Portal Delivery Terms

For the performance of the SurePay IBAN-Name Check Service via Portal Solution. Version 1.5-2023

Portal Delivery Terms 2023

IBAN-Name Check Services via Portal Terms of Delivery of SurePay BV, having its registered office in Utrecht, and for this agreement with place of business at Nicolaas Beetsstraat 222 3511 HG Utrecht, registered with the Chamber of Commerce, number 77251733,

1. General Conditions:
1.1 The Agreement
1.1.1 These terms of delivery shall apply to any delivery of IBAN-Name Check services by SurePay to Customer taking place via the SurePay IBAN-Name Check Portal (hereafter: “Agreement”). The Agreement between SurePay and Customer can be concluded by the mediation of a Partner or Software Supplier whereto the Agreement will also entail the agreement in place between Partner or Software Supplier and Customer.

1.1.2 Any other (general) terms and conditions of SurePay and/or Customer do not apply to the Agreement.

1.1.3 The Agreement shall be exclusively governed by Dutch law. Any dispute between SurePay and Customer with regard to the Agreement shall exclusively be submitted to the courts of Utrecht, the Netherlands.

1.1.4 SurePay is allowed to assign the Agreement to a third party. By signing this Agreement, Customer consents with such future assignment.

1.1.5 In agreeing with these terms and conditions, Customer’s employee does so on behalf of Customer and not as an individual. It shall be implied that Customer’s employee was permitted to do so by the Customer entity for the purpose of the provision of the Services by SurePay as set out herein.

1.2 Fees, Invoicing and Payments
1.2.1 The arrangements regarding fees, invoices and payments are described in the Service Fee sheet at: https://surepay.nl/en/pricing/

1.2.2 SurePay can change the fees at any given moment without prior notice during the term of the Agreement.

1.2.3 Payable invoices shall be paid within 10 days after the date of the invoice. If Customer fails to pay the amounts due or to pay the amounts due in a timely manner, SurePay shall be entitled to revoke Customer’s access to SurePay’s services without a demand or notice of default being required.

1.2.4 The invoicing process shall take place as follows:

1. The invoice contains the total amount charged for the Service.

2. Monthly invoicing for the first subscription month shall be done pro rata.
3. Monthly invoicing of the subscription costs takes place afterwards on the basis of the rates agreed between the Customer and the Service Provider.
4. At the end of each calendar month or upon termination of the agreement, a subsequent calculation takes place for the subscription Rate, based on the actual volume and the associated subscription fee.

5. Invoices are sent monthly, within 10 working days after the last day of the month and the invoice must be paid within 10 days.

6. Monthly checks that have not been consumed cannot be transferred to the next month.

1.3 Terms and termination
1.3.1 The Agreement shall come into effect and shall be entered into for the period Customer uses the Services. SurePay shall be authorised to either wholly or partially terminate the Agreement at its convenience at any moment, giving Customer a term of notice of one month.

1.3.2 Each party shall be authorised to either wholly or partially terminate the Agreement starting immediately, without further notice and without prior legal intervention, if:

the other party fails to comply with its obligations under the Agreement, unless the failure, in view of its special nature or limited significance, does not justify this dissolution and its consequences; insofar the non-compliance is not permanent, the authority to terminate does not arise until compliance with the obligations remains forthcoming after the expiration of a 30 days term specified in a written final notice.

the other party applies for a suspension of payments; – the other party has been declared bankrupt; – the other party is a legal person that is being dissolved.

1.3.3 SurePay shall be authorised to either wholly or partially dissolve this agreement starting immediately, without further notice and without prior legal intervention, if shares in or parts of the control over Customer’s company are transferred to a third party or if the other party has been accused of Fraud or Misuse of the Service.

1.3.4 SurePay shall be authorised to either wholly or partially terminate the Agreement starting immediately, without further notice and without prior legal intervention, without being liable to pay any damages or costs to Customer, if any party that provides SurePay with the data that are used by SurePay to perform its services towards Customer, does not allow SurePay to use such party’s data for the provisioning of the services to Customer.

1.3.5 SurePay shall be authorised to either wholly or partially terminate the Agreement starting immediately, without further notice and without prior legal intervention, without being liable to pay any damages or costs to Customer, when Customer does not pay the amounts due for the use of the SurePay services in line with Article 1.2.3.

1.3.6 In the event of termination, Customer will immediately discontinue use of the services. The termination of the Agreement does not relieve parties from the obligations under the Agreement, which by their nature continue, such as – but not limited to – the provisions with regard to confidentiality, liability, intellectual property, applicable law and competent court.

1.3.7 The Effective Date of this Agreement shall be the first day of the month of final signature (e.g. 17 September means the Effective Date is 1 September).

1.4 Collaboration
1.4.1 In order to facilitate the proper execution of the Agreement by SurePay, Customer shall at all times provide SurePay with all data or information that SurePay for that purpose deems to be useful, necessary and desirable and to give its full cooperation in a timely manner.

1.4.2 Customer shall bear the risk of the selection, the use, the application and the management within its organization of the IBAN Name Check services to be provided by SurePay. Customer itself shall arrange for the correct implementation and commissioning and for the procurement and application of the correct settings to the hardware, software, websites, cloud services, data files and other products and materials it uses in conjunction with the services.

1.4.3 If use is made of cloud computing, data or telecommunication facilities, including the internet, during the execution of the Agreement, Customer shall be responsible for selecting the correct resources required for this purpose and for ensuring that these are available in full and in a timely manner. SurePay shall under no circumstances be liable for losses or costs arising as a result of transmission errors, breakdowns or the non-availability of these facilities.

1.5 Use of third parties
1.5.1 SurePay is authorised to subcontract its obligations. With regard to third parties engaged by it, SurePay bears full responsibility for proper performance of the obligations under the Agreement.

1.6 Confidentiality and processing of personal data
1.6.1 Both parties recognise that the nature of the information that they receive within the scope of the implementation of the Agreement is strictly confidential. Confidential information is understood to mean: the content of the Agreement as well as all data and information (including computer software) provided within the scope of the Agreement, as well as data and information derived from processing confidential information received. Personal Data (defined in article 1.6.4) and information regarding business relations of the Customer Group are always confidential information.

1.6.2 Parties shall in no manner whatsoever, directly or indirectly, orally or in writing or otherwise, reveal confidential information to third parties, other than after prior written permission of the other party.

1.6.3 With regard to any confidential information from a party that – in whatever form or on whatever data carrier whatsoever – is held by or has been provided to the other party, the receiving party shall be obliged:

A. to observe all reasonable technical, physical and organisational measures for safe processing, keeping or storage;

B. not to use the confidential information for any other purpose than the implementation of the Agreement;

C. not to hold the confidential information any longer than is reasonably necessary for the execution of the agreed obligations and to return the confidential

information, including information derived from the confidential information and copies made, to the disclosing party immediately after full compliance with the said obligations or, after permission has been granted, to destroy it;

D. to have the agreed obligations executed only by persons which the receiving party in all fairness considers to be reliable and are contractually bound to respect the confidential nature of the confidential information under terms equivalent to these of the Agreement.

E. to notify the disclosing party promptly, about any security incident (which includes unauthorized use of confidential information or any data breach). In the event of a security incident, the receiving party is obliged to (i) take as soon as possible all necessary actions to rectify the security, (ii) keep the disclosing party informed about the situation, (iii) provide to the disclosing party immediately all requested information and assistance required to settle the incident and (iv) provide all necessary assistance to the disclosing party to comply with the statutory obligation to report data breaches.

F. to promptly notify the disclosing party about any legally binding request for disclosure of the confidential data by a competent authority unless such notification is prohibited;

G. to cooperate in the exercise of supervision by or on behalf of the disclosing party of storage and usage of confidential information;

H. Unless explicitly agreed otherwise, the disclosing party remains entitled to the confidential information and owner of the data carriers.

1.6.4 Without prejudice to articles 1.6.1, 1.6.2 and 1.6.3, SurePay shall process personal data, as defined in article 4 sub 1 of the General Data Protection Regulation (“GDPR’’), in a proper and careful manner and in accordance with the applicable legislation and regulations regarding the protection of personal data, as well as the applicable privacy and data protection regulations of the Customer Group. If and insofar – within the scope of the implementation of the Agreement – personal data is processed on behalf of Customer or parts of the Customer Group, the Agreement shall also apply as a data processing Agreement as specified in the GDPR.

1.6.5 The provisions of articles 1.6.1, 1.6.2 and 1.6.3 do not apply to confidential information that:

A. Is or becomes public in any other way than as a result of an accountable failing of the receiving party with regard to the Agreement;

B. Comes from a third party that does not have a requirement of confidentiality towards the revealing party with regard to this information;

C. Is or has been developed or learned independently by the receiving party, without using the provided information and without accountable failing of the receiving party with regard to the Agreement;

D. The receiving party is obliged to provide in order to comply with any legal obligations or judicial claims.

1.6.6 Parties can disclose confidential information to their employees, who have a need to know such information, provided that such employees, are contractually bound to respect the confidential nature of this information under terms equivalent to these of the Agreement.

1.6.7. Where Parties agree via written communication that a Data Processing Agreement is necessary for the execution of this Agreement, the Data Processing Agreement under Chapter 4 of this Agreement shall be considered in effect.

1.7 Publicity
1.7.1 Customer shall, without prior written permission of SurePay, not mention the existence of a relationship with SurePay in publications or advertising. Each permission shall apply until it is cancelled.

1.8 Legal Regulations
1.8.1 Both parties shall ensure that they will comply with all applicable rules and legislations that apply to the delivery and use of the IBAN-Name Check service.

1.9 Liability
1.9.1 The total aggregate liability of SurePay due to an attributable failure to perform the Agreement or due to any other reason, explicitly including any failure to comply with a guarantee obligation agreed with Customer, shall be limited to compensation of the direct damage or loss not exceeding the total amount annually paid by Customer to SurePay under the Agreement.

1.9.2 The liability of SurePay for indirect damage or loss, resulting loss, loss of profit, loss of savings, reduced goodwill, loss due to business interruption, loss as a result of claims from the Customer’s customers, loss in connection with the use of items, materials or software and/or services provided by third parties that SurePay is instructed to obtain by Customer and loss in connection with the engagement of secondary suppliers by SurePay on Customers instructions shall be excluded. The liability of SurePay due to the scrambling, destruction or loss of data or documents shall be excluded as well.

1.9.3 The exclusions and restrictions referred to in article 1.9.1 and 1.9.2 shall no longer apply if and in so far as the loss is the result of intentional acts or deliberate recklessness on the part of SurePay’s management.

1.9.4 A condition for the existence of any right to compensation shall in all cases be that Customer notifies SurePay in writing of the loss or damage as soon as possible after it occurs. Any claims for damages against SurePay shall expire by the mere lapse of twenty-four months from the date on which the claim arose.

1.10 Audit
1.10.1 Upon request of SurePay, Customer shall immediately lend its full cooperation to any investigations to be conducted by or on behalf of SurePay in relation to Customer’s compliance with the agreed restrictions on use. At the first request of SurePay, Customer shall grant SurePay, or an auditor engaged by SurePay access to its buildings and systems. SurePay shall maintain the confidentiality of all company information to be regarded as confidential that SurePay obtains from or on the premises of Customer within the context of this type of investigation, insofar as this information does not relate to the use of the software itself.

1.11 Security Measures
1.11.1 The following is explicitly required from Customer

The Customer shall have only one account per permitted User, this account shall have a single password and shall not be shared between the staff of the Customer. If the Customer wishes to have multiple accounts, this is possible by adding Users. Customer is responsible for safeguarding the User identity and Data;
Migration of a User shall be possible only in coordination with SurePay;
Customer shall ensure that all SurePay Data and User access is deleted upon termination of the Agreement; Customer shall ensure that its Users do not upload or submit any files which contain malware, bugs or other code insertions;
Customer shall not, and shall ensure that its Users do not, access or use the Portal in any manner by VPN or when having an active VPN connection.

1.11.2 Customer shall follow the Portal protocol and ensure that it complies with built in structures and checks by SurePay. This shall include, but not be limited to the verification of the User before they are added to the Portal as well as following password policy.

1.11.3 Failure to comply with these Security Measures as set forth in this Article 1.11 may result in the potential suspension and/or termination of the Agreement by SurePay with immediate effect and without SurePay being liable in any way for the damages flowing from such suspension and/or termination.

2. Special Provisions: Delivery of Services

2.1 Subject
2.1.1 The services to be provided are the IBAN-Name Check Services. SurePay delivers the Service to Customer through a Partner or directly via the Portal. Customer may use the Service exclusively to verify account details of Subjects with the ultimate goal of preventing fraud and mistakes in Customer’s payments (e.g. credit transfers or direct debits). To do so, Customers, directly or through a Partner, sends a Request to SurePay, that includes:

IBAN;
User input (name)

SurePay will validate the Request against the SurePay-database by means of the Portal. This database contains data of Dutch Banks (IBANs and names), the Dutch Chamber of Commerce and other data sources. SurePay will send a Response to Customer via the Portal, containing a name matching result and additional information on the account. SurePay may provide different types of Responses, depending on the Request content, as outlined in the Portal Specifications, which are subject to change.

2.1.2 Customer shall obtain a non-exclusive, non-transferable license to verify account details of Subjects with whom Customers have established/will establish a payment relation with the ultimate goal to prevent fraud and mistakes in Customer’s payments, and for which the right of use is limited to Customer’s own organizational purposes. Explicitly excluded is any usage of the Response by Customer other than described herein, such as in any case, but not limited to:

licensing, selling, leading, transferring, displaying, reproducing, or distributing (the deliverables of) the Service, or use the Service for any commercial purpose (i.e. to resell the responses obtained through the IBAN- based check services to third parties);
modifying, translating, adapting, merging, disassembling, improving or reverse engineering any part of (the deliverables of) the Service or its derivatives;
building a shadow database based on the responses;
using the Service with an intent to create similar products or services to what SurePay offers.

The Agreement does not imply a transfer by SurePay of any patent rights, copyrights or brand rights to the services made available.

2.1.3 When SurePay receives a Request, SurePay obtains the right to use the Request to perform the Service. The right of use includes storage, transportation, processing of the Request data involved. SurePay is allowed to log the Request for incident management and fraud monitoring purposes for a maximum of 30 days.

2.1.4 SurePay reserves the right to suspend or terminate the delivery of the Service without Customer’s prior consent, a.o. in case:

the Service runs the risk of being hacked;
and/or other emergency circumstances arise (f.i. changing laws and regulations) under which SurePay cannot reasonably be expected to continue delivering the Service.

2.1.5 In delivering its Service, SurePay relies on data retrieved from several external sources. SurePay cannot vouch for the correctness of those sources and therefore SurePay does not guarantee that a person can be identified correctly based on the responses obtained from the Service, nor that a suggested name is correct or adequate.

2.1.6 Customer recognises that the intellectual property rights on the software belonging to the computer system managed by SurePay (hardware including system and processing software used for the delivery of the services) rest with SurePay or with its suppliers of IT products.

2.1.7 If Customer requires any additional documentation, besides the documentation agreed upon or easily available to Customer on relevant websites and via other sources, SurePay shall be permitted to charge Customer for additional work and documentation required. This fee shall not exceed more than EUR 150 per hour of added work.

2.2. Customer Responsibilities
Customer guarantees it is entitled to deliver the data incorporated in Requests to SurePay.

In case a Software Supplier is involved by Customer in connection with the receipt of the Service or in storing the Responses on behalf of Customer, Customer is required to sign a contract with these Software Suppliers in order to impose these terms and conditions upon them and their sub-contractors. Customer is amongst others required:

to comply with their legal obligations, in particular regarding, but not limited to, the transparency requirements under data protection law;
to ensure that the SurePay data included in the SurePay Responses is stored in the European Economic Area.

Customer is allowed to save the SurePay Responses in its address book or environment with similar functionality.

3. Definitions

Term

Definition

Service

The IBAN Name Check Service as defined herein.

Customer

A Customer is defined as the party who ultimately benefits from the Service: who wants to have the details checked from its clients, suppliers, creditors and debtors in order to reduce fraudulent and misdirected payments and to that end has a contractual relationship with SurePay for the delivery of the Service.

Partner

The party with whom SurePay closes an agreement and who wishes to intermediate with respect to the delivery of the Service to Customers through its distribution network. 

Software Supplier

The party that integrates the Service into its platform and delivers its platform services to Customers. This party is a subcontractor of the Customer. The Software Supplier can store SurePay Data on behalf of Customer, in which case Customer and Software Supplier have closed a data processing agreement.

Subject

The party who’s IBAN and name are sent to SurePay in a request in order to have them checked. They are or want to become an end customer, supplier, creditor and/or debtor of Customer. 

SurePay

Data that is contained in the body of the SurePay responses, e.g. the result of the name matching, information about the IBAN and personal data of the subject such as name details.

4. Data Processing Agreement

1. Definitions

In this Data Processing Agreement, the terms Data Subject, Record, Data Breach, Processor, Controller and Personal Data shall have the meaning assigned to them by the GDPR.

2. Data Protection

The following arrangements shall apply for processing of personal data as defined in the GDPR:

A. SurePay processes personal data on behalf of Controller or parts of the Controller Group within the scope of the Agreement. This agreement shall be regarded as a data processing contract as defined in article 28 of the GDPR;

B. SurePay shall process personal data in a proper and careful manner and in accordance with the GDPR and all other applicable laws and regulations;

C. Processing of personal data shall exclusively take place for the proper performance of the Agreement, and in accordance with the written instructions of Controller as laid down in the Agreement;

D. The terms of the Agreement apply in full to this Data Processing Agreement. Likewise, the provisions of all Appendices to this Data Processing Agreement form an integral part of this Data Processing Agreement. Insofar as there are any inconsistencies between the Agreement and this Data Processing Agreement, the Agreement shall prevail, unless this Data Processing Agreement explicitly states that it varies from the Agreement, indicating the specific element affected.

3. SurePay’s Obligations

2.1 SurePay has no independent control over the Personal Data and shall process this Personal Data only by order of the Controller and in accordance with the latter’s written instructions in the Agreement and the agreed purposes and means by which personal data is processed. SurePay may not process the relevant Personal Data for its own benefit, for the benefit of third parties or for other purposes, except where such permission has been granted by Controller.

2.2 SurePay is explicitly prohibited from processing the Personal Data or allowing the Personal Data to be processed in any way other than described in the Agreement or this Data Processing Agreement.

2.3 At the request of Controller, SurePay will provide all reasonably necessary assistance, for instance: provide all co-operation so that the data subjects receive: access to their personal data at their request or have personal data removed or corrected.

4. Duty to cooperate regarding Data Subject’s Right of Access

3.1 SurePay shall fully cooperate with Data Subjects and Controller to allow Data Subjects, at their request, to (i) access their Personal Data, (ii) have Personal Data deleted or corrected, and/or (iii) obtain proof that Personal Data has been deleted or corrected if it is incorrect, or if the Principal disputes the Data Subject’s claim, to record the fact that the Data Subject considers its Personal Data to be incorrect. SurePay shall for this purpose always redirect Data Subjects to Controller since SurePay is unable to make these modifications itself.

4. Sub-Processing

4.1 SurePay shall exclusively allow the Personal Data to be accessed by those employees, agents and/or third parties for whom access to the Personal Data is necessary for the proper performance of the Agreement.

4.2 SurePay shall ensure that the employees, agents and/or third parties it enlists shall comply with the obligations regarding protection and confidentiality determined in this Data Processing Agreement and in the Agreement and shall bear full responsibility for this compliance.

4.3 SurePay will, when enlisting a new sub-processor related to the processing Controller’s data, inform Controller of said new sub-processor as far as possible in advance. If Controller wishes to object to SurePay’s use of said sub-processor, Controller can raise a formal written objection. Controller can then terminate the Agreement subject to the conditions and penalties set out in the Agreement.

5. Personal Data Transfers

5.1 Any transfer of Personal Data to Processor or any Third Party in a Non-Adequate Country shall be governed by adequate protection mechanism, for instance: the terms of the EC Standard Contractual Clauses. SurePay shall ensure that all Sub-Processors in a Non-Adequate Country sign the EC Standard Contractual Clauses or have other adequate protection mechanisms in place to protect the Personal Data. Processor and Controller shall work together to apply for and obtain any permit, authorisation or consent that may be required under Data Protection Law in respect of the implementation of this Clause 5.1 .

6. Technical and Organisational security measures for Personal Data

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, SurePay shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

6.2 In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised Disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.

6.3 SurePay works in accordance with ISO27001 and has an appropriate security policy in writing that has been implemented for the Processing of Personal Data and in any event describes the measures stated in this Clause 6.

7. Notifications of Disclosures and Personal Data Breaches

7.1 SurePay shall without undue delay and, where feasible, not later than 48 hours after having become aware of it, notify Controller in accordance with Clause 12 if:

A. it receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing, except where Processor is otherwise prohibited by law from making such disclosure;

B. it intends to Disclose Personal Data to any competent public authority, if permitted by law; or

C. it detects or reasonably suspects that a Personal Data Breach has occurred.

Where a notification pursuant to this Clause is not made within 48 hours, it shall be accompanied by valid reasons for the delay.

7.2 A notification pursuant to Clause 7.1 (c) shall include (i) the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, (ii) the date and time upon which the Personal Data Breach occurred, (iii) a description of the likely consequences of the Personal Data Breach, (iv) whether and, if so, which measures were taken to mitigate possible adverse effects of the Personal Data Breach and (v) any further information necessary for Controller to comply with Personal Data Breach notification requirements under Data Protection Law.

7.3 SurePay is not responsible for legitimate grounds of Data Processing under this Agreement. The purpose and grounds for Processing Personal Data under this Agreement are decided by the Controller. As such, SurePay is not responsible for any and all Personal Data Breaches resulting out of / or other non-compliance by Controller with GDPR legislation or other applicable privacy regulations. Controller takes full responsibility for said infringements of data protection regulations.

8. Notification of non-compliance and right to suspend or terminate

8.1 SurePay shall as soon as reasonably possible notify Controller if SurePay:

A. cannot for any reason comply with its obligations under the Annex;

B. becomes aware of any circumstance or change in Data Protection Law that is likely to have a substantial adverse effect on SurePay’s ability to meet its obligations under the Annex or Agreement; or

C. believes that an instruction by Controller related to the Processing infringes Data Protection Law.

8.2 Without prejudice to the termination clause(s) of the Agreement, SurePay may temporarily suspend the Processing in whole or in part if it, for any reason, is unable to meet its obligations under the Annex until such time that the non-compliance is remedied. This shall be governed by clauses in the Agreement.

9. Return and deletion of Personal Data

9.1 Where reasonably possible, all Personal Data shall be immediately returned to Controller, or destroyed by SurePay, upon termination of the Agreement except to the extent the Agreement or Data Protection Law provides otherwise. In that case, SurePay shall no longer Process the Personal Data, except to the extent required by the Agreement or Data Protection Law, or where it is not reasonably possible to destroy such data due to technical constraints. SurePay shall not retain Personal Data any longer than specified under the Agreement and in this Data Processing Agreement.

10. Inspection or audits by public authorities

10.1 In addition to the audit obligations laid down in the Agreement, either Party shall submit its relevant Processing systems, facilities and supporting documentation to an inspection or audit relating to the Processing by a competent public authority if this is necessary to comply with a legal obligation. In the event of any inspection or audit, each Party shall provide all reasonable assistance to the other Party in responding to that inspection or audit. If a competent public authority deems the Processing unlawful, the Parties shall take immediate action to ensure future compliance with Data Protection Law.

11. Term and Termination

11.1 This Data Processing Agreement shall be in effect jointly with the Agreement. Where the Agreement were to be terminated, this Data Processing Agreement shall be considered terminated as well.

11.2 Clause 11.1 shall not apply to those clauses which are reasonably understood to survive the termination of the Agreement, and are necessary for the final execution and applicability of Data Protection laws. Neither shall Clause 11.1 adversely affect any of the obligations and severable clauses contained in the Agreement.

12. Notices

12.1 All notices, confirmations and other statements made by the Parties in connection with this Annex shall be in writing and shall be in accordance with the relevant clauses of the Agreement.

13. Prevalence of the Agreement

13.1 In the case of conflict between the provisions contained in this DPA and the clauses as provided per the Agreement and its appendices. This DPA shall take precedence over the body of the Agreement and its appendices to the extent that it is required by relevant Data Protection legislation.

14. Jurisdiction

14.1 The jurisdiction to which this DPA is subject shall be same jurisdiction as is mentioned in the Agreement. If no explicit jurisdiction is decided upon in the Agreement, the exclusive jurisdiction over this DPA shall be Dutch law (including non-contractual disputes and claims). The sole competent court shall in that case be the courts of Utrecht, the Netherlands.

Annex 1 to the Data Processing Agreement

A. Categories of Data Subjects

The Personal Data being Processed concerns – to the extent relevant for the performance of the Agreement – the following categories of Data Subjects:

Existing and prospective customers, creditors and debtors of Controller or their employees;
Data Subjects making requests, enquiries, or providing information.

B. Categories of Personal

The Personal Data being Processed concern – to the extent relevant for the performance of the Agreement – the following categories of Personal Data:

A. Personal Details and Contact Information: Name; address; email; telephone details and other contact information.

B. Professional Details: Title; company and department or other professional affiliation.

C. Operational Data: Bank account number, User ID, usage data, access logs, activity logs, and electronic content produced by Data Subjects; IP address and other device identifiers.

D. Other Personal Data: Such other Personal Data that the Data Subject may provide within the context of the Agreement, or that are relevant to SurePay’s relationship with the Data Subject or that the Data Subject chooses to provide to SurePay, such as reviews, opinions and complaints about SurePay’s products and services.

Purposes of the Processing

The Personal Data being Processed concern – to the extent relevant for the performance of the Agreement – the following purposes:

Communications: Facilitating communication between the Parties and their personnel in the context of the execution of the Agreement.
Business Operations: Providing products and services under the Agreement, including the operating and managing of the relevant IT and communications systems.
Compliance: Complying with legal, tax and other requirements, such as recordkeeping and reporting obligations.