent if the laws of Belgium apply.

18.2 Severability. 
Should any part of the Agreement be held invalid or unenforceable, that portion shall be construed consistent with applicable law and the remaining portions shall remain in full force and effect. To the extent that any content in the Platform conflicts or is inconsistent with the Agreement, the Agreement shall take precedence.

18.3 No waiver. 
Cheqroom’s failure to enforce any provision of the Agreement shall not be deemed a waiver of such provision nor of the right to enforce such provision.

18.4 Survival. 
The rights of Cheqroom under the Agreement shall survive the termination of the Agreement.

18.5 Assignment.
Cheqroom may freely assign or transfer this Agreement to any of its respective Affiliates, or as part of a merger, consolidation, sale of all or substantially all assets, or other change of control transaction. Customer may not assign or transfer any of its rights or obligations under this Agreement without obtaining the prior written consent of Cheqroom, which shall be requested in writing and shall disclose the identity of the prospective transferee. Subject to any restrictions on assignment herein contained, the provisions of the Agreement shall inure to the benefit of and shall be binding upon the Parties hereto and their respective heirs, legal representatives, successors and assignees.

18.6 Non-solicitation
During the Agreement and until twenty-four (24) months after termination, both Parties agree not to hire any staff member from the other Party directly or indirectly as an employee or on any other basis, nor will either Party attempt to do so. In the context of this article, the term “staff member” means all personnel, employees, or other persons, such as freelancers or subcontractors. Should either Party act in breach of this article, the breaching Party will be liable to pay a lump sum of fifty thousand euros (€50,000) to the other Party. The Parties acknowledge that this is a fair estimate of the cost for hiring and training such staff members. This clause shall not apply if the staff member seeks employment with the other Party in response to a public advertisement or job posting.

18.7 Special terms and conditions. 
If the Customer wishes to modify and negotiate deviating terms and conditions to the Agreement, the Parties may agree to such special terms and conditions and attach them to the Offer. In such case, Cheqroom undertakes to comply with the additional special terms and conditions, if applicable, as set out in the Offer if and to the extent required by regulatory requirements.

18.8 Amendments
This Agreement may be modified or amended only by written agreement executed by a duly authorized representative of both Parties hereto.

Schedule 1 – Cheqroom Data Processing Agreement

INTRODUCTION

By means of this Schedule 1, Cheqroom (hereinafter the “Processor”) and the Customer (hereinafter the “Controller”) wish to lay down their rights and obligations with respect to the processing of Personal Data. The Controller and the Processor will be referred together as the “Parties” and individually as a “Party”.

This DPA was drafted and entered into in order for the Parties to comply with the obligations set forth in the General Data Protection Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 (hereinafter the “GDPR”). This DPA contains the rights and obligations of the Parties with regard to the processing of Personal Data.

These provisions form an integral part of the GT&Cs.

In the event of a contradiction between the provisions of this DPA and the GT&Cs, this DPA shall prevail. This DPA supersedes all previous agreements regarding the processing of Personal Data and data protection.

For the purpose of this DPA, terms defined in the GDPR, shall have the same meaning as set forth therein and any other capitalized term used but not defined in this DPA shall have the same meaning as ascribed to it in the GT&Cs.

ARTICLE 1: SUBJECT-MATTER OF THE AGREEMENT

1.1 Subject matter. For the execution of the Agreement, the Controller wishes to entrust the Processor with the processing of Personal Data, more specifically Personal Customer Data. The Processor shall process the Personal Customer Data in name of and on behalf of the Controller.

1.2 The Processor performs the Professional Services in accordance with the provisions of this DPA.

1.3 Data Protection Laws. Both Parties explicitly commit to comply with their obligations under the applicable Data Protection Laws and shall not do or omit anything that may cause the other Party to infringe the applicable Data Protection Laws.

1.4 Processing Activities. The processing carried out by the Processor in name and on behalf of the Controller relates to the Services performed by the Processor. The Processing Activities consist of: Storing and structuring Personal Customer Data in the cloud; Making the Personal Customer Data readily available, editable, exportable and analyzable for the Controller in the Customer Account; Make back-ups of the Personal Customer Data for disaster recovery purposes.

1.5 Personal Customer Data. Processor is expected to process the following Personal Customer Data: Personal identification data (such as first name, last name, e-mail address, phone number); and Any other Personal Data included in custom fields added to the Customer Account or in documents uploaded to the Customer Account. The Processor does not, under any circumstances, expect to collect any special categories of Personal Data as defined in the GDPR, including, but not limited to: information about the Data Subject’s health, race, political opinions, religious or other beliefs, sexual orientation, etc. The responsibility for any processing of such sensitive Personal Data through the Customer Account rests entirely with the Controller.

1.6 Data Subjects. The Personal Customer Data relates to the following Data Subjects: Passive Users Third parties (non-users) whose Personal Data is entered into the Platform by Active Users

1.7 Purposes, Nature and Legal Basis of the Processing. The Processor shall only process the Personal Customer Data to ensure a good performance of the Services as part of the Agreement in accordance with the provisions of this DPA. By extension, the Processor may use the Personal Customer Data during the Agreement solely for its own internal purposes to further improve its Services and to monitor the performance and stability of the Platform, taking into account the principle of data minimization. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries issued by the European Commission on 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

ARTICLE 2: DURATION OF THE PROCESSING

2.1 This DPA shall apply as long as the Processor processes Personal Customer Data in name of and on behalf of the Controller as part of the Agreement. If the Agreement comes to an end this DPA will also automatically come to an end.

2.2 In the event of a breach of this DPA or the applicable provisions of the GDPR, the Controller can instruct the Processor to stop further processing of the Personal Customer Data with immediate effect.

2.3 In the event of the end of the Agreement, or in the event of the Personal Customer Data no longer being relevant for the provision of the Services, the Processor shall anonymize or pseudonymize to a maximum extent the Personal Customer Data it has received or obtained and this solely for the following internal purposes: To comply with legal obligations (i.e. statute of limitations of claims); To further improve its Services.

ARTICLE 3: CONTROLLERS’ INSTRUCTIONS

3.1 The Processor processes the Personal Customer Data in accordance with the documented instructions of the Controller and in any case in accordance with the agreed Processing Activities as set out in Article 1.4 of this DPA in order to provide the Services. The Processor shall not process the Personal Customer Data subject to this DPA in a manner which is incompatible with these instructions and the provisions laid down in this DPA.

3.2 The Controller can make limited changes to the instructions unilaterally. The Processor shall be consulted before any significant changes are made to the instructions. Changes affecting the core of the Agreement and/or this DPA, must be agreed upon by both Parties.

3.3 The Processor processes the Personal Customer Data in accordance with Article 3.1 of this DPA, including with regard to transfers of Personal Customer Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. ARTICLE 4: ASSISTANCE TO THE CONTROLLER

4.1 Compliance with legislation. The Processor shall provide all reasonable assistance to the Controller in ensuring its compliance with its obligations pursuant to the GDPR, taking into account the nature of processing and the information available to the Processor.

4.2 Personal Data Breach. In the case of a Personal Data Breach related to Personal Customer Data being processed by the Processor, the Processor shall notify the Controller without undue delay (this is, if possible, within seventy-two (72) hours after the Processor becomes aware of a Personal Data Breach) via the contact point as appointed in accordance with this DPA. This notification shall at least include following information: The nature of the Personal Data Breach; The categories of Personal Data that are affected; The categories and approximate number of Data Subjects concerned; The categories and approximate number of Personal Customer Data records concerned; The (alleged) cause, date on which the breach occurred (if no exact date is known: the period within which the breach occurred), the date and time on which the breach became known to the Processor or to a Sub-Processor engaged by it, and the likely consequences of the Personal Data Breach; Measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.3 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

4.4 In case the Processor makes use of a Sub-Processor, the Processor shall require the Sub-Processor to provide it with the same information when a Personal Data Breach takes place at the Sub-Processor. The Processor shall promptly relay the information received from the Sub-Processor to the Controller.

4.5 The Processor, its Sub-Processor(s) and Controller shall appoint a single point of contact who shall be responsible for all communication in the event of an incident which has led or may lead to an accidental or non-authorized destruction or loss or a non-authorized access, alteration or transmission of the Personal Customer Data processed on behalf of the Controller.

4.6 The Controller shall exclusively decide, at its own discretion and in compliance with the relevant and applicable Data Protection Laws, whether or not Data Subjects whose Personal Data has been impacted by a Personal Data Breach shall be notified of this. It is the responsibility of the Controller to notify the Supervisory Authority of a Personal Data Breach.

4.7 The Parties, and if applicable the Sub-Processor(s) shall ensure to work together in good faith to limit possible adverse effects of a Personal Data Breach and shall keep each other informed of any new developments regarding the Personal Data Breach and of the measures they are taking to mitigate its effects and prevent the recurrence of such breaches. In particular, the Processor shall, to the best of its ability, assist the Controller in respect to its obligations under Articles 33 and 34 of the GDPR, taking into account the nature of processing and the information available to the Processor.

4.8 Further assistance. Furthermore, the Processor shall assist the Controller, in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor: (i) as it carries out a Data Protection Impact Assessment in accordance with Article 35 of the GDPR; (ii) as it consults the competent Supervisory Authority/ies prior to processing where a Data Protection Impact Assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk; (iii) the obligation to ensure that the Personal Customer Data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the Personal Customer Data it is processing is inaccurate or has become outdated; and (iv) its obligations in Article 32 of the GDPR. The Processor, at its own discretion, is free to charge additional costs for the performance of these services provided in accordance with Article 15 of this DPA. These costs shall at all times be in relation to the delivered performances. Such reimbursement by the Controller shall not be due if the Personal Data Breach is attributable to the Processor.

ARTICLE 5: INFORMATION OBLIGATIONS

5.1 The Parties shall be able to demonstrate compliance with this DPA.

5.2 The Processor shall provide the Controller, at any time upon request of Controller (however such request needs to be made giving the Processor a reasonable delay to comply with such request), with all information the Controller requires, at minimum with the information as determined by the provisions of this clause: All relevant details regarding its own corporate structure, as well as accurate and up-to-date identifying information on all of Processor’s entities involved in the processing of Personal Customer Data, including the location of their main establishment; Without prejudice to what has been agreed in Article 8, the aspects of the processing that rely or intend to rely on the Services of a Sub-Processor, as well as the identification data of a Sub-Processor including the location of its main establishment, and the Processor shall relay to the Controller the agreement with the Sub-Processor(s) which pertains or is relevant to the processing of Personal Customer Data, unless where such agreement with the Sub-Processor(s) contains Confidential Information, in which case it may remove such Confidential Information; Geographical details of processing locations, including back-up and redundancy facilities; The physical, organizational, technical and logical security measures that the Processor and its Sub-Processor(s) have implemented, as set out in Article 10 and Annex 1 of this DPA.

ARTICLE 6: PROCESSORS’ OBLIGATIONS

6.1 The Processor shall handle all reasonable requests of the Controller concerning the processing of Personal Customer Data related to this DPA, within a reasonable time and in a proper manner. Processor shall only accept such requests if they are submitted by the owner of the Customer Account. The Controller hereby accepts the above and authorizes its account owner to submit such requests in the name of the Controller.

6.2 The Processor guarantees that there are no obligations that arise from any applicable legislation that make it impossible to comply with the obligations of this DPA.

6.3 The Processor undertakes to not process Personal Customer Data for another purpose than the performance of the Services and the compliance with the responsibilities of this DPA in accordance with the documented instructions of the Controller.

6.4 The Processor shall notify the Controller without delay if it is of the opinion that an instruction from the Controller violates the Data Protection Laws. The Processor shall be entitled to terminate the DPA insofar in the event, after having informed the Controller that its instructions infringe the applicable Data Protection Laws, the Controller insists on compliance with the instructions. 6.5 The Processor shall ensure that the access to, the inspection, the processing and the disclosure of Personal Customer Data shall only take place in accordance with the principle of proportionality and the ‘need-to-know’ principle (i.e. Personal Customer Data is only disclosed to the persons that require such access for the provision of the Services).

6.6 The Processor shall undertake to not disclose Personal Customer Data to other persons than the employees of the Controller who need such access to comply with the obligations of this DPA, and shall ensure that the relevant employees shall commit themselves to confidentiality or are under a statutory obligation of confidentiality unless such disclosure is foreseen under the Agreement.

ARTICLE 7: CONTROLLERS’ OBLIGATIONS

7.1 The Controller shall render all assistance needed and shall cooperate in good faith with the Processor in order to ensure that all processing of Personal Customer Data complies with the requirements of the Data Protection Laws.

7.2 The Controller shall agree with the Processor on appropriate communication channels in order to ensure that instructions, directions and other communications regarding Personal Customer Data that is processed by the Processor on behalf of the Controller is well received between the Parties. By default, the Controller’s single point of contact shall be the owner of the Customer Account and all communications relating to this DPA shall be through that person.

7.3 The Controller warrants that it shall not issue any instructions, directions or requests to the Processor, which do not comply with the provisions of the Data Protection Laws or which would require the Processor and/or its Sub-Processor(s) to violate any obligations imposed by applicable mandatory national law to which the Processor and/or its Sub-Processor(s) are subject.

7.4 Without prejudice to Article 14.2 of this DPA, the Controller shall render the assistance needed for the Processor and/or its Sub-Processor(s) to comply with a request, order, inquiry or subpoena directed at the Processor or its Sub-Processor(s) by a competent national governmental or judicial authority.

7.5 The Controller warrants that it shall cooperate in good faith with the Processor in order to mitigate the adverse effects of a security incident impacting Personal Customer Data processed by the Processor and/or its Sub-Processor(s) on behalf of the Controller.

ARTICLE 8: THE USE OF SUBPROCESSORS

8.1 The Controller acknowledges and agrees that the Processor has engaged Sub-Processors to provide the Services. By means of this DPA, the Controller gives its general authorization to the Processor for the engagement of the categories of Sub-Processors as set out in Article 8.5 of this DPA. If the Processor wishes to change or involve a new category of Sub-Processors, the Controller shall be notified thereof through a Communication at least one (1) month in advance, and shall be given the opportunity to communicate any reasonable concerns it might have with such replacement or addition of a category of Sub-Processors. The Controller may only reject a proposed category of Sub-Processors on the basis of a written and well-founded justification and within a period of two (2) weeks after the Processor’s written notification.

8.2 A detailed list of the Sub-Processor(s) currently engaged by the Processor is made available upon the Controller’s request, provided such disclosure does not constitute a breach of any confidentiality engagement or trade secret provision the Processor has entered into with the relevant Sub-Processor. In the latter event, the Processor shall provide a formal justification in writing. 8.3 The Processor shall ensure that its Sub-Processors will be bound to the same obligations, in substance, with respect to Personal Customer Data as to which the Processor is bound by this DPA.

8.4 The Processor shall relay the purposes determined and instructions issued by the Controller in an accurate and prompt manner to the Sub-Processor(s) when and where these purposes and instructions pertain to the part of the processing in which the Sub-Processor(s) is(are) involved.

8.5 In accordance with Article 8.1 of this DPA, the Processor is expressly authorized to engage one or more of the following categories of Sub-Processors in order to ensure the provision of the Services: to host the Platform; to offer certain built-in functionalities; to analyze Platform usage; to offer customer support.

ARTICLE 9: RIGHTS OF THE DATA SUBJECTS

9.1 With respect to any request from Data Subjects regarding their rights concerning the processing of Personal Customer Data pertaining to them by the Processor and/or its Sub-Processor(s), the following conditions apply, taking into account the nature of the processing: The Processor shall on a best efforts basis promptly inform the Controller of any request made by a Data Subject with regard to the Personal Customer Data the Processor and/or its Sub-Processor(s) processes on behalf of the Controller, without giving any consequence to such request unless explicitlyauthorized by the Controller to do so; The Processor shall promptly and on a best efforts basis comply and shall require its Sub-Processor(s) to promptly comply with any request made by the Controller in order for the Controller to comply with a request made by the Data Subject who wishes to exercise one of its rights; The Processor shall, upon simple request of the Controller and upon best efforts basis render all assistance required and provide all information necessary for the Controller to defend its interests in any proceedings – legal, arbitral or others – brought against the Controller or its employees for any violation of fundamental rights to privacy and protection of Personal Customer Data of Data Subjects.

9.2 The Controller shall reimburse the Processor in accordance with Article 15 of this DPA for services rendered in connection with this Article 9.

ARTICLE 10: SECURITY MEASURES

10.1 Throughout the term of this DPA the Processor shall have in place and maintain appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Data Protection Laws and ensure the protection of the rights of the Data Subject.

10.2 The Processor shall amongst others have in place technical and organizational measures against unauthorized and unlawful processing and shall on a regular basis evaluate and adjust if required, the appropriateness of the security measures.

10.3 More in particular, the Processor shall implement appropriate technical and organizational measures (set forth in Annex 1 to this DPA) to ensure a level of security appropriate to the risk, according to Article 32 of the GDPR. 10.4 In assessing the appropriate level of security, account was taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Customer Data transmitted, stored or otherwise processed.

10.5 The Processor has implemented robust information security policies and procedures to protect Personal Customer Data from unauthorized access, alteration, disclosure or destruction and has implemented several layers of security measures (physical, logical, technical and organizational security measures).

10.6 If the Controller requests the Processor to implement specific technical and organizational measures, the Controller shall compensate the processor for the implementation of those measures in accordance with Article 15 of this DPA, limited to the extent that the Processor does not have equivalent measures in place.

10.7 The Controller shall provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing complies with the requirements set out in the GDPR and so that the protection of the rights of Data Subjects is ensured. These measures shall also include the measures referred to in Article 32 of the GDPR. The Controller shall only make Personal Customer Data available to the Processor for processing if it has verified that the appropriate security measures are in place.

ARTICLE 11: AUDIT

11.1 The Processor acknowledges that the Controller is under the supervision of several/a Supervisory Authority/ies. The Processor acknowledges that the Controller and any involved Supervisory Authority will have the right to perform an audit at any time, and in any case during the normal office hours of the Processor, during the term of this DPA to assess whether the Processor is compliant to the Data Protection Laws and the provisions of this DPA. The Processor shall provide cooperation to the extent reasonably necessary.

11.2 The Controller shall only have a right to audit the Processor if the Controller has justifiable grounds to request such audit and if such grounds are communicated and demonstrated in writing to the Processor. Justifiable grounds shall mean a (strong presumption of a Personal Data Breach (and in the case of an actual data breach if such data breach has not been notified and no remediation actions have been taken), destruction of confidential Personal Customer Data, material breach of any of the Processor’s obligations under this DPA). In such event and upon written request of the Controller, the Processor will provide an independent third party, certified auditor, appointed by the Controller or the involved Supervisory Authority access to the relevant parts of the administration of the Processor and all locations and information of interest of the Processor (and those of its agents, subsidiaries and sub-contractors) to determine if the Processor is compliant with the Data Protection Laws and the provisions of this DPA. At the request of the Processor, the concerned parties shall agree to a confidentiality agreement.

11.3 The Controller shall take all appropriate measures to minimize any obstruction caused by the audit on the daily functioning of the Processor.

11.4 If there is an agreement between the Processor and the Controller on a material shortcoming in the compliance with the Data Protection Laws and/or the DPA, as revealed in the audit, the Processor shall remedy this failure as soon as possible. The Parties can agree to have a plan in place, including a timescale to implement this plan, to respond to the shortcomings revealed in the audit.

11.5 The Controller will bear the costs of any performed audit in the meaning of this Article and shall reimburse the Processor in accordance with Article 15 of this DPA. Although, when the audit has revealed that the Processor is manifestly not compliant to the GDPR and/or the provisions of this DPA, the Processor shall bear the costs of such audit.

ARTICLE 12: TRANSFER TO THIRD PARTIES

12.1 The transfer of Personal Customer Data to Third Parties in any manner possible is prohibited, unless it is legally required or in case the Processor has obtained the explicit consent of the Controller to do so. In case a legal obligation applies to transfer Personal Customer Data, to Third Parties, the Processor shall prior to the transfer notify the Controller, unless such prior notification is legally prohibited on grounds of public interest.

ARTICLE 13: INTERNATIONAL TRANSFER

13.1 The Parties agree that Personal Customer Data can only be transferred to and/or kept with the recipient outside the European Economic Area (“EEA”) in a country that does not fall under an adequacy decision issued by the European Commission by exception and only if necessary to comply with the obligations of this DPA.

13.2 If applicable, such transfer shall, in addition to what is set forth in this DPA, be governed by the appropriate module of the Standard Contractual Clauses (“SCCs”) approved by the European Commission. The specific module applicable will depend on the nature of the transfer, including but not limited to:

  • Transfers from a processor to a sub-processor shall be governed by Module Three (Processor to Processor) of the SCCs.
  • Transfers from a processor to a controller shall be governed by Module Four (Processor to Controller) of the SCCs.

In case of a contradiction between the provisions of this DPA and the provisions of the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail. Any replacement to the Standard Contractual Clauses adopted in accordance with the GDPR shall supersede the Standard Contractual Clauses incorporated into this DPA automatically, and Annex 2 to this DPA shall be interpreted instead so as to give full effect to such replacement Standard Contractual Clauses.

13.3 In addition to the availability of an adequacy decision or the adoption of Standard Contractual Clauses, other mechanisms foreseen by the applicable data protection law may apply.

13.4 Customer expressly agrees that Personal Customer Data may be transferred to Sub-Processors and/or stored by said Sub-Processors outside the EEA and even to or in a country not covered by an adequacy decision issued by the European Commission in order to provide the Services, provided that the conditions of Article 13.2 and 13.3 are met.

ARTICLE 14: CONDUCT IN RELATION TO NATIONAL GOVERNMENTAL AND JUDICIAL AUTHORITIES

14.1 The Processor shall inform the Controller immediately of any request, order, inquiry or subpoena by a competent national governmental or judicial authority directed at the Processor or its Sub-Processor which entails the communication of Personal Customer Data processed by the Processor or a Sub-Processor for and on behalf of the Controller.

14.2 Without prejudice to Article 14.1 of this DPA, the Processor warrants that there are, to the best of its knowledge, no obligations of applicable statutory law, which make it impossible for the Processor to comply with its obligations under this DPA.

ARTICLE 15: COSTS

15.1 The services performed under this DPA for which the Processor may charge the Controller will be charged on the basis of the amount of hours worked and the Processor's then standard hourly rates. The Processor will invoice these amounts on a monthly basis.

15.2 All payments by the Controller to the Processor shall be executed in accordance with the terms of the GT&Cs.

ARTICLE 16: LIABILITY

16.1 Without prejudice to the GT&Cs, the Processor is liable for the damage caused by processing only where it has not complied with the obligations of the Data Protection Laws specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Controller.

16.2 A Party is only liable (whether contractual or in tort/delict (including default) for misconduct or otherwise) for verified shortcomings attributable to it. The liability of the Parties for a breach under this DPA, shall be limited to suffered foreseeable, direct and personal damages, with the exclusion of consequential damage (even if informed about the possibility of such consequential damage or if the likelihood of such consequential damage was reasonably foreseeable), where “consequential damage’’ means: damage or loss that did not derive directly and immediately from a breach of contract and/or extracontractual non-performance, but instead indirectly and/or after a certain lapse of time, including, but not limited to loss of income, interruption or stagnation of operations, increase of staff costs and/or the costs of staff cuts, damage consisting of or as a result of claims from third parties, lack of expected savings or advantages and loss of data, profit, time or income, loss of orders, loss of customers, increase of overhead costs, consequences of a strike, irrespective of the causes.

16.3 If it appears that both the Controller and the Processor are responsible for the damage caused by the processing of Personal Customer Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing.

16.4 In any event the total liability of the Processor arising out of or in connection with this DPA shall, in respect of each event (or series of connected events) and each calendar year, be limited to the amount that equals the total amount of fees paid by the Controller to the Processor under the Agreement for a period not more than twelve (12) months immediately prior to the date of the event (or last of the series of connected events) giving rise to the claim. In no event shall the Processor be held liable if the Processor can prove it is not responsible for the event or cause giving rise to the damage.

16.5 The exclusions and limitations of liability under this Article 15 shall operate in favor of the Processor’s affiliates and Sub-Processors to the same extent as these provisions operate in favor of the Processor. The Processor shall not be held liable for any damage or loss (whether or not caused by error, gross misconduct or willful misconduct) caused by a Third Party (including, but not limited to, third party software, hosting services, systems or tools). Notwithstanding the foregoing, the Processor will only be liable to the Controller to the extent of the amount it is able to recover from the Sub-Processor or Third Parties.

16.6 The Controller shall indemnify, defend and hold harmless the Processor against all Third Party claims if it has failed to comply with or breached one or more obligations under the applicable Data Protection Laws. The Controller guarantees that the content, use and instructions for the processing of Personal Customer Data referred to in this DPA are not unlawful and do not infringe the rights of Third Parties and shall indemnify the Processor against all claims related thereto.

ARTICLE 17: MISCELLANEOUS

17.1 The provisions of the GT&Cs regarding (among other things) amendments, entire agreement, applicable law and jurisdiction shall apply to this DPA.

17.2 If and to the extent any provision of this DPA is determined by a court or other public authority to be invalid or unenforceable, this shall not affect the remaining provisions of this DPA which shall remain valid and enforceable. The invalid or void provisions shall be restricted to the maximum extent permitted under applicable law.

ARTICLE 18: TERMINATION OF THE DPA

18.1 This DPA shall apply as long as the Processor processes Personal Customer Data on behalf of the Controller.

18.2 In the event of breach of this DPA or the Data Protection Laws, the Controller can instruct the Processor to stop further processing of the Personal Customer Data with immediate effect.

18.3 The Processor shall not store the Personal Customer Data any longer than needed to perform the Services for which the data is provided. At the choice of Customer, the Processor shall delete or return all the Personal Customer Data to the Controller after the end of the provision of the Services in relation to processing, and deletes existing copies, and will certify that it has done so, unless Union or Member State law requires storage of the Personal Customer Data. The Personal Customer Data shall be provided to the Controller without charge, unless otherwise agreed upon. Notwithstanding the above, Processor reserves the right to archive the data of the Controller in order to comply with legal obligations and to be able to defend itself in court (i.e. statute of limitations).

18.4 The provisions that are expressly or impliedly (by their nature) intended to remain in effect after the termination of the DPA shall remain in effect after the termination.

Annex 1 – Technical and Organizational Measures

In accordance with Article 10 of Schedule 1 above, The Processor undertakes to implement technical and organizational measures such as set forth in this Annex 1.

The Processor utilizes third party data centers that maintain current ISO 27001 certifications.

The Processor will not utilize third party data centers that do not maintain ISO 27001 certifications, or other substantially similar or equivalent certifications and/or attestations. The Processor represents and warrants that it has obtained SOC 2 Type 1 certification, demonstrating its commitment to maintaining robust security, availability, processing integrity, confidentiality, and privacy controls in accordance with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria.

The following descriptions provide an overview of the technical and organizational security measures implemented. It should be noted however that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available. It is acknowledged and agreed that the technical and organizational measures described therein will be updated and amended from time to time, at the sole discretion of the Processor.

Confidentiality

TOMs to ensure the confidentiality of the Personal Customer Data processed in the context of the Services:

Data is encrypted in transit: data transmitted between the user's browser and the Platform is always encrypted over HTTPS using TLS protocols with minimum 128-bit keys and using SHA256 certificates.

The Processor uses modern, strong ciphers for encryption. Known-weak ciphers are explicitly disabled with regular protocol reviews. Data sent to third parties is always sent over encrypted connections. This mitigates the risk of deliberate data interception or accidental data leakage, for example man-in-the-middle attacks.

Data is encrypted at rest: data at rest, for example in backups or on the Processor's computers, is always encrypted using AES encryption with minimum 256-bit keys. This mitigates the risk of data falling into unauthorized hands, for example due to network exfiltration or stolen devices.

Data retention policies: the Processor maintains policies to ensure the minimal amount of Personal Customer Data is retained and that Personal Customer Data is not retained any longer than necessary. This mitigates the risk of accidental or deliberate disclosure of Personal Customer Data. The principle of least privilege access is embedded at all levels in the Processor, from staff down to operating system server processes. This ensures that only the data that is authorized to be processed may be accessed. This mitigates the risk of accidental or deliberate disclosure of Personal Customer Data.

The data centers used by the Processor implement multiple physical access controls to prevent unauthorized people from physically accessing data processing equipment which processes or uses Personal Customer Data. The Processor only authorizes specific staff to access the Service's production systems. This mitigates the risk of accidental or deliberate disclosure of Personal Customer Data. The Personal Customer Data is kept logically separate from other Personal Data. This mitigates the risk of accidental disclosure of Personal Customer Data.

Integrity 

TOMs to ensure the integrity of the Personal Customer Data processed. The Controller may view, update, and delete all their Personal Customer Data held in the Platform. This mitigates the risk of Personal Customer Data becoming inaccurate or out of date and supports data subjects' right to rectification. The principle of least privilege access is embedded at all levels in the Processor, from staff down to operating system server processes. This ensures that only the data that is authorized to be processed may be accessed. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Customer Data.

The Processor only authorizes specific staff to access the Platform's production systems. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Customer Data. The Processor maintains separate development and production systems utilizing different security tokens, passwords, and privileges. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Customer Data.

Availability

TOMs to ensure the availability of the Personal Customer Data processed. The availability of the Platform is monitored continually and the results are made publicly available at https://status.cheqroom.com . This supports the data protection principle of transparency. Automatic notifications are sent to the Processor in the event of the Platform becoming unavailable so that the Processor may act to restore availability in a timely fashion. The Processor only authorizes specific staff to access the Platform's production systems. This mitigates the risk of accidental or deliberate interference with the Platform which could affect availability. If Personal Customer Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Customer Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage. Further TOMs including but not limited to those ensuring resilience.

Resilience

TOMs to ensure the resilience of the Personal Customer Data processed. Data is backed up regularly. This mitigates the risk of data loss, destruction or damage. Data centers used by the Processor utilize multiple redundant network connections to major internet exchanges. This provides resilience in the face of adverse network conditions. Data centers used by the Processor utilize redundant UPS power supplies supported by for example diesel generators for standby power. This mitigates the risk of power outages and provides resilience in the face of electrical supply problems. Data centers used by the Processor utilized redundant air cooling systems to mitigate the risk of overheating computing and network equipment (such as, for example N + 2 air cooling systems). Data centers used by the Processor utilize modern fire systems for prevention, detection and response with direct connections to the local fire service.Data centers used by the Processor provide automatic protection against distributed denial of service (DDoS) attacks. This provides resilience in the face of network attacks whether directed against the Platform or others on the network. DNS services used by the Processor are built on distributed, redundant architectures. This provides resilience in the face of adverse network conditions.

General Technical measures

The Processor implements general technical measures, including but not limited to the following, to support the confidentiality, integrity, availability, and resilience of Personal Customer Data.

Physical security 

  • Office premises protected by locks.
  • All paper destroyed after use.
  • Old computer equipment securely formatted before disposal.

Device security

  • All computers and devices use full disk encryption.
  • All backup media use full disk encryption.
  • All computers and devices are regularly updated and security-patched.
  • All passwords generated by and stored in an industry-leading password manager.

Network security

  • All networks are protected by firewalls.
  • All Personal Customer Data that is transmitted, either to the Platform or to a Third Party, is sent over encrypted networks. System security
  • Policies, training and reminders to rotate all passwords and authentication keys regularly.
  • All servers are regularly updated and security-patched.
  • All user passwords hashed with a one-way cryptographic hashing function with salt before storage.

Website security

  • All web traffic is protected by HTTPS / TLS and appropriate security headers.

Data center security

  • Manned 24hr/day all year.
  • Entry controlled via electronic access control terminals.
  • Continual high definition video surveillance.
  • All personnel movements recorded and documented.

Data security

  • Regular encrypted backups.
  • Data is deleted when no longer needed.
  • Software development
  • All developers are familiar with the OWASP Top Ten web application security risks. All software must pass automated tests before deployment. Data privacy is always a fundamental requirement for the Platform's software.

General Organizational measures

Staff with access to Personal Customer Data only process that data when instructed to do so and only within the scope of the instructions.

Staff (each to the extent applicable) are trained on: responsibilities as a Controller and Processor under GDPR; staff responsibilities for Protecting Personal Customer Data, including the collection, processing and use of Personal Customer Data only within the framework and for the purposes of their duties (e.g. Service provision); proper procedures to identify callers; proper procedures to identify social engineering and phishing attacks; security policies. Personal Customer Data is only accessed as needed and only when approved by the Controller (e.g. for support), or by technical staff for necessary support and maintenance of the Platform. Staff confidentiality agreements. Only designated staff can access production systems. Personal Customer Data used for internal purposes only e.g. as part of the respective Customer relationship, may be transferred to a Third Party such as a Subcontractor, solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.

The transfer of Personal Customer Data to a Third Party (e.g. customers, sub-contractors, service providers) is only made for the specific purposes. If Personal Customer Data is transferred to companies located outside the EEA, the Processor shall take appropriate safeguards for such transfer. Despite the above described measures, the Controller acknowledges that there are always risks associated with sending Personal Customer Data over the internet and that the security and protection of Personal Customer Data can never be fully guaranteed, nor can it be guaranteed that unauthorized Third Parties will never be able to defeat those measures or use the Personal Customer Data processed by the Processor for improper purposes.

For transfers to (sub-) processors: Processor uses its best efforts to ensure that its Sub-Processors undertake to implement (to the extent applicable) mutatis mutandis the technical and organizational measures as defined in this Annex 1, or such other measures resulting in an equivalent or higher level of protection of the transferred Personal Customer Data, as deemed useful or necessary by such Sub-Processors.

Annex 2 – Appendix to Standard Contractual Clauses (if applicable)

APPENDIX

A. LIST OF PARTIES

Data exporter: means The Processor acting as a Processor

Data importer: means the Controller acting as a Controller

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

See Article 1.6 of the DPA

Categories of Personal Data transferred

See Article 1.5 of the DPA

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). On a continuous basis, whenever necessary for the performance of the Services. Nature of the processing See Article 1.4 of the DPA

Purpose(s) of the data transfer and further processing See Article 1.7 of the DPA

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

Personal Data is not retained any longer than necessary, and for a maximum period of one (1) year after termination of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Competent Supervisory Authority” means the data protection authority in the European Economic Area (EEA) responsible for monitoring compliance with the GDPR in relation to the data processing activities covered by this DPA.

D. TECHNICAL AND ORGANISATIONAL MEASURES

The technical and organizational measures implemented by the Processor and its Sub-Processors are described in Annex 1 to the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing The Processor may engage Sub-Processors to provide the Services, according to the categories set forth in Article 8.5 of this DPA.

Sub-processor: Amazon Web Services, Inc. d/b/a AWS

Subject Matter:  Infrastructure & Hosting: Provides cloud computing services, hosting, and infrastructure for data storage, processing, and application hosting.

Hosting location: United States

Sub-processor: MongoDB Inc.

Subject Matter:  Infrastructure & Hosting: Offers a NoSQL database platform for structured and unstructured data storage, retrieval, querying, and indexing.

Hosting location: United States

Sub-processor: Twilio, Inc.

Subject Matter:  Functionality: To send notifications via SMS.

Hosting location: United States

Sub-processor: Mailgun Technologies, Inc.

Subject Matter:  Functionality: To send notifications via email.

Hosting location: United States

Sub-processor: LogRocket, Inc.

Subject Matter:  Usage Analytics: To monitor user interactions and log events such as user clicks and navigation. While Logrocket's primary purpose is to assist The Processor in improving the functionality and user experience of the Platform, its functionality may incidentally involve the processing of Personal Customer Data (e.g. contained within screen recordings).

Hosting location: United States

Sub-processor: Intercom, Inc.

Subject Matter:  Customer Support: To provide a live chat within the Platform and facilitate the submission of support tickets. While Intercom’s primary purpose is to offer customer support to Active Users, its functionality may incidentally involve the processing of Personal Customer Data (e.g. contained within chats or support tickets).

Hosting location: United States