- Full Funnel B.V., registered with the Chamber of Commerce under number 82495750, having its registered office in Amsterdam (1043 AH) at Rhôneweg 20, represented by Mr. D. de Vries, hereinafter also referred to as: “Full Funnel” or “Processor”.
- Controller and Full Funnel have entered into an agreement for the provision of services whereby Full Funnel, on the instructions of Controller, processes Personal Data for which Controller is responsible.
- Controller and Full Funnel wish to lay down in this agreement the mutual rights and obligations for the Processing of Personal Data by Full Funnel in accordance with the relevant laws and regulations.
1. Parties have agreed the following:
- The words or phrases used in this Agreement will have the following meanings, unless the AVG or the AVG Implementation Act provide otherwise:
- Data Subject: the person to whom (a) Personal Data relates;
- Main Agreement: the agreement(s) for the delivery and installation of goods at/for Processor, under which Processor has instructed Full Funnel to perform Processing;
- Agreement: this Data Processing Agreement (DPA);
- Personal Data: any information regarding an identified or identifiable natural person that Full Funnel processes or should process under the Main Agreement;
- Process/Processing: all acts or series of acts performed on Personal Data, whether or not by automated means, such as collecting, recording, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, matching or combining, blocking, erasing or destroying;
- AVG: General Data Protection Regulation (European Union Regulation 2016/679 of 27 April 2016).
- Unless the Parties have agreed otherwise in writing, the provisions of this Agreement shall apply to any Processing by Full Funnel pursuant to the Main Agreement between Controller and Full Funnel. The agreements in this Agreement take precedence over all provisions in already concluded agreements, including the Main Agreement.
3. Processing by Full Funnel
- Full Funnel takes the protection of Personal Data seriously and will therefore, as far as reasonably possible, ensure compliance with the conditions imposed on the processing of Personal Data under the AVG, the AVG Implementation Act and other relevant laws and regulations.
- Full Funnel will only process personal data to the extent necessary to fulfil its obligations under the Main Agreement.
- Full Funnel shall only process the Personal Data on behalf of and in accordance with the instructions of Controller and for the purpose specified in this Agreement and the Main Agreement. Full Funnel shall not independently decide on the use and duration of storage of the Personal Data. Furthermore, Full Funnel shall not have Personal Data processed by third parties for a purpose other than the performance of the Main Agreement. The principles set out in this Article will only be deviated from if the (Dutch) law or authorities require it.
- In order to be able to execute the agreement, Full Funnel must process the personal data listed in Appendix 1.
- Full Funnel shall retain the Personal Data for the duration listed in Appendix 2.
- The Personal Data to which Full Funnel has access pursuant to the Main Agreement is treated with the utmost care. In order to ensure the security of the Personal Data as much as possible, Full Funnel only provides access to the Personal Data to its employees to the extent necessary to perform the services under the Main Agreement. Full Funnel and its associated persons shall of course maintain secrecy with regard to the Personal Data processed under this Agreement.
- The processing of personal data by or on behalf of Full Funnel shall only take place outside the European Economic Area (EEA) if the conditions set out in Article 44 of the AVG are met.
- It is possible that Full Funnel is obliged to provide Personal Data to a third party pursuant to an order of a judicial or administrative authority. In such a case, Full Funnel shall notify Controller within 7 working days of receiving such an order and before Full Funnel has acted on the order, to allow Controller to object to or appeal against the injunction. The responsibility for seeking legal remedies against such order shall expressly rest with Controller. If the relevant law pursuant to which the order was made prohibits Full Funnel from notifying Controller on compelling public interest grounds, notification shall not take place.
- If Full Funnel is of the opinion that by virtue of a legal obligation Personal Data must be made available to a competent authority, Full Funnel will notify Controller in writing, after which, at the request of Controller, the relevant legal obligation will also be mentioned and relevant information will be provided. The notification shall not take place if the relevant legislation prohibits notification on the grounds of compelling reasons in the public interest.
- Full Funnel will inform Controller of all requests regarding access to Personal Data received directly from a Data Subject.
- For its services Full Funnel makes use of the services of third parties who can therefore be regarded as sub-processors. In selecting these parties, Full Funnel applies the highest standards with regard to the processing of Personal Data. The standards applied by Full Funnel include the provision of adequate guarantees regarding the application of appropriate technical and organisational measures by the sub-processor so that the processing complies with the legal obligations and the protection of the rights of the Data Subjects is guaranteed. Upon request, Full Funnel shall provide the data of the sub-processors. Controller gives general consent to the use of sub-processors. The sub-processors are listed in Appendix 3.
- Controller hereby agrees and gives its consent in a general sense, as referred to in paragraph 2 of Article 28 of the AVG, to future increases or changes in the Full Funnel workforce and to the performance of Processing by other or new Full Funnel employees.
4. Duty to notify data breach
- Full Funnel shall notify Controller, after Full Funnel becomes aware of it, of any breach of security (of any nature whatsoever) that (partly) relates to or may relate to the processing of Personal Data. Full Funnel will inform Controller, if possible, of (i) the nature of the breach; (ii) the Personal Data (possibly) affected; (iii) the established and expected consequences of the breach for the processing of Personal Data and the persons involved; and (iv) the measures Full Funnel has taken and will take to limit the negative consequences of the breach.
- In order to promote the service provision by Full Funnel and the security of Personal Data, Controller is obliged to inform Full Funnel as soon as possible, but within 24 hours, of any leak of Personal Data of which it has become aware. Controller is liable and indemnifies Full Funnel for all damages that arise or have arisen from Controller’s negligence regarding this obligation.
- The responsibility for reporting a data breach to the authorities and/or to Data Subjects will at all times rest with the Controller.
5. Security measures and inspection
- In order to ensure that the Personal Data are protected as much as possible, Full Funnel takes measures to secure Personal Data against loss or any form of unlawful processing. If additional measures are desired by Controller, it can be discussed with Full Funnel whether the desired measures are possible and/or effective and at what cost the additional measures can be offered. If one of the security measures of Full Funnel is changed, this will become part of the policy of Full Funnel for the protection of personal data processed on behalf of Controller, which can be provided to Controller on request. In this respect, Full Funnel will at least take the following technical and organisational measures, as set out in Appendix 4.
- Full Funnel has confidence in the security measures taken and offers Controller the opportunity to inspect the compliance of the security measures by Full Funnel or to have them inspected by a neutral and expert investigative body. Of course, the investigation is subject to the condition that confidentiality of Personal Data and of the findings of the investigation is guaranteed towards third parties. Full Funnel can obviously not have inspections carried out at sub-processors.
- Because the inspections referred to in Article 5.2 are burdensome for Full Funnel’s business operations, the parties agree that these inspections will only take place after Controller has requested and assessed the similar inspection reports present at Full Funnel and provides sufficiently weighty, reasonable arguments that justify an inspection initiated by Controller. An inspection is justified if the similar inspection reports present at Full Funnel do not or insufficiently provide conclusive information on Full Funnel’s compliance with this Agreement. The inspection initiated by the Controller shall take place two weeks after prior announcement by the Controller and no more than once a year.
- All costs, fees and expenses in connection with the inspection, including personnel costs and other internal costs, such as loss of earnings, incurred by Full Funnel in supporting the inspection shall be borne by Controller.
- Controller will provide Full Funnel with a copy of the inspection report immediately upon receipt.
6. Security measures and inspection
- The Controller agrees and warrants that the provision of the Personal Data pursuant to this Agreement will comply with the AVG, the AVG Implementation Act and other relevant laws and regulations. Controller is responsible for the supervision thereof, by means of the measures it is entitled to.
7. Security measures and inspection
- All processing takes place under the responsibility of the Controller. Full Funnel is not liable for damages, unless the damage is due to intent or deliberate recklessness on the part of Full Funnel. In the event that Full Funnel is liable to Processor or Data Subject, this liability is limited to the amount paid by the insurer of Full Funnel. If the insurer of Full Funnel does not pay out, the liability of Full Funnel is limited to an amount equal to 15% of the invoice amount for the past six months. Liability of Full Funnel for consequential damages, including but not limited to: loss of sales or profits and reputational damage, is excluded.
- Controller is obliged to inform Full Funnel as soon as possible, but within 72 hours after Controller has detected/discovered or reasonably could have detected/discovered any alleged claim against Full Funnel. After the information has been provided, Full Funnel shall, if it considers itself to be liable for this, mitigate and remedy the damage free of charge in a reasonable manner. Only when this remedy fails to effectively remedy the damage is Controller entitled to compensation for the damage it has suffered. When Controller has informed Full Funnel too late about the damage/liability, the right to any remedy lapses. The burden of proof that the damage is attributable to Full Funnel lies with the Controller.
8. Security measures and inspection
- The Agreement is entered into for an indefinite period of time and ends when the Main Agreement ends.
- Unless the parties agree otherwise in writing, in the event of termination of the Agreement Full Funnel shall – insofar as possible – return to Controller all Personal Data made available to it within a period of 4 weeks and destroy all digital copies of Personal Data. If, in the opinion of Full Funnel, a legal obligation prohibits or restricts the return or destruction of all or part of the Personal Data by Full Funnel, it shall inform Controller in writing of the applicable laws and regulations.
9. Security measures and inspection
- Due to the confidential nature of the service, the parties shall not assign the rights and obligations under this agreement to third parties without the written consent of the other party.
- If one or more provisions of this Agreement are found to be invalid, the Agreement shall remain in force for the rest. The parties shall consult on the provisions found to be invalid with a view to adopting a replacement regulation which shall be legally valid and, as far as possible, consistent with the purpose of the regulation to be replaced.
- In the event that the European Commission and/or the Personal Data Authority, or their legal successors, decide to adopt standard contractual stipulations as referred to in Article 28 (7) and (8) of the AVG, these standard contractual stipulations will apply between the parties from the moment that they take effect. If the provisions deviate from the relevant provisions of the Agreement, they will replace them.
10. Applicable law and disputes
- Dutch law applies to this Agreement.
- All disputes arising from or related to this Agreement shall be submitted exclusively to the competent court of the district in which Full Funnel has its registered office.
Appendix 1: Specification of Personal Data and Data Subjects
Full Funnel will, under the Agreement, process the following personal data on behalf of Controller:
- Name and address information;
- Phone number;
- Email address;
- Job title;
- Customer number;
- Order history;
- Date of birth;
- Contact moments;
- Marital status;
- Internet protocol address (IP address);
- Identification Cookie;
- Ad ID of phone;
- Other relevant data shared by the data subject.
Of the following categories of Data Subjects:
- Employees of Controller;
- Principals of Controller;
- Employees of processor;
- Sub-processors of processor;
- Other Data Subjects connected to Controller.
Controller warrants that a valid ground within the meaning of Article 6 AVG is present for the processing of the personal data described in this Annex and indemnifies Full Funnel against any liability in this regard. In addition, the Controller warrants that the personal data and categories of data subjects described in this Annex are complete and accurate, and indemnifies Full Funnel against any claims resulting from deficiencies and incorrect representation by Controller.
Appendix 2: Retention period of Personal Data
Full Funnel will retain the Personal Data in accordance with the overview below.
| Category of Data Subjects | Data | Purpose | Retention period |
|---|---|---|---|
Appendix 3: Sub-processors
- Google LLC;
- Microsoft Corporation;
- Zapier Inc.;
- Made I.T.;
- ClickUp, Inc.;
- Stripe Payments Europe, Ltd.;
- PandaDoc, Inc.;
- Skype Communications S.a.r.l.;
- Zoom Video Communications Inc.;
- DigitalOcean, Inc.;
- Twilio Sendgrid;
- Help Scout;
- HubSpot, Inc.;
- CHARGEBEE INC.;
- Laurium Design Ltd (Client Portal);
- Loom, Inc.;
- Grammarly, Inc.;
- Hootsuite Inc.
Appendix 4: Security measures
- Up-to-date antivirus software on all our computers;
- All our accounts are secured with 2FA (two factor authentication);
- Physical entrances to our office are always locked when we are not present;
- All our passwords are reset regularly;
- Twice a year we perform our own security audit;
- We ensure that our employees have access to sensitive data only as necessary to complete the agreement.