Vinact General Terms And Conditions And Data Processing Agreement

This document sets out the arrangements applicable to the agreement that you, the Customer (hereinafter: the “Customer”), will enter into with Vinact in respect of your use of Vinact services. This document contains:

  1. the general terms and conditions of Vinact (hereinafter: the “General Terms and Conditions”);
  2. the data processing agreement (hereinafter: the “Data Processing Agreement”) applicable when Vinact processes personal data on the instructions of the Customer.

Part I: General Terms and Conditions

Definitions

  1. The following definitions will apply for the terms used in these General Terms and Conditions:

Services

All services (to be) made available and/or work (to be) carried out by or on behalf of Vinact in any way, including SaaS Services and Other Services;

Customer

Each natural person or legal entity with whom or which respectively Vinact wishes to enter into a legal relationship and/or with whom or which it has entered into such a relationship (including users of the Trial Account referred to in Article 2);

Supplier

Each licensor, subcontractor and/or other kind of Vinact supplier;

Agreement

Each agreement and/or other kind of legal relationship between the Parties in respect of the provision of Services and related subjects;

Other Services

All services of whatever nature, excluding SaaS Services, to be provided to the Customer by and/or on behalf of Vinact;

Party and/or Parties

The Customer and/or Vinact;

SaaS Services

All Software-as-a-Service (SaaS) services and related services to be made available or provided to the Customer by or on behalf of Vinact via the internet;

Vinact

Vinact B.V., a private limited company with its principal place of business in Amsterdam (chamber of commerce number 75045877), or another legal entity that wishes to enter into, enters into or has entered into any legal relationship with the Customer and has declared these General Terms and Conditions applicable to the said legal relationship;

Fee

The fee(s) due to Vinact from the Customer in consideration of the Agreement or as described in these General Terms and Conditions;

Working Day

A calendar day from 09.30 hours to 18.00 hours, excluding weekends and public holidays.

  1. These General Terms and Conditions will apply to all Agreements. Other general terms and conditions, including the general terms and conditions of the Customer, will be expressly rejected. It will only be possible to deviate from these General Terms and Conditions if expressly agreed on between the Parties in writing.
  2. The Agreement between the Customer and Vinact will be formed by the Customer registering online via the Vinact website, on which website the Customer will be able to create an account and take out a subscription.
  3. The Agreement will be entered into for an indefinite period of time. Each Party will be able to terminate the Agreement with due observance of a notice period of at least one (1) month.
  1. Vinact will offer the Customer the opportunity of a free trial of the SaaS Services (hereinafter: ‘Trial Account’) before entering into an Agreement. No Fee will be due from the Customer for this Trial Account and it will be available to the Customer for a trial period of fourteen (14) days.
  2. When the trial period ends, Vinact will have the right to remove data belonging to the Customer without prior warning, unless the Parties have entered into an Agreement in due time.
  1. Vinact will start to provide Services after forming an Agreement with the Customer.
  2. Services will be provided on an ‘as is’ basis and will be deemed to have been accepted unconditionally at the time of their provision (in the case of SaaS Services: when access is provided to these Services). Use of the Services by the Customer and the (direct and indirect) consequences of their use will be at the expense and risk of the Customer.
  3. Vinact will be entitled to change, replace, suspend or block (access to the) Services for a number of reasons, including scheduled (maintenance and related) downtime of the SaaS Services. Vinact will give the Customer as much advance notice of downtime as possible. The obligation for the Customer to pay the Fee to Vinact will continue to apply in full.
  4. Should there be a failure in the provision of SaaS Services to the Customer on Working Days, the Customer is to contact the Vinact support desk. The Customer will not be required to pay a Fee for the use of support, provided its usage is on a fair use basis.
  1. Unless agreed otherwise, the Customer will periodically be required to pay a Fee in accordance with the rates that Vinact has determined and announced. Unless stated otherwise in writing, all rates will be exclusive of taxes (VAT, for example) and other levies payable by law.
  2. The Customer will pay all Vinact invoices within thirty (30) days of the invoice date at the latest. The Customer will not be entitled to suspend or offset the payments due for invoices.
  3. Vinact will be entitled to adjust Fees and rates once per agreement year, subject to reasonable limits. Vinact will inform the Customer of the above in writing at least one (1) calendar month before the adjustment in question enters into force. The Customer will be entitled to terminate the Agreement with Vinact within one (1) month of the date on which a price increase is announced.
  4. If the Customer fails to pay the amounts due within the period of time referred to in Article 4.2, the Customer will - without any further notice of default being necessary and without prejudice to any other rights that Vinact has - (i) be required to pay statutory interest on the amount due and (ii) Vinact will be entitled (without prejudice to the other rights it has) to suspend performance of the Agreement. The Customer will be obliged to reimburse Vinact for all collection costs that Vinact is forced to incur, subject to a minimum of 15% of the amount to be collected (regardless of the amount thereof) or € 250 if higher.
  1. The Customer will undertake to ensure that the data it provides to Vinact is correct in every respect. The Customer will be obliged to notify Vinact immediately of changes to the said data.
  2. The Customer him/her/itself will be responsible for (the security of) data that gives access to the Vinact environment, particularly being the use of strong passwords. The Customer him/her/itself will be responsible for use of the Services, data and content and for maintaining the confidentiality of access to and use of the aforementioned. The Customer will be obliged to use the Services subject to the limits of the provisions of the Agreement, these General Terms and Conditions and the applicable statutory regulations, including personal data legislation.
  3. The Customer will indemnify Vinact against claims from third parties that ensue from performance of the Agreement and/or use of the Services by the Customer.
  1. Vinact will make qualified individuals available for the provision of Services and endeavour to provide the said Services to the best of its ability.
  2. Vinact will strive to ensure the availability of the SaaS Services twenty-four (24) hours per day, seven (7) days per week. However, Vinact will not guarantee that the Services will work without interruption and/or errors. If the Services are not available, the obligation of the Customer to pay the Fee will continue to apply in full, unless the non-availability lasts more than one (1) Working Day. Where the latter is the case, Vinact will apply a discount on the Fee in proportion to the duration of the non-availability of the Services.
  3. Vinact will not be liable for any losses resulting from shortcomings on the part of its Suppliers. The Customer will give Vinact the authority (authorisation) to accept any liability limitations of third parties on behalf of the Customer.
  4. With the exception of the provisions of these General Terms and Conditions and the Agreement, all explicit and/or implicit stipulations, guarantees, terms and conditions and obligations in respect of the fulfilment by Vinact of its statutory or non-statutory obligations under any Agreement, will be excluded, insofar as permitted by law.
  1. Vinact will make qualified individuals available for the provision of Services and endeavour to provide the said Services to the best of its ability.
  2. Vinact will strive to ensure the availability of the SaaS Services twenty-four (24) hours per day, seven (7) days per week. However, Vinact will not guarantee that the Services will work without interruption and/or errors. If the Services are not available, the obligation of the Customer to pay the Fee will continue to apply in full, unless the non-availability lasts more than one (1) Working Day. Where the latter is the case, Vinact will apply a discount on the Fee in proportion to the duration of the non-availability of the Services.
  3. Vinact will not be liable for any losses resulting from shortcomings on the part of its Suppliers. The Customer will give Vinact the authority (authorisation) to accept any liability limitations of third parties on behalf of the Customer.
  4. With the exception of the provisions of these General Terms and Conditions and the Agreement, all explicit and/or implicit stipulations, guarantees, terms and conditions and obligations in respect of the fulfilment by Vinact of its statutory or non-statutory obligations under any Agreement, will be excluded, insofar as permitted by law.
  1. The Customer is and will continue to be the entitled party to all rights and powers with regard to all data and information belonging to the Customer. Vinact and its Suppliers will be the exclusive entitled parties to every part of their respective Services (and related intellectual property rights), including the associated technical information, codes, documentation, functionalities and related data, information and knowledge. The Customer will exclusively gain the non-transferable and non-exclusive right to use (hereinafter: “Right to Use”) the Services for its normal activities for the term of the Agreement. The Customer will not gain any other rights (to use) and/or any other powers with regard to the (intellectual property rights to the) Services.
  2. The aforementioned Right to Use will solely comprise the right to load the Services and provide them for the number and type of users and use for which the Customer has entered into a subscription. If Vinact observes that the Customer is making the Services available to more or other users than those permitted under the Agreement, or is otherwise using the Service in a manner that is not permitted, Vinact will be entitled to charge the Customer extra Fees with retrospective effect, separate to the right of Vinact to demand (additional) compensation and take other legal measures in this situation. Vinact will be permitted to take technical measures (including modules and/or user keys) to secure the Services and limit their use.
  3. Services that Vinact has not developed and belong to the Supplier for this reason will be subject to the terms and conditions of the said Supplier.
  1. Vinact will not be liable for any loss that ensues from or is the result of the temporary non-availability, poor performance and/or (temporary) loss of (parts of) the Services.
  2. Where other types of loss are concerned, Vinact will only be liable for attributable direct loss. In this context, the term “direct loss” will solely be understood to mean: (a) the reasonable costs incurred to identify the cause and extent of the loss, (b) the reasonable and necessary costs incurred to bring defective performance by Vinact in compliance with Agreement, and (c) the reasonable costs incurred to prevent or limit loss. The liability of Vinact for all forms of loss other than those referred to above, such as indirect loss, including but not limited to consequential loss, lost sales or profits, loss of customers, reputational loss, intangible loss, lost savings, missed orders, loss of investments or loss due to business interruption, will be excluded. The liability of Vinact for direct loss, costs or other disadvantage under the Agreement, including the Vinact Data Processing Agreement, or loss that ensues from a wrongful or unlawful act committed by the Customer will always be limited to the Fee for which Vinact invoiced the Customer in respect of the Services, excluding VAT, for a period of six (6) months directly preceding the loss-causing event, subject to a maximum of € 20,000.
  3. The Customer will only have a right to compensation if the Customer notifies Vinact of the loss applicable in writing within thirty (30) days of the date on which the Customer could reasonably have discovered the inception of the loss.
  4. Nothing in these General Terms and Conditions will limit the liability of Vinact for loss ensuing from intent or gross negligence on its part.
  1. Each Party will have the right to dissolve the relevant Agreement by registered letter with immediate effect, without any further notice of default and without any prior judicial intervention, if (i) the other Party requests a moratorium on payments or is declared bankrupt, or (ii) the other Party is a legal entity and is put into liquidation.
  2. Each Party will be able to terminate the Agreement with due observance of a notice period of at least one (1) month.
  3. After the Agreement is terminated, in any manner whatsoever, provisions that are evidently intended to continue to apply will do so in full, including the provisions of Articles 7, 8 and 9 at the very least.

Final provisions

  1. Vinact will be entitled to amend these General Terms and Conditions from time to time. All such amendments will be communicated to the Customer by e-mail at least one (1) month before an amendment enters into effect.
  2. Vinact will be entitled to subcontract and/or transfer all or some of its rights and obligations under any Agreement.
  3. These present General Terms and Conditions, the Agreement and the Data Processing Agreement in Part II and/or the performance thereof will be governed exclusively by Dutch law. The applicability of the Vienna Convention on Contracts for the International Sale of Goods (CISG) will be excluded.
  4. Any disputes arising from these General Terms and Conditions, the Agreement and the Data Processing Agreement in Part II and/or the performance thereof and/or in connection with any of the aforementioned will be submitted exclusively to the competent court in Amsterdam.

Part II: Data Processing Agreement

Whereas

  1. Vinact offers the Customer software for the purpose of accounting on the one hand and calendar, client and appointment management on the other hand, amongst other things, and may process personal data for the Customer in this capacity;
  2. the Customer and Vinact have entered into an Agreement on the basis of which the Customer will be able to use the services provided by Vinact; this Data Processing Agreement is one of these services;
  3. the Customer will be deemed to be the controller, within the meaning of Article 4, opening words, and Article 7 of the General Data Protection Regulations, where the processing of personal data is concerned;
  4. Vinact will be deemed to be the processor, within the meaning of Article 4, opening words, and Article 8 of the GDPR, where the storage and processing of personal data are concerned.

Article 1 Definitions

  1. The following definitions will apply for the terms used in this Data Processing Agreement. All of these terms will be written with initial capitals and be defined as follows regardless of whether they are used in the singular or plural: General Terms and Conditions: the Vinact general terms and conditions, which will form an inextricable part of the Agreement; Schedule: a schedule to the Data Processing Agreement that forms an inextricable part of the Data Processing Agreement; Agreement: the agreement entered into between the Customer and Vinact for the use of Vinact services, including any further agreements; Personal Data: all data that is directly or indirectly traceable to a natural person as referred to in the first section of Article 4, and (1) of the GDPR; Sub-Processor: the subcontractor engaged by Vinact that processes Personal Data under this Data Processing Agreement at the expense of the Customer as referred to in Article 28(4) of the GDPR; Processing: the processing of Personal Data as referred to in the first section of Article 4, and (2) of the GDPR; Data Processing Agreement: the present agreement, which forms part of the Agreement.
  2. The provisions of the Agreement and the General Terms and Conditions will apply in full to this Data Processing Agreement. Where the Agreement or General Terms and Conditions contain provisions on the Processing of Personal Data, the provisions of this Data Processing Agreement will prevail.

Article 2 Processing on the instructions of the Customer

  1. In this Data Processing Agreement, Vinact will undertake to Process Personal Data as instructed by the Customer. See Schedule 1 for an overview of the type of Personal Data, categories of data subject and the purposes for which the Processing of Personal Data takes place. The Customer will guarantee that the Personal Data, categories of data subject and purposes described in Schedule 1 are complete and correct and indemnify Vinact against any shortcomings and claims that are the result of incorrect representation by the Customer.
  2. Vinact will only process Personal Data on the basis of this Data Processing Agreement and the instructions of the Controller. Vinact will not process Personal Data for other purposes or its own purposes. Vinact will not have any control over the purpose for which Personal Data is processed and the resources used to do this. The Customer will have sole responsibility for these Processing Operations.
  3. The Customer will guarantee that the content and use of and instruction to process Personal Data are in compliance with all applicable legislation and regulations and do not violate any rights of third parties. The Customer will indemnify Vinact against all claims of third parties, the data protection supervisor in particular, that ensue from non-fulfilment of this guarantee in some way. If Vinact believes that an instruction from the Customer constitutes a violation of the GDPR or other privacy legislation by which it is bound, Vinact will immediately notify the Customer of this situation.
  4. Vinact will undertake to solely process Personal Data for the purpose of the activities named in this Data Processing Agreement and/or the Agreement. Vinact will guarantee that it will not use the Personal Data that is processed under this Data Processing Agreement without the express and written instructions of the Customer, unless a statutory provision requires Vinact to process the said Personal Data. In this situation, Vinact will notify the Customer of the aforementioned statutory provision before Processing starts, unless legislation prohibits a communication of this nature for important reasons of public interest.

Article 4 Confidentiality

  1. Vinact will ask all of its employees who are involved in performance of the Agreement to sign a non-disclosure agreement, which agreement may or may not be included in the employment contracts entered into with the said employees. At the very least, the non-disclosure agreement will stipulate that employees are to maintain the confidentiality of Personal Data.

Article 5 Transfer

  1. Vinact will only be permitted to transfer Personal Data outside the European Economic Area with due observance of the relevant legal obligations.

Article 6 Third parties and subcontractors

  1. Vinact will be permitted to use the Sub-Processors named in Schedule 3 under this Data Processing Agreement and the Agreement. If Vinact wishes to engage a different Sub-Processor, Vinact will inform the Customer of the changes envisaged. The Customer will be required to object to these changes within five (5) working days. Vinact will respond to any objection by the Customer within five (5) working days.
  2. When Vinact engages a Sub-Processor to carry out specific Processing activities at the expense of the Customer, the same data protection obligations will be imposed on the Sub-Processor as those set out in this Data Processing Agreement.

Article 7 Liability

  1. As regards the liability of Vinact under this Data Processing Agreement, the provisions of Article 9 of the General Terms and Conditions, which Article relates to the limitation of liability, will apply in full.

Article 8 Data breaches

  1. If Vinact learns of a Personal Data breach (as defined in the GDPR; hereinafter: “data breach”), it will i) notify the Customer of this breach without unreasonable delay and provide information about the nature of the breach and, where possible, the number of data subjects and the expected consequences of the data breach, ii) take all reasonable measures to address the data breach, including limiting any adverse consequences of the data breach, and prevent similar data breaches in the future, and iii) notify the Customer of these measures.
  2. Vinact will assist the Customer and help it fulfil his/her/its legal obligations in respect of the data breach observed.
  3. Vinact will help the Customer comply with the obligation the Customer has to report data breaches to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens (AP)) and, if applicable, the data subjects referred to in Articles 33 and 34 of the GDPR.
  4. Vinact will not be liable for the incorrect and/or late fulfilment of the reporting obligation of the Customer as referred to in Articles 33 and 34 of the GDPR.

Article 9 Assisting the Customer

  1. Wherever reasonably possible, Vinact will help the Customer fulfil its obligation under the GDPR to comply with requests from data subjects who wish to exercise their rights, in particular the right to access (Article 15 of the GDPR), the right to rectification (Article 16 of the GDPR), the right to be forgotten (Article 17 of the GDPR), the right to restriction of processing (Article 18 of the GDPR), the right to data portability (Article 20 of the GDPR) and the right to object (Articles 21 and 22 of the GDPR). Vinact will forward complaints or requests from data subjects about the Processing of Personal Data to the Customer as soon as possible, who/which will then be responsible for handling the said complaints or requests. Vinact will be entitled to charge the Customer for any costs Vinact incurs in respect of its cooperation.
  2. Wherever reasonably possible, Vinact will help the Customer fulfil his/her/its obligation under the GDPR to perform a data protection impact assessment (Articles 35 and 36 of the GDPR). In this situation, the Parties will make further (written) agreements with each other.
  3. Vinact will make available to the Customer all information reasonably necessary to demonstrate that Vinact is meeting its obligations under the GDPR.
  4. A maximum of once per calendar year, Vinact will enable the Customer - with the consent of Vinact and for a reasonable period of time - to check compliance with the Data Processing Agreement, particularly the security measures that Vinact has taken. An audit of this nature will always be at the expense of the Customer and carried out in a manner that has as little impact as possible on the normal business operations of Vinact. Vinact will be entitled to charge the Customer for any costs incurred in respect of the provisions of this article.
  5. The audit in Article 9.4 will only take place after the Customer has requested and assessed similar audit reports present at Vinact and puts forward reasonable arguments to justify the initiation of an audit by the Customer. An audit of this nature will be justified if the similar audit reports present at Vinact provide little or no information that demonstrates compliance with this Data Processing Agreement.

Article 10 Termination

  1. This Data Processing Agreement will remain in force while Vinact processes Personal Data on behalf of the Customer. After terminating this Data Processing Agreement, Vinact will, when requested to do so by the Customer, erase all Personal Data or return it to the Customer, and delete existing copies, unless Vinact is required by law to continue to save (some of the) Personal Data.
  2. Any obligations arising from this Data Processing Agreement that are intended to remain in place after this agreement is terminated will continue to exist after this agreement is terminated.

SCHEDULE 1 OVERVIEW OF PERSONAL DATA

Types of personal data

  1. Name and address details
  2. Financial data
  3. Depending on the service provided to the Customer: medical data and treatment data
  4. Photographs
  5. Calendar items
  6. Messages

Changes will only be made to Personal Data in consultation between Vinact and the Customer.

Categories of data subject

  1. Clients and patients of the Customer
  2. Employees of the Customer

Purposes for which Personal Data will be processed

  1. Vinact will provide the Customer access to and allow him/her/it to use Vinact software for the purpose of his/her/its day-to-day activities, including calendar management, his/her/its customer base, treatments, cash register, accounts and inventory.

SCHEDULE 2 BREAKDOWN OF SECURITY IN PLACE

  1. Employees at Vinact will only have access to customer data of the Customer if the Customer has expressly given its consent for employees to have access to this data in the system
  2. Regular internal audits and code reviews
  3. Encrypted SSL connection
  4. Passwords are stored in an encrypted format
  5. The Customer is able to prevent unwanted access in a number of ways. For example, by automatically logging someone out in the event of inactivity, two-factor authentication and IP whitelisting
  6. Extensive technical measures to secure access to Vinact servers
  7. Various measures against SQL injections, cookie and session hijacking and Cross-site scripting (XSS)
  8. Automatic security updates for application code and infrastructure software
  9. All data is saved in an encrypted format
  10. Application and infrastructure set up on the basis of the zero-trust principle
  11. Firewall at infrastructure level with deep package analysis (AWS WAF)

SCHEDULE 3 BREAKDOWN OF SUB-PROCESSORS

  1. Amazon AWS: the overall infrastructure
  2. Google Ireland Limited: appointment platform
  3. Cloudinary: file uploads like Customer photos
  4. Mailgun: e-mail
  5. MessageBird: text messages
  6. Spryng: text messages
  7. Intercom: support and marketing
  8. Mollie: payment gateway
  9. Stripe: payment gateway
  10. Datadog: logging and monitoring