Data Processing Agreement
Acendy

This Data Processing Agreement forms part of the Terms of Service or other written or electronic agreement between the customer ("Controller") and Acendy ("Acendy" or "Processor") for the purchase and/or demonstration of services from Acendy to reflect the agreement between the parties with respect to the Processing of Personal Data.
1. Introduction
1.1. Both parties confirm that the undersigned has the power of attorney to enter into this Data Processing Agreement ("Agreement"). This Agreement forms part of and governs the processing of personal data associated with the following service agreements ("Service Agreements") between the Parties:
- Terms of Service (TOS).
1.2. If the Controller changes the contact person(s), the Processor must be notified in writing.
2. Definitions
2.1. The definition of Personal Data, Special Categories of Personal Data (Sensitive Personal Data), Processing of Personal Data, Data Subject, Controller and Processor is equivalent to how the terms are used and interpreted in applicable privacy legislation, including the EU 2016/679 General Data Protection Regulation ("GDPR").
3. Scope
3.1. The Agreement governs the Processing of Personal Data by the Processor on behalf of the Controller and outlines how the Processor will contribute to ensuring privacy on behalf of the Controller and its registered Data Subjects, through technical and organizational measures in accordance with applicable privacy legislation, including the GDPR.
3.2. The purpose of the Processing of Personal Data by the Processor on behalf of the Controller is the performance of the Service Agreement(s).
3.3. This Agreement supersedes any conflicting provisions relating to the Processing of Personal Data in the Service Agreements or in other prior agreements or written communications between the Parties. This Agreement shall be valid for as long as agreed in Exhibit A.
4. Rights and Obligations of the Processor.
4.1. The Processor shall process Personal Data only on behalf of and in accordance with the written instructions of the Controller. By entering into this Agreement, the Controller instructs the Processor to process Personal Data in the following manner: i) only in accordance with applicable law, ii) in fulfillment of all obligations pursuant to the Services Agreement, iii) as further specified through the Controller's normal use of the Processor's services and iv) as specified in this Agreement.
4.2. The Processor has no reason to believe that legislation applicable to it prevents the Processor from carrying out the instructions set forth above. The Processor shall, upon becoming aware thereof, notify the Processor of any instructions or other Processing Activities by the Processor that, in the Processor's opinion, violate applicable privacy laws.
4.3. The categories of Data Subjects and Personal Data subject to Processing under this Agreement are set forth in Exhibit A.
4.4. The Processor shall ensure the confidentiality, integrity and availability of Personal Data in accordance with the privacy laws applicable to the Processor. The Processor shall implement systematic, organizational and technical measures to ensure an appropriate level of security, taking into account the state of the art and the cost of implementation in relation to the risk posed by the Processing and the nature of the Personal Data to be protected.
4.5. The Processor shall assist the Controller with appropriate technical and organizational measures, to the extent possible and taking into account the nature of the Processing and the information available to the Processor, in complying with the Controller's obligations under the applicable privacy legislation with respect to the request of Data Subjects, and general compliance with privacy legislation under the GDPR Articles 32 to 36.
4.6. If the Processor requires information or assistance regarding security measures, documentation or other forms of information regarding the way the Processor processes Personal Data, and such requests go beyond the standard information provided by the Processor to comply with applicable privacy laws as a Processor, the Processor may charge the Processor for such request for additional services.
4.7. The Processor and its personnel shall ensure confidentiality with respect to the Personal Data subject to Processing in accordance with the Agreement. This provision shall also apply after termination of the Agreement.
4.8. The Processor shall, by notifying the Controller without undue delay, enable the Controller to comply with the legal requirements regarding notification to data authorities or Data Subjects about privacy incidents.
Further, to the extent appropriate and lawful, the Processor shall notify the Controller of:
- (i) requests for disclosure of Personal Data received from a Data Subject,
- (ii) requests for disclosure of Personal Data by governmental authorities, such as the police.
4.9. The Processor shall ensure that persons entitled to process Personal Data have committed to confidentiality or are subject to appropriate legal obligations of confidentiality.
4.10. The Processor shall not respond directly to requests from Data Subjects unless authorized to do so by the Controller.
4.10.1. The Processor shall not disclose any information related to this Agreement to governmental authorities, such as the police, including Personal Data, unless required to do so by law, such as through a court order or similar warrant.
4.11. The Controller has no control over whether and how the Controller uses third party integrations through the Controller's API or similar, and thus the Controller has no ownership risk in this regard. The Controller is solely responsible for third-party integrations.
4.12. The Processor may process Personal Data about users and the Controller's use of the Service when necessary to obtain feedback and improve the Service. The Controller grants the Processor the right to use and analyze aggregated data on system activities related to your use of the Services for the purpose of optimizing, improving or expanding the way the Processor provides the Services and to enable the Processor to create new features and functionalities in connection with the Services. Acendy is considered the Controller for such processing and the processing is therefore not subject to this Agreement.
4.13. In using the Services, the Controller will add data to the Software ("Customer Data"). The Controller acknowledges and does not object to the Processor using Customer Data in an aggregated and anonymized format for customer service improvement, research, training, educational and/or statistical purposes.
5. Rights and obligations of the Processor.
5.1. By signing this Agreement, the Controller confirms that:
- The Controller has the legal authority to process and disclose the Personal Data in question to the Processor (including any sub-processors used by the Processor).
- The Controller is responsible for the accuracy, integrity, content, reliability and lawfulness of the Personal Data disclosed to the Processor.
- The Controller has fulfilled its obligations to provide relevant information to Data Subjects and authorities regarding the processing of Personal Data in accordance with mandatory data protection legislation.
- The Controller, when using the services provided by the Processor under the Services Agreement, shall not disclose Sensitive Personal Data to the Processor, unless expressly agreed upon in Exhibit A to this Agreement.
6. Use of sub-processors and data transfers.
6.1. In connection with the provision of services to the Controller in accordance with the Services Agreements and this Agreement, the Controller shall use sub-processors and the Controller gives its general consent to the use of sub-processors. Such sub-processors may be other companies within the Visma Group or external third-party sub-processors. All sub-processors are listed in Appendix B. The Processor shall ensure that sub-processors agree to assume responsibilities consistent with the obligations in this Agreement.
6.2. An overview of the current sub-processors with access to Personal Data can be found in the Visma Trust Centre on this website: https://www.visma.com/trust-centre/product-search/. For the Acendy product and service, search Mystore.no AS. The Processor may engage other Visma Group companies based in the EU/EEA as sub-processors without the Visma company being listed in the Trust Centre and without prior approval or notification to the Controller. The Processor may request more detailed information about sub-processors.
6.3. If the sub-processors are located outside the EU or EEA, the Controller authorizes the Processor to ensure proper legal grounds for the transfer of Personal Data outside the EU / EEA on behalf of the Controller, below by entering into EU Standard Contractual Clauses (SCCs).
6.4. The Controller shall be notified in advance of changes to sub-processors processing Personal Data. If the Controller objects to a new sub-processor within 30 days of notification, the Processor and the Controller shall review documentation of the Sub-processor's efforts to comply with applicable privacy laws. If the Controller still objects and has reasonable grounds to do so, the Controller may not reserve its right to object to the use of such subprocessor (particularly due to the nature of online standard software), but the Customer may terminate the Service Agreement for which the subprocessor in question is used.
7. Security
7.1. The Processor is committed to a high level of security of its products and services. The Processor provides its security level through organizational, technical and physical security measures, in accordance with the requirements on information security measures as set out in the GDPR Article 32.
7.2. The Service Agreement shall specify the measures or other data security procedures that the Processor implements when Processing Personal Data. The Controller is responsible for the appropriate and adequate security of the equipment and IT environment under its responsibility.
8. Audit Rights
8.1. The Controller may conduct an audit of the Processor's compliance with this Agreement up to once a year. If required by laws applicable to the Processor, the Processor may request more frequent audits. To request an audit, Processor shall submit a detailed audit plan to Processor at least four weeks prior to the proposed audit date, describing the proposed scope, duration and start date of the audit. If the audit is performed by a third party, it should be mutually agreed upon by the parties as a main rule. However, if the processing environment is a multitenant or similar environment, the Controller shall authorize the Processor to decide for security reasons that the audits be performed by a neutral third party auditor of the Processor's choice.
8.2. If the requested scope of the audit has been addressed in an ISAE, ISO or similar assurance report performed by a qualified third-party auditor within the previous 12 months, and the Processor confirms that there are no known material changes to the audited measures, the Processor agrees to accept these findings rather than requiring a new audit of the measures covered by the report.
8.3. In any event, Audits shall be conducted during normal business hours at the affected facility, subject to Processor's policies, and shall not unreasonably interfere with Processor's business operations.
8.4. Processor shall be responsible for all costs arising from audits requested by Processor. Costs may be charged for requests for assistance from the Processor.
9. Duration and termination
9.1. This Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller following the Service Agreements or as otherwise agreed in Exhibit A.
9.2. This Agreement shall automatically terminate upon termination of the Services Agreement. Upon termination of this Agreement, Processor shall delete or return Personal Data processed on behalf of Controller in accordance with the applicable provisions of the Services Agreement. Such deletion shall take place as soon as reasonably possible, unless EU or local law requires further storage. Unless otherwise agreed in writing, the cost of such actions will be based on: i) hourly rates for the time spent by the Processor and ii) the complexity of the requested process.
10. Changes and Modifications.
10.1. Amendments to the Agreement shall be signed by both Parties to be valid.
10.2. If any provision of this Agreement becomes void, it shall not affect the remaining provisions. The Parties shall replace the void provision with a lawful provision that reflects the purpose of the void provision.
11. Liability
11.1. For the avoidance of doubt, the Parties agree and acknowledge that each Party shall be liable for and shall be held liable for directly paying administrative fines and damages to data subjects imposed on the Party by data protection authorities or competent courts under applicable privacy laws. Liability issues between the Parties shall be governed by the liability clauses in the Service Agreement between the Parties.
12. Applicable law and jurisdiction
12.1. This Agreement shall be subject to the applicable law and legal venue as set forth in the Service Agreement between the Parties.
Appendix A - Data Subjects, Types of Personal Data, Purpose, Nature, Duration
A.1 Categories of data subjects.
- end users of the customer
- employees of the customer
- contact persons of the customer
A.2 Categories of Personal Data
- contact information such as name, phone, address, email, etc.
- job information such as position, company, etc.
- economic information such as salary, transactions, order information, working hours, etc.
A.3 Special Categories of Personal Data (Sensitive Personal Data).
In order for the Processor to be allowed to process such data on behalf of the Controller, the types of Sensitive Personal Data in question must be specified below by the Controller.
The Controller is also responsible for informing the Processor of, and specifying below, additional types of Sensitive Personal Data in accordance with applicable privacy laws.
| The Processor shall process information on behalf of the Controller with respect to: | Yes | No |
| --- | --- | --- |
| racial or ethnic origin, or political, philosophical or religious beliefs | x | |
| health information | x | |
| sexual orientation | x | |
| union membership | x | |
| genetic or biometric data | x | |
A.4 Purpose of processing
The purpose of the processing of personal data by the Data Controller on behalf of the Controller is:
The provision of services in accordance with the Service Agreement.
A.5 Nature of processing.
The processing of personal data by the Processor on behalf of the Controller primarily involves (the nature of the processing):
storing/hosting, recording, testing, modifying/editing, reporting, transmitting.
A.6 Duration of processing:
The duration of processing of personal data is 12 months after termination of the Service Agreements.
Appendix B - List of sub-processors.
The Processor's sub-processors with access to the Processor's Personal Data are always up to date at: https://www.visma.com/trust-centre/product-search/
The Processor may engage other EU/EEA based companies of the Visma group as sub-processors without the Visma company being listed above and without prior approval or notification to the Controller. This is usually for the purpose of development, support, business operations, etc.