This privacy policy (“Privacy Policy”) is applicable to all processing activities of Backbone (as defined below) as a data controller.
Please read this Privacy Policy together with our Cookie Policy. Backbone may update this Privacy Policy in the future: the latest version can always be found on our Website. You can find our archived Privacy Policies in pdf format here.
Validity and acceptance of the Terms and Conditions
1.1. The current terms and conditions of Backbone AI BV (the “Terms and Conditions”) apply to all contracts a relating to the use of the Software Service (as defined hereafter) between Backbone AI BV, a company organized and existing under the laws of Belgium, with registered office at Avenue Louise 304 bus 6.3, 1000 Brussel (Belgium), registered with the Belgian Crossroads Bank for Enterprises (Kruispuntbank van Ondernemingen or KBO) under number BE 1029.843.555 (LER Brussels, section Brussels) (“Backbone”) and the Customer as indicated on the signature block of this agreement (the “Customer”), except when special agreements between Backbone and the Customer stipulate otherwise.
1.2. The Terms and Conditions are deemed accepted by the Customer, even when they are conflicting with the Customer’s general or special purchasing terms and conditions. The fact that Backbone did not explicitly reject the terms and conditions of the Customer referred to in any contract cannot be interpreted by the Customer as an acceptance by Backbone of such terms and conditions.
1.3. In the event of any conflict between the Terms and Conditions or other document submitted by the Customer, the Terms and Conditions shall prevail, and such conflicting terms in the Customer’s documents are hereby rejected by Backbone.
1.4. The designated person, officer, director, employee, or any other person who represents or acts on behalf of the Customer, is deemed to have the necessary mandate to legally bind the Customer.
1.5. At the request of the Customer, Backbone may deliver services to the Customer to support the Software Service.
Definitions
2.1. In addition to terms defined elsewhere in these Terms and Conditions, the following capitalised terms and expressions shall have the following meanings, unless the context otherwise requires:
“Affiliate” means an affiliate (verbonden vennootschap) within the meaning of article 1:20 of the Belgian code of companies and associations;
“Agreement” means these general Terms and Conditions (including the annexes and schedules) between Backbone and the Customer;
“Confidential Information” means any and all information of a confidential nature, disclosed by either Party (or on its behalf) to the other Party, whether orally, in writing or in any format or medium and whether prior to or after the Effective Date. Confidential Information of Backbone will be deemed to include the Licensed Software, the Software Service and any pricing, terms, attachments, appendices and all information related to the Software Services associated with this Agreement. Confidential Information of the Customer will in any event include the Customer Data. “Confidential Information” does not include any information that the receiving Party can demonstrate is: (a) rightfully known prior to disclosure; (b) rightfully obtained from a Third Party authorized to make such a disclosure, without breach of the terms and conditions of this Agreement; (c) independently developed by the receiving Party as demonstrated by contemporaneous documents; (d) available to the public without restrictions; (e) approved for disclosure with the prior written approval of the disclosing Party; or (f) disclosed by court order or as otherwise required by law, provided that the Party required to disclose the information provides prompt advance notice to enable the other Party to seek a protective order or otherwise prevent such disclosure;
“Customer Data” means the information processed by Backbone stemming from the Customer’s enabled Data Sources;
“Data Sources” means any medium of data through which the Customer sends data onto the Backbone platform;
“Documentation” means any documentation provided by Backbone concerning the use of the Software Service;
“Downtime” means any period of time in which the Software Service is not functioning in a material way or is not generally available, other than such periods which have been previously agreed with the Customer or periods of maintenance;
“Effective Date” means the date on which the Customer has countersigned the Terms and Conditions;
“Integration Date” means the date on which the integration of the Customer’s first data repository with the Licensed Software is activated;
“Intellectual Property Rights” means any and all now known or hereafter existing (a) rights associated with works of authorship, including copyrights, design rights, mask work rights, and moral rights; (b) trademark or service mark rights; (c) trade secret rights, know-how; (d) patents, patent rights, and industrial property rights; (e) layout design rights, design rights, (f) trade and business names, domain names, database rights and any other industrial or intellectual proprietary rights or similar right (whether registered or unregistered); (g) all registrations, applications for registration, renewals, extensions, divisions, improvements or reissues relating to any of these rights and the right to apply for, maintain and enforce any of the preceding items, in each case in any jurisdiction throughout the world;
“Licensed Software” means Backbone’s compliance automation solution which is provided as a service;
“Login” means an identifying e-mail address that when combined with an authorized Password will permit access to the Software Service. Permitted Users will choose their own Logins but each Login must conform to syntax rules required by Backbone;
“Password” a key code that when combined with an authorized Login will permit access to Software Service. Permitted Users will choose their own Passwords but each Password must conform to syntax rules required by Backbone;
“Party” or “Parties” means Backbone and/or the Customer;
“Permitted Users” means the users employed by or retained through the Customer, or by any Third Parties engaged by the Customer, that have been identified to Backbone and provided with a Password to access the Software Service pursuant to this Agreement;
“Permitted Sites” means the specific physical or virtual production sites monitored by the Licensed Software;
“Permitted Standards” means the regulatory, contractual, or other compliance frameworks, standards, or requirements — whether international, national, local, or imposed by the Customer’s own clients — that the Customer is obliged to comply with and that have been identified to Backbone in connection with the use of the Software Service pursuant to this Agreement;
“Software Service” means the provision of the Licensed Software by Backbone to the Customer under this Agreement, including any other services provided by Backbone to the Customer under this Agreement;
“Term” means the Initial Term, together with any Renewal Term(s), as applicable;
“Third Party” means any legal or natural person that is not a Party or a Permitted User; and
“Virus” means a virus, cancelbot, worm, logic bomb, Trojan horse or other harmful component of software or data.
License by Backbone to the Customer
3.1. Integration
Backbone will use reasonable efforts to assist the Customer with the integration of its contract repository with the Licensed Software by the Integration Date. The Customer acknowledges that Backbone’s ability to assist the Customer in relation to such integration is in part dependent upon Customer’s timely cooperation with Backbone as well as the accuracy and completeness of any information and data that the Customer provides to Backbone in this respect.
3.2. License
Subject to the terms and conditions of this Agreement Backbone grants the Customer, as from the effective date and until the expiry of the Term, a non-exclusive, limited, non-transferable license to allow the Permitted Users to access and use the Software Service, without the right to sublicense (other than to Affiliates). The aforementioned license is granted as of the Effective Date. Backbone reserves the right to make, in its sole discretion, any material or non-material changes and/or updates to the functionality of the Licensed Software from time to time without prior approval of the Customer, provided that such changes do not materially downgrade any of the (on the Effective Date) existing functionalities. Backbone will notify the Customer of material changes via email or via notification in the Licensed Software.
3.3. Permitted Usage
To access and use the Licensed Software, the Customer must set up an administrator account. When setting up the administrator account, the Customer must provide current, complete, and accurate information. The Customer will identify Permitted Users who will be able to set up Logins to use the Software Service for the purposes permitted by this Agreement. The Customer will maintain a list of Logins, using the administrator account. It is strictly forbidden that one Login us used by more than one Permitted User. The Customer will take such actions as are necessary in order for it to maintain the confidentiality of, and prevent the unauthorized use of, each Password and Login. The Customer will immediately notify Backbone in writing if the Customer determines, or has reason to believe, that an unauthorized employee or unauthorized Third Party has gained access to a Password or Login. The Customer authorizes Backbone to rely upon any information and/or instructions set forth in any data transmission using the assigned Password or Login, without making further investigation or inquiry, and regardless of the actual identity of the individual transmitting the same, in connection with the operation of Backbone. Use of the assigned Password or Login, whether or not authorized by the Customer, will be solely the responsibility of and the risk of the Customer. The Customer will indemnify, defend, and hold harmless Backbone from any claim, proceeding, loss or damages based upon any use, misuse, or unauthorized use of Customer’s Passwords and Logins.
3.4. Restrictions
The Customer, nor any Permitted User is allowed to use the Licensed Software or a component thereof in a manner not authorized by Backbone. Within the limits of the applicable law, the Customer, nor any Permitted User is permitted to (i) copy the Licensed Software, (ii) modify, translate or otherwise create derivative works of the Licensed Software, (iii) disassemble, decompile or reverse engineer the object code or source code of the Licensed Software, (iv) publish, or otherwise make available to any Third Party any benchmark testing information or results, (v) export or re-export the Licensed Software in violation of any local or international law or regulation, (vi) intentionally distribute any Virus, or other items of a destructive or deceptive nature or use the Licensed Software for any unlawful, invasive, infringing, defamatory or fraudulent purpose, or (vii) remove or in any manner circumvent any technical or other protective measures in the Licensed Software.
License by the Customer to Backbone
4.1. Backbone acknowledges and agrees that the Customer remains at any time the sole owner of (or where applicable, must ensure it has a valid license to) the Customer Data.
4.2 The Customer grants Backbone, for the Term, a non-exclusive, worldwide, royalty-free right and license to use, copy, store, modify, transmit and display the Customer Data to the extent necessary to provide the Software Service under this Agreement. For the avoidance of doubt, Backbone shall not use Customer Data, whether anonymized or de-aggregated, to modify or update either any large language model or Licensed Software for the benefit of Backbone or any Third Party.
4.3 The Customer may from time to time provide suggestions, comments for enhancements or functionality or other feedback, excluding Customer Data, to Backbone with respect to the Software Service (“Feedback”). Backbone, in its sole discretion, shall determine whether or not to proceed with the development of the requested enhancements, new features or functionality. The Customer hereby grants Backbone a royalty-free, fully paid up, worldwide, transferable, sublicensable, irrevocable, perpetual license to to use and/or incorporate Feedback into Licensed Software and to (a) copy, distribute, transmit, display, perform, and create derivative works of the Feedback; and (b) use the Feedback and/or any subject matter thereof, including without limitation, the right to develop, manufacture, have manufactured, market, promote, sell, have sold, offer for sale, have offered for sale, import, have imported, rent, provide and/or lease products or services which practice or embody, or are configured for use in practicing, the Feedback and/or any subject matter thereof.
4.4 Backbone reserves the right, but is not obliged, to review and remove any Customer Data which are deemed to be in violation with the provisions of this Agreement, any rights of Third Parties or any applicable legislation or regulation, or are otherwise inappropriate.
Intellectual property
5.1. Customer acknowledges and agrees that this Agreement is not a sale of the Licensed Software or any rights therein, and that Backbone and its suppliers shall at all times retain all Intellectual Property Rights in and to the Licensed Software, including any and all updates, enhancements, derivatives, modifications or improvements thereof created by or on behalf of Backbone. All rights in and to the Licensed Software not expressly granted to the Customer in this Agreement are reserved by Backbone. No license is granted to the Customer except as to the use of the Licensed Software as expressly stated herein. Backbone’s name, Backbone’s logo, and the product names associated with the Software Service are trademarks of Backbone or Third Parties, and they may not be used without Backbone’s prior written consent.
5.2. Customer acknowledges and agrees in particular that the source code from the Licensed Software is and remains a confidential and proprietary trade secret of Backbone.
5.3. Customer further acknowledges that Backbone will have the right to use techniques, methodologies, tools, ideas and other know-how gained during the Term, in the furtherance of its own business and to perfect all other Intellectual Property Rights related thereto.
Warranties
6.1 By both Parties
The Customer and Backbone represent and warrant to each other that they have the authority to enter into this binding Agreement. The Customer and Backbone will perform their obligations under this Agreement in a good and workmanlike manner.
6.2 By the Customer
The Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability and copyright of all Customer Data. The Customer warrants that the provided Customer Data shall not (i) infringe any Intellectual Property Rights of Third Parties; (ii) misappropriate any trade secret; (iii) be deceptive, defamatory, obscene, pornographic or unlawful; (iv) contain any Viruses, whether or not intended to damage the Licensed Software; or (v) otherwise violate the rights of a Third Party. Any use of the Licensed Software in violation of these representations and warranties by the Customer or any Permitted User constitutes unauthorized and improper use of the Software Service.
6.3 By Backbone
Backbone is the owner of or is licensed to use the Licensed Software. Except as expressly provided in this Agreement and to the extent permitted under applicable law, Backbone expressly disclaims all warranties, express or implied, including but not limited to any warranties of merchantability, non-infringement, satisfactory quality and fitness of the Licensed Software and the Software Service for a particular purpose. In particular, Backbone does not warrant that the Licensed Software is error-free or that the use of the Software Service shall be uninterrupted, that Backbone will detect any or every defect in Customer’s systems or that any or all problems with respect to the Licensed Software or Software Service can be solved, and hereby disclaims any and all liability on account thereof. The Licensed Software and the Software Service will be provided by Backbone under this Agreement on an “as-is” and “as available” basis. However, Backbone undertakes to use all commercially reasonable efforts to remedy bugs reported by the Customer, to provide the Software Service without any material Downtime, and, to the extent such Downtime occurs, to resolve such Downtime as soon as possible. To the best of Backbone’s knowledge, the Licensed Software does not contain any malicious code,viruses, cancelbot, worm, logic bomb, Trojan horse or other harmful component of software.
Liability
7.1. To the maximum extent permitted under applicable law, the maximum liability of the Parties arising out of this Agreement shall not in any event exceed the Fees paid by the Customer to Backbone for the use of the Licensed Software during the preceding twelve (12) month period, except (i) in respect of the indemnification obligations set forth in article 8 of these Terms and Conditions, or (ii) in case of fraud or willful misconduct.
7.2. In no event will Backbone, its licensors or its suppliers have any liability to the Customer for any consequential or incidental losses, including but not limited to lost profits, loss of business, loss of use or of data, any unauthorized access to, alteration, theft or destruction of Customer’s or its trading partners’ computers, computer systems, data files, programs or information, or costs of procurement of substitute goods or services, or for any indirect, special or consequential damages however caused and under any theory of liability and whether or not Backbone has been advised of the possibility of such damage.
Confidential Information
8.1. Under no circumstances may either Party disclose any pricing or business terms related specifically to this Agreement, or any negotiations thereof, to any Third Party (including, but not limited to, competitors, industry analysts, press or media).
8.2. Neither Party will use any Confidential Information of the disclosing Party except as expressly permitted in this Agreement or as expressly authorized in writing by the disclosing Party. Each Party will use the same degree of care to protect the disclosing Party’s Confidential Information as it uses to protect its own Confidential Information of like nature, but in no circumstances less than reasonable care. Neither Party is allowed to disclose the other Party’s Confidential Information to any person or entity other than the receiving Party’s officers, employees, consultants and legal advisors who have a need to know such Confidential Information and who are bound by similar confidentiality obligations as those set out in this Agreement. Each individual or entity receiving Confidential Information pursuant to this subsection must have entered into a written confidentiality agreement the sole objectives of which are to further the intent of this article 10. The Customer will not disclose, orally or in writing, any benchmark tests of the Licensed Integration to any Third Party. Each Party agrees to notify the other Party of any unauthorized use or disclosure of Confidential Information and to provide reasonable assistance to such other Party, and its licensors, in the investigation and prosecution of such unauthorized use or disclosure.
Data Protection
9.1. The Customer agrees and acknowledges that personal data (other than personally identifiable information of Permitted Users, IP addresses and other unique, non-personal identifiers such as Cookie IDs which are necessary for the provision of services under this Agreement) is processed by Backbone only if and insofar the Customer chooses to make such data available when subscribing to or receiving the Software Service.
9.2. If, and to the extent, Backbone processes any personal data on the Customer’s behalf when performing its obligations under this Agreement, the Parties record their intention that the Customer shall be the data controller and Backbone shall be a data processor and in that personal data will be processed in accordance with the provisions set forth in the Data Processing Annex attached to these Terms and Conditions.
Term and termination
10.1. Term. This Agreement shall enter into force and shall take effect as from the Effective Date and shall expire one year after the Effective Date (the “Initial Term”).
10.2. Termination for material breach. Either Party may terminate this Agreement by written notice to the other Party if the other Party materially breaches this Agreement and fails to cure such breach within thirty (30) calendar days from receipt of a default notice.
10.3. Insolvency. Either Party may terminate this Agreement by written notice to the other Party, effective as of the date of delivery of such notice, if the other Party becomes the subject of a voluntary or involuntary bankruptcy, insolvency or similar proceeding or otherwise liquidates or ceases to do business.
10.4. Upon termination of this Agreement for whatever reason (i) the Customer shall promptly pay Backbone all Fees and other amounts earned by or due to Backbone pursuant to this Agreement, up to and including the date of termination, (ii) all user rights granted to the Customer pursuant to this Agreement, including the rights to use the Licensed Integration as per article 3, shall automatically terminate. Termination of this Agreement on whatever ground shall be without prejudice to any right or remedy that has accrued prior to the actual termination.
10.5. The provisions of this Agreement that are expressly or implicitly intended to survive termination shall survive any expiration or termination of this Agreement.
Miscellaneous
11.1. Applicable law and Jurisdiction. This Agreement will be interpreted fairly in accordance with its terms, without any strict construction in favor of or against either Party and in accordance with Belgian law, without giving effect to any laws of conflict. The competent courts of Antwerp will have exclusive jurisdiction over any dispute or controversy arising from or relating to this Agreement or its subject matter.
11.2. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) will be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.
11.3. No Agency. No joint venture, partnership, employment, or agency relationship exists between Customer and Backbone as a result of this Agreement or use of the Licensed Software.
11.4. No Waiver. The failure of a Party to enforce any right or provision in this Agreement will not constitute a waiver of such right or provision unless acknowledged and agreed to by that Party in writing.
11.5. Force Majeure. If the performance of this Agreement by either Party is prevented, hindered, delayed or otherwise made impracticable by reason of any flood, riot, fire, judicial or governmental action, labor disputes, act of God, power failures, cyber crime, unauthorized access to Backbone’s information technology systems by Third Parties, or any other causes beyond the control of such Party, that Party will be excused from such to the extent that it is prevented, hindered or delayed by such causes.
11.6. References. The Customer hereby authorizes Henchman to make public reference to the Customer as a customer of Henchman and to use the Customer’s name and logo, which remain trademarks of the Customer, on its website for this purpose only (for the avoidance of doubt, without, in any event, disclosing any Confidential Information) . Henchman has the right to publish the collaboration with the customer on LinkedIn after the agreement is signed and thus prior to go-live (Example post). Other public references to the Customer will not be made without the Customer’s prior consent. After a successful deployment of the Henchman product, the Customer can be contacted by Henchman to take part in future reports, blog posts, testimonials/videos, and reference calls (maximum 2 per calendar quarter).
11.7. Assignment. This Agreement may not be assigned by the Customer without the prior written approval of Backbone but may be assigned by Backbone to (i) a parent company or subsidiary, (ii) an acquirer of all or substantially all of Backbone’s assets involved in the operations relevant to this Agreement, or (iii) a successor by merger or other combination. Any purported assignment in violation of this article will be void. This Agreement may be enforced by and is binding on permitted successors and assigns.
11.8. Notice. Each Party must deliver all notices or other communications required or permitted under this Agreement in writing to the other Party at the address listed on the first page of this Agreement by courier, by certified or registered mail (postage prepaid and return receipt requested), or by a nationally-recognized express mail service. Notice will be effective upon receipt or refusal of delivery. If delivered by certified or registered mail, any such notice will be considered to have been given five (5) calendar days after it was mailed, as evidenced by the postmark. If delivered by courier or express mail service, any such notice shall be considered to have been given on the delivery date reflected by the courier or express mail service receipt. Each Party may change its address for receipt of notice by giving notice of such change to the other Party.
11.9. Entire Agreement. This Agreement, together with any applicable Documentation, comprises the entire agreement between the Customer and Backbone and supersedes all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, between the Parties regarding the subject matter contained herein. No amendment to or modification of this Agreement will be binding unless in writing and signed by an authorized representative of each Party.
Data Processing Annex
This data processing annex (the “Data Processing Annex”) describes specific terms in respect of the processing of Personal Data (as defined hereafter) by Backbone in connection with the provision of Software Service under this Agreement as may be provided to the Customer by Backbone in connection with this Agreement, the terms of which are incorporated herein by reference (the “Services”). In the event of a conflict between this Agreement and any provision of this Data Processing Annex, the latter shall govern. Capitalized terms not otherwise defined herein, shall have the meaning specified in this Agreement.
Definitions and interpretation
1.1. Definitions. For the purpose of this Data Processing Annex, the following terms shall have the following meaning:
“Contact Person” means the individual(s) assigned by a Party and communicated to the other Party as point of contact and representing the Party for (a part of) the Services;
“Data Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data. In this Agreement and its execution, the Customer is the Data Controller;
“Data Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller. In this Agreement and its execution, Backbone is the Data Processor;
“Data Protection Legislation” means the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”), together with the codes of practice, codes of conduct, regulatory guidance and standard clauses and other related legislation resulting from such Directive or Regulation, as updated from time to time, as well as any implementing or supplementary legislation, including any other applicable data protection or privacy legislation;
“Data Subject” means an identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The relevant categories of Data Subjects are identified in Annex 1;
“Personal Data” means any information relating to a Data Subject. The relevant categories of Personal Data that are provided to Backbone by, or on behalf of the Customer are identified in Annex 1;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services;
“Processing”, “Process(es)” or “Processed” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Services” has the meaning set forth in the preamble of this Data Processing Annex;
“Standard Contractual Clauses” means the standard contractual clauses (as amended from time to time) of which the European Commission on the basis of the implementing decision on standard contractual clauses between controllers and processors under Article 28 (7) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725
article 26 (4) of Directive 95/46/EC decided that these offer sufficient safeguards for the transfers of personal data to a third country, or the data protection clauses adopted by the European Commission or by a supervisory authority and approved by the European Commission in accordance with the examination procedure referred to in article 93(2) of EU Regulation 2016/679. In the event of any such data protection clauses adopted in accordance with EU Regulation 2016/679, such clauses shall prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they intend to cover the same kind of data transfer relationship;
“Sub-processor” means any subcontractor engaged by Backbone to perform a part of the Services and who agrees to receive Personal Data intended for Processing on behalf of the Customer in accordance with the Customer’s instructions and in connection with and for the purpose of the provision of the Services;
“Terms and Conditions” means the sales terms and conditions of Backbone applicable to all contracts relating to the use of the Services, which have been accepted by the Customer.
1.2. Interpretation. In case of any doubt or differences between this Data Processing Annex and the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.
Specification of the Data Processing
2.1. Any Processing of Personal Data in connection with and for the purpose of the Services shall be performed in accordance with the applicable Data Protection Legislation.
2.2. For the performance of the Services, Backbone is a Data Processor acting on behalf of the Customer, who is the Data Controller.
2.3. As a Data Processor, Backbone will only act upon the Customer’s written instructions. This Agreement is the Customer’s complete instruction to Backbone with regard to the Processing of Personal Data. Any additional or alternate instructions must be jointly agreed by the Parties in writing. The following is deemed an instruction by the Customer to Process Personal Data: (1) Processing in connection with and for the purpose of the Services and (2) Processing initiated by the Customer’s users in their use of the Services.
2.4. Backbone shall immediately inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation.
2.5. A more detailed description of the subject matter of the Processing of Personal Data in terms of the concerned categories of Personal Data and of Data Subjects (envisaged Processing of Personal Data) is contained in Schedule 1 to this Data Processing Annex.
Data Subjects’ Rights
3.1. With regard to the protection of Data Subjects’ rights pursuant to the applicable Data Protection Legislation, the Customer shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
3.2. Should a Data Subject directly contact Backbone wanting to exercise his individual rights such as requesting a copy, correction or deletion of his Personal Data or wanting to restrict or object to the Processing activities, Backbone shall inform the Customer of such request within five (5) business days and provide the Customer with full details thereof, together with a copy of the Personal Data held by it in relation to the Data Subject where relevant. Backbone shall promptly direct such Data Subject to the Customer. In support of the above, Backbone may provide the Customer’s basic contact information to the requestor. The Customer agrees to answer to and comply with any such request of a Data Subject in line with the provisions of the applicable Data Protection Legislation.
3.3. Insofar as this is possible, Backbone shall cooperate with and assist the Customer by appropriate technical and organizational measures for the fulfillment of the Customer’s obligation to respond to requests from Data Subjects exercising their rights.
Consultation and Correction of Personal Data
4.1. Backbone will provide the Customer, in its role of Data Controller, with access to Personal Data Processed for the purpose of the provision of the Services in order to allow the Customer to consult and correct such Personal Data.
Disclosure
5.1. Backbone will not disclose Personal Data to any third party, except (1) as the Customer directs, (2) as stipulated in any agreement entered into between the Parties in connection with and for the purpose of the Services, (3) as required for Processing by approved Sub-processors in accordance with article 8, or (4) as required by law, in which case Backbone shall inform the Customer of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest.
5.2. Backbone represents and warrants that persons acting on behalf of Backbone and who are authorized to Process Personal Data or to support and manage the systems that Process Personal Data (i) have committed themselves to maintain the security and confidentiality of Personal Data in accordance with the provisions of this Data Processing Annex, (ii) are subject to user authentication and log on processes when accessing the Personal Data and (iii) are adequately informed of the requirements under Data Protection Legislation. Backbone shall inform the persons acting on its behalf about the applicable requirements and ensure their compliance with such requirements through contractual or statutory confidentiality obligations.
Deletion and Return of Personal Data
6.1. At the latest within thirty (30) calendar days upon termination of the Services, Backbone shall sanitize or destroy any Personal Data that it stores in a secure way that ensures that all Personal Data is deleted and unrecoverable or it shall return all Personal Data to the Customer, at the choice of the Customer. All existing copies will be deleted by Backbone. Data used to verify proper data processing in compliance with the assignment and data that needs to be kept to comply with relevant legal and regulatory retention requirements may be kept by Backbone beyond termination or expiry of the Services only as long as required by such laws or regulations.
6.2 Upon a written request submitted by the Customer no later than five (5) calendar days prior to termination of the Services, Backbone will provide the Customer with a readable and usable copy of the Personal Data and/or the systems containing Personal Data prior to sanitization or destruction.
Location of Processing
7.1. Backbone will store Personal Data at rest within the territory of the European Union.
7.2. Any Processing of Personal Data by Backbone personnel or subcontractors not located within the European Union or any country for which the European Commission has issued an adequacy decision may be undertaken only following prior written approval of the Customer and the execution of one of the then legally recognized data transfer mechanisms, such as an additional data processing agreement governed by the Standard Contractual Clauses.
Use of Sub-processors
8.1.The Customer acknowledges and expressly agrees that Backbone may use third party Sub-processors for the provision of the Services.
8.2. Any such Sub-processors that provide services for Backbone and thereto Process Personal Data will be permitted to Process Personal Data only to deliver the services Backbone has entrusted them with and will be prohibited from Processing such Personal Data for any other purpose. Backbone remains fully responsible for any such Sub-processor’s compliance with Backbone’s obligations under this Agreement. Backbone shall, prior to the entrusting of services to such Sub-processor, carry out any reasonable due diligence on such Sub-processor to assess whether it is capable of providing the level of protection for the Personal Data as is required by this Agreement, and provide evidence of such due diligence to the Customer where requested by the Customer or a regulator.
8.3. Backbone will enter into written agreements with any such Sub-processor which contain obligations no less protective than those contained in this Agreement, including the obligations imposed by the Standard Contractual Clauses, as applicable.
8.4. Backbone shall make available to the Customer the current list of Sub-processors for the Services identified in Schedule 2 to this Data Processing Annex. Such Sub-processors list shall include the identities of those Sub-processors and their country of location. Backbone shall provide the Customer with a notification of a new Sub-processor before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services under this Agreement.
8.5. If the Customer objects to the use of a new Sub-processor that will be processing the Customer’s Personal Data, then the Customer shall notify Backbone in writing within twenty-one (21) calendar days after receipt of Backbone’s written request to that effect. In such a case, Backbone will use reasonable efforts to change the affected Services or to recommend a commercially reasonable change to the Customer’s use of the affected Services to avoid the Processing of Personal Data by the Sub-processor concerned. If Backbone is unable to make available or propose such change within sixty (60) calendar days, the Customer may terminate the Services. To that end, the Customer shall provide written notice of termination that includes the reasonable motivation for non-approval.
Technical and Organizational Measures
9.1. Backbone has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction, and, as appropriate, the technical and organizational measures described in art. 32 GDPR. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of Processing and risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data. These measures shall include the following measures:
the prevention of unauthorized persons from gaining access to systems Processing Personal Data (physical access control);
the prevention of systems Processing Personal Data from being used without authorization (logical access control);
ensuring that persons entitled to use a system Processing Personal Data gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
ensuring the establishment of an audit trail to document whether and by whom Personal Data has been entered into, modified in, or removed from systems Processing Personal Data (entry control);
ensuring that Personal Data is solely Processed in accordance with the Customer’s written instructions (control of instructions);
ensuring that Personal Data is protected against accidental destruction or loss (availability control); and
ensuring that Personal Data collected for different purposes can be processed separately (separation control).
9.2. The present technical and organizational measures are described in Schedule 3 to this Data Processing Annex. Backbone shall adapt these measures systematically to the development of regulations, technology and other aspects and supplemented with the applicable technical and organizational measures of Sub-processors, as the case may be. In any event, the implemented technical and organizational measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, taking also into account the state of technology and the cost of their implementation.
9.3. Upon the Customer’s request, Backbone must provide the Customer within fourteen (14) calendar days of receipt by Backbone of the Customer's request with an updated description of the implemented technical and organizational protection measures.
Personal Data Breaches
10.1. In the event of a (likely or known) Personal Data Breach and irrespective of its cause, Backbone shall notify the Customer without undue delay and at the latest within forty-eight (48) hours after having become aware of (the likelihood or occurrence of) such Personal Data Breach, providing the Customer with sufficient information and in a timescale, which allows the Customer to meet any obligations to report a Personal Data Breach under the Data Protection Legislation. Such notification shall as a minimum specify:
the nature of the Personal Data Breach;
the nature or type of Personal Data implicated in the Personal Data Breach, as well as the categories and numbers of Data Subjects concerned;
the likely consequences of the Personal Data Breach;
as the case may be, the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
the identity and contact details of the Data Protection Officer or another Contact Person from whom more information can be obtained.
10.2. Backbone shall without undue delay further investigate the Personal Data Breach and shall keep the Customer informed of the progress of the investigation and take reasonable steps to further minimize its impact. Both Parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.
10.3. A Party’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that Party of any fault or liability with respect to the Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
11.1. Backbone shall use commercially reasonable efforts to assist the Customer with any data protection impact assessments required in virtue of article 35 GDPR and with any prior consultations of the Customer’s supervisory authority, as required in virtue of article 36 GDPR, in both instances regarding the Processing of Personal Data by Backbone on behalf of the Customer in connection with the Services.
Other Responsibilities
12.1. The Customer shall comply with all applicable laws and regulations, including the Data Protection Legislation.
12.2. The Customer remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of his or her Personal Data.
12.3. The Customer shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
12.4. With regard to components that the Customer provides or controls, including but not limited to workstations connecting to Services, data transfer mechanisms used, and credentials issued to the Customer’s personnel, the Customer shall implement and maintain the required technical and organizational measures for protection of Personal Data.
Notifications
13.1. Backbone shall cooperate as requested by the Customer to enable the Customer to comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, which shall include the provision of:
all data requested by the Customer (which is not otherwise available to the Customer) within the reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to the relevant Data Subject(s); and
where applicable, providing such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the Data Protection Legislation statutory timescales.
13.2. Any notification under this Agreement, including a Personal Data Breach notification, will be delivered to one or more of the Customer’s Contact Persons via email possibly supplemented by any other means Backbone selects. Upon request of the Customer, Backbone shall provide the Customer with an overview of the contact information of the registered Customer’s Contact Persons. It is the Customer's sole responsibility to timely report any changes in contact information and to ensure the Customer’s Contact Persons maintain accurate contact information.
Term and Termination
14.1. The Data Processing Annex enter into force on the Effective Date of this Agreement and remain in force until Processing of Personal Data by Backbone is no longer required in the framework of or pursuant to the provision of the Services.
14.2. The Data Processing Annex cannot be rescinded or terminated separately from the provision of this Agreement.
SCHEDULES
Schedule 1: Details of the Personal Data Processing
Data Subjects
End users of the Services provided by Backbone to the Customer (“End Users”).
Optionally, natural persons that are party to or signatory of, or otherwise referred to in, a document that is included in the data and content made available by the Customer to Backbone in the framework of or pursuant to the provision of the Services (“Content Data Subjects”).
Categories of Personal Data
Backbone shall Process (a subset of) the following categories of Personal Data from End Users:
Email address
First name
Last name
The following optional Personal Data from End Users may be Processed by Backbone (only if and insofar the Customer or a natural person chooses to complete these when subscribing to the Services):
Job title
Telephone number
Department
Country
The following optional Personal Data from Content Data Subjects may be Processed by Backbone (only if and insofar the Customer chooses to make such data available when subscribing to or receiving the Services):
First name
Middle name
Last name
Address
National registry number
Identity card or passport number
Date of birth
Place of birth
Name of spouse
Matrimonial property regime
In providing the Services Backbone does not focus on Personal Data from Content Data Subjects, nor is such Personal Data required for the Customer to enjoy the benefit of the Services. In order to enable the provision of the Services by Backbone to the Customer, the Customer will make available to Backbone data and content which optionally may include Personal Data from Content Data Subjects.
The Controller acknowledges and agrees that it is strictly prohibited to make any other categories of Personal Data from Content Data Subjects available to Backbone.
Purposes of Processing of Personal Data
Personal Data will be Processed for the purpose of the performance of the Services.
Schedule 2: List of current Sub-processors
Amazon Web Services
Subject-matter: Backbone’s main database where all our proprietary software has been developed.
Nature/Purposes: Processing/indexing and, afterwards storage of Quality Management System so customers can easily access it via their browser.Type of Personal Data: processes and policies which might include some Personal Data but this is limited by nature (names, addresses,...)
Categories of Data Subjects: Data Subjects whose Personal Data are mentioned in the Customer Data
Duration: duration of the Software Service being provided by Backbone under this Agreement.
Location: Dublin, Ireland
Schedule 3: Technical and Organizational Measures
Data access control: (i) Backbone has policies in place that work according to the principle of least privilege, both for our supplied applications, general information and own data. Use of passwords is expressly subject to a password management policy described in Backbone’s information security policy. The access rights per user are determined in accordance with the established access policy (based on RACI/orgchart). Only the CTO has access to the password management system itself.
(ii) Backbone applies multi-factor authentication on its systems.
Data transfer control: (i) All data (internal and external data flows) is encrypted at rest and in transit via a secure connection and encrypted via SSL/HTTPS, the most common and trusted communications protocol on the Internet. Backbone has a cryptography policy in place in which all encryption initiatives are described.
Physical access control: This section solely refers to the rules that apply to all employees of Backbone in the area of physical information security. Rules governing the access to Customer Data, made accessible by the Customer to Backbone and enabling the subsequent use by the Customer of the Software Service, are described in more detail under the section ‘Data access control’.
(i) The office space of Backbone
The access policy of the entire office environment is explained in Backbone’s information security policy.
(ii) Working from home
Employees of Backbone have the option to work from home. Some contractors may work from abroad, they have access to all applications and information needed for their job. Employees must at all times comply with the rules and guidelines set out in Backbone’s information security policy.
(iiii) Working at client locations
Employees working at client locations must at all times comply with the rules and guidelines set out in Backbone’s information security policy.
(iv) External locations
Employees can perform Backbone’s business activities at external locations. Examples of such locations include public transport, hotels or restaurants. Employees must at all times comply with the rules and guidelines set out in Backbone’s information security policy.
Confidentiality & Integrity: (i) Backbone uses multi-factor authentication for all its employees and contractors. Furthermore, all its employees and contractors are also required to comply with Backbone’s password management policy contained in its information security policy.
(ii) There is a strict IAM (Identity Access Management) that makes sure that data is only accessible by profiles who need access to better serve our customers.
(ii)
Anonymisation & Pseudonymisation: (i) After the processing purpose or the retention period has ended, Backbone will automatically delete all user data.
Encryption: Customer Data is stored on AWS in Dublin, Ireland. Our data will be residing in AWS RDS.Amazon uses the industry standard AES-256 encryption algorithm to encrypt the entire Backbone database at rest. In addition, Backbone uses encryption keys to encrypt individual Customer Data (relating to one specific Customer). These keys are stored in Secrets Manager and are encrypted at rest through AWS KMS. In AWS KMS hardware security modules (HSMs) are used to protect the confidentiality and integrity of the keys.
Transmission control: (i) All personal data is made available via a secure connection and encrypted via SSL/HTTPS, the most common and trusted communications protocol on the Internet.
(ii) It is not allowed to use USB-sticks, portable hard disks or other mobile storage devices.
(iii) Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall rule by its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted (also at-rest) and secured behind VPN & VPC firewalls.
All details are set out in Backbone’s information security policy.
Access requests: (i) Backbone has a data subject access request procedure in place providing guidelines on the processing of requests from data subjects to receive confirmation that their Personal Data is being processed and to access their Personal Data.
Data removal: Reference is made to Article 6.1 of this Data Processing Annex.
Availability control & recoverability: (i) Backbone takes daily back-ups of Personal Data and content uploaded to its system, so that it has the ability to restore and access Personal Data in the event of a physical or technical incident. Backbone’s back-up policies are further set out in its disaster recovery and outage plan. Back-ups are retained for one (1) week.
(ii) Backbone periodically and by random sampling retrieves back-ups, opens them on a separate system, and compares them to the original files to check the integrity of its back-ups, as per the guidelines set out in its disaster recovery and outage plan.
Training: Backbone is continuously training the staff with regard to the Information Security and Data Protection Legislation (part of on-boarding and coaching process). For example, Backbone staff has to fulfill annual Information Security training in which Data Protection Legislation is covered. In addition, Backbone has a partnership with Phished, a company that has training the awareness for the threat of phishing at its customers as a core focus. For example, Backbone staff receive phishing simulations (emails, Whatsapp images,...) in order to keep them aware of the threats of phishing.
Prevention of incidents: (i) In case of a suspected data breach, Backbone will act at all times in accordance with its incident response plan.
(ii) Backbone composes a IncidentResponse Team(IRT) that must ensure that necessary readiness for a personal data breach response exists, along with the needed resources and preparation (such as call lists, substitution of key roles, desktop exercises, plus required review of company policies, procedures and practices).
Evaluation: Backbone carries out a bi-annual review of their technical and organisational measures on effectiveness and plausibility. Backbone regularly tests, assesses and evaluates the effectiveness of technical and organisational measures to secure processing.
Signature
Backbone AI BV
Louis Opsomer
