1. Applicability and definitions.
This User Agreement between Catermonkey B.V. on the one hand and User on the other hand regarding access to and use of the Catermonkey platform. Catermonkey is a software as a service (SaaS) solution serving:
- the development and management of orders and customer data, and
- automating (in part) the administrative process of order processing
Any purchase or other terms and conditions of User or any third party shall not apply, and their applicability is expressly rejected by Catermonkey. Any deviations from this User Agreement are valid only if expressly agreed upon in writing.
Catermonkey hereby grants User a limited, non-transferable, non-exclusive license to use Catermonkey, limited to the term of this User Agreement.
User is not permitted to sublicense to third parties (including but not limited to group companies) except with Catermonkey’s prior written approval.
Catermonkey allows Users to build their own database within the Catermonkey platform. User has exclusive rights with respect to the contents of this Database. The User alone is responsible for the use and content of the Database. Catermonkey uses an external backup service, backups of the Database are made on a 30-day cycle. Thus, there is a 30-day retention.
The contents of the Database are accessible only to the User. User is then exclusively responsible for the content and use of the Database. User indemnifies Catermonkey upon first request for all claims (and all damages arising from such claims) originating from third parties (including but not limited to candidates of User) related to, or arising from, (the use of) the Database (including claims based on the Personal Data Protection Act and/or the General Data Protection Regulation).
Catermonkey obtains and processes only the generic data specified below from the Catermonkey platform (including metadata related to the Database). The identity of these visitors are not traceable to a natural person by User. Catermonkey processes and uses this data solely to optimize and improve the Catermonkey platform. Under no circumstances will Catermonkey provide data derived from the Database to other parties. Catermonkey only obtains access to the following data:
- Through which website the visitor comes to the website;
- How often repeat visits are made by visitor;
- Data about which browser the user has.
Catermonkey’s development team may look into the database for development purposes or technical troubleshooting, but will never do so for the purpose of using the NAW data, for purposes other than improving the application.
Prior to the expiration of this Use Agreement and during the Term at User’s request, Catermonkey will provide a copy of the Database to User in CSV file format. Under no circumstances shall Catermonkey be bound to any data conversion with respect to the Copy. User is not entitled to request Catermonkey to provide a Copy more than once every 12 months, except in cases of good cause (at Catermonkey’s reasonable discretion). The Export file consists of:
- All orders
- All accumulated customer data
- All products and ingredients
4. Use and security
Use of Catermonkey requires users to open an account. User is responsible for providing users with current, complete and accurate data. User is responsible for maintaining the confidentiality of passwords and accounts. User is fully responsible for all activities undertaken pursuant to these accounts.
User is responsible for the use of Catermonkey’s exchange and communication facilities by User’s users. User warrants that the exchange and communication facilities will not be used inappropriately, in violation of laws or regulations, or in violation of third party (privacy or intellectual property) rights.
For optimal performance of Catermonkey, Catermonkey optimizes its application for the most common browsers. And only on the last two releases of these browsers. Does user, use a browser older than the second last version then user experience may be less. In some cases, certain features may not work. This is where Catermonkey delivers best-effort service. Imperfections will be attempted to be prevented as much as possible by professional practices and testing, and, if still present, will be resolved as soon as possible after detection.
Catermonkey’s liability for damages resulting from an attributable failure to perform this User Agreement or in tort or otherwise is limited per event (a series of consecutive or related events is considered a single event) to compensation for direct damages, up to a maximum amount equal to EUR 500 (five hundred Euros). “Direct damages” include only the following damages:
- Damage directly inflicted on tangible property and/or personal injury;
- Reasonable and demonstrable costs incurred by the User to mitigate direct damages;
- Reasonable and demonstrable costs incurred by the User to compel Catermonkey to (re)comply properly with the User Agreement.
Catermonkey’s liability for all other (indirect) damages (such as but not limited to consequential damages, lost profits or revenues, damages caused by data loss or data corruption) is excluded.
The exclusions and limitations do not apply to the extent that the damage is the result of intentional and/or deliberate recklessness on the part of Catermonkey’s management.
Any claim for damages not brought within 12 (twelve) months of its occurrence shall lapse by operation of law.
6. Personal data
7. Intellectual property
All intellectual property rights related to the Catermonkey solution, as well as all software, information, and graphics that are part of Catermonkey, are the exclusive property of Catermonkey (Catermonkey IP). These may not be copied or used in any way (other than for Catermonkey’s regular use) without Catermonkey’s express written permission.
In the event Catermonkey faces an infringement claim or action by a third party that results or could result in the use of the Catermonkey IP being restricted or prohibited, Catermonkey is entitled to terminate this User Agreement in writing effective immediately.
User hereby grants Catermonkey the right to use its (brand) name and logo(s) on Catermonkey’s website and/or any resellers, however, solely to indicate for promotional purposes that User is a Catermonkey customer.
8. Applicable law and dispute resolution
A. User may store and manage Personal Data in Catermonkey. Catermonkey Processes such Personal Data on behalf of User. Catermonkey qualifies as a Processor.
Security incident has the meaning ascribed to it in Article 7.1(a).
Data subject means a natural person who can be directly or indirectly identified, in particular by means of an identification number or one or more factors characterizing his/her physical, physiological, mental, economic, cultural or social identity.
EEA means European Economic Area.
Privacy Laws means all laws and regulations, including laws and regulations of the Netherlands, the European Union, the EEA and their member states, applicable to the Processing of Personal Data and the interception of communications under this Agreement, including but not limited to the General Data Protection Regulation.
Subprocessor means a subcontractor engaged by Catermonkey that, as part of its role as a subcontractor under this Processor Agreement, will Process Personal Data.
Supervisor means the Personal Data Authority.
Controller means the entity that determines the purpose and means of Processing Personal Data.
Processor means the entity that Processes Personal Data on behalf of the Controller.
Processing means any operation or collection of operations performed on Personal Data by Catermonkey under this Processor Agreement, whether or not by automatic means, such as: collection, recording, organization, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or other making available, matching or combination, blocking, deletion or destruction.
Request means a request by a Data Subject to access, correct, amend, transfer or delete that person’s Personal Data.
2. Processing of Personal Data.
2.1 Both Parties will fulfill their obligations under the Privacy Law.
Roles of the parties
2.2 The parties acknowledge that with respect to the Processing of Personal Data, User qualifies as the Controller and Catermonkey as the Processor.
Personal Data Processing.
2.3 Catermonkey will only Process Personal Data on behalf of, and in accordance with the instructions of, User. User hereby instructs Catermonkey to Process Personal Data for the following purposes:
- (a) Processing by the Catermonkey platform, on behalf of User (for example, if User stores, modifies, or deletes personal data);
- (b) Processing to the extent necessary for the performance of this Processing Agreement;
- (c) Processing to comply with reasonable instructions provided by User (e.g., via email), to the extent that such instructions are consistent with the terms of the User Agreement and the Privacy Law and are technically reasonably practicable.
2.4 Catermonkey is also entitled to Process Personal Data if required to comply with disclosure requests enforceable under applicable law, provided that in such a case Catermonkey:
- (a) Notifies User where reasonably permitted of the request, the Personal Data involved, response time, identity of the requester and the legal basis of the request; and
- (b) where reasonably permitted, will await User’s instructions before releasing the information.
Scope and purpose; categories of Personal Data and Data Subjects
Restriction of disclosure
2.6 Other than as expressly permitted under this Processor Agreement, Catermonkey will not share Personal Data with third parties without User’s consent. Catermonkey will keep all Personal Data confidential.
3. Rights of Data Subjects.
3.1 At the time User receives a request from a Data Subject to modify, block, delete, or provide Personal Data, User may independently comply with such requests by using Catermonkey’s functionality. If this is not possible, Catermonkey will cooperate where reasonably possible to enable User to still comply with the Data Subject’s Request.
Requests from Concerned Parties
3.2 Catermonkey will notify User as soon as possible at the time it receives a Request from Data Subject regarding Personal Data. Catermonkey shall in such an event provide all reasonably necessary cooperation to User to enable User to comply with the Data Subject’s Request through the Candidate Portal.
Complaints or other requests
3.3 Catermonkey will notify User as soon as possible upon receipt of a question or complaint from Data Subjects regarding:
- (a) Users obligations under Privacy Law;
- (b) Personal data; or
- (c) a possible breach of this Processor Agreement,
and shall cooperate where reasonably possible at User’s request.
4 Staff of Catermonkey
4.1 Catermonkey warrants that its personnel involved in the Processing of Personal Data are aware of the confidential nature of Personal Data, are adequately qualified with respect to their responsibilities under this Agreement and under the Privacy Law, and will treat Personal Data confidentially.
4.2 Catermonkey will ensure that only its personnel responsible for Processing Personal Data have access to Personal Data.
Appointment of Subprocessors
5.1 User hereby authorizes Catermonkey to engage one or more Subprocessors to Process Personal Data, provided that:
- (a) Catermonkey informs User to employ the following sub-processors;
- Amazon Web Services
- (b) Catermonkey shall enter into a Subprocessor Agreement with each Subprocessor that provides substantially equivalent protection to this Processor Agreement and, in any event, complies with the Privacy Laws.
Responsibility of Subprocessors
5.2 Catermonkey is responsible and liable for:
- (a) Catermonkey’s performance of its obligations under this Processor Agreement, including when it outsources such performance to a third party;
- (b) coordinating Subprocessors, at no additional cost to User; and
- (c) any act, omission or default of its Subprocessors and personnel in the performance of obligations under this Agreement as if it were Catermonkey’s own act, omission or default.
- (a) implements and manages an information security program consistent with Privacy Law, including appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the security measures listed in Exhibit 1;
- (b) maintain proper records of all Processing of Personal Data (including a current log of Personal Data accessed or accessed by Catermonkey personnel at any time during the term of this Agreement), what Processing was performed, which Subprocessors were involved, and the geographic location of the Processing; and
- (c) adapt technical and organizational security measures in accordance with any technological developments.
6.2 User has assessed the security measures listed in Exhibit 1 and acknowledges that they are appropriate taking into account the state of the art, implementation costs and the nature, scope, context and purposes of Catermonkey’s Processing of Personal Data, as well as the risks associated with the Processing of Personal Data
7. Management and reporting of Security Incidents.
- (a) promptly notifies User by email and/or telephone, but in any event no later than within 24 hours, upon the occurrence of any incident that has resulted, or is reasonably likely to result, in the loss, theft, deletion, disclosure or damage of Personal Data and/or unauthorized use or access to Personal Data (a Security Incident );
- (b) provide all cooperation and information reasonably requested by User with respect to a Security Incident, including, as soon as possible following, and in any event within two (2) Business Days of Catermonkey’s discovery of the Security Incident:
- (i) A description of the Security Incident, including the categories of and estimated number of Affected Persons;
- (ii) a description of the Personal Data affected, including the categories and estimated number of Personal Data affected;
- (iii) if known, information on the likely consequences of the Security Incident;
- (iv) a description of how the Security Incident is being investigated and the mitigation measures already in place and to be implemented; and
- (v) Whether a Supervisor, the Data Subjects themselves and/or the media have been informed or are otherwise aware of the Security Incident, and their response(s).
7.2 Catermonkey will report the Security Incident to User in writing. In urgent cases, Catermonkey will also notify User by phone, SMS or WhatsApp, provided that such notification is followed up as soon as possible thereafter by a written confirmation from Catermonkey to User.
8.1 At User’s request, subject to appropriate confidentiality obligations, Catermonkey will cooperate no more than once per calendar year in an audit of Catermonkey’s data processing activities by an impartial expert (e.g., an auditor) engaged at User’s expense to verify Catermonkey’s compliance with its obligations in accordance with this Processor Agreement.
9. Return and deletion of Personal Data.
10. Transfer outside the EEA.
10.1 Catermonkey will not Process Personal Data outside the EEA without the prior written consent of User.
11. Cooperation and support in dealing with Supervisors.
11.1 Catermonkey will notify User as soon as possible if it receives a request from a Supervisor that relates to the Processing of Personal Data, unless prohibited by applicable law or by the Supervisor.
11.2 User shall take up such requests with the Supervisor itself unless the Supervisor requests Catermonkey to handle a request. The parties will inform and assist each other in dealing with such requests whenever possible and permitted.
13. Duration and termination
13.2 This Processor Agreement shall terminate by operation of law when Catermonkey ceases to process Personal Data provided to it as User’s Processor, unless otherwise agreed in writing between the Parties.
13.3 Upon termination of this Agreement in accordance with Article 13 or otherwise, all rights and obligations of the Parties under this Agreement (other than the rights and obligations set forth in Article 4 (_Rights of Data Subjects_), Article 4.1 (_Confidentiality_), Article 9 (_Return and Deletion of Personal Data_), Article 12 (_Liability_) shall terminate, provided that nothing in this Article 13 shall affect any rights or obligations under this Processor Agreement that arose prior to such termination.
14. Applicable law and disputes.
14.1 Any dispute regarding the (performance of) this Processor Agreement as well as any tort related to it shall be governed exclusively by Dutch law.
14.2 The Hague District Court shall have exclusive jurisdiction to hear any dispute, or any tort, arising out of this Processor Agreement.
Appendix 1 to the Processor Agreement.
Data processing details
This Schedule is part of the Agreement and must be completed by the Parties.
User is Controller.
Catermonkey B.V. is a Processor.
The Personal Data Processed relates to the following categories of Data Subjects:
(potential) candidates, employees, and users (including User).
Categories of Personal Data
- Contact information, including your address (and proof of address) and other contact information (e.g., email and phone information);
- Customer data of customers of User
- Communication with customers of User.
- Internal notes related to customers.
The Personal Data Processed is subject to the following processing activities:
Catermonkey stores and allows User to store, access, modify and delete the data. Catermonkey also offers functionality to automate certain operations.
Overview of security measures:
1. Virtual access control
Technical and organizational measures to prevent unauthorized use of data processing systems include:
- Encrypted passwords
- Automatic blocking/logout after 10 hours of no activity.
3. Data access management.
Technical and organizational measures to ensure that persons authorized to use a data processing system have access to such Personal Data only in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:
- Internal policies and procedures regarding passwords and periodic refreshing of passwords with access to Personal Data;
- Differentiated access rights (profiles, roles);
4. Disclosure Management
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and to verify to which companies or other legal entities Personal Data is provided, including:
- SSL encryption in all connections between our server(s) and browsers/API clients
- Standard best-practices for the Linux servers for data security.
5. Access control Technical and organizational measures to control whether data has been entered, modified or deleted (erased) on or from data processing systems and by whom, including:
- Logging and reporting systems;
6. Availability Control Technical and organizational measures to ensure that Personal Data is protected against accidental destruction or loss (physical/logical) including:
- 30-day retention on daily backups
8. Separation control Technical and organizational measures to ensure that Personal Data collected for different purposes can be processed separately, including:
- Separation/isolation of databases by Catermonkey customer.
- Separation of functions (production/testing);