ATLAS Access – Data Processing Agreement

This Data Processing Agreement (DPA) supplements TKH Security’s Software Licensing Agreement between Customer and TKH Security B.V. and describes the responsibilities of the Customer (Controller) and TKH Security B.V. (Processor) regarding the processing of personal data.

Controller and Processor are also referred to hereinafter individually as: “Party” and jointly as: “Parties”

Whereas Parties take the following into consideration:

Processor will perform services on behalf of Controller, as described in the ATLAS Access – Software Licensing Agreement (Main Agreement);
Processor obtains and/or gains access to Personal Data in executing the Main Agreement;
Processor is to be considered a “processor” within the meaning of the General Data Protection Regulation (GDPR) and Controller is to be considered a “controller” within the meaning of the GDPR;
The GDPR obligates Controller to enter into a processing agreement, such as this one, with Processor;

Parties declare to have agreed upon the following:

Definitions
The concepts that are used in this Agreement are identical to the concepts as defined in the GDPR, unless stated otherwise hereinafter.

Agreement: this processing agreement including any appendices.

Autoriteit Persoonsgegevens (The Dutch Data Protection Authority (the Dutch DPA)): The supervisory authority regarding the compliance with the GDPR as specified in Article 51 GDPR.

Breach: breach in connection with personal data.

Data Subject: the natural person to whom the personal data relates.

Personal Data: any information that relates to an identified or identifiable living individual which is collected for the purpose of the use of the Service(s) as defined in the Main Agreement.

Sub-processor(s): natural or legal person which processes part of the Processor’s processing tasks on behalf of Processor.
Type of Personal Data and categories of Data Subjects
1. Processor processes on behalf of Controller the categories of personal data as set out in Appendix 1.
Data Subjects’ rights and obligations
1. At the request of and at the expense of Controller, Processor will do whatever Controller deems necessary in order to satisfy a request from a Data Subject to fulfil his/her rights. Among other things, these rights include, but are not limited to, the Data Subject’s right of access, right to erasure, right to restriction of processing and the right to data portability.
Instructions from Controller
1. Processor will only process the personal data on behalf of and for the Controller and on the basis of written instructions given by the Controller, unless specified otherwise by law.
2. Processor will comply with a legal obligation or court order and will, in such a case, notify Controller in advance, unless such is not permitted pursuant to the law or the court order.
3. Processor will immediately notify Controller if, in the opinion of Processor, an instruction from Controller would result in a breach of the law and/or court order, with the understanding that the responsibility and liability for the processing will fully remain with Controller.
4. Processor will not process the personal data for its own purposes and/or provide it to third parties, except insofar as such provision is permitted by the Main Agreement.
5. Processor shall itself process the personal data to which he has access on the basis of the Main Agreement. Processing of the personal data by a Sub-processor is only permitted after prior written consent by Controller.
6. If Processor, with due observance of the provision in Article 4.5, engages a Sub-processor, Processor will impose obligations regarding data protection on the Sub-processor with a protection level as specified in Article 28 paragraph 3 in conjunction with paragraph 4 GDPR.
7. Processor is at all times obligated to continue to store and to process the personal data within the European Economic Area, subject to prior and written consent from Controller obtained for that purpose, to which consent Controller may attach conditions and which consent Controller may withhold for reasons of its own.
8. Parties agree that the party/parties as set out in Appendix 2 will act as Sub-processor for Processor and obtain access to personal data.
9. Processor will store the personal data on servers with the party as set out in Appendix 2.
10. Processor explicitly has no control over the purpose of and means of processing of the personal data which it processes in the execution of the Main Agreement.
11. Processor will adhere to the GDPR and other applicable laws and regulations, more specifically to the laws and regulations regarding the protection of personal data.
12. Processor will perform at least the following tasks regarding personal data when executing the Main Agreement:
  - storage of the personal data;
  - making back-ups of the personal data;
  - provision of the personal data to Controller;
  - guaranteeing the access to the personal data exclusively for Controller or Data Subjects via Controller; 4.13 Processor will refrain from any actions which may restrict the Controller’s or the Data Subjects’ abilities and rights to freely access the personal data.
13. Processor will not hold any personal data except
Security measures and audits
1. Processor is obligated to ensure that appropriate, technical and organisational measures are in place in order to secure the personal data against loss or against any form of unlawful Processing, as specified in Article 32 GDPR. In any event, Processor will at all times continue to satisfy appropriate security measures as specified in Article 32 GDPR and will in general ensure at all times an appropriate security level given the nature of the data and the risk of the Processing. The security plan included in Appendix 3 to this Agreement will be part of this Agreement and the measures stated therein must be maintained as a minimum level of protection.
2. Processor will take all necessary measures to prevent unnecessary collection and further processing of the personal data, other than which is required for the execution of the Main Agreement.
3. Upon Controller’s first request, Processor will offer, at Controller’s expense, all cooperation which may reasonably be required to provide in order to enable Controller to check (or to have checked) as well as to examine (or to have examined) whether the processing of the personal data occurs as agreed upon and whether Processor has taken all of the appropriate, technical and organisational security measures against loss or against any form of wrongful processing.
4. Controller is entitled to check (or to have checked) the fulfilment of the provisions of this Agreement once per year at the most, unless, in Controller’s opinion, an interim audit is desirable for an important reason. Controller is entitled to perform this audit itself or to have it performed by an independent chartered accountant, chartered computer scientist or an auditor certified for this purpose. Controller will bear the costs of such an audit. The costs of the Processor’s personnel who guide the audit are at Controller’s expense. An audit may not unnecessarily disrupt the Processor’s business activities. Controller will announce the audits in writing to Processor at least ten days before they commence, providing a description of the elements to be audited, unless Controller desires to perform (or to have performed) an audit as specified in the second sentence of this Article 5.4 for substantial reasons.
5. In the event of a Breach, Processor will notify Controller of this Breach and the (expected) consequences as quickly as possible – but no later than withing 48 hours – after its discovery In such an event, the Processor will provide additional information on the nature of the Breach, the name and contact information of the data protection officer or other person of contact, the probable consequences of the Breach, the manner in which it will address the Breach and the manner in which it will restrict adverse consequences of the Breach. The Processor states the time frame within which it will take these measures. Upon Controller’s first request, Processor will also grant all reasonable co-operation regarding a notification to the Dutch Data Protection Authority.
6. Processor will also immediately notify Controller of any Breaches, including the facts regarding the Breach in connection with personal data, the corresponding consequences and the corrective measures taken. This documentation must enable the Dutch Data Protection Authority to verify compliance with Article 33 GDPR.
7. In the case that Processor neglects to take reasonable measures against a Breach and fails to take relevant measures within a time frame set by Controller, Controller is entitled to have those measures executed at Processor’s expense. Processor is obligated to grant its full co-operation in this matter.
8. Processor will, taking into account the nature of the processing and the information made available to it, assist Controller at Controller’s expense, in the fulfilment of its duties in accordance with the GDPR, including without being limited to its duty to secure, its notification duty, the execution of a data protection impact assessment and a prior consultation when processing with a high risk.
Confidentiality
1. Processor guarantees that it will at all times act in accordance with its legal duties on confidentiality, including without being limited to the duty of confidentiality as specified in Article 90 of the GDPR. Processor will not directly or indirectly make available the personal data to third parties, unless specified otherwise in the Main Agreement, by the law or a court order.
2. Processor will (contractually) obligate its subordinates who have access to the personal data, as well as the third parties it engages which have such access, to confidentiality as required by the GDPR and this Agreement.
3. Processor is obligated to immediately report to Controller any request for disclosure or issuance of personal data.
Destruction and backup
1. In the event of termination of this Agreement, Processor will, while charging the costs, make available to Controller the personal data along with any other processed data in an electronic file format, commonly used in the market.
2. Subject to its otherwise binding legal obligations, Processor is obligated, upon first written request after termination of the Main Agreement, to destroy all of Controller’s Personal Data.
Liability
1. Processor is liable for any damage that results from the non-fulfilment of this Agreement or any requirements specified in applicable laws and/or regulations, including without being limited to the GDPR, and indemnifies Controller for damages and costs – including without being limited to costs of legal assistance – in this regard, up to a maximum of one time the amounts invoiced by Processor based on the Main Agreement in the year prior to the claim, except in the case of intent or conscious recklessness on the side of Processor.
2. If Controller is sued by Data Subject or a third party for damages which the Data Subject or third party is alleged to have suffered in connection with the processing of the personal data, Controller has a right of recourse against Processor if Processor failed in the fulfilment of any obligations based on the law or this Agreement, up to a maximum of one time the amounts invoiced by Processor based on the Main Agreement in the year prior to the claim, except in the case of intent or conscious recklessness on the side of Processor.
3. Controller indemnifies Processor for claims from Data Subjects and third parties, including imposed penalties and due damage compensation, insofar as these claims are based on or caused by breaches by Controller of the applicable laws and regulations, including the GDPR.
Final provisions
1. Processor is not permitted to (completely or partially) transfer or outsource to third parties its obligations that stem from this Agreement, unless Controller has provided prior written consent for this purpose and subject to the provisions in the Main Agreement.
2. Parties explicitly agree that the Controller’s general terms and conditions (of purchase) are not applicable to this Agreement.
3. This Agreement will be entered into for the duration of the term of the Main Agreement.
4. This Agreement takes effect after signing of the Agreement by both Parties.
5. In the event that one or more provisions of this Agreement should turn out to be null or void, the other provisions of this Agreement will remain fully in force. In that event, Parties are obligated to replace a void provision with a provision which is legally binding and deviates as little as possible – given the purpose and intent of this Agreement – from the void provision.
6. This Agreement can only be prematurely terminated in whole or in part if Parties agree to such in writing. In absence of such written consent, this Agreement cannot be wholly or partially dissolved extrajudicially. If this Agreement contains any provisions which are, by their nature, intended to persist after termination, then these will fully remain in force.
7. Changes or additions to this Agreement are only binding if they have been agreed to in writing.
8. If laws and regulations change in such a manner that the Agreement no longer satisfies the requirements laid down in laws and/or regulations, Parties will adjust the Agreement in mutual consultation in accordance with these amended laws and/or regulations.
Applicable law and choice of court
1. This Agreement, as well as all legal relationships to which the Agreement is applicable or that should stem from the Agreement, are governed by Dutch law.
2. Any disputes which might arise between Parties in connection with or as a result of this Agreement will be submitted to the court of The Hague (Den Haag), The Netherlands.

List Appendices:

• Appendix 1 – Categories of Data Subjects and Personal Data

Processing	Purpose	Categories of Data Subjects	Categories of Personal Data	Transfer to third country
Storage of personal data	Hosting	Customer’s end users	See Appendix 1A	No
Access to personal data	Conducting service and maintenance on the technical systems: • diagnosing and solving malfunctions; • updating new software versions; • placement of patches and hotfixes; • back-ups; • moving technical	Customer’s end users	See Appendix 1A	No

• Appendix 1A – ATLAS Microsoft Entra ID permissions

ATLAS MS EntraID permissions

• Appendix 2 – Sub-processor(s)

Party	Address	Place of business	Place of data center
Amazon Web Services EMEA SARL	38 Avenue John F. Kennedy, L-1855	Luxembourg	Frankfurt am Main – Germany

• Appendix 3 – Security Plan

Applied security measures

Responsibilities for information security have been assigned.
Changes in data or in information processing are carried out exclusively under a change management procedure.
The Processor has trained selected and screened employees and has experience in the field (including adequate security of the information).
The Processor is certified to be able to professionally offer and support its security services and products to the customer.
The Processor periodically conducts its own internal audits to ensure the necessary proof of conformity to standards and requirements.
The Processor has coordinated adequate procedures regarding communication, support and management acts accordingly.
Established security policies that are also implemented.
Physical access security measures, including organizational control.
Burglar alarm.
Measures against malicious software.
Safe for storage of data files.
Adequate logical access control using 2-factor authentication, biometrics, etc.
Automatic logging of data access, incl. a control procedure.
Control of assigned authorizations.
Encryption of personal data during transmission.
Encryption of personal data during storage.
Business continuity management, continuity plans.
Back-up and recovery procedure.