Data Processing Agreement
Last updated: June 2026
This is a translation provided for convenience. In case of any discrepancy with the Dutch version, the Dutch text prevails.
This data processing agreement (“Agreement”) forms part of the terms and conditions and applies insofar as Seviranta — a trade name of 1Star BV, Zonnehorst 5, 7207 BT Zutphen, Netherlands, Chamber of Commerce (KvK) 65195876 (“Processor”) — processes personal data on behalf of the Customer (“Controller”) in the context of the paid service. Terms have the meaning set out in the General Data Protection Regulation (“GDPR”).
1. Subject matter, nature and duration
Processor processes personal data solely to provide the agreed service: testing and continuously monitoring the Customer's website(s) for accessibility, retaining the associated Reports/Dossier, and managing the account and billing. The Agreement lasts as long as Processor processes personal data for the Customer.
2. Types of personal data and data subjects
- Data: account and contact details (name, email address, company name), billing details (invoice address, VAT number) and usage/subscription data. The scanned web pages are public and are tested solely on a technical level for accessibility.
- Data subjects: the Customer's contact persons and users.
- No special categories of personal data are processed.
3. Instructions
Processor processes the personal data solely on the basis of the Customer's documented instructions — including this Agreement and the use of the service — unless a legal obligation provides otherwise. If Processor believes an instruction infringes the GDPR, it will say so.
4. Confidentiality
Processor ensures that persons processing the personal data are bound to confidentiality.
5. Security
Processor takes appropriate technical and organisational measures (GDPR art. 32), including encryption in transit (TLS), encrypted storage of passwords, access on a need-to-know basis (least privilege), row-level access control in the database, and processing preferably within the EU.
6. Sub-processors
The Customer gives general authorisation for engaging sub-processors. Processor imposes on each sub-processor at least the same obligations as in this Agreement, and primarily selects partners with EU data storage. Functionally, these include: a database/authentication/storage partner, scan and monitoring infrastructure, website hosting, a payment provider, a provider for transactional email and an infrastructure/security partner.
A current list of the specific sub-processors (with name, function and location) is available to the Customer on request. In the event of an intended change of sub-processors, Processor informs the Customer in advance so that it can object.
7. Assistance
Taking into account the nature of the processing, Processor provides the Customer with reasonable assistance in responding to data-subject requests (access, rectification, erasure, etc.) and in complying with the obligations under GDPR art. 32–36 (security, data breaches, data protection impact assessment).
8. Data breaches
Processor informs the Customer without undue delay after becoming aware of a personal data breach, with the relevant information available, so that the Customer can meet its notification obligation.
9. Return and deletion
On termination, Processor deletes the personal data or returns it, at the Customer's choice, except for data Processor is legally required to retain (such as invoices under the tax retention obligation). The Customer can export the Dossier itself before termination.
10. Audits
Processor makes available to the Customer the information needed to demonstrate compliance with this Agreement and cooperates with reasonable audits, by appointment and with due regard for confidentiality and the continuity of the service.
11. Transfers outside the EEA
If a sub-processor processes data outside the European Economic Area, this is done with appropriate safeguards as required by the GDPR (for example, the European Commission's standard contractual clauses).
12. Applicable data protection law (international regimes)
This Agreement is drafted with the GDPR as the highest standard. Insofar as other data protection law applies to a processing activity, the provisions of this Agreement also apply mutatis mutandis under that law — including the UK GDPR (United Kingdom), the Swiss act (nFADP) and applicable US state laws (such as the CCPA/CPRA). For international transfers, the corresponding recognised mechanisms apply insofar as relevant: the EU standard contractual clauses (SCCs), the UK International Data Transfer Addendum (IDTA) and the Swiss addendum. Processor prefers EU data storage.
13. California (CCPA/CPRA)
Insofar as Processor processes personal data covered by the California Consumer Privacy Act (CCPA), as amended by the CPRA, Processor acts as a “service provider”. Processor: (a) does not sell or share this data (no “sale” or “share” within the meaning of the CCPA); (b) processes it solely for the business purposes described in this Agreement and not for its own commercial purposes; (c) does not retain, use or disclose it outside the direct business relationship with the Customer; and (d) provides the Customer with reasonable assistance with data-subject requests under the CCPA.
14. Closing
In case of conflict between this Agreement and the terms and conditions, this Agreement prevails as regards the processing of personal data. This Agreement is governed by Dutch law. Questions or a signed copy? info@seviranta.com.