Data processing agreement

This Data Processing Agreement (together with its appendices, hereinafter referred to as the “Addendum”) is incorporated into the Agreement(s) (as defined below) between iO and the counterparty (“Customer”). 

1. Overview

The Data Processing Agreement is an agreement within the meaning of Article 28(3) of the GDPR (as defined below). This Addendum describes the parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Personal Data when using the Services (as defined below). This Addendum will be effective on the Addendum Effective Date (as defined below).

If you are accepting this Addendum on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this Addendum; (b) you have read and understood this Addendum; and (c) you agree, on behalf of Customer, to be bound by this Addendum. If you do not have the legal authority to bind Customer, please do not accept this Data Processing Agreement.

2. Definitions and interpretation

“Addendum Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, this Addendum, whether through acceptance of the Terms and Conditions, through a quotation, or automatically when making use of the Services.

“Agreement” means the contract under which iO has agreed to provide the applicable Services to Customer.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“iO” refers to all companies that are part of the group of enterprises under the holding company iO Group NV, established under Belgian law, with enterprise number 0712.677.311, which acts as a Data Processor.

“Services” means iO’s AI tool Bonzai, and any related technical support. Bonzai is an artificial intelligence orchestration platform developed by iO which manages and integrates multiple underlying software tools.

“Customer” means the party that has entered into an agreement with iO for the use of Bonzai and acts as a Data Controller.

“Sub-Processor” means a third party authorized as another Data Processor under this Addendum to process Customer’s Personal Data in order to provide parts of the Services (if applicable).

Any terms not defined in this Addendum have the meaning given to them in the GDPR.

3. Duration and Application

3.1 Effective date. This Addendum will be effective on the Addendum Effective Date.

3.2 Scope. This Addendum applies solely to Customer's use of the Services under the Agreement. To the extent Customer has separate agreements with iO for other services, those agreements (including any existing data processing terms) remain in full force and effect and are not modified by this Addendum.

3.3 Expiration. The Addendum ends by operation of law when iO ceases to process Personal Data on behalf of Customer in connection with the Services.

3.4 Survival. Certain rights and obligations continue to exist after the termination or cancellation of the Addendum. This concerns at least confidentiality, liability, and applicable law. These rights and obligations remain valid for five years after termination or cancellation, or for as long as necessary.

4. Processing of Personal Data

4.1 Roles. iO is a Data Processor and Customer is, as applicable, a Data Controller or Data Processor of Personal Data. 

4.2 Compliance. Each party will comply with the obligations applicable to it under the relevant data protection legislation with respect to the processing of Customer’s Personal Data.

5. Customer's Responsibility

5.1 Lawful basis warranty. The Customer warrants that all Personal Data provided to iO for processing under this Addendum is based on a lawful basis as required under Article 6 GDPR, and where applicable, Article 9 GDPR for special categories of Personal Data. The Customer represents that it has conducted all necessary assessments to determine the appropriate lawful basis for each processing activity.

5.2 Information obligations. The Customer confirms that it has fulfilled all transparency requirements under Articles 13 and 14 GDPR, including providing Data Subjects with adequate information about the processing purposes, legal basis, and the involvement of iO as a Data Processor, prior to sharing Personal Data with iO.

5.3 Purpose compatibility. The Customer warrants that the processing by iO is compatible with the original purposes for which the Personal Data was collected, or that an appropriate legal basis exists for the new processing purpose.

5.4 Data quality assurance. The Customer ensures that all Personal Data provided to iO is accurate, up-to-date, and limited to what is necessary for the provision of the Services under the Agreement.

5.5 Indemnification. The Customer shall indemnify and hold iO harmless from and against any and all claims, fines, penalties, damages, costs, and expenses (including reasonable legal fees) arising from or related to:
(a)    the absence of a lawful basis for the processing of Personal Data;
(b)    breach of information obligations towards Data Subjects;
(c)    unlawful provision of Personal Data to iO;
(d)    violation of purpose limitation requirements under the GDPR.

5.6 Processing limitation. iO shall process Personal Data solely in accordance with the Customer's documented instructions and the terms of this Addendum. iO bears no responsibility for the lawfulness of the original data collection by the Customer or any third party.

6. iO’s Rights and Obligations

6.1 Customer’s instructions. By agreeing to this Addendum, Customer instructs iO to process Customer’s Personal Data only in accordance with applicable law and to provide the Services. 

6.2 Compliance with instructions. The Customer agrees that iO will only process Personal Data at the express written request of the Customer and for the purposes specified by the Customer. For this, the Customer will determine the purpose and means used for the processing in Annex 1 of this Addendum. iO will comply with the instructions and shall not use the Personal Data for any other purpose than agreed upon, unless prohibited by applicable laws.

6.3 Access to Personal Data. iO shall grant access to the Personal Data it processes to the Customer upon first request.

6.4 Government requests. iO may be approached by an authority/governmental body regarding the processing of Personal Data. The Customer will be informed immediately, unless this is not permitted by law.

6.5 Change procedure. iO reserves the right to change this Addendum. iO will inform Customer at least 30 days before the change will take effect.

6.6 Security measures. iO warrants to the Customer that:

  • the technical and organisational measures (as described in Annex 3) provide an appropriate and adequate level of protection, and

  • the technical and organisational measures comply with legal requirements.

7. Customer’s Rights and Obligations

7.1 Controller Customer. Only the Customer is authorized to determine the purpose and means for the processing of Personal Data.

7.2 Audit rights. The Customer may periodically check (or have checked) whether this Addendum is being complied with. iO shall cooperate fully in this respect. The Customer shall only conduct an audit (or have an audit conducted) upon written notice to iO in advance within a reasonable time frame and with a reasonable time for preparation. The costs shall be borne by the Customer. The Customer shall impose confidentiality on any third party engaged.

7.3 Consent management. The possibility exists that a Data Subject may have to give consent for the processing of Personal Data. The Customer shall ensure this in a timely manner and keep a record of the consent granted. Any withdrawal of consent will be communicated to iO by the Customer in a timely manner.

7.4 Processor customers. If Customer acts as a Data Processor, it:
(a)    warrants on an ongoing basis that the relevant Data Controller has authorised: (i) the purpose and means of processing, (ii) Customer’s appointment of iO as another Data Processor, and (iii) iO’s engagement of Sub-Processors as described in Annex 2;
(b)    will forward to the relevant Data Controller promptly and without undue delay any notice provided by iO; and
(c)    may make available to the relevant Data Controller any information made available by iO under Annex 2 and 3.

8. Data Transfers

8.1 International transfers. iO will not transfer the Personal Data to countries outside the EEA, unless iO has the Customer’s permission, and this is permitted under the applicable regulations (provided that the country of destination offers an appropriate level of protection).

8.2 Transfer mechanism. The Customer and iO may depend on a mechanism that allows international data processing (outside the EEA). This mechanism may be changed, revoked, or invalidated. The Customer and iO will then consult to remain in compliance with the law. Processing of Personal Data outside the EEA will only take place with the written authorization of the Customer.

8.3 Intra-group transfers. iO is entitled to exchange the Personal Data it processes with parent, subsidiary, or sister companies within its group in the EEA. 

9. Sub-Processors

9.1 Engagement of Sub-Processors. Customer specifically authorizes iO’s engagement of the Sub-Processors as disclosed in Annex 2 of this Addendum. In addition, the Customer gives iO general written authorization to engage any other third parties as Sub-Processors.

9.2 Sub-Processor obligations. iO shall require any Sub-Processor to comply with the provisions of this Addendum. iO remains responsible for the Sub-Processor. iO shall notify the Customer in the event of a change in the Sub-Processors engaged.

9.3 Suppliers. iO may use Suppliers. These Suppliers will work under the same terms and conditions as the (own) employees of iO. Such Suppliers will not be considered a third party or Sub-Processor, as the case may be. 

10. Assistance by iO and Rights of Data Subjects

10.1 Assistance obligation. iO will assist the Customer in complying with legal obligations concerning the Processing of Personal Data and act as soon as possible. In any event, this concerns the following matters:

  • the written provision of information about Personal Data;

  • access, correction, anonymisation, pseudonymisation or erasure of Personal Data;

  • implementing and testing technical and organisational measures;

  • carrying out a data protection impact assessment.

10.2 Data Subject requests. iO will immediately inform the Customer of a Data Subject’s request concerning that Data Subject’s Personal Data. The Customer will then handle this request.

10.3 Assistance costs. iO may charge reasonable costs to the Customer for providing assistance based on this provision.

11. Confidentiality

11.1 Confidentiality duty. iO will maintain the confidentiality of all Personal Data received from the Customer and impose a duty of confidentiality on all persons employed in the performance of this Addendum or the Services.

11.2 Access control. iO shall provide access to Personal Data to employees or Suppliers only when necessary. 

11.3 Duration. The duty of confidentiality applies from the time the information is exchanged until five years after the termination of the Addendum. The Parties may jointly decide to disclose information or part of it.

12. Security breaches

12.1 Notification. iO will report any Personal Data Breach(es) to the Customer without undue delay. This means any accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, the Personal Data. Any of these situations will be handled in the same way.

12.2 Breach details. iO will in any event report the following details:

  • the type of breach, the categories of Data Subjects and records concerned and, where possible, the approximate number of Data Subjects and records involved;
  • the name and contact details of the contact person for more information;
  • the probable consequences of the breach;
  • the measures proposed or taken to address the breach, including those limiting any adverse effects.

12.3 Cooperation. iO will provide all necessary cooperation to the Customer in the event of a security breach.

12.4 Record keeping. iO will keep a record of security breaches, including the facts, consequences and measures taken. iO will submit these records to the Customer on the first request.

12.5 Disclosure. The Customer will first consult iO before a security breach is publicly disclosed. The Parties will liaise about how this external communication will be made.

13. Liability

13.1 Liability application. Any limitations of liability agreed in the Agreement also apply to the Addendum.

14. Other provisions

14.1 Assignment. The Parties will not assign any rights and/or obligations under this Addendum to third parties. This will not apply if the other Party gives its prior written permission.

14.2 Business transfer. Transfer of the business operations by one Party is subject to the permission of the other Party. This permission will not be withheld on unreasonable grounds. In the event of a transfer of business operations, iO will give sufficient guarantees to ensure compliance with this Addendum.

14.3 Amendment. All modifications to this Addendum will be laid down in writing.

14.4 Severability. Any void or voidable provisions will not affect the validity of the other provisions. Such a provision will be replaced by a new provision in consultation between the Parties. The new provision will be as close as possible to the purport of the old provision.

14.5 Dispute resolution. The Parties will endeavour to resolve all disputes arising out of or in connection with this Addendum in a reasonable manner. Any disputes that cannot be resolved will be submitted to the competent court where iO has its registered office.

14.6 Governing law. This Addendum is governed by the laws of the country where the relevant iO entity has its registered office.

Annexes

  1. Description of the processing activities
  2. List of Sub-Processors
  3. Overview of technical and organisational measures

Annex 1: Description of the processing activities

1. Introduction

This Annex describes the agreements between the Customer and iO regarding the Processing of Personal Data. 

Data Subjects

iO will process all input that contains Personal Data used by the end users (i.e. Customer’s employees, contractors, consultants, and advisors) of the Services.

Duration

The duration of the Processing is linked to the duration and performance of this Addendum of which this annex is a part.

Types and Categories of Personal Data

The types and categories of Personal Data include any Personal Data which Customer provides to iO through (the use of) the Services.

iO’s Data Protection Officer

Maxim Gernay 

legal@iodigital.com 

Annex 2: List of Sub-Processors

This Annex lists the Sub-Processors that are being used by the Data Processor when providing services to the Data Controller. The Parties may revise the list from time to time.

  • Amazon AWS Bedrock
  • Microsoft Azure OpenAI
  • Google Cloud

 

Amazon Web Services EMEA SARL
  • Address: 38 Avenue John F. Kennedy, L-1855, Luxembourg
  • Company number: B186284
  • Location of data processing: Luxembourg, Ireland

Microsoft Ireland Operations, Ltd.
  • Address: South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
  • Company number: 256796
  • Location of data processing: Ireland

Google Cloud EMEA Limited
  • Address: 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
  • Company number: 660412
  • Location of data processing: Ireland

Annex 3: Technical and organisational measures

1. Security Policies and standards

  • iO has an internal formal security policy and security procedures in accordance with ISO 27001. These policies and procedures are regularly reviewed and updated in line with changing market standards.

2. Roles and organisation

  • Security responsibilities are defined in different roles and assigned accordingly.
  • There is a separation between those responsible for software development, system administration and operational use of the systems as necessary.
  • iO has an Information Security Management System in line with ISO 27001, where necessary policy guidelines are updated on a regular basis, risk management is carried out and compliance is checked.
  • Risk management is done according to internationally recognised methods or standards.

3. Personnel

  • Internal and external employees at iO are made aware of information security and, in particular, of the importance of confidentiality and security of processed personal data, on an ongoing basis.
  • iO provides training to raise awareness among all employees (including independent service providers) regarding the security guidelines and security procedures and their role therein.
  • Employees of iO are bound by a confidentiality obligation included in the employment contract.

4. Asset Management

  • iO has a centrally organised asset management system.
  • The rules for the use of these assets are defined and clearly communicated through policies.

5. Physical safety

  • The premises of iO where information and data are processed have secure access controls, which are kept up to date and reviewed at least at an acceptable frequency according to current industry standards.
  • The entrance to the building is equipped with camera surveillance, an alarm system and fire detection.
  • The server rooms have specific physical protection measures that are kept up to date and reviewed at least at an acceptable frequency according to current industry standards. Only authorised personnel have access to these premises.

6. Operational security

  • iO implements anti-virus and anti-malware measures to prevent the falsification or theft of data using malicious software. These protection measures are updated regularly and at least at an acceptable frequency according to current industry standards.
  • iO has a process for managing access requests to data. Employees' access is limited to the information necessary to perform their respective functions. These accesses are also kept up-to-date (and, more specifically, promptly deleted in case of job change or departure). Administrator rights on the systems are strictly limited to the most-needed individuals and are only used to the extent that these accesses are required (need-to-know basis).
  • iO has a password policy that complies with current industry recommendations on logical security (incl. special characters and/or minimum length, regular password changes).
  • Two-factor authentication: all externally accessible systems, including personal mail, personal Facebook, the ERP system, Jira (ticketing system), CRM, etc., are additionally protected by a 2FA implementation so that simply obtaining a username and password combination is not sufficient to access these systems. All shared resources in use by the organisation, such as LinkedIn, Facebook, YouTube, etc., are also secured by 2FA.

7. Security in terms of communication

  • iO uses security measures to protect the transmission of information through the use of secure protocols and access control.
  • The certificates and passwords used for these secure protocols are kept in a secure environment. All accesses and manipulations to these are logged.

8. Sub-Suppliers

  • Agreements with sub-suppliers and suppliers include requirements to address information security risks in line with the law. Audits of suppliers and sub-suppliers are put in place to ensure the agreed level of service and security.
  • Only carefully audited suppliers are selected.

9. Development and maintenance of applications or systems

  • iO ensures that security requirements are met during software and system development and maintenance.
  • Change management procedures are documented.
  • iO keeps the development and test environments separate from the production environment where necessary and as agreed in consultation with the Customer, and has a controlled process to exchange information between the environments. Under no circumstances will production data be used to test the systems and software in the development and test environments.
  • iO monitors the security of the systems and ensures that tests are carried out prior to their commissioning.

10. Incident management

  • iO has a documented incident management procedure. This procedure is communicated to staff and authorised third parties. iO appoints privacy and information security contact points that can be reached in case of an incident.
  • iO conducts regular incident testing.

11. Continuity

  • iO mitigates security risks through proper maintenance and redundancy as far as software is concerned.
  • When required, data are systematically backed up. These backups are kept in separate secure premises.
  • iO establishes a recovery plan for the redundancy and backup systems. If required (loss, damage, theft, etc.), this recovery is carried out.
  • iO has implemented procedures to take into account, during data recovery, any previous exercise of a personal data protection right that could affect the recovered data.

12. Audit

Customer is free to perform, or have a third party perform, audits of the business processes, procedures and execution thereof for the purpose of compliance with the conditions set out in the contract or to identify information security risks.