Terms and Conditions

Version 1.0 — in effect since 7 July 2026.

These Terms and Conditions apply to all services provided by RR7349 BV, with registered office at Jean Béthunestraat 9, 9040 Ghent, Belgium, registered with the Crossroads Bank for Enterprises under number BE0719.615.977 (hereinafter “RR7349”), to its clients (hereinafter each a “Client”; RR7349 and the Client hereinafter jointly the “Parties”).

These Terms and Conditions are supplemented for each project by a Quote accepted by the Client (Annex II), which sets out at least the scope, timing and price of the project. By accepting a Quote that refers to these Terms and Conditions, the Client also accepts these Terms and Conditions in their entirety.

These Terms and Conditions are drawn up in Dutch. The Dutch-language version is at all times the legally binding and leading version. Any translations into other languages, such as this English translation, are provided for information purposes only; in the event of any conflict, ambiguity or discrepancy between the Dutch text and a translation, the Dutch text shall always prevail (see also article 17.12). The leading Dutch version is available at staticshift.be/nl/av/.

RECITALS

  • RR7349 specialises in building, hosting and maintaining websites;
  • The Client may engage RR7349 for this purpose, as concretely described in the Quote;
  • These Terms and Conditions set out the mutual rights and obligations of the Parties.

1. Definitions

In this Agreement, all capitalised terms have the meaning assigned to them in Annex I (Definitions) or in the provision or section in which they are defined. Where this Agreement refers to a clause, part or annex, this means a clause, part or annex of this Agreement, unless indicated otherwise.

2. Subject Matter

This Agreement describes the terms under which RR7349 will provide services in respect of the Client’s Website, as well as the terms under which the exchange and processing of data, including Personal Data, between the Parties will take place.

3. Intentions

The Parties shall perform this Agreement in good faith and to the best of their ability, as may be expected of a professional service provider. The Parties undertake to act fairly, equitably and professionally in serving the Client’s interests with regard to the Website.

4. Ownership and Rights of Use

RR7349 retains ownership of the Platform (including RR7349’s code, templates, infrastructure and blueprints).

The Client retains ownership of the content of the Website (texts, images, logos).

Under the Full-upfront model, the Client acquires full ownership of the Dist/Map of the live Website upon acceptance and full payment.

Under the Subscription model, the Client has a Right of Use to the Dist/Map of the live Website for the duration of the agreement, and may acquire full ownership after payment of the Transfer Fee as set out in Annex III.

5. Obligations of RR7349

RR7349 undertakes a best-efforts obligation and provides the services with the diligence of a normal, reasonable and prudent service provider, in accordance with the service level described in the Quote (Annex II).

RR7349 may engage subcontractors to perform its obligations. RR7349 remains fully responsible and liable to the Client for the correct performance of the services by its subcontractors, as if RR7349 had performed them itself.

Insofar as subcontractors act as sub-processors of personal data within the meaning of the GDPR, Annex IV (the data processing agreement, including an overview of the sub-processors for the relevant project) applies. RR7349 will inform the Client in advance of any addition or replacement of sub-processors, and give the Client the opportunity to object within a period of 30 days, in accordance with the provisions of the data processing agreement.

6. Obligations of the Client

The Client undertakes to:

  • provide, within a reasonable time and at the latest within the timeframes stated in the Quote, all content, access and information that RR7349 reasonably needs for the performance of this Agreement, and to warrant its accuracy and completeness;
  • refrain, when supplying content, from infringing any third-party rights (including intellectual property rights, image rights and privacy rights) or supplying unlawful content, and to indemnify RR7349 against any third-party claims arising therefrom;
  • upon activation of the new Website, arrange for the necessary DNS changes to be made (or have them made) with the party managing those DNS settings, within a reasonable time after receiving the required technical instructions from RR7349. Taking over management of the DNS settings is not part of this Agreement, but may be the subject of a separate, additional service;
  • use the login credentials provided by RR7349 securely, confidentially and with due care, and notify RR7349 immediately in case of (suspected) misuse;
  • pay invoices at the agreed times and in accordance with the payment terms set out in Annex III;
  • in general, provide all reasonable cooperation necessary for the proper performance of this Agreement.

Delays in the performance of this Agreement resulting from the Client’s failure to fulfil, or timely or correctly fulfil, the above obligations are not attributable to RR7349 and entitle RR7349 to extend the agreed timeframes accordingly.

7. Financial Arrangements

RR7349 will provide the services to the Client on the financial terms set out in Annex III.

In the event of non-payment of an invoice on the due date, and after a notice of default that has not been remedied within 15 days, the Client shall automatically and without further notice of default owe the following amounts:

  • late payment interest equal to the interest rate determined in accordance with the Act of 2 August 2002 on combating late payment in commercial transactions, calculated from the due date until the date of full payment;
  • a fixed fee for collection costs of €40, in accordance with article 6 of the aforementioned act, without prejudice to RR7349’s right to claim additional, actually incurred damages if the actual collection costs exceed this amount.

Without prejudice to any other rights or remedies available to RR7349, RR7349 is entitled, after the above-mentioned notice of default has expired without payment, to suspend performance of its obligations under this Agreement (in whole or in part), without this giving rise to any form of compensation in favour of the Client.

RR7349 shall notify the Client in writing in advance of such suspension, stating the outstanding amounts and the period within which payment must be made to avoid or lift the suspension.

The suspension does not affect the Client’s payment obligations, including any costs arising from the suspension and resumption of the service.

If the non-payment continues for a period of 60 days after the suspension, RR7349 is entitled to terminate the Agreement with immediate effect and without judicial intervention, without prejudice to its right to damages.

9. Communication

The Parties shall each appoint a fixed point of contact for all communication regarding the performance of this Agreement. The contact details of the appointed contact persons shall be communicated in writing to the other Party. Changes to the contact details or the appointed contact persons must be communicated in writing to the other Party as soon as possible.

10. Term and Termination of the Agreement

With regard to the one-off services (including the build and migration of the Website as described in the Quote), the agreement is of fixed duration until the end of the period for reporting any defects following delivery of the relevant services.

With regard to the services following delivery (including Hosting, CMS and Maintenance as described in the Quote), the agreement is of fixed duration for successive periods of 1 year commencing on the Commencement Date. The agreement may be terminated annually by either Party in writing, without stating reasons and without compensation, subject to a notice period of 3 months before the renewal date of the Agreement. In the absence of timely termination, the Agreement is tacitly renewed for a new period of 1 year, under the same conditions.

During the notice period, the provisions of this agreement remain fully in force and the Parties continue their performance in good faith.

11. Termination for Breach

11.1. Termination after notice of default. Each of the Parties has the right to terminate this agreement by operation of law and without prior judicial intervention if the other party fails to fulfil its contractual obligations. Such termination may only take place after the defaulting party has been given written notice of default by registered letter, and has failed to remedy the shortcoming within a period of 30 calendar days.

11.2. Immediate termination without notice of default. By way of derogation from the preceding paragraph, the aggrieved party may terminate the agreement with immediate effect and without any compensation if:

  • the shortcoming of the other party is of such a nature that it makes any remedy impossible or definitively and irreparably harms further professional cooperation (e.g. gross negligence, fraud or a serious breach of confidentiality);
  • the other party has permanently ceased performance of its obligations;
  • the other party is declared bankrupt, becomes subject to judicial reorganisation proceedings or is placed in liquidation;
  • for RR7349, if the Client is in a continuing state of non-payment, as described in article 7.

11.3. Consequences of termination. In the event of termination for breach, the aggrieved party reserves the right to claim compensation for all damage suffered, including costs incurred and lost profits, directly or indirectly resulting from the breach. Services already rendered up to the date of termination remain payable.

12. Consequences of Termination of the Agreement

12.1. Surviving provisions. Termination of this Agreement, on whatever grounds, does not affect rights and obligations which by their nature are intended to remain in force after termination. This includes, in particular but not exclusively:

  • the provisions on Intellectual Property and Confidentiality;
  • the arrangements on Liability.

12.2. Transition period. Upon termination of the agreement, RR7349 shall, for a period of a maximum of 30 days after the end date, provide the necessary cooperation for a transfer to a new service provider or to the Client itself, according to the following terms:

  • Content and media: full transfer;
  • Configuration files: full transfer;
  • Dist/Map: full transfer, if the Client owns it in accordance with the possibilities set out in article 15;
  • Docker configuration: full transfer, if the Client owns the Dist/Map, in accordance with the possibilities set out in article 15.

13. Liability & Indemnification

RR7349 shall not be liable to the Client (whether in contract or in tort) under this Agreement for any indirect, incidental, punitive or consequential damages, nor for damage caused by the Client’s own content on the Website.

Without prejudice to any mandatory legal provisions, RR7349’s contractual and non-contractual liability for damage arising from or in connection with this Agreement is limited to fifty thousand euros (€50,000) or the total amount (excluding VAT) invoiced to the Client in the 24 months preceding the event giving rise to the damage, whichever of these two amounts is lower. RR7349 undertakes to maintain, for the entire duration of the Agreement, adequate general liability insurance covering the risks of its activities. RR7349 shall, at the Client’s first request, promptly provide a valid certificate of insurance showing the coverage, the insured amounts and the term of the policy.

The limitations of liability set out in this article do not apply if the damage results from fraud, deceit, intentional misconduct, gross negligence and/or wilful recklessness.

With regard to the processing and exchange of Personal Data as described in article 14 of this Agreement, and without prejudice to the foregoing, RR7349 is liable exclusively for damage resulting from the processing of Personal Data if it has failed to comply with the specific obligations of the GDPR or has acted in breach of this Agreement.

14. Processing of Personal Data

The principles, terms and arrangements regarding the processing of Personal Data on the Platform are set out in Annex IV of this Agreement. The Client, as operator of the Platform, acts as Controller and RR7349 as Processor.

15. Intellectual Property Rights

15.1. Platform. RR7349 retains full ownership of all intellectual property rights in the Platform on which the Website operates.

15.2. Dist/Map — right of use (subscription model). If a subscription model is chosen as set out in the Quote, the Client obtains, for the duration of the Agreement, a non-exclusive, non-transferable and non-sublicensable right of use to the Dist/Map, solely for the use, exploitation and maintenance of the Website as provided for in this Agreement. Upon termination of the Agreement, for whatever reason, this right of use automatically lapses, unless the Client has previously acquired ownership of the Dist/Map in accordance with article 15.3.

15.3. Dist/Map — transfer of ownership. The Client has the option to acquire ownership of the Dist/Map: (i) if a Full-upfront model is chosen, after full payment and acceptance as set out in the Quote; or (ii) after payment of the Transfer Fee as set out in Annex III. Upon acquisition of ownership under this article, RR7349 transfers to the Client all economic copyrights in the Dist/Map, including the right of reproduction, the right of adaptation and processing, and the right of distribution, for the full term of protection of these rights and worldwide. This transfer relates exclusively to the Dist/Map and leaves RR7349’s ownership of the Platform, as set out in article 15.1, fully intact. Insofar as the Dist/Map contains open source components, these remain subject to the applicable open source licences, as specified in the Quote.

15.4. Client’s Own Content. Own Content added by the Client to the Website (including texts, images and logos) remains the Client’s property. The Client grants RR7349 a non-exclusive licence to use, reproduce, adapt and process the Own Content, solely to the extent necessary for the performance of this Agreement. The Client warrants that it is entitled to supply and permit the use of the Own Content as provided for in this Agreement, in accordance with article 6.

15.5. Background Rights. This Agreement does not affect the ownership of any Background Rights of the Parties. All Background Rights remain the property of the Party contributing them to the Project. Each Party grants the other Party a non-exclusive, non-transferable right of use to its Background Rights, insofar as these are incorporated in the Platform, the Dist/Map or any other result of the Project, and solely to the extent necessary for the use of the Website in accordance with this Agreement.

15.6. Indemnification. RR7349 warrants that the Platform and the Dist/Map, with the exception of the Client’s Own Content and Background Rights, do not infringe third-party intellectual property rights, and indemnifies the Client against any resulting third-party claims. The Client warrants that its Own Content and the Background Rights it contributes do not infringe third-party intellectual property rights, and indemnifies RR7349 against any resulting third-party claims. These indemnities are subject to the limitations of liability set out in article 13.

15.7. Moral Rights. To the extent permitted by law, RR7349 waives the exercise of its moral rights in the Dist/Map vis-à-vis the Client, to the extent necessary for the normal use, adaptation and exploitation of the Website by the Client.

16. Confidentiality Obligations

The Receiving Party shall not use the Confidential Information of the Disclosing Party, except as necessary for the performance of this Agreement. Furthermore, the Receiving Party shall not disclose the Confidential Information of the Disclosing Party to third parties, except to its employees and subcontractors who need to know it for the performance of this Agreement. Such employees and subcontractors must be bound by written agreements with use and disclosure restrictions at least as protective as those set out in this article.

Without prejudice to the definition of Confidential Information in Annex I, the Client’s Confidential Information includes in particular the Client’s business data, including but not limited to the Dist/Map, configuration data and login credentials. RR7349 uses this information exclusively for the performance of this Agreement, without prejudice to RR7349’s specific obligations regarding login credentials as set out in article 6.

The Receiving Party shall use all reasonable efforts to safeguard the confidentiality of the Disclosing Party’s Confidential Information, but in no event less than the efforts it customarily uses for its own Confidential Information of a similar nature and importance. These obligations apply for the entire duration of this Agreement and remain in force thereafter for 3 years after its termination.

The Receiving Party shall inform the Disclosing Party without undue delay as soon as it discovers that the Disclosing Party’s Confidential Information may have been stolen, leaked or otherwise compromised, without prejudice to the specific notification obligations regarding Personal Data set out in Annex IV.

The obligations of this article do not apply to Confidential Information:

  • that is already in, or enters, the public domain without breach of this Agreement by the Receiving Party;
  • that the Receiving Party lawfully receives from a Third Party without any restriction on use or disclosure;
  • that the Receiving Party was already aware of before receiving it from the Disclosing Party, without any breach of confidentiality; or
  • that the Receiving Party independently develops without reference to the Disclosing Party’s Confidential Information.

The Receiving Party may disclose the Disclosing Party’s Confidential Information where necessary to comply with a court order or another legal obligation of a public authority. Before doing so, the Receiving Party shall seek the highest possible degree of protection and, where possible, notify the Disclosing Party in writing in advance, so that it has a reasonable opportunity to protect itself against the court order or legal obligation.

Upon termination of this Agreement, and at the Disclosing Party’s first written request, the Receiving Party shall, at the Disclosing Party’s choice, return or destroy all Confidential Information, except for copies it must retain pursuant to a legal or regulatory obligation, without prejudice to the obligations of this article applying to the copies thus retained.

17. Miscellaneous Provisions

17.1. Independent contractors. Both Parties are independent contractors, and nothing in this Agreement shall be interpreted as creating a partnership, joint venture or agency relationship between the Parties. Neither Party is authorised to enter into contracts or assume obligations in the name of or on behalf of the other Party, nor shall either Party represent to third parties that it has such authority.

17.2. No implied rights. Other than as expressly provided in the Agreement, nothing in the Agreement shall be construed as granting a Party any further or implied right or licence to any Intellectual Property Right or application thereof (including, but not limited to, patent applications or patents) held by or in the name of the other Party or controlled by the other Party, or to any Confidential Information received from the other Party.

17.3. Annexes. The Parties agree that all Annexes form an integral part of this Agreement. In the event of any conflict between the articles of this Agreement and such Annexes, the articles of such Annexes shall prevail. This Agreement comprises: Annex I (Definitions), Annex II (Quote), Annex III (Financial Terms) and Annex IV (Data Processing Agreement).

17.4. Precedence of the Agreement. In the event of any conflict, ambiguity or discrepancy between the provisions of this agreement (including its annexes) on the one hand, and the provisions of a pre-contractual document (including a draft quotation or e-mail correspondence) on the other hand, the provisions of this agreement and its annexes shall always prevail. Insofar as an element is not, or not fully, regulated in this agreement or its annexes, such a pre-contractual document may be used for interpretation or supplementation, provided this is not contrary to the provisions of this agreement.

17.5. Force Majeure. With the exception of payment obligations, neither Party shall be held in default with regard to its obligations under this Agreement insofar as proper performance or compliance with such an obligation is prevented or delayed by a cause beyond the reasonable control of that Party (“Force Majeure”), including, but not limited to:

  • war and other hostilities, riots, accidents;
  • trade disputes, strikes or lockouts;
  • floods, fire, explosions;
  • terrorist attacks;
  • acts or restrictions by public authorities imposing or restricting import or export;
  • large-scale power or internet outages that are not limited to the infrastructure of the affected Party or its subcontractors individually;
  • cyberattacks, insofar as the affected Party demonstrates that it had implemented and complied with the security measures reasonably to be expected at the time of the attack;
  • or any other cause beyond the control of the Party concerned.

For the avoidance of doubt: outages, disruptions or shortcomings of individual hosting, cloud or infrastructure providers on which a Party relies for the performance of this Agreement are not considered Force Majeure, and do not affect the responsibility of the Party concerned for the correct performance of the services by its subcontractors.

The affected Party shall notify the other Party in writing within 10 working days of the occurrence of the Force Majeure event, stating the nature, expected duration and consequences of the Force Majeure situation. Both Parties shall make every reasonable effort to minimise the consequences of the Force Majeure situation and to perform their respective obligations under this Agreement as far as possible in their original form.

If the Force Majeure situation continues uninterrupted for more than 50 days, either Party has the right to terminate the Agreement, or the part thereof affected by the Force Majeure, in writing with immediate effect, without prior judicial intervention and without a right to compensation for the other Party. Such termination does not affect the Client’s payment obligations for services already delivered prior to the occurrence of the Force Majeure.

17.6. Notices. All notices, requests, demands and other communications under this Agreement must be made in writing and shall be deemed to have been duly made on the date of service if personally served on the Party to whom notice is to be given, or on the third day after dispatch if sent to the Party to whom notice is to be given, by priority mail, registered or certified, prepaid and properly addressed. Notices by e-mail may be used for routine communication and notification, provided they are sent to the official e-mail addresses designated by each Party for this purpose.

17.7. Assignment of the Agreement.

17.7.1. General prohibition on assignment. Neither Party is entitled to assign or transfer the Agreement or its rights or obligations hereunder, in whole or in part, without the prior written consent of the other Party.

17.7.2. Assignment to affiliated parties. Notwithstanding the foregoing, a Party may assign or transfer this Agreement, in whole or in part, without the prior written consent of the other Party, to an affiliated party under its control.

17.7.3. Transfer of the business by RR7349. By way of derogation from paragraph 1, the Client’s prior written consent is not required if RR7349 transfers the Agreement in the context of a merger, demerger, contribution of a business branch, or transfer of the entire business or a branch of the business in which this Agreement is housed (hereinafter: the “Business Transfer”). In such a case, the Agreement, together with all rights and obligations arising therefrom, passes automatically to the transferee (hereinafter the “Transferee”). If the Transferee is an affiliated party under the same control as RR7349 prior to the Business Transfer, within the meaning of article 17.7.2, the notification obligation of article 17.7.5 does not apply, and RR7349 shall inform the Client of the identity of the Transferee purely for information purposes.

17.7.4. Change of Control. “Change of Control” means: the acquisition by a third party, whether or not acting in concert with others, of direct or indirect (joint) control over RR7349 within the meaning of article 1:14 et seq. of the Belgian Code of Companies and Associations. A Change of Control does not affect the continued existence of the Agreement, which remains fully in force between the Client and RR7349.

17.7.5. Notification. RR7349 shall notify the Client in writing of any Business Transfer or Change of Control, stating at least the identity of the Transferee or, as the case may be, the third party acquiring the (joint) control, and the date on which the event has taken place or will take place. This notification shall be made no later than 30 days before the effective date of the event, or, if that date is not reasonably known in advance, without delay and in any event no later than within 30 days after its effective date.

17.7.6. Right of termination. After receipt of the notification referred to in 17.7.5, the Client has the right to terminate the Agreement in writing, without stating reasons and without a right to compensation for RR7349, the Transferee or the third party that has acquired the (joint) control. This right of termination must be exercised within a period of 30 days after receipt of the notification, failing which this right lapses and the Agreement continues, with the Transferee as a Party, where applicable.

17.7.7. Further assignment by the Transferee. Except as provided in this article, the Transferee may not further assign or transfer the Agreement without the prior written consent of the Client, in accordance with 17.7.1.

17.8. Waivers. If a Party fails to enforce an obligation of another Party, or delays doing so, or fails to exercise a right under this Agreement, or delays doing so, such failure or delay shall not affect its right to enforce that obligation and shall not constitute a waiver of that right. A Party’s waiver of a provision of this Agreement shall not, unless expressly stated otherwise, constitute a waiver of that provision on any future occasion.

17.9. Severability. If a provision of this Agreement is wholly or partly unlawful, the other provisions of this Agreement and the remainder of the unlawful provision shall remain in force, and the validity and enforceability of that provision shall not be affected. The Parties shall use all reasonable efforts to replace an invalid or unenforceable provision with a valid and enforceable replacement provision whose effect approximates as closely as possible the intended effect of the invalid or unenforceable provision.

17.10. Dispute Resolution. The Parties undertake to attempt to resolve any conflicts or disputes arising between the Parties during the term of the Agreement through negotiation and compromise. If the Parties are unable to reach agreement on a matter relating to this Agreement within thirty (30) days, they undertake to initiate a mediation procedure in accordance with the Belgian Judicial Code prior to any court proceedings. If such mediation does not lead to an amicable settlement within thirty (30) days of its commencement, either Party may initiate court proceedings in accordance with article 17.11.

17.11. Governing Law and Jurisdiction. The Agreement is governed by, and shall be construed and interpreted in accordance with, Belgian law. The courts of Antwerp have exclusive jurisdiction over any dispute arising from or related to the Agreement.

17.12. Language. This Agreement is drawn up in Dutch. Where translations exist for information purposes, the Dutch-language text shall always prevail in the event of any conflict.


Annex I — Definitions

Commencement Date — The date on which the last of the Parties signed this Agreement.

Background Rights — The information, data, Know-how, software, technology, materials and Intellectual Property Rights of a Party, generated before or outside the Project, which a Party contributes for the performance of the Services.

Addendum — An addendum to this Agreement.

Disclosing Party — A Party that discloses Confidential Information to a Receiving Party.

Annexes — The annexes included in this Agreement, which form an integral part of this Agreement.

Configuration Files — Astro configuration files, css files, docker files, tina configuration files and GitHub Workflows.

Dist / Map — The set of files that make up the Website at a given time, including both hand-written source code and compiled, built or otherwise generated files, and the associated configuration and deployment files (including, but not limited to, the Astro source code and configuration, the CSS files, the Docker files, the TinaCMS configuration and the GitHub Workflows). The Dist/Map is, upon transfer, transferred in its entirety to the Client, excluding the Platform with which it is generated and managed.

Indexation Mechanism — New Amount = (Base Amount × New Index) / Commencement Index. The Commencement Index is the index figure for the month preceding the signing of this Agreement. The New Index is the index figure for the month preceding the anniversary of the indexation.

Intellectual Property Rights — All now known or later additional (a) copyrights, related rights and moral rights; (b) trademark or service mark rights; (c) trade secret rights, know-how, expertise; (d) patents, patent rights and industrial property rights, design rights, supplementary protection certificates; (e) trade and business names, domain names, database rights, lease rights and all other industrial and intellectual property rights or similar rights (whether registered or not); (f) all registrations, registration applications, renewals, extensions, divisions, improvements or reissues relating to these rights and the right to apply, maintain and enforce any of the foregoing, in each case and in each jurisdiction worldwide, for as long as such protection applies.

Know-how — Non-patented technical and/or other information, including, but not limited to, information relating to inventions, discoveries, concepts, methodologies, models, research, development and testing procedures, the results of experiments, tests and trials, production processes, techniques and specifications, quality control data, analyses, and reports that are not in the public domain.

Receiving Party — A Party that receives Confidential Information.

Agreement — These Terms and Conditions between RR7349 and the Client regarding the development, ownership and exploitation of the Platform, including all its Annexes, including the project-specific Quote.

Personal Data — Any information relating to an identified or identifiable natural person (“data subject”).

Platform — The set of source code, software, templates, prompts, frameworks, automation and generation tools, technical infrastructure, architecture, blueprints, methodologies and other technical or creative elements that have been developed, compiled or applied by RR7349, whether before, during or independently of the performance of this Agreement, and which RR7349 uses to generate, create, build, host, operate and/or manage the Dist/Map, excluding the Dist/Map, the Client’s Own Content and the Client’s Background Rights. The Platform remains at all times the exclusive property of RR7349 and is not transferred to the Client.

Confidential Information — All information of a non-public, confidential or proprietary nature, whether commercial, financial or technical, or client-, supplier-, product- or production-related or otherwise, including but not limited to samples, specifications, patent applications, process designs, process models, materials and ideas, disclosed by the Disclosing Party to the Receiving Party.

Annex II — Quote

This Annex does not exist as fixed text. It is replaced for each project by the Quote accepted by the Client, which forms an integral part of the Agreement (article 17.3) and sets out at least the scope and technology, the milestones and acceptance criteria, the arrangements regarding hosting, CMS and maintenance, the price, and the project-specific processing activities for Annex IV.

Annex III — Financial Terms

The specific amount and model (Full-upfront one-off, or Subscription per month) are determined per project in the Quote. The Full-upfront amount is payable upon signing of the Agreement; the Subscription amount is payable monthly in advance.

The monthly fee for Hosting, CMS, Maintenance and Support is determined in the Quote and is payable monthly in advance. It is indexed annually on the anniversary of the Commencement Date, in accordance with the Indexation Mechanism (Annex I). RR7349 shall notify the Client in advance of the indexed fee.

The applicable hourly and daily rate for Change Requests and additional work is determined in the Quote. Additional work outside the scope described in the Quote shall only be carried out following the Client’s prior written approval, stating the scope and the price.

Should the Client, under a subscription model, wish to acquire ownership of the Dist/Map in accordance with article 15 (“Intellectual Property Rights”), the Client shall owe the following Transfer Fee: the base amount set out in the Quote, reduced by the number of months already paid multiplied by the monthly fee, with a minimum of €250. Included in the transfer: the Dist/Map (the live website); the configuration files; and the docker-compose.yml file and the OpenTofu configuration. Conditions for transfer: all outstanding invoices must have been paid in full in advance; the transfer commences within two (2) working days of receipt of payment; an expedited transfer (delivery within 48 hours) may be requested against an additional fee as set out in the Quote.

Invoices are payable within thirty (30) days of the invoice date. In the event of late payment, the provisions of article 7 (“Financial Arrangements”) apply.

Annex IV — Data Processing Agreement

For the Services that involve the processing of Personal Data, the Client acts as Controller and RR7349 as Processor, in accordance with Regulation (EU) 2016/679 (GDPR). This Annex governs the rights and obligations of both Parties in respect of that processing. The specific processing activities, categories of Personal Data, data subjects and Sub-processors for a given project are set out in the Quote (Annex II).

1. Definitions

In addition to the definitions in Annex I, the following apply to this data processing agreement: Controller — a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data carried out under its supervision; Data Subject — an identified or identifiable natural person; Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed; Processor — a natural or legal person authorised to process personal data on behalf of the Controller, such as RR7349; Security Measures — measures intended to protect Personal Data against accidental or unlawful destruction or loss, as well as unauthorised access, alteration or disclosure; Sub-processor — any processor engaged by the Processor as a subcontractor who agrees to process Personal Data for and on behalf of the Controller in accordance with this Annex; Supervisory Authority — an independent public authority established by a Member State pursuant to article 51 GDPR; Third Party — any party that is not a Data Subject, Controller, Processor or Sub-processor under this Annex; Significant Sub-processor — a Sub-processor that provides significant services or infrastructure in respect of the Services (e.g. a cloud provider or integrated software application).

2. Subject Matter of the Agreement

The Controller wishes to entrust the processing of Personal Data to the Processor. The Processor processes the Personal Data in the name and on behalf of the Controller, and performs the Services in accordance with the provisions of this Annex. Both Parties expressly undertake to comply with the relevant applicable data protection legislation and to refrain from any act or omission that could cause the other Party to breach that legislation. The processing activities, the categories of Personal Data and the Data Subjects covered by this Annex for a specific project are set out in the Quote.

If the Processor offers Matomo Analytics in connection with the Website, the default setting is that no Personal Data is processed (applying IP anonymisation and a cookieless configuration). If the Controller changes this default setting (including, but not limited to, disabling IP anonymisation), the Controller shall, from that moment, be solely and fully responsible for compliance with its obligations under the GDPR in relation to that processing, including, but not limited to, placing a cookie banner, drawing up and maintaining a privacy policy, obtaining valid consent, and reporting any data breaches. In that case, the Processor shall not act as processor within the meaning of this Annex with regard to the Personal Data thus processed under the changed setting, and shall not be liable for any fine, damage or third-party claim directly resulting from this change by the Controller.

3. Duration of the Processing

This Annex remains applicable for as long as the Processor processes Personal Data in the name and on behalf of the Controller in the context of the Agreement. If the Agreement ends, this Annex also ends. In the event of a breach of this Annex or the applicable provisions of the Regulation, the Controller may instruct the Processor to immediately cease the processing of Personal Data. When the Agreement ends or the Personal Data is no longer relevant for the performance of the Services, the Processor shall anonymise and pseudonymise the Personal Data it has received or obtained as far as possible, solely for internal purposes to further improve the Services it provides.

4. Instructions of the Controller

The Processor shall process Personal Data only on the basis of the Controller’s written instructions and in any case in accordance with the agreed processing activities. The Processor shall not further process the Personal Data in a manner incompatible with those instructions. The Controller may unilaterally make limited changes to the instructions; the Processor shall be consulted before significant changes are made, and both Parties must agree to changes affecting the main provisions of the Annex. If the Processor is required, under Union or Member State law, to carry out different processing, it shall inform the Controller of that legal requirement prior to the processing, unless that legislation prohibits such notification on important grounds of public interest.

5. Assistance to the Controller

The Processor shall assist the Controller in fulfilling its obligations under the Regulation, taking into account the nature of the processing and the information available to it.

In the event of a Personal Data Breach, the Processor shall inform the Controller without undue delay, with at least: the nature of the breach; the categories of Personal Data and the categories and (approximate) number of Data Subjects concerned; the likely consequences; and the measures proposed or taken. If the Processor engages a Sub-processor, it shall impose the same notification obligation on the Sub-processor and shall immediately forward any information received to the Controller. The Processor and its Sub-processor(s) shall designate a single point of contact among their employees for all communication in the event of such an incident. Only the Controller decides whether Data Subjects affected by a Breach are informed thereof, and is responsible for notifying the Supervisory Authority. The Parties shall cooperate in good faith to limit any possible adverse consequences.

The Processor shall also assist with a data protection impact assessment (DPIA, art. 35 GDPR); it may, at its own discretion, charge costs for this that are proportionate to the services rendered.

6. Information Obligations

At any time, at the Controller’s request (allowing the Processor a reasonable period to respond), the Processor shall provide: relevant information about its own corporate structure and the identification details of the entities involved in the processing of Personal Data, including the location of their head office; the aspects of the processing for which it uses or wishes to use a Sub-processor and the identification details thereof (the agreement with the Sub-processor may be stripped of Confidential Information); geographical information on the locations of the processing, including back-up and destruction possibilities; and the physical, organisational, technical and logical Security Measures taken by it and its Sub-processor(s) (article 10).

7. Obligations of the Processor

The Processor shall handle, immediately or within a reasonable period and properly, all reasonable requests from the Controller relating to the processing of Personal Data. It shall ensure that no obligations under applicable law prevent it from complying with this Annex, shall process Personal Data solely for the performance of the Services and in accordance with the written instructions, and shall notify the Controller without delay if it considers an instruction to be in breach of applicable data protection legislation. It shall ensure that access to, inspection, processing and provision of Personal Data only takes place in accordance with the principle of proportionality and the need-to-know principle, and that every employee who has access is bound by confidentiality. Since 25 May 2018, the Processor keeps a register of the processing activities relating to this Annex, and shall make it available upon first request to the Controller, an auditor appointed by it and/or the Supervisory Authority.

8. Obligations of the Controller

The Controller shall provide all necessary assistance to the Processor and cooperate with it in good faith to ensure compliance with the Regulation for every processing of Personal Data. It shall agree appropriate communication channels with the Processor and designate a single point of contact. It warrants that it will only give instructions that comply with the Regulation, and that it will not give instructions that would require the Processor or its Sub-processor(s) to breach mandatory legislation applicable to them. Without prejudice to article 14, it shall provide the necessary assistance to the Processor and/or its Sub-processor(s) to respond to a request, order, investigation or subpoena from a competent national administrative or judicial authority, and shall cooperate in good faith to limit the adverse effects of a security incident.

9. Use of Sub-processors

The Controller acknowledges and agrees that the Processor engages Sub-processors to provide the Services, and hereby gives its general written consent to this Annex. The Processor shall inform the Controller of intended additions or replacements of Significant Sub-processors, with the possibility to object; categories of Sub-processors suffice in this respect in combination with the information set out in articles 6 and 7 — the identity of a Significant Sub-processor shall be provided upon request, unless this would breach a confidentiality or trade secret provision with that Sub-processor, in which case the Processor shall provide written justification. The Processor shall ensure that its (Significant) Sub-processor(s) are bound by the same obligations regarding Personal Data as it is under this Annex, and shall promptly and accurately pass on the Controller’s purposes and instructions to them, insofar as relevant.

10. Security Measures

The Processor shall, during the term of this Annex, implement and maintain appropriate technical and organisational measures so that the processing complies with the Regulation and the rights of the Data Subject are safeguarded, including measures against unauthorised or unlawful processing, and shall regularly assess and, if necessary, adapt the adequacy of such measures. In particular, it shall take appropriate measures to ensure a level of security appropriate to the risk, in accordance with article 32 GDPR, taking into account the processing risks (in particular destruction, loss, alteration, or unauthorised disclosure of, or access to, Personal Data, whether accidental or unlawful). The Controller reserves the right to suspend and/or terminate the Agreement if the Processor can no longer provide a level of security appropriate to the processing risk.

The Processor shall take, among others but not exclusively, the following general physical, logical, technical and organisational security measures: encryption via HTTPS/TLS (mandatory); security headers (CSP, X-Content-Type-Options, HSTS); access control (basic auth for CMS/admin); data minimisation (no unnecessary storage of personal data, IP anonymisation); limited log retention (automatically deleted); and processing in EU data centres.

11. Audit

The Processor acknowledges that any competent Supervisory Authority has the right, during the term of this Annex and during the Processor’s normal office hours, to carry out an audit at any time to assess compliance with the Regulation and this Annex; the Processor shall provide the necessary cooperation. The Processor shall have an independent audit carried out by an auditor every two (2) years; the final result (excluding confidential information) shall be provided to the Controller upon first request, at the Processor’s expense. The Controller is only entitled to request an audit itself for legitimate, written, substantiated and demonstrated reasons (a (strong suspicion of) a personal data breach that has not been reported or remedied, destruction of confidential Personal Data, or a material breach of an obligation of the Processor under this Annex). Upon written request, the Processor shall provide an independent third party, a recognised auditor or an auditor appointed by the Controller or the Supervisory Authority with access to the relevant parts of its administration and to all information and locations relevant thereto (and to those of its agents, subsidiaries and subcontractors); at the Processor’s request, the parties concerned shall enter into a confidentiality agreement. The Controller shall minimise the disruption caused by the audit to the Processor’s day-to-day operations. In the event of a material shortcoming revealed by the audit, the Processor shall remedy it as soon as possible, possibly in accordance with an agreed remediation plan. The Controller shall bear the costs of each audit, unless it appears that the Processor has manifestly failed to comply with the Regulation and/or this Annex — in which case the Processor shall bear the costs.

12. Transfer to Third Parties

The transfer of Personal Data to Third Parties, in any manner whatsoever, is prohibited, unless legally required or with the express consent of the Controller. If a legal obligation applies to such a transfer, the Processor shall notify the Controller thereof prior to the transfer.

13. International Transfer

Personal Data may only be transferred to and/or stored with a recipient outside the European Economic Area (EEA) — in a country not covered by an adequacy decision of the European Commission — if this is necessary to comply with the obligations of this Annex, and only subject to the conditions of an agreement for the transfer of personal data containing standard contractual clauses as published in the European Commission Decision of 4 June 2021 (Decision (EU) 2021/914), or via another mechanism provided for by applicable data protection legislation. The Processor shall notify the Controller, prior to the international transfer, of the specific measures taken to safeguard the protection of the Data Subject’s Personal Data.

14. Conduct with Regard to National Public Authorities and Judicial Authorities

The Processor shall immediately notify the Controller of any request, order, investigation or subpoena addressed to it or its Sub-processor by a competent national administrative or judicial authority that involves the disclosure of Personal Data processed by it or a Sub-processor, or of data/information relating to that processing. Without prejudice to article 4, the Processor warrants that no obligations exist under applicable law that make it impossible for it to comply with its obligations under this Annex.

15. Intellectual Property Rights

Nothing in this Annex constitutes a transfer of Intellectual Property Rights, whether from the Controller to the Processor or vice versa, unless otherwise contractually agreed between the Parties.

16. Confidentiality

The Processor undertakes to treat the Personal Data and its processing as strictly confidential, with measures no less restrictive than those it uses to protect its own confidential material, including Personal Data. It warrants that the employees or Sub-processors authorised to process are bound by confidentiality or subject to an appropriate statutory duty of confidentiality.

17. Liability

The Controller is liable for damage caused by processing that is in breach of the Regulation. Without prejudice to the Agreement, the Processor is only liable for damage caused by processing if it has failed to comply with the obligations of the Regulation specifically addressed to processors, or if it has acted outside or in breach of the lawful instructions of the Controller.

A Party is liable (in contract, in tort — including breach of contract — or in any other manner in connection with this Annex, including liability for gross negligence) for verified shortcomings attributable to it. This liability is limited to foreseeable, direct and personal damage suffered, excluding consequential damage (even if informed of the possibility of such consequential damage or if its likelihood was reasonably foreseeable) — where “consequential damage” means: damage that does not directly and immediately result from breach of contract and/or non-contractual non-performance, but instead indirectly and/or over time, including but not limited to loss of income, interruption or stagnation of business operations, increase in staff costs and/or costs of staff reduction, damage arising from or as a result of third-party claims, failure to achieve expected savings or benefits, loss of data, profit, time or income, loss of orders, loss of clients, increase in overhead costs, and the consequences of a strike, regardless of its cause.

If both the Processor and the Controller are found to be responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and shall pay compensation in proportion to their individual share of responsibility.

The Processor’s total liability under this Annex is in any event limited to the amount equal to the total amount of fees paid by the Controller to the Processor for the provision and performance of the Services during a period of no more than twelve months immediately preceding the event giving rise to the damage. The Processor shall not be held liable if it can prove that it is not responsible for the event or cause giving rise to the damage.

18. Mediation and Jurisdiction

If a Data Subject brings a claim for damages against the Processor under this Annex, the Processor agrees to accept the Data Subject’s decision to submit the dispute to an independent person for mediation, or to the courts in Belgium. This choice by the Data Subject does not affect its substantive or procedural rights of recourse under other applicable national or international legislation. Disputes between the Parties themselves regarding the terms of this Annex shall be brought before the competent courts as set out in article 17.11 of the Agreement.

19. Termination of the Agreement

This Annex remains applicable for as long as the Processor processes Personal Data on behalf of the Controller. In the event of a breach of this Annex or the Regulation, the Controller may instruct the Processor to immediately cease processing. The Processor shall not retain the data for longer than necessary for the performance of the Services for which it was provided. At the Controller’s choice, the Processor shall, after the relevant Services have been performed, delete all Personal Data or return it, remove all existing copies and declare that it has done so — unless retention is required under Union or Member State law. The Personal Data shall be provided to the Controller free of charge, unless otherwise agreed.