Data Processing Agreement

This Data Processing Agreement (hereinafter: the “Data Processing Agreement”) forms part of the Agreement with the Customer, in addition to the General Terms and Conditions and the Software Licence of Chapps.

Considerations

In the context of providing the Services to the Customer, Chapps will have access to Personal Data and/or will otherwise need to process such Personal Data, for which the Customer is responsible as the “Controller” within the meaning of the General Data Protection Regulation of 27 April 2016 (the Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, or the “GDPR”).

By means of this Data Processing Agreement, the Parties wish to set out in writing their mutual agreements regarding (i) the management, security and/or Processing of such Personal Data and (ii) the Parties’ obligation to comply with the Privacy Legislation.

Please note that this Data Processing Agreement only concerns the role of Chapps as Processor and not as Controller. For more information on Chapps’ processing of Personal Data (of its customers) in its capacity as Controller, we refer to our Privacy Policy.

THEREFORE, THE PARTIES HAVE AGREED AS FOLLOWS

1 DEFINITIONS

In this Data Processing Agreement, the following terms (when capitalised) shall have the meanings set out in this article.

“Agreement”, “Customer”, “Customer Account”, “Customer Data”, “Party/Parties”, “Services”, “Software Licence”, “Chapps”, “Chapps Apps” and “Chapps Software” have the meaning ascribed to them in the General Terms and Conditions and the Software Licence.

For the sole purpose of this Data Processing Agreement, “Customer Personal Data” means all Personal Data for which the Customer acts as the “Controller” and which Chapps expects to process on behalf of the Customer in the context of providing its Services, a non-exhaustive list of which can be found in Schedule I. For the avoidance of doubt, this definition is broader than the one used in the Service Terms.

“Controller”, “Data Subject”, “Data Breach”, “Personal Data”, “Processor” and “Process/Processing” have the meaning ascribed to them in the GDPR.

Integration: A software integration between the Chapps Software and a third-party application enabled through the API (application programming interface) of the Chapps Software.

Optional Integration: an Integration that the Customer selects and activates at its own initiative and which can be deactivated by the Customer during the Term.

Standard Integration: an Integration that is automatically activated when using the Services and which cannot be deactivated by the Customer during the Term.

Sub-processor: any Processor engaged and authorised by Chapps under this Data Processing Agreement because it requires logical access to certain Customer Personal Data and must process such data in order to provide components of the Services and technical support. This includes, but is not necessarily limited to, all Standard Integrations that process Customer Personal Data.

This Data Processing Agreement includes the following schedules:

  • Schedule I:
    Overview of (i) the Personal Data the Parties expect to be processed, (ii) the categories of Data Subjects whose Personal Data the Parties expect to be processed, (iii) the use (i.e. the method(s) of Processing) of the Personal Data, (iv) the purposes and means of such Processing, and (v) the period(s) during which the (various types of) Personal Data will be stored.
  • Schedule II:
    Overview and description of the security measures implemented by Chapps in the context of this Data Processing Agreement.
  • Schedule III:
    List of Chapps’ sub-processors.

2 CAPACITY OF THE PARTIES

The Parties acknowledge and agree that, with regard to the Processing of Customer Personal Data, the Customer is considered the “Controller” and Chapps the “Processor”. Chapps may also engage one or more Sub-processors in accordance with the requirements set out in Article 6.

3 USE OF SERVICES

3.1 The Customer expressly acknowledges that:

  • Chapps acts solely as a facilitator of its Services. The Customer is therefore solely responsible for the use it makes of the Services;
  • The Customer is solely responsible for complying with all laws and regulations (including but not limited to retention periods) that apply to it when using the Services.

3.2 In case of misuse of the Services by the Customer, the Customer agrees that Chapps can never be held liable in this respect, nor for any damage arising from such misuse.

3.3 The Customer therefore undertakes to indemnify Chapps in the event such misuse occurs, as well as for any claim by a Data Subject and/or third party resulting from such infringement.

4 SUBJECT MATTER

4.1 The Customer acknowledges that as a result of the use of the Services, Chapps will process Customer Personal Data.

4.2 Chapps shall Process the Customer Personal Data in a proper and careful manner and in accordance with the Privacy Legislation and other applicable regulations on the Processing of Personal Data. In particular, Chapps shall, when performing the Services under the Agreement, make all its expertise available to perform the Services professionally and diligently, as may be expected from a specialised and reliable processor.

4.3 Notwithstanding the foregoing, Chapps shall only process the Customer Personal Data upon request of the Customer and in accordance with its instructions, as described in Schedule I, unless otherwise required by law.

The Customer, as Controller, is the owner of and retains full control over (i) the Processing of Customer Personal Data, (ii) the types of Customer Personal Data, (iii) the purpose of the Processing, and (iv) whether such Processing is proportionate (non-exhaustively).

Furthermore, the Customer is solely responsible for complying with all (legal) obligations in its capacity as Controller (including but not limited to retention periods) and is solely responsible for the accuracy, quality and legality of the Customer Personal Data entered into the Chapps Software and the manner in which the Customer Personal Data was obtained. Responsibility and control in relation to the Customer Personal Data under this Data Processing Agreement therefore never rest with Chapps.

5 SECURITY MEASURES

Taking into account the state of the art, Chapps implements appropriate technical and organisational measures to protect (i) the Customer Personal Data—including protection against careless, improper, unauthorised or unlawful use and/or Processing, and against accidental loss, destruction or damage—and (ii) the confidentiality and integrity of the Customer Personal Data, as set out in Schedule II.

6 SUB-PROCESSORS

6.1 The Customer acknowledges and agrees that Chapps may engage other Sub-processors under the Agreement. In such case, Chapps will ensure that the Sub-processors are bound by obligations at least equivalent to those to which Chapps is bound under this Data Processing Agreement.

6.2 The list of all Sub-processors is provided in Schedule II. This list will include the identity and country of establishment of such Sub-processors. It will always include all Standard Integrations that process Customer Personal Data. The Parties agree that the providers of Optional Integrations are not Sub-processors within the meaning of this Data Processing Agreement. If the Customer uses Optional Integrations to personalise the Customer Account, a separate commercial relationship is established between the Customer and the provider of the Optional Integration. Chapps does not verify whether and how the Customer uses these Optional Integrations and bears no risk in this regard. The Controller is solely responsible for these Optional Integrations. Chapps recommends that the Customer concludes a separate data processing agreement with the providers of the Optional Integrations it selects.

6.3 Chapps undertakes to inform the Customer in writing of any intended changes to the list (e.g. if it adds or replaces a Sub-processor).
The Customer has the right to object to a new Sub-processor.
If the Customer wishes to exercise its right to object, it must notify Chapps in writing and provide justified grounds for the objection within ten (10) days following receipt of Chapps’ notice (cf. Article 6.3).

6.4 If the Customer objects to a new Sub-processor and the objection is not considered unreasonable, Chapps will use reasonable efforts to resolve the Customer’s objection in consultation with the Customer.
However, if Chapps fails to resolve the objection, the Customer may terminate the Agreement, provided that:

  • the Customer cannot use the Services without relying on the Sub-processor in question; and/or
  • the termination concerns only those Services that Chapps cannot provide without relying on the Sub-processor in question;

and by notifying Chapps of this in writing within a reasonable period.

7 DATA PROTECTION OFFICER

7.1 Chapps has appointed a Data Protection Officer (DPO).

7.2 This Data Protection Officer can be contacted at privacy@chapps.com.

8 TRANSFER OF CUSTOMER PERSONAL DATA OUTSIDE THE EEA

Any transfer of Customer Personal Data outside the EEA to a recipient whose domicile or registered office is not covered by an adequacy decision of the European Commission shall be governed by the conditions of a data transfer agreement which (i) contains standard contractual clauses in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or (ii) other mechanisms provided under the Privacy Legislation and/or other applicable rules relating to the Processing of Personal Data.

9 CONFIDENTIALITY

9.1 Chapps will treat the Customer Personal Data confidentially and will not disclose or transfer any Customer Personal Data to third parties without the Customer’s prior written consent, unless:

  • In case of an explicit written deviation from this confidentiality obligation;
  • The disclosure is required by law or by a judicial or governmental order (of any kind). In such case, Chapps will discuss the scope and method of disclosure with the Customer.

9.2 Chapps will ensure that its personnel involved in the performance of the Services under the Agreement are aware of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities and have signed a written confidentiality agreement. Chapps will ensure that this confidentiality obligation remains in force after the termination of their employment.

9.3 Chapps will ensure that access to Customer Personal Data is restricted to personnel who provide the Services under the Agreement pursuant to the Data Processing Agreement.

10 NOTIFICATION

10.1 Chapps will use its best efforts to inform the Customer within a reasonable period when it:

  • Receives a request for information, summons or request for inspection or audit from the competent authority regarding the Processing of Customer Personal Data;
  • Intends to disclose Customer Personal Data to a competent authority;
  • Detects or reasonably suspects a Data Breach concerning the Customer Personal Data.

10.2 In the event of a Data Breach, Chapps undertakes to:

  • Notify the Customer without undue delay after identifying the Data Breach, and provide assistance to the Customer, as far as reasonably possible, regarding its reporting obligations under the Privacy Legislation;
  • Take appropriate and corrective measures as soon as reasonably possible to end the Data Breach and prevent and/or limit any future Data Breach.

11 RIGHTS OF DATA SUBJECTS

11.1 If the Customer—when using the Services—does not have the ability to correct, modify, block or delete Customer Personal Data as required by the Privacy Legislation, Chapps will—where legally permitted—comply with any commercially reasonable request from the Customer to facilitate such operations.
Where legally permitted, the Customer shall be responsible for all costs arising from such assistance by Chapps.

11.2 Chapps will, where legally permitted, promptly notify the Customer when it receives a request from a Data Subject concerning the access, correction, modification or deletion of the Data Subject’s Personal Data. Chapps will not respond to such a request without the Customer’s prior written consent, except to confirm that the request concerns the Customer, with which the Customer hereby agrees.

Chapps will provide commercially reasonable cooperation and assistance to the Customer in relation to handling a Data Subject’s request for access to their Personal Data, where legally permitted and where the Customer does not have access to such Personal Data through its use of the Services.
Where legally permitted, the Customer shall be responsible for all costs arising from such assistance by Chapps.

12 RETURN AND DELETION OF CUSTOMER PERSONAL DATA

12.1 Chapps offers the Customer, as far as possible, the ability to delete Personal Data from the Customer Account during the term of the Agreement. This enables the Customer to fulfil its responsibilities regarding data minimisation and storage limitation as Controller.

12.2 Upon termination of the Software Licence, the Customer has the opportunity to export the Customer Personal Data (as well as any other data, personal or non-personal) from the Customer Account upon request and subject to a fee for the services required for this export. This must be done before the end of the Software Licence. Once the Software Licence ends, Chapps will first perform a “soft deletion” of the Customer Personal Data for a period of thirty (30) calendar days. During this period, it is only possible to restore the Customer Account or provide an export of the Customer Data with Chapps’ intervention. Chapps may charge costs for this.

Subsequently, thirty (30) days after the end of the Software Licence, Chapps will delete the Customer Personal Data permanently (“hard deletion”). After a hard deletion, it is no longer possible to restore the Customer Account or provide an export of the Customer Data.

13 AUDIT

13.1 Chapps undertakes to provide the Customer with all information necessary to verify that Chapps complies with the provisions of this Data Processing Agreement.

13.2 In this respect, Chapps will allow the Customer (or a third party engaged by the Customer) to carry out inspections—including audits—and provide the necessary cooperation. Where legally permitted, the Customer shall be responsible for all costs arising from such assistance by Chapps. In all cases, the inspections must be carried out during normal business hours at the relevant facility, in accordance with Chapps’ policies, and must not unreasonably hinder Chapps’ business operations.

14 MISCELLANEOUS PROVISIONS

14.1 This Data Processing Agreement remains in force as long as the Agreement is in effect. The provisions of this Data Processing Agreement apply insofar as necessary for its completion and to the extent intended to remain in force after its termination (including but not limited to Articles 9 and 15).

14.2 If one or more provisions of this Data Processing Agreement are found to be wholly or partially invalid, unlawful or unenforceable, the remainder of that provision and of this Data Processing Agreement shall remain fully in force as if no invalid, unlawful or unenforceable provision had been included. Furthermore, if applicable, the Parties shall negotiate to replace the invalid provision with an equivalent clause consistent with the spirit of this Data Processing Agreement. If the Parties cannot reach an agreement, the competent court may moderate the invalid provision to what is (legally) permitted.

14.3 Deviations, amendments and/or supplements to this Data Processing Agreement are only valid and binding insofar as they are accepted in writing by both Parties. The Parties may not directly or indirectly transfer this Data Processing Agreement or the corresponding rights and obligations existing between them without the prior written consent of the other Party.

14.5 Repeated failure by a Party or both Parties to enforce any right or provision of this Data Processing Agreement shall only be considered as a tolerance of a particular situation and shall not constitute a waiver.

14.6 This Data Processing Agreement prevails over any other data processing agreement between the Parties and over any conflicting provisions relating to the Processing of Customer Personal Data in other agreements or written communications between the Parties.

15 APPLICABLE LAW AND JURISDICTION

All issues, questions and disputes regarding the validity, interpretation, enforcement, performance or termination of this Data Processing Agreement shall be governed by and interpreted in accordance with Belgian law, without giving effect to any choice of law or conflict of law rules or provisions (Belgian, foreign or international) that would result in the application of the laws of any jurisdiction other than Belgium.

15.1 All disputes regarding the validity, interpretation, enforcement, performance or termination of this Data Processing Agreement shall be exclusively submitted to the courts of the jurisdiction in which Chapps’ registered office is located.

SCHEDULE I:

Processing of Personal Data by Chapps

This document contains an overview of the Personal Data that Chapps must process on behalf of the Customer under the Agreement, as well as the relevant categories of Data Subjects, the method(s) of Processing Personal Data, the means and purposes of Processing, and the retention period of the Personal Data.

  1. Processed Personal Data

a) User Personal Data:
  • First name
  • Last name
  • Email address
  • Telephone number
  • User role
  • Profile picture
  • Signature
  • Other personal data, depending on the Customer’s use of the Services (for example, uploading documents containing Personal Data; entering descriptions in free fields containing Personal Data).

b) Personal Data of third parties (e.g. customers, prospects, business partners, customers of the Customer):

  • First name
  • Last name
  • Email address(es)
  • Telephone number(s)
  • Fax number(s)
  • Address(es)
  • Gender
  • Language
  • Date of birth
  • Place of birth
  • National register number (Belgium)
  • ID card number
  • IBAN and BIC
  • Image
  • Other Customer Personal Data, depending on the Customer’s use of the Services (for example, adding custom fields to enter more Customer Personal Data, entering descriptions in free fields containing Customer Personal Data).

Chapps does not expect under any circumstances to collect special categories of Personal Data as defined in the Privacy Legislation, including but not limited to: information about the Data Subject’s health, race, political opinions, religious or other beliefs, sexual orientation, etc. The Customer is fully responsible for any Processing of such sensitive data through the Customer Account and the Services.

  2. Categories of Data Subjects
  • Users
  • Customers of the Customer
  • Service providers of the Customer
  • Business partners of the Customer
  • Other Data Subjects whose Personal Data is entered into the Chapps Software by the User.

  3. Use of Personal Data, Means and Purposes of Processing

Use of Personal Data:

  • Making Customer Personal Data easily available, editable, exportable and analysable in the Customer Account;
  • Storing Customer Personal Data in the cloud;
  • Creating back-ups of Customer Personal Data for disaster recovery purposes.

Means of Processing:

  • The Chapps Software;
  • The Standard Integrations.

Purposes of Processing:

  • Adding Customer Personal Data for follow-up
  • Follow-up in the context of the Customer’s property management
  • Drafting inspection reports by the Customer
  • Drafting documents by the Customer
  • Follow-up of rental files
  • Creating and managing notifications by Customers of the Customer
  • Storing and keeping documents
  • Scheduling and tracking appointments

  4. Retention period

Chapps retains the Customer Personal Data for as long as the Agreement is in effect, unless the Customer deletes or requests earlier deletion.

If the Agreement is terminated, Chapps will first soft delete all Customer Personal Data. Subsequently, no earlier than thirty (30) and no later than three (3) months after termination of the Agreement, Chapps will permanently delete the Customer Personal Data (“hard deletion”).

In some cases, Chapps will first apply soft deletion before permanently deleting the Customer Personal Data. Chapps chooses soft deletion to allow the reversal of potential errors by the Customer and to enable restoration of the Customer Personal Data and reactivation of the Customer Account within 30 days after deactivation.

After termination of the Agreement, Chapps is entitled to retain anonymous and anonymised Customer Data (or parts thereof) for research, training, educational, statistical or commercial purposes.

SCHEDULE II:

Security of Personal Data by Chapps

This document contains the technical and organisational security measures implemented by Chapps to support its (Processing) activities as required by the Privacy Legislation.

  1. (Physical) access control to processing infrastructure

The servers for apps, web applications, communications, media storage and databases of Chapps are located in secure data centres in Belgium, managed by Accenture, with whom Chapps has signed a Data Processing Agreement to comply with the standards and requirements of the Privacy Legislation.

  2. (Logical) access control to systems for the Processing of Personal Data

Chapps has implemented appropriate measures to prevent its systems for the Processing of Personal Data from being used by unauthorised persons.

This is achieved through:

  • Identification of the terminal and/or terminal user of Chapps’ systems;
  • Automatic shutdown of the user terminal when not in use. Identification and password are required to regain access;
  • Automatic user lockout after multiple incorrect password attempts. Events are logged and regularly checked;
  • Access control through firewall, router and VPN to protect private networks and back-end servers;
  • Ad-hoc infrastructure security reviews;
  • Regular security risk assessments by internal staff and external auditors;
  • Providing and securely storing identification codes;
  • Role-based access control according to the principle of granting only strictly necessary rights;
  • Logging access to host servers, applications, databases, routers, switches, etc.;
  • Using commercial and customised tools to collect and examine Chapps Software and system logs for anomalies.

  3. Availability control

Chapps has implemented appropriate measures to ensure that Customer Personal Data is protected against accidental destruction or loss.

This is achieved through:

  • Redundant infrastructure;
  • Constant evaluation of data centres and ISPs to optimise bandwidth, latency and disaster recovery isolation for its customers;
  • Hosting data centres in secure, carrier-neutral shared facilities with physical security, redundant power supply and redundant infrastructure;
  • Service Level Agreements with ISPs to guarantee maximum availability;
  • Rapid switching in case of issues.

  4. Transmission control

Chapps has implemented appropriate measures to prevent unauthorised persons from reading, copying, modifying or deleting Customer Personal Data during transmission or during transport of data carriers.

This is achieved through:

  • Use of suitable firewall and encryption technologies to protect the ports and channels through which data is transferred;
  • Encrypting Customer Personal Data during transmission using current versions of TLS or other security protocols employing strong encryption algorithms and keys;
  • Protecting internet access to account management interfaces for employees via encrypted TLS;
  • End-to-end encryption of shared screens for remote access, support or real-time communication.

  5. Input control

Chapps has implemented appropriate measures to ensure that it is possible to verify whether and by whom Customer Personal Data has been entered or deleted in systems for the Processing of Personal Data.

This is achieved through:

  • Authentication of authorised employees;
  • Protection measures for entering Customer Personal Data into memory and for reading, modifying and deleting stored Customer Personal Data, including documenting or recording significant changes to account data or settings;
  • Separation and protection of all stored Customer Personal Data through database schemas, logical access controls and/or encryption;
  • Use of credentials to identify users;
  • Physical security of the location where data processing takes place;
  • Session time-outs.

  6. Control and monitoring

Chapps does not access Customer Personal Data except:

  • To provide the necessary Services under the Agreement;
  • To carry out security checks;
  • To assist the Customer;
  • To conduct usage research and statistical analysis;
  • As required by law;
  • Or upon request of the Customer.

This is achieved through:

  • Individual assignment of system administrators;
  • A strict access management policy providing access rights proportionate to the employee’s function;
  • Taking appropriate measures to log system administrator access to the infrastructure.

SCHEDULE III:

Sub-processors

Below is a list of Sub-processors trusted by Chapps NV. They have been carefully selected to ensure they meet the high standards for processing your data.

Legal entity – Purpose – Hosting location – Address

Accenture NV – Cloud infrastructure: hosting and data storage – Belgium – EU – Picardstraat 11 bus 100, 1000 Brussels, Belgium

Teamleader NV – Customer management, invoicing and payments – Ireland – EU – Dok Noord 3A / 101, 9000 Ghent, Belgium

Freshworks Inc. – Support tickets, Support Center website – EU – 2950 S. Delaware Street, Suite 201, San Mateo CA 94403, United States

Hubspot Ireland Limited – Processing leads, CRM, marketing activities, communication, online appointments, sales follow-up – Ireland – EU – One Sir John Rogerson’s Quay, Dublin 2, Ireland

Aareon Deutschland GmbH – API integration with data exchange between the Chapps Software and the Aareon ERP software systems – Germany – EU – Isaac-Fulda-Allee 6, 55124 Mainz, Germany

UTS innovative Softwaresysteme GmbH – API integration with data exchange between the Chapps Software and the KARTHAGO ERP software – Germany – EU – Richmodstraße 6, 50667 Cologne, Germany

Thurnherr SA – API integration with data exchange between the Chapps Software and the immob10 software – Switzerland – Morgenstraße 121, P.O. Box 753, 3018 Bern, Switzerland

Informant Software B.V. – API integration with data exchange between the Chapps Software and the Informant software – Netherlands – EU – Kwaklaan 9, 2291 AT Wateringen, Netherlands

Pararius B.V. – API integration with data exchange between the Chapps Software and the Pararius software – Netherlands – EU – Blaak 555, 3011 GB Rotterdam, Netherlands

Vlaams Energiebedrijf NV – Exchange of energy meter readings via a REST API with the VEB back office – Belgium – EU – Havenlaan 88, 1000 Brussels