Data Processing Agreement

Send AI B.V.
INTRODUCTION
This Data Processing Agreement ("DPA") applies to all processing of personal data by Send AI B.V. ("Provider" or "Processor") on behalf of users of Provider's services ("Customer" or "Controller").

By using the services provided by Send AI B.V., having its registered office and place of business in (1013 NJ) Amsterdam at the address Barentszplein 6G, Customer agrees to be bound by the terms of this DPA.

WHEREAS:

A This DPA applies to and forms part of all agreements between Provider and Customer relating to the provision of services by Provider;
B Customer has engaged Provider to provide certain services as described in the agreement between the parties;
C In providing such services, Provider will process personal data on behalf of Customer;
D Customer determines the purposes and means for which the personal data will be processed;
E Provider is willing to process such personal data and to comply with obligations regarding security and other aspects of the General Data Protection Regulation ("GDPR");
F Provider will not process the personal data for its own purposes;
G Customer qualifies as a controller within the meaning of Article 4(7) GDPR;
H Provider qualifies as a processor within the meaning of Article 4(8) GDPR;
I Where this DPA refers to Personal Data, this means personal data within the meaning of Article 4(1) GDPR;
J The Parties, taking into account the requirement of Article 28(3) GDPR, wish to establish their rights and obligations in writing through this DPA.

THEREFORE, THE PARTIES AGREE AS FOLLOWS:

1. PURPOSE OF PROCESSING
1.1 Scope of Processing. Provider undertakes to process Personal Data on behalf of Customer under the terms of this DPA. Processing shall take place exclusively within the framework of performing the MSA and this DPA pursuant to Article 28(3) GDPR.
1.2 Limitation of Purpose. Provider is prohibited from processing the Personal Data for any purpose other than that determined by Customer. The purpose of the processing is to provide the services requested by Customer as described and established in the MSA. This includes, among other activities, storing personal data through hosting and cloud storage and securing such data, making available a VPS, setting up and maintaining a network, and other related activities.
1.3 Categories of Data Subjects. The categories of data subjects whose Personal Data are collected include personal data of Customer's (future and/or potential) employees and (potential) clients, website or web application visitors, suppliers, account holders, and/or other persons or relations of Customer with whom Provider comes into contact when processing Personal Data on behalf of Customer.
1.4 Categories of Personal Data. The categories of personal data that may be processed are: contact and address details, financial data, personnel files and/or numbers, client or identification number(s), date of birth, IP address and other location data, content of emails, chat messages, contact forms, and other (personal) data that is stored or processed via Provider's services.
1.5 Processing Limitations. Provider shall not process the personal data for any purpose other than as determined by Customer. Customer shall inform Provider of the processing purposes insofar as these are not already mentioned in this DPA.
1.6 Processing Control. Provider has no control over the means for processing and storage of the personal data. Customer is responsible for determining the purpose of the processing and must clearly establish this purpose.
1.7 Processing Method. The processing will take place both manually and (semi)automatically.
1.8 Ownership of Data. The personal data to be processed on behalf of Customer remains the property of Customer and/or the data subjects concerned.

2. TERM AND TERMINATION
2.1 Term. This DPA is effective from the moment Customer starts using Provider's services and remains in effect for the duration of the service relationship.
2.2 No Early Termination. This DPA cannot be terminated separately from the service relationship.
2.3 Amendments. Provider reserves the right to amend this DPA due to changes in legislation or other relevant circumstances. Customer will be notified of any material changes, and continued use of the services constitutes acceptance of such changes.
2.4 Automatic Termination. This DPA shall automatically terminate when the service relationship terminates.
2.5 Return or Deletion of Data. Once the DPA has been terminated, for whatever reason and in whatever manner, Provider shall – at Customer's choice – either return all Personal Data in its possession in original or copy form to Customer and/or delete or destroy such original Personal Data and any copies within a period of maximum 28 days. Any costs associated with this shall be borne by Customer.
2.6 Survival. The provisions regarding confidentiality, liability, and dispute resolution shall remain in full force after termination of this DPA.

3. OBLIGATIONS OF PROCESSOR
3.1 Compliance with Legislation. Provider is obligated to comply with applicable laws and regulations, in particular the GDPR and the GDPR Implementation Act, governing the processing of Personal Data.
3.2 Database Restrictions. Provider is prohibited from enriching its own database(s) and/or files with any (personal) data from Customer's database(s), except where Provider needs to create temporary database(s) and/or files for the proper processing of Personal Data. The temporary files shall be deleted as soon as they are no longer needed for processing.
3.3 Information Provision. Provider shall inform Customer at Customer's first request about measures taken regarding its obligations under this DPA.
3.4 Processing Instructions. If Customer provides instructions regarding the processing of Personal Data to Provider, Provider must follow these instructions if necessary for proper processing, unless these instructions conflict with laws and regulations and any applicable professional codes of conduct. Only Customer is authorized to give its exclusive judgment on this matter.
3.5 Extension of Obligations. All obligations that rest on Provider also apply to the persons who process Personal Data under Provider's authority (with Customer's express consent), including employees and engaged third parties of Provider.
3.6 Access Limitations. Provider is responsible for ensuring that only employees and/or third parties have access to Personal Data for whom such access is necessary for the performance of the agreement. These employees and/or third parties work under Provider's responsibility.
3.7 Customer Access. Customer has no access to the Personal Data held by Provider. Provider is obligated to cooperate with Customer's requests regarding inspection and audits.
3.8 Non-transferability. This agreement is not transferable, unless expressly agreed otherwise.

4. INTERNATIONAL DATA TRANSFERS
4.1 Transfer Restrictions. Provider will not transfer any Personal Data processed on behalf of Customer to countries or international organizations outside the European Economic Area (EEA) without appropriate safeguards as required by Articles 44 through 50 of the GDPR. Provider will maintain an up-to-date list on its website of the locations where Customer data is processed.
4.2 Notification of Intended Transfers. If Provider intends to process Personal Data in a new country or through a new international organization outside the EEA, Provider will update its website with this information and notify Customers. The transfer will include appropriate safeguards in accordance with GDPR requirements.

5. PROCESSOR RESPONSIBILITIES

5.1 Scope of Services. Provider shall perform the activities for Customer as specified in Article 1.2 of this agreement as well as other activities as set out in the MSA.
5.2 Processing Responsibility. Provider is responsible for the processing of the Personal Data under this DPA, in accordance with Customer's instructions. For other processing of Personal Data, including but not limited to the collection of Personal Data by Customer, processing for purposes not communicated by Customer to Provider, processing by third parties and/or for other purposes, Provider is equally responsible.

6. SUB-PROCESSORS

6.1 Engagement Restrictions. Provider may engage sub-processors to perform specific processing activities. Provider will maintain a list of current sub-processors on its website (https://trust.send.ai/subprocessors) and will notify Customers of any intended changes concerning the addition or replacement of sub-processors. If Customer objects to a new sub-processor, Customer should notify Provider in writing within 10 business days after being notified of the change. If no objection is received, consent is deemed given. Provider remains responsible and liable for the actions of its sub-processors.

7. SECURITY MEASURES

7.1 Security Obligation. Provider shall endeavor to take sufficient and appropriate organizational and technical measures against any form of unlawful processing with respect to the processing of Personal Data to be carried out by it. The measures taken by Provider are:
(a) Data Encryption. All personal data is encrypted both during storage (at rest) and during transfer (in transit) using modern encryption protocols such as AES-256 and TLS.
(b) Access Controls. Access to personal data is limited to authorized employees through a strict access control system, using multi-factor authentication (MFA) and strict role-based access control (RBAC).
(c) Secure Backups. Regular automated backups of data are made, which are stored encrypted at a physically separate location. These backups are only accessible to authorized persons.
(d) Logging and Monitoring. An extensive system for logging and monitoring has been set up to detect and address suspicious activities or irregularities in data processing immediately. Irregularities are automatically reported to our security team for further analysis.
(e) Training and Awareness. All employees of the processor are regularly trained in the importance of data protection and privacy regulations. This also includes awareness of phishing, social engineering, and the safe handling of personal data.
7.2 Security Level. The security level of the measures must at least meet a level that is not unreasonable in terms of the associated costs, sensitivity of the relevant Personal Data, and the state of technology and risks. Provider does not guarantee that the security measures taken will be effective under all circumstances. In consultation, parties may take other additional or further security measures.
7.3 Security Updates. Provider has its own responsibility to inform itself and/or its employees and engaged third parties of all protocols, (security) policies, and other instructions that enable and promote safe processing.
7.4 Responsibility. Provider is responsible and liable for its part of the processing.
7.5 Data Breach Notification. In the event of a breach in the security of Personal Data that could cause damage or have adverse consequences for the protection of Personal Data, Provider must inform Customer immediately, but no later than within 12 hours after Provider could reasonably have been aware of this. Customer will then inform the Data Protection Authority within 12 hours and any data subjects as soon as possible about the breach. Provider's notification obligation only applies if a data breach has occurred.
7.6 Minimum Information. Pursuant to Provider's notification obligation, the notification of a breach must include at least the following components:
(a) the nature of the breach in relation to personal data, where possible stating the categories of data subjects and personal data in question and, approximately, the number of data subjects and personal data registers concerned;
(b) the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) the likely consequences of the breach in relation to personal data, as well as the possible cause of the data breach;
(d) the measures that Provider has proposed or taken to address the breach in relation to personal data, including, where appropriate, measures to limit its possible adverse effects.
7.7 Register of Breaches. Customer shall maintain a register of all breaches (including incidents) in accordance with Article 33(5) GDPR.
7.8 Prevention Measures. If a breach of Personal Data security has occurred at Provider, Provider is obligated to take appropriate measures at its own expense to prevent future incidents and/or breaches.

8. CONFIDENTIALITY
8.1 Confidentiality Obligation. Provider and its employees as well as third parties engaged by Provider are obliged to maintain confidentiality of all personal data, sensitive information, and/or business data obtained through this agreement. The confidentiality obligation does not apply if Customer has given express written permission to Provider to share this data and information with third parties, or if there is a legal obligation to provide the data and information to a third party. After the termination of this agreement, parties remain obliged to comply with this confidentiality obligation. If a party is required by law to provide information to a third party, the disclosing party is obliged to inform the other party of this without delay, but no later than within 24 hours, in writing.
8.2 Referral to Customer. If and insofar as possible, Provider can refer the relevant (government) agency that requests information directly to Customer. Provider can provide Customer's contact information to this (government) agency.

9. RIGHT OF DATA SUBJECTS
9.1 Request Handling. In the event that Provider receives a request for access from a data subject or an authorized authority, Provider shall handle this request as soon as possible, but no later than within 5 working days. If it is not possible to handle the request itself, the request shall be forwarded to Customer within 5 working days. Provider must, if requested, cooperate in the execution of the request. The (reasonable) costs that Provider must incur for the cooperation shall be borne by Customer.
9.2 Other Rights of Data Subjects. The provisions of Article 9.1 apply mutatis mutandis if a data subject wishes to exercise other rights such as his/her right to rectification, erasure, restriction of processing, data portability, objection, and rights in the case of automated individual decision-making, as laid down in Sections 3 and 4 of the General Data Protection Regulation.

10. LIABILITY
10.1 Processing Responsibility. Provider is responsible for the processing of Personal Data and guarantees that the processing is lawful and does not infringe the rights of data subjects. Provider is only liable for damage resulting from its acts and/or omissions, or non-compliance with legal regulations, but only with respect to Customer's direct damage.
10.2 Liability Limitation. Provider is only liable up to a maximum of one time the value of the assignment. All consequential and/or indirect damage is expressly excluded from Provider's liability.
10.3 Processor-Specific Liability. Notwithstanding the provisions of this article, Provider is liable for the damage caused by processing when it has not complied with specific obligations of the GDPR directed to the Processor or when it has acted contrary to the lawful instructions of Customer.
10.4 Liability Exclusion. Provider is not liable for the damage if it can prove that it is not in any way responsible for the event giving rise to the damage.
10.5 Total Liability Cap. The total liability of Provider under this agreement towards Customer and third parties collectively is limited to the total amount paid by Customer to Provider under the MSA in the twelve (12) months preceding the incident giving rise to the liability. In no event shall Provider's aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, exceed this amount.
10.6 Notice of Default Procedure. Unless performance by Provider is permanently impossible, Provider is only liable for an attributable failure in the performance of the (data processor) agreement if Customer has given Provider immediate written notice of default, but no later than within 48 hours, allowing Provider to remedy the defect within a reasonable period, and Provider continues to attributably fail in the performance of its obligations after that reasonable period. The notice of default must be as complete and detailed as possible, so that Provider has the opportunity to respond adequately.
10.7 Claim Expiration. Customer is obliged to report any claim for damages against Provider in a specified and explicit manner, on penalty of expiration of the claim after the lapse of six (6) months after the claim arose.

11. INDEMNIFICATION
11.1 Customer Indemnification. Customer indemnifies Provider against claims, fines, and/or penalties from or on behalf of the Data Protection Authority and/or other authorities, where it has been established that the violations fall under the responsibility of Customer.
11.2 Recovery Rights. Provider can recover imposed fines and/or penalties from Customer if it can be held responsible for the violations.

12. MISCELLANEOUS
12.1 Partial Invalidity. If any provision of this agreement proves to be invalid or is annulled, the remaining provisions shall remain fully in force. Parties shall then enter into consultation in order to agree on a new provision concerning the invalid or annulled provision, whereby the purpose and meaning of the invalid or annulled provision shall be taken into account as much as possible.
12.2 Cooperation for Amendments. Parties grant each other full cooperation to adapt this agreement and make it suitable for any new or amended privacy legislation.

13. GOVERNING LAW AND DISPUTE RESOLUTION
13.1 Governing Law. This agreement is governed by Dutch law.
13.2 Jurisdiction. All disputes arising between parties that arise from or relate to this data processor agreement shall be settled by the competent court of Amsterdam.

14. ACCEPTANCE

By using the services of Send AI B.V., Customer accepts and agrees to the terms of this DPA. No signatures are required for this DPA to be effective and binding on both Provider and Customer.

EFFECTIVE DATE: This DPA is effective from the date Customer begins using Provider's services.

DISCLAIMER: This document constitutes a legal agreement between Send AI B.V. and users of its services. If you have questions about this DPA or require modifications to these standard terms, please contact us at support@send.ai.
Last updated May 16, 2025