Silverfin - Data Processor Addendum
Last update: 1 September 2024
Pursuant to the Agreement, Silverfin provides the Silverfin Platform and the Service (both as defined below) to the Customer (as defined below). The provision of the Silverfin Platform and the Service leads to the collection and processing of Personal Data (as defined below) by Silverfin, in its capacity as a data processor, on behalf of the Customer. Therefore, Silverfin provides the Customer with this Data Processing Addendum (“DPA”) which sets out (i) how Silverfin shall manage, process and secure the Personal Data; as well as (ii) all parties’ obligations to comply with the Privacy Legislation (as defined below).
By concluding the Agreement with Silverfin, the Customer has indicated that it has read, understands and accepts the terms and conditions of this DPA, which forms an integral part of said Agreement.
This DPA may be updated from time to time by Silverfin, in which case Silverfin shall notify the Customer through its Website (as defined below) or the Silverfin Platform. In any event, the latest version of this DPA can always be accessed on the Website, as well as on the Silverfin Platform.
You can find our archived Silverfin DPA here. The current Silverfin DPA can be found in pdf format here.
1. DEFINITIONS
1.1. Capitalized terms shall have the meaning as set out below:
Affiliate: | unless otherwise defined in the Agreement, a business entity that (in)directly controls, is controlled by or is under common control (i.e. the direct of ownership of more than 50% of the voting securities of a business entity) with such party; |
Agreement: | the combined term for the (i) Terms of Use; (ii) Silverfin proposal; (iii) additional orders; and (iv) documents to which reference is made in the Terms of Use; |
Authorized Users: | individuals authorized by the Customer to have access to and make use of the Service and the Silverfin Platform; |
Customer: | the party with whom Silverfin has concluded the Agreement, including its Participating Affiliate(s); |
Data Subject: | The natural person to whom the Personal Data relates, as described in Annex I; |
End Customer: | the end customers of the Customer and their affiliates, advisors, representatives, officers, directors, employees, agents and consultants which may be serviced or processed through the Service by the Customer; |
Participating Affiliate: | an Affiliate of the Customer that has not entered into a separate Agreement with Silverfin and has been authorized to access and use the Service under an existing Agreement between Silverfin and the Customer; |
Personal Data: | personal data (within the meaning of Privacy Legislation), as described in Annex I; |
Silverfin Platform: | the Silverfin platform as described and represented via www.silverfin.com; |
Service: | the online service of Silverfin, including the integrations, features and modules as set out in the Agreement; |
Privacy Legislation: | the (supra)national privacy legislation applicable to the processing of personal data by the Customer or Silverfin within the scope of the Agreement, such as, but not limited to: (i) the General Data Protection Regulation 2016/679 of April 27, 2016 (“GDPR”); (ii) United Kingdom (UK) Data Protection Act 2018; (iii) the Belgian Privacy Law of 30 July 2018; (iv) the ePrivacy Directive 2002/58/EC of 12 July 2002, including future amendments and revisions thereof; and/or (v) (future) national legislation regarding the implementation of the GDPR; |
Silverfin: | Silverfin NV, a limited liability company with registered office at Gaston Crommenlaan 12, 9050 Gent, registered with the Crossroad Database for Enterprises under number 0524.802.662; |
Sub-processor: | Affiliates of Silverfin and other third parties engaged by Silverfin to process the Personal Data on behalf of the Customer and in accordance with the Customer’s instructions, as identified in Annex III; |
Website: | the Silverfin website, namely: https://www.silverfin.com. |
1.2. The (uncapitalized) terms “(data) controller”; “personal data”; “personal data breach”; “process”; “processing”; “(data) processor” shall have the meaning attributed to them in the Privacy Legislation.
2. ROLE OF THE PARTIES
2.1 The parties acknowledge that with regard to the processing of Personal Data under the Agreement, the Customer shall be considered the ‘data controller’ and Silverfin ‘data processor’ in accordance with the Privacy Legislation. Further, Silverfin may engage (a) Sub-processor(s) pursuant to the provisions of Section 7.
2.2 Each party shall comply with its respective obligations under the Privacy Legislation with respect to the processing of the Personal Data.
3. SUBJECT MATTER
3.1 The Customer acknowledges that by making use of the Silverfin Platform and/or Service, pursuant to the Agreement, it may provide (certain sets of) the Personal Data to Silverfin for processing. The nature and purpose of said processing, as well as a description of the Personal Data and categories of Data Subjects processed under the Agreement are further specified in Annex I.
3.2 Silverfin shall process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules/best-practices concerning the processing of personal data.
3.3 More specifically, Silverfin shall
- during the performance of the Service, provide all its know-how in order to perform the Agreement according to the rules of art, as it fits a specialised and ‘good’ data processor; and,
- shall adopt, to the best of its abilities, the necessary security measures (cfr. Annex II) and provide all its know-how in order to perform the Service in accordance with the rules of art.
3.4 The Customer keeps full control concerning the following: (i) how the Personal Data must be processed by Silverfin; (ii) the types of Personal Data processed; (iii) the categories of Data Subjects whose Personal Data is subjected to the processing; (iv) the purpose of the processing; and (v) the fact whether such processing is proportionate.
3.5 This DPA is without prejudice to the provisions of the Silverfin Terms of Use with regard to ‘Data Protection’.
4. INSTRUCTIONS FROM / RESPONSIBILITY OF THE CUSTOMER
4.1 Instructions. Silverfin shall only process the Personal Data upon the Customer’s request and in accordance with the Customer’s lawful instructions in Annex I, unless any legal obligation states otherwise. Silverfin shall inform the Customer, if in its opinion, the instructions infringe the Privacy Legislation. If the Customer subsequently cannot guarantee the validity or legality of the instruction or fails or refuses to change the unlawful instruction so that it no longer violates the Privacy Legislation, Silverfin shall be entitled to (i) suspend/refuse the performance of said instruction and (ii) at its discretion, to either continue to process the Personal Data in accordance with previously provided instructions or to stop the processing altogether, until the Customer has revised its instruction so that it no longer violates the Privacy Legislation.
4.2 Responsibilities. Furthermore, the Customer acknowledges that it is responsible for:
- the accuracy, quality and legality of (the collection and transfer of) the Personal Data;
- compliance with all transparency and lawfulness requirements under the Privacy Legislation for the collection and processing of the Personal Data and the transfer thereof to Silverfin; and,
- ensuring compliance of its instructions (cfr. Annex I) with the Privacy Legislation.
4.3 Customer shall inform Silverfin without undue delay if it is not able to comply with its responsibilities under this Section or the Privacy Legislation.
5. USE OF THE SILVERFIN PLATFORM AND THE SERVICE
5.1 In relation to (the processing of) the Personal Data, the Customer recognizes that:
- Silverfin acts as a facilitator of the Service. Therefore, the Customer shall be responsible for how and to what extent it makes use thereof;
- it is responsible for all acts and omissions of Authorized Users (i.e. in case the Authorized User does (not) take sufficient measures to protect its account on the Silverfin Platform);
- Silverfin allows the Customer to make adjustments and/or changes to the Personal Data and shall never consult or adjust such Personal Data itself, unless the Customer requests Silverfin to do so;
- it is responsible for the material and/or data (including Personal Data) provided by the Data Subject. The Customer is, as controller, thus responsible for complying with the Privacy Legislation and/or any other regulations with regard to aforementioned material and/or data;
- it shall comply with all laws and regulations (such as, but not limited to: with regard to the retention period or rights of the Data Subject) imposed on it by making use of the Service.
5.2 In case of any misuse of the Service or the Silverfin Platform by the Customer or its Authorized Users in relation to the Personal Data and/or under this DPA or the Privacy Legislation, Silverfin can never be held liable in this respect nor for any damage that would occur.
5.3 The Customer shall avoid any misuse of the Service and the Silverfin Platform in relation to the Personal Data and/or under this DPA or the Privacy Legislation. Therefore, the Customer shall safeguard Silverfin when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.
6. SECURITY
7. SUB-PROCESSORS
7.1 Approval of Sub-processors
7.1.1 The Customer acknowledges and agrees that Silverfin may engage Sub-processors in connection with provision of the Service (and the performance of the Agreement). In such a case, Silverfin shall ensure that the Sub-processors are at least bound by the same obligations by which Silverfin is bound under this DPA.
7.1.2 Silverfin has currently appointed as Sub-processors its Affiliates and other third parties as listed in Annex III.
7.1.3 Silverfin shall be liable for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Service/processing of the Personal Data itself, directly under the terms of this DPA.
7.2 Update of Sub-processor list
7.2.1 Silverfin shall:
- update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.);
- clearly indicate the changes in the list; and,
- add a timestamp (i) when the list was updated, and (ii) when the change of the Sub-processor went or will go into effect.
7.2.2 Silverfin shall notify the Customer (e.g. on the Website or through the Silverfin Platform) when changes to the list are made.
7.3 Objection
7.3.1 If the Customer wishes to exercise its right to object to a new Sub-processor, it shall notify Silverfin in writing (cfr. Section 15) and based on reasonable grounds by the latest within thirty (30) days after the notification. If the Customer fails to object within the aforementioned timeframe it shall be deemed to have waived its right to object and to have authorized Silverfin to engage the new Sub-processor.
7.3.2 In the event aforementioned objection is not found unreasonable by Silverfin, parties will discuss the Customer’s concerns with a view to achieving a reasonable solution. Such solution may include, at Silverfin’s discretion, to (i) make available to the Customer a change in the Service; or (ii) recommend a commercially reasonable change to the Customer’s use of the Service to avoid the processing of the Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.
7.3.3 If the parties are, however, unable to come to a solution within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the Service (in whole or partly) if:
- the Service/Silverfin Platform cannot be used by the Customer without appealing to the objected new Sub-processor; or,
- such termination solely concerns that part of the Service which cannot be provided by Silverfin without appealing to the objected new Sub-processor;
and this by providing written notice thereof to Silverfin (cfr. Section 15) within a reasonable time.
7.3.4 Termination of the Service within the meaning of Section 7.3.3 shall be without liability to either party (but without prejudice to any fees incurred by the Customer prior to suspension or termination of the Service).
8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
8.1 The Personal Data shall be primarily processed within the European Economic Area (“EEA”) and in North-America (in which case Section 8.2 applies).
8.2 The Customer recognizes that Silverfin is entitled to transfer and store the Personal Data to countries outside the EEA for the purpose of providing the Service and fulfilling its obligations under the Agreement, and provided that such transfer/storage is done in accordance with the Privacy Legislation regarding additional safeguards. In particular, any transfer of Personal Data outside the EEA by Silverfin to a third party whose domicile or registered office is in a country which does not fall under an adequacy decision enacted by the European Commission, shall be additionally subject to one or more of the listed EU-approved safeguards:
- closing a data transfer agreement with the third country recipient, which shall contain the standard contractual clauses, as referred to in the ‘European Commission implementing decision of 4 June 2021 (Decision (EU) 2021/914) on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council’, including the performance of a transfer impact assessment. Before the transfer takes place, the recipient of the Personal Data/Sub-processor of Silverfin in the third country has to guarantee Silverfin that an adequate level of privacy compliance is ensured in this third party country; and/or
- binding corporate rules. As it is the case for standard contractual clauses, the recipient of Personal Data/Sub-processor of Silverfin in the third country has to guarantee Silverfin that an adequate level of privacy compliance is ensured in the third party country; and/or,
- certification mechanisms.
8.3 In the event the transfer (or disclosure) of the Personal Data to a third country is required by EU law, EU member state law or law of the United Kingdom to which Silverfin is subject, Silverfin shall inform the Customer of that legal requirement before the transfer/disclosure, unless that law prohibits such information on important grounds of public interest.
9. CONFIDENTIALITY
9.1 Silverfin shall maintain the Personal Data confidential and thus not disclose nor transfer the Personal Data to third parties, without the Customer’s permission, unless when such disclosure and/or transfer is required by law or by a court or other government decision (of any kind). In such case Silverfin shall, prior to any disclosure and/or announcement, inform the Customer in full transparency on the scope and manner thereof.
9.2 Silverfin ensures the Customer that individuals engaged in the performance of the Service (such as, personnel, representatives, officers, directors, agents, advisors, affiliates and consultants) are (i) informed of the confidential nature of the Personal Data; (ii) are well aware of their responsibilities; and (iii) are bound by written confidentiality agreements. Silverfin ensures that such confidentiality obligations survive the termination of their employment or service contract.
9.3 Silverfin ensures the Customer that the access of its personnel to the Personal Data is limited to such personnel performing the Service in accordance with this DPA.
10. NOTIFICATION OBLIGATIONS AND ASSISTANCE
10.1 Notification. Silverfin shall use its best efforts to inform the Customer as soon as reasonably possible when it:
- receives a request for information, a subpoena or a request for inspection or audit from a competent public authority (incl. supervisory authority) in relation to the processing of the Personal Data;
- receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation (cfr. Section 10.3);
- has the intention to disclose Personal Data to a competent public authority (incl. supervisory authority); or,
- determines or reasonably suspects a personal data breach has occurred in relation to the Personal Data.
10.2 Personal data breach. In case of a personal data breach, Silverfin:
- shall notify the Customer without undue delay after becoming aware of this personal data breach and, to the extent possible, provide the information as required by Privacy Legislation (e.g. Article 33.3 GDPR). Upon request of the Customer, Silverfin shall provide – to the extent possible – assistance with respect to the Customer’s reporting obligation under the Privacy Legislation;
- undertakes – as soon as reasonably possible – to take appropriate remedial actions to make an end to the personal data breach (if such has occurred under its responsibility) and to prevent and/or limit any future personal data breaches.
10.3 Rights of Data Subjects
10.3.1 Silverfin shall promptly notify the Customer if it receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation. Silverfin shall not respond to any such Data Subject request without the Customer’s prior written consent, except to confirm that the request relates to the Customer, to which the Customer hereby agrees.
10.3.2 If a Data Subject requests to exercise his/her/their rights, it is the Customer’s responsibility to assist the Data Subject in its request. Only if the Customer does not have the ability to correct, amend, block or delete the Personal Data (as required by Privacy Legislation), Silverfin shall assist the Customer (as long as commercially reasonable).
10.3.3 Notwithstanding the foregoing, the Customer remains responsible for compliance of such Data Subject requests.
10.4 Data Protection Impact Assessment. Taking into account the nature of the processing and to the extent that (i) a data protection impact assessment is required under Privacy Legislation and (ii) the required information is reasonably available to Silverfin and the Customer does not otherwise have access to said information, Silverfin shall – upon request of the Customer – provide reasonable assistance to the Customer with the execution of a data protection impact assessment and possible prior consultation with the competent supervisory authorities. To the extent permitted by the Privacy Legislation, the Customer shall be responsible for any costs arising from Silverfin’s provision of such assistance.
11. LIABILITY
11.1 Both parties are solely liable for all damage and/or claims of the other party or Data Subjects and fines of competent supervisory authorities that are the result of a party’s own breach of or non-compliance with (i) the provisions of this DPA, and (ii) the Privacy Legislation or other applicable rules concerning Personal Data. Each party shall indemnify the other party in this regard.
11.2 In case of a proven breach by Silverfin of its obligations under this DPA or under the Privacy Legislation, Silverfin shall:
- be liable for the proven direct damages incurred by the Customer;
- not be liable for indirect, immaterial and/or consequential damages, including (but not limited to: loss of profit, loss of opportunities, loss of and/or damage to data, loss of reputation, sanctions, and unforeseeable damages).
Silverfin’s liability towards the Customer shall in any case be limited to the total amount paid by the Customer to Silverfin during the last twelve (12) months under the Agreement.
12. TERM
12.1 The total term of this DPA shall be the term of the Agreement. If no term is determined, this DPA shall remain in force as long as the Service has not come to an end.
13. RETENTION, RETURN AND DELETION OF PERSONAL DATA
13.1 Silverfin shall only retain the Personal Data as long as needed to provide the Service or for the term of the Agreement (cfr. Section 12). The Customer accepts that Silverfin may create back-ups of the Personal Data stored on the Silverfin Platform.
13.2 Upon termination of the Service or the Agreement, the following shall apply:
- the Service and Silverfin Platform shall be deactivated. Any Personal Data, stored on the Silverfin Platform shall as from that moment no longer be available to the Customer;
- the Customer may request the Personal Data to be returned (‘export’) within two (2) months following the end of the Agreement or the Service, upon which Silverfin shall assess whether such export is possible from a technical perspective. In any event, Silverfin may, at its sole discretion, determine the format of the export. Silverfin reserves the right to charge any costs relating to such exports to the Customer.
- after said two (2) month-period, the Personal Data on the Silverfin Platform shall be deleted within one (1) month, unless it is required by applicable law to retain the Personal Data.
- the Personal Data may be present on back-ups. The Personal Data shall be deleted once the last back-up containing the Personal Data is rotated.
13.3 Please note that data or material provided to or submitted to Silverfin by the Customer during the use of the Service that does not contain Personal Data may be further stored by Silverfin following the termination of the Agreement or the Service.
14. COMPLIANCE / INSPECTIONS
14.1 Compliance. Upon the Customer’s request, Silverfin shall make available to the Customer all information necessary and to the extent as requested by law to demonstrate its compliance with its obligations under this DPA.
14.2 Inspections
14.2.1 Silverfin shall allow the Customer (or a third party on its behalf) to carry out inspections – such as, but not limited to: an audit – and shall provide the necessary assistance thereto.
14.2.2 However, the Customer shall limit its initiatives to perform an inspection to a maximum of once a year. The Customer must notify Silverfin at least thirty (30) working days in advance. The performance of inspections may in any case not cause any delay in the performance of the Service by Silverfin.
14.2.3 The Customer shall impose sufficient confidentiality obligations on its (internal/external) auditors. As to ensure the confidentiality of other Silverfin customers, Silverfin has the right to require from the Customer and its auditors to sign a non-disclosure agreement before the start of the inspection and to limit the scope of the inspection or the access of the Customers to certain premises.
14.2.4 All inspection costs are exclusively borne by the Customer, except if (and to the extent that) a severe security incident/personal data breach (at Silverfin/under Silverfin’s responsibility) or a violation of this DPA is determined during the inspection.
15. NOTIFICATION / CONTACT SILVERFIN
15.1 Notifications by the Customer under this DPA and/or any questions or concerns with regard to the provisions of this DPA must be directed at legal.notices@silverfin.com.
16. GOVERNING LAW & JURISDICTION
16.1 This DPA, including its Annexes, shall be governed by the law and subject to the jurisdiction clause as provided in the Agreement.
Annex I – Data Processing
1. OVERVIEW OF THE PERSONAL DATA
Data Subjects – Category 1 | |
❑ Name | ❑ Company |
❑ Surname | ❑ Financial data (e.g. accounting data and tax data including relating to personal income tax such as data relating to income, investment, loans, mortgages, donations, subsidies, pension) |
❑ Residence Address | ❑ Email address |
❑ Telephone number | ❑ Any other personal data filled in by the Customer or Authorized User of the Silverfin Platform in a free form field |
Data Subjects – Category 2 | |
❑ Name | ❑ Company |
❑ Surname | ❑ Financial data |
❑ Residence Address | ❑ Email address |
❑ Telephone number | ❑ Any other personal data filled in by the Customer or Authorized User of the Silverfin Platform in a free form field |
Data Subjects – Category 3 | |
❑ Email address | ❑ Electronic identification data (IP address; log-in data, usage data, browser data, cookies, geolocation information, passwords, analytic data….) |
2. OVERVIEW OF THE DATA SUBJECTS
Category 1 | |
❑ End Customers | ❑ Directors of End Customers |
❑ Employees of End Customers | ❑ Shareholders of End Customers |
❑ Suppliers of End Customers (or their employees / representatives) | ❑ Customers of End Customer (or their employees / representatives) |
Category 2 | |
❑ Shareholders of Customer | ❑ Directors of Customer |
❑ Suppliers of Customer (or their employees / representatives) | |
Category 3 | |
❑ Authorized Users | ❑ Employees of Customer |
3. NATURE OF THE PROCESSING
❑ Collecting | ❑ Consulting |
❑ Sorting | ❑ Comparing |
❑ Structuring | ❑ Interconnecting |
❑ Modifying | ❑ Communicating |
❑ Saving | ❑ Restricting |
❑ Transferring | ❑ Deleting |
4. MEANS OF PROCESSING
❑ Through the Silverfin Platform | ❑ Electronic communication |
5. PURPOSE OF THE PROCESSING
Providing the Service and access to/use of the Silverfin Platform pursuant to the Agreement.
6. DURATION
For the term of the Agreement (cfr. Silverfin’s Terms of Use applicable to the Customer). Upon termination of the Agreement (for whatsoever reason), access to the Silverfin Platform shall be deactivated and the Personal Data shall either be deleted or returned to the Customer as provided in Section 13.
Annex II – Security
Annex III – Sub-processors
1. AFFILIATES
Name | Nature of processing | Territory |
Silverfin Software Ltd. | Support Services | United Kingdom (London) |
Silverfin Software B.V. | Support Services | The Netherlands (Amsterdam) |
Silverfin Software S.à.r.l | Support Services | Luxembourg |
2. OTHER SUB-PROCESSORS – SILVERFIN PLATFORM
Last updated: 1 May 2024 (updates in bold)
Data subject: Category 2 and 3
Name | Nature of processing | Territory |
ActiveCampaign, LLC. (Postmark) | Sending emails in connection to the provision of the Silverfin Platform | United States |
AirByte | Data Integrations | United States |
Amazon AWS S3 | Database storage | EEA |
Datadog Inc. | Infrastructure monitoring | EEA |
Delighted LLC | Customer feedback (NPS) | United States |
Fireflies | Customer relationship management | United States |
Fivetran, Inc. | Data transfer and integration of data sources | United States |
Freshworks Inc. (Freshdesk) | Customer onboarding/support | EEA |
Functional Software Inc. (Sentry) | Error logging in connection with the provision of the Silverfin Platform | United States |
Google Ltd. | Cloud Infrastructure Hosting; Centralized logging in connection to the provision of the Silverfin Platform Business suite Automation | EEA |
Heap Inc. | Product analytics | United States |
HubSpot Inc. | Customer relationship management | United States |
LogRocket | Product analytics | United States |
Looker Data Sciences, Inc. | Business & finance data analytics/metrics | United States |
Metabase | Data analytics and infrastructure monitoring | United States |
Planhat | Customer success management | EEA |
Salesforce | Customer relationship management | United States |
Showpad Inc. | Customer onboarding | EEA |
Userlane GmbH | Customer onboarding | EEA |
Data subject: Category 1
Name | Nature of processing | Territory |
AirByte | Data Integrations | United States |
Amazon AWS S3 | Database storage | EEA |
Bright Data Ltd | Data collection | Israel |
Datadog Inc. | Infrastructure monitoring | EEA |
Fivetran, Inc. | Data transfer and integration of data sources | United States |
Freshworks Inc. (Freshdesk) | Customer onboarding/support | EEA |
Functional Software Inc. (Sentry) | Error logging in connection with the provision of the Silverfin Platform | United States |
Google Ltd. | Cloud Infrastructure Hosting; Centralized logging in connection to the provision of the Silverfin Platform Business suite Automation | EEA |
LogRocket | Product analytics | United States |
Looker Data Sciences, Inc. | Business & finance data analytics/metrics | United States |
Metabase | Data analytics and infrastructure monitoring | United States |