Data Processing Agreement
Considerations
This Data Processing Agreement (hereafter: “DPA”) is an annex to the Treehatch Plantsoon Terms of Service. Together, the Terms of Service and the DPA constitute the Agreement with the Customer.
Within the context of the performance of the Services for the Customer, Treehatch shall have access to Personal Data and/or will have to Process these Personal Data, for which the Customer is responsible as ‘Controller’ in accordance with (i) the General Data Protection Regulation of 27 April 2016 (‘the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the Processing of personal data and on the free movement of such data’ or ‘GDPR’) and (ii) all Belgian laws regarding the implementation of the GDPR (hereafter jointly referred to as the ‘Privacy Legislation’).
Through this DPA Parties wish to determine in writing their mutual agreements with regard to (i) managing, securing and/or Processing of such Personal Data and (ii) Parties’ obligation to comply with the Privacy Legislation.
Note that this DPA deals only with Treehatch’s role as Processor and not as a Controller. For more information about Treehatch’s Processing of Personal Data in its capacity as a Controller, please refer to the Privacy Statement.
1. Definitions
In this DPA, the following concepts have the meaning described in this article (when written with a capital letter):
‘Agreement’, ‘Contributions’, ‘Customer’, ‘Customer Account’, ‘Customer Account Data’, ‘Party’ / ‘Parties’, ‘Services’, ‘Subscription’, ‘Treehatch’, ‘Term’ and ‘Tool’ shall have the meaning given to them in the Terms of Service.
For the purpose of this DPA only, ‘Personal Customer Account Data’ shall mean all Personal Data for which the Customer is responsible as ‘Controller’ and which Treehatch expects to Process on behalf of the Customer in the context of providing its Services, a non-limitative list of which can be found in Overview I. For the avoidance of any doubt, this definition is broader than the one used in the Terms of Service, because it also includes certain Personal Data of Users.
‘Controller’, ‘Data Subject’, ‘Data Breach’, ‘Personal Data’, ‘Processor’ and ‘Process/Processing’ shall have the meaning given to them in the Privacy Legislation.
‘Subprocessor’ shall mean any Processor engaged by Treehatch and authorized under this DPA to have logical access to and Process certain Personal Customer Account Data in order to provide parts of the Services and technical support.
This DPA includes the following overviews:
Overview I:
Overview of (i) the Personal Data which Parties expect to be subject of the Processing, (ii) the categories of Data Subjects which Parties expect to be subject of the Processing, (iii) the use (i.e. the way(s) of Processing) of the Personal Data, (iv) the goals and means of such Processing and (v) the term(s) during which the (different types of) Personal Data shall be stored;
Overview II:
Overview and description of the security measures taken by Treehatch under this DPA.
2. Roles of the Parties
Parties acknowledge and agree that with regard to the Processing of Personal Customer Account Data, the Customer shall be considered ‘Controller’ and Treehatch ‘Processor’. Further, Treehatch is allowed to engage Subprocessor(s) pursuant to the requirements set forth in Article 6.
3. Use of the Services
3.1 The Customer acknowledges explicitly that:
- Treehatch purely acts as a facilitator of its Services. Hence, the Customer shall be solely responsible for the use it makes of the Services;
- It shall be solely responsible to comply with all laws and regulations (such as but not limited to the retention period) imposed on it when using the Services.
3.2 In case of misuse by the Customer of the Services, the Customer agrees that Treehatch can never be held liable in this respect nor for any damage that would occur from such misuse.
3.3 The Customer therefore undertakes to safeguard Treehatch when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.
4. Object
4.1 The Customer acknowledges that as a consequence of using the Services, Treehatch shall Process Personal Customer Account Data.
4.2 Treehatch shall Process the Personal Customer Account Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
More specifically, Treehatch shall – during the performance of the Services under the Agreement – provide all its know-how in order to perform the Services according to the rules of the art, as befits a specialized and ‘good’ Processor.
4.3 Nonetheless, Treehatch shall only Process the Personal Customer Account Data upon request of the Customer and in accordance with its instructions, as described in Overview I, unless any legislation states otherwise.
4.4 The Customer, as Controller, owns and retains full control concerning (i) the Processing of Personal Customer Account Data, (ii) the types of Personal Customer Account Data Processed, (iii) the purpose of Processing and (iv) whether such Processing is proportionate (non-limitative).
Moreover, the Customer shall be solely responsible to comply with all (legal) obligations in its capacity as Controller (such as but not limited to the retention period) and shall have the sole responsibility for the accuracy, quality, and legality of the Personal Customer Account Data, entered into the Tool, and the means by which it acquired such Personal Customer Account Data. The responsibility and control concerning the Personal Customer Account Data, subject to this DPA, shall thus never be vested in Treehatch.
5. Security of Processing
Taking into account the state of the art, Treehatch implements appropriate technical and organizational measures for the protection of (i) Personal Customer Account Data – including protection against careless, improper, unauthorized or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Customer Account Data, as set forth in Overview II.
6. Subprocessors
6.1 The Customer acknowledges and agrees that Treehatch may engage Subprocessors as disclosed at Plantsoon Subprocessors in connection with the Agreement. In such a case, Treehatch shall ensure that the Subprocessors are at least bound by the same obligations by which Treehatch is bound under this DPA.
6.2 Treehatch undertakes to inform the Customer in writing of any intended change to the aforementioned list (e.g. adding or replacing a Subprocessor).
The Customer is entitled to oppose a new Subprocessor.
If the Customer wishes to exercise its right to object, the Customer shall notify Treehatch in writing and in a reasoned manner by the latest within ten (10) days upon receipt of Treehatch’s notice (cfr. Article 6.3).
6.3 In the event the Customer objects to a new Subprocessor and such objection is not found unreasonable, Treehatch, in consultation with the Customer, will make all reasonable efforts to resolve the Customer's objection.
If Treehatch is, however, unable to resolve the Customer’s objection, the Customer may terminate the Agreement on the condition that:
- The Services cannot be used by the Customer without appealing to the objected new Subprocessor; and/or
- Such termination solely concerns the Services which cannot be provided by Treehatch without appealing to the objected new Subprocessor;
and this by providing written notice thereof to Treehatch within ten (10) days.
7. Transfer of Personal Customer Account Data outside the EEA
Any transfer of Personal Customer Account Data by Treehatch outside the EEA to a recipient whose residence or registered office does not fall under an adequacy decision issued by the European Commission shall – in addition to the clauses of this DPA – be governed by the terms of module four (4) of the standard contractual clauses pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021.
8. Confidentiality
8.1 Treehatch shall maintain the Personal Customer Account Data confidential and thus not disclose nor transfer any Personal Customer Account Data to third parties, without the prior written agreement of the Customer, unless:
- In case of an explicit written deviation from this confidentiality obligation (e.g. in the Terms of Service);
- Such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case Treehatch shall, prior to any disclosure and/or announcement, discuss the scope and manner thereof with the Customer.
8.2 Treehatch shall ensure that its personnel, engaged in the performance of the Services under the Agreement, are informed of the confidential nature of the Personal Customer Account Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Treehatch shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
8.3 Treehatch shall ensure that its access to Personal Customer Account Data is limited to such personnel performing the Services under the Agreement in accordance with the DPA.
9. Notification
9.1 Treehatch shall use its best efforts to inform the Customer within a reasonable term when it:
- Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Customer Account Data;
- Has the intention to disclose Personal Customer Account Data to a competent public authority;
- Determines or reasonably suspects a Data Breach has occurred in relation to the Personal Customer Account Data.
9.2 In case of a Data Breach, Treehatch:
- Notifies the Customer without undue delay after becoming aware of a Data Breach and shall provide – to the extent possible – assistance to the Customer with respect to its reporting obligation under the Privacy Legislation;
- Undertakes – as soon as reasonably possible – to take appropriate remedial actions to put an end to the Data Breach and to prevent and/or limit any future Data Breach.
10. Rights of the Data Subjects
10.1 To the extent the Customer – in its use of the Services – does not have the ability to correct, amend, block or delete Personal Customer Account Data, as required by Privacy Legislation, Treehatch shall – to the extent it is legally permitted to do so – comply with any commercially reasonable request by the Customer to facilitate such actions.
To the extent legally permitted, the Customer shall be responsible for any costs arising from Treehatch’s provision of such assistance.
10.2 Treehatch shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Treehatch shall, however, not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to the Customer to which the Customer hereby agrees.
Treehatch shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent the Customer does not have access to such Personal Data through its use of the Services.
To the extent legally permitted, the Customer shall be responsible for any costs arising from Treehatch’s provision of such assistance.
11. Return and deletion of Customer Account Data
11.1 Treehatch provides the Customer as much as possible with the option to delete Personal Data from the Customer Account during the lifetime of the Agreement. This allows the Customer to meet its own responsibilities regarding data minimization and storage limitation as a Controller.
11.2 Upon termination of the Subscription, the Customer has the possibility to export the Personal Customer Account Data (as well as other data, both personal and non-personal) from the Customer Account on demand or via export tool if available. This should be done before the Subscription ends.
11.3 Once the Subscription ends, the Customer Account shall be deactivated and Treehatch shall retain the Personal Customer Account Data for a period of thirty (30) calendar days solely to enable the Customer to request an export of the Customer Account Data. During this period, the Customer Account cannot be restored or reactivated. Providing an export of the Customer Account Data during this period can only be done with the assistance of Treehatch, which may charge reasonable costs for the efforts made.
Treehatch shall subsequently hard delete the Personal Customer Account Data at the earliest thirty (30) days and at the latest three (3) months after the Subscription has ended. Once the Personal Customer Account Data has been hard deleted, providing an export of the Customer Account Data is no longer possible.
12. Control
12.1 Treehatch undertakes to provide the Customer with all information required by the Customer to allow verification whether Treehatch complies with the provisions of this DPA.
12.2 In this respect Treehatch shall allow the Customer (or a third party on which the Customer appeals) to undertake inspections – such as but not limited to an audit – and to provide the necessary assistance thereto to the Customer or that third party.
To the extent legally permitted, the Customer shall be responsible for any costs arising from Treehatch’s provision of such assistance.
In any case, inspections must be conducted during regular business hours at the applicable facility, subject to Treehatch’s policies, and may not unreasonably interfere with Treehatch’s business activities.
13. Miscellaneous
13.1 The DPA lasts as long as the Agreement has not come to an end. The provisions of this DPA shall apply to the extent necessary for the completion of this DPA and to the extent intended to survive the end of this DPA (such as but not limited to Article 8 and 14).
13.2 If one or more provisions of this DPA are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this DPA shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such an event, Parties shall negotiate to replace the invalid provision by an equivalent provision in accordance with the spirit of this DPA. If Parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.
13.3 This DPA and the corresponding rights and obligations that exist in respect of the Parties, cannot be transferred, directly or indirectly, without the prior written consent of the other Party.
13.4 (Repeated) non-enforcement by a Party or by both Parties of any right or provision of this DPA can only be regarded as a toleration of a certain state, and does not lead to forfeiture.
13.5 This DPA takes precedence over any other DPA between the Parties as well as over any conflicting provisions regarding the Processing of Personal Customer Account Data in other agreements or written communication between the Parties.
14. Applicable law and jurisdiction
14.1 All issues, questions and disputes concerning the validity, interpretation, enforcement, performance or termination of this DPA shall be governed by and construed in accordance with Belgian law, without giving effect to any other choice of law or conflict-of-laws rules or provisions (Belgian, foreign or international) that would cause the laws of any country other than Belgium to be applicable.
14.2 Any dispute concerning the validity, interpretation, enforcement, performance or termination of this DPA shall be submitted to the exclusive jurisdiction of the courts of Treehatch’s registered office.
Overview I – Processing of Personal Customer Account Data by Treehatch
This document entails an overview of the Personal Data Treehatch is expected to Process on behalf of the Customer in the context of the Agreement, as well as the categories of Data Subjects involved, the way(s) of Processing of Personal Data, the means and purposes of Processing and the term during which the Personal Data shall be stored.
The Customer acknowledges that the summary, as mentioned above, provides a general overview of the Personal Customer Account Data which Treehatch expects to Process in the context of the Agreement. For the sake of clarity, this overview does not cover all possible situations.
I. Personal Data Processed
Personal Data of Users:
- First name
- Last name
- Gender
- E-mail address(es)
- Other Personal Data, depending on the use of the Services by the Customer (e.g. uploading or providing documents which contain Personal Data; entering descriptions of free fields which contain Personal Data; etc.)
Personal Data of third parties (e.g. prospects, business partners, clients and customers of the Customer):
- First name
- Last name
- Gender
- Primary address
- Other Personal Customer Account Data, depending on the use of the Services by the Customer (e.g. adding of custom fields to enter more Personal Customer Account Data; uploading or providing documents which contain Personal Customer Account Data; entering descriptions of free fields which contain Personal Customer Account Data; etc.)
Treehatch does not, under any circumstances, expect to collect any special categories of Personal Data as defined in the Privacy Legislation, including, but not limited to: information about the Data Subject’s health, race, political opinions, religious or other beliefs, sexual orientation, etc. The responsibility for any Processing of such sensitive data through the Customer Account and Services rests entirely with the Customer.
II. Categories of Data Subjects
- Users
- Prospects of the Customer
- Suppliers of the Customer
- Business partners of the Customer
- Service providers of the Customer
- Other Data Subjects whose Personal Data are entered into the Tool by users
III. The use of Personal Data, means and purposes of Processing
Use of Personal Data:
- Make the Personal Customer Account Data readily available, editable, exportable and analyzable for the Customer in the Customer Account;
- Store the Personal Customer Account Data in the cloud;
- Make back-ups of the Personal Customer Account Data for disaster recovery purposes.
Means of Processing:
- The Tool;
Purposes of Processing:
- Creation and management of Contributions;
- Adding of Personal Customer Account Data to the Tool in order to follow up on the management of contacts and companies;
- Management of Users;
- Saving and collecting documents;
- Management of data such as flora, asset, ... records.
IV. Retention period
Treehatch shall retain the Personal Customer Account Data as long as the Agreement is ongoing, unless the Customer performs or requests an earlier deletion.
Once the Agreement has ended, Treehatch shall deactivate the Customer Account and retain the Personal Customer Account Data for a period of thirty (30) calendar days solely for the purpose of enabling the Customer to request an export of the Personal Customer Account Data. During this period, the Customer Account cannot be restored or reactivated. Providing an export of the Personal Customer Account Data during this period can only be done with the assistance of Treehatch, which may charge reasonable costs for the efforts made.
Treehatch shall subsequently hard delete the Personal Customer Account Data at the earliest thirty (30) days and at the latest three (3) months after the Agreement has ended. Once the Personal Customer Account Data has been hard deleted, it can no longer be recovered or exported.
Treehatch does not apply ‘soft deletion’. Personal Customer Account Data is only retained temporarily for the above-mentioned export purpose, after which it is permanently (hard) deleted. During the retention period, no recovery of the Customer Account or reactivation thereof is possible.
Upon termination of the Agreement, Treehatch shall be entitled to retain the anonymous and anonymized Customer Account Data (or part thereof) for research, training, educational, statistical and commercial purposes.
Overview II – Description of security measures
This document entails the technical and organizational security measures implemented by Treehatch in support of its (Processing) activities, as set forth by the Privacy Legislation.
I. Access Control of Processing Areas (Physical)
Web applications, communications and database servers of Treehatch are located in secure data centers in the Netherlands, which are operated by Microsoft with whom Treehatch has signed a ‘Data Processing Agreement’ in order to be compliant with the standards and obligations as set forth in the Privacy Legislation.
II. Access Control to Personal Data Processing Systems (Logical)
Treehatch has implemented suitable measures to prevent its Personal Customer Account Data Processing systems from being used by unauthorized persons.
This is accomplished by:
- Establishing the identification of the terminal and/or the terminal user to the Treehatch systems;
- Automatic time-out of the user terminal if left idle; identification and password required to reopen;
- Automatic lock-out of the user ID when several erroneous passwords are entered; events are logged and logs are reviewed on a regular basis;
- Ad hoc monitoring of infrastructure security;
- Regular examination of security risks by internal employees and/or third-party auditors;
- Issuing and safeguarding of identification codes;
- Role-based access control implemented in a manner consistent with the principle of least privilege;
- Logging of access to host servers, applications, databases, routers, switches, etc.;
- Making use of commercial and/or custom tools to collect and examine the Tool and system logs for anomalies.
III. Availability Control
Treehatch has implemented suitable measures to ensure that Personal Customer Account Data is protected from accidental destruction or loss.
This is accomplished by:
- Geo-redundant backup infrastructure;
- Constantly evaluating data centers and Internet service providers (ISPs) to optimize performance for its customers in regards to bandwidth, latency and disaster recovery isolation;
- Service level agreements from ISPs to ensure a high level of uptime;
- Rapid failover capability.
IV. Transmission Control
Treehatch has implemented suitable measures to prevent Personal Customer Account Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.
This is accomplished by:
- Use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- Encryption of Personal Customer Account Data during transmission using up-to-date versions of TLS or other security protocols using strong encryption algorithms and keys;
- Protection of web-based access to account management interfaces by employees through encrypted TLS.
V. Input Control
Treehatch has implemented suitable measures to ensure that it is possible to check and establish whether and by whom Personal Customer Account Data have been input into Personal Data Processing systems or removed.
This is accomplished by:
- Authentication of the authorized personnel;
- Protective measures for Personal Customer Account Data input into memory, as well as for the reading, alteration and deletion of stored Personal Customer Account Data, including by documenting or logging material changes to account data or account settings;
- Segregation and protection of all stored Personal Customer Account Data via database schemas, logical access controls, and/or encryption;
- Utilization of user identification credentials;
- Physical security of data Processing facilities;
- Session timeouts.
VI. Monitoring
Treehatch does not access Personal Customer Account Data, except:
- To provide the required Services under the Agreement;
- To do security checks;
- To provide assistance to the Customer;
- To do usage research and statistical analysis;
- As required by law; or
- Upon request of the Customer.
This is accomplished by:
- Individual appointment of system administrators;
- A strict access control policy which provides for access rights in proportion to the employee’s role;
- Adoption of suitable measures to register system administrators’ access logs to the infrastructure.