1. General
- Words like IXON, we, us, or our in this Data Processing Agreement, shall refer to:
- IXON B.V., a Dutch corporation, if your company is located outside of the United States of America and Canada; IXON B.V. has a principal place of business at the Zuster Bloemstraat 20, 5835 DW, in Beugen, the Netherlands, and is registered with the Dutch Chamber of Commerce under file number 62729918.; or
- IXON Inc., a Delaware corporation, if your company is located within the United States of America or Canada, IXON Inc.; IXON Inc. has a mailing address at 228 E. 45 Street, Suite 9E, New York, NY 100017, USA.
- If your company is located outside of the United States of America and Canada, this agreement is between you and IXON B.V. If your company is located within the United States of America or Canada, this agreement is between you and IXON Inc.
- We offer cloud-based services on our IXON Cloud for remote access to, as well as monitoring of, machines and systems connected to the internet via an edge gateway. These services may also be provided on a white label basis. In any case accounts are needed to be able to login to and use our cloud-based services. For this purpose, certain personal data of our customer’s employees, the personnel of our customer’s clients, and/or third parties given access by you or your clients is processed by us.
- Words like you, your and customer in this Data Processing Agreement shall refer to you or our customer who has executed an agreement with us for the provision of certain services. You acknowledge and agree that the resulting processing of personal data is subject to the General Data Data Protection Regulation (Regulation (EU) 2016/679, hereinafter: ‘GDPR’). This Data Processing Agreement applies insofar you can be qualified as a ‘Data Controller’ under the GDPR, and we can be qualified as a ‘Data Processor’ under the GDPR.
- We are entitled to change this Data Processing Agreement with your consent. Consent to such a change shall be deemed to have been given if we notify you of the amendment in writing (which includes email) and you do not object to the amendment within four weeks of receiving the amendment notification. Parties agree not to amend this Data Processing Agreement in a way that detracts from the fundamental rights or freedoms of data subjects.
- Unless we expressly agree to their validity in writing, your deviating, conflicting or supplementary terms or conditions shall not become part of any agreement between you and IXON, even if we do not expressly object to their inclusion.
- Where, in this Data Processing Agreement, reference is made to terms that are defined in the GDPR, such as ‘data controller’, ‘data processor’ and ‘personal data’, such terms shall have the meanings given to them in the GDPR.
- In the event of a contradiction between these terms and the provisions of related agreements between the Parties, existing at the time these terms are agreed or entered into thereafter, this Appendix, meaning only the terms of ‘Appendix I: Data Processing Agreement’ and expressly not of the Terms of Use, shall prevail.
- Appendix II: Technical and Organizational Measures and Appendix III: List of sub-processors form an integral part of this Data Processing Agreement.
2. Description of processing
- IXON undertakes to process personal data on behalf of you, the data controller, in accordance with the conditions laid down in this Data Processing Agreement, unless required to do so by Union or Member State law to which we are subject. The processing will be executed: (i) within the framework of the agreements between you and us, including our Terms of Use, and (ii) for all such purposes reasonably related thereto and as may be agreed to subsequently.
- The personal data processed by us, and the categories of data subjects to whom the personal data relates, are specified below:
Categories of data subjects:
- Your (external) personnel who you instruct and allow to use our services.
- Personnel and/or external personnel of your clients who you provide (white labeled, if applicable) services to.
- Third parties who are given access to our services by your or your clients.
Categories of personal data: - Device information (IP address, MAC address, browser data), name, email address, the date and time of visit and location.
Duration of processing: - As long as needed to perform our obligations under any agreement between you and IXON.
- At your choice, we will delete or return all the personal data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.
- We shall refrain from making use of the personal data for any other purpose than as agreed upon with you. You shall inform us of any processing purposes which are not clearly mentioned in this Data Processing Agreement or which are not a logical consequence of the agreed upon services.
- We shall not take any unilateral decisions about the processing of personal data for other purposes. The control over the personal data processed under this Data Processing Agreement rests with you as the data controller. All personal data processed on your behalf shall remain your property or the property of the relevant data subjects.
3. Obligations & Responsibilities
- Regarding the processing of personal data mentioned in the previous article, we shall use all commercially reasonable efforts to ensure compliance with applicable laws and regulations governing the protection of personal data, such as the GDPR.
- A list of technical and organizational measures we use to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons, can be found in Appendix II: Technical and Organizational Measures.
- Our obligations arising from this Data Processing Agreement also apply to those processing personal data under our authority, including but not limited to our employees.
- We will provide any reasonably necessary assistance if a data protection impact assessment, or a prior consultation with a supervisory authority, is necessary with respect to the processing of personal data.
- As the processor of personal data, we are responsible for the processing that takes place within the scope of this Data Processing Agreement and your reasonable instructions. We are not responsible for other processing of personal data, including but not limited to, your collection of personal data and processing for purposes that are not mentioned in this Data Processing Agreement.
- You represent and warrant that you have a valid legal basis to process, and have us process, the personal data. Furthermore, you represent and warrant that the content, the use and the instruction to process the personal data within the meaning of this Data Processing Agreement are not unlawful and do not infringe any rights of a third party. In this context, you indemnify us and hold us harmless from and against claims and actions of such third parties relating to the processing of personal data. When, in our opinion, an instruction is manifestly in breach of the GDPR, we shall immediately inform you.
- On request, you shall make a copy of these terms available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information you may redact part of the text of these terms prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
4. Transfer of personal data
- You hereby grant us permission to process the personal data in countries within the European Economic Area. In addition, we may transfer the personal data to a country outside the European Economic Area provided that such country guarantees an adequate level of protection and/or all other obligations under this Data Processing Agreement and the GDPR are complied with.
- At your request, we shall inform you about the countries in which the personal data is processed. You are always entitled to object to any processing of personal data outside of the European Economic Area. We shall take such objections seriously and will try to find a reasonable solution. If we cannot come to a solution that is acceptable for both parties, and the continued transfer of personal data is in breach of any privacy legislation applicable to you as a controller, then you are entitled to terminate your agreements with us.
5. Third parties and subcontractors
- You hereby grant us general permission to engage third parties (sub-processors) within the scope of the services we provide to you. At your request, we shall inform you about the engaged sub-processors and/or any plans to engage new sub-processors. A list of used sub-processors can be found in Appendix III.
- In any case, we shall proactively inform you of any intended changes concerning the engagement of new sub-processors. When we have informed you about such a change in sub-processors, you shall have one month to object in writing to our communicated intentions. If you object to our intention to engage a new sub-processor, then the parties agree to engage in good faith discussions to resolve the matter. If the parties do not reach an agreement on our intention to engage the sub-processor, then we may engage the relevant new sub-processor and you will be entitled to terminate your agreement with us by the date on which the new sub-processor is engaged. If you do not object to our communicated intentions within the four-week term, then you shall be deemed to have no objections to the change in sub-processors.
- When engaging sub-processors, we shall ensure that such sub-processors will be obliged to agree in writing to duties which are substantially the same as agreed in this Data Processing Agreement.
- We shall remain fully responsible to you for the performance of the sub-processor’s obligations under its contract with us. We shall notify you of any failure by the sub-processor to fulfill its obligations under that contract.
6. Security
- Parties shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter ‘data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. We shall implement the technical and organizational measures specified in Appendix II to ensure the security of the personal data.
- We shall grant access to the personal data to members of our personnel only to the extent strictly necessary for the implementation, managing and monitoring of our services. We shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- We shall periodically review and update our technical and organizational security measures to make sure that these measures remain at an appropriate level considering changes (if any) in the state of technology and the nature of the personal data. We do not warrant that the security measures are effective under all circumstances. At your request, we shall provide you with our latest information regarding our implemented security measures.
7. Data breaches
- In the event of a personal data breach concerning personal data processed by us under these terms, we shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects. We will notify you of the breach without undue delay but at least within forty-eight (48) hours upon its discovery. You, as the controller of the personal data, shall solely decide whether or not to notify the data subjects and/or the relevant supervisory authorities about the data breach.
- If required by applicable laws and/or regulations, we shall provide all reasonable cooperation in notifying the relevant authorities and/or data subjects. However, you remain the responsible party for any statutory notification obligations in respect thereof.
In case of a data breach, we shall provide you with the information necessary for you to comply with your legal notification obligations towards data subjects and/or authorities. The notification obligation includes in any event the duty to report the fact that a breach has occurred, including details regarding:
-
- the (suspected) cause of the breach;
- the contact point where more information can be obtained;
- the approximate number of data subjects and number of personal data records concerned;
- the (currently known and/or anticipated) consequences thereof;
- the (proposed) solution;
- the measures that have already been taken.
-
8. Requests from data subjects
- We shall promptly notify you of any request we have received from a data subject. You shall then be responsible for properly handling the request. We may notify the data subjects of the fact that their requests have been forwarded and will be handled by you.
- When necessary, we shall assist you in fulfilling your obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.
9. Non-disclosure and confidentiality
- All personal data received by us from you within the framework of this Data Processing Agreement is subject to a duty of confidentiality. With regards to sub-processors engaged within the scope of this Data Processing Agreement or other providers of professional services, exchanging the confidential personal data is only allowed if such sub-processor or third party is also legally bound to a similar obligation of confidentiality.
- This duty of confidentiality will not apply if you (i) have expressly authorized the provision of such information to third parties, (ii) where the provision of the information to third parties is reasonably necessary taking into account the nature of the instructions and the implementation of this Data Processing Agreement, or (iii) if there is a statutory obligation to provide the information to a third party.
10. Audit
- In order to confirm compliance with all points in this Data Processing Agreement, and article 28 of the GDPR when applicable, you shall be entitled to have audits carried out. You may choose to conduct the audit by yourself or mandate an independent auditor who is bound to confidentiality. The costs of the audit will be borne by you.
- The audit will only take place after you have requested and assessed similar audit reports made available by us and provide reasonable arguments to conduct an audit. Such an audit is justified when the audit reports provided by us give no or insufficient information regarding our compliance with this Data Processing Agreement. The audit initiated by you will take place no more than once a year and only after you have provided two weeks prior notification.
- We will cooperate with the audit and will make available any reasonably necessary information, including supporting information such as system logs and employees as timely as possible.
- The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented by us.
11. Duration and termination
- This Data Processing Agreement is entered for the duration set out in the agreement between you and us. If no clear term has been agreed upon, then this Data Processing Agreement will apply as long as we process personal data on your behalf. If we no longer process personal data on your behalf, then this Data Processing Agreement is automatically terminated.
- This Data Processing Agreement cannot be terminated unilaterally by either Party if such termination would lead to non-compliance with applicable privacy legislation.
- Upon termination of the Data Processing Agreement, the Parties shall discuss and agree if any personal data still in our systems should be deleted or returned to you.
- Parties shall provide their full cooperation in amending this Data Processing Agreement insofar necessary because of any amended privacy laws and regulations.
12. Miscellaneous
- This Data Processing Agreement forms an integral part of the agreement between you and us. All rights and obligations under our Terms of Use, including the limitations on liability and applicable law, apply mutatis mutandis to this Data Processing Agreement.
- In case of a dispute between a data subject and one of the parties as regards to compliance with these terms, that party shall use its best efforts to resolve the issue amicably in a timely fashion. The parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- These terms shall be governed by Dutch law. The parties shall try to solve any dispute between them amicably. In case either party wishes to take a dispute to court, then such dispute shall exclusively to the competent court in the district of Oost-Brabant location 's-Hertogenbosch.
Want to save these data processing agreement? Download the PDF version here.
Contact us
Our team is ready to answer any question. We love to help you.