Auftragsverarbeitungsvertrag

Momoyoga attaches great importance to the correct handling and protection of personal data.

Momoyoga develops software for organizing a yoga studio. Momoyoga processes data for the proper functioning of the software. Momoyoga is therefore a data Processor. The yoga studio that makes use of the software processes data from its members, and is therefore a data Controller.

1. In this agreement, Momoyoga is also referred to as "we", "our", or "Processor".
2. In this agreement, the studio is also referred to as "you", "your", or "Controller".

The legal relationship between you and Momoyoga is subject to Dutch law, our General Terms and Conditions, and our Privacy Statement. In addition, the European Union General Data Protection Regulation ("GDPR") applies to the processing of your Personal Data.

By agreeing to this Processor Agreement, you agree to the following:

Taking into account that:

• The Controller wishes to make use of the services of the Processor, namely to make available, (further) develop, manage and maintain the software, and that parties have concluded an agreement to this end (the "Agreement");
• Parties have furthermore concluded this agreement to comply with the obligations arising from the GDPR ("Processor Agreement");
• The Processor will process personal data for the benefit of the Controller "Personal Data");
• The parties wish to establish a number of conditions that apply to their relationship in connection with the aforementioned activities on behalf of and for the benefit of the Controller;
• The definitions of the terms processor, controller, personal data, data subject, and processing used in this Processor Agreement are in accordance with the definitions as used in Article 4 of the GDPR;
• The parties are aware that this Processor Agreement is valid from the day of signing and parties intend to comply with all applicable legislation.

Subject

1. As Controller, you are responsible for the processing of Personal Data in the context of the execution of the Agreement. Momoyoga has no control over the Personal Data.
2. The Processor processes Personal Data only on behalf of the Controller in the context of the execution of the Agreement, in accordance with the purposes and means determined by the yoga studio.
3. The Controller guarantees that his instructions will result in data processing by the Processor that comply with all applicable regulations, and will not infringe any third party rights.

Technical and organizational facilities

1. The Controller will make Personal Data available for processing to the Processor via input into the Processor software only if the Controller has ensured that all required security measures have been taken to provide an adequate level of protection in accordance with the provisions of Article 32 of the GDPR regarding the current state of technology, cost of implementation, risks involved in the processing, and the nature of the data to be protected.
2. The Controller is entitled to check measures taken by the Processor and the level of compliance with Processor obligations.
3. In the event that the Processor is aware of a security breach as described in Article 4 Paragraph 12 of the GDPR ("Data Breach"), the Processor will inform the Controller as soon as possible, within 24 hours after the Data Breach was discovered.
4. The Controller is responsible for reporting a Data Breach to the relevant national data protection authority.
5. If, despite measures taken by the Processor in collaboration with the Controller, a Data Breach occurs, the Processor cannot be held liable for any damages suffered by the Controller as a result of the Data Breach.

Engaging third parties

1. The Processor will not outsource any obligations arising from the Agreement to third parties, unless the Controller gives prior written permission.
2. The Processor will oblige any sub-processor to comply with the provisions of the Processor Agreement. The Processor remains accountable at all times for the acts or omissions of the sub-processor.

Transfer to third parties

1. The Processor is not permitted to pass on Personal Data to and/or store it in countries outside the European Union, unless the Processor has explicit written permission from the Controller, and it is permitted on the basis of applicable (European) privacy legislation, for instance if the receiving country offers an adequate level of privacy protection, or an unmodified model contract approved by the European Commission is used, with due observance of the other provisions of the Processor Agreement.

Assistance

1. The Processor is never liable for consequential damage, including financial loss, loss of profit, and immaterial damage. In particular, the Processor is not liable for damage in connection with and/or as a result of:
   • Termination or modification of the service provided;
   • Communication defects related to hardware, software, network or other computer problems;
   • The use of data or data files prescribed by the Controller;
   • Loss, corruption, or destruction of data or data files;
   • Inaccessibility of the service of the Processor.
2. Insofar as the performance of the Processor Agreement is not permanently impossible, the Processor is liable for shortcomings in the fulfillment of the Processor Agreement only if the Controller declares the Processor in default in written, and a reasonable period is given for fixing the shortcomings, and after that period the shortcomings remain. The notice of default must contain a complete and detailed description of the shortcoming, so that the Processor is able to respond adequately.
3. The primary condition for any claim is a written notice of the shortcomings from the Controller to the Processor as soon as possible after the occurrence of the shortcomings. Any claim will lapse permanently 6 months after the shortcoming arises.

Confidentiality

1. The Processor, as well as all employees who have access to Personal Data, will keep all data with which they come into contact secret, unless they are required by law to divulge information.
2. The Processor will ask all employees involved in the execution of the Agreement to sign a confidentiality statement for this purpose. The Processor will take any measure necessary to guarantee that confidentiality is upheld.

Return and deletion

1. After termination of the Agreement, depending on the choice of Controller, the Processor will delete all Personal Data or deliver all Personal Data back to the Controller and will delete existing copies, unless the continued storage of the Personal Data is required under law.

Liability

1. The Processor is never liable for consequential damage, including financial loss, loss of profit, and immaterial damage. In particular, the Processor is not liable for damage in connection with and/or as a result of:
   • Termination or modification of the service provided;
   • Communication defects related to hardware, software, network or other computer problems;
   • The use of data or data files prescribed by the Controller;
   • Loss, corruption, or destruction of data or data files;
   • Inaccessibility of the service of the Processor.
2. Insofar as the performance of the Processor Agreement is not permanently impossible, the Processor is liable for shortcomings in the fulfillment of the Processor Agreement only if the Controller declares the Processor in default in written, and a reasonable period is given for fixing the shortcomings, and after that period the shortcomings remain. The notice of default must contain a complete and detailed description of the shortcoming, so that the Processor is able to respond adequately.
3. The primary condition for any claim is a written notice of the shortcomings from the Controller to the Processor as soon as possible after the occurrence of the shortcomings. Any claim will lapse permanently 6 months after the shortcoming arises.

Compliance and supervision

1. The Controller is entitled, at his own expense, to check the level of compliance with Processor obligations by the Processor, on the condition that the Controller notifies the Processor of this five working days in advance, and on the condition that the Controller responsible for the inspection follows reasonable instructions from the Processor, and the inspector does not unreasonably disrupt the operations of the Processor.

Other provisions

1. In the event of a conflict between (one or more provisions of) the Processor Agreement with (one or more provisions from) other agreements between the Controller and the Processor, the Processor Agreement shall prevail.
2. The Processor Agreement has a term equal to the Agreement and cannot be terminated prematurely, and ends automatically when the Agreement ends. Provisions of the Processor Agreement which by their nature, for instance in the context of winding down the Processor Agreement, are intended to remain applicable after the end of the Processor Agreement, remain in full force after termination of the Processor Agreement.
3. Modification of the Processor Agreement is only possible by written agreement by both parties.
4. In the event any provision of the Processor Agreement is declared void, or a change in (a provision of) the Processor Agreement is necessary due to changed circumstances for compliance with privacy legislation, the other provisions will remain in full force. Parties will then determine a new provision to replace the void/voided provision, or amend the Processor Agreement in order to bring it in line with privacy legislation, in which case the purport of the void/voided provision must be maintained as much as possible.
5. Dutch law applies to the Processor Agreement.
6. Disputes between the Controller and the Processor will only be submitted to the competent court in the court district Zeeland-West-Brabant.