CEEYU GENERAL TERMS AND CONDITIONS
THIS AGREEMENT IS A BINDING CONTRACT AND GOVERNS THE USE OF AND ACCESS TO THE SERVICES BY YOU, END-USERS AND/OR LEGAL CUSTOMER REPRESENTATIVES WHETHER IN CONNECTION WITH A PAID SUBSCRIPTION FOR OR FREE USE OF THE CEEYU SERVICES.
By accepting this Agreement, either by accessing or using a Service, authorizing or permitting any user to access or use a Service or by signing an Offer made by CEEYU or an authorised CEEYU Channel Partner, You agree to be bound by this Agreement as of the date of such access or use of the Service or signature of the Offer. If You are entering into this Agreement on behalf of a company, organization or another legal entity (“Customer”), You are agreeing to this Agreement for that Entity and representing to CEEYU that you have the authority to bind such entity and its affiliates to this Agreement, in which case the terms “Customer”, “Subscriber,” “You,” or “Your” herein refers to such entity and its affiliates. If You do not have such authority, or if You do not agree with this Agreement, You must not use or authorize any use of the Services.
Customer and CEEUY shall each be referred to as a “Party” and collectively referred to as the “Parties” for purposes of this Agreement. CEEYU is company incorporated and existing under the laws of Belgium with company number 0753.427.407 whose registered office is at Guldensporenlaan 24, 2820 Bonheiden, Belgium
The purpose of this Agreement is to establish the terms and conditions under which Customer obtains CEEYU Services and Professional Services as described in a Service Order, Statement of Work or other documents signed or agreed to by the Customer. In the event of any inconsistency or conflict between the terms of the General Terms and Conditions and the terms of any Service Order or Statement of Work, the terms of the Service Order or Statement of Work shall prevail.
ONLY FOR ONLINE SUBSCRIPTIONS - Following online registration for/subscription to the service, CEEYU reviews the identity of the Customer within 10 calendar days following the registration. CEEYU reserves the right to not provide the service to Customer for a variety of reasons (eg. CEEYU suspects Customer will use the Service for illegitimate purposes, Customer is a direct competitor of Ceeyu, etc.) and the present agreement becomes void. Ceeyu is not required to justify this action to the Customer. In case of a paid subscription and in case the customer has already paid upfront for this subscription, CEEYU will refund the funds within 14 Calendar days.
This agreement is valid for Orders from January 1st 2023.
1.1 “Agreement”: this contract, its annexes (including any Orders) in relation to this contract.
1.2 “CEEYU Platform”: www.ceeyu.io
1.3 “Domain”: A specific digital domain (including IP addresses and other encountered resources where applicable) of Customer or its Vendor, onboarded by Customer in accordance with article 4 “Onboarding of a Domain” for the purpose of having its digital footprint, vendor risk management and/or security rating evaluated in accordance with this Agreement.
1.4 “False Positives”: Findings which do not relate to the Customer
1.5 “False negatives”: Findings which relate to the Customer but are not detected by the scanning tool.
1.6 “Force Majeure”: the situation in which one of the Parties is impeded in the performance of the Agreement, either in whole or in part and temporarily or permanently, beyond the control of the Party or Parties. Without limitation, the following events shall be deemed to constitute Force Majeure: governmental decision, act or omission (e.g. delay or failure to issue, or withdrawal of any license, permit or authorisation), war declared or not, embargo, hostilities, act of the public enemy, riots, terrorist attacks, strike, general transport problems, civil commotion, sabotage, natural disasters, unfavourable weather conditions, earthquakes, fire, flood, lightening, hurricanes, explosion, epidemics, quarantine restrictions, disturbance in supplies from normally reliable sources (e.g. electricity, water, fuel and the like), power failures, failures of the internet, computer network or telecommunication facilities, the unavailability of servers of third parties, failures in equipment, goods, software, hardware or other materials of third parties of which the Customer prescribes the use to CEEYU, Bugs in third party equipment, goods, software, hardware or other materials in general, hacking, (distributed) denial of service attacks, viruses, delay or failure from a subcontractor or third party Vendor due to Force Majeure as defined hereinabove.
1.7 “Order”: An order placed by Customer for the purpose of receiving the services described under this Agreement. An order may be placed by signature of an order form by both Parties, by Customer’s acceptance of a valid quote from CEEYU, by email to CEEYU with reference to a valid quote or subscription level advertised on www.ceeyu.io/pricing, or online on www.ceeyu.io. Orders can be placed directly with CEEYU, or through an authorised sales partner of CEEYU.
1.8 “Vendor”, “Vendor”, Third Party”: a third party to this Agreement, that is onboarded by Customer under this Agreement.
2.1 CEEYU is company active in ICT security, more specifically, the field of digital footprints and the analysis of its security consequences for companies. CEEYU provides to its customers a clear and concise overview of their or their Vendors’ digital footprint, the security consequences in the form of a security rating, and allows customers to evaluate vendor risk, based on a security rating.
2.2 Your company’s digital footprint is the set of data, exposed on the Internet, that defines the presence of your company on that medium. It is composed out of the domains, subdomains, applications, email, web, and application systems, and any other branded activities. But also of the names and email addresses, physical addresses, and any other information or personally identifiable information linked to your company, brand, or employees. Your footprint might not only leak personal data (PII), but might also leak technical insecurities allowing malicious third parties to exploit them or leverage them to incorporate in more sophisticated attacks.
2.3 The security rating is a quantification ranging from A to F, or in percentages, or any scale defined by Ceeyu, derived from a calculation performed on your digital footprint. It is an objective indication of your company’s external security posture.
2.4 Third Party Risk Management allows you, through the objective security ratings, and a self-assessment questionnaire, to get to know your riskiest third parties and work with them to improve their security posture, and thus, decrease the risk they pose to your business.
3. OUR SERVICES
3.1 Under this Agreement, CEEYU will execute and analyze digital footprint scans in order to provide the Customer with a security rating on its Domains in scope and in order to contribute to the Customer’s Third Party Management (“Services”).
3.2 Assessment of the digital footprint implies that CEEYU will have the Domain(s) scanned by means of automatic tools. CEEYU shall, to the best of its abilities, strive not to intervene with the proper functioning of the Domain(s). Data will be collected passively or actively and non-intrusively (unless otherwise requested from the Customer e.g. for vulnerability scans) through publicly-available intelligence sources. CEEYU does not enter company networks or other restricted areas to collect data and calculate security ratings.
3.3 CEEYU will, to its best endeavors, verify the quality of the data in order to minimize the amount of False Positives and False Negatives. For this purpose, Ceeyu might add or remove data relevant to the Customer or request additional information to the Customer. Customer has the possibility to further validate the quality of its data through the Platform and can assign False Positives and request False Negatives to be rectified. Where applicable, once (1) per month, CEEYU will process the newly assigned False Positives and False Negatives and CEEYU will recalculate the security rating, if relevant.
3.4 Customer’s onboarded Vendor(s), will be requested to fill in a self-assessment form in relation to security. Based on the digital footprint and results of the self-assessment (where applicable), CEEYU will provide Customer with a security rating of its Domain(s) in scope. The security rating is identified based on several risk parameters, visible to Customer through the Platform. Since security rating and ICT in general are continuously evolving matters, the security parameters taken into account, may vary from time to time.
3.5 As a part of the Services, CEEYU will allow the Customer access to the CEEYU Platform, in accordance with article 4.6 “Use of the CEEYU Platform”. The CEEYU Platform allows Customer to:
(a) Get an overview of its digital footprint;
(b) View CEEYU’s security evaluation of that digital footprint (the security rating); and
(c) Have an overview of its Vendor risks.
4. ONBOARDING OF DOMAINS AND VENDORS
4.1 Customer may at its own discretion onboard Domain names, to have them scanned and included on the CEEYU Platform, by concluding (an) Order(s) or by adding the domain in the Ceeyu application.
4.2 Customer also has the opportunity to onboard Vendors and receive their security rating. In this event, Ceeyu will analyse the concerned Vendor’s primary Domain, excluding any additional domains the applicable Vendor might use (except where expressly agreed otherwise in writing).
4.3 Where Customer onboards a Vendor, Customer automatically provides CEEYU the permission to inform the applicable Vendor that it was submitted on the CEEYU Platform by Customer. Where Customer wishes to remain anonymous towards the Vendor, Customer must explicitly indicate so in the Order.
4.4 Onboarded Vendors will have the opportunity to see their security rating (A-F), but will not see additional information, such as their digital footprint or the calculating basis for security rating (unless they are a customer of CEEYU as well).
4.5 CEEYU will show the encountered data as-is and as-found and is not responsible for the correctness, remediation, or correction of the applicable data, nor for improvement of Vendor’s or Customer’s security posture.
4.6 Vendors that are onboarded by Customer will be requested to fill in a security related self-assessment form. Where such is completed, the results of the Vendor’s self-assessment will be taken into account in the security evaluation. Customer understands that the fulfillment of the self-assessment depends on voluntary cooperation of the concerned Vendor and CEEYU cannot oblige the Vendor to participate. Customer will be notified where a Vendor refuses to submit a self-assessment form. This will however not release Customer from payment of the applicable fees for onboarding of the Vendor and the rating will be based on all other elements available hereunder.
4.7 The Customer may only perform active scans ("Active Assessments") on domains, subdomains and IP addresses for which the underlying IT and network systems are under its control. The Customer is fully liable for damages caused to third parties as a result of failure to comply with this obligation.
5. USE OF THE CEEYU PLATFORM
5.1 CEEYU created an online application (the CEEYU Platform) where Customer can consult its digital footprint, its security ratings, the data its was derived from, and where Customer can initiate and review vendor risk assessments.
5.2 CEEYU and its licensors remain at all times the owner of all intellectual property rights on the CEEYU Platform. As from payment of the applicable Subscription Fee, CEEYU provides to the Customer a temporary, revocable, limited, personal, non-exclusive, worldwide license to access the CEEYU Platform, during the Subscription Cycle and for the purpose of this Agreement and in accordance with its provisions. Subscription periods are divided into one (1) year cycles.
5.3 Customer’s login credentials will be received after complete payment of the applicable invoices and may at all times be suspended in the event of failure to pay an invoice on its due date.
5.4 To the extent allowed under applicable law, the CEEYU Platform is provided on an as-is and as-available basis, without warranties of any kind, whether express or implied.
5.5 CEEYU reserves the right to modify the Platform and its functionalities (e.g. implementation of new features, possibilities for reports, etc.) from time to time, as it sees fit, without prior notification being required, provided that the crucial functionalities of the platform shall be maintained.
Where a crucial functionality will no longer be provided, Customer will be notified at the latest three (3) months in advance, by email or registered letter. Where Customer reasonably believes that the Services provided to it hereunder will be affected in a negative way, by removal of such crucial functionality, Customer may terminate this Agreement, including any pending Orders, with one (1) month prior notice via registered letter to CEEYU. In this event, the Fee for the remaining term, will be credited and reimbursed pro-rata.
A list of crucial functionalities are provided for in Annex 2 to this Agreement.
6. RIGHTS AND OBLIGATIONS OF THE PARTIES
6.1 CEEYU shall carry out its Services with care and diligence and in compliance with all applicable regulations. Unless otherwise stated in the Agreement, CEEYU’s obligations are obligations of means. CEEYU will make fair interpretations of the discovered data and accurately calculate the security rating.
6.2 In providing its Services, CEEYU will at all times use its best endeavours to mitigate any possible harm (obligation to limit damages).
6.3 Given the fact that ICT is a continuously growing and changing matter, CEEYU does not guarantee that the Services are 100% conclusive and will reveal all security vulnerabilities publicly known at the time of the assessment. Also, since the digital footprint is created by an automated scanning tool, it is under the current state of techniques impossible to ensure that all data is accurate. False Positives and False Negatives may occur. The Services are provided “as is” to the Customer, without express or implied warranty or condition of any kind. CEEYU disclaims any warranties of merchantability, fitness for a particular purpose or non-infringement.
6.4 The Customer bears at all times the responsibility for its existing infrastructure (including, but not limited to: hardware, software, websites, databases, monitoring and security procedures, adequate system management, etc.) and the proper functionality and safety of all of its working materials.
6.5 The Customer is solely responsible for setting up procedures which allow for reconstruction of lost or altered files, data or programs at any time, regardless of the cause of loss or alteration. Customer must make back-up copies of its computer programs, files and data, on a daily basis.
6.6 The Customer is solely responsible for its use of the Services and must not misuse the Services.
7. CALCULATION OF THE SECURITY RATING
7.1 At any time and upon its sole discretion, CEEYU may modify the algorithm for calculation of the security ratings and interpretation of self-assessment forms. This modification may be based on:
(a) Data collected by CEEYU during the term proceeding the modification;
(b) Developments in ICT security, such as the development of new technologies, evolution of systems, knowledge, etc., that might influence security scores or that allow to take account of additional (types of) data;
(c) In-house knowledge and expertise.
7.2 The fact that changes will be made in the algorithm and the likewise effects thereof on the Crucial Functionalities, will be announced to Customer at least three (3) months in advance. During such term, Customer will have the opportunity to communicate to CEEYU any questions or issues that may arise in relation hereto.
8.1 The Customer undertakes the obligation to pay the fees as set out in CEEYU’s quote/Order in accordance with the Agreement. In absence of a quote specific for the Customer, the subscription level referred to in the Order and the prices listed on www.ceeyu.io/pricing will apply.
8.2 An extension of the subscription period takes place tacitly, taking into account the notice period described below. CEEYU’s pricing model is based on:
- An annual subscription fee for Customer’s access to the CEEYU Platform, depending of the number of Vendors, Domains and user accounts and number of optional features.
- One off fees for the provision of professional services, if any.
8.3 The fees are in EUROS and do not include VAT and other present or future applicable taxes.
8.4 CEEYU may, without prior notification, adjust the fees annually in January, based on the following formula: New price = Initial price * (0.2 + 0.8 * (New index/Initial index)). For which the following definitions apply:
- Initial price: price at the start of the Agreement;
- Initial index: the index published by Agoria "reference national average wage cost" of the month preceding the signing of the Agreement;
- New Index: the index published by Agoria “reference national average wage cost” of the month preceding the indexation.
8.5 In the event (a) fundamental change(s) in circumstances occur(s), which affect(s) the agreed price and which was/were both unforeseeable at the time the price was set and affect the contractual equilibrium, upon request by either Party, the Parties will meet to seek for an equitable amendment of the Agreement. If the Parties are unable to reach a consensus within thirty (30) calendar days from the request to amend the Agreement, either Party has the right to terminate the Agreement by sending a registered letter with a notice of thirty (30) calendar days, and this without giving rise to any compensation due.
9. INVOICING AND PAYMENT
9.1 Unless agreed otherwise, invoices shall be payable in advance and within thirty (30) calendar days from the date of invoice.
9.2 Absence of a written protest of an invoice within eight (8) business days from the date of sending of the invoice, implies irrevocable acceptance of the invoice by the Customer and the therein-mentioned services.
9.3 From the moment of expiry of the payment term conventional late payment interest shall be due, by operation of law and without any prior formal notice, equal to the yearly interest rate as stipulated in article 5 of the Belgian Act of 2 August 2002 combating late payment in commercial transactions (Wet Betalingsachterstand 02/08/2002, B.S 07/08/2002). This interest is calculated as from the deadline for payment of the invoice up until the date of full payment.
9.4 In the event of late payment of an invoice:
- CEEYU is entitled to increase the amount of invoice by 15% as compensation;
- all costs, the extrajudicial collection of the invoice, and the costs of legal proceedings and enforcement are to be borne by the Customer;
- all claims against the Customer not yet due are immediately incurred, due and payable; and
- CEEYU is entitled to suspend the performance of all Services without prior notification.
- The Customer is not entitled to settlement or suspension of a payment.
- If, to CEEYU’s opinion, the Customer’s creditworthiness so dictates, CEEYU may, even after the signing of the Agreement, require the Customer to provide security or collateral for the payment of the Services yet to be provided, and CEEYU may suspend performance as long as such security or collateral has not been provided.
10.1 Confidential information is defined as all information of any form whatsoever (oral, written, graphic, electronic, etc.) exchanged between the Parties in the context of this Agreement, which is marked by the Parties as confidential or should reasonably, by its nature, be considered as confidential.
10.2 Each Party must keep all confidential information received from the other Party in the performance of this Agreement confidential, except to the extent necessary for the provision of the services to the Customer. Additionally, the Parties may only use the confidential information for the purposes of this Agreement. The Parties may not disclose the confidential information to third parties without written consent of the other Party unless required to do so by law or by a court order, provided that the receiving Party notifies the disclosing Party, to the extent it is permitted to do so, as soon as reasonably possible. The disclosure shall be limited to the largest extent possible.
10.3 The obligation of confidentiality shall continue to exist for a period of three (3) years from termination of this Agreement, regardless of the cause of the termination of the Agreement.
10.4 The following are not considered to be confidential information:
(a) information obtained in a lawful manner from a third party not bound by any confidentiality obligation or secrecy;
(b) information already known to a Party before its disclosure in the context of this Agreement;
(c) information independently developed by a Party, without breaching this Agreement;
(d) information publicly available without the intervention or fault of the Party that received it;
11. DATA PROTECTION
11.1 Each Party shall at all times adhere to its respective obligations under applicable data protection legislation, such as but not limited to, Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
11.2 If one Party processes personal data on behalf of the other, the Parties shall enter into a data protection agreement, that will be annexed to and will form a complete and inherent part of this Agreement.
12. USE OF ANONYMIZED DATA
12.1 Parties agree that CEEYU may collect and process anonymized information and data of Customer and Vendors, for the purpose of e.g. improving its algorithm and services on a continuous basis, creation of whitepapers, etc.. Customer’s name will not be mentioned, and the confidentiality of its data will be assured.
13. INTELLECTUAL PROPERTY RIGHTS
13.1 No ownership to intellectual property rights shall be transferred to the other Party under this Agreement. CEEYU or its licensors remain at all times the owner of all intellectual property rights on the materials used to provide the services.
13.2 CEEYU reserves all rights in its reports, data, whitepapers, and analyses. Any reports or documents provided by Ceeyu to Customer, whether made available in paper, through download, visible to Customer through the CEEYU Platform or otherwise, are intended for Customer’s internal use only and may not be disclosed to any third party without prior written consent of CEEYU, except for the applicable Vendor to which a report or security rating relates.
14. RESPONSIBILITY TOWARDS VENDORS
14.1 Solely Customer is responsible to ensure that the Vendor(s) Customer onboards agree to the security assessments as provided by CEEYU under this Agreement.
14.2 CEEYU is not responsible for any discussions between Customer and the concerned Vendor(s) in relation to the result of the security ratings provided. Upon reasonable request from the Customer, CEEYU may agree to explain to the concerned Vendor the basis for the security rating(s) performed.
14.3 Where Customer would decide to terminate a contract with and onboarded Vendor or otherwise terminate or decide not to enter into a cooperation with an onboarded Vendor, in relation to or as a consequence of the provided security rating and other results received from CEEYU hereunder, CEEYU may not be held liable for the consequences thereof. Customer shall defend and indemnify CEEYU from any and all third party complaints, claims, legal filing and/or (other) damages CEEYU would incur in this respect.
15. TERM AND TERMINATION
15.1 This Agreement shall commence when duly signed by both Parties and shall continue in effect for an indefinite term.
15.2 Under and as a part of this Agreement, Parties shall conclude one or several Orders, which will be concluded for a fixed term and/or for a certain assignment. The Order will automatically be terminated upon termination of the agreed term or completion of the agreed assignment, as would be applicable.
15.3 Each Party may terminate the Agreement for convenience with prior written notice of one (1) month to the other Party. This termination shall have no effect on any ongoing Order.
15.4 In the absence of prior termination, this Agreement shall automatically be renewed, unless Parties explicitly agree otherwise in writing.
15.5 Without prejudice to its other rights and remedies under this Agreement and under applicable law, each Party may, at its own discretion, suspend the execution of the Agreement or terminate the Agreement by operation of law and with immediate effect, without prior notice being required and without judicial intervention, by the mere sending of a registered letter to the other Party:
(a) in the event the other Party has requested deferment of payment, is declared bankrupt, files for bankruptcy or has an involuntary petition in bankruptcy filed against it, admits its inability to pay its debts as they mature, has a receiver appointed over its assets, has any significant portion of its assets attached, has an unstable credit or is manifestly insolvent;
(b) in the event of dissolution and/or liquidation of the other Party's company;
(c) if part or whole of the other Party’s assets are executive and/or precautionary seized or in the event of other executive or protective measures against the other Party’s assets;
(d) in the event of proof or serious suspicion of fraud committed by the other Party;
(e) if the other Party commits a demonstrated material fault or contractual shortcoming and fails to remedy such fault or shortcoming within a period of thirty (30) calendar days after being notified by registered letter of default by the Party invoking the fault or shortcoming. Extension of the aforementioned period for remediation will not be refused on unreasonable grounds if the Party in default has commenced remedying the default during this thirty day period and is making reasonable efforts to continue to do so.
15.6 Upon termination or expiration of the Agreement, all sums owed by the Customer shall automatically become due and payable on the effective date of termination, even if longer terms had been provided previously.
16.1 The liability that CEEYU may incur derives from a best-efforts obligation and the Customer will have to provide proper proof of such liability.
16.2 Insofar as maximally permitted by applicable law, the total liability of CEEYU shall be limited, per contract year, to the lower of the following amounts: (1) 5000 EUR or (2) the amount which the Customer is due for the specific provision of Services that gave rise to the damages (excluding VAT). If the performance of Services should run over several years, CEEYU, can maximum be held for the value of the amounts invoiced under this Agreement for the performance of the specific services which gave rise to the damages, (excluding VAT) over a period of twelve (12) months prior to the day the damage in fact occurred.
16.3 The Customer must inform CEEYU in writing of any event that may lead to the latter's liability and of any disadvantage and/or loss the Customer suffers, within the shortest possible time and at the latest within fifteen (15) calendar days from the occurrence of this event or disadvantage, or, at least, from the moment the Customer was aware or should have been aware of this event, disadvantage or loss. This to enable CEEYU to determine the origin and cause(s) of the damage(s) within a reasonable period of time. To the largest extent permitted by law, in the event of failure to comply with the written notification, CEEYU reserves the right to refuse any compensation and to reject any liability.
16.4 Under no circumstances shall CEEYU be liable for (i) indirect, incidental or consequential damages, including but not limited to financial or commercial losses, loss of profit, increase of general expenses, lost savings, diminished goodwill, damages resulting from business interruption or interruption of operation, damages resulting from claims of customers of the Customer, disruptions in planning, loss of anticipated profit, loss of capital, loss of customers, missed opportunities, loss of data, loss of advantages, or corruption and/or loss of files resulting from the performance of the present Agreement, (ii) damages resulting from a fault or negligence of the Customer, (iii) compensation of any direct and indirect damages caused by the use of the result of the Services, (iv) compensation of any direct and indirect damages caused in whole or in part by software or hardware supplied or created by third parties, or any other element introduced into the Customer’s business after the signing of the Agreement, and (v) all third party claims brought against the Customer.
16.5 The limitations of liability as set out herein shall not apply with respect to damages caused by fraud, wilful intent, death or personal injury.
16.6 If Customer has a dispute with one or more Vendors in relation to CEEYU’s Services hereunder, including Vendor’s security rating, Customer shall defend and indemnify CEEYU against all third party claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.
17. FORCE MAJEURE
17.1 Neither Party is obliged to fulfil any obligation if prevented from doing so by Force Majeure.
17.2 If a situation of Force Majeure lasts longer than sixty (60) calendar days, either Party is entitled to terminate the Agreement in writing. In that event, all performances already rendered under the Agreement will be settled in proportion to the state of completion, without the Parties owing anything to each other beyond this proportionate compensation.
18.1 The Customer shall not recruit or hire, directly or indirectly, any person assigned by CEEYU to the performance of the Services during the term of the Agreement and for twelve (12) months after the termination of the Agreement for any reason, without prior written consent from CEEYU.
19.1 This Agreement is non-exclusive and nothing in this Agreement shall be deemed to restrict the right of either Party to enter into similar agreements with any third party (without restriction as to number, location and subject matter of such agreement) or to deal with or provide products and/or services to any third party. Nothing in this Agreement shall be deemed to constitute a partnership, joint venture, association, or fiduciary relationship between the Parties, nor shall anything in this Agreement be deemed to create an agency relationship between the Parties. Each Party shall be entirely free and independent in the performance of this Agreement.
19.2 CEEYU may include the Customer in its customer list, publish a brief description of the assignment and use the Customer's name and brand for publicity purposes and PR activities.
19.3 The present Agreement is governed by Belgian law, with exclusion of the Vienna Sales Convention of 11 April 1980 (CISG).
19.4 In the event of disputes concerning the implementation and/or interpretation of the present Agreement which cannot be resolved amicably, only the Courts of Antwerp (division Antwerp) will be competent.
19.5 Any claim of the Customer relating to the delivered Services expires six (6) months after the date the Customer becomes aware or reasonably could have become aware of the event causing damage and giving rise to the claim.
19.6 Neither this Agreement nor the rights or obligations arising from it may be wholly or partly transferred without the express written consent of both Parties.
19.7 The nullity of any provision or part of a provision under this Agreement will by no means affect the validity of the rest of the invalid clause, nor of the other clauses of the Agreement. Parties will make every effort to replace the invalid clause with a valid one with the same, or largely the same, economic impact as the invalid clause, in mutual consent.
19.8 Neither Party to this Agreement shall be deemed to have waived any right or claim under this Agreement or in relation to a breach of the other Party, unless this waiver has been expressly communicated in writing. Even if a Party, in the application of this paragraph, waives a specific right or claim under this Agreement, such waiver can never be interpreted as a waiver of any other right or claim under this Agreement even if both cases demonstrate large similarities.
19.9 Barring any stipulation to the contrary, all legal remedies provided in the Agreement are cumulative and in addition to (and not in replacement of) any other legal remedies available to the Parties.
19.10 In the event of conflict between the different documents of the Agreement, the following order of precedence:
a) the Data Processing Agreement
b) the Orders
c) the other annexes
d) the body of this Agreement
19.11 This Agreement, its annexes (including the Orders) together contain the representation of all rights and obligations of the Parties and replace all previous agreements and proposals, whether made orally or in writing. Deviations and additions to this Agreement are only valid if agreed between the Parties in writing. The applicability of the Customer's purchase- or other terms and conditions is expressly excluded, even if these conditions would state otherwise.
19.12 All provisions of the Agreement which are expressly marked to survive the termination (including dissolution) or expiry of the Agreement, as well as all provisions of which compliance after termination of the Agreement is intended, shall survive the Agreement and will remain fully in force. Shall in any case survive the termination of the Agreement (not limitative): all provisions relating to liability, confidentiality and data protection.
19.13 In addition to the means of evidence explicitly allowed under applicable law, parties can validly invoke the following means of evidence: copies or reproductions in any form whatsoever (photographs, screenshots, scans, ...), via data carrier and email. This regardless of the value or nature of what a party intends to prove. Such evidence has the same evidential value as a (other) written evidence in accordance with the provisions of the (Belgian) Civil Code.
19.14 In the event a signed copy of the Agreement has been sent by e-mail with a “.pdf” or “jpeg” data file or via another exact copy, the signature contained therein will create a valid and binding commitment for the signatory (or in whose name and on whose behalf the signature has been placed) with the same value, impact and effect as if it was original.
19.15 The titles and headings in this Agreement are solely indicative and do not in any way affect the content or scope of the provisions or the rights and obligations derived therefrom.
19.16 CEEYU may use sub-contractors for the performance of its obligations under this Agreement without prior authorization from the Customer. CEEYU remains liable for the performance of its obligations by its sub-contractors.
ANNEX 1 – DATA PROCESSING AGREEMENT
THIS DATA PROCESSING AGREEMENT (the “DPA”) is entered into between the Customer, hereinafter the ‘Data Controller’, and CEEYU hereinafter the ‘Data Processor’. The Controller and Processor may be referred to together as the ‘Parties’ or individually as the ‘Party’.
FOR THESE REASONS, THE PARTIES HAVE AGREED AS FOLLOWS:
1.1 “Agreement”: the contractual relationship between the Data Controller and the Data Processor via which the Data Processor provides services to the Data Controller and thereby Processes Personal Data on behalf of the Data Controller, including any Orders in relation to this Agreement.
1.2 “Annex”: the annex to this DPA, which forms an integral part thereof and which describes the further details with respect to the Processing of the Personal Data.
1.3 "Controller", "Processor", "Process", "Data Subjects", "Personal Data", "Personal Data Breach", "Special categories of personal data", "Supervisory Authority" (or any of the equivalent terms): have the meaning set forth under the applicable Data Protection Regulation;
1.4 "Data Protection Regulation": all applicable data protection legislations including Regulation (EU) 2016 of the European Parliament and of the Council from 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC ("General Data Protection Regulation" or "GDPR"), and any changes to or the replacement of the previous legislation, if applicable;
1.5 "DPA": this Data Processing Agreement in which the general rules are laid down with regard to the conditions pursuant to which the Data Processor will perform the activities for the Processing of Personal Data on behalf of the Data Controller;
1.6 "Services": the services provided by the Data Processor to the Data Controller, as stipulated in the Agreement;
1.7 "Subprocessor": an external processor appointed by the Data Processor or by another subprocessor of the Data Processor who processes Personal Data as part of the Processor's role in the context of this DPA;
Other capitalized terms have the definitions provided for them in the Agreement or as otherwise specified below.
2. PURPOSE OF THE DATA PROCESSING AGREEMENT
2.1 The Data Processor will process certain Personal Data in the performance of Services on behalf of the Data Controller and in accordance with (i) the documented instructions of the Data Controller, (ii) other modalities as set out in this DPA and in the Agreement and; (iii) the obligations set forth in the applicable Data Protection Regulation that applies directly to Data Processors.
2.2 This DPA is a data processing agreement within the meaning of Article 28 General Data Protection Regulation, which places certain obligations upon the Data Controller to ensure that any Data Processor it engages provides sufficient guarantees to ensure that the processing of the Personal Data carried out on its behalf is secure.
2.3 This DPA forms an integral part of the Agreement.
2.4 Except as expressly stated otherwise in this DPA, in the event of any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall take precedence.
3. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
3.1 The Data Controller is responsible for complying with all its obligations as set out in the Data Protection Regulation, in particular for justification of any transmission of Personal Data to the Data Processor and its approved Subprocessors, including, but not limited to, providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate legal basis under the Data Protection Regulation.
3.2 The Data Controller must designate a single point of contact (hereinafter: the "Data Protection SPOC") for matters relating to Personal Data Processing on the basis of this DPA. The Data Protection SPOC must be duly authorised by the Data Controller to discuss confidential matters with the Data Processor and to provide the Data Processor with instructions regarding the Personal Data Processing activities under this DPA. All decisions and instructions of the Data Protection SPOC must be approved in advance by the Data Controller and the Data Processor can fully rely on all communication and decisions taken by the Data Protection SPOC for data processing. The Data Protection SPOC name and coordinates are to be conveyed to Ceeyu.
3.3 The Data Controller is at all times responsible for the security of its existing infrastructure (including, but not limited to: hardware, software, websites, databases, monitoring and security procedures, adequate system management, etc.). Therefore the Data Controller must implement Technical and Organisational Measures to protect its Personal Data from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure and/or access and evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary. These Technical and Organisational measures must ensure an adequate level of protection, taking into account the state of the art, the costs of the implementation of the measures and risks associated with the Processing.
4. RIGHTS AND OBLIGATIONS OF THE DATA PROCESSOR
4.1 The Data Processor is responsible for compliance with the provisions of this DPA and the obligations set out in the applicable Data Protection Regulation that apply directly to processors.
4.2 The Data Processor will only process Personal Data on documented instruction of the Data Controller, in accordance with the Agreement and this DPA, unless required to do so by Union or Member state law to which the Data Processor is subject.
4.3 If the Data Processor considers that the instructions of the Data Controller violate the applicable Data Protection Regulation, the Data Processor shall immediately inform the Data Controller thereof, unless the law forbids such disclosure on important reasons of public interest.
4.4 The Data Processor guarantees that the persons in its organisation, who are authorised to Process Personal Data, have committed themselves to observe confidentiality or are bound by an appropriate statutory confidentiality obligation.
4.5 The Data Processor shall at all times implement appropriate technical and organisational measures and in particular, the following Technical and Organisational Measures, which are approved by the Data Controller before the start of the Processing, to protect Personal Data from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access to Personal Data:
(a) The Processor is responsible for implementing and monitoring security for its part of the network. The different network domains, including access control, are separated.
(b) The Processor is not responsible for the regulation of the software of third parties with the applicable Data Protection Regulation.
(c) The Processor shall ensure the confidentiality of the data, and implement a process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
4.6 In the event the Data Controller requires stricter Technical and Organisational Measures – than those mentioned in article 5.5 of the DPA – as a result of the policy, guidelines, regulations or las, etc. applicable to the Data Controller, the Data Controller shall inform the Data Processor thereof. The Data Processor shall implement these stricter Technical and Organisational Measures, insofar as this is technically possible for the Data Processor. Otherwise, the Parties shall, in mutual consultation, find a suitable solution. Any deviations or additions resulting from a specific request from the Data Controller shall be added in the Annex. The Data Processor is entitled to compensation for these extra required or stricter Technical and Organisational Measures.
4.7 At the request of the Data Controller and taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor will provide all reasonable assistance to the Data Controller to enable the Data Controller to meet its obligations in relation to (i) the security of the Processing, (ii) communication of a Personal Data Breach to the Data Subject and notification of a Personal Data Breach to the Supervisory Authority (iii) the performance of a data protection impact assessment and the prior notification to the Supervisory Authority. The Data Processor is entitled to compensation for such assistance based on its hourly rates or other rates agreed between the Parties.
5. RIGHTS OF DATA SUBJECTS
5.1 The Data Processor shall, at the written and detailed request of the Data Controller, and taking into account the nature of the Processing, reasonably assist the Data Controller by enacting appropriate Technical and Organisational Measures, insofar as possible, to comply with the obligation of the Data Controller to reply to requests pertaining to the exercise of the Data Subject’s rights. For the avoidance of doubt, the Data Controller is responsible for handling and responding to such requests. The Data Processor shall be entitled to reasonable compensation for the assistance provided pursuant to this Article.
6. THE USE OF SUBPROCESSORS BY THE DATA PROCESSOR
6.1 The Data Controller agrees to the use of the Subprocessors by the Data Processor. The Data Processors maintains a list of the Subprocessors it engages, and provides the Data Controller a copy thereof after its written request.
6.2 The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Data Controller the opportunity to object to such changes. Within five (5) days of notification of the involvement of a certain Subprocessor, the Data Controller may object to the use of the involved Subprocessor. In this case, the Parties shall jointly agree whether (i) the Subprocessor will still be deployed, (ii) the Subprocessor will be replaced by another Subprocessor selected by the Data Processor, or (iii) the Subprocessor will not be appointed (or no Personal Data will be disclosed to such Subprocessor), until reasonable steps have been taken to deal with the objections of the Data Controller and until the Data Controller has received reasonable explanations about the steps taken. It is possible that the Data Processor will not be able to guarantee continuous delivery of services in case of disagreements regarding a Subprocessor, and Data Processor cannot be held liable for such implementation delays due to discussions related to the Subprocessor.
6.3 The Data Processor shall impose on its sub-processors the same data protection obligations as set out in this DPA. Where the sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of those obligations.
6.4 The Data Processor confirms that the Subprocessor was elected in consideration of the suitability of the Technical and Organisational Measures used by the Subprocessor.
7. AUDIT RIGHTS
7.1 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with its obligations under the Applicable Data Protection Regulation. At the request of the Data Controller, the Data Processor can demonstrate compliance with its obligations under this DPA by providing the Data Controller with the latest certifications and/or summary audit reports on the Technical and Organisational Measures. The Data Controller may ask additional questions and the Data Processor must reasonably cooperate with the Data Controller by providing additional information. The Data Processor may charge the Data Controller for its cooperation at the rates stipulated in the Agreement or according to its usual hourly rates.
7.2 If such certifications and/or summary audit reports are not available, the following procedure shall apply: at the request of the Data Controller, the Data Processor shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. Such an audit may not take place more than once per contract year. Data Controller shall provide Data Processor with at least thirty (30) days prior written notice of its intention to perform an audit. The notification must include at least the name of the auditor, a description of the purpose and the scope of the audit. The audit will take place during the regular business hours as applicable at the location of the Data Processor.
7.3 The audit may be performed by an internal auditor or an external auditor chosen by the Data Controller, provided that the external party cannot be considered a competitor of the Data Processor or provided there is no conflict of interest. The Data Processor has the right to approve the auditor in advance.
7.4 The Data Processor may limit the access of the Data Controller to the premises of the Data Processor to a space provided by the Data Processor and the auditor may not copy or delete documents from the Data Processor without the prior approval and consent of the Data Processor.
7.5 The Data Controller shall guarantee that the audit is carried out in such a way that the inconvenience for the Data Processor and its company is kept to a minimum.
7.6 The Data Controller will impose sufficient confidentiality obligations on its auditors. In addition, the Data Processor has the right to require the auditors to sign a non-disclosure agreement before the start of the audit, in a form set out by the Data Processor. In all cases, it is essential to protect the confidential information of the Data Processor.
7.7 The Data Controller must, or will request that its external auditors, send a draft version of the audit report to the Data Processor. The Data Processor has the right to submit its comments within a timeframe as agreed between the Parties. The auditor shall take the comments of the Data Processor into account and include these comments in its final report submitted to the Data Processor.
7.8 All audit costs are exclusively borne by the Data Controller. Furthermore, the Processor shall be entitled to reasonable compensation for the assistance provided under this article.
8. PERSONAL DATA TRANSFERS
8.1 Personal data processed in the context of this DPA may not be transferred to a country outside the European Economic Area without the prior written consent of the Data Controller. In the event that the Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data are adequately protected. In order to achieve this, the Parties shall, unless agreed otherwise, rely on the EU standard contractual clauses for the transfer of Personal Data.
9.1 The Data Processor can only be held liable for an infringement of this DPA that is directly attributable to it, or the provisions that apply directly to the Data Processor on the basis of the Data Protection Regulation.
9.2 If the Data Processor and the Data Controller are held jointly liable by the Data Subject, the Data Controller will fully reimburse the Data Subject. The Data Controller is entitled to compensation from the Data Processor insofar as there is an attributable and proven shortcoming by the Data Processor in regards to the DPA or Data Protection Regulation that is specifically aimed at the Data Processor, insofar as (i) the Data Controller has fulfilled its own obligations as set out in this DPA or the applicable Data Protection Regulation and (ii) in relation to the impact ratio of the proven error of the Data Processor. Such compensation is subject to the liability limit as stated in Article 9.3 of this DPA.
9.3 The liability provision set out in the Agreement is fully applicable. In the event no limitation of liability was agreed in the Agreement, the liability that Data Processor may incur shall in any event be limited to the value of the Agreement.
9.4 This clause 9 applies to the largest extent permitted by law.
10. TERMINATION AND CONSEQUENCES
10.1 This DPA ends automatically after the last of the following events: (i) termination of the Agreement; or (ii) at the date of the last processing activity.
10.2 After termination of this DPA, the Data Processor shall cease its Processing activities. In case of partial termination of the Agreement, the Processing shall cease for activities that are affected by the partial termination at the time of the partial termination or at another time stipulated in agreement between the Parties.
10.3 The Data Processor will, at the discretion of the Data Controller, delete or return all Personal Data relating to the terminated Services (in so far as these Personal Data are not required for non-terminated Services in case of partial termination) and delete existing copies as far as technically possible. The Data Processor may keep copies if the storage of Personal Data is required for legal or regulatory reasons. The Data Processor shall be entitled to reasonable compensation for the destruction and/or return of the Personal Data.
11.1 If a provision of this DPA is proven to be invalid or unenforceable in whole or in part, it will be regarded as severable (insofar as it is invalid or unenforceable) and the validity of the other provisions of this DPA and the remainder of the provisions in question will remain unaffected. If the invalid provision is of fundamental importance for achieving the goal of this DPA, the Parties shall negotiate in good faith to remedy the invalidity, illegality or unenforceability of the provision or otherwise change this DPA to achieve its purpose.
11.2 This DPA can only be changed with a written amendment, signed by the authorised representatives of both Parties.
DPA Annex 1. Description of the processing
The data processing performed by the Data Processor on behalf of the Data Controller relates to the provision of a Third Party Risk Management SaaS platform.
The data processing activity consists of ingesting Vendoremployee contact details at both the Customer and the Vendor and answers to the questionnaires sent out using CEEYU’s SaaS platform.
The categories of Personal Data processed are: name and surname, email address and phone number of the employee, company contact details (address, telephone number, e-mail address).
The Data Subjects are: employees, customers, Vendors
DPA ANNEX 2. SPOC
The Controller communicates the person responsible as SPOC for the protection of the Personal Data to Ceeyu within 2 weeks after the start of the Contract.
The Processor appoints the following person as SPOC for the protection of the Personal Data:
(a) Jimmy Pommerenke, CEO
(b) [email protected], +32 473 350 184
ANNEX 2 - CRUCIAL FUNCTIONALITIES
The crucial functionalities as referenced in article 5.5 of this Agreement, are the following:
1) The ability to view one’s digital footprint as discovered by Ceeyu (taking into account the FP/FN clause). Ceeyu is free to add/remove data to this view as it see fit, as long as it supports the ability to have an overview of the DF and the ability to calculate ratings.
2) The ability to view one’s security rating. A calculation based on a part of the digital footprint data. Ceeyu is free to alter the scale and the rating algorithm, but will always provide a form of rating.
3) The ability to view the rating score of its vendors. Idem, the rating is based on part of the data and the algorithm is subject to change.
ANNEX 3 - TERMS AND CONDITIONS PROFESSIONAL SERVICES
The Ceeyu Professional services are subject to the following terms and conditions.
For "Third Party Onboarding Support":
1) Responsibilities Customer.
- The Customer himself creates the Supplier on Ceeyu.be. If this functionality would not (yet) be available, the Customer provides Ceeyu with all data that would allow unambiguous identification of the Supplier (name, address, VAT number).
- The Customer is responsible for providing personal contact details of at least one contact person at the Supplier. Should these details prove to be incorrect, the Customer shall be responsible for providing the correct details.
- If the contact person at the Supplier does not respond, then the Customer is responsible for providing Ceeyu with the details of another contact person.
2) Responsibilities Ceeyu.
- Ceeyu follows up the creation of an account on the Ceeyu platform and the completion of an initial questionnaire by the Supplier contact person. For this, Ceeyu emails and calls the contact person designated by the Customer. Ceeyu calls the contact person at least 5 times during business hours and leaves a voicemail each time.
- If the contact person designates another person, Ceeyu will follow up on the onboarding of this new contact person as described above.
For "Periodic Risk Review:
1) Customer Responsibilities.
The Customer is present during the Risk Review meeting scheduled by Ceeyu. If the Customer cannot attend, he can request up to 48h in advance to reschedule the meeting.
2) Responsibilities Ceeyu
Ceeyu schedules a recurring Risk Review meeting with the Customer.
- The meeting takes place digitally, Ceeyu chooses the platform through which the meeting will take place.
- In preparation for the Risk Review meeting, Ceeyu prepares a list of the 5 most important risks based on the data available on the Ceeyu platform.
- Ceeyu provides a video recording of the meeting and makes it available to the client after the meeting.
- Ceeyu provides the client with a concise summary of the risks and actions discussed after each Risk Review meeting.
For "Ask a security expert":
1) Responsibilities Customer.
- The Customer is responsible for clearly defining the question/problem.
- The Customer submits the question to Ceeyu via email at [email protected]
- The Customer accepts that Ceeyu cannot provide an answer if the question concerns a provider or software-specific implementation.
2) Responsibilities Ceeyu
Ceeyu answers the question within 24h during business days.