Data Processing Agreement
1. Subject matter and duration
1.1. This Agreement regulates the processing of personal data by the Processor on behalf of the Controller, in accordance with Article 28 of the General Data Protection Regulation (“GDPR”).
1.2. The duration of this Agreement follows the duration of the main agreement (including the Software License Agreement and the General Terms and Conditions). The processing operations commence upon activation of the services and end upon the deletion or return of all personal data as provided in Article 12.
2. Description of the processing
2.1. Categories of data subjects
- tenants and co-tenants;
- owners and landlords;
- inspectors and employees of the Controller;
- suppliers and external contacts in the context of inspections;
- contact persons at Homeowners’ Associations (HOAs/VMEs), social housing companies, or government bodies.
2.2. Categories of personal data
The data is determined by the Controller and may include, but is not limited to:
- identification data (last name, first name, address, contact details);
- data regarding properties and locations to be inspected;
- photos, videos, and inspection reports;
- digital signatures;
- internal remarks and references;
- user accounts and log data.
2.3. Types of processing
- collecting, recording, and storing;
- accessing, using, and processing for inspection purposes;
- organizing, structuring, and reporting;
- transferring to the Controller or its systems;
- backup, archiving, and secure deletion.
2.4. Purposes
- performing, documenting, and tracking digital inspections and inspection reports;
- management and tracking of real estate;
- compliance with legal obligations regarding inspections and documentation;
- providing evidence in the context of renting and managing real estate.
3. Obligations of the Processor
The Processor undertakes to:
3.1. process personal data solely on the documented instructions of the Controller, unless required to do otherwise by a legal obligation;
3.2. not use the personal data for its own purposes;
3.3. ensure that all persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.4. implement appropriate technical and organizational security measures in accordance with Article 32 of the GDPR, including, but not limited to:
- encryption of data during transfer and, where possible, at rest;
- access control and logging;
- use of secure data centers;
- protection against malware and unauthorized access;
- monitoring of systems and security incidents.
3.5. assist the Controller in fulfilling its obligation to respond to requests for exercising the data subject’s rights (access, rectification, erasure, restriction, portability, objection);
3.6. assist the Controller, where necessary, with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities;
3.7. not carry out any processing outside the EU/EEA unless the conditions of Chapter V of the GDPR are met;
3.8. maintain an up-to-date record of processing activities carried out on behalf of the Controller.
4. Personal data breaches
4.1. The Processor shall notify the Controller in writing without undue delay, and in any event no later than 24 hours, after becoming aware of any confirmed or reasonably suspected personal data breach concerning personal data processed under this Agreement.
4.2. To the extent possible, the notification shall at least:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken to address the personal data breach and to mitigate its possible adverse effects.
4.3. The Processor shall fully cooperate with the Controller in evaluating the breach, making notifications to supervisory authorities and – if required – to data subjects, as well as in any further investigations and corrective actions.
5. Subprocessors
5.1. The Processor may engage subprocessors for the performance of this Agreement, provided that these subprocessors are contractually bound by the same data protection and security obligations as set out in this Agreement, in accordance with Article 28(4) of the GDPR.
5.2. The Processor shall maintain an up-to-date list of subprocessors (see Annex I – List of Subprocessors). This list shall contain at least the legal entity, the purpose of the processing, the hosting or processing location, and the address of the subprocessor.
5.3. The Processor shall inform the Controller at least 30 days prior to adding or replacing a subprocessor. This notification shall be provided via e-mail or through a notice within the application.
5.4. The Controller has the right to object, with motivated reasons, within this timeframe if the subprocessor provides insufficient guarantees regarding privacy or information security, or if the subprocessor processes personal data in a country without an adequate level of protection and without a valid transfer mechanism.
5.5. If an objection is admissible, the parties shall consult with each other to find an appropriate solution. If no solution is found within 15 days, the Controller may terminate the affected service(s) or restrict the processing so that the relevant subprocessor is not used.
5.6. The Processor remains fully liable for the acts and omissions of all its subprocessors. A breach by a subprocessor shall be considered a breach by the Processor itself.
5.7. If a subprocessor processes personal data outside the EU/EEA, the Processor guarantees that a valid mechanism for international transfers is used and that supplementary measures are taken if necessary.
5.8. The Controller may, upon request, receive a copy of the relevant data processing agreements between the Processor and its subprocessors, provided that commercially sensitive information may be redacted.
5.9. The Processor shall not engage subprocessors for any purposes other than those necessary for the performance of the Chapps services.
6. International transfers
6.1. If personal data is processed outside the EU/EEA under this Agreement, the parties shall ensure that the transfer complies with Chapter V of the GDPR.
6.2. The Processor shall, upon request, transparently communicate the countries where personal data is stored or processed.
7. Rights of data subjects
7.1. The Controller is primarily responsible for handling requests from data subjects regarding their rights under the GDPR.
7.2. The Processor shall assist the Controller, free of charge and within a reasonable timeframe (maximum 5 working days), with requests regarding access, rectification, erasure, restriction, data portability, or objection.
8. Security
8.1. The Processor implements security measures appropriate to the risk, including:
- access management based on the “need-to-know” and “least privilege” principles;
- a strong password and authentication policy;
- encrypted communication (e.g., TLS) and, where possible, encrypted storage;
- firewalls, network segmentation, and monitoring;
- periodic evaluation and adjustment of the security measures.
- 8.2. The Processor shall provide the Controller, upon request, with a description of the primary technical and organizational security measures.
9. Audit and inspection
9.1. The Controller has the right, a maximum of once a year or in the event of a justified suspicion of a breach, to conduct or mandate an audit or inspection regarding compliance with this Agreement.
9.2. Audits shall be conducted with reasonable prior notice and without causing unreasonable disruption to the Processor’s business activities.
9.3. The Processor may provide alternative evidence, such as recent external audit reports or certifications, provided these adequately cover the relevant security aspects.
10. Confidentiality
10.1. The Processor shall treat all personal data processed on behalf of the Controller as strictly confidential.
10.2. The Processor ensures that all employees, consultants, or other persons acting under its responsibility and having access to personal data are subject to an appropriate obligation of confidentiality.
11. Liability
11.1. Each party is liable for damages resulting from its own breach of the GDPR or this Agreement, to the extent such damages are attributable to it.
11.2. Except in the case of intent or gross negligence, the total liability of the Processor arising out of or in connection with this Agreement is in any event limited to the amounts actually paid by the Controller to the Processor for the relevant services during the twelve (12) months preceding the event causing the damage.
11.3. Neither party is liable for indirect damages, consequential damages, loss of profits, or loss of opportunities, unless mandatory law dictates otherwise.
12. End of processing
12.1. Upon termination of the main agreement, the Processor shall, at the choice of the Controller, delete or return the personal data. For the return (data export), the timeframes, conditions, and any fees as explicitly agreed upon in Article 10 of the Software License Agreement shall apply.
12.2. Unless a valid request for a data export is submitted in a timely manner, the Processor shall permanently delete all personal data no later than 30 days after the end of the subscription or the services, unless a legal retention obligation requires a longer retention period.
12.3. The Processor can provide a written confirmation of the deletion upon request.
13. Applicable law and jurisdiction
13.1. This Agreement is governed exclusively by Belgian law.
13.2. All disputes arising out of or in connection with this Agreement shall fall under the exclusive jurisdiction of the courts of Antwerp.
14. Order of precedence and relationship to other documents
14.1. In the event of contradictions or inconsistencies between the documents forming the contractual relationship, the following mandatory order of precedence shall apply (in descending order of priority):
- The service proposal signed by you (quote/offer);
- This Data Processing Agreement (exclusively insofar as it concerns the processing of personal data);
- The General Terms and Conditions;
- The Software License Agreement;
- The Privacy Policy.
14.2. This Agreement supersedes all previous data processing agreements between the parties regarding the same services.
15. Amendments
15.1. The Processor may amend this Agreement if required by laws and regulations, security requirements, or operational circumstances.
15.2. Where reasonably possible, amendments will be communicated at least 30 days in advance via the Chapps website or other customary communication channels.
15.3. If an amendment has a substantial impact on the rights or obligations of the Controller, the Controller may terminate the agreement with respect to the affected services prior to the effective date of the amendment.
16. Language and interpretation
This Data Processing Agreement may be made available in multiple languages. In the event of contradictions, interpretation differences, or inconsistencies between a translated version and the Dutch version, the Dutch version shall prevail exclusively.
Annex I – List of Sub-processors
Below is the list of sub-processors engaged by Chapps NV. These sub-processors have been carefully selected to meet
Chapps’ high standards for security and data protection.
| Legal entity | Purpose of processing | Hosting location | Address |
|---|---|---|---|
| Combell NV | Cloud infrastructure: hosting and data storage | Belgium, EU | Skaldenstraat 121, 9042 Ghent, Belgium |
| Teamleader NV | Customer management, invoicing and payments | Ireland, EU | Dok Noord 3A / 101, 9000 Ghent, Belgium |
| Hubspot Ireland Limited | Lead processing, CRM, marketing activities, communication, online appointments, sales follow-up, support | Ireland, EU | One Sir John Rogerson’s Quay, Dublin 2, Ireland |
| Aareon Deutschland GmbH | API integration and data exchange between Chapps software and Aareon ERP systems | Germany, EU | Isaac-Fulda-Allee 6, 55124 Mainz, Germany |
| UTS innovative Softwaresysteme GmbH | API integration and data exchange between Chapps software and KARTHAGO ERP software | Germany, EU | Schanzenstraße 6-20, 51063 Cologne, Germany |
| Thurnherr SA | API integration and data exchange between Chapps software and immob10 software | Switzerland | Morgenstraße 121, P.O. Box 753, 3018 Bern, Confoederatio Helvetica |
| Informant Software B.V. | API integration and data exchange between Chapps software and Informant software | Netherlands, EU | Kwaklaan 9, 2291 AT Wateringen, Netherlands |
| Pararius B.V. | API integration and data exchange between Chapps software and Pararius software | Netherlands, EU | Blaak 555, 3011 GB Rotterdam, Netherlands |
| Vlaams Energiebedrijf NV | Exchange of energy meter readings via REST API with the VEB back office | Belgium, EU | Havenlaan 88, 1000 Brussels, Belgium |
| Enloc AG | Exchange of energy meter readings via REST API with the Enloc back office | Germany, EU | Am Schießhaus 1-3, 01067 Dresden, Germany |