Data Processing Agreement May 30, 2024

DATA PROCESSING AGREEMENT (DPA)

Version: 30 May 2024

Introduction

This DPA, including its Annexes, is an addendum to the contract (the “Agreement”) between Alleo B.V. (“Alleo”) and Alleo Platform Transactions B.V. (“Alleo Platform Transactions”), as service providers, and the client named in the Agreement (the “Client”). The DPA is used by both Alleo and Alleo Platform Transactions; it therefore applies separately to the Agreement between the Client and Alleo and to the Agreement between the Client and Alleo Platform Transactions. Alleo and Alleo Platform Transactions are independent contracting parties and are not liable for each other’s acts or omissions.

In delivering the services described in the Agreement, Alleo and Alleo Platform Transactions may process personal data on behalf of the Client. In that case Alleo and Alleo Platform Transactions act as Processors and the Client acts as Controller. In this DPA, “Processor” means either Alleo or Alleo Platform Transactions, as applicable (depending on which Agreement is concerned), and “Controller” means the Client.

Article 1. Definitions

In this DPA, capitalized terms shall have the following meanings: 

  • Autoriteit Persoonsgegevens: the Dutch Data Protection Authority, the supervisory authority responsible for enforcing compliance with applicable privacy laws and regulations.

  • GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016).

  • Data Subject(s): the natural person(s) to whom the Personal Data relates.

  • Annex(es): each annex to this DPA; the Annexes form an integral part of this DPA.

  • Third Party/Third Parties: any natural or legal person, public authority, agency or other body, other than the Controller, the Processor and the persons who, under their direct authority, are authorized to process Personal Data.

  • EEA: European Economic Area. 

  • Incident: an event that results in, or may result in, Personal Data being destroyed, altered, lost and/or unlawfully disclosed to a Third Party, or that enables a Third Party to gain unauthorized access to Personal Data.

  • Log: the (computer) file(s) in which processing activities are automatically recorded.

  • Personal Data: any information relating to an identified or identifiable natural person (the Data Subject) that the Processor processes on behalf of the Controller.

  • Sub-processor: a party engaged by the Processor to perform part of its obligations under the Agreement and that processes Personal Data in doing so.

  • DPA: this Data Processing Agreement, including its Annexes.

Article 2. General Provisions

2.1. The Controller determines the purposes and means of the processing and is therefore the controller within the meaning of article 4(7) GDPR. The Processor processes Personal Data solely on the written instructions of the Controller and is therefore the processor within the meaning of article 4(8) GDPR.

2.2. The Processor shall provide the Controller with all information necessary for the Controller to comply with applicable privacy laws and regulations.

Article 3. Processing of Personal Data 

3.1. The Processor shall process Personal Data on behalf of the Controller in accordance with applicable privacy laws and regulations. Annex 1 sets out the type(s) of Personal Data processed, the categories of Data Subjects, and the nature and purpose of the processing.

3.2. The Processor shall process Personal Data solely on the instructions of the Controller, unless required to do otherwise by law.

3.3. The Processor shall not process Personal Data for any purpose other than the one for which it was provided, unless a statutory requirement obliges it to do so.

3.4. The Processor shall not disclose Personal Data to a Third Party without the written instruction and/or consent of the Controller, except where the Processor is legally obliged to do so.

3.5. The Processor shall not process Personal Data outside the EEA without the Controller’s written consent. By signing this DPA the Controller consents to the transfer of Personal Data to the non-EEA countries listed in Annex 1.

3.6. Where the Controller has approved processing outside the EEA, the Processor shall put appropriate safeguards in place, such as the EU standard contractual clauses, and/or rely on an adequacy decision (article 45 GDPR) and/or an approved certification mechanism (article 42 GDPR) for the processing or transfer of the Personal Data.

Article 4. Technical and Organizational Measures

4.1. In accordance with article 32 GDPR, the Parties shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk(s). Annex 2 outlines the measures adopted by the Processor; these are reviewed periodically and amended where needed.

4.2. In implementing security measures, the Processor takes into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of Data Subjects.

4.3. The Processor records all processing activities in its systems (e.g. in a Log) and shall provide the Logs to the Controller promptly upon request.

Article 5. Assistance

5.1. Taking into account the nature of the processing and the information available to it, the Processor shall provide the Controller with the assistance necessary to meet its GDPR obligations, for example regarding security, data breaches and data protection impact assessments, in particular where the Controller itself has no access to the relevant information. The Processor may charge reasonable internal costs and expenses for compliance with this article.

5.2. If the Processor receives a request from a Data Subject, such as a request for information, access, rectification, erasure, restriction of processing and/or data portability (articles 13 to 20 GDPR), or the exercise of any other right, it shall forward the request to the Controller without delay.

5.3. After receiving a Data Subject request, the Processor shall give the Controller all reasonable assistance so that the Controller can comply with its statutory obligations.

Article 6. Audits 

6.1. The Controller may, at its own expense and at reasonable intervals, audit the Processor’s processing activities. The Processor shall reasonably assist the audit, including, after consultation, by granting access to the premises and databases of Alleo B.V. and by providing the Controller with the relevant data and information.

6.2. Recommendations resulting from the audit shall be agreed in consultation with the Controller and implemented by the Processor without delay. The Processor bears the costs only where the changes result from non-compliance with the security requirements of this DPA.

6.3. The Processor shall cooperate reasonably if the Autoriteit Persoonsgegevens or another supervisory authority investigates its processing activities, and shall inform the Controller of any such investigation without delay.

Article 7. Incidents 

7.1. Upon detecting a security incident that may constitute a personal data breach within the meaning of the GDPR, the Processor shall, after an initial internal investigation, notify the Controller without undue delay and at the latest within 72 hours of becoming aware of the potential breach.

7.2. The Processor shall take all reasonable measures to limit the consequences of an Incident and/or to prevent new Incidents, and shall assist the Controller in assessing whether the Incident triggers a statutory obligation to notify the competent supervisory authority or to inform the Data Subjects.

Article 8. Sub-processors 

8.1. The Controller consents to the Processor engaging Sub-processors for the performance of the Agreement; the Sub-processors engaged at the start of the Agreement are listed in Annex 1. If the Processor wishes to engage a new Sub-processor or replace an existing one, it shall inform the Controller, who may object within 14 days of the notification. If no objection is raised within that period, the change is deemed approved.

8.2. The Processor shall enter into a written contract with each Sub-processor it engages, imposing data protection obligations substantially equivalent to those set out in this DPA.

Article 9. Confidentiality

9.1. The Processor shall keep all Personal Data received from the Controller confidential, in accordance with the confidentiality provisions of the Processor’s General Terms and Conditions.

Article 10. Term and Termination

10.1. This DPA enters into force when the Agreement commences, remains in force for as long as the Agreement continues, and ends when the Agreement terminates. Obligations that by their nature are intended to continue survive the termination or expiry (by operation of law) of this DPA.

10.2. After termination of the Agreement, the Processor shall permanently erase all Personal Data processed on behalf of the Controller, unless the Controller requests within 30 days of termination that the Personal Data be provided, in a structured and machine-readable format, to the Controller or to a Third Party designated by the Controller, in which case the Processor shall provide the data.

10.3. Once the Personal Data has been transferred to the Controller, the Processor shall ensure that any remaining Personal Data is destroyed, unless a longer retention period is required by law, and shall likewise ensure that its Sub-processors erase the data.

10.4. In the event of bankruptcy, this DPA remains in force between the Parties so that the processing of the Personal Data originally provided can continue.

ANNEX 1 – PROCESSING DETAILS

  1. Categories of Data Subjects 

The Personal Data relates to the following categories of Data Subjects:

  • Controller’s Employees; 

  2. Types of Personal Data 

The Processor processes the following types of Personal Data:

If Alleo is the Processor:

Alleo B.V. processes the following Personal Data on an ongoing basis:

  • Forename; 

  • Surname; 

  • Date of birth; 

  • Employment Start Date; 

  • Location; 

  • IP address; 

  • Business email; 

  • Personal email address (at the Controller’s request); 

  • Benefit Transactions Executed; 

  • Employee ID.


The following Personal Data is processed only if the corresponding Alleo product module is included in the Agreement:


  • Flexible Salary Module

    • Gross hourly pay; 

    • Gross monthly salary; 

    • Holiday entitlement (gross); 

    • Statutory leave balance; 

    • Non-statutory leave balance.

If Alleo Platform Transactions is the Processor:

Alleo Platform Transactions B.V. processes the following Personal Data on an ongoing basis:

  • Forename; 

  • Surname; 

  • Business email; 

  • Personal email address (at the Controller’s request); 

  • Benefit Transactions Executed. 

  3. Nature and Purpose of Processing 

The Processor processes Personal Data for the following purposes:

If Alleo is the Processor:

  • Delivery of the services under the Agreement, in particular providing the Alleo Platform for the management of the Controller’s employee benefits, creating and managing employee accounts within the Alleo Platform, and purchasing and facilitating third-party benefits (including the associated transfer of Personal Data);

  • Storage of Personal Data in the Alleo Platform backend;

  • Using Personal Data stored in the backend to present it to users via the Alleo Platform;

  • Supporting the Controller’s employees in their use of the Alleo Platform;

  • Communicating with the Controller’s employees about Alleo Platform functionality and updates;

  • Analyzing usage patterns to improve the Alleo Platform’s performance, user experience and service offering;

  • Monitoring and safeguarding the security and integrity of the platform, including preventing unauthorized access and resolving incidents;

  • Providing the Controller with a web portal for analyzing employee usage and managing the Alleo Platform.

If Alleo Platform Transactions is the Processor:

  • Processing and managing benefit purchase data in order to invoice or set off benefits to the Controller under the Agreement.

Personal Data is not processed for the following purposes:

  • Non-anonymized analysis of, or reporting on, benefit usage;

  • Sharing data with third parties without the employee’s consent.

  4. Retention Period for Personal Data 

After the business relationship ends, the Controller has thirty (30) days (the “Retention Period”) to instruct the Processor to export or delete the Personal Data. During this period the Controller may instruct the Processor to either: a. export the Personal Data in a commonly used, machine-readable format; or b. erase the Personal Data.

Upon receipt of a deletion request from the Controller or upon expiry of the Retention Period, whichever comes first, the Processor shall within a maximum of 30 days either: a. permanently erase or destroy all Personal Data; or b. anonymize the Personal Data so that no Data Subject can be identified.

The Processor shall confirm in writing that this action has been completed, within ten (10) days of completing it.

Where a statutory retention obligation requires a longer period, the Personal Data is removed or destroyed after that period ends.

  5. Processing outside of the EEA 

Personal Data is processed in the following countries outside the EEA:

  • None. 

  6. Information regarding the Sub-processors 

The Processor engages the following Sub-processors for the performance of the Agreement:

Sub-processor         Location   Scope of Service
Amazon Web Services   Ireland    Hosting and infrastructure services, data storage, compute resources
Intercom              Ireland    Customer support and engagement platform, live chat, email messaging
Google Workspace      Europe     Productivity and collaboration tools: email, document storage, video conferencing, calendar services
Slack                 Germany    Team collaboration and communication platform: messaging, file sharing, project collaboration
Firebase Analytics    Europe     Mobile and web application analytics: user interactions, engagement, performance tracking

  7. Contact Details 

For questions or comments about this DPA and its Annexes, please contact the Processor’s representative: 

Sven Cune 

COO/DPO  

security@alleo.nl

ANNEX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES

This Annex outlines the technical and organizational measures implemented by the Processor to protect Personal Data. These measures may be amended and/or expanded as needed. The Controller considers the measures appropriate to mitigate the risks associated with outsourcing the processing activities to the Processor.

  1. Technical Measures 

  • The Processor uses Amazon Web Services as its cloud provider; AWS holds certifications including ISO/IEC 27001:2022, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v4.0. 

  • Storage systems, in particular AWS RDS and AWS S3, are encrypted at rest with AES-256, and data is encrypted in transit (TLS). 

  • Human Error Risk Mitigation

    • Passwords and credentials for internal systems are stored in an auditable password manager. 

    • Internal requests for data are reviewed to ensure that data is preserved and an audit trail is maintained. 

  • Cloud Service Access

    • Services run inside a Virtual Private Cloud that is accessible only to Alleo system engineers holding the appropriate credentials. 

  • Hardening Policies

    • The Processor runs CVE scanners against software packages and images so that only safe builds are deployed to the production environment. 

  • Auditing and Monitoring

    • The Processor maintains a consistent security level by monitoring the platform for: 

      • TLS (SSL) certificates for the API 

      • AWS audit trail of resource access 

      • Server-level resource access 

      • Database connection access 

  • Access to data is limited to system engineers and trained staff who have been granted permission. 

  • Communication between the mobile application and the Alleo API is protected in transit by HTTPS and authenticated using JWTs (JSON Web Tokens). 

  • Employee devices are enrolled in Jamf MDM, are encrypted, and can be remotely accessed, locked and wiped if lost or damaged. Customer-facing services are scanned continuously with intruder.io. 
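
The value of the JWT authentication listed above depends entirely on what the API verifies on each request. The following is an added example, not Alleo’s code and not part of the original DPA, showing the checks a verifier for HS256 tokens should perform: pin the algorithm before looking at the signature (so a header claiming alg "none" or another algorithm cannot choose the verification method), compare the signature in constant time, and enforce exp, nbf and the audience. The signing key, the audience value "alleo-api" and all claims are constructed for the example; a real service loads its key from a secrets store and may use an asymmetric algorithm instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example only; a real service loads its signing key from a secrets manager.
DEMO_SECRET = b"demo-hs256-key-not-for-production"
# Hypothetical audience value the API expects in the "aud" claim.
EXPECTED_AUDIENCE = "alleo-api"


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by JWS compact serialization (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url_encode; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue an HS256 JWT. Included only so the example runs stand-alone."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> dict:
    """Verify an HS256 JWT and return its claims; raise ValueError on any failure.

    The algorithm is pinned before the signature is checked, so the header can never
    select the verification method. The HMAC is compared in constant time, and
    exp/nbf and the audience are enforced so a token issued for another service or
    an expired session is refused.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueErrors
        raise ValueError(f"undecodable token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    nbf = payload.get("nbf", 0)
    if not isinstance(nbf, (int, float)) or nbf > now:
        raise ValueError("token not yet valid")
    if payload.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    return payload


def is_rejected(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> bool:
    """True if verify_token refuses the token; used for negative checks."""
    try:
        verify_token(token, secret, now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    good = mint_token({"sub": "emp-42", "aud": EXPECTED_AUDIENCE, "exp": now + 300})
    print("accepted subject:", verify_token(good, now=now)["sub"])
    # An alg "none" header with an empty signature must be refused even if the payload is untouched.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    print("alg none rejected:", is_rejected(f"{none_header}.{good.split('.')[1]}.", now=now))
```

The order of checks is the point: decoding the header is only done to read the claims, and the decision of which algorithm to verify with is hard-coded rather than taken from the token. Swapping the HMAC step for a public-key signature check (RS256/ES256) keeps the rest of the flow unchanged.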

  2. Organizational Measures 

  • An Incident Response Plan guides employees and responders in identifying and responding to security incidents. 

  • Alleo trains its employees to recognize phishing and social engineering attempts. 

  • Alleo employees are granted access to personal data only after explicit authorization. 

  • An exit procedure sets out the technical steps for revoking former employees’ access to systems and to the office.

  • An internal Information Security Policy is in place.

  • Security guidelines that apply to all employees include:

    • 2FA/MFA is enforced on Google Workspace and must be set up within 24 hours of account provisioning.

    • Use Google SSO, with 2FA/MFA enabled, to log in to accounts.

    • Protect work devices with passwords and never leave them unattended and unlocked. 

    • Do not leave passwords or other sensitive notes lying around the office.

    • Prevent unauthorized access to the office.

    • Store all passwords and sensitive data in 1Password.

    • Be alert to phishing and scam attempts; do not click suspicious links.

    • Do not share passwords in clear text via email, SMS or Slack; use 1Password instead. 

    • Do not store sensitive customer data (email addresses, names or other PII) on personal devices.