This Data Processing Agreement (‘DPA’) is incorporated into and is subject to the terms and conditions of the agreement(s) (‘Agreement’), concluded with regard to the use of the software-as-a-service, the TimeMoto Cloud, (‘SaaS’) services including the TimeMoto general terms and conditions, between TimeMoto B.V., having its registered and business office at Heliumstraat 14, 2718 SL Zoetermeer, the Netherlands, hereinafter (‘Processor’), and the customer entity that is a party to the Agreement hereinafter (‘Controller’); each hereinafter (‘Party’), together (‘the Parties’).

WHEREAS:

A.   Controller has the right to use the SaaS for the duration of the Agreement, whereby Processor processes Personal Data on behalf of and on account of Controller;

B.   Controller and Processor have confirmed their arrangements regarding the processing of Personal Data by Processor, as instructed by Controller, into this DPA.

THEREFORE, THE PARTIES AGREE AS FOLLOWS:

Article 1       Definitions

1.1   ‘Personal Data’ refers to any information directly or indirectly relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

1.2   ‘Data Subject’ refers to any natural person(s) whose Personal Data is processed.

1.3   ‘Controller’ refers to the natural or legal entity that determines the purpose and means for the processing of Personal Data. In the context of this DPA, this is the customer entity that is a party to the Agreement.

1.4   ‘Processor’ refers to the natural or legal entity processing data on behalf of the Controller. In the context of this DPA, this is TimeMoto B.V.

1.5     ‘Sub-processor’ means any third party engaged by Processor to assist in fulfilling Processor’s obligations pursuant to the Agreement or this DPA. Sub-processors shall exclude Processor’s employees, contractors, or consultants.

1.6   ‘Special Categories of Personal Data’ refers to Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a Data Subject’s sex life or sexual orientation.

1.7   ‘Security Incident’ means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorised disclosure of or access to, Controller Personal Data.

1.8     ‘Data Protection Legislation’ refers to the applicable laws that govern the protection of Personal Data and data privacy. This primarily includes the legislation applicable to the processing of Personal Data in the EU and the United Kingdom, such as the General Data Protection Regulation, the ePrivacy Directive, the Data Protection Act 2018, the UK General Data Protection Regulation, the Privacy and Electronic Communications Regulation 2003, as well any national laws implemented in connection with the aforementioned legislation.

Article 2       Subject of the DPA

2.1   This DPA applies to the SaaS services and activities carried out by Processor on behalf of Controller under the Agreement, which includes the specific SaaS licence details, general terms and conditions and terms of use.

2.2   This DPA replaces all prior understandings between the Parties about the processing of Personal Data. Where any provision of this DPA contradicts or amends earlier agreements on the processing of Personal Data, the provisions of this DPA prevail unless otherwise expressly provided for in this DPA.

2.3   Following this DPA, Processor processes Personal Data on behalf of Controller and under Controller’s responsibility. 

2.4   All appendices are attached to this DPA and form an integral part thereof.

2.5   All capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement.

Article 3       Obligations of the Parties

3.1   Processor processes Personal Data exclusively for the purposes described in the Agreement and as detailed in Appendix A.

3.2   Processor will process Personal Data only in accordance with and under the strict instructions of Controller. Processor has no independent control of Personal Data that it processes. Processor may not process Personal Data for its own benefit, the benefit of third parties or other purposes, except with Controller’s prior written permission or where required by law. For the avoidance of doubt, this DPA shall not apply to instances where TimeMoto B.V. is independently the data controller.

3.3   Controller may give such instructions provided in this DPA and the Agreement as well as further instructions. Any instruction will be provided in writing, unless the urgency or other specific circumstances require another (e.g., oral, electronic) form. Specifications and/or further instructions issued in another form than writing, shall be confirmed by Controller in writing without delay.  

3.4    Controller shall not provide (or cause to be provided) any Special Categories of Personal Data to Processor for processing under the DPA. Processor shall have no liability whatsoever for such Personal Data, whether in connection with a Security Incident or otherwise.

3.5    Controller is responsible for assessing whether the data processing is legitimate and based on valid legal grounds, and for securing the rights of the data subjects.

Article 4       Confidentiality

4.1   Processor shall keep Personal Data confidential and shall not disclose Personal Data in any way to its employees and/or third parties, except where, (i) it is necessary that employees and/or third parties need to have knowledge of Personal Data for the purpose of execution of the Agreement, or (ii) it is required by law.

4.2   Processor shall provide its employees and/or third parties access to Personal Data only to the extent necessary to perform the processing necessary for the execution of the Agreement. Processor ensures that any persons authorised to process Personal Data are under an appropriate statutory or contractual obligation of confidentiality.

Article 5       Sub-processors

5.1   Controller gives general authorisation to Processor for the addition or replacement of existing Sub-processors under the conditions set out in this DPA. Processor informs Controller of any intended changes concerning the addition or replacement of Sub-processors that will process Personal Data subject to this Agreement. Controller may object to such changes, but the objection may not be unreasonable.

5.2    Processor shall choose any Sub-processor diligently with special attention to its good standing and experience with the provision of the subcontracted services and the suitability of its technical and organisational measures. Processor remains responsible for any acts or omissions of its Sub-processors in the same manner as for its own acts and omissions hereunder. Processor shall enter into a written data processing agreement with all permitted Sub-processors. Processor shall ensure that all Sub-processors are contractually bound to the same or higher obligations with respect to the processing as to which Processor is bound under this DPA.

5.3   When a new Sub-processor is engaged during the term of this DPA, Processor shall, within a reasonable timeframe before the new Sub-processor processes any Personal Data of Controller, inform Controller of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by contacting the Controller’s account owner(s), as listed in the account set up by Controller when registering the TimeMoto product.

5.4    Controller may object in writing to Processor’s appointment of a new Sub-processor within five (5) calendar days of receiving notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Processor will, at its sole discretion, either not appoint such Sub-processor, or permit Controller to suspend or terminate the affected service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Controller prior to suspension or termination)

5.5    The Sub-processors engaged by Processor are detailed in Appendix B of this DPA.

Article 6       Security Incident

6.1   Processor has implemented technical and organisational security measures as detailed in Appendix C, including procedures directed at reasonably detecting and acting on Security Incidents, for ensuring an appropriate level of protection for the processing of Personal Data within the scope of the Agreement.

6.2   Upon receiving knowledge of a (potential) Security Incident of Controller’s Personal Data, Processor will notify Controller promptly and without undue delay through Controller’s account owner(s).

6.3.   The notification mentioned in paragraph 6.2 above shall contain, to the extent it is available, the following information: 

1.      The day and time that Processor received knowledge of the Security Incident;

2.      The nature of the Security Incident;

3.      The moment, or the most likely moment or period, the Security Incident has occurred and how long it lasted;

4.      The range of Personal Data of Controller (possibly) involved in the Security Incident;

5.      The possible consequences/risks of the Security Incident for the privacy of the Data Subjects, i.e., those involved;

6.      The contact point(s) from where more information about the Security Incident can be obtained;

7.      The recommended measures to reduce the negative consequences of the Security Incident;

8.      The measures that Processor has taken or proposes to take to remedy the Security Incident.

9.      All other information that is relevant to assess the Security Incident.

6.4   With respect to each Security Incident referred to in paragraph 6.2 above, Processor shall provide all assistance to Controller that can reasonably be expected of Processor, including the provision of adequate information and support regarding the provision of information referred to in paragraph 6.3 above, inquiries from authorities, limiting the impact of a Security Incident on the privacy of the Data Subject (s) and/or limiting Controller’s damage as a result of the Security Incident.      

6.5    Controller is solely responsible for complying with Security Incident or other incident notification laws applicable to Controller and fulfilling any third-party notification obligations related to any Security Incident.

Article 7       Exporting Personal Data

7.1   Processor or any Sub-processor engaged by Processor shall only transfer Personal Data to countries outside the European Economic Area (EEA) and United Kingdom, including for the provision of Personal Data, in accordance with the standards of data protection set forth by the Data Protection Legislation.

Article 8       Right to audit

8.1   Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Controller in order to assess compliance with this DPA.

8.2   Controller shall procure that its representatives conducting the audit use all reasonable efforts to minimise any disruption to Processor’s business in relation to Processor’s support of the audit.

8.3    Support with audits may be requested no more than once annually or as required by the Data Protection Legislation or by a competent supervisory authority.

8.4   Controller shall be responsible for any costs arising out of or in connection with the audit unless such audit identifies non-compliance by the Processor with its information security obligations under the Data Protection Legislation or under this DPA, in which case Processor may share in reasonable costs after consulting with Controller. Controller may create an audit report summarising the findings and observations, treating it as confidential information not to be disclosed to third parties except when strictly necessary, e.g., to Controller's legal counsel, consultants, data protection officer, employees, affiliates or as required by law or a competent supervisory authority, or with the Processor’s consent to the disclosure.

8.5   Processor is not required to disclose or give access to Controller or an appointed auditor:

1.      Any (personal) data that concerns a different Processor customer;

2.      Processor’s internal, business sensitive or financial information; or

3.      Any information that, in Processor's reasonable opinion, could compromise the security of Processor or Processor’s premises, or cause Processor to breach its legal or contractual obligations.

Article 9       Inspection or audits by public authorities

9.1   Processor shall submit its relevant processing systems, facilities and supporting documentation to an inspection or audit relating to the Processing by a competent public authority if this is necessary to comply with a legal obligation. In the event of any inspection or audit, each Party shall provide all reasonable assistance to the other Party in responding to that inspection or audit. If a competent public authority deems the Processing in relation to the DPA unlawful, the Parties shall take immediate action to ensure future compliance with the applicable data protection laws.

Article 10     Cooperation enquiries and Data Subject rights

10.1  Controller is primarily responsible for handling and responding to requests made by Data Subjects. Controller is obliged to determine whether or not a Data Subject has a right to exercise any such Data Subject rights as set out in the Data Protection Legislation and to give specifications to Processor to what extent the assistance specified in paragraph 10.3 of this Article is required.

10.2 As part of the service provided under the Agreement, Processor provides Controller with a number of self-service features, that Controller may use to retrieve, correct, delete, or restrict the use of end user Personal Data, which Controller may use to assist it in connection with its obligations with respect to responding to requests from Data Subject via the Controllers customer account at no additional cost. In addition, Processor shall take reasonable technical and organisational measures to assist Controller in the fulfilment of the obligation to respond to requests for exercising the Data Subject rights as described in the Data Protection Legislation insofar as this is possible. 

10.3 Processor will provide its prompt and full cooperation insofar as this is possible, ultimately within ten (10) working days, with enquiries of Controller related to the Processing under the DPA, including but not limited to any complaints, requests or enquiries received from Data Subjects. Processor shall not respond to Data Subjects directly except where specifically instructed by Controller.

10.4 In case Controller requires additional or amended technical and organisational measures in order to respond to Data Subject rights, which go beyond the assistance provided by Processor pursuant to paragraph 10.2 and 10.3 above, Processor will inform Controller on the costs to implement such additional or amended technical and organisational measures. Once Controller has confirmed to bear such costs, Processor will implement such additional or amended technical and organisational measures to assist Controller to respond to Data Subjects’ requests.

Article 11     Data protection impact assessments

11.1 Processor will assist Controller with its obligation to carry out a data protection impact assessment and prior consultation with supervisory authorities that relates to the services provided by Processor to Controller under this DPA by means of providing the necessary and available information to Controller. If Processor has to incur additional costs by doing so, the parties shall discuss the issues in good faith and reach an agreement about that.

Article 12     Government agencies’ requests

12.1  Processor will only act on a request from a government agency to provide (access to) Personal Data if required by law and the request meets legal requirements, including the principles of proportionality and subsidiarity.

12.2  Processor informs Controller of a government agency request to process Personal Data unless the government agency request expressly prohibits such notification. 

Article 13     Liability and indemnification  

13.1 Each Party is liable for its obligations set out in this DPA and in the Data Protection Legislation. Any liability arising out of or in connection with a violation of the obligations of this DPA or under the Data Protection Legislation, shall follow, and be governed by, the liability provisions set forth in, or otherwise applicable to, the Agreement, unless otherwise provided within this DPA. If the liability is governed by the liability provisions set forth in, or otherwise applicable to, the Agreement, for the purpose of calculating liability caps and/or determining the application of other limitations on liability, the liability occurring under this DPA shall be deemed to occur under the relevant Agreement.

13.2  Controller will defend, indemnify, and hold harmless Processor from all claims, damages, liabilities, assessments, losses, costs, administrative fines and other expenses (including, without limitation, reasonable attorneys' fees, and legal expenses) arising out of or resulting from any claim, allegation, demand, suit, action, order or any other proceeding by a third party (including supervisory authorities) that arises out of or relates to the violation of Controllers obligations under this DPA or the Data Protection Legislation.

Article 14     Return and destruction of Personal Data

14.1  Upon termination of the Agreement, Controller may download the Personal Data including any copies thereof at its choice. Controller may request Processor to securely destroy the Personal Data, except to the extent the Agreement or the Data Protection Legislation provide otherwise. In that case, Processor shall no longer process the Personal Data, except to the extent required by the Agreement or the Data Protection Legislation. Processor provides Controller with a number of self-service features, that Controller may use to extract their Personal Data independently.

14.2 In case Controller requires additional or amended technical and organisational measures in order to receive Personal Data, which go beyond the reasonable assistance provided by Processor pursuant to paragraph 14.1 above, Processor will inform Controller of the costs to implement such additional or amended technical and organisational measures. Once Controller has confirmed to bear such costs, Processor will implement such additional or amended technical and organisational measures to assist Controller to receive a copy of their Personal Data.

14.3  If Controller does not request, within thirty (30) days of the termination of the DPA, Processor to return or destroy the Personal Data, Processor may destroy the Personal Data. In such a case the Processor will destroy the Personal Data at the latest within ninety (90) days of termination of the DPA.

Article 15     Term and termination

15.1  This DPA enters into force as soon as Processor commences Personal Data processing on behalf of Controller following acceptance of the DPA.

15.2  This DPA is effective for as long as the Agreement continues. Upon termination of the Agreement, this DPA ends by operation of law.

15.3  Any obligations under this DPA that by their nature are intended to survive after termination of the Agreement will continue to apply after termination.

Article 16     Changes and Renegotiations

16.1  Processor may make changes to these terms from time to time. If any changes are made, Controller will be provided with a notice of such changes through Controller’s account owner(s) or offering an in-product notification or other practical communication channel. Unless Processor states otherwise in the notice, the amended terms will be effective as of the moment Controller’s Agreement renews. Renewal of the Agreement confirms Controller’s acceptance of the changes. If Controller does not agree to the amended terms, it must stop using Processor’s services by terminating the Agreement in accordance with the termination rights.

16.2  The Parties hereby agree in advance to changes in the DPA as a result of changes to the legal framework for protection of Personal Data that are strictly necessary for compliance with the relevant laws and regulations or the interpretation thereof or the policies of the authorities.

Article 17     Contact persons

17.1  For any questions or complaints regarding this DPA, the Processor’s customer services can be contacted via the contact details as follows:

Role: Customer Service

Contact Us Page: https://www.timemoto.com/contact-sales  

Article 18     Miscellaneous

18.1  This DPA is governed by Dutch law.

18.2  Disputes arising from this DPA are submitted by exclusion to the agency competent to hear and decide on disputes arising from the Agreement. Failing such agency, the competent court agreed upon in the Agreement will have exclusive jurisdiction.

18.3  Any standard terms and conditions of Controller are not applicable to this DPA and are explicitly dismissed by Processor. In case of any conflict between this DPA and the Agreement, the DPA prevails.

APPENDIX A – INFORMATION ABOUT THE PROCESSING

A.1. Processor have defined, designed, and developed a time tracking solution called TimeMoto using intelligent clocking systems. The solution facilitates easy and secure clocking of time with an accompanying TimeMoto Cloud that allows organisations to manage real-time data, including work schedules, overtime, and absences. The purpose(s) of the Processor’s processing of Personal Data on behalf of the Controller is:

-            End user account creation and set up.

-            Time registrations and scheduling.

-            Registering absence and overtime.

-            Generating reports.

A.2. The processing includes the following types of Personal Data:

·      Regarding TimeMoto Clocks

Fingerprint and facial ID, pin, badge ID.

TimeMoto B.V. does not process this data in the capacity as a Processor and is therefore outside the scope of this DPA. TimeMoto does not have access to this data.

·      Regarding TimeMoto Cloud

First and last name, time records  Email address, account password, Time Clock end user ID, time zone, language, employee number / second employee number, badge number (number of the badge the end user might use for identification at the Time Clock(s), end user status, activity dates, pay template (containing all information about the employee's pay and overtime rules), work schedule, hourly rate, holiday/vacation profile, other reasons of leave (e.g., sickness) without revealing specific sickness of health information, Flexibank indicating accumulated leaves, emergency team member (emergency team members have the authority to trigger fire roll calls to alert Controller’s staff on-site in case of an emergency), department, locations where employees can use time clocks to record their working time, end user privileges, clocking in/out location.

A.3. The processing includes the following categories of Data Subjects:

-            Controller’s employees’,

-            Consultants, interim professionals, interns, or any other person who may be granted access by the Controller.

APPENDIX b – SUB-PROCESSORS

Name:          Microsoft Azure

Role:            Sub-processor

Activities:     Hosting service for EU and United Kingdom customers is in the EU (the Netherlands).

Name:          Utilus

Role:            Sub-processor

Activities:     Product development and maintenance of the software and the infrastructure.

Name:          Sendgrid

Role:            Sub-processor

Activities:     Sending of transactional emails (access to email data) such as activation, password reset, reporting from notifications.

Name:          Hibernating Rhinos

Role:            Sub-processor

Activities:     Database services.

APPENDIX c – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Processor takes appropriate technical and organisational measures to protect Personal Data against loss or any form of unlawful processing. These measures, the implementation costs as well as the nature, the size, the context, and the processing objectives, offer an appropriate level of security. The measures are also aimed at preventing the unnecessary collection and further processing of Personal Data. The security measures include the following:  

A.   Confidentiality of Data: 

1.    Measures for physical access to the hardware 

The Processor applications are hosted in high security data centres located in the EU (the Netherlands). The data centres are equipped with strict physical access controls such as: 

-       Physical access to the data centres is only granted to appointed and registered customers’ and data centres’ personnel;

-       Visitors must be announced upfront to the data centre management for access clearance;

-       Visitors to the data centres must identify themselves with a legally valid ID document and a personal access badge issued in name;

-       A log is held of all visits;

-       The racks in which the servers are mounted, are locked. Key management is in place;

-       Intrusion prevention measures and connection to alarm centre.

2.    Measures for physical access to the office of Processor’s external IT partner 

-       Visitors must be announced upfront to the IT partner’s management;

-       Visitors to the premises of the IT partner must be accompanied by a member of IT partner’s personnel at all times;

-       No production data is held at the IT partner’s premises; 

-       Intrusion prevention measures and connection to alarm centre.

3.    Measures for access control at the server level 

-       Access to servers through VPN (Virtual Private Network) requires individual credentials, and the VPN is only accessible on client systems in a dedicated network for which a password-based network authentication is required. Only authorised personnel have the necessary credentials, and an authorisation matrix is in place;        

-       VPN management runs through separate network management system, which is only accessible to Authorised personnel. Authorisation matrix is in place;     

-       Access to the servers is logged and back-traceable.

4.    Measures for access control at the data level  

-       Access to data requires authorisation keys, which credentials are managed via an authorisation matrix;

-       Software version control and DTAP (Design, Test, Accept & Production) protocols are in place.

5.    Measures for copying methods and security 

-       All back-ups are encrypted and held in a separate location;

-       All passwords and credentials are securely encrypted and stored with a clear structure and hierarchy and only accessible to Authorised personnel;

-       All relevant personnel members have signed a non-disclosure agreement and have consented to the code of conduct concerning data security and integrity;

-       All servers have valid SSL certificates;

-       Secure VPN tunnels are hashed with encryption standards such as AES256 and/or 3DES and PFS (see A.3);

-       Firewalls are in place to protect the servers from external attacks;

-       Biometric data is always safely encrypted into hashed text strings, which are not back traceable to individual biometric data. No master biometric data is kept on any products of the TimeMoto suite;

-       Only certain roles have the rights within the system to delete profiles;

-       An activity log of who initiated the deletion of a profile; in situations where a backup is intentionally and possibly maliciously deleted, the system would allow for a log of who executed the deletion.

B.   Integrity of data: 

-        The interfaces between terminals and servers are secured with HTTPS connections;

-        Only that personal data is processed that require a proper execution of the agreement’s purpose (first and last names, email addresses and time registration data (presence, absence, project times, days off, holidays, absenteeism));

-        VPN tunnels in place to access servers (see A.3);

-        Back-traceable logs in place for terminal to server communication, server access, database access.

C.   Availability of data: 

-        Servers have an uptime of 99,95%;

-        Periodic test restores of backups are executed;

-        Redundant hardware and connections are in place;

-        Data centres are equipped with several UPS (Uninterruptible Power Supplies) and backing diesel generators to guarantee power redundancy.