General Terms and Conditions

Article 1: Definitions

1. Except and to the extent that capitalized terms elsewhere in these Terms and Conditions (hereinafter: “Terms”), the terms defined with a capital letter have the following meanings:

Article 2: Applicability

1. These Terms apply to and form part of all Agreements where Embrace provides its services to the Client. The provisions of these Terms apply in full to any (agreement concerning the execution of the) Agreement for the benefit of the Client.
2. The applicability of any general or specific terms or conditions of the Client, under whatever name, that differ from these Terms and Conditions, is expressly excluded.
3. The Parties can only deviate from these Terms and Conditions in writing and explicitly.
4. If any provision of these Terms is void or annulled, the other provisions of these Terms will remain in full force and effect. In that case, Embrace and Client will consult with the aim of agreeing on new provisions of the same purport as much as possible to replace the invalid or nullified provisions.
5. Embrace is authorized to unilaterally change the provisions of these Terms at any time. As soon as the amended Terms and Conditions have been announced to the Client, they will apply between Embrace and Client.
6. In the event of a conflict between any provision of the Agreement and these Terms, the provisions of the Agreement will prevail over the provisions of these Terms unless the Agreement deviates from the Terms to the detriment of Embrace.
7. The provisions of these Terms do not affect Embrace's rights under the law.

Article 3: Conclusion of the Agreement

1. All offers, offers and other expressions made by Embrace are without obligation, unless otherwise expressly stated in writing. Agreements and acceptances of offers and offers by the Client are considered irrevocable.
2. The Client guarantees the accuracy and completeness of the information provided by or on behalf of Embrace to Embrace on which Embrace based its offer, with the exception of obvious typing errors.
3. An Agreement is only concluded between Embrace and Client when the offer has been signed (digitally) by the Client or Embrace has executed the Agreement.
4. The content of the Agreement appears from the offer and, in the absence thereof, from what Embrace has done to deliver the Application (s).
5. If and insofar as the proper execution of the Agreement requires, Embrace has the right to have certain work performed by (a) third party (s), whether or not affiliated with it, at any time. The applicability of articles 7:404, 7:407 paragraph 2 and 7:409 of the Civil Code is expressly excluded.

Article 4: Pricing, Invoicing and Payment

1. The Client owes the fee included in the Agreement for the Application (s).
2. All prices mentioned by Embrace are in euros and exclude import and export duties, sales tax (if applicable) and any government levies and/or taxes.
3. Embrace charges the Client for the amounts due per year, in advance. For this purpose, Embrace will send an invoice to the Client. Payment must be made within 30 days of the invoice date. This period is the payment deadline and is therefore a deadline.
4. In the event of a periodic payment obligation on the part of the Client, Embrace may, in writing and in accordance with the index or other measure included in the Agreement, adjust the applicable prices and rates for the period specified in the Agreement. If the Agreement does not expressly provide for the possibility to adjust prices or rates, Embrace may change the applicable prices and rates in writing, subject to a period of at least three months. In the latter case, if the Client does not wish to agree to the adjustment, the Client is entitled to terminate the Agreement in writing within thirty days of notification of the adjustment with effect from the date on which the new prices and/or rates would come into effect.
5. The Client is not entitled to suspend any payment or to set off amounts due.
6. If the Client does not pay the amounts due or does not pay them on time, then the Client will be in default immediately, without the need for a reminder or notice of default. The Client owes the statutory commercial interest on the outstanding amount from the moment he is in default, until full payment of the amount due in full. If the payment is not made within one month after the day on which the payment should have been made at the latest, the statutory interest rate will be increased by 3% as of the day on which this month has expired.
7. If the Client fails to pay the claim after a reminder or notice of default, Embrace can hand over the claim and, in addition to the total amount due (including additional interest), the Client will also be obliged to pay all reasonable judicial and extrajudicial costs, including all costs calculated by external experts. This does not affect Embrace's other legal and contractual rights.
8. If Embrace has borne (un) costs without a price having been agreed, Embrace is entitled to charge the Client the actual costs and/or the usual rates for this.
9. Embrace is always authorized to set off everything that the Client owes against the Client's counterclaims.

Article 5: Commencement, duration and end of the Agreement

1. The execution of the Agreement commences within a reasonable period of time after entering into the Agreement. If no commencement date has been agreed in the Agreement, Embrace will immediately start executing the Agreement. The Client shall ensure that it has the facilities necessary to use the Application (s) immediately after entering into the Agreement.
2. If and insofar as the Agreement between the Parties is a continuing performance agreement, the Agreement has been entered into for the agreed period, failing which the term of three (3) years applies.
3. The term of the fixed-term Agreement is each time tacitly extended by 1 year, unless the Client or Embrace terminates the Agreement in writing with a notice period of three months before the end of the relevant period, unless otherwise agreed.

Article 6: Implementation of the Agreement

1. Embrace executes the Agreement on the basis of an obligation to do its best and it undertakes to deliver the Application (s) in accordance with a professional acting carefully.
2. Any agreed terms do not count as fatal terms as Embrace depends on various factors and circumstances, such as: the quality of the data and information provided by the Client and the cooperation of the Client and relevant third parties.
3. Embrace delivers the Application (s) on behalf of the Client. The Client may only use the Application (s) for the benefit of its own company or organization, only to the extent necessary for the use intended by Embrace. The Client is not free to let third parties make use of the Application (s) provided by Embrace.
4. Embrace is not obliged to follow instructions from the Client when executing the Agreement, especially if this concerns instructions that change or supplement the content or scope of the Application (s) to be delivered. If such instructions are followed, the relevant work will be reimbursed in accordance with Embrace's usual rates at that time.
5. Embrace may make changes to the content or scope of the Application (s). If such changes are substantial and result in a change in the procedures applicable to the Client, Embrace will inform the Client about this as soon as possible. The costs of this change are borne by the Client. In that case, the Client can terminate the Agreement in writing by the date on which the change takes effect, unless this change is related to changes in relevant legislation or other regulations issued by competent authorities or the Contractor bears the costs of this change.
6. Embrace may continue to execute the Agreement using a new or modified version of the Application (s). Embrace is not obliged to maintain, change or add certain properties or functionalities of the Application (s) specifically for the Client.
7. Embrace may temporarily discontinue all or part of the Application (s) for preventive, corrective or adaptive maintenance or other forms of service. Embrace will not let the decommissioning take longer than necessary and, if possible, allow it to take place at times when the Application (s) is usually used least intensively.

Article 7: Embrace liability

1. Embrace's total liability due to an attributable shortcoming in the fulfillment of the Agreement or on any legal basis, is limited to compensation for damage as detailed in this article.
2. Embrace's liability for whatever reason is limited per Application and per event to compensation for direct damage up to a maximum of the amount of the compensation for one year (excluding VAT) specified in the Agreement. However, under no circumstances will compensation for direct damage exceed €250,000 (two hundred and fifty thousand euros) during the entire term of this Agreement. A series of related events counts as one event.
3. Direct damage only includes:
   1. the reasonable costs that the Client should incur to make Embrace's performance comply with this Agreement; however, this damage will not be reimbursed if the Client has terminated this Agreement.
   2. reasonable costs incurred to determine the cause and extent of the damage, insofar as the determination relates to direct damage within the meaning of this Agreement;
   3. reasonable costs incurred to prevent or limit damage, insofar as the Client demonstrates that these costs have led to the limitation of direct damage within the meaning of this Agreement.
   4. Fines imposed on the Client by the Data Protection Authority, insofar as they were imposed due to a violation of the laws and regulations attributable to Embrace regarding the processing of personal data in the context of the Processing Agreement agreed by the Parties and/or failure to comply with obligations under this Processing Agreement by Embrace.
   5. claims from those involved within the meaning of the AVG reimbursed by the Client for damage suffered by those involved, insofar as this damage is the result of a shortcoming attributable solely to Embrace under the Processing Agreement.
4. Embrace's liability for indirect damage, including consequential damage, lost profit, missed savings and damage due to business interruption, is excluded.
5. Insofar as services and/or products from third parties hired/purchased by Embrace for the execution of the Agreement with the Client, including companies affiliated with Embrace, Embrace will never accept more liability than it can assert against the third party or affiliate in question. Embrace only accepts liability towards the Client as soon as it has received compensation for the damage from the third party or affiliated company it has engaged.
6. Damage due to death, physical injury or material damage to property is limited to €1,250,000.
7. Damage caused by acts or omissions on the part of the Client or third parties: (i) in violation of instructions provided by Embrace and/or (ii) in violation of the Agreement and these Terms and damage as a direct or indirect result of incorrect, incomplete and/or incorrect information provided to Embrace by or on behalf of the Client is not eligible for compensation.
8. The exclusions and limitations of Embrace's liability described in articles 7.2 through 7.7 do not affect Embrace's other exclusions and limitations of liability described in these Terms in their entirety.
9. The exclusions and restrictions described in articles 7.2 to 7.7 will expire if and insofar as the damage is the result of intent or deliberate recklessness on the part of Embrace's management.
10. Unless compliance by Embrace is permanently impossible, Embrace's liability for an attributable shortcoming in the fulfillment of an Agreement will only arise if Client gives Embrace a written notice of default without delay, setting a reasonable period of time for the shortcoming to remedy the shortcoming, and Embrace continues to imputably fail to comply with its obligations even after that period. The notice of default must contain as complete and detailed a description as possible of the shortcoming, so that Embrace is given the opportunity to respond appropriately.
11. The condition for any right to compensation is always that the Client reports the damage to Embrace in writing as soon as possible after its occurrence, and in any case within two months. Any claim for compensation against Embrace expires as soon as twelve months after the claim arose, unless the Client has filed a legal claim for compensation for the damage before the expiry of that period.
12. The provisions of this article, as well as all other limitations and exclusions of liability mentioned in these Terms, also apply to all (legal) persons employed by Embrace and its suppliers in the execution of the Agreement.
13. The Client indemnifies Embrace against all third-party claims, including, but not limited to, third parties and employees of the Client engaged by the Client, for compensation for any damage resulting from or related to the (execution of the) Agreement with/by Embrace.
14. In the event of a legally valid appeal for force majeure as referred to in article 11, the Client cannot claim compensation for the damage suffered by him.

Article 8: Termination and termination of the Agreement

1. Each of the Parties has the authority to terminate the Agreement due to an attributable shortcoming in the fulfillment of the Agreement only if the other Party, always after giving as detailed a written notice of default as possible, setting a reasonable period of time to remedy the shortcoming, imputably fails to comply with essential obligations under the Agreement. Payment obligations of the Client and all obligations to cooperate and/or provide information by the Client or a third party to be engaged by the Client are in all cases as essential obligations under the Agreement.
2. If, at the time of termination, the Client has already received performance in execution of the Agreement, these performances and the related payment obligations will not be the subject of cancellation, unless the Client proves that Embrace is in default with regard to the essential part of those performances. Amounts that Embrace invoiced before termination in connection with what it has already properly performed or delivered in execution of the Agreement remain due in full, subject to the provisions of the previous sentence, and become immediately due and payable at the time of termination.
3. The Client is not entitled to terminate an Agreement that has been entered into for a definite period of time, or an Agreement that ends by completion, prematurely.
4. Each of the Parties can terminate the Agreement in writing in whole or in part with immediate effect without notice of default if the other party is granted a suspension of payment - whether or not temporarily - if bankruptcy is filed against the other Party, if the other Party's business is liquidated or terminated other than for the purpose of reconstruction or merger of companies. Embrace can also terminate the Agreement in whole or in part with immediate effect without notice of default if the decisive control over the Client's business changes directly or indirectly. Embrace is never obliged to make any refund due to the termination as referred to in this article paragraph. In the event that the Client is irrevocably bankrupt, the Client's right to use the Embrace Application (s) will then end without the need for an act of termination on the part of Embrace.
5. Obligations that, by their nature, are intended to continue after the end of the Agreement remain in full force and effect even after the end of the Agreement and apply to the Client and its legal successors.

Article 9: Suspension

1. Embrace is authorized to suspend compliance with the obligation under the Agreement if the Client does not fulfill the obligations under the Agreement, does not fully or not timely, or if Embrace has good reason to fear that the Client will (will) fail to fulfil its obligations.
2. Embrace can retain the data, documents and/or databases received or realized under the Agreement, despite an existing obligation to issue or transfer, until Client has paid all amounts due to Embrace.

Article 10: Changes and additional work

1. If, at the request or with the prior consent of the Client, Embrace has performed work or other performance that falls outside the content or scope of the agreed work and/or performance, these activities or performances will be reimbursed by the Client at the agreed rates and, failing that, at Embrace's usual rates. Embrace is not obliged to comply with such a request and it may require that a separate written Agreement be concluded for this purpose.
2. The client realizes that changes and additional work (may) lead to the shifting of any deadlines and dates. New terms and dates specified by Embrace replace the previous ones.
3. Insofar as a fixed price has been agreed for the Agreement, Embrace will inform the Client in writing about the financial consequences of the additional work or performance as referred to in this article upon request.

Article 11: Force majeure

1. Neither Party is obliged to comply with any obligation, including any legal and/or agreed warranty obligation, if it is prevented from doing so as a result of force majeure. Force majeure on the part of Embrace includes: (i) force majeure on the part of any Embrace suppliers; (ii) government measures; (iii) electricity failure; (iv) failure of the internet, data network or telecommunications facilities; (v) unavailability of employees; (vi) (cyber) crime, (cyber) vandalism, war or terrorism.
2. In the event of force majeure, Embrace has the right to suspend the execution of the Agreement without Embrace being obliged to pay any compensation.
3. In the event of force majeure, the Client is in no way entitled to compensation or the right to perform work to implement the Agreement.
4. If a force majeure situation lasts longer than sixty days, each of the Parties has the right to terminate the Agreement in writing. In that case, what has already been performed under the Agreement will be settled proportionally without the Parties owing each other anything.

Article 12: Security

1. If Embrace is obliged to provide a form of information security under the Agreement, the security will comply with the security specifications agreed in writing between the Parties. If an explicitly described method of security is missing, the security will meet a level that, given the state of the art, the implementation costs, the nature, scope and context of the information to be secured to Embrace, the purposes and normal use of its Application (s) and the likelihood and seriousness of foreseeable risks, is not unreasonable.
2. The access or identification codes, certificates or other means of security provided to the Client by or on behalf of Embrace are confidential and will be treated as such by the Client and will only be made known to authorized staff from the Client's own organization. Embrace is entitled to change assigned access or identification codes and certificates. The Client is responsible for managing authorizations and providing and timely withdrawal of access and identification codes.
3. If the security or testing thereof relates to software, equipment or infrastructure that has not been supplied to the Client by Embrace itself, the Client guarantees that all necessary licenses or approvals have been obtained to perform the said service. Embrace is not liable for damage caused in connection with the performance of this service. The Client indemnifies Embrace against any legal claim for whatever reason in connection with the performance of this service.
4. Embrace is entitled to adjust the security measures from time to time if this is necessary as a result of changed circumstances.
5. Embrace can provide instructions to the Client with regard to security that aim to prevent or minimize incidents or the consequences of incidents that may affect security. If the Client does not or does not follow such instructions from Embrace in a timely manner, Embrace is not liable and Client indemnifies Embrace for any damage that may occur as a result.
6. Embrace is always allowed to make technical and organizational provisions to protect data files, websites, software provided or other works to which the Client is provided with (direct or indirect) access, also in connection with an agreed limitation in the content or duration of the right to use these objects. The Client will not remove such technical provision (s) or allow it to be circumvented.
7. At the request of the Client, a certified ICT security company may, after signing Embrace's indemnification statement, examine the Application (s) for external security aspects. The costs for the audit are for the Client, the costs of implementing any necessary improvements are for Embrace.

Article 13: Intellectual Property

1. All intellectual property rights to the (read: customization) developed under the Agreement and/or the Application (s), websites, databases, equipment, training material or other materials such as analyses, designs, documentation, reports, offers, as well as preparatory material thereof, are exclusively owned by Embrace, its licensors or service suppliers. The Client only obtains the user rights that are expressly granted by these Terms and Conditions, the Agreement concluded in writing between the Parties and mandatory law. A right to use vested in the Client is non-exclusive, non-transferable, non-pledgeable and non-sublicensable.
2. If Embrace is willing to commit to transfer any intellectual property rights, such a commitment can only be made in writing and expressly. If the Parties agree in writing that an intellectual property right with regard to software, databases, equipment, know-how or other works or materials specifically developed by the Client will be transferred to the Client, this does not affect Embrace's right or ability to use and/or exploit the components, designs, algorithms, documentation, works, protocols, standards and the like underlying that development for other purposes, either for itself or for third parties. Embrace also has the right to use and/or exploit the general principles, ideas and programming languages used for the production or development of any work for other purposes for itself or for third parties without any restrictions. Nor does the transfer of an intellectual property right affect Embrace's right to make developments for itself or a third party that are similar or derived from those that have been or are being done on behalf of the Client.
3. The Client will not remove or (have) changed any indication (s) about the confidential nature or concerning copyrights, brands, trade names or any other intellectual property right from the software, data files, equipment or materials.
4. The Client guarantees that no third-party rights preclude the provision to Embrace of equipment, software, data files and/or other materials, designs and/or other works for the purpose of use, maintenance, processing, installation or integration, including having the appropriate licenses. The Client indemnifies Embrace against any claim by a third party based on the fact that such provision, use, maintenance, editing, installation or integration infringes any rights of that third party.
5. Embrace is never obliged to carry out data conversion, unless this has been expressly agreed in writing with the Client.
6. Embrace is entitled to use the Client's logo, logo or name in its external communication.

Article 14: Confidentiality

1. The Client and Embrace ensure that all information received from the other Party that is known or reasonably should be known to be confidential remains confidential. This prohibition does not apply if and insofar as providing the relevant information to a third party is necessary pursuant to a court order, a legal requirement, on the basis of a statutory order from a government authority or for the proper execution of the Assignment. The Party that receives confidential information will only use it for the purpose for which it was provided. In any case, information is considered confidential if it has been designated as such by one of the Parties.
2. The Client acknowledges that the Application (s) made available by or via Embrace are always confidential and that it contains trade secrets of Embrace and/or its suppliers.

Article 15: Delivery and Acceptance

1. Delivery terms stated by Embrace are indicative and do not count as a deadline, unless the Parties have agreed in writing.
2. An adjustment of the Client's wishes may lead to an adjustment of the delivery period. Furthermore, work performed outside the content or scope of the agreed work will be reimbursed by the Client at Embrace's usual rates.
3. The assignment is deemed to be completed upon completion of the work by Embrace to the Client.
4. As long as the order has not been completed until acceptance and/or has not been paid in full, the Client is not allowed to use the Embrace Application.
5. Embrace will set up the Application to be accessed via the internet, and configure it according to the Client's wishes. The Agreement includes these wishes of the Client.
6. The Client will fully cooperate in the implementation of the Application.
7. Embrace will deliver the Application if, in its professional opinion, it meets the description set out in the Agreement or is suitable for use. The Client will evaluate and approve or reject the delivered goods within five working days of delivery in accordance with the criteria set out in the Agreement. If the Client does not reject what has been delivered within this period, or takes the work into operational use, the delivered work is deemed to have been accepted.
8. If the Application is delivered in phases, after completion of each phase, the Client must approve or reject the part of the work of that phase in the manner specified in the previous paragraph. The client may not base a rejection at a later stage on aspects that were approved in an earlier phase.
9. If the Client rejects the delivered goods in whole or in part, Embrace will make every effort to remove the reason for rejection as soon as possible. Embrace can do this by reviewing the result or stating with motivation why the reason is not true. The client then has ten working days to approve or reject the revision or motivation. If Embrace has been given the opportunity to modify the work at least twice and one of the parties no longer considers further adjustment useful, both parties have the right to terminate the order for the rejected part of the Agreement.
10. Rejection is only possible in the event of serious errors that make normal use of the Application reasonably impossible. If objections concern only minor aspects, the work is deemed to have been accepted subject to the condition that these objections are resolved within a reasonable time.
11. Embrace is not liable for errors discovered after acceptance, unless Embrace knew or should have known them upon delivery.

Article 16: Account Management

1. In order to use the Application, the Client needs an account. Embrace will provide Client with login details for an administrator account, which will allow the Client to create end-user accounts and manage the Application itself.
2. The main account will be activated after verification.
3. The Client is prohibited from creating accounts for non-employees (except when it comes to seconded or guest users). The Client is responsible for managing the accounts, both links and cleaning/archiving created users.
4. Embrace can set a limit on the number of end users who can use the Application.
5. The Client is responsible for choosing the username and password for the account, as well as the user names and passwords of the end users. The client and/or the end users are also responsible for adequate security by means of a strong password. The Client will choose strong passwords for all accounts and change them regularly. Embrace can enforce that Client's expectations meet the latest quality and safety requirements.
6. All actions that take place on the management environment after logging in with a Client account are deemed to take place under the responsibility and supervision of the Client. In case of suspicion of abuse, the Client must inform Embrace as soon as possible, after which Embrace will take appropriate measures. Embrace is not liable for any damage caused by the measures taken in the context of abuse.
7. If the Client's login details have been leaked, or the Client suspects that his account is being misused, he must immediately change the password for the account and inform Embrace about the situation.

Article 17: Permitted use

1. Embrace can set a limit on the amount of data traffic, storage and server capacity that the Client may or can actually use via the Application. If the Parties have not made any agreements about this, a fair use limit applies.
2. In any case, there is no longer fair use if the Client uses more than a maximum of twice as much data traffic and storage as other Embrace customers would do in a similar situation.
3. Embrace is entitled to check whether the Client's use of the delivered goods is in accordance with the agreement. This applies, among other things, to the nature of the use of the provided Application.
4. If it appears that there is use by the Client that differs from the Agreement, the Client will reimburse the (un) costs incurred by Embrace to detect that use in accordance with the usual rates. If the Client does not agree to this, it is entitled to terminate the agreement on the date that the adjusted price applies.
5. Embrace is not liable if the Application is not accessible or does not function properly if the applicable usage limits are exceeded.
6. For the Application to be delivered, the Client will only appoint designated and authorized users who use Embrace products in accordance with the manner stated in the offer.
7. The Client guarantees that the Application will not be used for activities that are contrary to any applicable laws or regulations. In addition, it is expressly prohibited (whether lawful or not) to provide or distribute materials via the Application that:
   1. contain malicious content (such as malware or other malicious software);
   2. Invade third party rights (such as Intellectual Property Rights), or are undeniably libelous, defamatory, insulting, discriminatory, or hate speech;
   3. Include information about or may be helpful in violating third party rights, such as hacking tools or explanations about computer crime that are intended to (cause) the reader to commit criminal behavior and not to defend themselves against it;
   4. Invade the privacy of third parties, including, but not limited to, disseminating the personal data of third parties without permission or necessity;
   5. Include hyperlinks, torrents or references to (sites of) materials that infringe copyrights or other Intellectual Property Rights.

Article 18: Exit plan

1. In the context of the continuity of the use and provision of information by the Client, in the event of intended termination of the Agreement, Parties will consult within five (5) Working Days after written notice about the transfer of data, knowledge and information to the Client or a third party to be appointed by the Client. The initiative for this lies with the Client. The parties will agree on the period and way in which the transfer will take place.
2. Upon termination of an Agreement, Embrace can make the following files available to the Client:
   1. Client data in a transferable format;
   2. documentation in the context of the configuration and layout;
   3. all other data files built up with ICT performance.
3. All exit-oriented activities carried out by Embrace under this article will be charged at the then applicable rates on a post-calculation basis.
4. In the event that the Client has not indicated immediately after the termination of the Agreement, subject to paragraph 1, that it wishes to transfer the data mentioned above, Embrace is entitled to remove and destroy the data that is stored, edited, processed or otherwise entered using the Application immediately from the server.
5. Embrace does not guarantee the completeness of the information requested in the event of an exit.

Article 19: Privacy and Data Processing

1. Within the framework of the Agreement, Embrace processes personal data within the meaning of the Client's General Data Protection Regulation (“AVG”). This personal data will be processed in accordance with Embrace's Privacy Statement, as well as applicable laws and regulations.
2. If, in the opinion of Embrace, this is relevant to the execution of the Agreement, Client will inform Embrace in writing about how the Client executes its obligations under the legislation in the field of personal data protection.
3. The Client indemnifies Embrace against claims from persons whose personal data has been or is being processed for which the Client is responsible by law, unless the Client proves that the facts underlying the claim are attributable to Embrace.
4. The responsibility for the data processed by the Client using an Embrace Application lies with the Client. The client guarantees to Embrace that the content, use and/or processing of the data are not unlawful and do not infringe any rights of a third party. The Client indemnifies Embrace against any legal claim by a third party, for whatever reason, in connection with this information or the execution of the Assignment.
5. If, pursuant to a request or authorized order from a government agency or in connection with a legal obligation, Embrace performs work with regard to data of the Client, its employees or users, all associated costs may be charged to the Client.
6. A processing agreement forms part of the Agreement and is included as Annex 1.

Article 20: Transferability, rights and obligations

1. The Client is not allowed to transfer any rights or obligations arising from the Agreement, in whole or in part, to a third party without Embrace's prior written consent.
2. However, Embrace is allowed to transfer rights or obligations under the Agreement to, or have them taken over by, a third party without the prior consent of the Client. The Client hereby cooperates in advance with Embrace in any contractual transfer of the legal relationship from the Agreement by Embrace to a third party.

Article 21: Applicable law and dispute resolution

1. The Agreement and all agreements arising from or related thereto, as well as these Terms and Conditions, are governed exclusively by Dutch law, excluding Dutch private international law and the Vienna Sales Convention.
2. All disputes, including disputes considered as such by only one of the Parties, that may arise as a result of and in connection with the Agreement, resulting agreements and/or these Terms, will be submitted exclusively to the competent court of the Northern Netherlands District Court, location Groningen.

Article 22: Advice and consultancy

The provisions contained in this article apply if Embrace provides services in the field of advice and consultancy, which are not carried out under the direction and supervision of the Client.

Implementation of advice and consultancy services

1. Embrace will carry out the advice and consultancy services completely independently, at its own discretion and not under the supervision and direction of the Client.
2. Embrace is not bound by a lead time of the Agreement because the course of the Agreement in the field of consultancy or advice depends on various factors and circumstances, such as the quality of the data and information that the Client provides and the cooperation of the Client and relevant third parties.
3. Embrace's services are only provided on Embrace's usual working days and times.
4. The use that the Client makes of advice and/or consultancy report issued by Embrace is always at the Client's risk. The burden of proof that (the manner of) advice and consultancy services do not comply with what has been agreed in writing or what can be expected of a reasonably acting and competent contractor lies entirely with the Client, without prejudice to Embrace's right to provide evidence to the contrary by all means.
5. Without Embrace's prior written consent, the Client is not entitled to notify a third party about Embrace's working methods, methods and techniques and/or the content of Embrace's advice or reports. The Client will not provide Embrace's advice or reports to a third party or otherwise make it public.
6. For the advice and consultancy services, the Client owes the fee included in the Agreement. At Embrace's discretion, the fee to be paid is calculated based on: (i) an hourly estimate and the associated costs in the Agreement or (ii) subsequent calculation. If the hours and costs estimated in the Agreement are exceeded, the costs of such an overrun will be charged to the Client on the basis of subsequent calculation.

Appendix 1: Data Processing Agreement

This processing agreement is an annex to every agreement (hereinafter: the Agreement) between Client (hereinafter: Controller) and Embrace (hereinafter: Processor) and where
the General Terms and Conditions apply.

The terms in this Data Processing Agreement have the meaning that Article 4 of the GDPR gives them. In addition, the definitions (always marked with a capital letter) as included in the Terms apply.

1. Processing of Personal Data

1. With regard to the Processing of Personal Data carried out on its behalf, the Controller is the controller within the meaning of Article 4, paragraph 7, GDPR. Processor is a processor within the meaning of Article 4, paragraph 8, GDPR.
2. Processor only processes the Personal Data on the basis of written instructions from the Controller, subject to different legal obligations. An overview of the nature and purpose of the Processing, as well as the categories of Personal Data and data subjects, is set out in Appendix A to this Data Processing Agreement.
3. The Controller guarantees to Processor that the Processing of the Personal Data instructed to Processor complies with applicable Privacy Laws and does not infringe any rights of a Third Party.
4. Processor undertakes to act in accordance with the applicable Privacy Legislation, including in any case the AVG and the Implementation Act.
5. Processor has no control over the purpose and means of Processing Personal Data and does not make independent decisions about the use of the Personal Data, the provision to third parties and the duration of the storage of the Personal Data.
6. Processor undertakes not to use the Personal Data obtained from the Controller for purposes or in any other way than for the purpose (s) for which the data was provided to Processor or became known to him.
7. Processor only provides access to the Personal Data to its employees to the extent necessary to provide the services under the Agreement.
8. Processor will not provide Personal Data to a Third Party unless the provision takes place in the context of the execution of the Agreement and/or this Processor Agreement, an explicit written order from the Controller, pursuant to a legal obligation or by order of a judicial or administrative authority.
9. If Processor is of the opinion that, under a legal obligation, it must make Personal Data available to a competent authority, it will do so after notifying the Controller. It will inform the Controller of the legal obligation in writing as soon as possible, providing all relevant information that Controller reasonably needs to take the necessary measures to determine whether provision can take place and, if so, under what conditions.
10. Processor will cooperate with the Controller to the extent necessary to provide the Controller with the opportunity to fulfill its obligations under the
    To comply with privacy laws. Any costs that Processor incur in connection with this may be charged by Processor to Controller.
11. If, in its opinion, a request or instruction from the Controller violates the GDPR or other applicable Privacy Legislation, Processor will notify Controller.

2. Security measures and control

1. Taking into account the state of the art, the implementation costs, as well as the nature, scope, context and processing purposes, and the risks that the processing entails for those involved, Processor will take all appropriate technical and organizational measures with regard to the Personal Data processed on behalf of the Controller to ensure a level of security appropriate to the risk, which, where appropriate, include the following:
   1. measures to ensure that only authorized personnel have access to the Personal Data for the purposes set out in Appendix A;
   2. measures to protect Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful Processing, access or disclosure;
   3. measures to identify weaknesses with regard to the Processing of Personal Data in the systems used to provide the services to the Controller;
   4. measures to ensure the timely availability of the Personal Data, as further detailed in Appendix B.
2. The security measures to be taken into account by Processor are further described in Appendix B.
3. The controller has the right, once a year or if there is a concrete suspicion of non-compliance, to (show) compliance with the above described under 2.1. If the Controller so requests, Processor enables the Controller to check this (or have it checked). Any costs that Processor must incur to comply with such a request may be charged by Processor to Controller.
4. The parties are aware of the independent control powers of the Data Protection Authority and will provide this supervisor with access and cooperation in an investigation with regard to the Personal Data processed under this Processing Agreement. Any costs that Processor must incur to comply with such a request may be charged by Processor to Controller.
5. Controller agrees that the Processor's Application will process Personal Data that is not controlled by Processor.
   Unless otherwise agreed in this Data Processing Agreement, the Controller is responsible for:
   
   • the data entered into the Application and determining the accuracy and legality of that data; and
   • the secure use of the Application, including the security of account information, etc. that the Controller uses to access the Application, the storage of any copies of data outside the Application, and the protection of the security of the Personal Data during transit to and from the Application.

3. Data breaches

1. Processor enables the Controller to take appropriate next steps with regard to a Data Breach, including being able to assess a Data Breach and being able to inform Supervisor (s) and Data Subjects in a timely and adequate manner and provides the Controller with all reasonably necessary cooperation to this end. In any case, the Processor will provide information regarding the following:
   • the nature of the Data Breach, including, where possible, the categories of Data Subjects concerned and, approximately, the number of data subjects involved;
   • the (possibly) affected Personal Data and, approximately, the amount of Personal Data affected;
   • the established and expected consequences of the Data Breach for the Processing of Personal Data and the persons involved; and
   • the measures that Processor has taken and will take to address the Data Breach, including, where appropriate, measures to limit any negative consequences of the Data Breach.
2. If Processor has become aware of a Data Breach, Processor will inform Processing Manager immediately after discovery and Processor will take all necessary measures to prevent or limit (further) violations or breaches concerning the Processing of the Personal Data.
3. In the event of a Data Breach, the Controller will comply with legal reporting obligations. At the request of the Controller, Processor will assist and advise Processing Manager in this regard. For this support, Processor will charge a reasonable fee to
   Controller, unless otherwise agreed in the Agreement.

4. Data subject rights

1. A complaint, objection or request from a Data Subject regarding the Processing of the Personal Data will be forwarded by Processor without delay to the Controller, who is responsible for handling the complaint, objection or request.
2. On request, Processor will provide the Controller with all reasonable cooperation to enable the Controller to comply with the obligations under the applicable Privacy Legislation within the legal period, in particular but not limited to the rights of Data Subjects, such as a request for access, correction, addition, deletion, blocking, objection to the Processing of, or a request for portability of, Personal Data. Any costs associated with the support of Processor may charge the Processor to the Controller.

5. Liability

1. The parties expressly agree that the provision of the Agreement applies to liability.

6. Term, change and termination

1. The term of this Data Processing Agreement is equal to the term of the Agreement concluded between the Parties, including any extensions thereof. In the event of a conflict between provisions of this Processor Agreement and the Agreement, the provisions of this Processor Agreement prevail.
2. Controller and Processor will consult with each other about changes to this Processor Agreement if a change in (the interpretation of) regulations, or a change in the services provided by the Controller or Processor give reason to do so. An amendment to this Data Processing Agreement can only be agreed in writing.
3. This Data Processing Agreement ends by operation of law upon termination of the Agreement. The termination of this Processor Agreement will not release the Parties from their obligations arising from this Processor Agreement, which, by their nature, are deemed to continue even after termination.
4. Upon termination of the Processor Agreement, or if applicable at the end of the agreed retention periods, Processor will, at the discretion of the Controller, destroy or return the Personal Data to Controller, unless the Personal Data needs to be kept longer, such as in the context of (legal) obligations.

7. Confidentiality and the use of Sub-Processors

1. The Processor has general permission from the Controller to engage Sub-Processors to execute the Agreement. Processor will inform the Controller in writing at least 20 business days in advance about the intended addition/replacement of Sub-Processors, so that the Controller can object to the addition/change.
2. In the event that Processor engages a Sub-Processor, an agreement will also be concluded between the two. Processor will impose similar obligations, including in particular the obligation to apply appropriate technical and organizational measures, on the Sub-Processor.
3. The Sub-Processors engaged by Processor when entering into the Agreement and this Processing Agreement are listed in Appendix C.
4. Processor ensures that anyone, including its employees and Sub-processors, involved in Processing the Personal Data treats this information confidentially.
5. The confidentiality obligation referred to in this article does not apply to the extent that the Controller has expressly given written permission to provide the Personal Data to a Third Party, if providing the Personal Data to a Third Party is necessary due to the nature of the services to be provided by Processor to the Controller, or if there is a legal obligation to provide the Personal Data to a Third Party.

8. Transfer of personal data

1. Transfers of Personal Data to a country outside the European Economic Area (“EEA”) or to an international organization are made only in accordance with this Data Processing Agreement and the GDPR.

9. Final provisions

1. This Data Processing Agreement is governed exclusively by Dutch law.
2. All disputes that arise as a result of this Processing Agreement will be settled in the same way as included in the Agreement.

Appendix A: Processing and purposes

1. Description of services provided

Social: This digital workspace makes it easy for employees to ask questions, share ideas and collaborate with colleagues. Gather ideas and perspectives from experts and create their own knowledge base. Know what's going on, share information, and collaborate on a project. Whether the employee is on the road or just in the office, access to the digital workplace anytime, anywhere. Manage all information, communication, and documentation in one place.

Customers: This customer tracking system offers everything you need to provide tenants with the best possible service. The communication that takes place via various channels, such as the chat function (real-time) in Embrace portals, telephony (via call center or telephone system in the browser) or WhatsApp (messaging tool), come in at one central location. Customer conversations are automated where possible and personal answers are provided where necessary. The conversation history with the customer is collected on one timeline to know what is going on and to be able to provide appropriate help. Use customer cards to view customer details and request previous contact moments.

Housing: With this residential space distribution system, homes, short-stay homes and student accommodation can be rented out even faster. Indicate digitally what the rental must comply with and the rest will be arranged automatically. The home seeker can then immediately get to work himself. From searching to finding, from a personal page. At a glance, insight is gained into data and the status of objects, of one housing association or an entire region, by means of a clear dashboard.

Portals: With this customer portal, tenants can manage their own affairs with self-service scenarios. Portals seamlessly connects self-service with knowledge. Through this customer portal, tenants can find answers to most questions in the knowledge base, and/or submit a request, after which they are kept informed of every step in the process via Track and Trace. Each time the customer logs into the portal, all fields are automatically filled with that customer's data (customer recognition).

2. Data processing principles

The Personal Data is processed on the basis of one or more of the following principles:

• The execution of an agreement;
• Consent;
• Complying with a legal obligation;
• A legitimate interest.

3. Retention periods

The Personal Data is kept by Processor in accordance with the AVG and specific mandatory legal retention periods. The data is not kept longer than is strictly necessary to achieve the purposes for which the data was collected and to comply with legal obligations.

4. Purposes of Processing

The Processor is a supplier of a digital product and/or digital service, namely the provision of digital workplaces (“Social”) and/or digital customer tracking system (“Customers”) and/or digital living space distribution system (“Housing”) and/or
customer portal (“Portals”). The purpose of data processing in the context of services is:

• to provide, maintain and facilitate Embrace's Services in accordance with the agreements made between Processor Manager and Processor.
• to provide the Data Controller with access to and maintain access to the data of Social and/or Customers and/or Housing and/or Portals;
• the security, control and prevention of misuse and improper use and the prevention of inconsistency and unreliability in the Processed Personal Data;

Article 5.1 and/or 5.2 and/or 5.3 and/or 5.4 of this annex, depending on the Application to be purchased by the Controller, forms part of the Processor Agreement between Controller and Processor with regard to data processing.

5.1 Categories and Types of Personal Data Social

In any case, the Data Subjects include internal and/or external users of the customer. The following categories of Personal Data, from the categories of Data Subjects, are at least possible* processed:

• Basic information, such as first and last name, job title, date of birth and profile picture;
• Contact details, such as email address, telephone number, working hours, department and absence assistant;
• All other Personal Data that we obtain for the purposes listed below.

The Data Controller can make certain choices in Social with regard to the Personal Data that is processed.

5.2 Categories and Types of Personal Data Customers

In any case, those involved include tenants, employees, suppliers, contractors, stakeholders, maintenance companies, etc. The following categories of Personal Data, from the categories of Data Subjects, are at least possible* processed:

• Basic information, such as first and last name, place of residence, date of birth, and marital status;
• Contact information, such as phone number and email address;
• Financial information, such as IBAN/bank account number;
• All other Personal Data that we obtain for the purposes listed below.

The Data Controller can make certain choices in Customers with regard to the Personal Data that is being processed.

5.3 Categories and types of Personal Data Housing

In any case, those involved include home seekers and (potential) tenants. The following categories of Personal Data, from the categories of Data Subjects, are in any case processed:

• Basic information, such as first and last name, place of residence, date of birth, state pension age and living situation;
• Contact information, such as phone number and email address;
• Financial information, such as IBAN/bank account number;
• All other Personal Data that we obtain for the purposes set out above.

5.4 Categories and Types of Personal Data Portals

In any case, the Data Subjects include the tenants and employees of the Controller himself. The following categories of Personal Data, from the categories of Data Subjects, may in any case be processed:

• Basic information, such as first and last name;
• Contact information, such as phone number and email address;
• All other Personal Data that we obtain for the purposes listed below.

Appendix B: Security Measures

Embrace processes Personal Data on behalf of its customers, and is therefore obliged to take technical and organizational measures. These implemented measures are necessary to ensure the provisions of data protection legislation, in particular the General Data Protection Regulation (abbreviated: AVG), and are only necessary if the effort is commensurate with the intended protection purpose. Embrace has taken the following security measures, among others: