Data Processing Agreement

This processing agreement (hereinafter the “Agreement”) with regard to the processing of Personal Data (as defined hereinafter) is entered into between:

i) INTUO, a Belgian company (limited liability), with registered seat at Ottergemsesteenweg Zuid 808, box 336, 9000 Ghent, Belgium, registered with the Crossroads Bank for Enterprises under number 0541.977.305 and hereby represented by […] (hereinafter “INTUO” and/or the “PROCESSOR”); and

ii) You and/or Your Company, being a customer of INTUO (hereinafter the “CUSTOMER” and/or “CONTROLLER”) and the party for which INTUO performs certain Services (as defined hereinafter) based upon the Platform License Agreement entered into between INTUO and the CUSTOMER. The CONTROLLER and the PROCESSOR will be referred to together as the “Parties” and individually as a “Party” hereafter.

This Agreement regarding the processing of Personal Data was drafted and entered into in order for the Parties to comply with the obligations set forth in the General Data Protection Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 (hereafter the “GDPR”). This Agreement contains the rights and obligations of the CONTROLLER and the PROCESSOR with regard to the processing of Personal Data.


ARTICLE 1: DEFINITIONS

For the purpose of this Agreement, the following definitions apply:

  1. “Agreement” shall have the meaning of the term given in preamble C;
  2. “Confidential Information” shall mean all information that is disclosed to the other Party in writing or in any material form under this Agreement and that is identified as confidential or can be identified as confidential given the nature of the data or the nature of the circumstances that require the disclosure, such as, but not limited to product information, customer lists, price lists and financial information;
  3. “Controller” shall mean the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data carried out under his authority, for the purposes of this Agreement understood to be the CONTROLLER;
  4. “Data Subject” shall mean an identified or identifiable natural person;
  5. “Employee” means an individual who is hired by an employer and has entered into or works under a contract of employment for the provision of labour services in exchange for a wage or a fixed payment. An Employee does not provide professional services as part of an independent business. Agents, distributors, advisors, consultants, freelancers, (independent) (sub)contractors or any other third party are not considered Employees for the purposes of this Agreement;
  6. “Personal Data” shall mean all information relating to a Data Subject;
  7. “Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
  8. “Processor” shall mean a natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the controller, such as PROCESSOR;
  9. “Security Measures” shall mean those measures aimed at protecting Personal Data against accidental or unlawful destruction or loss, as well as against non-authorised access, alteration or transmission;
  10. “Services” shall mean the services performed by PROCESSOR in accordance with the Platform License Agreement;
  11. “Subprocessor” shall mean any processor engaged as a subcontractor by the PROCESSOR and who agrees to process Personal Data for and on behalf of the CONTROLLER in accordance with this Agreement;
  12. “Supervisory Authority” shall mean an independent public authority which is established by a member state pursuant to Article 51 of the Regulation;
  13. “Third Party” shall mean any party who is not a Data Subject, Controller, Processor or Subprocessor under this Agreement or a person who is authorised to process Personal Data under the direct authority of the CONTROLLER or PROCESSOR.

Any other terms used but not defined will have the same meaning as in the Platform License Agreement.


ARTICLE 2: SUBJECT-MATTER OF THE AGREEMENT

  1. The CONTROLLER wishes to entrust the PROCESSOR with the processing of Personal Data. The PROCESSOR shall process the Personal Data in name of and on behalf of the CONTROLLER. For the performance of Services, the CONTROLLER is responsible for the processing of personal data, and the PROCESSOR is a data processor.
  2. The PROCESSOR performs the Services in accordance with the provisions of this Agreement.
  3. Both Parties explicitly commit to comply with the provisions of the relevant applicable data protection laws and shall not do or omit anything that may cause the other Party to infringe the relevant and applicable data protection laws.
  4. Processing Activities. The processing carried out by the PROCESSOR in name and on behalf of the CONTROLLER relates to the Services performed by the PROCESSOR. The Processing Activities consist of:
    • Creating accounts for the CONTROLLER’s Employees to have access to the Services;
    • Organizing continuous performance management: keeping track of personal objectives, 1on1s and feedback for every CONTROLLER’s Employee;
    • Organizing online training, keeping track of all courses offered to the CONTROLLER’s Employees and enrollments in those courses;
    • Measuring engagement on a continuous basis using either INTUO’s set of questions or a self-chosen set of questions;
    • Big data analysis and statistical and scientific studies.
  5. Categories of Personal Data. The Personal Data that are processed are:
    • Email address
    • First name
    • Last name
    • By using the Learn module:
      • Course Enrollments
      • Session Enrollments
      • Quiz results and reviews
      • Video engagement data
      • Slide engagement data
      • Text engagement data
      • Badges
      • Certifications
    • By using the Perform module:
      • Check-in data
      • OKR data
      • Feedback and Praise
    • By using the Engage module:
      • Answers and feedback on engagement questions

    Optional (thus not required by the supplier and only applicable if the CONTROLLER or a natural person chooses to complete these):

    • Birthday
    • Middle name
    • City + Postal Code
    • Country
    • Street Name + Number
    • Job Title
    • Department
  6. Data Subjects. The Data Subjects are:
    • Present and former job candidates of CONTROLLER,
    • Employees, contractors, agents and other collaborators of CONTROLLER and of the CONTROLLER’s customers for which the CONTROLLER provides HR services, as well as third parties who are appointed by the aforementioned persons as family members or Contact Persons.
  7. Purposes. The PROCESSOR shall only use the Personal Data to ensure a good performance of Services as part of the Platform License Agreement in accordance with the provisions of this Agreement.
  8. Only those Personal Data which are mentioned in Article 2.5 may and shall be processed by the PROCESSOR. Furthermore, Personal Data shall only be processed in light of the purposes which are determined in this Article by the Parties.
  9. Both Parties shall undertake to adopt appropriate measures to ensure that the Personal Data are not used improperly or acquired by an unauthorised Third Party.

ARTICLE 3: DURATION OF THE PROCESSING

  1. This Agreement shall apply as long as the PROCESSOR processes Personal Data in name of and on behalf of the CONTROLLER as part of the Platform License Agreement.
  2. In the event of a breach of this Agreement or the applicable provisions of the Regulation, the CONTROLLER can instruct the PROCESSOR to stop further processing of the Personal Data with immediate effect.
  3. In the event of the end of the Agreement, or in the event of the Personal Data no longer being relevant for the performance of the Services, the PROCESSOR shall anonymise or pseudonymise to a maximum extent the Personal Data it has received or obtained in the performance of the Services and this solely for the following internal purposes:
    • To further improve the services (including but not limited to the Services) delivered by the PROCESSOR.

ARTICLE 4: CONTROLLER’S INSTRUCTIONS

  1. The PROCESSOR processes the Personal Data only on the documented instructions of the CONTROLLER and in any case in accordance with the agreed Processing Activities as set out in Article 2.4 of this Agreement in order to perform the Services. The PROCESSOR shall not further process the Personal Data subject to this Agreement in a manner which is incompatible with these instructions and the provisions laid down in this Agreement.
  2. The CONTROLLER can make limited changes to the instructions unilaterally. The PROCESSOR shall be consulted before any significant changes are made to the instructions. Changes affecting the core of the Agreement must be agreed upon by both Parties.
  3. The PROCESSOR processes the Personal Data in accordance with Article 4.1 of this Agreement, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which PROCESSOR is subject; in such a case, the PROCESSOR shall inform the CONTROLLER of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

ARTICLE 5: ASSISTANCE TO THE CONTROLLER

  1. Compliance with legislation. The PROCESSOR shall assist the CONTROLLER in ensuring compliance with its obligations pursuant to the Regulation, taking into account the nature of processing and the information available to the PROCESSOR.
  2. Personal Data Breach. In the case of a Personal Data Breach related to the subject of the processing of this Agreement, the PROCESSOR shall notify the CONTROLLER without undue delay after becoming aware of a Personal Data Breach.

    This notification shall at least include the following information:
    (a) The nature of the Personal Data Breach;
    (b) The categories of Personal Data that are affected;
    (c) The categories and approximate number of Data Subjects concerned;
    (d) The categories and approximate number of personal data records concerned;
    (e) The likely consequences of the Personal Data Breach;
    (f) Measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  3. In case the PROCESSOR makes use of a Subprocessor, the PROCESSOR shall require the Subprocessor to provide it with the same information when a Personal Data Breach takes place at the Subprocessor. The PROCESSOR shall promptly relay the information received from the Subprocessor to the CONTROLLER.
  4. The PROCESSOR and its Subprocessor(s) shall appoint among their Employees a single point of contact who shall be responsible for all communication between the PROCESSOR, the Subprocessor(s) and the CONTROLLER in the event of an incident which has led or may lead to an accidental or non-authorised destruction or loss or a non-authorised access, alteration or transmission of the Personal Data processed on behalf of CONTROLLER.
  5. The CONTROLLER shall exclusively decide, at its own discretion and in compliance with the relevant and applicable data protection laws, whether or not Data Subjects whose Personal Data have been impacted by a Personal Data Breach shall be notified of this. It is the responsibility of the CONTROLLER to notify the Supervisory Authority of a Personal Data Breach.
  6. The Parties, and if applicable the Subprocessor(s) shall ensure to work together in good faith to limit possible adverse effects of a Personal Data Breach.
  7. Data Protection Impact Assessment. Furthermore, the PROCESSOR shall assist the CONTROLLER as it carries out a Data Protection Impact Assessment in accordance with Article 35 of the Regulation. However, the PROCESSOR, at its own discretion, is free to charge additional costs for the performance of these services. These costs shall at all times be in relation to the delivered performances.

ARTICLE 6: INFORMATION OBLIGATIONS

    The PROCESSOR shall provide the CONTROLLER, at any time upon request of CONTROLLER (however such request needs to be made giving the PROCESSOR a reasonable delay to comply with such request), with all information the CONTROLLER requires, at minimum with the information as determined by the provisions of this clause:

    • All relevant details regarding its own corporate structure, as well as accurate and up-to-date identifying information on all of the PROCESSOR’s entities involved in the processing of Personal Data, including the location of their main establishment;
    • Without prejudice to what has been agreed in Article 9, the aspects of the processing that rely or intend to rely on the Services of a Subprocessor, as well as the identification data of a Subprocessor including the location of its main establishment, and the PROCESSOR shall relay to the CONTROLLER the agreement with the Subprocessor(s) which pertains or is relevant to the processing of Personal Data, unless where such agreement with the Subprocessor(s) contains Confidential Information, in which case it may remove such Confidential Information;
    • Geographical details of processing locations, including back-up and redundancy facilities;
    • The physical, organisational, technical and logical Security Measures that the PROCESSOR and its Subprocessor(s) have implemented, as set out in Article 11 of this Agreement.

ARTICLE 7: PROCESSOR’S OBLIGATIONS

  1. The PROCESSOR shall handle all reasonable requests of the CONTROLLER concerning the processing of Personal Data related to this Agreement, immediately or within a reasonable time (depending on the legal obligations defined in the Regulation) and in a proper manner.
  2. The PROCESSOR guarantees that there are no obligations that arise from any applicable legislation that make it impossible to comply with the obligations of this Agreement.
  3. The PROCESSOR undertakes to not process Personal Data for another purpose than the performance of the Services and the compliance with the responsibilities of this Agreement in accordance with the documented instructions of the CONTROLLER; if the PROCESSOR, for any reason, cannot comply with this requirement, he shall notify the CONTROLLER without delay thereabout. The PROCESSOR shall notify the CONTROLLER without delay if he is of the opinion that an instruction from the CONTROLLER violates the applicable legislation related to data protection.
  4. The PROCESSOR shall ensure that the access to, the inspection, the processing and the disclosure of Personal Data shall only take place in accordance with the principle of proportionality and the ‘need-to-know’ principle (i.e. data are only disclosed to the persons that require Personal Data for the performance of the Services).
  5. The PROCESSOR shall undertake to not disclose Personal Data to other persons than the Employees of the CONTROLLER who need the Personal Data to comply with the obligations of this Agreement, and shall ensure that the relevant Employees shall commit themselves to confidentiality or are under a statutory obligation of confidentiality unless such disclosure is foreseen under the Platform License Agreement.
  6. As of the 25th of May 2018 the PROCESSOR has the obligation to create and maintain a record of processing activities related to this Agreement; the PROCESSOR shall make the record available upon first request of the CONTROLLER, an auditor appointed by the CONTROLLER and/or the Supervisory Authority.

ARTICLE 8: CONTROLLER’S OBLIGATIONS

  1. The CONTROLLER shall render all assistance needed and shall cooperate in good faith with the PROCESSOR in order to ensure that all processing of Personal Data complies with the requirements of the Regulation particularly with the principles relating to processing of Personal Data.
  2. The CONTROLLER shall agree with the PROCESSOR on appropriate communication channels in order to ensure that instructions, directions and other communications regarding Personal Data that are processed by the PROCESSOR on behalf of the CONTROLLER are well received between the Parties. The CONTROLLER shall notify the PROCESSOR of the identity of the single point of contact at the CONTROLLER that the PROCESSOR is required to contact in application of this Article 8.2.
  3. The CONTROLLER warrants that it shall not issue any instructions, directions or requests to the PROCESSOR, which do not comply with the provisions of the Regulation.
  4. Without prejudice to Article 14.2 of this Agreement, the CONTROLLER shall render the assistance needed for the PROCESSOR and/or its Subprocessor(s) to comply with a request, order, inquiry or subpoena directed at the PROCESSOR or its Subprocessor(s) by a competent national governmental or judicial authority.
  5. The CONTROLLER warrants that it shall not issue instructions, directions or requests to the PROCESSOR which would require the PROCESSOR and/or its Subprocessor(s) to violate any obligations imposed by applicable mandatory national law to which the PROCESSOR and/or its Subprocessor(s) are subject.
  6. The CONTROLLER warrants that it shall cooperate in good faith with the PROCESSOR in order to mitigate the adverse effects of a security incident impacting Personal Data processed by the PROCESSOR and/or its Subprocessor(s) on behalf of the CONTROLLER.

ARTICLE 9: THE USE OF SUBPROCESSORS

  1. The PROCESSOR shall not engage another processor without prior specific or general written authorisation of the CONTROLLER. In the case of general written authorisation, the PROCESSOR shall inform the CONTROLLER of any intended changes concerning the addition or replacement of other processors, thereby giving the CONTROLLER the opportunity to object to such changes.
  2. Without prejudice to the foregoing, the Parties agree that the PROCESSOR shall not be required to disclose the identity of each Subprocessor (categories of Subprocessor shall suffice in combination with the information set forth in Articles 6 and 7 with regard to Subprocessors or as set forth in Annex 1). Notwithstanding the above, the CONTROLLER can at all times request the PROCESSOR to disclose the identity of a Subprocessor and the PROCESSOR shall do so if such disclosure does not constitute a breach of any confidentiality engagement or trade secret provision the PROCESSOR has entered into with the relevant Subprocessor. If the PROCESSOR cannot disclose the identity of a Subprocessor, the PROCESSOR shall be obliged to provide a formal justification in writing.
  3. The PROCESSOR shall ensure that its Subprocessors will be bound to the same obligations with respect to Personal Data as to which the PROCESSOR is bound by this Agreement.
  4. The PROCESSOR shall relay the purposes determined and instructions issued by the CONTROLLER in an accurate and prompt manner to the Subprocessor(s) when and where these purposes and instructions pertain to the part of the processing in which the Subprocessor(s) is(are) involved.
  5. As part of this Agreement the PROCESSOR makes use of the following categories of Subprocessors in order to ensure the performance of the Services to the Data Subjects.
    • Hosting Provider
    • Video Processor
    • Technical Log Processor
    • Capturing of CONTROLLER’s product feedback
    • Logging of technical errors
    • Interaction with chatbots

ARTICLE 10: RIGHTS OF THE DATA SUBJECTS

  1. Taking into account the nature of the processing, the PROCESSOR assists the CONTROLLER by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of the CONTROLLER’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the Regulation.
  2. With respect to any request from Data Subjects regarding their rights concerning the processing of Personal Data pertaining to them by the PROCESSOR and/or its Subprocessor(s), the following conditions apply:
    • The PROCESSOR shall on a best efforts basis promptly inform the CONTROLLER of any request made by a Data Subject with regard to the Personal Data the PROCESSOR and/or its Subprocessor(s) processes on behalf of the CONTROLLER, without giving any consequence to such request unless explicitly authorised by the CONTROLLER to do so;
    • The PROCESSOR shall promptly comply and shall require its Subprocessor(s) to promptly comply with any request made by the CONTROLLER in order for the CONTROLLER to comply with a request made by the Data Subject who wishes to exercise one of its rights;
    • The PROCESSOR shall ensure that both it and its Subprocessor(s) have the technical and organisational capabilities required to block access to Personal Data and to physically destroy data with no means of recuperation if and when such request is made by the CONTROLLER;
    • The PROCESSOR shall, upon simple request of the CONTROLLER and on a best efforts basis, render all assistance required and provide all information necessary for the CONTROLLER to defend its interests in any proceedings – legal, arbitral or others – brought against the CONTROLLER or its Employees for any violation of fundamental rights to privacy and protection of Personal Data of Data Subjects.

ARTICLE 11: SECURITY MEASURES

  1. Throughout the term of this Agreement the PROCESSOR shall have in place and maintain appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the Data Subject.

    The PROCESSOR shall amongst others have in place technical and organisational measures against unauthorised and unlawful processing, and shall on a regular basis evaluate and adjust if required, the appropriateness of the Security Measures.
  2. More in particular, the PROCESSOR shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, according to Article 32 of the Regulation.
  3. In assessing the appropriate level of security, account was taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
  4. The CONTROLLER reserves the right to suspend and/or terminate the Platform License Agreement, where the PROCESSOR can no longer provide for technical and organisational measures appropriate to the risk of processing.
  5. The PROCESSOR has implemented, among others, but not limited to, the following general physical, logical, technical and organisational security measures:

    • the prevention of unauthorized persons from gaining access to systems Processing Personal Data (physical access control)
    • the prevention of systems Processing Personal Data from being used without authorization (logical access control)
    • ensuring that persons entitled to use a system Processing Personal Data gain access only to such Personal Data as they are entitled to access in accordance with their access rights, and that, in the course of Processing, Personal Data cannot be read, copied, modified or deleted without authorization (data access control)
    • ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control)
    • ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from systems Processing Personal Data (entry control)
    • ensuring that Personal Data Processed are Processed solely in accordance with the instructions (control of instructions)
    • ensuring that Personal Data are protected against accidental destruction or loss (availability control)
    • ensuring that Personal Data collected for different purposes can be processed separately (separation control)

    A more detailed overview of the technical and organizational measures is set forth in Annex 2 of the Agreement.

ARTICLE 12: AUDIT

  1. The PROCESSOR acknowledges that the CONTROLLER is under the supervision of one or several Supervisory Authorities. The PROCESSOR acknowledges that the CONTROLLER and any involved Supervisory Authority will have the right to perform an audit at any time, and in any case during the normal office hours of the PROCESSOR, during the term of this Agreement to assess whether the PROCESSOR is compliant with the Regulation and the provisions of this Agreement. The PROCESSOR shall provide the necessary cooperation.

    This right to audit shall not be used more than one time per calendar year, unless the CONTROLLER and/or the Supervisory Authority has reasonable grounds to assume that the PROCESSOR acts in conflict with this Agreement and/or the provisions of the Regulation.
  2. On written request of the CONTROLLER, the PROCESSOR will provide an independent third party or certified auditor, appointed by the CONTROLLER or the involved Supervisory Authority, access to the relevant parts of the administration of the PROCESSOR and all locations and information of interest of the PROCESSOR (and those of its agents, subsidiaries and sub-contractors) to determine if the PROCESSOR is compliant with the Regulation and the provisions of this Agreement. On request of the PROCESSOR, the concerned parties shall enter into a confidentiality agreement.
  3. The CONTROLLER shall take all appropriate measures to minimise any obstruction caused by the audit on the daily functioning of the PROCESSOR or the Services performed by the PROCESSOR.
  4. If there is agreement between the PROCESSOR and the CONTROLLER on a material shortcoming in the compliance with the Regulation and/or the Agreement, as revealed in the audit, the PROCESSOR shall remedy this failure as soon as possible. The Parties can agree to have a plan in place, including a timescale to implement this plan, to respond to the shortcomings revealed in the audit.
  5. The CONTROLLER will bear the costs of any performed audit in the meaning of this Article. However, when the audit has revealed that the PROCESSOR is manifestly not compliant with the Regulation and/or the provisions of this Agreement, the PROCESSOR shall bear the costs of such audit.

ARTICLE 13: TRANSFER TO THIRD PARTIES

  1. The transfer of Personal Data to Third Parties in any manner possible is prohibited, unless it is legally required or in case the PROCESSOR has obtained the explicit consent of the CONTROLLER to do so. In case a legal obligation applies to transfer Personal Data, which is subject to this agreement, to Third Parties, the PROCESSOR shall prior to the transfer notify the CONTROLLER.

ARTICLE 14: INTERNATIONAL TRANSFER

  1. The Parties agree that Personal Data can only be transferred to and/or kept with the recipient outside the European Economic Area (EEA) in a country that does not fall under an adequacy decision issued by the European Commission by exception and only if necessary to comply with the obligations of this Agreement. Such transfer shall be governed by the terms of a data transfer agreement containing standard contractual clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC), or by other mechanisms foreseen by the applicable data protection law.
  2. The PROCESSOR shall prior to the international transfer inform the CONTROLLER about the particular measures taken to guarantee the protection of the Personal Data of the Data Subject in accordance with the Regulation.

ARTICLE 15: CONDUCT IN RELATION TO NATIONAL GOVERNMENTAL AND JUDICIAL AUTHORITIES

  1. The PROCESSOR shall inform the CONTROLLER immediately of any request, order, inquiry or subpoena by a competent national governmental or judicial authority directed at the PROCESSOR or its Subprocessor which entails the communication of Personal Data processed by the PROCESSOR or a Subprocessor for and on behalf of the CONTROLLER or any data and/or information associated with such processing.
  2. Without prejudice to Article 15.1 of this Agreement, the PROCESSOR warrants that there are no obligations of applicable statutory law, which make it impossible for the PROCESSOR to comply with its obligations under this Agreement.

ARTICLE 16: INTELLECTUAL PROPERTY RIGHTS

  1. All Intellectual Property Rights as regards to the Personal Data and as regards to the databases which contain these Personal Data are reserved to the CONTROLLER, unless otherwise contractually agreed upon between the Parties. Nothing in this Agreement shall constitute a transfer of any Intellectual Property Rights from the CONTROLLER to the PROCESSOR unless otherwise contractually agreed upon between the Parties.

ARTICLE 17: CONFIDENTIALITY

  1. The PROCESSOR commits itself to handle the Personal Data and its processing with the utmost confidentiality. The PROCESSOR shall guarantee the confidentiality with measures that are not less restrictive than the measures he uses to protect his own confidential material, including Personal Data.
  2. The PROCESSOR ensures that employees or the Subprocessors authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

ARTICLE 18: LIABILITY

  1. Without prejudice to the Platform License Agreement, the PROCESSOR is liable for the damage caused by processing only where it has not complied with the obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the CONTROLLER.
  2. A Party is liable (contractual or in tort/delict (including default) or by any means associated with this Data Protection Agreement, including liability for severe misconduct) for verified shortcomings attributable to it. The liability of the Parties for a breach under this Agreement shall be limited to suffered foreseeable, direct and personal damages, with the exclusion of consequential damage (even if informed about the possibility of such consequential damage or if the likelihood of such consequential damage was reasonably foreseeable), where “consequential damage” means: damage or loss that did not derive directly and immediately from a breach of contract and/or extracontractual non-performance, but instead indirectly and/or after a certain lapse of time, including, but not limited to loss of income, interruption or stagnation of operations, increase of staff costs and/or the costs of staff cuts, damage consisting of or as a result of claims from third parties, lack of expected savings or advantages and loss of data, profit, time or income, loss of orders, loss of customers, increase of overhead costs, consequences of a strike, irrespective of the causes.
  3. If it appears that both the CONTROLLER and the PROCESSOR are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing.
  4. In any event, the total liability of the PROCESSOR under this Agreement shall be limited to the cause of damage and to an amount equal to the total amount of license fees paid by the CONTROLLER to the PROCESSOR for the delivery and performance of the Services for a period of not more than twelve months immediately prior to the cause of damages. In no event shall the PROCESSOR be held liable if the PROCESSOR can prove that it is not responsible for the event or cause giving rise to the damage.

Article 19: Mediation and jurisdiction

  1. The PROCESSOR agrees that if the Data Subject invokes against it claims for damages under this Agreement, the PROCESSOR will accept the decision of the Data Subject:
    • To refer the dispute to mediation by an independent person;
    • To refer the dispute to the relevant courts in Ghent, Belgium.
  2. The Parties agree that the choice made by the Data Subject will not prejudice the Data Subject’s substantive or procedural rights to seek remedies in accordance with other provisions of applicable national or international law.
  3. Any dispute between the Parties regarding the terms of this Agreement shall be brought before the competent courts as determined in the Platform License Agreement.

Article 20: Termination of the Agreement

  1. This Agreement shall apply as long as the PROCESSOR processes Personal Data on behalf of the CONTROLLER.
  2. In the event of breach of this Agreement or the Regulation, the CONTROLLER can instruct the PROCESSOR to stop further processing of the information with immediate effect.
  3. The PROCESSOR shall not store the data any longer than needed to perform the Service for which the data is provided. At the choice of the CONTROLLER, the PROCESSOR shall delete or return all the Personal Data to the CONTROLLER after the end of the provision of Services in relation to processing, shall delete existing copies, and will certify that it has done so, unless Union or Member State law requires storage of the Personal Data. The Personal Data shall be provided to the CONTROLLER without charge, unless otherwise agreed upon.


Annex 1 – List of current Sub-processors

| Name of IT / System / Software / paper records | Data controller or data processor? | Primary Data Center Location | Used in Product Module | Categories of Personal Data |
|---|---|---|---|---|
| Amazon Web Services | (sub-)processor | Frankfurt, Germany | Suite | All |
| Freshdesk | (sub-)processor | United States of America (Privacy Policy) | Suite | Name, Email |
| LogDNA | (sub-)processor | United States of America (Privacy Policy) | Suite | User ID, IP address |
| Mandrill | (sub-)processor | United States of America (Privacy Policy) | Suite | Name, Email |
| Mixpanel | (sub-)processor | United States of America (Privacy Policy) | Suite | Name, Email |
| OneSignal | (sub-)processor | United States of America (Privacy Policy) | Perform | User ID |
| Pingdom | (sub-)processor | United States of America (Privacy Policy) | Suite | N/A |
| Productboard | (sub-)processor | European Economic Area and United States of America (Privacy Policy) | Suite | Name of Company |
| Rustici Software | (sub-)processor | AWS US-East-1 (Privacy Policy) | Learn (SCORM only) | User ID |
| Sentry | (sub-)processor | United States of America (Privacy Policy) | Suite | User ID |
| Slack | (sub-)processor | United States of America (Privacy Policy) | Perform | N/A |
| Skylight | (sub-)processor | United States of America (Privacy Policy) | Suite | None |
| Stripe | (sub-)processor | Countries in which Stripe operates (Privacy Policy) | Learn | Name, Email |
| Twilio | (sub-)processor | United States of America (Privacy Policy) | Suite | Phone Number |
| Wistia | (sub-)processor | United States of America (Privacy Policy) | Learn | Email |

Annex 2 - Technical and Organizational Measures

Intuo is ISO27001 certified and has undergone an ISO27001 (phase 1 & 2) and GDPR audit. The most relevant information is included in the table below, and extra documentation or information is available on request. All requests should be addressed to the Technical Security Officer (philip@intuo.io).

Domain: Practices

Information Security Management and Governance: We have implemented an Information Security Management System (ISMS) under ISO27001. This includes, but is not limited to, an information security policy for all our employees. The policy is attached. Also, in order to provide information security, management measures are implemented that reduce the risks. These risks and the likelihood of them occurring are included in the ISO27001 ISMS.

Human Resources Security: We keep all confidential data in our HRIS and comply with ISO27001, for which our Organisation Security Officer is responsible.

Asset Management: Our assets (both digital and non-digital) are maintained under our data classification policy.

Information Access Control: We have a few policies in place that work according to the principle of least privilege, both for our supplied applications, general information and own data. Access to our own systems, hosted with Amazon (AWS), is restricted to the CTO, Head of Support, Development Lead and Head of System Administration, and the use of passwords is expressly forbidden. We solely use public/private key pairs to authenticate with our servers.

The access rights per user are determined in accordance with the established access policy. Specific questions about information access and its policies can be addressed to the Security Information Officer (philip@intuo.io).

Physical and Environmental Security:

The office space of INTUO

INTUO leases an office space in the Ghelamco Arena, Ottergemsesteenweg Zuid 808 in Gent. The access policy of the entire office environment is explained in the document “Rules and agreements with employees”, chapter “Access policy & password management”.

Working from home

Employees of INTUO have the option to work from home. Some contractors work from abroad; they have access to all applications and information needed for their job.

Working at client locations

Some employees of INTUO work at client locations for short periods of time.

External locations

Employees can perform business activities at external locations for INTUO. Examples of such locations include public transport, hotels or restaurants.

The rules for working from home, at client locations and external locations are included in the “Information Security Policy” document.

Operations Security: This falls completely under the scope of our ISMS (ISO27001), with our Operational Security Officer (OSO).

Communications Security: All communication falls under our data classification policy. All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted (also at-rest) and secured behind VPN & VPC firewalls.

Our own offices use a network protected by a redundant Fortinet 200D Firewall, placed in the datacentre in Merelbeke, connected to the Ghelamco Arena via Dark Fiber. More information about this connection is given in the document “Continuity and Security measures”, also part of the ISMS of our ISO27001 certification.

System Acquisition, Development & Maintenance: Every system that will potentially be implemented or acquired will go through a DPIA risk analysis. Questions asked include (but are not limited to) whether the data is stored in the EU, whether the system is GDPR compliant, whether backups are available, which uptime availability the supplier offers, etc.

When we develop and maintain our own systems, we follow a similar process where we evaluate access control, information security, communications security, etc. We back up and test our systems, just in case. Production data is automatically backed up daily. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention for all systems is seven (7) days. Our production applications are deployed in multiple availability zones and leverage AWS Multi-AZ technology, which can sustain the loss of an entire data center in a region.

Intuo’s products run on world-class infrastructure hosted at Amazon data centers running on Amazon Web Service (AWS) technology. Our data centers are located in Frankfurt, Germany and data never leaves Europe. Amazon data centers provide physical security 24/7, state-of-the-art fire suppression, redundant utilities and biometric devices to ensure that our customers’ data is safe and secure. Amazon continually reviews and refines their procedures to comply with the latest security standards. Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB and Yelp. Amazon maintains security certifications with:

  • SOC 1 / ISAE 3402
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001

Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. However, strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customer's data.

Supplier Relationships: All suppliers are analysed through our DPIA, including whether they store critical (i.e. personal) data. With critical suppliers, we maintain SLAs.

Information Security Incident Management: We maintain an information security incident document, in accordance with the ISO27001 certification.

Any employee, supplier or other third party that comes into contact with company information and/or systems should report any threat, event or incident with potential adverse effects as soon as possible by contacting the Operational Security Officer and the Technical Security Officer.

Business Continuity Management: The measures taken regarding Business Continuity Management (BCM) are described in our ISO27001 documentation. Emphasis is placed on the availability of networks, and systems and applications that ensure the availability of information.

Compliance: We have undergone a GDPR compliance audit and DPIA. We do regular internal ISO27001 audits to check compliance and have a yearly external ISO27001 audit.