Data Processing Terms

Unless otherwise agreed by the Parties, the following terms apply to the processing of personal data by C-Facts.

C-Facts Data Processing Terms

Article 1. Definitions

  1. Data subject, processor, third party, personal data, personal data breach, processing, and controller: the terms as defined and described in Article 4 GDPR;
  2. Parties: C-Facts and Client jointly.
  3. Principal Agreement: the agreement(s) between the Client and C-Facts on the basis of which C-Facts processes personal data and to which these Data Processing Terms apply. For the sake of clarity, the term Principal Agreement also includes order confirmations that have been established by means of a quote signed by Client or a quote that is confirmed by means of an order (PO, purchase order).
  4. Data Processing Terms: the terms as stated here (including the Appendices), which apply to the Principal Agreement as concluded between Client and C-Facts and which reflect the mutual rights and obligations with regard to the processing of personal data;
  5. Schedule: a schedule to these Data Processing Terms, which schedule forms an integral part of these Data Processing Terms.
  6. Data breach: a breach with regard to personal data, as defined in Article 4 under 12 GDPR;
  7. Service: C-Facts’s Software as a Service solution that offers transparency in public cloud usage and commerce. natural person or legal person who purchases the Service from C-Facts and/or has commissioned the performance of work or the provision of services and resources.
  8. C-Facts: the limited liability company “C-Facts B.V.”, Chamber of Commerce number 75177757, incorporated under the laws of the Netherlands, having its registered office in HILVERSUM, at Franciscusweg 14.
  9. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Article 2. Applicability

  1. These Data Processing Terms apply to all personal data processed by C-Facts in the context of the execution of the Principal Agreement or ensuing or related agreements.
  2. These Data Processing Terms set out the rules for processing personal data as referred to in article 28 paragraph 3 of the General Data Protection Regulation. These terms shall be hereinafter referred to as “Data Processing Terms”. The Data Processing Terms form an integral part of the Principal Agreement.
  3. In the context of the processing of personal data, Parties recognize and distinguish the following roles in accordance with the GDPR (including the associated responsibilities): the Client is the controller or processor, C-Facts is considered as processor or sub-processor, a third party contracted by C-Facts that processes the personal data will be considered as a sub-processor or a sub-sub-processor.

Article 3. Processing personal data

  1. In case Client purchases the Service from C-Facts, then he also grants the order to process the personal data.
  2. C-Facts processes the personal data of Client, as recorded in Schedule 1, only on behalf of Client, while carrying out the work duties and rendering the services agreed upon in the Principal Agreement.
  3. C-Facts is not allowed to process the personal data of Client, or provide the personal data of Client to third parties for its own purposes, other than agreed upon. Processing of personal data by C-Facts will only take place at request and on instructions of Client.
  4. Unless otherwise agreed or supplemented, C-Facts processes the personal data in accordance with the purposes as determined and described in Schedule 1.
  5. In case Client’s instructions cannot be followed up within the framework of the work and services as agreed upon in the Principal Agreement, the Parties will discuss the (financial) consequences of following up the instructions given by Client.
  6. C-Facts will inform Client if an instruction in the opinion of C-Facts is in conflict with the applicable laws and regulations regarding the processing of personal data.
  7. In case the Principal Agreement is changed or amended in such a way that Schedule 1 needs amendments or changes, Parties agree upon an addendum to update Schedule 1.
  8. For the processing of personal data, C-Facts puts technology and/or software at the disposal of Client, which means can be used by Client for the set purposes. Therefore, Client determines itself the purposes and means and C-Facts is considered as a passive processor.
  9. Client shall ensure that it uses the technology and/or software intended for this purpose in such a way that it processes the personal data with the aforementioned means in accordance with the relevant legislation and/or regulation regarding data processing and the predetermined legitimate purposes for processing.
  10. If and insofar as the Client is obliged by law or (internal) regulations to involve a representative advisory board in the implementation of the Service, it shall ensure that the relevant boards or persons are informed about the purpose and resources of the Service and are consulted adequately insofar as relevant in this context.

Article 4. Retention periods

  1. C-Facts shall not process personal data for longer than strictly necessary in the context of providing the Service and/or carrying out work and in accordance with the retention periods which Client determines itself in the Service. In no event shall C-Facts process personal data longer than until the end of these Data Processing Terms.
  2. Unless Parties have agreed upon retention periods, the processing of personal data will be considered no longer necessary if the Principal Agreement has been terminated.
  3. After the personal data have been deleted and/or destroyed in accordance with the way and terms agreed upon with the Client, C-Facts cannot be held responsible and liable for the removal or destruction of the (personal) data.

Article 5. Confidentiality

  1. Each of the Parties will take all reasonable measures in order to ensure the confidentiality of confidential information to the extent that this is possible in connection with the performance of the Principal Agreement.
  2. The personal data provided by Client to C-Facts will not be disclosed to third parties without prior approval of Client, unless there is a written consent by the Client, or unless it is necessary for the execution of the agreed upon activities and services, the performance of a legal obligation, a request from an authority, or judicial ruling.
  3. C-Facts ensures that the personal data of Client will only be disclosed to personnel of C-Facts on a need-to-know basis, and that the personal data will only be disclosed to personnel assigned to carrying out the work duties or rendering the services agreed upon in the Principal Agreement.

Article 6. Technical and organizational measures

  1. Parties ensure that they will adhere to relevant legislation and regulation regarding processing personal data, in particular the GDPR.
  2. C-Facts takes and implements appropriate technical and organizational measures to secure the personal data against any unlawful processing. These measures ensure, taking the current state of technology and the costs of implementing those measures into account, an adequate level of protection, considering the risks of processing and the nature of the personal data. The measures are also aimed at preventing unnecessary processing of personal data.
  3. In order to fulfill the aforementioned obligation, C-Facts, the Processor, has taken the following measures, within its possibilities and based on a best effort practice:
  • Encryption (encoding) of digital files containing personal data;
  • Making use of logical access control, including strong passwords;
  • Measures that allow for personal data to be stored on a secured server;
  • Measures that ensure that only authorised persons have access to the personal data of the Controller;
  • Contingency plan
  • Incidents procedure
  1. Client takes appropriate technical and organizational measures in accordance with GDPR to protect personal data against loss or against any form of unlawful processing. These measures ensure, taking into account the current state of the technology and the cost of implementation, a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data. Examples are: (i) business processes that comply with the relevant legislation on the processing of personal data; (ii) authorization models in which staff who have nothing to do with certain personal data do not have access to such data; (iii) security of workstations; (iv) an adequate password policy. Client must also ensure that it has an adequate policy in respect of (private) use of internet and e-mail in the workplace, stipulating that personal data can be logged when applications are used.
  2. Client will inform C-Facts about the technical and organizational measures taken by it as referred to in the aforementioned paragraph prior to the start of the agreed upon work duties and services. It is the responsibility of Client to inform C-Facts in a timely manner about any new or amended policy regarding the technical and organizational measures which Client is required to take pursuant to legislation and/or regulation and business practices.
  3. The Client itself assesses and independently judges whether a Data Protection Impact Assessment (DPIA) as referred to in article 35 of the GDPR is required. In case C-Facts deems that in a specific case a DPIA should be carried out, C-Facts informs Client and requests Client to carry out a DPIA.
  4. In case the Client has carried out a Data Protection Impact Assessment (DPIA) regarding processing personal data, Client will, prior to starting with the agreed upon work duties and/or services, provide C-Facts with a copy of the results and the measures that are taken or will be taken.

Article 7. Audit

  1. For the duration of the applicability of these Data Processing Terms, Client is entitled to have the measures taken by C-Facts audited by an independent auditor, provided that: (i) the audit was announced at least two (2) weeks in advance by Client; (ii) the costs for the audit (including the independent auditor and the time of the staff of C-Facts supporting the auditor, against the hourly rates of that specific staff) are borne by Client; and (iii) the result will be discussed with C-Facts.
  2. Before Client conducts an audit, Client first consults and assesses the available (audit) reports present at C-Facts. If Client, after taking notice of the reports, still considers that the consulted reports are insufficient, he will state in the request the reasons and arguments which, in his opinion, still justify an audit. An audit as referred to here can only be carried out under the cumulative conditions as mentioned in the aforementioned article.
  3. C-Facts and Client may as a result of the audit enter into consultation in order to implement further or additional measures and/or agree upon new terms.

Article 8. Third parties – sub-processors

  1. C-Facts may, in the course of executing the Principal Agreement, use sub-processors. Client hereby grants C-Facts general consent to engage sub-processors. The list of sub-processors is attached to these Data Processing Terms in Schedule 2. C-Facts may at its own discretion and judgment change and/or extend the list. In case C-Facts expands or changes the list with new sub-processors, Client will be notified at least two (2) weeks prior to using the intended sub-contractor, and given the opportunity to object to the proposed new sub-processors within 14 business days.
  2. C-Facts and Client search for reasonable solutions to take the concerns of Client away. In case Client and C-Facts cannot agree upon a workable solution.
  3. C-Facts is not allowed, without consent of Client, to transfer personal data outside of the E.U. / E.E.A. This does not apply to transfers to sub-processors as recorded in Schedule 2.
  4. C-Facts enters, if and insofar as possible, into a sub-processing agreement with the aforementioned sub-processors.
  5. C-Facts cannot warrant that it will be notified by a sub-processor regarding changes of the sub-sub-processors.
  6. In case C-Facts engages third parties with which C-Facts cannot or barely can negotiate the conditions, then in the event of any damage C-Facts cannot be held liable for more than it has been able to recover from those third parties.

Article 9. Data breaches and rights of data subjects

  1. In case C-Facts suspects or knows that personal data of Client is compromised, due to a data or security breach, C-Facts notifies Client immediately, at least within forty-eight (48) hours.
  2. Client assesses itself whether it should notify data subjects and/or supervisory authorities. Client is and remains responsible for the mandatory obligation to notify these actors.
  3. In case a data subject invokes his or her rights under the General Data Protection Regulation, C-Facts will forward the request to Client. Client will follow up the request of the data subject. C-Facts may inform the data subject about the forwarding, and will await further instructions from Client.
  4. Upon first request of Client: (i) C-Facts provides information requested by Client with regard to the processing of personal data of Client; and (ii) C-Facts will support and cooperate with Client if and insofar as necessary to fulfill its obligations under the applicable laws and regulations regarding the processing of personal data. The second sentence of article 1.3 mutatis mutandis also applies here.

Article 10. Liability

  1. In case of an imputable failure by C-Facts to comply with these Data Processing Terms or any relevant legislation regarding processing of personal data, the liability of C-Facts for damages is limited to what is agreed upon in the Principal Agreement regarding limitation of liability. In case the cause of the damages is attributable to a third party as mentioned in paragraph 1, the liability of C-Facts is limited to what it is able to actually recover from that third party.

Article 11. Other stipulations

  1. Client warrants that the contents, the agreed upon use and the assignment to process personal data as mentioned in these Data Processing Terms are not unlawful and will not infringe any right of third parties. Client indemnifies and holds C-Facts harmless for all claims related hereto.
  2. These Data Processing Terms are applicable for the duration that C-Facts, in the context of the Principal Agreement, carries out work or renders services for Client. After the duration of the Principal Agreement, C-Facts destroys the personal data of Client, or, upon request of Client, provides the personal data of Client to Client, prior to destroying the personal data. Upon first request of Client, C-Facts provides Client a declaration stating that the personal data was destroyed.
  3. Client is responsible for how it provides C-Facts the personal data. Therefore, it is the responsibility of Client to check whether the way of providing to C-Facts complies with relevant legislation and/or (internal compliance) regulation. In doing so, the Client will respect the applicable C-Facts guidelines for data delivery. If the delivery by the Client does not fit with the applicable guidelines of C-Facts, C-Facts has the right to refuse the way of delivery and/or demand a delivery that is compliant with the delivery guidelines of C-Facts. Client indemnifies and holds C-Facts harmless for all claims and/or damages in case the personal data is not provided to C-Facts in accordance with the relevant legislation and/or (internal compliance) regulation.
  4. These Data Processing Terms are governed by the laws of the Netherlands.
  5. Disputes arising out of or in connection with or as a result of these Data Processing Terms will be solely submitted to the court of Rotterdam, the Netherlands.
  6. These Data Processing Terms cannot be seen separately from the Principal Agreement. In case of conflicting wording between what is stated in these Data Processing Terms and the Principal Agreement, what is stated in these Data Processing Terms prevails.
  7. These Data Processing Terms also apply to subsidiaries of Parties.

SCHEDULE 1 | PROCESSED PERSONAL DATA AND PURPOSE OF PROCESSING PERSONAL DATA

Description purposes and method of processing:

In accordance with the provisions of the Principal Agreement C-Facts shall solely process and use the personal data for:

  • Offering the services and functionalities of the product C-Facts
  • Ensuring the security of the C-Facts service
  • Monitoring the performance of the service
  • Improving the service. This includes analyzing the use of functionalities and parts of the C-Facts services

C-Facts does this through automated processing in the C-Facts software. The ultimate goal of processing personal data is to provide C-Facts users with the C-Facts service.

Categories of data subjects:

The following categories of persons will be involved in the processing of personal data:

  • Users of customers who purchase the C-Facts services
  • People who have contact with C-Facts, for example for technical support or project management

Categories of personal data:

Category A: Controller (buyer of the services):

  • Company name
  • Company address details
  • Customer primary contact first and last name
  • Customer primary contact email
  • Customer primary contact phone
  • Customer primary contact function
  • Customer primary contact gender
  • Role
  • Subscription type (active/inactive)
  • Workspace name
  • Login details AWS API Key
  • Login details Google API Key
  • Login details Oracle API Key
  • Cloud cost data and licenses

Category B: Relations (data subjects) of the Controller:

  • Company name
  • Company address details
  • Customer primary contact first and last name
  • Customer primary contact email
  • Customer primary contact phone
  • Customer primary contact function
  • Customer primary contact gender
  • Role
  • Subscription type (active/inactive)
  • Workspace name
  • Login details AWS API Key
  • Login details Google API Key
  • Login details Oracle API Key
  • Azure usage data on category, subcategory and category name level
  • Microsoft license data
  • Azure usage and license rating and pricing

The Controller guarantees that only personal data that is required for the Processor will be provided.

Data generated during the use of C-Facts:

  • The IP address of the computer or smartphone that was used to contact C-Facts web services.
  • What functionalities of the C-Facts web services are used.
  • Safety logs of certain actions.
  • Cookies
  • A profile photo that is set for an account (if possible).
  • Last known location of user.

(Groups) authorized employees who process personal data:

The table below lists the job roles and/or job groups that have access to certain Personal Data and indicates which processing operations they may perform with regard to the Personal Data.

| Function (Group) | (Category) Personal Data | Type of processing |
|---|---|---|
| Development team | All | Database and software maintenance, incident management, problem solving |
| Support | Contact information, log data | Consultation for debugging and diagnosis. |
| Management | Contact details of Customer contacts | Regular communication (e-mail, telephone) with the persons involved in the project from Client and C-Facts. This is business communication that is a further release from the C-Facts SaaS service. |

SCHEDULE 2 | SUB-PROCESSORS

| Company | Activity | Inside or outside E.U. / E.E.A. | Instrument used for export outside E.U. / E.E.A. |
|---|---|---|---|
| AWS | Amazon Web Services | Inside E.U./Germany | |