Version 01 — Effective date: 1 September 2024
Integrated B2B terms for consultancy services, Software / Opportunity Management Tool (OMT), and SampX managed commerce operations.
10 ops B.V., trading as 10ops, registered with the Dutch Chamber of Commerce under number 94854742, VAT number NL866914572B01, having its registered office at De Lirp 8, 6419 EW Heerlen, the Netherlands with notice email legal@10-ops.com. Effective date: 01/09/2024.
Agreement: the agreement between 10ops and Client consisting of the proposal, order form, statement of work, service schedule, DPA, SLA, these Terms, and any amendments.
Client: the legal entity acting in the course of business that contracts with 10ops.
Consultancy Services: advisory, implementation, training, research, facilitation, project execution, opportunity management, and related professional services.
Software / OMT: the Opportunity Management Tool and any related portal, dashboard, API, documentation, configuration, or hosted environment made available by 10ops.
SaaS Services: access to and use of the Software as a hosted or cloud-based service.
SampX Services: managed e-commerce, marketplace, data, order, fulfilment, logistics, and customer support services performed by 10ops on behalf of Client.
Deliverables: reports, analyses, presentations, configurations, implementation outputs, training materials, and other agreed work product expressly identified as deliverables.
Third-Party Services: software, hosting, cloud tools, payment providers, marketplaces, carriers, warehousing, fulfilment, and other services not owned and operated by 10ops.
Confidential Information: all non-public commercial, technical, financial, legal, operational, and strategic information disclosed by one party to the other.
Personal Data, Controller, Processor, Data Subject, and Processing have the meanings given in the GDPR.
Business Day: a day other than a Saturday, Sunday, or public holiday in the Netherlands.
Force Majeure Event: any event beyond a party's reasonable control, including internet outages, cyber incidents, utility failures, war, strikes, emergency government measures, supplier failures, pandemics, sanctions, or carrier disruptions.
These Terms apply to all offers, quotations, order forms, statements of work, services, Software, and SampX Services provided by 10ops.
Any terms and conditions of Client are expressly rejected unless expressly accepted in writing by 10ops.
Precedence: (i) these Terms; (ii) signed order form or statement of work; (iii) signed schedule or SLA; (iv) signed DPA; (v) purchase order for administrative purposes only.
Notwithstanding the foregoing, the provisions relating to fees and payment, intellectual property, confidentiality, data protection, warranties and disclaimers, indemnities, limitation of liability, suspension, termination, governing law and dispute resolution shall prevail over any order form, statement of work, schedule, purchase order, procurement portal terms, email or other Client document unless the relevant document expressly identifies the clause being amended and expressly states that it overrides that specific clause.
Electronic acceptance, including e-signature, click acceptance, emailed approval, and procurement portal acceptance, is binding.
These Terms may only be varied by a written agreement signed by authorized representatives of both parties.
All quotations and proposals are non-binding unless expressly stated otherwise.
The Agreement is formed when a proposal or order is signed, accepted electronically, or when 10ops starts performance at Client's request.
Scope, timelines, budgets, and staffing are based on assumptions known at the time of contracting and may be adjusted if inputs, dependencies, or scope change.
Any change request may lead to revised fees, milestones, acceptance criteria, and resource commitments.
Unless expressly agreed otherwise, all services are performed on a best-efforts basis and not as a result obligation. No obligation of 10ops shall be interpreted as an obligation to achieve a specific result unless the Agreement expressly states: "this obligation is a result obligation." Any deadlines, estimates, forecasts, business cases, opportunity assessments, market analyses, sales expectations, implementation plans, or commercial projections are indicative only unless expressly agreed otherwise in writing.
10ops does not guarantee any specific strategic, commercial, financial, operational, deal, sales, margin, or efficiency result.
10ops may use subcontractors, affiliates, and Third-Party Services in performing the Agreement.
10ops may refuse instructions that are unlawful, unsafe, non-compliant, unethical, or materially outside the agreed scope.
Analyses, reports, recommendations, forecasts, market assessments, business cases, opportunity assessments, rankings, scores, dashboards, models, financial projections, commercial projections and other outputs provided by 10ops are based on information available at the time, Client inputs, assumptions, third-party information, public sources, professional judgement and, where applicable, automated or AI-assisted tools.
Such outputs are intended solely as decision-support information and shall not be construed as guarantees, commitments or predictions of future results.
10ops does not warrant that any such output is complete, accurate, current, error-free or suitable for a specific business, commercial, investment, legal, regulatory or operational purpose.
Client remains solely responsible for independently validating all outputs and for all business, investment, commercial, operational, legal and strategic decisions made based upon them.
Consultancy Services may include advisory work, market analysis, training, workshops, implementation support, project execution, and business development support.
Deliverables, configurations, reports, analyses, workshops, training materials, data outputs, dashboards, implementation outputs, and other work products are deemed accepted upon the earliest of: a. written approval by Client; b. use in business operations; c. sharing with third parties; d. publication, implementation, upload, or deployment; or e. expiry of 10 Business Days after delivery without a substantiated written rejection.
Rejection is only valid if Client identifies a material non-conformity against expressly agreed written specifications. General dissatisfaction, changed business priorities, internal disagreement, or comments on style, format, assumptions, or commercial conclusions do not constitute valid rejection.
Minor defects or comments do not justify rejection and will be addressed through reasonable clarification or correction where applicable.
10ops retains the right to reuse general know-how, methods, templates, models, and experience developed during the performance of services, provided no Client Confidential Information is disclosed.
Subject to timely payment and compliance with the Agreement, 10ops grants Client a limited, non-exclusive, non-transferable, non-sublicensable right during the term to access and use the OMT for its internal business purposes.
Client shall not copy, modify, reverse engineer, decompile, lease, sublicense, resell, or use the OMT to build a competing service, except to the extent mandatory law expressly permits such limitations to be overridden.
Client must keep credentials secure and ensure that access is limited to authorized users.
Unless stated in a signed SLA, 10ops does not guarantee uninterrupted or error-free operation, feature permanence, or specific uptime levels.
Planned maintenance, emergency patching, updates, and security actions may temporarily affect availability.
10ops may change, enhance, replace, or discontinue features, provided the core contracted functionality is not materially withdrawn without reasonable notice.
10ops is not responsible for the availability, pricing, legality, security, or continuity of Third-Party Services or APIs, including changes imposed by those providers.
If a Third-Party Service materially changes, 10ops may adjust dependent functionality without liability, subject to good-faith change management.
SampX Services may include webshop operations, marketplace support, order administration, content operations, fulfilment coordination, logistics coordination, returns coordination, reporting, and customer support operations.
Unless expressly agreed otherwise, 10ops acts only as service provider and/or disclosed agent on behalf of Client and not as seller of record, merchant of record, importer of record, exporter of record, manufacturer, or owner of the goods.
Client remains solely responsible for product quality, product safety, conformity, labeling, product claims, recalls, warranties, destination-country permissibility, CE marking where relevant, and all sector-specific legal compliance.
If 10ops coordinates warehousing, transport, customs, or fulfilment services, it may do so via Third-Party Services and subcontractors selected by 10ops.
All freight, storage, fulfilment, customs, packaging, duties, taxes, and return costs are for Client's account unless explicitly agreed otherwise in writing.
Visible loss, shortages, or transport discrepancies must be reported within 2 Business Days after delivery; hidden damage or stock discrepancies within 5 Business Days after discovery, without prejudice to shorter mandatory time limits imposed by carriers or subcontractors.
Refunds, chargebacks, fraud losses, product liability claims, and consumer claims remain at Client's risk unless a written schedule expressly reallocates them.
Client shall provide timely, accurate, complete information, decisions, materials, data, approvals, and access reasonably required for performance.
10ops may rely on information and instructions supplied by Client and is not obliged to independently verify their completeness, accuracy, or legality.
Client is responsible for its internal systems, network security, user access controls, endpoint security, back-ups, and lawful use of the Services and Software.
Any delay, cost increase, loss of productivity, resource reallocation, remobilization, schedule impact or service interruption caused wholly or partially by Client acts or omissions shall entitle 10ops to adjust timelines, milestones, delivery dates, resource commitments and fees.
Where Client delays provision of information, access, approvals, decisions, feedback, systems, personnel or other dependencies required for performance, all affected deadlines and delivery dates shall automatically be extended by at least the duration of the delay.
If a Client-caused delay exceeds ten (10) Business Days, 10ops may reallocate personnel and resources and revise schedules, availability and fees accordingly.
Fees are as specified in the applicable order form, statement of work, subscription schedule, or price schedule.
All prices are exclusive of VAT and other taxes, withholding taxes, duties, customs charges, levies, bank costs, and pass-through Third-Party charges unless expressly stated otherwise.
10ops may invoice subscriptions in advance, time-and-materials monthly in arrears, projects by milestone, and pass-through charges as incurred.
Invoices are payable within 14 days of invoice date unless explicitly agreed otherwise.
Client shall not withhold, delay, suspend, reduce or set off any payment due to alleged disputes, counterclaims, internal approval processes, procurement procedures, purchase order requirements, vendor onboarding delays, procurement portal issues, invoice-routing errors or administrative matters.
The absence of a purchase order number, procurement system approval or similar administrative requirement shall not relieve Client from its obligation to pay invoices when due.
If Client requires specific invoicing or procurement procedures, Client remains solely responsible for ensuring such procedures are completed in time to allow payment by the due date.
If Client fails to pay on time, 10ops may charge statutory commercial interest and reasonable collection costs and may suspend access and services until outstanding amounts are paid.
10ops may index or adjust recurring fees annually to reflect inflation, wage growth, supplier cost increases, or expanded compliance obligations upon at least 30 days' prior notice.
All intellectual property rights in the Services, Software, templates, methods, models, documentation, improvements, and generic know-how remain vested in 10ops or its licensors.
Except where expressly stated otherwise, payment of fees does not transfer ownership of intellectual property rights to Client.
Subject to full payment, Client receives a non-exclusive right to use Deliverables and the Software solely for its internal business purposes under the Agreement.
Feedback, ideas, and suggestions supplied by Client may be used by 10ops without restriction or additional compensation.
Each party shall keep the other party's Confidential Information confidential and use it only for the purposes of the Agreement.
This obligation does not apply to information already lawfully known, independently developed, lawfully received from a third party without duty of confidence, or that becomes public without breach.
Disclosure required by law, court order, stock exchange rules, or regulatory requirement is permitted, provided prior notice is given where legally allowed.
Each party shall comply with applicable data protection law, including the GDPR.
Where 10ops processes Personal Data on behalf of Client, the parties shall enter into a Data Processing Agreement; if no standalone DPA is signed, the fallback DPA in the package shall apply as incorporated by reference.
Client warrants that it has a lawful basis for all Personal Data made available to 10ops and that its instructions are lawful.
10ops will apply commercially reasonable technical and organizational measures proportionate to the nature of the relevant Services and risks.
Internet-based systems can never be guaranteed fully secure; 10ops does not warrant absolute security.
10ops warrants that it will perform services with reasonable skill and care expected from a professional service provider in its field.
Except as explicitly stated, the Services, Deliverables, Software, and SampX Services are provided "as is" and "as available".
10ops disclaims implied warranties to the maximum extent permitted by law, including fitness for a particular purpose, merchantability, non-infringement, uninterrupted operation, or suitability for a result not expressly agreed in writing.
Client remains responsible for verifying outputs, recommendations, configurations, and operational decisions before use in production or business-critical decisions.
Client shall indemnify and hold harmless 10ops, its affiliates, directors, employees, and subcontractors against third-party claims, losses, damages, fines, costs, and expenses arising from Client products, product defects, labeling, warranty claims, recalls, product content, product compliance, export/customs issues, sanctions issues, tax/VAT issues, chargebacks, fraud, consumer claims, or Client's breach of law or third-party rights.
10ops shall defend Client against a third-party claim that the unmodified OMT, as delivered by 10ops and used in accordance with the Agreement, directly infringes a third party's intellectual property right in the EU or U.S., subject to prompt notice, control of defense by 10ops, and Client's cooperation.
10ops has no liability for infringement claims caused by Client specifications, Client data, Client instructions, third-party combinations, customizations not made by 10ops, or continued use after notice to stop.
If an infringement claim appears likely, 10ops may procure continued use rights, modify or replace the affected functionality, or terminate the relevant affected part and refund prepaid unused fees for that affected part. This is Client's exclusive remedy for such claims.
Nothing in the Agreement excludes or limits liability to the extent prohibited by applicable law, including liability for wilful misconduct or gross negligence of 10ops management where such exclusion is not legally permitted.
Subject to the previous sentence, the aggregate liability of 10ops, its affiliates, directors, officers, employees, contractors and subcontractors arising out of or in connection with the Agreement shall not exceed the lower of: (i) the fees actually paid to 10ops by Client under the affected Agreement during the twelve (12) months immediately preceding the event giving rise to the claim; or (ii) EUR 50,000.
For purposes of calculating the liability cap, fees exclude VAT, taxes, customs duties, pass-through charges, media spend, marketplace fees, payment provider fees, fulfilment costs, logistics costs, software license costs, hosting costs, reimbursed expenses and any other third-party costs.
If a claim relates only to a specific project, schedule, statement of work, or subscription, the liability cap is limited to the fees paid for that specific part in the twelve months preceding the event.
To the maximum extent permitted by law, 10ops is not liable for indirect or consequential loss, loss of profits, loss of revenue, loss of opportunities, loss of savings, business interruption, loss of goodwill, loss or corruption of data, or third-party claims except where expressly covered by an indemnity or DPA.
For SampX Services, 10ops is not liable for product liability, recall costs, tax or customs assessments, fraud, chargebacks, counterfeit claims, destination-country restrictions, or delay/non-performance of carriers, warehouses, customs agents, payment providers, and marketplaces.
Client must notify 10ops of any claim in writing as soon as reasonably possible and, in any event, within 30 days after becoming aware of the event. Any claim lapses if not brought within 12 months after Client became aware, or reasonably should have become aware, of the damage and 10ops' possible liability.
Neither party is liable for delay or non-performance caused by a Force Majeure Event.
The affected party shall inform the other party as soon as reasonably practicable.
If the Force Majeure Event continues for more than 60 days, either party may terminate the affected part of the Agreement by written notice without liability for damages.
10ops may suspend services or access immediately if Client fails to pay undisputed invoices, materially breaches the Agreement, exposes 10ops to compliance or security risk, or issues unlawful instructions.
Either party may terminate for material breach not cured within 30 days of written notice.
Either party may terminate immediately if the other party enters insolvency, liquidation, cessation of business, or a similar procedure.
Upon termination, accrued payment obligations remain due, Client must cease use of the Software, and 10ops may disable access after a reasonable offboarding period.
Unless otherwise agreed in writing, 10ops may delete Client data 30 days after termination, subject to legal retention, evidence preservation, archival backups, and security obligations.
Unless Client objects in writing, 10ops may identify Client's name and logo in general client reference lists. Press releases require prior written consent unless disclosure is mandated by law or stock exchange rules.
Client may not assign the Agreement without 10ops' prior written consent, except to an affiliate as part of an internal reorganization where the assignee remains creditworthy.
10ops may assign the Agreement to an affiliate or in connection with a merger, sale, or reorganization and may use subcontractors and Third-Party Services.
During the term of the Agreement and for a period of twelve (12) months thereafter, Client shall not directly or indirectly solicit, hire, engage, employ or contract with any employee, contractor, consultant, advisor, freelancer or subcontractor of 10ops who was involved in the performance of the Agreement.
In the event of breach of this clause, Client shall immediately pay 10ops liquidated damages equal to twelve (12) months of the relevant individual's gross annual compensation or, for contractors and consultants, twelve (12) months of their average fees charged to 10ops.
This shall not affect 10ops' right to recover additional damages to the extent permitted by law.
The Agreement and all non-contractual obligations connected with it are governed by Dutch law, excluding the CISG.
All disputes shall be submitted exclusively to the competent court in [competent court in the Netherlands, e.g., Amsterdam or Limburg], unless 10ops elects another competent forum permitted by law.
If any provision is invalid or unenforceable, the remaining provisions remain in force and the parties shall replace the invalid provision with one that most closely reflects the original commercial intent.
Failure or delay to enforce a right does not constitute waiver.
The English version prevails unless another language version is expressly agreed to prevail.
Updated versions of these Terms may apply to renewals, new orders, and recurring services upon prior notice, provided no already vested rights are impaired.
Version 01 — Effective date: 1 September 2024
These Terms of Use ("Terms of Use") govern access to and use of the Opportunity Management Tool (OMT) provided by 10 ops B.V. ("10ops").
These Terms apply to all individual users ("User") accessing the OMT on behalf of a client organization ("Client"). By using the OMT, Users agree to comply with these Terms.
These Terms complement the agreement between 10ops and the Client, including the Master Terms & Conditions, SaaS Schedule, and DPA. In case of conflict, the client agreement prevails.
Users must use individual credentials, keep them confidential, and report unauthorized access. The Client is responsible for granting and revoking access.
Users may use the OMT only for internal business purposes of the Client and in a lawful and professional manner.
Users shall not misuse the system, including reverse engineering, unlawful data use, system disruption, unauthorized sharing, or using the tool for competing products.
Users are responsible for accurate data entry, compliance with law, and proper use of outputs.
The Client and its Users remain solely responsible for all information, content, documents, data, files, records, personal data and materials uploaded, entered, imported, processed or stored within the OMT ("Client Content").
10ops is not responsible for verifying the legality, accuracy, completeness, ownership or reliability of Client Content.
Client warrants that it possesses all rights, permissions, licenses, consents and legal bases necessary to upload and use Client Content within the OMT.
Client shall not upload any content that infringes intellectual property rights, confidentiality obligations, privacy rights, export restrictions, sanctions regulations or other applicable laws.
Client shall indemnify and hold harmless 10ops against any third-party claim arising from Client Content, Client instructions or Client's use of the OMT.
Users must protect credentials, follow security practices, and report incidents. 10ops may enforce security actions.
All IP rights remain with 10ops. Users receive no ownership rights and must not alter IP notices.
The OMT is provided as available. Features and availability may change due to maintenance or updates.
10ops may monitor use of the OMT for security, compliance, capacity planning, maintenance, misuse prevention and service improvement purposes.
10ops may investigate suspected misuse, security incidents, fraud, excessive usage, unlawful behavior, intellectual property infringement or violations of these Terms.
Users shall cooperate with reasonable investigations relating to platform security or misuse.
10ops may immediately suspend, restrict, disable or terminate access to the OMT, without prior notice and without liability, where 10ops reasonably believes that:
(a) these Terms have been violated;
(b) the security, integrity or availability of the OMT may be affected;
(c) unlawful, fraudulent or abusive activity may be occurring;
(d) a legal, regulatory, sanctions, compliance or reputational risk exists;
(e) continued access could expose 10ops, other users or third parties to risk.
10ops may remove, quarantine or restrict access to data, content or accounts where reasonably necessary to protect the security, integrity or lawful operation of the OMT.
Third-party services may be used and are not controlled by 10ops.
The OMT is a decision-support platform only.
Information, dashboards, analytics, reports, rankings, opportunity scores, recommendations, forecasts, assessments, workflows and other outputs generated by or through the OMT are provided for informational purposes only.
Such outputs may depend on User input, Client input, assumptions, third-party information, imported data, algorithms, configurations or automated processes and may be incomplete, inaccurate or outdated.
10ops does not warrant that any output, recommendation, score, analysis, report or assessment generated by the OMT is accurate, complete, error-free, fit for a particular purpose or suitable for any business, commercial, investment, operational, legal, regulatory or strategic decision.
Users and Clients remain solely responsible for independently verifying all information and for all decisions, actions and omissions taken based on the OMT.
Use of the OMT does not constitute professional, legal, financial, tax, technical, investment or regulatory advice.
10ops may update these Terms. Continued use implies acceptance.
For questions: legal@10-ops.com
Version 01 — Effective date: 1 September 2024
At 10 ops BV, we are committed to safeguarding your personal information and ensuring your privacy is protected. This Privacy Notice explains how we collect, use, share, and protect your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant legislation.
We collect personal data that you voluntarily provide to us when you:
The types of personal data we may collect include:
We use your personal data for the following purposes:
We do not sell your personal data. We may share your information with third parties under the following circumstances:
We implement reasonable technical and organizational measures to protect your personal data from unauthorized access, loss, or misuse. Despite our efforts, no security measures are 100% secure, and we cannot guarantee the absolute security of your data.
Depending on your location and applicable law, you may have the following rights regarding your personal data:
To exercise any of these rights, please contact us at Privacy@10-ops.com.
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Once data is no longer needed, we securely delete or anonymize it.
We use cookies and similar tracking technologies to enhance your experience on our website and analyze usage. You can manage your cookie preferences through your browser settings.
We may update this Privacy Notice from time to time. Any changes will be posted on this page, and the "Effective Date" at the top will reflect the date of the latest revision. We encourage you to review this notice periodically to stay informed of how we protect your personal data.
For questions: legal@10-ops.com
Version 01 — Effective date: 1 September 2024
Article 28 GDPR compliant companion agreement.
Drafting note: This document is a commercially robust template starting point for B2B use by 10ops. It is not legal advice and should be reviewed by Dutch counsel before first use, especially for listed companies, U.S. customers, public procurement, regulated products, and cross-border data transfers.
This Data Processing Agreement is entered into between 10 ops B.V. as Processor and the Client identified in the relevant order form or master agreement as Controller, unless the parties expressly agree another role allocation in writing.
This DPA governs the Processing of Personal Data by Processor on behalf of Controller under the principal agreement.
If there is a conflict between this DPA and the principal agreement regarding Personal Data Processing, this DPA prevails to the extent of the conflict.
Subject matter: provision of consultancy services, OMT SaaS services, and/or SampX managed commerce and logistics support as described in the principal agreement.
Duration: for the term of the principal agreement plus the period required for return, deletion, backup retention, legal retention, and any agreed transition support.
Nature and purpose: hosting, support, administration, analytics, communication, reporting, project delivery, workflow handling, e-commerce operations support, fulfilment coordination, and related service delivery activities as instructed by Controller.
Categories of data subjects may include Controller personnel, prospects, customers, suppliers, business contacts, site users, marketplace contacts, or other individuals whose data Controller instructs Processor to handle.
Types of Personal Data may include names, business contact details, account identifiers, transactional metadata, opportunity records, order information, support correspondence, and other data supplied by Controller. Special categories of data should not be processed unless expressly agreed in writing and supported by an adequate legal basis and security plan.
Processor shall process Personal Data only on documented instructions from Controller unless required by Union or Member State law.
Processor shall ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
Processor shall implement appropriate technical and organizational measures under Article 32 GDPR, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing.
Processor shall assist Controller, taking into account the nature of the Processing and information available to Processor, with responding to requests from Data Subjects and with Controller's obligations under Articles 32 to 36 GDPR, insofar as legally required and reasonably possible.
If Processor believes an instruction infringes applicable data protection law, Processor may inform Controller and may suspend the relevant Processing until clarified.
Controller warrants that it has a valid legal basis for the Processing and for providing the Personal Data to Processor.
Controller is responsible for the accuracy, quality, and legality of the Personal Data and the means by which Controller acquired the data.
Controller is responsible for notices, consents where applicable, legal assessments, records of processing, DPIAs, transfer assessments, and internal governance unless expressly agreed otherwise.
Controller shall not instruct Processor to process Personal Data in a manner that violates applicable law.
Controller grants Processor a general authorization to engage subprocessors for hosting, infrastructure, support tooling, communications, analytics, security, fulfilment support, and other legitimate service delivery needs.
Processor shall impose data protection obligations on subprocessors that are not less protective than those in this DPA, to the extent required by Article 28 GDPR.
Processor remains responsible for the performance of subprocessors as required by GDPR.
Processor shall maintain a current list of material subprocessors on its website or provide such list upon request.
Processor shall provide at least thirty (30) days' notice of any addition or replacement of a material subprocessor.
Controller may object within thirty (30) days on reasonable and documented data-protection grounds.
If the parties cannot resolve the objection, either party may terminate the affected services without liability.
Where Personal Data is transferred outside the EEA, Processor shall ensure an appropriate transfer mechanism is in place, such as adequacy regulations or the European Commission's standard contractual clauses, as applicable.
The parties shall cooperate in good faith if supplementary transfer measures or transfer impact assessments are reasonably required.
Processor shall maintain technical and organizational measures appropriate to the risks, which may include access control, MFA/SSO options where available, least-privilege principles, encryption or pseudonymization where appropriate, secure development and change practices, logging as reasonably appropriate, vulnerability management, backup routines, and incident response procedures.
Controller acknowledges that no measure can guarantee absolute security and that security obligations are obligations of means, not strict guarantees of result.
Controller acknowledges that security is a shared responsibility. Controller remains responsible for:
Processor shall not be responsible for security incidents resulting from Controller's systems, devices, credentials, networks, users or configurations.
Processor shall notify Controller without undue delay and, where reasonably possible, within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Controller.
Such notice will include, to the extent available, the nature of the breach, likely consequences, and measures taken or proposed to address the breach.
Processor's notification of a Personal Data Breach is not an admission of fault or liability.
Processor shall make available to Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR.
Audits by Controller or its auditor are limited to once per year, during normal business hours, with at least 30 days' notice, subject to confidentiality safeguards, no access to other clients' information, and reimbursement of reasonable costs where legally permissible.
Processor may satisfy audit requests by providing certifications, reports, policies, summaries, or independent assurance artifacts where appropriate.
Assistance beyond Processor's standard obligations, including bespoke legal questionnaires, excessive audit support, legacy data exports, regulator interactions, or extensive Data Subject request handling, may be charged at Processor's then-current professional services rates unless the need arose from Processor's proven breach of this DPA.
Processor may satisfy security, compliance and audit requests through provision of certifications, security summaries, policies, reports, questionnaires or other reasonable compliance documentation.
Controller shall not require Processor to disclose confidential security information, source code, penetration test reports, information relating to other customers or security information that may increase security risk.
Upon termination of the principal agreement, Processor shall, at Controller's choice, delete or return Personal Data after the end of the provision of services relating to Processing, unless Union or Member State law requires storage.
Processor may retain Personal Data in archival backups, legal hold systems, security logs, and evidential records for the period reasonably required under applicable law, security practice, or legitimate defense of claims, provided such retained data remains protected and is not actively processed for other purposes.
Unless otherwise agreed, customer data shall be deleted within thirty (30) days after termination, subject to backup cycles, legal retention obligations and legitimate claim-preservation requirements.
Except where prohibited by applicable law, all exclusions, limitations and caps of liability contained in the principal agreement shall apply equally to this DPA and any claims arising from processing of Personal Data.
No party limits liability where such limitation is prohibited by applicable law.
The parties acknowledge that the Services are primarily designed for business-to-business use.
The parties expect that the majority of Personal Data processed consists of business contact information, professional profile information, customer relationship information and other low-risk business data.
Controller shall not intentionally upload special category personal data, health data, biometric data, genetic data, criminal records data, children's data or other highly sensitive personal data unless expressly agreed in writing.
Business purpose(s):
Systems / modules used:
Categories of data subjects:
Types of personal data:
Special categories data:
Processing of special category personal data, criminal records data, health data, biometric data, genetic data, data relating to children and similar sensitive personal data is not intended and is prohibited unless expressly agreed in writing between the parties.
Where such processing is expressly approved, the parties shall document appropriate safeguards, security measures and legal bases prior to processing.
Retention logic:
Personal Data shall be retained during the term of the Agreement.
Upon termination or expiry of the Agreement, Personal Data shall be returned or deleted in accordance with the Agreement and applicable law.
Processor may retain Personal Data in archival backups, security logs, disaster recovery systems, legal hold systems and evidential records for the period reasonably necessary to satisfy legal, regulatory, security, audit and claim-preservation requirements.
Unless otherwise agreed, active Customer Data shall be deleted within thirty (30) days following termination of the Services, subject to backup cycles and legal retention obligations.
International transfers:
Personal Data may be processed within the European Economic Area.
Where Personal Data is transferred outside the EEA, Processor shall ensure that an appropriate transfer mechanism is in place, including an adequacy decision, Standard Contractual Clauses or another lawful transfer mechanism recognized under applicable data protection law.
International transfers may occur through approved subprocessors, support services, cloud infrastructure providers and security service providers engaged by Processor.
Approved subprocessors specific to this client:
Unless otherwise agreed in writing, the following categories of subprocessors may be engaged:
Non-exhaustive list: Microsoft Azure, Microsoft 365, SharePoint, Teams, Outlook, Dify.
The parties acknowledge that 10ops generally acts as Processor where it processes Personal Data on behalf of Client through OMT or managed services.
For certain consultancy engagements, strategic advisory services, business development activities or independent analyses, the parties may act as independent Controllers. The specific role allocation shall be determined by the nature of the relevant Processing activity.