The platform

A black and white icon of a computer and a cell phone.
A black and white icon of a gear and a diagram.
A black and white drawing of a cube with arrows around it.
A black and white icon of a person surrounded by gears and clocks.

Fininly

A black and white logo with the letter f on a white background.
A black and white drawing of three people standing next to each other.
A line drawing of a statue of a man with a crown on his head.
A black and white icon of a person talking on a phone.

The platform

A clipboard with a check mark and a magnifying glass next to it.
A black and white icon of a server on a white background.
A black and white drawing of a judge 's gavel and a block.
A black and white icon of a website with a shield and a check mark.

Resources

A black and white icon of a computer screen with a speech bubble and a pencil.
A black and white icon of a price tag with a euro sign on it.
A group of people standing next to each other with a gear in the middle.
A black and white drawing of a person wearing a headset.

Surpass competition

To accelerate revenue generation in a competitive landscape, swift action is essential. It’s crucial to have an operating model that is both agile and quick to market.


Fininly’s approach ensures a seamless, uninterrupted pathway to innovation and rapid market entry.

BOOK A DEMO
Logo

General Data Protection Regulation.

Protection of personal data is a top priority for Fininly and we always adhere to the General Data Protection Regulation (GDPR) that came into effect on May 25th 2018. A GDPR requirement is that we must describe how we ensure GDPR compliance and commit to this in a data processor agreement with our customers. The following Data Processor Agreement will govern this important part of our relationship with our clients.

Data Processing Agreement

Between:

Fininly B.V.

Rokin 95

1012 KM Amsterdam

The Netherlands

KvK registration 69720541 

("Fininly")

And:

Each individual Fininly Customer that Fininly processes data for and that has not otherwise entered into a valid data processor agreement with Fininly.

(the “Customer”).

1. INTRODUCTION


  1. This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations which arise from Fininly's processing of Personal Data on behalf of Customer under the order form, service agreement or other agreement between the Parties (“the Agreement”). All capitalised terms not defined in this DPA shall have the meaning set forth in the Agreement.
  2. The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term of the Agreement, the DPA will prevail. If and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement or the DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.
  3. If Applicable Data Protection Law is amended, replaced or repealed, the parties shall, where necessary, negotiate in good faith a solution to enable the processing of Personal Data to be conducted in compliance with Applicable Data Protection Law.

2. PURPOSE, SCOPE AND RESPONSIBILITIES


  1. Fininly shall only process personal data in accordance with the terms of this DPA.
  2. The parties agree Customer is the Data Controller of Customer Personal Data. Fininly is the Data Processor of Customer Personal Data, except where Fininly acts as a Data Controller processing Customer Personal Data in accordance with Section 2.9.
  3. Fininly shall process Customer Personal Data for the limited purpose of performing the obligations set out under the Agreement and only in accordance with Customer's lawful instructions or otherwise necessary to comply with Applicable Data Protection Law. Data may, for that purpose, be processed by any of Fininly’s entities in accordance with Section 7.
  4. Customer shall ensure that its instructions to Fininly comply with all laws and regulations applicable to Customer Personal Data, and that the processing of Customer Personal Data following Customer's instructions will not cause Fininly to be in breach of Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality and legality of Customer Personal Data provided to Fininly in accordance with this DPA.
  5. Personal Data processed by Fininly shall include such actions as may be specified in the Agreement. Further data processing outside the scope set out in this Section 2 shall require mutual written agreement of the parties.
  6. If Fininly becomes aware that any instruction given by Customer breaches Applicable Data Protection Law, Fininly shall immediately inform Customer of this, giving details of the breach or potential breach.
  7. The term of this DPA shall continue until the later of the following: the termination of the Agreement or the date at which Fininly ceases to process Personal Data for Customer.
  8. In no event will the data processed by Fininly include financial data or Sensitive Data.
  9. The parties acknowledge and agree that Fininly may process Customer Personal Data for its own legitimate business operations as independent Data Controller, provided the data processing is limited to one of the following purposes: i) billing and account management; ii) internal reporting; iii) fraud and cyber-attacks prevention pertaining to the provision of the Services; iv) optimisation and maintenance of the Services; and v) compliance with legal and tax requirements.
  10. The types and categories of Customer Personal Data processed by Fininly, and the purpose of such processing is set out in Exhibit 1.

3. OBLIGATIONS OF FININLY AS DATA PROCESSOR


Fininly warrants that it will: 


​i) comply with Applicable Data Protection Law relevant to Fininly's obligations under the Agreement; 


​ii) implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the data subjects; and 


​iii) make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA; and reasonably cooperate with any audits performed by Customer or its independent auditor, at Customer’s own expense and no more than once a year, of facilities under the control of Fininly, in accordance with Section 10.2 of the Agreement. 

4. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

  1. Fininly will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Law.
  2. Fininly will ensure that it and its Sub-processors will at all times comply with the minimum data security requirements set out in Exhibit 2, which may , from time to time, be updated, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
  3. Customer has evaluated the security measures implemented by Fininly and agrees that they provide an appropriate level of protection for Customer Personal Data. 

5. PERSONNEL

  1. Fininly shall ensure that any personnel required to access Customer Personal Data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.
  2. Fininly shall ensure that its personnel required to access Customer Personal Data are informed of the confidential nature of Customer Personal Data and the security procedures applicable to the processing of or access to Customer Personal Data.
  3. Fininly’s personnel’s confidentiality obligations will survive the termination of the personnel engagement and the term of this DPA. 

6. ASSISTANCE TO THE CUSTOMER AS DATA CONTROLLER


  1. Fininly shall provide reasonable and timely assistance, by appropriate technical and organizational measures to Customer to enable them to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, Regulator or other third party in connection with the processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Fininly, Fininly shall promptly inform Customer providing full details of the same, unless prohibited by the applicable law.
  2. Fininly shall reasonably assist Customer with its obligation to conduct any data protection impact assessment required by Applicable Data Protection Law. 

7. SUB-PROCESSORS


  1. The Sub-processors, approved by Customer, are listed here. Customer hereby gives a general authorization for the engagement of additional Sub-processors for the purpose of performing its obligations under the Agreement, provided Fininly shall:
  2. maintain an up-to-date list of its Sub-processors on at https://www.Fininly.com/data-processing-agreement/ (or any future website used by Fininly);
  3. provide at least 30 days prior notice (except to the extent a 30 days’ notice is not possible due to an emergency concerning Service availability or security) to Customer of any change to its Sub-processors via Fininly’s usual e-mail notification process;
  4. execute a written agreement that obligates the Sub-processor to (i) protect Customer Personal Data to the same extent required of Fininly by the Agreement; and (ii) comply with Applicable Data Protection Law.
  5. If Customer objects to such new Sub-processor on reasonable grounds within 30 days of receiving notice, the parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and Fininly decides to proceed with such Sub-processor, Customer may terminate the Agreement with 30 days prior written notice. Neither of the Parties shall be considered in breach of contract in the event of such termination. Customer acknowledges that Fininly provides a standardized service to all customers which does not allow using different Sub-processors for different customers and, therefore, that the inability to use a particular new or replacement Sub-processor for the Services to the Customer may result in delay in performing the Services, inability to perform the Services or increased fees. Fininly will notify Customer in writing of any change to Services or fees that would result from Fininly’s inability to use a new or replacement Sub-processor to which Customer has reasonably objected. If Customer does not object to a new Sub-processor's engagement within 30 days, that new Sub-processor shall be deemed accepted.
  6. Fininly shall be liable for the acts or omissions of its Sub-processors to the same extent that Fininly would be liable if performing the Services of each Sub-processor directly under the terms of this DPA. 

8. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS


  1. Customer acknowledges and agrees that Fininly may transfer and process Customer Personal Data to its authorized Sub-processors in third countries for the provision of the Services. Any transfer of Personal Data to third countries or international organisations by Fininy shall always take place in compliance with EU Data Protection Law, UK Data Protection Law and this DPA.
  2. Any transfer of Customer Personal Data made from EEA, Switzerland or United Kingdom to a Restricted Country will be subject to the Standard Contractual Clauses (together with the UK Addendum, where UK Data Protection Law applies) and any other supplementary measures required to enable the lawful transfer of Customer Personal Data. The Parties agree to promptly undertake to amend this DPA if necessary to incorporate an updated data transfer mechanism to maintain compliance with EU Data Protection Law and UK GDPR.
  3. If any Customer Personal Data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and Customer has informed Fininly of such data transfer restrictions or prohibitions, Customer and Fininly shall ensure an appropriate transfer mechanism (satisfying the country’s data transfer requirements) is in place, as reasonably requested by Customer and mutually agreed upon by both Parties, before transferring or accessing Customer’s Data outside of such country. For the avoidance of doubt, this transfer restriction does not apply to Customer’s or its Affiliates’ Authorised Users who have access to the Services and Customer Data, and Fininly shall not be held responsible for actions of Customer or its Affiliates’ Authorised Users. Neither Customer nor its Authorised Users shall be entitled to use the Services in any country with data localization laws that would require Customer’s environment to be hosted in said country. 

9. OBLIGATIONS OF THE CUSTOMER


  1. Customer and Fininly will be separately responsible for conforming with Applicable Data Protection Law, as applicable to each.
  2. Customer will inform Fininly in writing without undue delay following Customer’s discovery of a failure to comply with Applicable Data Protection Law with respect to processing of Personal Data in accordance with this DPA.
  3. Customer shall be responsible for providing accurate and relevant contact details at the time of entering into the Agreement and thereafter to assist with Fininly’s notification obligations.
  4. Customer represents and warrants it has provided and will continue to provide all notices and has obtained and will continue to obtain all consents and rights required under Applicable Data Protection Law for Fininly to process Customer Personal Data for the purposes of this Agreement. 

10. NOTIFICATION OF DATA BREACH


  1. Fininly shall without undue delay, and no later than 48 hours, notify Customer in writing of any identified Data Breach.
  2. The notification referred to in section 10.1. will, to the extent possible:
  3. describe the nature of the Data Breach including the categories and approximate number of data subjects concerned and the categories and approximate amount of Personal Data impacted,
  4. provide the Fininly contact details where more information can be obtained,
  5. describe the likely consequences of the Data Breach, and
  6. describe the measures taken or proposed to be taken by Fininly to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. 

11. ADDITIONAL ASSIGNMENTS


  1. In respect of tasks assigned to Fininly, that are not an obligation under this DPA and go beyond Fininly’s statutory obligations, Fininly shall be entitled to charge Customer for the additional resources, time and material necessary to fulfill the required task(s), unless such services are already included in the Services provided under the Agreement.
  2. Fininly will notify Customer in advance of such additional charges and, to the extent possible, provide Customer with a quote of the expected costs.
  3. If Customer does not agree to the costs, Fininly is not required to perform the additional assignment. 

12. DELETION AND RETURN OF PERSONAL DATA


  1. Following the expiration or earlier termination of the Agreement, Fininly will retain Customer Data in a limited function account, securely isolated and protected from any further processing, for 90 days. Once the 90-day retention period ends, Fininly shall disable Customer’s account and delete all Customer Personal Data associated with it, or irreversibly anonymise them in such a manner that the data subject is not identifiable, unless Fininly is permitted or required by applicable law, or authorized under this DPA, to retain such data. At all times during the term of the Agreement, Customer will have the ability to access, extract and delete Customer Personal Data stored in its tenant.
  2. Upon Customer’s request, Fininly shall certify in writing the destruction or complete anonymisation of Customer Personal Data. 

3. LAW ENFORCEMENT REQUESTS


  1. If a court, law enforcement authority or intelligence agency contacts Fininly with a demand for Customer Personal Data, Fininly will first assess if it is a legitimate order. If compelled to disclose or provide access to any Customer Personal Data to law enforcement, Fininly will promptly notify Customer and provide a copy of the request, unless legally prohibited from doing so.
  2. Fininly shall only cooperate with the issued request or order if legally obliged to do so and, where possible, Fininly shall judicially object to the request or order or the prohibition to inform Customer about this or to follow the instructions of Customer. Fininly shall not provide more Customer Personal Data than is strictly necessary for complying with the request or order. 

14. JURISDICTION SPECIFIC TERMS


To the extent Fininly processes Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Exhibit 3 (Jurisdiction Specific Terms) of this DPA, the terms specified in Exhibit 3 with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA. 

15. LIABILITY


Each party's liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. 

16. LEGAL VENUE AND APPLICABLE LAW


  1. This DPA shall be governed by Dutch Law.
  2. Any claim or dispute arising from or in connection with this DPA must be settled by the Amsterdam Court as first instance. 

17. DEFINITIONS

The terms “Data Controller”“Data Processor”“data subject”“processing” and “process” shall have the meaning given in Applicable Data Protection Law. 


“Applicable Data Protection Law” means any applicable law which applies to each party in any territory in which they process Personal Data and which relates to the protection of individuals with regards to the processing of Personal Data and privacy rights, and may include EU Data Protection Laws, UK Data Protection Laws, Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”), the California Consumer Privacy Act, as amended by the California Privacy Right Act of 2020 and its implementing regulation (“CCPA”); the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”), the Virginia’s Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut’s Act Concerning Data Privacy and Online Monitoring (“CTDPA”), and the Utah Consumer Privacy Act (“UCPA”). 


“Customer Personal Data” means the Personal Data that is generated by or provided to Fininly by, or on behalf of, Customer through use of the Services. 


“Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Fininly. 


“EU Data Protection Laws” means all data protection laws and regulation applicable to the European Economic Area (“EEA”) and Switzerland, including the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member national law implementing the Directive and the Swiss Federal Data Protection Act (“Swiss DPA”). 


“Personal Data” means any information defined under Applicable Data Protection Law as “personal data”, “personal information”, “personally identifiable information” or any other similar term relating to an identified of identifiable natural person. 


“Regulator” means any local, national or multinational agency, department, official, public of statutory person or any regulatory or supervisory authority for administering, providing guidance on, supervising and enforcing Applicable Data Protection Law. 


“Restricted Country” mean a country, territory or jurisdiction which (i) when GDPR applies, is not covered by an adequacy determination by European Commission, as described under the GDPR, (ii) when Swiss DPA applies, is not included on the list of adequate jurisdictions published by the Swiss Regulator or (iii) when UK Data Protection Law applies, is not recognized as providing an adequate level of protection for Personal Data pursuant to Section 17A of the UK GDPR. 


​“Sensitive data” means any (i) special categories of Personal Data defined under EU Data Proteciton Law and UK Data Protection Law, (ii) data relating to criminal convictions and offences defined under EU Data Proteciton Law and UK Data Protection Law or (iii) within the definition of ’sensitive personal information” under the CCPA. 


​“Standard Contractual Clauses” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries (“EU SCCs”) and (ii) where the Swiss DPA applies, the standard data protection clauses issued, approved or otherwise recognized by the Swiss Regulator (“Swiss SCCs”), each as amended, supplemented or replaced from time to time. 


“Sub-processor” mean any Fininly Affiliate and any sub-contractor engaged by Fininly in the processing of Customer Personal Data under the terms of the Agreement and this DPA. 


“UK Addendum” mean the UK Addendum issued by the United Kingdom Regulator under section 119A(1) of the Data Protection Act 2018, being an addendum to the Standard Contractual Clauses. 


“UK Data Protection Law” means all data protection laws and regulation applicable to the United Kingdom, including the United Kingdom's Data Protection Act 2018 and the GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”), each as amended, supplemented or replaced from time to time. 

Signed for and on behalf of Fininly


Date: February 27, 2024


Arthur van Cadsand

Name: Arthur P. van Cadsand

Title: CEO | CISO

Share by: