Data Processing Agreement (DPA)

This is a specific agreement required under GDPR to clearly define our respective obligations and responsibilities regarding the data in your NextFluent AssessFluence account.

Considerations

This Data Processing Agreement (hereafter: “DPA”) is an annex to the NextFluent AssessFluence Terms of Service (available here). Together, the Terms of Service and the DPA constitute the Agreement with the Customer.

Within the context of the performance of the Services for the Customer, NEXTFLUENT shall have access to Personal Data and/or will have to Process these Personal Data, for which the Customer is responsible as ‘Controller’ in accordance with (i) the General Data Protection Regulation of 27 April 2016 (‘the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the Processing of personal data and on the free movement of such data’ or ‘GDPR’) and (ii) all Belgian laws regarding the implementation of the GDPR (hereafter jointly referred to as the “Privacy Legislation”).

Through this DPA Parties wish to determine in writing their mutual agreements with regard to (i) managing, securing and/or Processing of such Personal Data and (ii) Parties’ obligation to comply with the Privacy Legislation.

Note that this DPA deals only with NEXTFLUENT’s role as Processor and not as a Controller. For more information about NEXTFLUENT’s Processing of Personal Data in its capacity as a Controller, please refer to the Privacy Statement.

1. Definitions

In this DPA, the following concepts have the meaning described in this article (when written with a capital letter):

‘Agreement’, ‘Customer’, ‘Customer Account’, ‘Customer Account Data’, ‘Party’ / ‘Parties’, ‘Services’, ‘Subscription’, ‘NEXTFLUENT’, ‘Term’ and ‘Tool’ shall have the meaning given to them in the Terms of Service.

For the purpose of this DPA only, ‘Personal Customer Account Data’ shall mean all Personal Data for which the Customer is responsible as ‘Controller’ and which NEXTFLUENT expects to Process on behalf of the Customer in the context of providing its Services, a non-limitative list of which can be found in Overview I. For the avoidance of any doubt, this definition is broader than the one used in the Terms of Service, because it also includes certain Personal Data of Users. 

‘Controller’, ‘Data Subject’, ‘Data Breach’, ‘Personal Data’, ‘Processor’ and ‘Process/Processing’ shall have the meaning given to them in the Privacy Legislation. 

Integration: A software integration between the Tool and a third-party application that is enabled through the Tool’s application programming interface (“API”).

Standard Integration: An Integration which is automatically enabled when using the Services and which the Customer cannot disable during the Term.

Sub-Processor: Any Processor engaged by NEXTFLUENT and authorized under this DPA to have logical access to and Process certain Personal Customer Account Data in order to provide parts of the Services and technical support. This includes, but is not necessarily limited to, all Standard Integrations which Process Personal Customer Account Data.

This DPA includes the following overviews:

Overview I: Overview of (i) the Personal Data which Parties expect to be subject of the Processing, (ii) the categories of Data Subjects which Parties expect to be subject of the Processing, (iii) the use (i.e. the way(s) of Processing) of the Personal Data, (iv) the goals and means of such Processing and (v) the term(s) during which the (different types of) Personal Data shall be stored;

Overview II: Overview and description of the security measures taken by NEXTFLUENT under this DPA.  

2. Roles of the Parties

Parties acknowledge and agree that with regard to the Processing of Personal Customer Account Data, the Customer shall be considered ‘Controller’ and NEXTFLUENT ‘Processor’. Further, NEXTFLUENT is allowed to engage Sub-Processor(s) pursuant to the requirements set forth in Article 6.

3. Use of the Services

3.1 The Customer acknowledges explicitly that:

  • NEXTFLUENT purely acts as a facilitator of its Services. Hence, the Customer shall be solely responsible for the use it makes of the Services;
  • It shall be solely responsible to comply with all laws and regulations (such as but not limited to the retention period) imposed on it when using the Services.

3.2 In case of misuse by the Customer of the Services, the Customer agrees that NEXTFLUENT can never be held liable in this respect nor for any damage that would occur from such misuse.

3.3 The Customer therefore undertakes to safeguard NEXTFLUENT when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.

4. Object

4.1 The Customer acknowledges that as a consequence of using the Services, NEXTFLUENT shall Process Personal Customer Account Data.

4.2 NEXTFLUENT shall Process the Personal Customer Account Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.

More specifically, NEXTFLUENT shall – during the performance of the Services under the Agreement – provide all its know-how in order to perform the Services according to the rules of art, as it fits a specialized and ‘good’ Processor.

4.3 Nonetheless, NEXTFLUENT shall only Process the Personal Customer Account Data upon request of the Customer and in accordance with its instructions, as described in Overview I, unless any legislation states otherwise.

4.4 The Customer, as Controller, owns and retains full control concerning (i) the Processing of Personal Customer Account Data, (ii) the types of Personal Customer Account Data Processed, (iii) the purpose of Processing and (iv) whether such Processing is proportionate (non-limitative).

Moreover, the Customer shall be solely responsible to comply with all (legal) obligations in its capacity as Controller (such as but not limited to the retention period) and shall have the sole responsibility for the accuracy, quality and legality of the Personal Customer Account Data entered into the Tool, and for the means by which it acquired such Personal Customer Account Data. The responsibility for and control over the Personal Customer Account Data subject to this DPA shall thus never be vested in NEXTFLUENT.

5. Security of Processing

Taking into account the state of the art, NEXTFLUENT implements appropriate technical and organizational measures for the protection of (i) Personal Customer Account Data – including protection against careless, improper, unauthorized or unlawful use and/or Processing and against accidental loss, destruction or damage – and (ii) the confidentiality and integrity of Personal Customer Account Data, as set forth in Overview II.

6. Sub-Processors

6.1 The Customer acknowledges and agrees that NEXTFLUENT may engage Sub-Processors in connection with the Agreement. In such a case, NEXTFLUENT shall ensure that the Sub-Processors are at least bound by the same obligations by which NEXTFLUENT is bound under this DPA.

6.2 NEXTFLUENT undertakes to make a list of all Sub-Processors available in the Customer Account. Such a list shall include the identities of those Sub-Processors and their country of location. This list will always include all Standard Integrations which Process Personal Customer Account Data. 

The Parties agree that the providers of Optional Integrations are not Sub-Processors within the meaning of this DPA. If the Customer uses Optional Integrations to customize the Customer Account, a separate commercial relationship is established between the Customer and the provider of the Optional Integration. NEXTFLUENT does not control if and how the Customer uses these Optional Integrations, and thus NEXTFLUENT assumes no ownership of the risk in this regard. The Controller is solely responsible for these Optional Integrations. NEXTFLUENT recommends that the Customer enters into a separate data Processing agreement with the providers of the Optional Integrations it selects.

6.3 NEXTFLUENT undertakes to inform the Customer in writing of any intended change to the aforementioned list (e.g. adding or replacing a Sub-Processor). 

The Customer is entitled to oppose a new Sub-Processor.

If the Customer wishes to exercise its right to object, the Customer shall notify NEXTFLUENT in writing and in a reasoned manner at the latest within ten (10) days of receipt of NEXTFLUENT’s notice (cf. Article 6.3).

6.4 In the event the Customer objects to a new Sub-Processor and such objection is not found unreasonable, NEXTFLUENT, in consultation with the Customer, will make all reasonable efforts to resolve the Customer’s objection.

If NEXTFLUENT is, however, unable to resolve the Customer’s objection, the Customer may terminate the Agreement on the condition that:

  • The Services cannot be used by the Customer without recourse to the objected new Sub-Processor; and/or
  • Such termination solely concerns the Services which cannot be provided by NEXTFLUENT without recourse to the objected new Sub-Processor;
  • and this by providing written notice thereof to NEXTFLUENT within a reasonable time.

7. Data Protection and Security Queries

7.1 Any queries and/or questions about data protection and security should be addressed to: security@nextfluent.com

8. Transfer of Personal Customer Account Data outside the EEA

Any transfer of Personal Customer Account Data outside the EEA to a recipient whose residence or registered office does not fall under an adequacy decision issued by the European Commission shall be governed by the terms of a data transfer agreement, which shall contain (i) standard contractual clauses pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 or (ii) other mechanisms foreseen by the Privacy Legislation and/or other applicable rules concerning the Processing of Personal Data.

9. Confidentiality

9.1 NEXTFLUENT shall maintain the Personal Customer Account Data confidential and thus not disclose nor transfer any Personal Customer Account Data to third parties, without the prior written agreement of the Customer, unless:

  • In case of an explicit written deviation from this confidentiality obligation (e.g. in the Terms of Service);
  • Such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case NEXTFLUENT shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.

9.2 NEXTFLUENT shall ensure that its personnel, engaged in the performance of the Services under the Agreement, are informed of the confidential nature of the Personal Customer Account Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. NEXTFLUENT shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

9.3 NEXTFLUENT shall ensure that its access to Personal Customer Account Data is limited to such personnel performing the Services under the Agreement in accordance with the DPA.

10. Notification

10.1 NEXTFLUENT shall use its best efforts to inform the Customer within a reasonable term when it: 

  • Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Customer Account Data;
  • Has the intention to disclose Personal Customer Account Data to a competent public authority;
  • Determines or reasonably suspects that a Data Breach has occurred in relation to the Personal Customer Account Data.

10.2 In case of a Data Breach, NEXTFLUENT:

  • Notifies the Customer without undue delay after becoming aware of a Data Breach and shall provide – to the extent possible – assistance to the Customer with respect to its reporting obligation under the Privacy Legislation;
  • Undertakes – as soon as reasonably possible – to take appropriate remedial actions to put an end to the Data Breach and to prevent and/or limit any future Data Breach.

11. Rights of the Data Subjects

11.1 To the extent the Customer – in its use of the Services – does not have the ability to correct, amend, block or delete Personal Customer Account Data, as required by Privacy Legislation, NEXTFLUENT shall – to the extent it is legally permitted to do so – comply with any commercially reasonable request by the Customer to facilitate such actions. 

To the extent legally permitted, the Customer shall be responsible for any costs arising from NEXTFLUENT’s provision of such assistance.

11.2 NEXTFLUENT shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. NEXTFLUENT shall, however, not respond to any such Data Subject request without the Customer’s prior written consent, except to confirm that the request relates to the Customer, to which the Customer hereby agrees.

NEXTFLUENT shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent the Customer does not have access to such Personal Data through its use of the Services. 

To the extent legally permitted, the Customer shall be responsible for any costs arising from NEXTFLUENT’s provision of such assistance.

12. Return and deletion of Customer Account Data

12.1 NEXTFLUENT provides the Customer, as far as possible, with the option to delete Personal Data from the Customer Account during the lifetime of the Agreement. This allows the Customer to meet its own responsibilities regarding data minimization and storage limitation as a Controller.

12.2 Upon termination of the Subscription, the Customer has the possibility to export the Personal Customer Account Data (as well as other data, both personal and non-personal) from the Customer Account through the available export tools. This should be done before the Subscription ends.

12.3 Once the Subscription ends, NEXTFLUENT shall first soft delete the Personal Customer Account Data during a period of thirty (30) calendar days. Restoring the Customer Account or providing an export of the Customer Account Data during this period can only be done with the assistance of NEXTFLUENT, for which NEXTFLUENT may charge costs for the efforts made.

NEXTFLUENT shall subsequently hard delete the Personal Customer Account Data at the earliest thirty (30) days and at the latest three (3) months after the Subscription has ended. Once the Personal Customer Account Data has been hard deleted, restoring the Customer Account or providing an export of the Customer Account Data is no longer possible.

13. Control

13.1 NEXTFLUENT undertakes to provide the Customer with all information required by the Customer to allow verification whether NEXTFLUENT complies with the provisions of this DPA.

13.2 In this respect NEXTFLUENT shall allow the Customer (or a third party engaged by the Customer) to undertake inspections – such as but not limited to an audit – and shall provide the necessary assistance thereto to the Customer or that third party.

To the extent legally permitted, the Customer shall be responsible for any costs arising from NEXTFLUENT’s provision of such assistance.

In any case, inspections must be conducted during regular business hours at the applicable facility, subject to NEXTFLUENT’s policies, and may not unreasonably interfere with NEXTFLUENT’s business activities.

14. Miscellaneous

14.1 The DPA lasts as long as the Agreement has not come to an end. The provisions of this DPA shall continue to apply to the extent necessary for the completion of this DPA and to the extent intended to survive the end of this DPA (such as but not limited to Articles 9 and 15).

14.2 If one or more provisions of this DPA are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this DPA shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such an event, Parties shall negotiate to replace the invalid provision by an equivalent provision in accordance with the spirit of this DPA. If Parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.

14.3 Deviations, alterations and/or additions to this DPA shall only be valid and binding to the extent that they have been accepted in writing by both Parties.

14.4 This DPA and the corresponding rights and obligations that exist in respect of the Parties cannot be transferred, directly or indirectly, without the prior written consent of the other Party.

14.5 (Repeated) non-enforcement by a Party or by both Parties of any right or provision of this DPA can only be regarded as a toleration of a certain state of affairs and does not lead to forfeiture.

14.6 This DPA takes precedence over any other DPA between the Parties as well as over any conflicting provisions regarding the Processing of Personal Customer Account Data in other agreements or written communication between the Parties.

15. Applicable law and jurisdiction

15.1 All issues, questions and disputes concerning the validity, interpretation, enforcement, performance or termination of this DPA shall be governed by and construed in accordance with Belgian law, without giving effect to any other choice of law or conflict-of-laws rules or provisions (Belgian, foreign or international) that would cause the laws of any country other than Belgium to be applicable.

15.2 Any dispute concerning the validity, interpretation, enforcement, performance or termination of this DPA shall be submitted to the exclusive jurisdiction of the courts of NEXTFLUENT’s registered office.

Overview I – Processing of Personal Customer Account Data by NEXTFLUENT

This document contains an overview of the Personal Data NEXTFLUENT is expected to Process on behalf of the Customer in the context of the Agreement, as well as the categories of Data Subjects involved, the way(s) of Processing of Personal Data, the means and purposes of Processing and the term during which the Personal Data shall be stored.

The Customer acknowledges that the summary, as mentioned above, provides a general overview of the Personal Customer Account Data which NEXTFLUENT expects to Process in the context of the Agreement. NEXTFLUENT may also Process certain additional Personal Customer Account Data it receives from providers of Optional Integrations selected by the Customer. The Personal Customer Account Data NEXTFLUENT expects to Process as well as the purposes of Processing depend on the concrete Optional Integration. For the sake of clarity, this overview does not cover all possible situations.

I. Personal Data Processed

Personal Data of Users:

  • Signature
  • Profile picture
  • Other Personal Data, depending on the use of the Services by the Customer (e.g. uploading or providing documents which contain Personal Data; entering descriptions of free fields such as in projects, reports and user profiles which contain Personal Data; etc.)

Personal Data of third parties (e.g. business partners, clients and customers of the Customer, referred to as ‘customers’ and ‘users’ in the Tool):

  • First name
  • Last name
  • E-mail address(es)
  • Primary address
  • Language
  • Other Personal Customer Account Data, depending on the use of the Services by the Customer (e.g. adding of custom fields to enter more Personal Customer Account Data; uploading or providing documents which contain Personal Customer Account Data; entering descriptions of free fields such as in projects, reports and user profiles which contain Personal Customer Account Data; etc.)

NEXTFLUENT does not, under any circumstances, expect to collect any special categories of Personal Data as defined in the Privacy Legislation, including, but not limited to: information about the Data Subject’s health, race, political opinions, religious or other beliefs, sexual orientation, etc. The responsibility for any Processing of such sensitive data through the Customer Account and Services rests entirely with the Customer.

II. Categories of Data Subjects

  • Users;
  • Customers of the Customer;
  • Business partners of the Customer;
  • Service providers of the Customer;
  • Other Data Subjects whose Personal Data are entered into the Tool by Users.

III. The use of Personal Data, means and purposes of Processing

Use of Personal Data:

  • Make the Personal Customer Account Data readily available, editable, exportable and analyzable for the Customer in the Customer Account;
  • Store the Personal Customer Account Data in the cloud;
  • Make back-ups of the Personal Customer Account Data for disaster recovery purposes.

Means of Processing:

  • The Tool;
  • The Standard Integrations.

Purposes of Processing:

  • Adding of Personal Customer Account Data to the CRM section in order to follow up sent emails and manage contacts and companies
  • Management of Users / teams of Users
  • Creation and management of support tickets (including statistics thereof)
  • Creation and management of Campaigns 
  • Saving and collecting documents

IV. Retention period

NEXTFLUENT shall retain the Personal Customer Account Data as long as the Agreement is ongoing, unless the Customer performs or requests an earlier deletion. 

Once the Agreement has ended, NEXTFLUENT shall first soft delete any Personal Customer Account Data. NEXTFLUENT shall subsequently hard delete the Personal Customer Account Data at the earliest thirty (30) days and at the latest three (3) months after the Agreement has ended.

In some cases, NEXTFLUENT will first apply ‘soft deletion’ before permanently (hard) deleting the Personal Customer Account Data. NEXTFLUENT opts for ‘soft deletion’ in order to be able to reverse potential mistakes/errors made by the Customer and to be able to recover the Personal Customer Account Data and reactivate the Customer Account within 30 days after deactivation thereof.

Upon termination of the Agreement, NEXTFLUENT shall be entitled to retain the anonymous and anonymized Customer Account Data (or part thereof) for research, training, educational, statistical and commercial purposes.

Overview II – Description of security measures

This document describes the technical and organizational security measures implemented by NEXTFLUENT in support of its (Processing) activities, as set forth by the Privacy Legislation.

I. Access Control of Processing Areas (Physical)

Web applications, communications and database servers of NEXTFLUENT are located in secure data centers in Belgium, which are operated by Google with whom NEXTFLUENT has signed the ‘Google Cloud Data Processing Addendum’ in order to be compliant with the standards and obligations as set forth in the Privacy Legislation.

II. Access Control to Personal Data Processing Systems (Logical)

NEXTFLUENT has implemented suitable measures to prevent its Personal Customer Account Data Processing systems from being used by unauthorized persons.

This is accomplished by:

  • Establishing the identification of the terminal and/or the terminal user to the NEXTFLUENT systems;
  • Automatic time-out of the user terminal if left idle; identification and password are required to reopen it;
  • Automatic lock-out of the user ID when several erroneous passwords are entered; events are logged and logs are reviewed on a regular basis;
  • Utilizing firewall, router and VPN-based access controls to protect the private service networks and back-end servers;
  • Ad hoc monitoring of infrastructure security;
  • Regular examination of security risks by internal employees;
  • Issuing and safeguarding of identification codes;
  • Role-based access control implemented in a manner consistent with the principle of least privilege;
  • Logging of access to host servers, applications, databases, routers, switches, etc.;
  • Making use of commercial and custom tools to collect and examine the Tool and system logs for anomalies.

III. Availability Control

NEXTFLUENT leverages Google Cloud Platform (GCP) to host and operate its services, benefiting from Google’s extensive global infrastructure to ensure high availability and resilience. To safeguard Personal Customer Account Data against accidental destruction or loss, the company has implemented the following measures:

  • Utilization of Google Cloud’s Redundant Infrastructure: Data is stored and processed across multiple geographically dispersed regions and zones within Google Cloud to ensure redundancy and fault tolerance.
  • Continuous Monitoring and Optimization: The company regularly evaluates its cloud configurations, network performance, and GCP service status to optimize performance in terms of bandwidth, latency, and disaster recovery.
  • Leveraging Google Cloud’s Security and Infrastructure Features: Data is stored in Google’s secure, ISO-certified data centers that are physically protected, equipped with redundant power supplies, and have robust infrastructure redundancy.
  • Service Level Agreements (SLAs): The company relies on Google Cloud’s SLA commitments to ensure a high level of uptime and availability for its services.
  • Rapid Failover and Disaster Recovery Capabilities: Google Cloud’s built-in failover and replication features enable quick recovery in the event of a service disruption, supported by the company’s own disaster recovery plans.
  • Additional Customer-Specific Measures: The company may implement supplementary backup and recovery procedures, such as regular data snapshots and automated backups, to further enhance data availability and resilience.

IV. Transmission Control

NEXTFLUENT has implemented suitable measures to prevent Personal Customer Account Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.

This is accomplished by:

  • Use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
  • Personal Customer Account Data is encrypted during transmission using up-to-date versions of TLS or other security protocols using strong encryption algorithms and keys;
  • Protecting web-based access to account management interfaces by employees through encrypted TLS;
  • End-to-end encryption of screen sharing for remote access, support, or real time communication.

V. Input Control

NEXTFLUENT has implemented suitable measures to ensure that it is possible to check and establish whether and by whom Personal Customer Account Data have been input into Personal Data Processing systems or removed.

This is accomplished by:

  • Authentication of the authorized personnel;
  • Protective measures for Personal Customer Account Data input into memory, as well as for the reading, alteration and deletion of stored Personal Customer Account Data, including by documenting or logging material changes to account data or account settings;
  • Segregation and protection of all stored Personal Customer Account Data via database schemas, logical access controls, and/or encryption;
  • Utilization of user identification credentials;
  • Physical security of Google data processing facilities;
  • Session timeouts.

VI. Monitoring

NEXTFLUENT does not access Personal Customer Account Data, except:

  • To provide the required Services under the Agreement; 
  • To do security checks;
  • To provide assistance to the Customer; 
  • To do usage research and statistical analysis;
  • As required by law; or 
  • Upon request of the Customer.

This is accomplished by:

  • Individual appointment of system administrators;
  • A strict access control policy which provides for access rights in proportion to the employee’s role;
  • Adoption of suitable measures to register system administrators’ access logs to the infrastructure.