1 General
1.1 This Agreement sets forth the terms upon which Fenestrae provides Customer with the Service that Customer purchased directly from Fenestrae or from a Fenestrae authorized reseller. Customer may only use the Service if these terms have agreed with.
1.2 Additions to or deviations from this Agreement shall only apply where agreed in writing between the parties.
1.3 The applicability of any of Customer’s purchasing or other conditions is expressly rejected.
1.4 If you register for a free trial, proof of concept or not-for-resale license of the Service, the applicable provisions of this agreement will also govern the provided Service.
2 Definitions
2.1 Agreement means this Online Services Agreement, the data processing agreement included as annex 1 to the body of this agreement, and if applicable, the Service Level Agreement and any Order Document.
2.2 Customer means the legal entity that ordered the Service and is registered as such in the customer administration systems of Fenestrae.
2.3 Customer Data means any data, information or materials provided or submitted by Customer to Fenestrae in the course of using the Service.
2.4 Documentation means all Fenestrae's standard user documentation, in electronic format, which may be delivered/made available to Customer under the Agreement.
2.5 Order Document means, if applicable, the initial order document for the Service and any subsequent order documents, whether submitted in writing or by electronic means, specifying amongst other things the number of licenses and other services contracted for, the applicable fees and the license period(s) (as applicable).
2.6 Production Use means use of the Service solely to operate Customer's ordinary business for the benefit of Customer and/or its Users.
2.7 Service means the remote access to and availability of the Technology via the internet or another network, as well as the automatic processing of Customer Data using the Technology.
2.8 Service Level Agreement means the document updated from time to time by Fenestrae that sets out the service levels applicable to the Service.
2.9 Technology means all of Fenestrae's proprietary technology, including but not limited to the scan, capture, fax, mobile messaging, unified communications, document processing technology and associated algorithms, user interfaces, know-how, techniques, designs, look and feel and Documentation developed, operated and maintained by Fenestrae, and made available by Fenestrae to Customer in providing the Service.
2.10 User(s) mean(s) people within the organization of Customer who are authorized to use the Service and have been supplied by Customer (or by Fenestrae at Customer's request) with user access and identification codes.
3 Service; Grant of License
3.1 Subject to the terms and conditions of the Agreement and subject to full payment of the related fees, Fenestrae provides Customer with the Service and grants Customer a non-exclusive, non-transferable, non-sublicensable periodic license to use the Service and the Technology for Production use by its Users. Any further use is solely permitted if expressly agreed upon in writing by Fenestrae.
3.2 Customer shall not make the Service and the Technology available to any third party, make derivative works based upon the Technology, or commercially exploit the Service and/or Technology.
3.3 Customer is responsible for use of the Service by its Users, regardless of whether or not there is (still) a relationship of authority between Customer and these Users. Customer shall ensure that Users shall at all times comply with the Agreement, applicable laws and regulations, including without limitation those related to data privacy and electronic communications.
3.4 The Service and Technology may not be used in the course of operating power stations, mass transportation systems or for any (direct) medical systems and/or instruments.
3.5 Customer is responsible for the manner in which the results obtained through the use of the Service are used. Fenestrae is not responsible for checking the accuracy and completeness of the results of the Service. Customer itself shall regularly check the results of the Service.
3.6 Fenestrae is permitted to install technical provisions for the purpose of protecting the Service and the Technology in relation to an agreed restriction of the right to use the Service and the Technology. Customer shall under no circumstances be permitted to circumvent such technical provisions or to arrange for this to be carried out.
3.7 Customer shall ensure that the Users treat the access and identification codes necessary to access and use the Service as confidential and with due care and shall ensure that these codes are only supplied to authorised employees. Fenestrae is entitled to change the access or identification codes assigned to Users. Customer shall notify Fenestrae immediately of any unauthorized use of any access and identification codes or any other known or suspected breach of security. Fenestrae is under no circumstances liable for any damage or costs arising from the use or misuse of access or identification codes, except where misuse was possible as a result of an act or omission on the part of Fenestrae.
3.8 Fenestrae is not obliged to have a backup centre or other backup facilities. It is Customer's own responsibility to make backups of or otherwise secure its Customer Data.
4 Provision of the Service
4.1 Fenestrae shall make reasonable efforts to provide the Service with due care and, in accordance with the Service Level Agreement if applicable. We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Fenestrae is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Customer Data stored. We recommend that you regularly backup your content that you store on the Service or store using third-party apps and services.
4.2 If Fenestrae carries out work relating to the Customer Data pursuant to a request or an authorised order from a government agency or in connection with a statutory obligation, Customer shall be invoiced for all of the associated costs (including but not limited to, research costs, consultancy costs, legal costs, support and administrative expenses).
4.3 Fenestrae may continue to provide the Service using a new or amended version of the Technology. Fenestrae is not be obliged to maintain, change or add certain features or functionalities of the Service or the Technology specifically for the Customer.
4.4 Fenestrae may (temporarily) suspend the Service in full or in part without any liability to the Customer: (a) for the purpose of carrying out preventive, corrective or adaptive maintenance, in which event Fenestrae shall not suspend the Service for longer than necessary and shall arrange for this to take place outside of office hours where possible and, according to the circumstances, upon advance notice to Customer; (b) if Fenestrae reasonably believes that the Service is being used (or has been or will be used) in violation of the Agreement; (c) if Fenestrae discovers that Customer has used similar services abusively in the past; (d) if Customer doesn't cooperate with Fenestrae's reasonable investigation of any suspected violation of the Agreement; (e) if Fenestrae reasonably believes that the Service has been accessed or manipulated by a third party without Customer's consent; (f) if Fenestrae reasonably believes that suspension of the Service is necessary to protect its network or Fenestrae's other customers; (g) if a payment for the Service is overdue; or (h) if suspension is required by law.
4.5 Fenestrae shall give Customer reasonable advance notice of a suspension under the preceding Clause and a chance to cure the grounds on which the suspension is based, unless Fenestrae determines, in its reasonable commercial judgment, that a suspension on shorter or contemporaneous notice is necessary.
4.6 Any periods of decommissioning announced in advance due to maintenance work or to circumstances outside of Fenestrae's sphere of influence, including without limitation the circumstances set out in clause 4.4, will not be taken into account when assessing availability of the Service. The assessment will be based on the Service as a whole during the term of the Agreement. Barring proof to the contrary, the availability and service level measured by Fenestrae shall be conclusive evidence.
4.7 The Service is subject to usage limits, including, the quantities specified in the Order Document, on invoices or in the Documentation. Unless otherwise specified a quantity refers to either the number of devices, users or pages. If Customer exceeds the contractual usage limit, Customer agrees to reduce Customer’s usage upon request so that it conforms to that limit. If Customer does not abide by a contractual usage limit, as reasonably determined by Fenestrae, Customer will execute an Order Document for additional quantities of the applicable Service promptly upon Fenestrae’s request, and pay any invoices for excess usage. When customer neglects to issue a reasonable timely Order Document Fenestrae has the right (i) to switch off the Services when the limit has been reached and (ii) fully or partially dissolve the Agreement without any obligation to pay damages
4.8 Any Service, not explicitly limited in the Order Document, invoice or Documentation is limited to fair usage and legitimate use only. Not considered to be legitimate use are the following non-exhaustive practices: using the Service for professional mailrooms, re-selling services, automated email services, sharing subscriptions between multiple devices or connect automated input processes to the service.
4.9 The Service may contain features designed to interoperate with non-Fenestrae applications. To use such features, Customer may be required to obtain access to non-Fenestrae applications from their providers, and may be required to grant Fenestrae access to Customer’s account(s) on the non-Fenestrae applications. If the provider of a non-Fenestrae application ceases to make the non-Fenestrae application available for interoperation with the corresponding Service features on reasonable terms, Fenestrae may cease providing those Service features without entitling Customer to any refund, credit, or other compensation.
5 Intellectual Property Rights
5.1 All intellectual property rights and similar rights to the Service and the Technology made available to Customer on the basis of the Agreement shall remain exclusively vested in Fenestrae and/or its licensors. Customer shall only acquire those rights of use that are explicitly granted in the Agreement. Any rights of use granted to Customer are non-exclusive, non-transferable and non-sublicensable.
6 Representations, Limited Warranty and Liability
6.1 Each party represents that its has validly entered into this Agreement and has the legal power to do so and bind itself and his company, legal entity and affiliates by this agreement.
6.2 The Service and the Technology are provided "as is", without any warranties. Fenestrae expressly does not warrant that the Service is free of defects and will at all times be provided without interruptions. Fenestrae shall endeavour to fix any defects within a reasonable period of time, but expressly does not warrant that defects will be fixed. Fenestrae does not warrant either that the Service will be adapted according to changes in relevant laws and regulations in a timely manner.
6.3 To the maximum extent allowed by law, Fenestrae (also for the benefit of its licensors) excludes liability for all damages, including but not limited to any loss of profit, loss of savings, reduced goodwill, loss due to business interruption and loss as a result of claims from Customer's own customers, as well as any other indirect or consequential damages, arising out of or related to the use of or inability to use the Service or the Technology, even if Fenestrae has been advised of the possibility of such damages. Fenestrae's liability due to the scrambling, destruction or loss of Customer Data is also expressly excluded.
6.4 If, in deviation of the preceding Clause, Fenestrae is held liable, whether in contract, tort, or otherwise, Fenestrae's liability to Customer will in no event exceed the total amount of the fees paid for the Service in the twelve months preceding the first incident out of which the liability arose.
6.5 A condition for the existence of any right to compensation shall in all cases be that Customer notifies Fenestrae in writing of the damage as soon as possible after it occurs. Any claims for damages against Fenestrae shall expire by the mere passage of twenty four months from the date on which the claim arose.
7 Processing of Customer Data
7.1 All Customer Data submitted by or on behalf of Customer to the Service shall remain the sole property of Customer or its licensors. This does not affect Fenestrae's rights in the Technology and Service.
7.2 The Customer Data may contain personal data within the meaning of the applicable data protection law. With regard to the processing of such personal data as contained in the Customer Data on behalf of the Customer, Fenestrae is to be considered the data processor under the applicable data protection law, and the data processing agreement included as annex 1 to the body of this Agreement applies to the processing of such personal data by Fenestrae on behalf of Customer.
7.3 Responsibility for the Customer Data processed using the Service shall rest solely with Customer. Customer guarantees to Fenestrae that the content, the use and/or the processing of the Customer Data is not unlawful and does not infringe the rights of third parties. Customer indemnifies Fenestrae against legal claims, of whatever nature, by third parties in relation to the Customer Data submitted to the Service. For avoidance of doubt, individuals whose personal data is recorded or processed within the context of the processing of the Customer Data, are also considered third parties in the meaning of this clause.
7.4 Insofar Fenestrae determines the purposes and means of the processing of certain types of Customer Data, Fenestrae may be considered the data controller under the applicable data protection law and the data processing agreement as included in annex 1 to this Agreement shall not apply to such processing of personal data by or on behalf of Fenestrae. Fenestrae will be the data controller in case of (i) correspondence between Fenestrae and Customer and a contact person within the Customer’s organisation, (ii) monitoring by or on behalf of Fenestrae of the use of the Service by User(s), and (iii) the processing of Customer Data to improve, develop, and enhance the Service, in accordance with the Agreement. Fenestrae will, as data controller, process such personal data in accordance with the applicable data protection law. Customer shall fully cooperate with Fenestrae if necessary to comply with applicable data protection requirements, including but not limited to informing the User(s) or other data subjects on the processing of their personal data by Fenestrae as data controller.
8 Termination
8.1 Either party shall only be authorized to terminate the Agreement as a result of an attributable failure to perform the Agreement, if the other party, in all cases following written notice of default providing as many details as possible and setting a reasonable term in which the breach can be remedied, attributably fails to meet its fundamental obligations arising from the Agreement, unless otherwise specified in the Agreement. Sections 6:265 et all of the Dutch Civil Code shall not apply. Customer's obligations to obey the restrictions on its rights of use shall in all cases be regarded as fundamental obligations arising from the Agreement.
8.2 If Customer has already received the Service for the purpose of executing the Agreement at the time of termination as referred to in the preceding Clause, the Service and the related payment obligation, if any, cannot be revoked unless Customer is able to demonstrate that Fenestrae is in default in respect of a substantial part of the Service. Any amounts invoiced before termination in connection with the Service, shall remain due in full, subject to due observance of the provisions of the preceding sentence, and shall become immediately due and payable at the time of termination.
8.3 Either of the parties shall be entitled to terminate the Agreement in part or in full, with immediate effect, in writing without notice of default if the other party is granted a moratorium of payments, provisionally or otherwise, if a winding-up petition is filed in respect of the other party, or if the other party’s company is wound up or terminated for reasons other than reconstruction or the merger of companies. Fenestrae shall under no circumstances be obliged to reimburse any sums of money that have already been received or to pay any compensation in the event of such termination.
8.4 Upon termination or expiration of the Agreement Customer must cease all use of the Service and the Technology and shall remove and destroy all copies of the Documentation.
8.5 Upon termination or expiration of the Agreement other than reason of Customer's attributable failure to perform the Agreement, Fenestrae will make available to Customer or to any third party designated by Customer a file of the Customer Data within 30 days of termination if Customer so requests at the time of notification of termination. In such event, Fenestrae shall not be obliged to carry out data conversion. In any other event of termination, Fenestrae shall have no obligation to maintain any Customer Data or to forward any Customer Data to Customer or any third party designated by Customer.
8.6 Any provision of the Agreement that is by nature intended to survive the termination or expiration of the Agreement, shall remain in full force and effect after any such termination or expiration.
9 Force Majeure
9.1 In the event that Fenestrae fails to perform the obligations under the Agreement, or fail to perform such obligations in good time or properly, as a result of force majeure within the meaning of Section 6:75 of the Dutch Civil Code, such obligations will be suspended until such time Fenestrae is able to perform these obligations in the agreed manner.
9.2 In the event that the situation referred to in paragraph 1 above occurs, Fenestrae shall be entitled to terminate the Agreement partly or in whole in writing and with immediate effect, without any right to any compensation otherwise existing.
10 Applicable Law and Disputes
10.1 The Agreement will be governed in all respects by the laws of The Netherlands without reference to any choice of law provisions. Any dispute that may arise in connection with the interpretation or implementation of the Agreement shall be submitted to a court of competent jurisdiction located in The Hague. Both Parties hereby waive any applications of the United Nations Convention on Contracts for the International Sale of Goods (as promulgated in 1980 and any successor or subsequent conventions) with respect to the performance or interpretations of the Agreement.
11 Miscellaneous
11.1 Customer shall not be entitled to sell and/or transfer the rights and/or obligations arising from the Agreement to a third party without Fenestrae's prior written approval. Fenestrae shall be entitled to sell and/or transfer the rights and/or obligations arising from the Agreement to a third party without Customer's prior written approval, but only in the context of an acquisition (assets or shares), reconstruction, merger or demerger.
11.2 Customer agrees to comply with all European Union and foreign export control laws or regulations applicable to the Service. Customer shall promptly notify Fenestrae of any export restrictions that may apply to Customer. The Service provides technology that may be subject to export controls regulations. Customer acknowledges and agrees that the Service shall not be used in or by, and none of the underlying information or technology may be transferred or otherwise exported or re-exported to any embargoed country or a national or resident thereof. Country embargoes are subject to change without notice. By using the Service, Customer warrants that it and its Users are not located in, under the control of, or a national or resident of an embargoed country. Customer agreed to comply strictly with all applicable export laws and assumes sole responsibility for obtaining licenses to export or re-export as may be required.
11.3 The Service, content, other Technology Fenestrae make available, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any U.S. government denied-party list. Customer shall not permit Users to access or use any Service or content in a U.S. embargoed county or in violation of any U.S. export law or regulations.
11.4 If any provision of this Agreement is null and void or is voided, the other provisions of this Agreement will remain fully in effect. In this case, Fenestrae and Customer will consult with one another to agree new provisions to replace the void or voided ones. In doing so, the purpose and meaning of the void or voided provision will be taken into account as far as possible.
Fenestrae © 2017
ANNEX 1: DATA PROCESSING AGREEMENT
1 General
1.1 This Data Processing Agreement is an annex to the body of the Agreement.
1.2 In the context of the execution of the Agreement, Fenestrae will process Personal Data as data processor on behalf of and for the benefit of Customer, who shall be the data controller as set forth in the applicable data protection law.
1.3 The arrangements between the parties relating to the processing of the Personal Data, whereby Fenestrae is acting as a data processor and Customer as data controller, are laid down in this Data Processing Agreement in accordance with applicable data protection law.
2 Order of precedence
2.1 This Data Processing Agreement sets aside any (oral and/or written) arrangements of an earlier date relating to the processing of Personal Data between Customer acting as data controller, and Fenestrae acting as a data processor in respect of the Personal Data.
2.2 In case of any discrepancies between the provisions of this Data Processing Agreement, the body of the Agreement, the Service Level Agreement, and/or Order Document, the provisions of this Data Processing Agreement shall prevail, unless explicitly stipulated otherwise in this Data Processing Agreement.
3 Definitions
3.1 All definitions included in the body of the Agreement shall also apply to this Data Processing Agreement, unless stipulated otherwise in this Data Processing Agreement. In addition thereto the following definitions apply to this Data Processing Agreement.
3.1.1 Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in the Service;
3.1.2 Data Processing Agreement: this data processing agreement, including schedules thereto, and any later versions thereof;
3.1.3 Data Subject: the person to whom the Personal Data relate, as meant under applicable data protection law;
3.1.4 Employees: the employees and other persons engaged by Fenestrae for the performance of the Agreement;
3.1.5 Non EEA Entity: any (third party) entity engaged by Fenestrae as subcontractor, incorporated and/or processing the Personal Data controlled by Customer in a country outside the European Economic Area (EEA) not being a country that has been deemed to provide an adequate level of data protection by way of decision of the European Commission and that has not adhered to the EU-US / Swiss-US Privacy Shield;
3.1.6 Personal Data: any data relating to an identified or identifiable living natural person (Data Subject) as part of the Customer Data and as meant under applicable data protection law, processed by Fenestrae or its subcontractors on behalf of Customer, in its position as data processor, in relation to the execution of the Agreement.
4 Subject of this Data Processing Agreement
4.1 Customer guarantees that it processes or shall have processed the Personal Data in accordance with the applicable law. Customer shall upon first request of Fenestrae promptly provide all relevant information to Fenestrae in writing. Fenestrae is not responsible or liable for compliance with Customer's obligations under the applicable law.
4.2 As data processor, Fenestrae shall only process Personal Data on behalf of Customer and in accordance with its documented instructions of Customer. The Agreement, including this Data Processing Agreement, the Service level Agreement and/or any Order Documents, and the Customer's use, including Customer's settings, of the Service are Customers' complete instructions to Fenestrae. Fenestrae shall inform Customer if, in its opinion, any of the instructions of Customer infringes the applicable data protection law. Fenestrae shall have no independent say in relation to the Personal Data that it processes. Fenestrae shall not process the Personal Data for its own or any third party's benefit or purposes, or for other purposes, unless otherwise agreed upon or required by the applicable law.
5 Processing of the Personal Data as data processor
5.1 Schedule A to this Data Protection Agreement contains a description of the processing of Personal Data by Fenestrae as data processor in connect with the provision of the Service to Customer.
5.2 Taking into account the nature of the data processing and the information available to Fenestrae, Fenestrae will insofar this is (technically) possible and necessary under applicable data protection law assist Customer in the execution of data protection impact assessments, including prior consultation of the competent governmental authority. Fenestrae may charge Customer an additional fee for such assistance.
5.3 Fenestrae's Employees are obligated to maintain the security and confidentiality of the Personal Data in line with this Data Processing Agreement and are bound by appropriate confidentiality obligations. Schedule A lists the groups of Employees of Fenestrae that may have access to the Personal Data and describes the types of Personal Data and the data processing activities these persons may perform.
6 Subcontractors
6.1 Fenestrae may engage subcontractors (sub data processors). Fenestrae shall inform Customer in a manner determined by Fenestrae of intended new subcontracts that will process Personal Data on behalf of Customer. Customer hereby agrees to the use of the following (sub) subcontractors by Fenestrae in relation to the processing of Personal Data:
6.1.1 Microsoft Corporation, in relation to the provision of Microsoft's Azure cloud services, including its relevant subcontractors as published from time to time by Microsoft Corporation.
6.2 In case of subcontracting of the processing of Personal Data, Fenestrae will conclude a written sub data processing agreement with such subcontractor including at least the same level of protection as set forth in the relevant provisions of this Data Processing Agreement. Fenestrae remains responsible and liable for fulfillment of its obligations under this Data Processing Agreement.
7 Security Measures
7.1 Fenestrae has implemented and will maintain appropriate technical and organizational security measures to ensure an appropriate level of security in relation to the Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Customer is independently responsible for determining whether the implemented measures meet Customer's requirements. The technical and organizational security measures (to be) implemented by Fenestrae are:
7.1.1 Physical measures for protecting access are in place including a lobby with manned security/reception desk;
7.1.2 Logical access control based on physical identification – badge access to the office area limited to authorized individuals;
7.1.3 Fire detection and suppression systems. Alarms for intrusion detection;
7.1.4 Automatic logging of access gained to data, including inspection procedures when there are anomalies;
7.1.5 Fenestrae only uses reputable subcontractors for the processing of Personal Data which provide specific services and implement appropriate security measures, which include organizational and human resources security, limited physical access to facilities and components, access and event logging, protection from disruptions, access (authorization) control, and information security incident management.
8 Reporting of Data Breaches
8.1 If Fenestrae becomes aware of a Data Breach of which Customer was not yet informed, Fenestrae will inform Customer without undue delay thereof in a manner determined by Fenestrae. In this respect, Fenestrae may make use of the contact details of the contact person(s) of Customer listed known to Fenestrae or of a User. Customer shall be solely responsible to ensure that the contact details of the appropriate contact persons of Customer are up-to-date and accurate. Should Fenestrae not reach the given or appropriate contact person of Customer in time, this shall be at risk of Customer.
8.2 Upon becoming aware of a Data Breach by Fenestrae, Fenestrae will investigate the Data Breach, take reasonable steps to remediate or minimize the damage resulting from the Data Brach, and on reasonable request by Customer provide reasonable detailed information to Customer about the impact of the Data Breach on Customer and the affected Data Subjects or as necessary for composing the relevant documentation in relation to the Data Breach. Customer remains responsible for the obligation under applicable data protection law to keep an internal overview of Data Breaches that have occurred.
8.3 The obligation of Fenestrae to notify Customer of a Data Breach and to take action in relation to a Data Breach does not lead to an acknowledgment of any defect or liability on the side of Fenestrae in relation to that Data Breach.
8.4 When Customer itself is aware of a Data Breach relevant for the provision of the Service by Fenestrae, Customer shall inform Fenestrae immediately thereof, including which measures have been or will be taken by Customer.
9 Audit rights of Customer
9.1 Fenestrae conducts reviews of its technical and organizational security measures taken in relation to the processing of Personal Data. Upon the request of Customer, Fenestrae will provide Customer the security report it has drawn up upon completion of such review. In such security report, Fenestrae will include information on the status of the processing facilities and the security measures that have been taken.
9.2 If Customer desires to change its instruction to have its audit rights exercised in accordance with article 9.1 of this Data Processing Agreement, Customer has the right to change this instruction in writing and may at its own expenses and upon prior consultation with Fenestrae perform an audit on the Service to examine whether the reasonable technical and organizational security measures that have been taken in relation to the Personal Data processed in the context of this Data Processing Agreement are in line with the measures as described in article 7 of this Data Processing Agreement. Fenestrae may charge an additional fee to Customer for any assistance in accommodating an audit.
9.3 Fenestrae will make available to Customer the information reasonably necessary to demonstrate compliance with Customer 's obligations to conclude a data processing agreement in line with the relevant requirements in this respect under the applicable data protection law. In consultation with Fenestrae, Customer may engage a third party expert to perform its audit rights, provided that such third party will be bound by appropriate confidentiality obligations.
9.4 Customer shall ensure that the execution of an audit by or on behalf of Customer does not cause any delay or disruptions in the Service or other activities of Fenestrae.
9.5 If the Standard Contractual Clauses apply, then nothing in this section of the Data Processing Agreement modifies the Standard Contractual Clauses or affects any competent governmental authority's or data subject’s rights under the Standard Contractual Clauses.
10 Transfer of the Personal Data outside the EEA
10.1 Personal Data may be transferred by Fenestrae or its subcontractors to a Non EEA Entity in the context of execution of the Agreement.
10.2 The transfer of Personal Data may be legitimized based upon the EU-US Privacy Shield where it concerns a transfer to an entity located in the US that is self-certified to the EU-US Privacy Shield and the transfer falls within the scope of such registration. Microsoft Corporation is certified to the EU-US Privacy Shield.
10.3 As the case may be, the transfer may instead be legitimized by the unchanged EU-recommended controller-to-processor Standard Contractual Clauses without optional clauses. These Standard Contractual Clauses shall be deemed incorporated by reference herein and apply between Customer and the Non EEA Entity, if and to the extent Personal Data to which the data protection laws of a member state of the EEA applies are transferred from the EEA to a Non EEA Entity. The applicable Standard Contractual Clauses incorporated herein in accordance with this article, is agreed in the name and on behalf of the Non EEA Entity by Fenestrae acting as the Non EEA Entity's attorney.
10.4 Unless otherwise agreed by the Parties, (i) the Standard Contractual Clauses shall be governed by the applicable law of the EEA member state in which the Customer, as the data exporter, has its relevant establishment in relation to the processing of the Personal Data, (ii) the Customer shall be deemed to be the data exporter and the relevant Non EEA entity the data importer, and (ii) Schedule A and article 7 of this Data Processing Agreement (Security Measures) shall be deemed to be the appendices 1 and 2 of the applicable Standard Contractual Clauses.
10.5 Nothing in the Agreement, including this Data Processing Agreement shall be construed to prevail over any conflicting clause of the Standard Contractual Clauses. Customer acknowledges it has had the opportunity to review the Standard Contractual Clauses or to request a full copy from Fenestrae.
11 Requests of Data Subjects
Taking into account the nature of the data processing and the information available to Fenestrae, Fenestrae will, at its election and only upon request of Customer and insofar this is (technically) possible and necessary under applicable data protection law, (i) provide Customer the technical means for the fulfilment of its obligations to respond to Data Subjects' requests for the exercising of their rights, or (ii) provide reasonable assistance in providing the Personal Data or making the required corrections, deletions, or blockages on Customer's behalf and instructions. Fenestrae may charge Customer an additional fee for such assistance.
12 Indemnity
Customer shall indemnify Fenestrae against any claim by a third party, including by any of the Data Subjects or governmental authorities, imposed against Fenestrae as a result of a breach of the applicable law which can be attributed to Customer or any of its employees, agents, or contractors.
13 Term and Termination
13.1 This Data Processing Agreement enters into force on the date that Fenestrae first processes the Personal Data on behalf of Customer in the performance of the Agreement.
13.2 This Data Processing Agreement shall remain in effect for the duration of the Agreement. In the event the Agreement ends, this Data Processing Agreement ends as well by operation of law, without further legal action.
13.3 Unless Fenestrae is required by the applicable law to retain the Personal Data, Fenestrae will no more than 180 days after termination of this Data Processing Agreement ensure at the choice of Customer that (i) the Personal Data will be returned or provided to Customer, or (ii) the Personal Data will be destroyed, on Customer's request in writing.
13.4 Any obligation arising from this Data Processing Agreement that by nature has post-contractual effect shall continue to be in effect after the termination of this Data Processing Agreement.
14 Deviations and Renegotiation
14.1 Customer shall promptly inform Fenestrae on any changes that are or could be relevant for the Agreement and/or the processing of the Personal Data.
14.2 Parties are entitled to renegotiate this Data Processing Agreement, if this would reasonably result from a change in circumstances.
Schedule A Overview of the data processing activities
|
Purposes of the processing of Personal Data |
Duration of the processing of Personal Data |
Categories of Data Subjects |
Types of Personal Data processed by Fenestrae |
Groups of Employees of Fenestrae who may have access to the Personal Data |
Data processing activities that these persons may perform with the Personal Data |
|
Performance of the Service |
The duration of data processing of Personal Data in general is for the term of the Agreement; plus a 180 days retention period |
Users (Customer's employees) and other Data Subjects as may be contained in the Customer Data. |
Contact, access, identification, use and logging details of User(s). Any other Personal Data as may be contained in the Customer Data, for example as included in documents submitted by or on behalf of Customer. |
Fenestrae ICT Administrators |
System control for the service areas of: Performance · Quality · Authentication · Security · Disaster Recovery · Backup and roll back |
|
Customer support |
The duration of data processing of Personal Data in general is for the term of the Agreement; plus a 180 days retention period |
Users (Customer's employees) and other Data Subjects as may be contained in the Customer Data. |
Contact, access, identification, and use and logging details of User(s). Any other Personal Data as may be contained in the Customer Data, for example as included in documents submitted by or on behalf of Customer. |
Fenestrae Service Center |
Supporting & logging services for the areas of: · SLA & KPI monitoring · Processing error resolving · Service setup assistance · Service testing · Sending of system notifications |
|
Account management |
The duration of data processing of Personal Data in general is for the term of the Agreement; plus a 180 days retention period |
Users (Customer's employees) and other Data Subjects as may be contained in the Customer Data. |
Contact, access, identification, and use and logging details of User(s). Any other Personal Data as may be contained in the Customer Data, for example as included in documents submitted by or on behalf of Customer. |
Fenestrae order processing and finance department |
Accounting services for the areas of: · Billing & billing questions · Account setup · Account suspension, disabling and removing · Setup and change customer authentication · Retrieving Business Intelligence information of service use |
