1. Introduction
This processor agreement applies to the processing of personal data by Babbels, a trade name of Klout BV. It supplements the main agreement between the customer and Klout BV and is intended to set out the rights and obligations with regard to the processing of personal data, as required under the General Data Protection Regulation (GDPR).
2. Definitions
In this processing agreement, the following terms have the meanings defined below:
- Babbels: The name under which Klout BV, established in Middelburg and registered with the Chamber of Commerce under number 87452782, offers its WhatsApp integration services within Microsoft Teams. Babbels is a trade name of Klout BV.
- Klout: Klout develops customized solutions focused on the Microsoft 365 platform.
- User: Any natural person or legal entity that uses the Babbels service. This includes both the customer (the legal entity purchasing the Service) and the employees or other persons designated by the Customer who access and use the Service on behalf of the Customer.
- Customer: The legal entity that has entered into an agreement with Babbels to use the service. This agreement is only entered into with the customer and not with individual users within the customer's organization. The customer is responsible for the management and compliance with the terms of use by all users within its organization and ensures the correct use of the service by these users. The customer remains liable at all times for the use of the service by the users within its organization.
3. Purposes of processing
3.1 Klout BV processes personal data exclusively for the performance of its services, as described in the main agreement. The processing of personal data by Babbels takes place in accordance with the instructions of the user and exclusively for the provision of the WhatsApp integration in Microsoft Teams.
3.2 The data is processed in accordance with the GDPR, whereby the user determines for what purposes and in what manner the personal data is processed.
3.3 If the database is hosted by the customer itself, Babbels will not process personal data. In this case, the customer acts as the sole controller for data storage and processing, and no personal data is stored or managed by Babbels.
4. Obligations of Babbels
4.1 Babbels keeps track of all processing activities that it carries out on behalf of the user. This overview is regularly updated and checked. Babbels also takes specific technical and organizational measures to ensure the security of personal data, such as:
- Encryption: Data storage is encrypted using AES-256.
- Access control: Multi-factor authentication (MFA) is used for access to systems.
- Risk assessments: Babbels performs periodic penetration tests and risk assessments.
4.2 Babbels only processes personal data that are necessary for the provision of the services. Personal data are not stored longer than necessary, unless otherwise required by law.
4.3 Our data is fully secured using HTTPS for encrypted communication between client and server. Each request is protected using secure JWT (JSON Web Token) authentication and authorization (via Microsoft Graph API) so that only authorized users have access. Data is secured during transmission and storage according to strict protocols.
5. Sub-processors
5.1 Babbels may engage sub-processors for the performance of the processing activities. Babbels will provide the user with a list of sub-processors upon request. The user has the right to object to new sub-processors before they are engaged. Babbels will inform the user in a timely manner of any changes regarding sub-processors, so that the user can respond to this.
5.2 Babbels will ensure that all sub-processors that are engaged comply with the same data protection obligations as included in this agreement. If a new sub-processor is engaged, Babbels will also ensure that the user is informed and has the opportunity to object.
5.3 Sub-processors and security overview
| Sub-processor | Used service | Type of data | Data transfer | Data storage |
| --- | --- | --- | --- | --- |
| Microsoft | Cloud and data center services (Azure) | Microsoft tenant ID, email address, user ID, first name, last name, job title, departments, groups | Encrypted transfer via HTTPS | Storage in data centers with AES-256 encryption, use of multi-factor authentication (MFA) |
| Meta | WhatsApp API Integration | Sender's name and phone number, text messages, audio messages, WhatsApp phone number, general company information (name, address, Chamber of Commerce number, VAT number) | Data transfer via API to Microsoft tenant, no storage at Meta | No storage, all data is forwarded to Microsoft via API. Images and attachments are only stored on Meta servers for 30 days and then deleted. |
| Atlassian | Ticketing and Incident Management System (Jira) | Change, incident and improvement data, user information (name, email) | Encrypted transfer via HTTPS | Storage in secure cloud environments according to GDPR standards |
6. Rights of data subjects
6.1 Babbels will support the user in fulfilling requests from data subjects, such as access, correction, deletion or restriction of their personal data. This includes helping to verify the identity of the data subject and providing the requested information in a timely manner. If the user is unable to process these requests themselves via the functionalities of the service, Babbels will take the necessary steps to handle the requests from data subjects within the legally set time limits, in accordance with the GDPR.
7. Incidents and data breaches
7.1 In the event of a data breach, Babbels will notify the user without undue delay and ideally as soon as possible after discovery, including details of the nature of the breach, the data affected and the measures taken to prevent further damage. Notifications to the user will in any case take place within 72 hours after discovery of the data breach. Babbels will indemnify the user against any fines resulting from a breach of GDPR legislation and actively supports the performance of a risk analysis. The incident management step-by-step plan includes direct notification to the data subjects, a risk analysis and measures to prevent recurrence. Specific parties involved in notifications include internal security teams and legal representatives.
7.2 Babbels will work with the user to ensure that notifications to supervisory authorities and data subjects are carried out in a timely manner as required under the GDPR. This will be done using a structured incident management roadmap aimed at limiting further risks and preventing future incidents.
8. Termination of processing
8.1 After termination of the main agreement between the user and Babbels, Babbels will delete or return all personal data it processes on behalf of the user to the user and provide the user with confirmation of the deletion, unless there is a legal obligation to retain the data. This data deletion will be done in consultation with the user, with room for additional instructions from the user on how the data should be deleted. All data will be deleted or returned within a period of 30 days after termination of the agreement. Babbels will document the deletion of personal data and inform the user of this in writing.
9. Supervision and audits
9.1 The user has the right, in consultation with Babbels, to perform audits or have them performed by an independent third party to determine compliance with this processing agreement. Babbels will provide all reasonable cooperation to enable audits, provided that the user performs these audits annually and informs Babbels in writing in advance. In addition, the user may perform unforeseen audits if specific circumstances arise that give rise to this, with a minimum prior notice period of 7 days to Babbels.
The costs for conducting these audits, including the costs for an independent third party, will be borne entirely by the user, unless otherwise agreed in writing with Babbels.
9.2 The audits can be performed annually. The user has the right to draw up a recovery plan in case of shortcomings, and Babbels is obliged to remedy the shortcomings found within an agreed period.
10. Liability
10.1 Babbels is liable for damages resulting from non-compliance with this processing agreement, unless Babbels can demonstrate that the damage is not attributable to it. Babbels' total liability with regard to direct damages is limited to the amount paid out by the insurer, without further limitation in the event of violation of laws and regulations such as the GDPR. Babbels ensures that it is adequately insured for the term of the agreement and will, at the user's request, provide proof of insurance coverage.
10.2 Babbels is not liable for indirect damage, consequential damage, loss of profit, missed savings, or damage resulting from business stagnation. This exclusion of liability does not apply in the event of intent or gross negligence on the part of Babbels or its managers. In addition, Babbels will make every effort to indemnify the user against claims from third parties resulting from violations of the GDPR, insofar as these violations are attributable to Babbels.
11. Applicable law
11.1 This processor agreement is governed by Dutch law. Any disputes will be submitted to the competent court in the Netherlands.
12. Contact
If you have any questions about this processing agreement, please contact Klout BV via info@klout.nl. You can also reach us on telephone number +31 85 0 084 084 for direct support.