Article 1 - About this Processing Agreement
1. This Processor Agreement (“Processor Agreement”) is a legal agreement that forms an inseparable part of, and applies in addition to, the existing Flora Logistics Service Agreement ("Service Agreement"), which has been concluded by and between the Customer as data controller and Flora Logistics, the contracting party of the Customer, as processor in connection with the provision of services, including various data processing services.
2. By signing the Services Agreement, you accept the Processor Agreement, which is incorporated herein by reference.
3. This Processor Agreement consists of:
a. the main text of the Data Processing Agreement;
b. Appendix 1 - Description of Flora Logistics' Security Measures;
Article 2 - Definitions
1. The terms used in this Processing Agreement have the same meaning as the terms used in the Services Agreement, unless expressly stated otherwise. If there are any contradictions or inconsistencies between the Services Agreement and this Processor Agreement, this Processor Agreement shall prevail.
Article 3 - Description of Personal Data
1. When performing the Services, Flora Logistics may have access to information relating to identified or identifiable individuals (“Personal Data”) or otherwise receive or process this information.
2. Depending on how the Customer wishes to use the Services, Flora Logistics may process the following types of Personal Data:
a. First and last name;
b. Contact information (email address, residential address, telephone number);
c. Language;
d. Date of birth;
e. IP address;
f. Geolocation data (with the exception of nationality);
g. Government issued identification numbers (e.g. social security number);
h. Financial information;
i. Bank account information;
3. Flora Logistics may also process other types of Personal Data if the Customer has chosen to collect such Personal Data and submit it to our Services. The Services do not require any other types of Personal Data to function properly. Flora Logistics disclaims all liability for damage or claims in connection with Customer's choice to enter non-mandatory Personal Data into the Services.
4. Personal Data about the following categories of persons are processed:
1. Owners of companies that register for the Services of Flora Logistics.
2. Employees and other persons authorized by Customer who have access to the Services and use these ("End Users").
3. Individuals whose Personal Data is processed using the Services, including customers and suppliers of the Customer.
Article 4 - Purposes of processing
1. Flora Logistics is a provider of a software platform for active buyers and sellers of floriculture products with e-commerce and related activities.
2. Flora Logistics processes Personal Data on behalf of the Customer in order to provide these services to the Customer pursuant to the Services Agreement and any additional purposes ordered by Customer in using the Services.
3. When Flora Logistics acts as a processor of the Personal Data, Flora Logistics may only process Personal Data on behalf of the Customer and only for the purposes set out in this Processor Agreement and the Services Agreement.
Article 5 - Responsibilities regarding data processing
a. Customer is the “controller” of all Personal Data it collects through the Services.
The Customer assures that it is entitled to process and pass on the Personal Data to Flora Logistics so that Flora Logistics may lawfully process the Personal Data on behalf of the Customer, as intended by this Processing Agreement.
b. Flora Logistics acts as the "processor" of the Personal Data collected by the Customer through the use of the Services.
c. Customer acknowledges that Flora Logistics hereby grants written permission:
a. that affiliated companies of Flora Logistics can act as (‘sub-processors’) of Flora Logistics; and
b. that Flora Logistics may engage sub-processors to the extent necessary to perform the Services. The list of Flora Logistics' authorized sub-processors can be found on the website of Flora Logistics (www.floralogistics.nl), and Customer acknowledges that these sub-processors are essential to the provision of the Services. Flora Logistics will inform the Customer if it adds, replaces or changes sub-processors by updating the aforementioned list. The Customer may object to the changes on justified grounds within 30 calendar days after the change and in accordance with the principles of good faith, reasonableness and fairness. Customer acknowledges that if the Customer objects to the use of a sub-processor by Flora Logistics, Flora Logistics will not be obliged to provide the Customer with the Services for which Flora Logistics uses that sub-processor.
Article 6 - Data processing
1. Flora Logistics ensures that all processing is done fairly, lawfully and in accordance with the obligations of this Processor Agreement as well as with applicable GDPR legislation. In particular:
1. Instructions from the controller
Flora Logistics processes Personal Data only on the basis of the documented instructions of the Customer; if Flora Logistics is obliged to process additional Personal Data in accordance with an applicable law or applicable regulation, Flora Logistics shall release the Customer from any such legal obligation prior to such processing, unless applicable law or regulation forbids it to do so;
2. Provide appropriate protection
Flora Logistics ensures appropriate protection of Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, especially if the processing involves Personal Data being transmitted through a network, and against all other unlawful forms of processing;
3. Security Guarantees
Flora Logistics complies with the security standard shown in Annex 1, whereby the state of the art, implementation costs and the nature, scope, context and purposes of processing are taken into account;
4. Information Sharing
Flora Logistics does not share Personal Data with a third party or unauthorized persons, unless the Customer has given prior written consent to such communication and subject to the conditions laid down in Article 6 of this Processor Agreement;
5. Confidentiality
Flora Logistics keeps Personal Data in strict confidentiality and requires of its employees and all other persons under its control who will have access to Personal Data or will otherwise process Personal Data, that they adhere to the same degree of confidentiality in accordance with the requirements of this Data Processing Agreement (including during the term of their employment or hiring and thereafter);
6. Data Subject Requests
Flora Logistics takes appropriate measures to support the Customer in meeting its obligations as controller when responding to requests from individual data subjects to exercise their rights under applicable data protection law. In addition, Flora Logistics will inform the Customer without undue delay if it receives a request from an individual regarding Personal Data, including but not limited to requests for access to the information, requests to rectify the information, and requests to block, erase or transfer Personal Data, and will not respond to such requests unless expressly authorized by Customer or unless it is obliged to do so under an applicable data protection law or a law of the European Union or a Member State that applies to Flora Logistics. In addition, Flora Logistics ensures that it implements technical and organizational measures to support the Customer in complying with its obligation to respond to such requests from an individual in relation to processed Personal Data. Flora Logistics will timely and properly handle requests for information and questions from the Customer in connection with the processing of Personal Data under this Data Processing Agreement and provide other reasonable assistance and support;
7. Customer Compliance Support
Flora Logistics will support the Customer in ensuring compliance with the obligations with regard to security measures and conducting data protection impact assessments, if required pursuant to Articles 32-36 of the General Data Protection Regulation (GDPR). Flora Logistics will assist the Customer and provide support in the event of an investigation by a data protection authority or similar authority, insofar as that investigation relates to the processing of Personal Data pursuant to this Processor Agreement. Flora Logistics will inform the Customer without delay if, in Flora Logistics' opinion, an instruction given by the Customer violates any applicable laws and regulations, including data protection laws, or if a change in applicable laws and regulations is likely to have a significant negative effect on Flora Logistics' ability to meet its obligations under this Data Processing Agreement; Flora Logistics will be entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Customer. Flora Logistics can refuse to carry out an instruction that is clearly unlawful;
8. Requests for Disclosure
To the extent permitted by applicable law, Flora Logistics will notify the Customer of any request that Flora Logistics receives from a government agency for Personal Data processed in the context of the Service Agreement or to participate in an investigation involving that Personal Data. Flora Logistics will make reasonable efforts to limit the extent of such request and will only provide the Personal Data specifically requested;
9. Data Breach
Flora Logistics will inform the Customer immediately (and in any case within forty-eight (48) hours after receipt) of facts known to Flora Logistics about an actual, unintentional or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data by a current or former employee, contractor or agent of Flora Logistics or by any other person or third party; Flora Logistics will fully cooperate with the Customer in the event of accidental or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data due to a current or former employee, contractor or agent of Flora Logistics or by any other person or third party, in order to limit unauthorized disclosure or use of the Personal Data, and will support the Customer in reporting to the competent regulators and the persons concerned if requested by the Customer;
Article 7 - Further data processing
1. Flora Logistics may only outsource the performance of part of the Services to third parties as sub-processors (including affiliates of Flora Logistics outside the EEA, Switzerland and the UK) if Flora Logistics first ensures that these sub-processors are bound in writing to the same obligations, and that the Customer is granted the same rights with respect to these sub-processors, as included in this Processor Agreement.
Article 8 - Storage and removal
1. Flora Logistics processes Personal Data for as long as is reasonably necessary to provide the Services. The retention period may be longer if Flora Logistics is required by applicable law, or to manage its business, to keep Personal Data longer.
2. At the request of the Customer, Flora Logistics will immediately cease to process Personal Data and will immediately return or delete such Personal Data, in accordance with instructions that may be given by the Customer at that time, unless Flora Logistics is obliged to store the Personal Data on the basis of applicable law or regulation applicable to it or unless expressly agreed otherwise with the Customer. The obligations referred to in this article shall remain in force notwithstanding the termination of this Processing Agreement.
Article 9 - Audit and Compliance
1. Flora Logistics will make available to the Customer all information necessary to demonstrate its compliance with the obligations regarding the processing of Personal Data that apply to Flora Logistics in its role as data processor.
2. Flora Logistics will make the processing systems, facilities and supporting documentation with regard to the processing of Personal Data available for an audit by the Customer or a qualified, independent reviewer selected by the Customer, and it will provide all support that the Customer may reasonably require before the audit, but not more than once in a 12-month period. If the audit shows that Flora Logistics has breached an obligation under the Data Processing Agreement, Flora Logistics will remedy this breach immediately;
3. In case of inspections or audits by a competent government authority regarding the processing of Personal Data, Flora Logistics will make its relevant processing systems, facilities and supporting documentation available to the relevant competent government authority for an inspection or audit if necessary to comply with applicable laws. In the event of an inspection or audit, each party shall provide all reasonable assistance to the other party in responding to that inspection or audit. If a competent government authority considers that the processing of Personal Data under this Data Processing Agreement is unlawful, the parties will take immediate action to ensure future compliance with applicable data protection laws. Instead of on-site inspections and checks, Flora Logistics can refer the Customer to an equivalent check by independent third parties (such as neutral data protection auditors), compliance with approved rules of conduct (Art. 40 GDPR) or appropriate data protection or ICT security certifications pursuant to Art. 42 GDPR. This applies in particular if trade secrets of Flora Logistics or Personal Data of third parties would be endangered by the checks;
4. Unless Flora Logistics is prohibited by law from making such a statement, Flora Logistics will inform the Customer immediately if:
a. it receives a request for information, a subpoena or a request for an inspection or audit from a competent public authority with regard to the processing of Personal Data to which this Processing Agreement applies, insofar as it concerns the data of the Customer; or
b. it intends to disclose Personal Data to a competent government authority.
5. Flora Logistics will ensure that any employee, agent, independent contractor or any other person who is involved in the provision of the Services and who has access to Personal Data of Customer, complies with all laws and regulations on data protection and privacy (including any legislative and/or regulatory changes or successors thereto) that apply to Flora Logistics.
Article 10 - Data transfers
1. The Customer authorizes Flora Logistics to order processing in a third country, including by sub-processors, if the specific requirements of Articles 44-49 GDPR are met. Customer is deemed to have granted explicit permission for processing in a third country in relation to the processing activities performed by Flora Logistics and its sub-processors, as stated here: www.floralogistics.nl/privacy/processors.
Article 11 - Questions about data protection
1. Customer can contact Flora Logistics at any time via info@floralogistics.nl with all its questions and suggestions regarding data protection.
Article 12 - General provisions
1. No right of retention
The parties agree that the Customer has no right of retention with regard to the data to be processed and the related storage media.
2. Changes
All amendments or additions to this Processor Agreement must be made in writing. The same applies to any waiver of any right or obligation under this Data Processing Agreement. The ranking of individual contractual agreements will not be affected thereby. Flora Logistics reserves the right to change this Processing Agreement at any time with effect for the future. Changes will only be applied if there are the following objective reasons:
a. if the amendment helps to bring the Data Processing Agreement into line with applicable law, in particular if the applicable legal situation changes;
b. if the change enables Flora Logistics to comply with mandatory judicial or administrative decisions;
c. if the change reflects details of a new or updated Flora Logistics Service or of new or updated technical or organizational processes and does not affect the existing contractual relationship with the Customer to the detriment of the Customer;
d. if the change is solely for the benefit of the Customer.
3. Severability
If any provision of this Agreement is or becomes invalid or practically unenforceable, in whole or in part, it shall not affect the validity of the remaining provisions.
4. Term
This Data Processing Agreement enters into force on the Effective Date and ends on the date on which the Services Agreement has expired or is terminated.
Attachment 1
Security measures of Flora Logistics
Flora Logistics has taken appropriate and sufficient technical and organizational measures to secure the Personal Data and to prevent a breach leading to the accidental or unlawful loss, destruction, alteration or unauthorized disclosure of or unauthorized access to Personal Data, in particular where the processing involves a transmission of Personal Data over a network, as well as against all other unlawful forms of data processing. Flora Logistics has a permanent information security organization that is managed by the Flora Logistics security team and directed by the Chief Technology Officer. Flora Logistics has established and maintains policies and procedures, including standards for logical access to the production environments of Flora Logistics. The policies also identify functional responsibilities for managing logical access and security. The policies related to information security are reviewed and approved annually by security management and are used to monitor Flora Logistics' fulfillment of the service promises we make to the Customer.
The following description provides an overview of the technical and organizational security measures that have been put in place. These measures include, but are not limited to, those listed below. For more detailed information about the most advanced measures, please contact us directly.
Data protection
Flora Logistics processes Personal Data as a data processor solely for the purpose of providing the Services in accordance with documented instructions from the Customer (provided that these instructions are proportionate to the functionalities of the Services) and as may be agreed with the Customer. Flora Logistics implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, modification or disclosure. Flora Logistics ensures that the employees who have access to Personal Data are bound by confidentiality obligations that limit their ability to disclose the Personal Data. Flora Logistics applies the concepts of 'least privilege' (minimum authorization) and 'need to know', whereby it only allows the access that users need to perform their tasks. User accounts are created with minimal access rights. Access to information requiring more than minimal authorization requires appropriate and separate approval. Flora Logistics applies Multi-Factor Authentication to all critical applications and infrastructure.
1. In transit:
Flora Logistics makes HTTPS encryption available on all login interfaces and on every hosted Customer website on the Products of Flora Logistics. Flora Logistics' HTTPS implementation uses standard algorithms and security certificates.
2. At Rest:
Flora Logistics stores user passwords according to industry standard security practices. Flora Logistics applies encryption at rest to other sensitive fields specifically identified by Flora Logistics.
Prevention of unauthorized access to products
1. Processing by third parties:
Flora Logistics hosts its services on external hosting infrastructure in the form of data centers and Infrastructure-as-a-Service (IaaS). In addition, Flora Logistics maintains contractual relationships with suppliers to deliver the service in accordance with our data processing agreement. Flora Logistics relies on contractual agreements, privacy policies and vendor compliance programs to protect data processed or stored by these vendors.
2. Physical and Environmental Security:
Flora Logistics hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of our infrastructure providers are checked for, among other things, SOC 2 Type II, ISO 27001 and PCI DSS compliance.
3. Authentication:
Flora Logistics has implemented a uniform password policy for its products. All users using any interface with the products must authenticate before accessing non-public customer data.
4. Authorization:
Customer data is stored in multi-tenant storage systems that are accessible to customers only via user interfaces and the API. Customers do not have direct access to the underlying application infrastructure. The authorization model in every Flora Logistics product is designed to ensure that only the designated individuals have access to relevant features, views, and customization options. Authorization for datasets is performed by validating the user's permissions against the attributes linked to each dataset.
Prevention of unauthorized use of the product
1. Access Controls:
Network access controls are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The implemented technical measures vary by infrastructure provider and include Virtual Private Cloud (VPC) deployments, allocation of security groups and traditional firewall rules.
2. Intruder Detection and Prevention:
Flora Logistics has implemented a WAF (Web Application Firewall) solution to protect certain hosted Products and protect other internet-accessible applications identified by Flora Logistics. The WAF is designed to identify and prevent attacks against publicly available services.
3. Vulnerability Scanning:
Flora Logistics regularly scans its code, infrastructure and web services for known vulnerabilities and resolves them in a timely manner. Flora Logistics subscribes to news feeds for applicable supplier errors and actively monitors the websites of suppliers and other relevant channels for new patches.
Privilege limitations and authorization requirements
1. Product access:
Some of Flora Logistics' employees have access to customer data in the products and services via controlled interfaces. Granting access to a group of employees is intended to provide effective support, troubleshoot potential issues, detect and respond to security incidents, and implement data security. Employees may be granted access by virtue of their position or by submitting an approved request. Login sessions to data storage or processing systems are logged.
2. Database access:
Customer data is only accessible to authorized employees. Direct database access is limited and access rights are established and adhered to.
Incident Management Control
1. Detection:
Flora Logistics has designed its infrastructure to provide extensive information about the system, received data traffic, system verification and other requests. Internal systems collect data and alert the authorized employees about malicious, accidental or abnormal activity. Flora Logistics staff, including the security team and support, will respond to known incidents.
2. Response and Tracking:
Flora Logistics maintains a register of known security incidents with descriptions, dates and times of relevant activities and incidents. Suspected and confirmed security incidents are investigated by security, operations or support, and appropriate steps are identified and documented. For all confirmed incidents, Flora Logistics takes appropriate measures to minimize damage to products and customers or unauthorized disclosure.
3. Communication:
If Flora Logistics becomes aware of unauthorized access to customer data stored in its products, Flora Logistics will, if and insofar as it deems this necessary or is obliged to do so: inform the relevant Customers about the incident; share a description of the steps Flora Logistics is taking to resolve the incident; and share status updates with these Customers. Notification of any incidents will be delivered to one or more Customer contacts in a form selected by Flora Logistics, possibly via e-mail or telephone.