In addition to the business continuity and contingency plans, data back-up procedures, virus/hacker avoidance measures we employ, Babelway anually reviews and assesses our security policy, which encompasses the following:
Certifications
Secure Cloud Services
Security Management
This Privacy Policy was written in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”).
This Policy applies to Tradeshift Belgium SA or any of its Tradeshift Belgium subsidiaries wherever located (collectively referred to as “Tradeshift Belgium”) when Tradeshift Belgium processes Personal Data as a Controller as defined in the GDPR.
This Policy relates to Personal Data of all Data Subjects, including non-EU citizens.
Tradeshift Belgium shall pay particular attention to the protection of the privacy of the Data Subjects and therefore undertakes to take all reasonable precautions required to protect Personal Data collected against the loss, theft, disclosure or breach of privacy or any unauthorized use.
Tradeshift Belgium collects and processes Personal Data from Data Subjects for the following purposes:
• Registration and subsequent authorized access to the Babelway service;
• Billing and payment management;
• Providing user and customer support;
• Data backup to meet service availability guarantees;
• User experience analysis and improvement;
• Auditing data access;
• Convert prospective users;
Tradeshift Belgium may also collect and process Personal Data that are not yet foreseen in this Policy. In such a case, Tradeshift Belgium will inform Data Subjects that their Personal Data is processed for another purpose.
This Policy relates to Personal Data collected from Data Subjects via any means, including cookies, online registration, email and offline communication methods.
Personal Data collected by Tradeshift Belgium is defined as personally identifiable data such as:
• Electronical identification data (IP addresses, cookies, …) ;
• Personal identification data (name, email address, …) ;
• Personal identification data issued by public services (identity card number, national register number, …) ;
• Professional data (company name, head office, VAT number, professional telephone number, professional email address,…);
• Data related to logs and users web sessions;
• Any other data that Data Subjects voluntarily communicate to Babelway, for example during information inquiries and / or registrations on the platform.
Tradeshift Belgium shall keep Personal Data only for the reasonable and necessary time with regard to the purposes and in accordance with the legal and regulatory requirements. Tradeshift Belgium retains Personal Data for a maximum of three years after termination of the relationship that required the collection of Personal Data. At the end of the retention period, Tradeshift Belgium makes every effort to ensure Personal Data has been made unavailable and inaccessible.
Tradeshift Belgium always uses the encryption technologies that are recognized as industry standards within the IT sector to secure Personal Data.
Data Subjects may obtain a free copy (including in an electronic format) of their Personal Data and, if necessary, ask Tradeshift Belgium to rectify, complete or delete data that are inaccurate, incomplete or irrelevant.
Tradeshift Belgium may require the payment of reasonable fees based on administrative costs for any additional copies requested by the Data Subjects. When submitting this application electronically, the information shall be provided in an electronic form in common use, unless the Data Subject requests otherwise. The copy of the data will be communicated to the Data Subject at the latest within one month after receipt of the request.
The Data Subject has the right to restrict the processing in case :
• The accuracy of Personal Data is contested by the Data Subject until Tradeshift Belgium has verified this accuracy ;
• The processing is unlawful and the Data Subject refuses the erasure of his/her Personal Data and requests the restriction of their use instead ;
• And the other unlikely cases foreseen in the GDPR.
Tradeshift Belgium shall inform the Data Subject when the restriction ended.
Data Subjects may ask Tradeshift Belgium to directly transmit their own Personal Data to another Controller in a structured and commonly used format.
Data Subjects have the right to obtain the erasure, at no cost, of their Personal Data without undue delay in the following case:
• Personal Data are no longer necessary in relation to the purposes for which they were collected;
• Personal Data have been unlawfully processed;
• The Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
• Personal Data have to be erased for compliance with a legal obligation.
When required by the purpose, Tradeshift Belgium may transfer Data Subjects’ Personal Data to third parties, including in countries outside the EU. In such case, this transfer is performed under Tradeshift Belgium’s control and responsibility and to the extent it is necessary for the performance of their duties.
When required by law, a court order or an order from a public authority, Tradeshift Belgium may be obliged to disclose Personal Data.
If Data Subjects wish to exercise any of the rights described above, they must send their written request to Tradeshift Belgium with proof of identity (ID card copy) to the Tradeshift Belgium contact address below. Data Subjects will receive an answer as soon as possible, and no later than one month.
If the application has been rejected, Tradeshift Belgium shall explain the rejection decision.
If the request is refused, Civil Courts shall be competent regarding any request relating to the right to obtain communication, rectification, deletion or limitation of Personal Data.
In addition to the security information provided in the contract concerning all the data received or collected, Tradeshift Belgium shall implement the appropriate technical and organizational measures to ensure an appropriate level of security in regard to Babelway’s risk.
Those security measures were implemented taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purpose of the processing as well as the risks to the rights and freedoms of the Data Subjects.
Tradeshift Belgium implemented appropriate security measures to protect Personal Data against loss, theft, alteration, disclosure or unauthorized use.
Data Subjects who wish to react to one of the practices described in this Policy may always contact Tradeshift Belgium at Tradeshift Belgium contact address below.
Data Subjects may also file a complaint with the Belgian Commission for the Protection of Privacy at the contact address below:
Data Subjects may also file a complaint with the Civil Brussels Court.
For further information on complaints and possible remedies, Data Subjects are invited to consult the information available on the website of the Belgian Commission for the Protection of Privacy: https://www.privacycommission.be/en
Babelway:
By email: info@babelway.com
By mail: Chemin du Cyclotron, 6 1348 Louvain-la-Neuve.
Commission for the Protection of Privacy
Rue de la Presse, 35
1000 Brussels
Phone : + 32 2 274 48 00
Fax :+ 32 2 274 48 35
commission@privacycommission.be
Tradeshift Belgium may change, modify, adapt provisions of this Policy at any time. The changes shall be applicable at the publication time. Therefore, Tradeshift Belgium advises Users and Data Subjects to consult the most recent version of this Policy.
This Policy is governed by Belgian law.
French-speaking courts of the judicial district of Brussels shall have the exclusive jurisdiction regarding any dispute relating to the interpretation or execution of this Policy.
This Data Processing Attachment (“DPA”) applies to Tradeshift Belgium’s Processing of Personal Data in Tradeshift Belgium’s capacity as a Processor for the Customer under the Agreement and this version of the DPA is incorporated into and subject to the terms of the Agreement. Where Babelway is a Controller, Tradeshift Belgium will comply with its own privacy policy in the handling of any applicable Personal Data. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and any other attachments thereto and the terms of this DPA, the relevant terms of this DPA shall take precedence.
“Agreement” means the existing contract between Tradeshift Belgium and Customer.
“Controller” and “Processor” have the meaning set out in the Data Protection Regulations.
“Customer” means the entity on whose behalf the Agreement is executed.
“Data Subject” means an identified or identifiable living natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“ Tradeshift Belgium’s Affiliates” means the subsidiaries, parent or Tradeshift Belgium group entities that may assist in the performance of the Data Exchange Services.
“Data Protection Regulations” means the General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 and applicable laws by EU member states which either supplement or are necessary to implement the GDPR.
“Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2021/914/EU of 4 June 2021 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.
“Personal Data” means any information that relates to a Data Subject that Customer, its Users or its Trading Partners provide to Tradeshift Belgium to Process under the Agreement.
“Process” or “Processing” means any operation or set of operations, whether or not by automated means, which is performed upon Personal Data that is stored on computers, servers, or mobile devices owned or maintained by Tradeshift Belgium, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination of otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the Tradeshift Belgium entity listed in the Agreement.
“Processor List” means the list of Tradeshift Belgium’s Affiliates and/or Third Party Processors who may assist Tradeshift Belgium with some or all of the Processing of Personal Data of the Customer.
“Services” means the Software-as-a-Service data exchange application and services to be provided by Tradeshift Belgium pursuant to this Agreement.
“Third Party Processor” means a third party subcontractor, other than a Tradeshift Belgium’s Affiliate, engaged by Tradeshift Belgium, which, as a part of the subcontractor’s role in providing services under the Agreement, will Process Personal Data of the Customer.
“Trading Partner” means any entity or organization that the Customer exchanges data with using Babelway.
“Users” means individual users who are authorized by Customer to use the Services and who have been supplied Account access by Customer.
Customer shall remain the Controller of the Personal Data for the purposes of the Agreement, including this DPA. Customer is responsible for compliance with its obligations as a Controller under the Data Protection Regulations and, in particular, for the basis of any transmission of Personal Data to Tradeshift Belgium (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the Processing and use of Personal Data. Customer acknowledges its responsibility in configuring the Services via the Babelway Self-Service Platform and selecting appropriate options to secure Personal Data, in choosing transfer protocols or retention periods for example. Customer will not provide Tradeshift Belgium with access to any special categories of Personal Data, as defined under the Data Protection Regulations, or any health, payment card, or similar information that imposes specific data security obligations for the processing of such Personal Data unless permitted in the Agreement.
Tradeshift Belgium is a Processor of the Personal Data for the purposes of the Agreement. Tradeshift Belgium will Process Personal Data as necessary and as instructed for the purposes of the Agreement in accordance with this DPA and will not disclose Personal Data to third parties other than to Tradeshift Belgium’s Affiliates or Third Party Processors for the aforementioned purposes or as required by law.
Customer authorizes and requests that Tradeshift Belgium Process the necessary types of Personal Data required to fulfill the Agreement. Personal Data may be included in the following types of data:
a) Files or data flows, in any format, submitted by Customers, its Users or its Trading Partners for transfers and/or archiving with Babelway;
b) Lookup table data populated automatically from data flows or manually by Users and stored within Babelway;
c) Any data provided by Users or generated as part of the service which are necessary to provide the service;
Customer authorizes Tradeshift Belgium to Process Personal Data for the following purposes only:
a) providing the requested Services under the Agreement;
b) providing support and assistance to Users and complying with Customer’s written instructions;
c) handling or preparing for disputes or litigation;
d) to comply with Tradeshift Belgium’s legal or regulatory obligations;
e) for no other reason unless provided for under the Data Protection Regulations.
To the extent Tradeshift Belgium receives additional instructions for the Processing of Personal Data, Tradeshift Belgium will comply with such instructions to the extent necessary for: (i) Tradeshift Belgium to comply with its Processor obligations under the Data Protection Regulations; and (ii) to assist Customer in complying with its Controller obligations under the Data Protection Regulations in relation to the Agreement. Without prejudice to Tradeshift Belgium’s obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Tradeshift Belgium to comply with Customer’s instructions with regard to the Processing of Personal Data that require the use of resources different from, or in addition to, those required for the provision of the product or services under the Agreement.
Customer will ensure that its instructions to Tradeshift Belgium for the Processing of Personal Data will, at all times, be lawful and in compliance with the Data Protection Regulations. Tradeshift Belgium will notify Customer if it reasonably believes any instruction or request from the Customer will require Tradeshift Belgium to take any action that Tradeshift Belgium reasonably believes will not be in compliance with the GDPR. Tradeshift Belgium shall have no other obligation to act beyond sending such notice to the Customer and is not responsible for performing legal research or providing legal advice.
Tradeshift Belgium will use reasonable efforts to accommodate Customer’s detailed written instructions to access, delete, release, correct or block access to Personal Data provided that at no time shall Tradeshift Belgium have any obligation to alter any records that are maintained as system of record of past transactions, to make any change to any records maintained in a system that are inconsistent with the purpose for which the Personal Data was originally provided to Babelway for Processing, or to alter any record that Babelway is required to keep by any law or for any regulatory purposes. If Customer requires Tradeshift Belgium to develop or implement any additional or specific means or methods related to the access, deletion, release, correction, or blocking of access to Personal Data on behalf of Customer, Customer and Tradeshift Belgium will mutually agree on the scope of the work that Tradeshift Belgium may be willing to undertake and the reasonable fees for such work.
Tradeshift Belgium will pass on to the Customer any requests of an individual Data Subject to access, delete, release, correct or block Personal Data Processed under the Agreement. Tradeshift Belgium will not be responsible for responding directly to the Data Subject’s request, unless otherwise required by law. Tradeshift Belgium shall provide the Customer with assistance in responding to such requests in accordance with Section 5.
Any transfers of Personal Data of Data Subjects received by Tradeshift Belgium from Customer in the EU to Babelway, Tradeshift Belgium’s Affiliates or Third Party Processors which are outside of the EU are subject to the terms of the Model Clauses and the terms of this DPA shall be read in conjunction with the Model Clauses; provided, however, that the Model Clauses shall not apply where the transfers of Personal Data are to any country or territory which is, at the time, subject to a current finding of adequacy by the European Commission as set out at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html (as amended from time to time).
Some or all of Tradeshift Belgium obligations under the Agreement may be performed by Tradeshift Belgium’s Affiliates and/or Third Party Subprocessors. Babelway maintains a Processor List, which lists all Tradeshift Belgium’s Affiliates and Third Party Subprocessors that may Process Personal Data on behalf of Tradeshift Belgium. Tradeshift Belgium will provide a copy of the Processor List to Customer upon request.
The Tradeshift Belgium’s Affiliates and Third Party Subprocessors are required to abide by substantially the same obligations as Tradeshift Belgium under this DPA as applicable to the Processing of the Customer’s Personal Data and, in any event, in a manner that is compliant with the Data Protection Regulations.
Tradeshift Belgium remains responsible at all times for compliance with the terms of this DPA by Tradeshift Belgium’s Affiliates and Third Party Subprocessors. Customer consents to Tradeshift Belgium use of Tradeshift Belgium’s Affiliates and Third Party Subprocessors in the performance of the Data Exchange Services in accordance with this DPA.
If additional Tradeshift Belgium’s Affiliates or Third Party Subprocessors are required to process Customer’s Personal Data in connection with Babelway’s performance under an Agreement, Customer will be notified in advance of changes to the Processor List. The Customer may refuse to consent to the involvement of a Tradeshift Belgium’s Affiliate or a Third Party Subprocessor under this DPA by sending written notice to Babelway of their refusal within ten (10) business days of receipt of notice and providing reasonable and justified, objective grounds relating to such Babelway’s Affiliate or Third Party Processor’s ability to adequately protect Personal Data in accordance with this DPA. In the event that the Customer’s objection is justified, Babelway and Customer will work together in good faith to find a mutually acceptable resolution to address Customer’s objection(s). If Babelway and Customer are unable to reach a mutually acceptable solution within a reasonable timeframe, Customer may immediately terminate the Agreement without obligation, if any is provided under the Agreement, for the payment of any further Fees that otherwise may be due as result of early termination of the Agreement.
Tradeshift Belgium shall implement appropriate physical, administrative, organizational, technical, and personal security measures based on the type and nature of the Personal Data being processed and the level of risk associated with it. Tradeshift Belgium shall retain all Personal Data, including Personal Data that is contained on back-up media, in a logically secure environment that protects it from unauthorized access, modification, theft, misuse and destruction. Tradeshift Belgium shall ensure that platforms hosting the Personal Data are configured to conform to industry standard security requirements and that hardened platforms are monitored for unauthorized change. Tradeshift Belgium’s security policy shall not allow electronic files containing Personal Data to be stored on personal desktops, laptops, or removable data storage devices, unless the device is password protected and the Personal Data is encrypted using industry standard encryption technology. Tradeshift Belgium shall ensure that all employees with access to Personal Data are subject to a duty of confidence and/or written confidentiality agreement.
For the purposes of this section, “Security Breach” means the misappropriation or unauthorized Processing of Personal Data located on Babelway’s systems, including by a Tradeshift Belgium employee, that compromises the security, confidentiality or integrity of such Personal Data. Unless prohibited by applicable law, upon becoming aware of the Security Breach, Tradeshift Belgium will: (i) within forty eight (48) hours, or sooner as required by applicable law, provide to Customer a notification of the occurrence of the Security Breach; (ii) within five (5) business days, provide to Customer a summary report of the Security Breach containing details of the Security Breach, its impact on the services under the Agreement and the Personal Data and the initial steps taken by Tradeshift Belgium to address the Security Breach; and (iii) within fifteen (15) business days, provide to Customer a detailed incident report analyzing the Security Breach and a rectification plan which sets out what steps, if any are appropriate, will be taken to stop and further prevent the Security Breach occurring in the future.
In investigating any Security Breach, Tradeshift Belgium will work to provide to Customer a root cause analysis in order to prevent a recurrence. In addition, unless prohibited by applicable law, Tradeshift Belgium will provide Customer with a summary of the Security Breach and share information about the Security Breach as it becomes available.
In the event of a Security Breach, the parties agree to coordinate in good faith on developing the content of any related public statements or required notices for the affected Data Subjects and/or notices to the relevant data protection authorities.
During the Term of the Agreement, on an annual basis, Tradeshift Belgium will conduct, at no charge to Customer, an ISAE SOC 2, Type II and an ISO 27001 audit of controls relating to the network operations of Babelway through which Personal Data is processed by Babelway under an Agreement, which audit will be performed by an independent certified public accounting firm (or similarly qualified person). If a deficiency is identified as result of such audit, Tradeshift Belgium will remediate, as Tradeshift Belgium deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Tradeshift Belgium.
In the event Customer wishes to audit Tradeshift Belgium’s compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Tradeshift Belgium’s compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data center facility that Processes Personal Data to the extent required by laws applicable to Customer. The Auditor must execute a written confidentiality agreement acceptable to Tradeshift Belgium before conducting the audit.
To request an audit, Customer must submit a detailed audit plan to Tradeshift Belgium at least four weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Tradeshift Belgium will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Babelway’s security, privacy, employment or other relevant policies). Tradeshift Belgium will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in a SSAE SOC 1, Type II or ISO27001 report prepared for Tradeshift Belgium by a qualified third party auditor or another equivalent report within the prior twelve (12) months and Tradeshift Belgium confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
The audit must be conducted during regular business hours at the applicable facility, subject to Tradeshift Belgium’s policies, and may not unreasonably interfere with Tradeshift Belgium’s business activities.
Customer will provide Tradeshift Belgium any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer agrees that Tradeshift Belgium may, at their discretion, release the audit report to a third party provided Customer is given a reasonable opportunity to redact any personal, confidential, or proprietary information that may be contained in the audit report. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.
Any audits are at the Customer’s expense. Any request for Tradeshift Belgium to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision services under the Agreement. Tradeshift Belgium will seek the Customer’s written approval and agreement to pay any related fees before performing such audit assistance.
Except as otherwise required by law, Tradeshift Belgium will promptly notify Customer of any requirement of a governmental agency or by operation of law (a “Demand”) that it receives and which relates to the Processing of Personal Data. At Customer’s request, Tradeshift Belgium will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner. Customer acknowledges that Tradeshift Belgium has no responsibility to interact directly with the entity making the Demand.
If requested by Customer, Tradeshift Belgium will, within a commercially reasonable period of time, destroy or render unreadable all Personal Data received by Tradeshift Belgium from Customer using appropriate methods of data destruction based on current industry standards, except where the Data Protection Regulations or local law provide for that Personal Data to be preserved or maintained. Written confirmation that the Personal Data was destroyed or rendered unreadable can be provided upon request.
