Data Processing Agreement
BE 0599.927.776 (hereinafter the “Processor”),
and the customer who enters into a contractual relationship with Chapps regarding the use of the Chapps applications
(hereinafter the “Controller”).
This Agreement applies whenever the Processor processes personal data on behalf of the Controller in the context of
the provision of software and cloud services by Chapps.
1. Subject Matter and Term
1.1. This Agreement governs the processing of personal data by the Processor for the benefit of the
Controller in accordance with Article 28 of the General Data Protection Regulation (“GDPR”).
1.2. The term of this Agreement follows the term of the main agreement (including the Software License Agreement and the General Terms and Conditions). Processing starts upon activation of the services and ends with the
deletion or return of all personal data as set out in Article 12.
2. Description of the Processing
2.1. Categories of Data Subjects
The processing may concern in particular the following categories of data subjects:
- tenants and co-tenants;
- owners and landlords;
- inspectors and staff of the Controller;
- suppliers and external contacts in the context of inspections;
- contacts at owners’ associations, social housing companies or public authorities.
2.2. Categories of Personal Data
The specific data are determined by the Controller and may include in particular:
- identification data (name, first name, address, contact details);
- data relating to properties and locations to be inspected;
- photos, videos and inspection reports;
- digital signatures;
- internal notes and references;
- user accounts and log / audit trail data.
2.3. Types of Processing
- collecting, recording and storing;
- retrieving, using and processing for inspection purposes;
- organising, structuring and reporting;
- transmitting to the Controller or its systems;
- back-up, archiving and secure deletion.
2.4. Purposes of Processing
- performing, documenting and following up digital inspections and inspection reports;
- management and follow-up of real estate assets;
- compliance with legal obligations regarding inspections and documentation;
- evidence in connection with the letting and management of real estate.
3. Obligations of the Processor
The Processor undertakes to:
- 3.1. process personal data solely on the documented instructions of the Controller, unless Union
or Member State law requires otherwise;
- 3.2. not use personal data for its own purposes;
- 3.3. ensure that all persons acting under its authority who have access to personal data are
contractually bound by a duty of confidentiality;
- 3.4. implement appropriate technical and organisational measures as required under Article 32 GDPR,
including, among others:
  - encryption of data in transit and, where possible, at rest;
  - access control and logging;
  - use of secure data centres;
  - protection against malware and unauthorised access;
  - monitoring of systems and security incidents;
- 3.5. assist the Controller in responding to requests from data subjects (access, rectification,
erasure, restriction, portability, objection);
- 3.6. where necessary, cooperate in data protection impact assessments (DPIAs) and communications
with supervisory authorities;
- 3.7. not carry out processing outside the EU/EEA unless the conditions of Chapter V GDPR are fulfilled;
- 3.8. maintain an up-to-date record of processing activities for the processing carried out on behalf
of the Controller.
4. Personal Data Breaches
4.1. The Processor shall notify the Controller without undue delay and in any event within 24 hours
in writing of any personal data breach that has been detected or is reasonably suspected and that concerns personal
data processed under this Agreement.
4.2. The notification shall include, to the extent possible, at least:
- the nature of the personal data breach and, where possible, the categories and approximate number of data subjects
concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the Processor to address the personal data breach and mitigate its
possible adverse effects.
4.3. The Processor shall fully cooperate with the Controller in assessing the breach, in making any
required notifications to supervisory authorities and—where required—to data subjects, as well as in any further
investigations and remedial actions.
5. Sub-processors
5.1. The Processor may engage sub-processors to perform this Agreement, provided that such
sub-processors are contractually bound by the same data protection and security obligations as those set out in this
Agreement, in accordance with Article 28(4) GDPR.
5.2. The Processor keeps an up-to-date list of sub-processors (see
Annex I – List of Sub-processors). This list includes at least:
- the legal entity;
- the purpose of the processing;
- the hosting or processing location;
- the address of the sub-processor.
5.3. The Processor shall inform the Controller at least 30 days prior to adding or replacing a
sub-processor. Notice shall be given by e-mail or by a notification in the application.
5.4. The Controller has the right to raise a reasoned objection within this period if:
- the sub-processor does not provide sufficient guarantees regarding data protection and information security; or
- the sub-processor processes personal data in a country without an adequate level of protection and without a valid
transfer mechanism.
5.5. If an objection is admissible, the parties shall seek an appropriate solution. If no solution is
found within 15 days, the Controller shall be entitled to:
- terminate the affected service(s); or
- restrict the processing so that the relevant sub-processor is not used.
5.6. The Processor shall remain fully liable for the acts and omissions of all sub-processors. Any
breach by a sub-processor shall be deemed a breach by the Processor.
5.7. Where a sub-processor processes personal data outside the EU/EEA, the Processor shall ensure that:
- a valid mechanism for international data transfers is used (such as EU Standard Contractual Clauses or an
adequacy decision); and
- additional measures are taken where necessary (for example, encryption, pseudonymisation and contractual security
safeguards).
5.8. The Controller may, upon request, receive a copy of the relevant data processing agreements
between the Processor and its sub-processors, with commercially confidential information redacted.
5.9. The Processor shall not engage sub-processors for purposes other than those necessary for the
provision of the Chapps services.
6. International Data Transfers
6.1. Where personal data under this Agreement are processed outside the EU/EEA, the parties shall
ensure that such transfers comply with Chapter V GDPR (such as adequacy decisions, EU Standard Contractual Clauses or
other mechanisms approved by the European Commission).
6.2. The Processor shall, upon request, provide transparent information about the countries in which
personal data are stored or processed.
7. Rights of Data Subjects
7.1. The Controller is primarily responsible for handling requests from data subjects regarding their
rights under the GDPR.
7.2. The Processor shall assist the Controller free of charge and within a reasonable time (maximum 5 business days) with:
- requests for access and rectification;
- requests for erasure or restriction of processing;
- requests for data portability;
- objections to specific processing operations.
8. Security of Processing
8.1. The Processor shall implement security measures appropriate to the risk, including in particular:
- access control based on “need-to-know” and “least privilege” principles;
- a strong password and authentication policy;
- encrypted communications (e.g. TLS) and, where possible, encrypted storage;
- firewalls, network segmentation and monitoring;
- regular review and adjustment of security measures.
8.2. Upon request, the Processor shall provide the Controller with a description of the main technical
and organisational security measures.
9. Audit and Inspection
9.1. The Controller is entitled, at most once per year or in case of a substantiated suspicion of a
breach, to have an audit or inspection carried out with regard to compliance with this Agreement.
9.2. Audits shall be conducted with reasonable prior notice and in a manner that does not
unreasonably disrupt the Processor’s business operations.
9.3. The Processor may provide alternative evidence, such as recent external audit reports or
certifications, to the extent that these sufficiently cover the relevant security aspects.
10. Confidentiality
10.1. The Processor shall treat all personal data processed on behalf of the Controller as strictly
confidential.
10.2. The Processor shall ensure that all employees, consultants or other persons acting under its
responsibility and having access to personal data are bound by an appropriate confidentiality obligation.
11. Liability
11.1. Each party shall be liable for damage arising from its own breach of the GDPR or this
Agreement, to the extent that such damage is attributable to it.
11.2. Except in cases of intent or gross negligence, the total liability of the Processor arising
from or in connection with this Agreement is limited to the amounts actually paid by the Controller for the relevant
services during the twelve (12) months preceding the event giving rise to the claim.
11.3. Neither party shall be liable for indirect or consequential damages, loss of profits or loss of
opportunities, unless mandatory law provides otherwise.
12. End of Processing
12.1. Upon termination of the main agreement or upon the Controller’s explicit written request, the
Processor shall, at the Controller’s choice:
- delete all personal data; or
- return all personal data to the Controller; or
- first return and then delete all personal data.
12.2. The Processor shall permanently delete all personal data no later than 30 days after the end of
the subscription or the services, unless a statutory retention obligation requires longer storage.
12.3. Upon request, the Processor may provide the Controller with written confirmation of the deletion.
13. Governing Law and Jurisdiction
13.1. This Agreement shall be governed exclusively by Belgian law.
13.2. All disputes arising out of or in connection with this Agreement shall be subject to the
exclusive jurisdiction of the courts of the judicial district of Halle-Vilvoorde (Belgium).
14. Order of Precedence and Relation to Other Documents
14.1. In the event of any conflict between this Data Processing Agreement and the main agreement, the following order of precedence shall apply:
- this Data Processing Agreement;
- the Software License;
- the General Terms and Conditions;
- the offer or service proposal accepted by the customer.
14.2. This Agreement replaces all previous data processing agreements between the parties with regard to the
same services.
15. Amendments
15.1. The Processor may amend this Agreement where required by changes in legislation, security
requirements or operational needs.
15.2. Where reasonably possible, amendments shall be announced at least 30 days in advance via the
Chapps website or other customary communication channels.
15.3. If an amendment has a substantial impact on the rights or obligations of the Controller, the
Controller may terminate the Agreement with respect to the affected services before the effective date of the
amendment.
16. Language and Interpretation
This Data Processing Agreement may be made available in several languages. In the event of any conflict, difference
in interpretation or inconsistency between a translated version and the Dutch version, only the Dutch
version shall prevail.
Annex I – List of Sub-processors
Below is the list of sub-processors engaged by Chapps NV. These sub-processors have been carefully selected to meet
Chapps’ high standards for security and data protection.
| Legal entity | Purpose of processing | Hosting location | Address |
|---|---|---|---|
| Accenture NV | Cloud infrastructure: hosting and data storage | Belgium, EU | Picardstraat 11 bus 100, 1000 Brussels, Belgium |
| Teamleader NV | Customer management, invoicing and payments | Ireland, EU | Dok Noord 3A / 101, 9000 Ghent, Belgium |
| Freshworks Inc. | Support tickets, Support Center website | EU | 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States |
| Hubspot Ireland Limited | Lead processing, CRM, marketing activities, communication, online appointments, sales follow-up | Ireland, EU | One Sir John Rogerson’s Quay, Dublin 2, Ireland |
| Aareon Deutschland GmbH | API integration and data exchange between Chapps software and Aareon ERP systems | Germany, EU | Isaac-Fulda-Allee 6, 55124 Mainz, Germany |
| UTS innovative Softwaresysteme GmbH | API integration and data exchange between Chapps software and KARTHAGO ERP software | Germany, EU | Schanzenstraße 6-20, 51063 Cologne, Germany |
| Thurnherr SA | API integration and data exchange between Chapps software and immob10 software | Switzerland | Morgenstraße 121, P.O. Box 753, 3018 Bern, Switzerland |
| Informant Software B.V. | API integration and data exchange between Chapps software and Informant software | Netherlands, EU | Kwaklaan 9, 2291 AT Wateringen, Netherlands |
| Pararius B.V. | API integration and data exchange between Chapps software and Pararius software | Netherlands, EU | Blaak 555, 3011 GB Rotterdam, Netherlands |
| Vlaams Energiebedrijf NV | Exchange of energy meter readings via REST API with the VEB back office | Belgium, EU | Havenlaan 88, 1000 Brussels, Belgium |
| Enloc AG | Exchange of energy meter readings via REST API with the Enloc back office | Germany, EU | Am Schießhaus 1-3, 01067 Dresden, Germany |