This Data Processing Addendum ("DPA") is incorporated by reference into, and subject to the General Terms and Conditions of Service (“Agreement”) and our Privacy Policy (“Policy”) between Referral Factory BV (“we, “us,” or “our”) a Dutch limited with registration number KVK 71193529 and its registered address: Prinsengracht 301-G 1016 GX Amsterdam, the Netherlands, and the party to the Agreement ("Customer" or "you"). Referral Factory and Customer hereinafter also referred to as “Party” and “Parties.”

The Standard Contractual Clauses (“SCC”), as issued by the European Commission (“EC”) on June 4th, 2021, are an integral part of this DPA and incorporated by reference. Customer must be aware of the latest version of these Standard Contractual Clauses.

This DPA applies to any law, regulation or government directive related to the processing of all personally identifiable data and/or information (“Customer Data”) belonging to an individual (“Data Subject”) that is uploaded to our dashboard as part of our services to you. We may amend the Agreement and Privacy Policy from time to time. Your continued use of our services after any change of this DPA shall constitute your consent to such changes.

2.1. Scope and Roles. This DPA applies when Customer Data is processed by Referral Factory, its employees, affiliates, or contractors, and Customer has uploaded Customer Data as part of the Agreement. Customer understands and agrees that Referral Factory will only act as Data Processor. Customer acknowledges that it acts as Data Controller and remains responsible and liable for Customer Data.

2.2. Dashboard Tools. Referral Factory must make available to Customer dashboard controls and tools so that Customer can rectify and/or delete inaccurate or outdated Customer Data. Customer represents it is aware of these dashboard tools where both Customer and end-user are able to manage Data Subject’s privacy rights.

a. Subject Matter. The subject matter of data processing under this DPA and any other agreement is Customer Data.

b. Duration. The duration of the data processing under this DPA is determined by Customer, and follows the term of the Agreement.

c. Purpose. The purpose of the data processing under this DPA is to provide the services requested by Customer, offered to Data Subject and provided by Referral Factory.

d. Nature of the Processing. The storage, processing, and any other activities as described in the Agreement between Parties.

e. Type of Customer Data. Customer Data uploaded to Referral Factory’s dashboard under Customer’s account(s).

f. Categories of Data Subjects. Data Subjects may include Customer’s clients or customers, employees, suppliers, contractors, affiliates, and end-users.

g. Compliance. Each Party must comply with all applicable laws, rules, and regulations that are binding on Parties.

3.1. Duties. Customer and Referral Factory have implemented and will maintain the technical and organizational measures described in the relevant sections in this DPA. Parties have implemented and will maintain the technical and organizational measures mentioned in this section.

4.1. Authorised Sub-Processors. Customer authorizes Referral Factory’s use of sub-processors to provide processing activities on Customer Data in accordance with this DPA. Our Privacy Policy is available on: (https://referral-factory.com/privacy), and lists third-party sub-processors that are currently engaged by Referral Factory. Each time Referral Factory engages a sub-processor, Referral Factory will update the Privacy Policy.

4.2. Objection. In the event Customer objects to Referral Factory’s sub-processor(s) it may terminate the Agreement pursuant to its terms and conditions by sending a notice to Referral Factory.

4.3. Obligations and Responsibility. Referral Factory must restrict sub-processors access to Customer Data to the extent that is necessary to maintain services and dashboard access, and in accordance with Referral Factory’s legal obligations under this DPA.

4.4. Sub-Processor Level of Protection. Referral Factory will enter into a written agreement with each sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Referral Factory, must ensure the Sub-processor is bound by the same data protection obligations as Referral Factory.