Data Processing Addendum

Date: February 14, 2022

This Data Processing Addendum (the “Addendum”), including all of the appendices, for part of the Terms & Conditions or any other written agreement between (a) Innomated B.V., a company registered under the laws of the Netherlands at Overschiestraat 59, 1062XD Amsterdam, under company number 83247092 (the “Processor”), and (b) the legal entity registering for the use of the Processor’s services (the “Controller”).
The Processor and Controller are hereinafter jointly referred to as the “Parties”.
This Addendum will apply to all forms of processing of personal data that the Processor carries out on behalf of the Controller.
The Addendum is incorporated by reference to Cleaner Mails Terms and Conditions available at:

Article 1. General

In this Addendum, capitalized terms have the meaning included in the General Data Protection Regulation EU 2016/670 (the “GDPR”), unless otherwise defined herein.


Processor undertakes to process certain Personal Data on the conditions of this Addendum on behalf of the Controller. Processing will only take place on the basis of the purposes as agreed between the Parties.


The purpose of processing of Personal Data under this Addendum will be the delivery of services by the Processor, which include, but are not limited to, the verification of email addresses.


The Processor may only process Personal Data in compliance with the terms of this Addendum.


The Controller is solely and absolutely entitled to determine which types of Personal Data from which categories of data subjects are to be processed by the Processor.


The Processor may not process the Personal Data for any other purpose than as determined by the Controller.


The Processor will store and process the Personal Data only on servers located within the European Union.

Article 2. Processor Obligations

The Processor hereby agrees that it will comply with any and all applicable laws, including the GDPR, and that Personal Data is processed in a proper, careful, and transparent manner.


The Processor will inform the Controller, at Controller’s first request, about the measures Processor has taken with regard to its obligations under this Addendum.


The obligations of the Processor arising from this Addendum also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.


The Processor will only give access to the Personal Data to those employees, subcontractors, or other persons under their management and supervision insofar as this is necessary for the performance of the Addendum.


The Processor must immediately notify the Controller if, in Processor’s opinion, an instruction from the Controller is contrary to the GDPR or this Addendum.


The Processor will, insofar as it is within its power, provide assistance to the Controller for the purpose of performing data protection impact assessments (DPIAs). The Processor may charge the reasonable costs it incurs in this context to the Controller.

Article 3. Processing of Personal Data

The Processor will process Personal Data that is entered by the Controller through the Processor’s services. This may include Personal Data relating to third-party Data Subjects. The main categories of Personal Data that will be processed are email addresses.


These email addresses belong to individuals and businesses who are part of the Controller’s email list and are submitted for verification under the Processor’s services.


Special categories of Personal Data as defined under Article 9(1) of the GDPR are not processed under this Addendum.


The Processor shall process the Personal Data under this Addendum only for as long as necessary in accordance with the purpose as detailed in this Addendum.

Article 4. Transfer of Personal Data

Processor may process personal data in countries within the European Union. Transfer to countries outside the European Union is also permitted, provided the legal conditions for this are met.


At the request of the Controller, the Processor shall report to the Controller which country or countries Personal Date is processed in.

Article 5. Division of responsibility

The Processor processes Personal Data under this Addendum, in accordance with the instructions of the Controller and under the explicit ultimate responsibility of the Controller.


The Controller guarantees that the content, the use and the assignment for the processing of the Personal Data as referred to in this Addendum are not unlawful and do not infringe any right of third parties.

Article 6. Engaging third parties or subcontractors

The Controller hereby grants the Processor permission to engage sub-processors for the processing of Personal Data if such sub-processors are located within the EU. If the Processor wishes to add new sub-processors located outside the EU, the Controller must agree in writing. In the event that the Controller has objections to engaging any third party, a suitable solution must be sought in mutual consultation. If the Parties cannot come to an appropriate solution, the Controller may terminate this Addendum if the use of a specific notified third party is unacceptable to Controller.


Processor will in any case ensure that these third parties assume at least the same obligations in writing as agreed between Controller and Processor. Such obligation must be laid down in a written processing Addendum between the Processor and this sub-processor.


Processor guarantees compliance with the obligations under this Addendum by these third parties and in the event of errors of these third parties is itself liable for all damage as if it had committed the error(s) itself.


Processor shall remain fully responsible and liable for the fulfillment of its obligations under this Addendum and/or applicable law.

Article 7. Security

Processor will endeavor to take sufficient technical and organizational measures with regard to the processing of Personal Data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, damage, disclosure, or modification of the Personal Data).


The Processor will make every effort to ensure that its security processes meet a level that is not unreasonable by reference to the type, scope, context, and purposes of processing, the sensitivity of the Personal Data involved, and the costs associated with implementation.


In its determination of appropriate technical and organizational security measures, the Processor shall at least implement such measures that comply with applicable privacy and data protection laws and regulations, and which guarantee the availability, integrity and confidentiality of Personal Data.


The minimum technical and organizational measures implemented by the Processor shall be to:


Protect information from unauthorized access or misuse;


Ensure the confidentiality of information;


Maintain the integrity of information;


Maintain the availability of information systems;


Comply with regulatory, contractual, and legal requirements;


Maintain physical, logical, environmental, and communicative security;


Regularly test and evaluate whether these measures are effective at securing the Personal Data;


Dispose of Personal Data in an appropriate and secure manner when no longer in use.


The following measures have been implemented by the Processor in order to ensure and evaluate the security of the Personal Data:

a. Technical measures such as:

Encryption of Personal Data;


Use of firewalls;


Use of access controls;


Processor will periodically review its measures against the industry security standards.

b. Organizational measures such as:

Awareness and training for any and all staff who may get into contact with any Personal Data;


Reviewing and auditing functions, activities, and systems against procedures and regulations;


Due diligence checks on all business partners such as suppliers and service providers;


Use of policies and procedures with all staff to ensure the high level of security is implemented organization-wide.

Article 8. Duty to report

The Controller is at all times responsible for reporting a data breach (a data breach is understood to mean: a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorized provision of or unauthorized access to forwarded, stored or otherwise processed Personal Data, as referred to in Article 4 (12) of the GDPR, unless it is unlikely that the data breach constitutes a risk to the rights and freedoms of natural persons) to the supervisor and/or those involved. In order to enable the Controller to comply with this legal obligation, the Processor will inform the Controller of any data breach without unreasonable delay, but in any case, within 24 hours after the (suspected) data breach has become known to the Processor.


The duty to report includes in any case reporting the fact that there has been a data breach. In addition, the duty to report includes:


the (alleged) nature of the data breach, stating, where possible, the categories of data subjects and personal data registers concerned and, approximately, the number of data subjects and personal data registers concerned;


the name and contact details of the data protection officer or other contact point where more information can be obtained;


the likely consequences of the data breach;


the measures (provisional and proposed) that the Processor has proposed or taken to address the data breach, including, where appropriate, the measures to limit any adverse consequences thereof.

Article 9. Handling requests from data subjects

In the event that a data subject submits a request to exercise his/her legal rights to the Processor, the Processor will forward the request to the Controller, and the Controller will further process the request. Processor may inform the data subject of this. The Processor will, insofar as this is within its power, assist the Controller in handling requests. The Processor may charge the additional costs it incurs in this context to the Controller.

Article 10. Confidentiality

All Personal Data that the Processor receives from the Controller and/or collects in the context of this Addendum, is subject to a duty of confidentiality. Processor may not use this information for any purpose other than that for which it has been obtained and for which the Controller has expressly given consent.


The Processor shall oblige its employees, subject to mandatory legal obligations, to maintain confidentiality with regard to all Personal Data that the Processor receives from the Controller and of which they become aware. The Personal Data will only be disclosed to those employees and/or third parties who must necessarily take note of the Personal Data.


This duty of confidentiality does not apply to the extent that the Controller has given explicit permission to provide the information to third parties; if the provision of the information to third parties is logically necessary in view of the nature of the assignment given and the implementation of this Addendum, or; if there is a legal obligation to provide the information to any third party.

Article 11. Audit

The Controller has the right to have audits carried out by an independent auditor to check compliance with all terms in this Addendum. The Controller will announce the audit to the Processor in advance, with due observance of a period of at least two weeks.


The findings resulting from the audit will be assessed by the Parties in mutual consultation and, as a result thereof, may or may not be implemented by either party or by both Parties jointly.


The costs of the audit will be borne by the Processor if it appears that work has not been carried out in accordance with this Addendum, and/or if substantial errors are found, which can be attributed to the Processor. In any other case, the costs of the audit will be borne by the Controller.

Article 12. Liability

The Processor’s liability for damage as a result of an attributable shortcoming in the fulfillment of this Addendum, or arising from tort, contract, or otherwise, is limited per event (a series of consecutive events counts as one event) to the compensation of direct damage.


Direct damage is exclusively understood to mean all damage consisting of:


damage caused directly to material objects (“property damage”);


reasonable and demonstrable costs to remind the Processor to properly comply with the Addendum;


reasonable costs to determine the cause and extent of the damage insofar as it relates to the direct damage as referred to here; and


reasonable and demonstrable costs incurred by the Controller to prevent or limit the direct damage as referred to in this Article.


The liability of the Processor for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and thus in any case, but not limited to, consequential damage, lost profit, lost savings, reduced goodwill, damage due to business interruption, damage due to not achieving marketing objectives, damage related to the use of data or data files prescribed by the Controller, or the loss, mutilation or destruction of data or data files and any fines imposed on the Controller by the Dutch Data Protection Authority.


The exclusions and limitations referred to in this Article will lapse if and insofar as the damage is the result of intent or willful recklessness on the part of the Processor.


The exclusions and limitations referred to in this Article will lapse if and insofar as the damage is the result of intent or willful recklessness on the part of the Processor.


Any claim for compensation by the Controller against the Processor that is not specified and explicitly reported will lapse within twelve (12) months after the claim arose.


The Parties hereby indemnify each other for all claims, actions, losses, damages, and expenses resulting from a breach of this Addendum or the GDPR by the indemnifying party.

Article 13. Duration and Termination

This Addendum will come into full force and effect when the Controller signs the Addendum, albeit electronically.


This Addendum has been entered into for the duration as determined in the Main Addendum between the Parties and, in the absence thereof, in any case for the duration of the collaboration.


As soon as this Addendum is terminated, for whatever reason and in any way, the Processor will either return all Personal Data in its possession in original or copy form to the Controller and/or permanently destroy the original and copies of the Personal Data, whichever is requested by the Controller.

Article 14. Final Provisions

This Addendum, its interpretation, and its implementation are exclusively governed by Dutch law.


Insofar as the rules of mandatory law do not prescribe otherwise, all disputes that may arise as a result of this Addendum will be submitted to the competent Dutch court.


In the event of any inconsistency between this Addendum and the applicable Terms and Conditions, this Addendum shall prevail.


If one or more provisions of the Addendum prove to be void or not legally valid, the remainder of this Addendum will remain in full force and effect. The Parties will jointly replace the voided or invalidated provisions with a provision that best matches the original provision.


The Parties will cooperate fully with each other in order to adjust this Addendum and to update it to incorporate new or amended legislation. Any modification of this Addendum must be agreed to in writing by both Parties.