Data Processing Agreement

Disclaimer: This document has been translated directly from nl-NL (Dutch). In the event of any discrepancies between this translation and the original Dutch version, the Dutch version shall prevail.

Applicability

This Data Processing Agreement ("DPA") applies to any organisation that (i) has signed a Cooperation Agreement (Samenwerkingsovereenkomst) with Vive Invest B.V., or (ii) has accepted Vive's General Terms and Conditions (including via online onboarding). In both cases the Organisation accepts this DPA without a separate signature being required.

‍

Article 1. Definitions

In this agreement the following terms have the meanings set out alongside them:

‍

Article 2. Subject matter and scope

2.1 This DPA governs the processing of personal data by Vive as processor on behalf of the Organisation, in performance of the Cooperation Agreement (Samenwerkingsovereenkomst).

2.2 The nature, purpose and categories of the processing, as well as the retention periods, are described in Annex 1.

2.3 The processing relationship has two concurrent dimensions, as further elaborated in Article 3.

‍

Article 3. Processing relationship: phases and transition

Key point‍

The DPA has two concurrent processing dimensions. Dimension A: personal data of individual Participants, for which Vive is processor until the moment the Privacy Statement is accepted; thereafter Vive is data controller. Dimension B: employer data that the Organisation continues to supply — including after Participants have been onboarded. Both fall within the scope of this DPA.

Phase 1 — Pre-account phase: Vive as processor

3.1 In the pre-account phase Vive processes personal data of Participants solely as processor for the Organisation, insofar as necessary to invite Participants and prepare them for participation in the scheme (regeling). KYC identification and identity verification take place during the onboarding process and fall outside this phase.

3.2 The Organisation is data controller for this processing and determines the purposes and means in accordance with the description in Annex 1.

Phase 2a — Post-account phase: Vive as data controller for personal account data

3.3 Once the Participant accepts Vive's Privacy Statement at the start of the onboarding process, Vive processes the personal data provided by the Participant as data controller. This occurs prior to the signing of the Client Agreement (Klantovereenkomst): the onboarding process includes the processing of identity data, bank details and Wwft information, which Vive does not process as processor for the Organisation but as data controller on its own legal basis. From the moment the Privacy Statement is accepted, Vive's Privacy Statement and other documentation apply to that processing.

3.4 The processing of biometric data or biometric verification outcomes during onboarding for the purpose of identity establishment and fraud prevention does not form part of the processing that Vive carries out as processor for the Organisation. For this processing Vive acts independently as data controller. Vive independently determines the purpose, design and legal basis of this processing, provides the Participant with the required privacy information and independently ensures compliance with Article 9 GDPR, insofar as that article applies. The Organisation has no right of instruction with respect to this processing and bears no responsibility for it.

3.5 The transition to data controller status applies exclusively to personal data that the Participant provides directly during and after onboarding. The Organisation no longer has any right of instruction over this data.

3.6 The Organisation informs Participants in advance about the transition to a direct client relationship with Vive. Vive actively informs Participants at the start of the onboarding process.

Phase 2b — Ongoing: Vive as processor for employer data

3.7 Notwithstanding the foregoing, Vive also continues to act as processor for the Organisation after a Participant has been onboarded, insofar as the Organisation supplies personal data of that Participant in the context of the ongoing employment relationship and the scheme. This includes, among other things:

• contribution amounts and instructions from the Organisation;
• HR changes (changes to employment, salary, pension basis (pensioengrondslag), termination of employment);
• reports that Vive generates at the request of the Organisation regarding participation in the scheme.

3.8 This DPA continues to apply to the employer data referred to in Article 3.7 for as long as the Cooperation Agreement (Samenwerkingsovereenkomst) remains in force.

Vive Custody B.V.

3.9 Vive Custody B.V. does not process personal data of individual Participants during the pre-account phase or the onboarding process and does not act as sub-processor of Vive Invest in those phases. Once the Participant has signed the Client Agreement (Klantovereenkomst) and the custody relationship commences, Vive Custody acts as independent data controller for the processing in the context of its licensed custodian services under the Wft and MiFID II. In that capacity Vive Custody is subject to statutory custody and reporting obligations towards the AFM and DNB. This processing falls outside the scope of this DPA.

3.10 Requests from the Organisation for erasure or return of personal data (Article 15) relate exclusively to data that Vive has processed as processor for the Organisation and that has not been integrated into the Participant's personal account or into the custody records of Vive Custody.

‍

Article 4. Duration

4.1 This DPA applies for the duration of the Cooperation Agreement (Samenwerkingsovereenkomst) and terminates by operation of law upon its termination, without prejudice to the provisions of Article 15 on data retention after termination.

4.2 Obligations that by their nature are intended to survive termination — including confidentiality, security, retention and erasure — shall remain in full force and effect.

‍

Article 5. Processing on instruction

5.1 Vive processes personal data solely on the basis of documented instructions from the Organisation, unless a legal obligation requires otherwise.

5.2 If a legal obligation requires processing without instruction, Vive shall inform the Organisation in advance, unless the law prohibits disclosure.

5.3 If Vive is of the opinion that an instruction conflicts with the GDPR or other applicable privacy legislation, it shall notify the Organisation in writing without delay and shall not carry out the instruction until the conflict has been resolved or the Organisation has expressly upheld the instruction.

‍

Article 6. Confidentiality

6.1 Vive ensures that persons with access to personal data are bound by a contractual or statutory duty of confidentiality, and that access is limited to what is strictly necessary for the performance of their duties (need-to-know).

‍

Article 7. Security

7.1 Vive implements appropriate technical and organisational measures in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, the nature and purposes of the processing, and the risks to data subjects. An overview is included in Annex 3.

7.2 Vive evaluates and updates the security measures periodically, and in any event following each security incident or relevant change in the processing environment.

‍

Article 8. Sub-processors

8.1 Vive may engage sub-processors in accordance with Article 28(4) GDPR. The current list is included in Annex 2. Vive concludes an agreement with each sub-processor containing at least equivalent data protection obligations and remains fully liable towards the Organisation for the acts of its sub-processors.

8.2 Any proposed addition or replacement of a sub-processor shall be published at least thirty (30) calendar days in advance on www.viveapp.com/documents and actively communicated to the Organisation's contact person.

8.3 The Organisation may lodge a reasoned written objection within the notice period. If the Parties are unable to reach agreement, the Organisation shall have the right to terminate the Cooperation Agreement (Samenwerkingsovereenkomst).

‍

Article 9. Rights of data subjects

9.1 Vive provides the Organisation with the necessary assistance in responding to GDPR requests from Participants that relate to personal data processed by Vive as processor for the Organisation.

9.2 If Vive receives a GDPR request that relates to data for which the Organisation is data controller, Vive shall refer the data subject to the Organisation and inform the Organisation within five (5) working days.

9.3 GDPR requests that relate to personal data for which Vive is data controller (post-account phase, see Article 3.3) are handled independently by Vive on the basis of the Privacy Statement.

‍

Article 10. DPIA and prior consultation

10.1 Vive provides the Organisation with all reasonable assistance in carrying out a Data Protection Impact Assessment (DPIA) as referred to in Article 35 GDPR, insofar as that DPIA relates to processing for which Vive acts as processor.

10.2 If the Organisation is required under Article 36 GDPR to consult the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Vive shall also provide assistance with that consultation by supplying the necessary information about its processing activities and security measures.

‍

Article 11. Data breaches

11.1 Vive shall inform the Organisation without delay, and no later than forty-eight (48) hours after discovery, of a security breach involving personal data that Vive processes as processor for the Organisation, providing the information referred to in Article 33(3) GDPR insofar as available at that time.

11.2 Vive shall assist the Organisation with the notification to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and with any communication to data subjects in accordance with Articles 33 and 34 GDPR.

11.3 Vive maintains an internal incident register of security incidents, including those that are not subject to a notification obligation.

‍

Article 12. Transfers outside the EEA

12.1 Vive shall not transfer personal data outside the European Economic Area unless (i) the Organisation has given written consent and (ii) the conditions of Chapter V GDPR have been met.

12.2 An overview of the appropriate safeguards per sub-processor — including Standard Contractual Clauses and accompanying Data Processing Agreements — is included in Annex 2.

‍

Article 13. Compliance and audit

13.1 Vive shall make available to the Organisation an annual compliance report, consisting of documented security measures (Annex 3) and, where available, the most recent external audit report or certification report.

13.2 Vive is actively working towards external certification. The current roadmap envisages ISO 27001 certification as a first step, followed by ISAE 3402 in the longer term. Once a certification is available, the corresponding report shall replace the documentation referred to in Article 13.1.

13.3 If the Organisation wishes to receive additional written information regarding compliance, Vive shall respond to such requests within twenty (20) working days, insofar as the requested information is not confidential vis-à-vis other clients.

13.4 If the Organisation, after reviewing the documentation referred to in Articles 13.1 and 13.2, has reasonable grounds to believe that Vive is not fulfilling its obligations, the Parties may by mutual agreement arrange a limited, targeted audit, carried out by a jointly appointed independent auditor. The audit shall take place no more than once per calendar year with a notice period of at least thirty (30) working days. The Organisation shall bear the reasonable costs.

13.5 Vive is not obliged to cooperate with audits that disproportionately disrupt its business operations or jeopardise the confidentiality of other clients' data. In such cases Vive shall provide a written justification for its refusal and propose an alternative form of verification.

‍

Article 14. Liability

14.1 The Parties shall be liable towards data subjects in accordance with Articles 82–84 GDPR.

14.2 Vive shall not be liable for damage arising exclusively from compliance with instructions from the Organisation that conflict with the GDPR, provided that Vive has notified the Organisation of the conflict in accordance with Article 5.3.

‍

Article 15. Data retention upon termination

Scope

‍The Organisation's right of erasure has a limited scope in practice. The personal data that Vive processes in the context of the Cooperation Agreement (Samenwerkingsovereenkomst) is overwhelmingly subject to statutory retention obligations or has become part of the direct client relationship between Vive and individual Participants.

15.1 The Organisation's right of erasure relates exclusively to contact details — name and email address, telephone number — of Participants who were invited to the scheme but never commenced the onboarding process at Vive (i.e. never accepted Vive's Privacy Statement). Once a Participant has accepted the Privacy Statement, Vive is data controller for the data provided by that Participant and the Organisation no longer has any right of instruction over it.

15.2 The remaining personal data cannot be erased at the request of the Organisation, for the following reasons:

• Transaction and contribution data, KYC/CDD information and tax data are subject to statutory retention obligations under the Wft, MiFID II, the Wwft and tax legislation, typically five to seven years after the end of the relevant transaction or business relationship.
• Personal data that has become part of a Participant's personal account is processed by Vive as data controller. The Organisation has no right of instruction over that data; it falls exclusively under Vive's Privacy Statement and the rights of the Participant as data subject.
• Data held by Vive Custody in the context of its custodian services falls under Vive Custody's own data controller responsibility and is subject to its AFM/Wft obligations.

15.3 Vive shall erase the contact details referred to in Article 15.1 within thirty (30) calendar days of termination of the Cooperation Agreement (Samenwerkingsovereenkomst) and shall confirm this in writing to the Organisation.

15.4 Upon termination Vive shall provide the Organisation with a concise overview of (i) which data will be erased, (ii) which data will be retained and on what legal basis, and (iii) when the retention periods are expected to expire.

‍

Article 16. Final provisions

Amendment

16.1 Vive reserves the right to amend this DPA by publishing a new version on www.viveapp.com/documents, with a notice period of thirty (30) calendar days. An amendment shall only take effect if the Organisation has not lodged a reasoned written objection within the notice period.

16.2 Materially significant amendments — including changes to purposes, categories of personal data, retention periods or the sub-processor list — shall be actively communicated to the Organisation's contact person with a notice period of sixty (60) calendar days.

16.3 If the Organisation objects and the Parties are unable to reach agreement, the Organisation shall have the right to terminate the Cooperation Agreement (Samenwerkingsovereenkomst).

Governing law and dispute resolution

16.4 This DPA is governed by the laws of the Netherlands.

16.5 Disputes arising from or in connection with this DPA shall be submitted to the competent court in Amsterdam.

‍

Appendix 1 — Description of the processing

Explanatory note

The legal bases in this annex are included as a reference for the bases applied by the Organisation as data controller. The determination and justification of the legal basis is the responsibility of the Organisation.

Phase 1 — Pre-account phase (Vive as processor for the Organisation)

‍

Phase 2b — Post-account phase: ongoing employer data (Vive as processor for the Organisation)

‍

Appendix 2 — Sub-processors

The processing operates across two levels. Vive Invest engages Vive Technology B.V. as direct sub-processor. Vive Technology in turn engages sub-sub-processors for specific technical functions. Vive Invest remains fully responsible for the entire processing chain.

Unless stated otherwise, personal data is stored within the EEA. Changes are published in a timely manner on www.viveapp.com/documents.

Level 1 — Direct sub-processors of Vive Invest

Vive Custody B.V. (Chamber of Commerce number (KvK) 88103315) is not a sub-processor of Vive Invest. Vive Custody does not process personal data of individual Participants prior to the signing of the Client Agreement (Klantovereenkomst). From the moment of signing, Vive Custody acts as independent data controller under the Wft and MiFID II. See Article 3.9.

Level 2 — Sub-sub-processors (engaged by Vive Technology B.V.)

SCCs = EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). Vive Technology has concluded a processing agreement with each sub-sub-processor in accordance with Article 28 GDPR.

‍

Appendix 3 — Security measures

Technical measures

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Multi-factor authentication (MFA) for all employees and administrators.
• Access control based on need-to-know (RBAC).
• Logging and monitoring of access to personal data.
• Periodic penetration tests and vulnerability assessments.
• Encrypted back-ups.

Organisational measures

• Privacy policy and periodic awareness training for employees.
• Confidentiality agreements (geheimhoudingsverklaringen) with employees and contractors.
• Vive Invest B.V. Data Breach Procedure and separate incident register (Art. 33–34 GDPR).
• Procedure for handling GDPR requests from data subjects (including DPIA assistance in accordance with Article 10).
• Privacy contact: Ramses van de Nes (COO) — ramses@viveapp.com.
• Record of processing activities (Art. 30 GDPR).