LearningStone Data Processing Agreement
This data processing agreement is applicable to all processing of personal data to be undertaken by LearningStone (a trade name of Maximonster Interactive Things BV registered with the Chamber of Commerce under number 50474324, (hereinafter: Processor) for the benefit of another party (hereinafter: Controller) to whom it provides services through the online platform LearningStone (hereinafter: The Platform). The Controller is represented by the person who creates a LearningStone workspace and signs the agreement (the LearningStone Workspace administrator).
The controller signs this agreement electronically when creating or updating a new workspace subscription as a step in the subscription wizard. The name of the signer is recorded with a timestamp in the Workspace license record.
Article 1. Purposes of processing
1.1. Processor hereby agrees under the terms of this Data Processing Agreement to process personal data on behalf of the Controller. Processing shall be done solely for the purpose of:
- storing data in the ‘cloud’ for the benefit of Controller or the clients of Controller, and associated online services;
- providing and managing an online learning and collaboration environment by Processor for Controller;
- the management of the online member administration of the Controller, plus those purposes that are reasonably related or agreed upon with further agreement;
- the transmission of newsletters and other messages for Controller;
- the processing and storing of interactions between members of a sub-environment (hereafter: Workspace) of the Controller such as dialogues, posts, and comments and uploads by members.
1.2. The personal data to be processed by Processor for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement. Processor shall not process the personal data for any other purpose unless with Controller’s consent. Controller shall inform Processor of any processing purposes to the extent not already mentioned in this Data Processing Agreement. Processor however is permitted to use personal data for quality assurance purposes, including surveys to data subjects and statistical research purposes regarding the quality of Processor’s services.
1.3. All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.
Article 2. Processor obligations
2.1. Regarding the processing operations referred to in the previous clause, Processor shall comply with all applicable laws and regulations as detailed in General Data Protection Regulation (GDPR).
2.2. Upon first request Processor shall inform Controller about any measures taken to comply with its obligations under this Data Processing Agreement.
2.3. All obligations for Processor under this Data Processing Agreement shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees in the broadest sense of the term.
2.4. Processor shall inform Controller without delay if in its opinion an instruction of Controller would violate the legislation referred to in the first clause of this article.
2.5. Processor shall provide reasonable assistance to Controller in the context of any privacy impact assessments to be made by Controller.
Article 3. Transfer of personal data
3.1. Processor may process the personal data in any country within the European Union.
3.2. Transfer to countries outside the European Union is not permitted.
3.3. Processor shall report to Controller of the countries involved.
Article 4. Allocation of responsibilities
4.1. Processor shall make available IT facilities to be used by Controller for the purposes mentioned above. Processor shall not itself perform processing operations unless separately agreed otherwise.
4.2. Processor is solely responsible for the processing of personal data under this Data Processing Agreement in accordance with the instructions of Controller and under the explicit supervision of Controller. For any other processing of personal data, including but not limited to any collection of personal data by Controller, processing for purposes not reported to Processor, processing by third parties and/or for other purposes, the Processor does not accept any responsibility.
4.3. Controller represents and warrants that the content, usage and instructions to process the personal data as meant in this Data Processing Agreement are lawful and do not violate any right of any third party.
Article 5. Involvement of sub-processors
5.1. Processor shall involve third parties in the processing under this Data Processing Agreement as stipulated in the annex and will inform Controllers of significant changes.
5.2. In any event, Processor shall ensure that any third parties are bound to at least the same obligations as agreed between Controller and Processor.
5.3. Processor represents and warrants that these third parties shall comply with the obligations under this Data Processing Agreement and is liable for any damages caused by violations by these third parties as if it committed the violation itself.
Article 6. Security
6.1. Processor shall use reasonable efforts to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed).
6.2. Processor shall implement at least the specific security measures as summarized in the security annex attached to this agreement. Processor has the right to unilaterally improve or otherwise change the security annex if so needed.
6.3. Processor does not warrant that the security is effective under all circumstances. If any security measure explicitly agreed in this Data Processing Agreement is missing, then Processor shall use best efforts to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.4. Controller shall only provide personal data to Processor for processing if it has ensured that the required security measures have been taken. Controller is responsible for the parties’ compliance with these security measures.
Article 7. Notification and communication of data breaches
7.1. Controller is responsible at all times for notification of any security breaches and/or personal data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable Controller to comply with this legal requirement, Processor shall notify Controller within a reasonable period after becoming aware of an actual or threatened security or personal data breach.
7.2. A notification under the previous clause shall be made only for actual breaches with severe impact .
7.3. The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- include the name and contact details of the person responsible for data protection or an alternative contact person.
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Article 8. Processing requests from data subjects
8.1. In the event a data subject makes a request to exercise his or her legal rights under data protection legislation to Controller, the parties shall jointly consult on how to handle the request. Controller shall however retain final responsibility on the request.
Article 9. Confidentiality obligations
9.1. All personal data that Processor receives from Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. Processor shall not use this information for any goals other than for which it was obtained, not even if the information has been converted into a form that is no longer related to an identified or identifiable natural person.
9.2. The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.
Article 10. Audit
10.1. Controller has the right to have audits performed on Processor by an independent third party bound by confidentiality obligations to verify compliance with the Data Processing Agreement, and all issues reasonably connected thereto.
10.2. This audit may be performed in case a substantiated allegation of misuse of personal data has arisen.
10.3. Processor shall give its full cooperation to the audit and shall make available employees and all reasonably relevant information, including supporting data such as system logs.
10.4. The audit findings shall be assessed by Processor and implemented if and to the extent deemed reasonable by Processor.
10.5. The costs of the audit shall be borne by Controller.
Article 11. Liability
11.1. The liability of parties for any damages as a result of a reputable failure to comply with this Data Processing Agreement, unlawful acts or otherwise, is limited to direct damages per event (a sequence of successive events counting as one event), up to the amount received by the other Party for all activities under this Data Processing Agreement for the month prior to the event. Any liability of the parties for direct damages shall in any event never be more than EUR 10.000,00.
11.2. Direct damages shall include only:
- damages to physical objects;
- reasonable and proven costs to cause the party in question to regain compliance with this Data Processing Agreement;
- reasonable costs to assess the cause and extent of the direct damage as meant in this article; and
- reasonable and proven costs that Controller has incurred to limit the direct damages as meant in this article.
11.3. Any liability for indirect damages by the Parties for indirect damages is excluded. Indirect damages are all damages that are not direct damages, and thus including but not limited to consequential damages, lost profits, missed savings, reductions in goodwill, standstill damages, failure to meet marketing requirements, damages as a result of using data prescribed by Controller, or loss, corruption or destruction of data.
11.4. No limitation of liability shall exist if and to the extent the damages are a result of intentional misconduct or gross negligence on the part of the party in question or its directors.
11.5. Unless a failure by the party in question is incapable of redress, any liability shall exist only if the other party puts the responsible party on notice of default, including a reasonable term for addressing the failure, and the responsible party fails to comply even after this term. The notice shall contain a detailed description of the failure to ensure that the responsible party has a reasonable opportunity to address the failure.
11.6. Any claim for damages either party to the other that is not specifically notified in detail shall be extinguished by the passage of twelve (12) months after the date its cause first arose.
Article 12. Term and termination
12.1. This Data Processing Agreement enters into force upon signature by the parties and on the date of the last signature.
12.2. This Data Processing Agreement is entered into for the duration of the cooperation between the parties.
12.3. Upon termination of the Data Processing Agreement, regardless of reason or manner, Processor shall - at the choice of Controller - return in original format or destroy all personal data available to it.
12.4. Processor is entitled to amend this Data Processing Agreement from time to time. Processor shall notify the Controller of amendments at least three months prior to their taking effect. Controller may terminate if the amendments are unacceptable to it.
Article 13. Applicable law and competent venue
13.1. This Data Processing Agreement and its execution are subject to Dutch law.
13.2. Any disputes that may arise between the parties in connection with this Data Processing Agreement shall be brought to the competent court for the place of business of Processor.
The controller signs this agreement electronically when creating a new Workspace on the Platform and / or confirming new conditions as a step in the subscription wizard. The name of the signer is recorded with a timestamp in the Workspace license record.
Processor: LearningStone by Maximonster Interactive Things
Represented by: Michiel Klønhammer
Date: Date timestamp on The Platform
Appendix 1: Stipulation of personal data and data subjects
In the context of Article 1.1 of the Processor Agreement, the processor will process the following (special) personal data on behalf of the Processing Officer. The details of individual member accounts are managed by the respective account holders (the members) after they accept an invitation and can be viewed and modified by these members at any time. When a member is removed from a group space, all personal data will be removed from that groupspace.
- Phone numbers
- Social media accounts (through a connection for login, no passwords)
- E-mail address (unsubscribing possible without logging in)
- IP address
- Birth dates
- Profile photos
- name and address details
- The details of other members of group rooms that a person is in.
- Members of collaborative group spaces can share the following information: uploads (including video and images), text and interactions with other members.
- Workspaces administrators (multiple group spaces) can share files, texts and interactions with an entire Workspace or - when done on a public page - with the entire world.
The Platform offers paid services and will ask for data for invoicing. The Platform only asks for bank account numbers when this is strictly necessary for payments. The account numbers and associated data of the account holder are entered directly into the system provided by payment provider Stripe when creating or updating an account and are not stored by Het Platform. For more information on the security and retransmission of data by Stripe: https://stripe.com/privacy-shield-policy
Of the categories of people involved:
- People who are invited to become a member the platform (pending invitations)
- Account holders / Group space members within the learning environment
Appendix 2: Technical and organizational security measures
Privacy by design
The Platform is designed so that users can easily distinguish between public and private areas with a clear division of roles for the members of a Platform Workspace. Each Workspace has one or more public pages managed by the Workspace administrators. The Workspaces contain group spaces. Workspace administrators can access all group spaces in a Workspace and share data between the group spaces within a Workspace. Members of a group space can only access the information within that group space. Only members of collaborative group spaces can see each other and exchange information with each other.
Administrators, coaches or members can log in to the application with an account on the Platform. This is a unique username and password. This password is never visible, is never mailed and can never be seen by employees of controller. It is also possible to use an external login such as the Facebook or LinkedIn login. No data is transferred to Facebook or LinkedIn outside of the authorization request.
Secure hosting location
The Platform is hosted in a secure data center in the Netherlands. See Sub Processors.
No unnecessary data collection
No unnecessary data is required by the application (e.g. gender, age, etc.) though individual administrators may ask members to enter such information. No financial data, figures or health data are stored by the Platform, but it is possible that the individual administrators or group members within the Workspace will enter this information.
Permanently deletion of data
The Controller can ask the Processor to permanently remove a Workspace. This deletes the member accounts completely unless they also are used by the members in another Workspace. In that case only the link with that account and all data that is added within the Workspace will be deleted.
No direct links
It is not possible to consult information outside the security system using direct links.
The servers are only accessible by a limited number of employees who have signed an agreement about security and confidentiality with the Processor.
It is possible that employees of the Processor will look at content and data entered within a Workspace, group space or individual account by the Controller or the clients of the Controller for support purposes. This is done with the utmost confidentiality and never shown to third parties.
All data from the Platform is backed up daily, after encryption via AES256, and stored at a remote location. These backups are only available to a limited number of employees of the Processor and are only used in emergencies. It is possible that data loss will occur during a restore.
Individual media items on the Platform can be deleted and cannot be restored by the members of the group.
Backups are deleted after one year.
The login page and all pages of the application are protected by an SSL-certificate.
Automatic pen testing
The Platform's servers are automatically tested for penetration options every week.
Appendix 3: Sub-Processors
Processor uses the following Sub-Processors for the Platform. It is possible that this list will be expanded in the future.
- Trans-IP Netherlands: hosting and back-up services.
For more information. http://www.transIP.nl
- Google Analytics: page statistics and possibly IP numbers are tracked and analyzed. As a European company, the processor falls under the modified processor agreement of Google and has restricted its data sharing with Google. For more information see: https://support.google.com/analytics/answer/3379636?hl=en
- Stripe: For subscriptions to our services by Workspace administrators, we use payment provider Stripe which is located in Ireland and exchanges data with their US office with a privacy shield.
For more information on the security and transmission of data by Stripe: https://stripe.com/privacy-shield-policy
- Embedded media: The Platform makes it possible to embed media such as YouTube and Vimeo in a page. By looking at these media, the underlying services obtain information such as location data from the users.
- To manage and contact our contacts and clients we use Pipedrive (a CRM, see https://www.pipedrive.com/en/privacy), Outfunnel (email with analytics, https://outfunnel.com/privacy), and MailChimp (email with analytics, see https://mailchimp.com/legal/privacy).
- We link to contacts and clients with LinkedIn. Individual users may link with our page’s on LinkedIn. LinkedIn offers tracking analytics to show which users go to our website. For more information see: https://www.linkedin.com/legal/privacy-policy
November 20th 2019: added sub processors Pipedrive, Outfunnel, MailChimp, LinkedIn.
June 10th 2018: introduction paragraph: Maximonster Interactive Things BV, was replaced by “LearningStone, a trade name by Maximonster Interactive Things BV.”
April 24th 2018: original version