‍

Data Processing Agreement

Processing of Personal Data

‍

Introduction

This Processing Agreement is part of the Main Agreement between Apostle Technologies B.V. (from now on: "Apostle" or "Processor") and the natural or legal person with whom Apostle agrees to the provision and use of the Apostle software (from now on: "Customer" or "Controller"). Together, the Controller and Processor are called the "Parties".

For the use of the Apostle software, the Parties have entered into an agreement to which the Apostle General Terms and Conditions also apply (collectively: "Main Agreement"). Apostle will process personal data on behalf of the Controller to perform the Main Agreement. By Applicable Law, the Parties enter into this agreement, which sets out their respective rights and obligations about processing personal data (the "Processing Agreement"). The Main Agreement and the Processing Agreement jointly determine the subject matter and duration of the Processing of Personal Data.

‍

Article 1: Details of Processing

Apostle processes personal data on behalf of the Controller in the context of the services described in the agreement:

The Apostle software lets brand ambassadors easily submit content, edit content, and present it to groups of brand ambassadors. Creators use the Apostle software app (available for IOS and Android). Publishers use the app and receive the proposed messages by email.

Further elaboration of the processing:

• The nature of the processing: Employee Advocacy software.
• Purpose(s) of the processing: Sharing content on employees' personal social media networks to increase awareness and visibility (branding).

Types of personal data processed ("Personal Data"):

‍

Apostle may use the Controller's anonymised data for analytical and statistical purposes to improve its services.

Storage periods: All data is stored according to GDPR guidelines within the European Union. All communication within the Apostle software system is via HTTPS or SSL connections. Once a user is removed from the system, all information about the user is deleted except information about sent emails, which is automatically deleted within 30 days.

Sub-processors: Apostle maintains an up-to-date list of sub-processors at https://trust.apostlesocial.com/subprocessors. The Customer will be informed of any intended changes and has the right to object within 30 days.

‍

Article 2: Instructions

Apostle will only process the Personal Data:

• Based on written instructions from the Controller.
• Within the framework of the execution of the Agreement.

Apostle will inform the Controller immediately if, in its opinion, instructions are contrary to the GDPR or otherwise unreasonable.

‍

Article 3: Transfer of Personal Data Outside the European Union

1. Apostle may process Personal Data in European Economic Area (EEA) countries. Transfer to countries outside the EEA is only allowed with the Controller's prior written consent.
2. Apostle shall inform the Controller of the country where personal data are processed.

‍

Article 4: Confidentiality and Special Personal Data

1. Personal data is confidential information.
2. Apostle may only give employees and third parties access to Personal Data when necessary for the Agreement's performance. Apostle guarantees that all of them are obligated to maintain the confidentiality of the Personal Data they have access to.
3. Our databases and applications are hosted in AWS data centres in Frankfurt, Germany. These data centres pass strict safety requirements and certifications, such as ISO 27001, ISO 27017, and ISO 27018, and are also GDPR-compliant.

‍

Article 5: Confidentiality

1. Apostle will ensure that appropriate technical, physical and organisational measures are taken to secure the Personal Data against loss or any form of unlawful processing when executing the Agreement. These measures guarantee an appropriate security level because of the risks involved in the processing and the nature of the Personal Data to be protected, taking into account the state of the art, context and purpose of the processing and the costs of implementing the measures.
   
   The measures shall include, where appropriate, the following:

• Pseudonymization and encryption.
• The ability to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of the processing systems and services.
• The ability to restore the availability of and access to the Personal Data promptly in the event of a physical or technical incident.
• A procedure for regular testing, evaluation, and assessment of the effectiveness of technical and organisational measures in secure processing.

2. Apostle will report any changes in the security measures to the Controller.

‍

Article 6: Reporting of Data Leaks

1. Apostle shall inform the Controller's contact person as soon as possible, in any event within 24 hours of discovery, of any breaches relating to Personal Data (Data Leaks). A Data Leak will be notified to the contact person of Processing Responsible via e-mail.
2. In the event of a data breach, Apostle shall immediately take remedial action. Apostle will fully cooperate with the Controller in setting up and implementing a response plan. Apostle shall assist the Controller in adequately informing the individuals and the supervisory authority or authorities.
3. Apostle will provide the Controller with all relevant information when reporting, including in any case:
   a) The nature of the breach and the country (and, if concerned, the Sub-processor) where it has taken place.
   b) What Personal Data are involved.
   c) Where possible, the categories of data subjects and the approximate number of data subjects concerned.
   d) The name and contact details of the data protection officer of Apostle or another contact point where further information can be obtained.
   e) Whether the Personal Data has been encrypted, hacked or otherwise made unintelligible or inaccessible.
   f) The measures that Apostle has already taken or proposes to take to terminate the breach, limit its consequences and prevent any recurrence in the future.
   
   If all the information cannot be provided at once, it may be provided in stages without unreasonable delay.
4. Apostle shall keep records of all breaches involving Personal Data of the Processing Party and the measures taken, and shall allow the Controller to inspect these upon request.

‍

Article 7: Engaging Third Parties

1. Apostle may make use of Sub-processors in the course of providing its services. The Sub-processors Apostle engaged when entering into this Processing Agreement are listed in the table in Article 1. The Controller has the right to object in writing to any new or amended Sub-processor(s), stating reasons, within two weeks of the notification of Apostle to this effect. If the Controller objects, the Apostle and the Controller will consult to find a solution.
2. Apostle guarantees correct compliance with the obligations of this Processor Agreement by these Sub-processors and, in the event of errors by these Sub-processors, will be liable to Processor itself for all damages as if it had committed the error(s) itself.
3. Apostle shall ensure that Subprocessors are contractually bound to the same personal data protection obligations as Apostle is bound under the Agreement, in particular the obligation to provide adequate guarantees regarding the application of appropriate technical and organisational measures so that the processing will meet the legal requirements.

‍

Article 8: Cooperation With Complaints and Requests

1. Apostle will deal promptly and appropriately with questions and requests from the Controller regarding the processing under the Agreement.
2. Apostle shall inform the Controller directly of any complaints or queries from the Controller's customers. Apostle shall not address the Controller's customers directly unless the Controller has specifically instructed it to do so.
3. Apostle will, as far as possible, enable the Controller to comply with the rights of data subjects, such as the right to inspect, correct or delete data within the statutory time limits. Apostle has taken appropriate technical and organisational measures (including procedures).

‍

Article 9: Others

1. Upon termination of the Agreement, Apostle shall, at the option of the Controller, return or destroy the Personal Data and all copies thereof to the Controller, except where the Agreement or applicable law indicates otherwise. Apostle shall promptly confirm in writing to the Controller that it has returned or destroyed all Personal Data and copies thereof without unreasonable delay after termination of the Agreement.

Audits:

2. The Controller has the right to have an independent external auditor or its internal audit department audit compliance with the processing agreement. If this is reasonably possible, an audit will be announced in advance. Apostle will cooperate with an audit.
3. Suppose an audit reveals that Apostle must comply with the obligations in this Processor Agreement. In that case, Apostle will always bear the reasonable audit costs incurred by the Processor.
4. Apostle will support the Controller in fulfilling the obligations of the Controller under Sections 32 to 36 of the GDPR, should this be necessary.