Data Processing Agreement

This document is an annex to the Terms and Conditions

This data processing annex (the “Data Processing Annex”) describes specific terms in respect of the processing of Personal Data (as defined hereafter) by Settlefin in connection with the provision of the Software Service to the Customer under this Agreement, the terms of which are incorporated herein by reference (the “Services”). In the event of a conflict between this Agreement and any provision of this Data Processing Annex, the latter shall govern. Capitalized terms not otherwise defined herein shall have the meaning specified in this Agreement.


1. Definitions and interpretation


1.1. Definitions

For the purpose of this Data Processing Annex, the following terms shall have the following meaning:

“Contact Person” means the individual(s) assigned by a Party and communicated to the other Party as point of contact and representing the Party for (a part of) the Services;

“Data Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data. In this Agreement and its execution, the Customer is the Data Controller;

“Data Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller. In this Agreement and its execution, Settlefin is the Data Processor;

“Data Protection Legislation” means the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”), together with the codes of practice, codes of conduct, regulatory guidance, standard clauses and other related legislation resulting from such Regulation, as updated from time to time, as well as any implementing or supplementary legislation, including any other applicable data protection or privacy legislation;

“Data Subject” means an identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The relevant categories of Data Subjects are identified in Schedule 1;

“Personal Data” means any information relating to a Data Subject. The relevant categories of Personal Data that are provided to Settlefin by, or on behalf of, the Customer are identified in Schedule 1;

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services;

“Processing”, “Process(es)” or “Processed” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Services” has the meaning set forth in the preamble of this Data Processing Annex;

“Standard Contractual Clauses” means the standard contractual clauses (as amended from time to time) adopted by the European Commission as offering sufficient safeguards for transfers of personal data to a third country, whether under Article 46(2)(c) of Regulation (EU) 2016/679 or, previously, under Article 26(4) of Directive 95/46/EC, or the data protection clauses adopted by a supervisory authority and approved by the European Commission in accordance with the examination procedure referred to in Article 93(2) of Regulation (EU) 2016/679. Where such clauses have been adopted in accordance with Regulation (EU) 2016/679, they shall prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they are intended to cover the same kind of data transfer relationship;

“Sub-processor” means any subcontractor engaged by Settlefin to perform a part of the Services and who agrees to receive Personal Data intended for Processing on behalf of the Customer in accordance with the Customer’s instructions and in connection with and for the purpose of the provision of the Services;

“Terms and Conditions” means the sales terms and conditions of Settlefin applicable to all contracts relating to the use of the Services (including any quotation submitted by Settlefin to the Customer in relation to the provision of the Services), which have been accepted by the Customer.


1.2. Interpretation

In case of any doubt or differences between this Data Processing Annex and the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.


2. Specification of the Data Processing

2.1. Any Processing of Personal Data in connection with and for the purpose of the Services shall be performed in accordance with the applicable Data Protection Legislation.

2.2. For the performance of the Services, Settlefin is a Data Processor acting on behalf of the Customer, who is the Data Controller.

2.3. As a Data Processor, Settlefin will only act upon the Customer’s written instructions. This Agreement is the Customer’s complete instruction to Settlefin with regard to the Processing of Personal Data. Any additional or alternate instructions must be jointly agreed by the Parties in writing. The following is deemed an instruction by the Customer to Process Personal Data: (1) Processing in connection with and for the purpose of the Services and (2) Processing initiated by the Customer’s users in their use of the Services.

2.4. Settlefin shall immediately inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation.

2.5. A more detailed description of the subject matter of the Processing of Personal Data in terms of the concerned categories of Personal Data and of Data Subjects (envisaged Processing of Personal Data) is contained in Schedule 1 to this Data Processing Annex.


3. Data Subjects’ Rights

3.1. With regard to the protection of Data Subjects’ rights pursuant to the applicable Data Protection Legislation, the Customer shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

3.2. Should a Data Subject directly contact Settlefin wanting to exercise his individual rights such as requesting a copy, correction or deletion of his Personal Data or wanting to restrict or object to the Processing activities, Settlefin shall inform the Customer of such request within five (5) business days and provide the Customer with full details thereof, together with a copy of the Personal Data held by it in relation to the Data Subject where relevant. Settlefin shall promptly direct such Data Subject to the Customer. In support of the above, Settlefin may provide the Customer’s basic contact information to the requestor. The Customer agrees to answer to and comply with any such request of a Data Subject in line with the provisions of the applicable Data Protection Legislation.

3.3. Insofar as this is possible, Settlefin shall cooperate with and assist the Customer by appropriate technical and organizational measures for the fulfilment of the Customer’s obligation to respond to requests from Data Subjects exercising their rights.


4. Consultation and Correction of Personal Data

4.1. Settlefin will provide the Customer, in its role of Data Controller, with access to Personal Data Processed for the purpose of the provision of the Services in order to allow the Customer to consult and correct such Personal Data.


5. Disclosure

5.1. Settlefin will not disclose Personal Data to any third party, except (1) as the Customer directs, (2) as stipulated in any agreement entered into between the Parties in connection with and for the purpose of the Services, (3) as required for Processing by approved Sub-processors in accordance with article 8, or (4) as required by law, in which case Settlefin shall inform the Customer of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest.

5.2. Settlefin represents and warrants that persons acting on behalf of Settlefin and who are authorized to Process Personal Data or to support and manage the systems that Process Personal Data (i) have committed themselves to maintain the security and confidentiality of Personal Data in accordance with the provisions of this Data Processing Annex, (ii) are subject to user authentication and log on processes when accessing the Personal Data and (iii) are adequately informed of the requirements under Data Protection Legislation. Settlefin shall inform the persons acting on its behalf about the applicable requirements and ensure their compliance with such requirements through contractual or statutory confidentiality obligations.


6. Deletion and Return of Personal Data

6.1. At the latest within thirty (30) calendar days upon termination of the Services, Settlefin shall, at the choice of the Customer, either securely sanitize or destroy any Personal Data that it stores, in a way that ensures that all Personal Data is deleted and unrecoverable, or return all Personal Data to the Customer. All existing copies will be deleted by Settlefin. Data used to verify proper data processing in compliance with the assignment, and data that needs to be kept to comply with relevant legal and regulatory retention requirements, may be kept by Settlefin beyond termination or expiry of the Services only as long as required by such laws or regulations.

6.2. Upon a written request submitted by the Customer no later than five (5) calendar days prior to termination of the Services, Settlefin will provide the Customer with a readable and usable copy of the Personal Data and/or the systems containing Personal Data prior to sanitization or destruction.


7. Location of Processing

7.1. Settlefin will store Personal Data at rest within the territory of the European Union.

7.2. Any Processing of Personal Data by Settlefin personnel or subcontractors located outside the European Union, or outside a country for which the European Commission has issued an adequacy decision, may be undertaken only following prior written approval of the Customer and the execution of one of the then legally recognized data transfer mechanisms, such as an additional data processing agreement governed by the Standard Contractual Clauses.


8. Use of Sub-processors

8.1. The Customer acknowledges and expressly agrees that Settlefin may use third party Sub-processors for the provision of the Services.

8.2. Any such Sub-processor that provides services to Settlefin and in doing so Processes Personal Data will be permitted to Process Personal Data only to deliver the services Settlefin has entrusted to it and will be prohibited from Processing such Personal Data for any other purpose. Settlefin remains fully responsible for any such Sub-processor’s compliance with Settlefin's obligations under this Agreement. Settlefin shall, prior to entrusting services to such Sub-processor, carry out reasonable due diligence on such Sub-processor to assess whether it is capable of providing the level of protection for the Personal Data required by this Agreement, and shall provide evidence of such due diligence to the Customer where requested by the Customer or a regulator.

8.3. Settlefin will enter into written agreements with any such Sub-processor which contain obligations no less protective than those contained in this Agreement, including the obligations imposed by the Standard Contractual Clauses, as applicable.

8.4. Settlefin shall make available to the Customer the current list of Sub-processors for the Services identified in Schedule 2 to this Data Processing Annex. Such Sub-processors list shall include the identities of those Sub-processors and their country of location. Settlefin shall provide the Customer with a notification of a new Sub-processor before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services under this Agreement.

8.5. If the Customer objects to the use of a new Sub-processor that will be Processing the Customer’s Personal Data, the Customer shall notify Settlefin in writing within twenty-one (21) calendar days after receipt of Settlefin's notification under article 8.4. In such a case, Settlefin will use reasonable efforts to change the affected Services or to recommend a commercially reasonable change to the Customer’s use of the affected Services to avoid the Processing of Personal Data by the Sub-processor concerned. If Settlefin is unable to make available or propose such a change within sixty (60) calendar days, the Customer may terminate the Services. To that end, the Customer shall provide written notice of termination that includes the reasonable motivation for non-approval.


9. Technical and Organizational Measures

9.1. Settlefin has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction, and, as appropriate, the technical and organizational measures described in art. 32 GDPR. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of Processing and risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data. These measures shall include the following measures:

(i) the prevention of unauthorized persons from gaining access to systems Processing Personal Data (physical access control);
(ii) the prevention of systems Processing Personal Data from being used without authorization (logical access control);
(iii) ensuring that persons entitled to use a system Processing Personal Data gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
(iv) ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
(v) ensuring the establishment of an audit trail to document whether and by whom Personal Data has been entered into, modified in, or removed from systems Processing Personal Data (entry control);
(vi) ensuring that Personal Data is solely Processed in accordance with the Customer’s written instructions (control of instructions);
(vii) ensuring that Personal Data is protected against accidental destruction or loss (availability control); and
(viii) ensuring that Personal Data collected for different purposes can be processed separately (separation control).

9.2. The present technical and organizational measures are described in Schedule 3 to this Data Processing Annex. Settlefin shall systematically adapt these measures to the development of regulations, technology and other relevant aspects, and supplement them with the applicable technical and organizational measures of Sub-processors, as the case may be. In any event, the implemented technical and organizational measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, taking also into account the state of technology and the cost of their implementation.

9.3. Upon the Customer’s request, Settlefin must provide the Customer, within fourteen (14) calendar days of receipt by Settlefin of the Customer's request, with an updated description of the implemented technical and organizational protection measures.


10. Personal Data Breaches

10.1. In the event of a (likely or known) Personal Data Breach and irrespective of its cause, Settlefin shall notify the Customer without undue delay and at the latest within forty-eight (48) hours after having become aware of (the likelihood or occurrence of) such Personal Data Breach, providing the Customer with sufficient information and in a timescale, which allows the Customer to meet any obligations to report a Personal Data Breach under the Data Protection Legislation. Such notification shall as a minimum specify:

(i) the nature of the Personal Data Breach;
(ii) the nature or type of Personal Data implicated in the Personal Data Breach, as well as the categories and numbers of Data Subjects concerned;
(iii) the likely consequences of the Personal Data Breach;
(iv) as the case may be, the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
(v) the identity and contact details of the Data Protection Officer or another Contact Person from whom more information can be obtained.

10.2. Settlefin shall without undue delay further investigate the Personal Data Breach and shall keep the Customer informed of the progress of the investigation and take reasonable steps to further minimize its impact. Both Parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.

10.3. A Party’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that Party of any fault or liability with respect to the Personal Data Breach.


11. Data Protection Impact Assessment and Prior Consultation

11.1. Settlefin shall use commercially reasonable efforts to assist the Customer with any data protection impact assessments required in virtue of article 35 GDPR and with any prior consultations of the Customer’s supervisory authority, as required in virtue of article 36 GDPR, in both instances regarding the Processing of Personal Data by Settlefin on behalf of the Customer in connection with the Services.


12. Other Responsibilities

12.1. The Customer shall comply with all applicable laws and regulations, including the Data Protection Legislation.

12.2. The Customer remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of his or her Personal Data.

12.3. The Customer shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.

12.4. With regard to components that the Customer provides or controls, including but not limited to workstations connecting to Services, data transfer mechanisms used, and credentials issued to the Customer’s personnel, the Customer shall implement and maintain the required technical and organizational measures for protection of Personal Data.


13. Notifications

13.1. Settlefin shall cooperate as requested by the Customer to enable the Customer to comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, which shall include the provision of:
(i) all data requested by the Customer (which is not otherwise available to the Customer) within the reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to the relevant Data Subject(s); and
(ii) where applicable, providing such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the Data Protection Legislation statutory timescales.

13.2. Any notification under this Agreement, including a Personal Data Breach notification, will be delivered to one or more of the Customer’s Contact Persons via email possibly supplemented by any other means Settlefin selects. Upon request of the Customer, Settlefin shall provide the Customer with an overview of the contact information of the registered Customer’s Contact Persons. It is the Customer's sole responsibility to timely report any changes in contact information and to ensure the Customer’s Contact Persons maintain accurate contact information.


14. Term and Termination

14.1. The Data Processing Annex enters into force on the Effective Date of this Agreement and remains in force until Processing of Personal Data by Settlefin is no longer required in the framework of or pursuant to the provision of the Services.

14.2. The Data Processing Annex cannot be rescinded or terminated separately from this Agreement.


Schedules


Schedule 1: Details of the Personal Data Processing

1. Data Subjects

End users of the Services provided by Settlefin to the Customer (“End Users”). Optionally, natural persons that are party to or signatory of, or otherwise referred to in, a document that is included in the data and content made available by the Customer to Settlefin in the framework of or pursuant to the provision of the Services (“Content Data Subjects”).

2. Categories of Personal Data

Settlefin shall Process (a subset of) the following categories of Personal Data from End Users:

  • Email address

  • First name

  • Last name

The following optional Personal Data from End Users may be Processed by Settlefin (only if and insofar the Customer or a natural person chooses to complete these when subscribing to the Services):

  • Job title

  • Telephone number

  • Department

  • Country

The following optional Personal Data from Content Data Subjects may be Processed by Settlefin (only if and insofar the Customer chooses to make such data available when subscribing to or receiving the Services):

  • First name

  • Middle name

  • Last name

  • Address

  • National registry number

  • Identity card or passport number

  • Date of birth

  • Place of birth

  • Name of spouse

  • Matrimonial property regime

In providing the Services, Settlefin does not focus on Personal Data from Content Data Subjects, nor is such Personal Data required for the Customer to enjoy the benefit of the Services. In order to enable the provision of the Services by Settlefin to the Customer, the Customer will make available to Settlefin data and content which optionally may include Personal Data from Content Data Subjects. The Customer, as Data Controller, acknowledges and agrees that it is strictly prohibited to make any other categories of Personal Data from Content Data Subjects available to Settlefin.

3. Purposes of Processing of Personal Data

Personal Data will be Processed for the purpose of the performance of the Services.


Schedule 2: List of current Sub-processors


AWS

Subject: Employees, customers & end-users
Purpose:
Cloud infrastructure services for hosting and storage
Duration: Duration of the services agreement
Location: EU (Frankfurt)


Google (G Suite)

Subject: Employees, customers & end-users
Purpose:
Productivity tools (email, documents, calendar)
Duration: Duration of the services agreement
Location: EU


Azure OpenAI Service

Subject: Employees, customers & end-users
Purpose: AI and machine learning services for processing data
Duration: Duration of the services agreement
Location: EU


Schedule 3: Technical and Organizational Measures

Settlefin conforms to ISO/IEC 27001 and is in an ongoing certification process.


DOMAIN PRACTICES

Data access control
(i) Settlefin has policies in place that work according to the principle of least privilege, both for the applications it supplies, for general information and for its own data. Use of passwords is expressly subject to a password management policy described in Settlefin's information security policy. The access rights per user are determined in accordance with the established access policy (based on RACI/orgchart). Only the CTO has access to the password management system itself.
(ii) Settlefin applies multi-factor authentication on its systems.

Data transfer control
(i) All data is encrypted at rest (see ‘Encryption’ below) and all data flows, internal and external, are encrypted in transit over TLS (HTTPS; historically referred to as SSL), the most common and trusted communications protocol on the Internet. Settlefin has a cryptography policy in place in which all encryption initiatives are described.

Physical access control
This section solely refers to the rules that apply to all employees of Settlefin in the area of physical information security. Rules governing the access to Customer Data, made accessible by the Customer to Settlefin and enabling the subsequent use by the Customer of the Software Service, are described in more detail under the section ‘Data access control’.
(i) The office space of Settlefin
The access policy of the entire office environment is explained in Settlefin's information security policy.
(ii) Working from home
Employees of Settlefin have the option to work from home. Employees must at all times comply with the rules and guidelines set out in Settlefin's information security policy.
(iii) Working at client locations
Employees working at client locations must at all times comply with the rules and guidelines set out in Settlefin's information security policy.
(iv) External locations
Employees can perform Settlefin's business activities at external locations. Examples of such locations include public transport, hotels or restaurants. Employees must at all times comply with the rules and guidelines set out in Settlefin's information security policy.

Confidentiality & Integrity
(i) Settlefin uses multi-factor authentication for all its employees and contractors. Furthermore, all its employees and contractors are also required to comply with Settlefin's password management policy contained in its information security policy.
(ii) There is a strict IAM (Identity Access Management) that makes sure that data is only accessible by profiles who need access to better serve our customers.

Anonymisation & Pseudonymisation
(i) After the processing purpose or the retention period has ended, Settlefin will automatically delete all user data.

Encryption
(i) Customer Data is stored on AWS in Dublin, Ireland, residing in AWS RDS. AWS RDS uses the industry-standard AES-256 encryption algorithm to encrypt the entire Settlefin database at rest. In addition, Settlefin uses a separate encryption key per Customer to encrypt the Customer Data relating to that specific Customer. These keys are stored in AWS Secrets Manager and are themselves encrypted at rest under AWS KMS keys; AWS KMS uses hardware security modules (HSMs) to protect the confidentiality and integrity of the key material.
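The key hierarchy described above (a master key in KMS wrapping one data key per Customer held in Secrets Manager) also gives a concrete mechanism for the “deleted and unrecoverable” requirement of Article 6.1: deleting a Customer's wrapped data key makes every record sealed under it unreadable. The following is an added, illustrative example and not Settlefin's code; it models that hierarchy with the Python standard library only. The master key stands in for the KMS key, the `_wrapped` dictionary for Secrets Manager, and the small HMAC-SHA256 counter-mode AEAD (`seal`/`unseal`) is a stand-in for AES-256-GCM, not production cryptography. Customer identifiers and the sample record are constructed.

```python
"""Per-Customer envelope encryption with crypto-shredding (illustrative, stdlib only).

Master key (KMS stand-in) -> wraps one data key per Customer (Secrets Manager
stand-in) -> seals that Customer's data. Shredding the wrapped key makes the
Customer's ciphertext unrecoverable. The AEAD is a stand-in for AES-256-GCM.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC subkeys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; aad is authenticated, not encrypted."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyHierarchy:
    """Master key (KMS stand-in) wrapping per-Customer data keys (Secrets Manager stand-in)."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # in KMS this key never leaves the HSM
        self._wrapped: dict[str, bytes] = {}    # customer_id -> wrapped data key

    def provision(self, customer_id: str) -> None:
        data_key = secrets.token_bytes(32)
        # Binding the wrap to the customer id (aad) stops wrapped keys being swapped between tenants.
        self._wrapped[customer_id] = seal(self._master, data_key, customer_id.encode())

    def _data_key(self, customer_id: str) -> bytes:
        if customer_id not in self._wrapped:
            raise KeyError(f"no data key for {customer_id!r}: never provisioned or already shredded")
        return unseal(self._master, self._wrapped[customer_id], customer_id.encode())

    def encrypt(self, customer_id: str, plaintext: bytes) -> bytes:
        return seal(self._data_key(customer_id), plaintext, customer_id.encode())

    def decrypt(self, customer_id: str, blob: bytes) -> bytes:
        return unseal(self._data_key(customer_id), blob, customer_id.encode())

    def shred(self, customer_id: str) -> None:
        """Article 6.1 deletion: drop the wrapped key; every record sealed under it is now unrecoverable."""
        del self._wrapped[customer_id]


def demo() -> dict[str, bool]:
    """Round trip, tenant isolation, tamper detection and crypto-shredding on a constructed record."""
    kh = KeyHierarchy()
    kh.provision("customer-a")
    kh.provision("customer-b")
    record = b"Jane Doe <jane.doe@example.com>"  # constructed sample Personal Data
    blob = kh.encrypt("customer-a", record)
    results = {"roundtrip": kh.decrypt("customer-a", blob) == record}
    try:  # customer-b's key cannot open customer-a's record
        kh.decrypt("customer-b", blob)
        results["cross_tenant_readable"] = True
    except ValueError:
        results["cross_tenant_readable"] = False
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:  # one flipped ciphertext byte must fail authentication, not decrypt to garbage
        kh.decrypt("customer-a", tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    kh.shred("customer-a")
    try:  # after shredding, the still-present ciphertext cannot be recovered
        kh.decrypt("customer-a", blob)
        results["recoverable_after_shred"] = True
    except KeyError:
        results["recoverable_after_shred"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Two points in the design carry over to the real service: the per-Customer wrap is bound to the Customer identifier as associated data, so a wrapped key cannot be re-attached to another tenant, and shredding deletes only the wrapped key, which is why the retention of backups (see ‘Availability control & recoverability’) must be shorter than, or covered by, the deletion window of Article 6.1 for the guarantee to hold.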

Transmission control
(i) All Personal Data is made available over a secure connection encrypted with TLS (HTTPS; historically referred to as SSL), the most common and trusted communications protocol on the Internet.
(ii) The use of USB sticks, portable hard disks or other mobile storage devices is not allowed.
(iii) Internal infrastructure is isolated using strict firewalls and network access lists. Each system is assigned firewall rules according to its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted (also at rest) and secured behind VPN and VPC firewalls. All details are set out in Settlefin's information security policy.

Access requests
(i) Settlefin has a data subject access request procedure in place providing guidelines on the processing of requests from data subjects to receive confirmation that their Personal Data is being processed and to access their Personal Data.

Data removal
Reference is made to Article 6.1 of this Data Processing Annex.

Availability control & recoverability
(i) Settlefin takes daily back-ups of Personal Data and content uploaded to its system, so that it has the ability to restore and access Personal Data in the event of a physical or technical incident. Settlefin's back-up policies are further set out in its disaster recovery and outage plan. Back-ups are retained for one (1) week.
(ii) Settlefin periodically and by random sampling retrieves back-ups, opens them on a separate system, and compares them to the original files to check the integrity of its back-ups, as per the guidelines set out in its disaster recovery and outage plan.

Training
(i) Staff is continuously trained with regard to the Information Security and Data Protection Legislation (part of on-boarding and coaching process). For example, staff has to fulfill annual Information Security training in which Data Protection Legislation is covered.
(ii) Settlefin staff receive phishing simulations (emails, WhatsApp images, ...) to raise awareness of the threats of phishing.

Prevention of incidents
(i) In case of a suspected data breach, Settlefin will act at all times in accordance with its incident response plan.
(ii) Settlefin maintains an Incident Response Team (IRT) that must ensure that the necessary readiness for a personal data breach response exists, along with the needed resources and preparation (such as call lists, substitution of key roles, tabletop exercises, plus the required review of company policies, procedures and practices).
(iii) Settlefin leverages Amazon GuardDuty, a threat detection service that continuously monitors its AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
(iv) Settlefin makes use of dependency vulnerability scanning via GitHub Dependabot. Tickets are automatically created in the ticketing system and assigned to developers and, depending on the severity of the vulnerability, immediately picked up.
(v) Settlefin leverages Snyk to conduct static application security testing (SAST) scans that create vulnerability findings. In accordance with its Secure Development Policy, tickets are automatically created in the ticketing system and assigned to developers and, depending on the severity of the vulnerability, immediately picked up.
(vi) Settlefin has a well-defined Software Development Life Cycle (SDLC) with incident prevention built in. Developers create Pull Requests (PRs). PRs are thoroughly reviewed and need to be approved by at least two (2) engineers. PRs need to comply with the Definition of Done (DoD), which includes, for example, writing automated unit or integration tests.
(vii) Settlefin periodically executes a dynamic application security testing (DAST) scan with OWASP ZAP.
(viii) Settlefin uses Git, hosted on GitHub, as its distributed version control system.

Evaluation
Settlefin carries out a bi-annual review of its technical and organisational measures for effectiveness and plausibility. Settlefin regularly tests, assesses and evaluates the effectiveness of the technical and organisational measures for ensuring the security of the Processing.

Data Protection Officer
Settlefin's CTO (Brecht Carnewal) is appointed as data protection officer. He may be contacted with any requests or queries regarding technical and organisational measures (dpo@settlefin.com).