1. Introduction
1. This Privacy Policy is an integral part of the Ultimo Master Agreement (‘Agreement’) between Customer and Ultimo if and to the extent a SaaS Order Form thereunder has been agreed upon.
2. This Privacy Policy describes the applicable procedures for Personal Data processing and data management, and the protection and security measures Ultimo has taken into account whilst processing Personal Data. This Privacy Policy governs such data processing, data protection, data management and related matters when using SaaS, and describes how a person who is accessing and using SaaS on behalf of Customer (‘User’) can exercise their rights regarding their Personal Data, in accordance with the General Data Protection Regulation (‘GDPR’) and other related laws and regulations.
2. Personal Data
1. Regarding SaaS, Customer is the data controller and Ultimo is the data processor, as defined in the GDPR. If and to the extent that Personal Data of Users is involved when using SaaS, such information will be processed by Ultimo on behalf of Customer under the applicable SaaS Order Form under the Agreement in a proper, careful and secure manner, applying the GDPR principles of privacy and security by design and by default, and within the limits of the statutory regulations and the legitimate objectives of Ultimo and Customer respectively.
2. Personal Data is defined as set forth in the GDPR. Regarding SaaS, the Personal Data processed are the following categories: first name and last name, email address, and Customer company name.
3. Customer and User, respectively, are responsible for any Personal Data Customer or User provides to Ultimo, enters into the SaaS, or in any other way shares, discloses or stores during its access to or use of SaaS. Furthermore, Customer is responsible for all User accounts, and Customer procures that each User has agreed to choose a strong and secure password, to keep that password secure and confidential, to minimise the use of Personal Data, and otherwise to maintain due care while accessing and using SaaS.
4. Customer and User shall not misuse SaaS or engage in any disproportionate behaviour in connection with SaaS, and shall comply with the applicable laws and regulations, including but not limited to personal data protection under the GDPR. Customer procures that each User has agreed thereto.
3. Personal Data Processing
1. Ultimo will only store, use and otherwise process Personal Data on behalf of Customer for purposes within its normal business activities regarding the provision of SaaS as set forth in the applicable SaaS Order Form under the Agreement, and will protect any Personal Data in the SaaS as described in this Privacy Policy and in accordance with the GDPR.
2. The purpose and legitimate interest for processing Personal Data per category are as follows. The Personal Data set forth in article 2.2 is collected and processed when a User signs up and creates an account. Ultimo needs to collect and process this Personal Data in order to give Users access to and the right to use SaaS within the terms of the applicable SaaS Order Form under the Agreement, to identify and verify Users, and to provide support Services for using SaaS.
3. The Personal Data will be subject to the following basic processing activities: storage, structuring, consultation, and use. The objective of the processing of Personal Data by Ultimo is solely the performance of the SaaS and related Services, such as implementation, consultancy, data migration or (remote) support services, for Customer pursuant to the applicable SaaS Order Form under the Agreement.
4. Ultimo currently makes use of the following sub-processors for the SaaS processing activities:
Internet services and hosting provider: MS Azure and Sentia Netherlands B.V.;
Update support: NetRom;
Any related entities of Ultimo.
4. Personal Data Management
1. Ultimo shall provide Customer with commercially reasonable cooperation and assistance in handling a request by a User (as Data Subject under the GDPR) for access to, inspection, correction or deletion of the Personal Data of such Data Subject, or for the transmission of its Personal Data directly from Ultimo to another service provider, in accordance with the GDPR. Ultimo shall not respond to any such Data Subject request without Customer’s prior written consent.
2. The Personal Data will be stored for as long as the User has a User account as administered by Customer and for as long as the applicable SaaS Order Form under the Agreement between Customer and Ultimo is valid, except where mandatory retention obligations under applicable law require otherwise.
3. Customer is entitled to download any of the Personal Data up to fourteen (14) Business Days after the date of termination as applicable under the SaaS Order Form under the Agreement, which Ultimo will make available in a BAK file or other generally available format if and to the extent used by Ultimo at that time.
5. Personal Data Protection
1. Customer understands that the technical processing of the Personal Data of a User is fundamentally necessary in order to run, monitor or perform SaaS, as well as to take technical and organisational security measures. Customer expressly consents to the processing and storage of the Personal Data of any User, which is end-to-end encrypted, and Customer procures that User has acknowledged and understands that this will involve transmission over the internet and over various networks.
2. Ultimo will use commercially reasonable efforts to implement and maintain, to the extent necessary, appropriate technical and organisational security measures as specified in article 32 of the GDPR in general and in this Privacy Policy in particular. The technical and organisational security measures implemented by Ultimo are in accordance with the ISO27001 and ISAE3402 Type 2 certificates and other relevant security certification standards. These include that access controls are regularly verified by means of penetration testing, that transport layer security (TLS) is implemented, and that access to SaaS is limited to authorised Users and to authorised employees of Ultimo for update, maintenance, testing and support purposes. These measures will be updated from time to time.
6. Security
1. Customer understands that the technical processing and transmission of Customer’s data is fundamentally necessary in order to run, monitor or perform SaaS as well as to take technical and organizational security measures. Customer expressly consents to the processing and storage of User’s data, which is end-to-end encrypted, and User acknowledges and understands that this will involve transmission over the internet, and over various networks.
2. All Personal Data collected by using the SaaS will remain within the European Union. The hosting servers for SaaS are currently located in Amsterdam and Schiphol-Rijk, The Netherlands.
3. Ultimo shall maintain a security incident response procedure to recognise and address any security incident relating to the Personal Data. Only Ultimo’s authorised employees responsible for maintenance or helpdesk support will have remote access to the Personal Data stored in Ultimo’s SaaS, and only after prior request to and approval by Customer.
4. In case Ultimo discovers a security breach that may adversely affect the protection of Personal Data processed by Ultimo on behalf of Customer, Ultimo will notify Customer, to the extent permitted by law, as soon as reasonably possible. Ultimo will cooperate with Customer in the investigation of the data breach. Customer shall be responsible for notifying the relevant authority where a data breach is required to be reported to the applicable data protection authority under the GDPR.