Data Processing Terms

These Data Processing Terms, if directly or indirectly referenced and incorporated in the Order Form, specify the rights and obligations regarding the processing of personal data by the Provider as processor (“Processor”) for the Customer as controller (“Controller”) in connection with the provision of the Service in accordance with Art. 28 (2) – (4) GDPR.

Insofar as data protection terminology such as “controller”, “processor”, “personal data”, “data subject(s)”, “personal data breach” is used in these Data Processing Terms, these are to be understood in the sense of the corresponding legal definitions according to Art. 4 GDPR.

Capitalized terms shall have the meaning defined in the applicable terms & conditions which reference these Data Processing Terms for the relevant Service.

1.            Specification of data processing

1.1          Subject matter/purpose. The subject matter and purpose of the data processing performed by the Processor is the provision of the Service and its functionalities as specified in the Order Form.

1.2          Term. The data processing shall commence and terminate along with the term of the Order Form. Permission of data processing necessary to fulfil deletion and/or return obligations as set out in section 3.8 remains unaffected hereof.

1.3          Nature of processing/type of personal data/categories of data subjects. The nature of the data processing results from the functionalities of the Service and may typically include processing operations from collection, through storage to deletion of personal data. The types of personal data subject to and categories of data subjects affected by the data processing will be specified in the service description (referenced) in the Order Form.

2.            Controller’s rights and obligations

2.1          Controllership. The Controller remains responsible vis-à-vis the data subjects and ensures that the data processing will be carried out in accordance with the relevant provisions of applicable data protection law and therefore shall be the responsible data controller in terms of applicable data protection laws.

2.2          Instructions. In addition to the instructions specified in these Data Processing Terms, the Controller may instruct the Processor as to the manner, scope and procedure of the personal data processing, in particular correction, blocking and deletion.

2.3          Review and audit rights. The Controller may adequately audit the Processor’s compliance with these Data Processing Terms and the Controller’s instructions, in particular the Processor’s TOMs, upon request and with reasonable prior notice. For these purposes the Processor will allow the Controller, its employees or authorized agents or advisers who are bound to secrecy, upon reasonable prior written notice to the Processor, reasonable access to any relevant premises during normal business hours. Any internal and external costs incurred by the Processor as a result of such an audit shall be borne by the Controller.


3.            Processor’s obligations

3.1           Commitment to purpose and instructions. The Processor may solely process personal data on behalf of the Controller pursuant to these Data Processing Terms and, as the case may be, according to the instructions of the Controller and exclusively for the purposes stated in these Data Processing Terms. The Processor may not process personal data for any other purposes unless required under applicable law; in the latter case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2          Location of data processing/third-country data transfers. Data processing shall be carried out within a Member State of the European Union (“EU”) or the European Economic Area (“EEA”). Each and every transfer of personal data to a country outside the EU/EEA (“Third Country”), including the grant of access to personal data stored in the EU/EEA from a Third Country, shall only be permitted if the specific conditions of Art. 44 et seq. GDPR are met before personal data is transferred.

3.3          Technical and organizational measures. The Processor shall establish technical and organisational measures (“TOMs”) which guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the Service. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons shall be taken into account. The TOMs currently established by the Processor are described in ANNEX 1. TOMs are subject to technical progress and further development. In this respect, it is permissible for the Processor to change the described TOMs, as long as the security level of the defined measures is not reduced. Notwithstanding this, any changes shall be documented and communicated to the Controller, e.g. by providing an updated list of TOMs.

3.4          Confidentiality. The Processor is obliged to maintain confidentiality and shall ensure that all its personnel authorized to process personal data belonging to the Controller under these Data Processing Terms have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.5          Compliance monitoring. During the entire contractual term, the Processor shall monitor compliance with the data protection provisions under these Data Processing Terms and, as the case may be, the instructions issued by the Controller according to section 2.2 above.

3.6          Information on audit activities/control measures of data protection supervisory authorities. The Processor shall inform the Controller immediately of audit activities or any other control measures of data protection supervisory authorities, insofar as they relate to the data processing under these Data Processing Terms.

3.7          Support obligations. Taking into account the nature of the data processing and the information available, the Processor shall assist the Controller, as far as possible, in fulfilling its obligations laid down in the applicable data protection law (e.g. issuing data breach notifications to data protection supervisory authorities and data subjects, carrying out data protection impact assessments, as well as responding to requests for exercising data subjects’ rights). In particular, the Processor shall notify the Controller without undue delay after becoming aware of a personal data breach which might affect personal data processed on behalf of the Controller under these Data Processing Terms. If a data subject approaches the Processor directly with a request for correction, deletion or restriction of processing of his/her personal data, the Processor shall immediately forward this request to the Controller.

3.8          Return/deletion of personal data. After termination of the Service the Processor shall, at the choice of the Controller, i) delete or ii) return to the Controller all the personal data processed under these Data Processing Terms and any copies thereof, unless applicable law requires further storage of the personal data (e.g. retention obligations). In the latter case, the Processor shall ensure that data processing is restricted to that purpose. Until the Customer decides whether Controller should delete or return the data, Customer’s (personal) data will be stored in accordance with the applicable terms & conditions which reference these Data Processing Terms for the relevant Service.

3.9          Provision of evidence/acceptance of audits. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the Processor’s obligations laid down under these Data Processing Terms. For this purpose, the Processor shall also allow audits, including inspections, under the conditions set out in section 2.3 above.

3.10      Doubts about the lawfulness of the processing. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law. The Processor shall then be entitled to suspend the execution of the relevant instruction until the Controller confirms or changes it.

4.            Use of subprocessors

4.1          Subprocessing. Subprocessing for the purpose of these Data Processing Terms is to be understood as data processing related to outsourced services which relate directly to the provision of the Services. This does not include ancillary services, such as telecommunication services, postal/transport services. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of Controller’s personal data, also in the case of outsourced ancillary services.

4.2          Authorization of the Controller. The Processor has the Controller’s general authorization for the engagement of subprocessors as listed in ANNEX 2. The Processor shall inform the Controller of any intended changes of that list through the addition or replacement of subprocessors at least 15 calendar days before the changes shall become effective, thereby giving the Controller the opportunity to object to the changes. Within 14 calendar days upon Processor’s notice, Controller may object to the intended involvement of an additional or replaced subprocessor, providing objectively justifiable grounds related to the ability of such new subprocessor to adequately protect personal data in accordance with these Data Processing Terms or applicable data protection law. In the event Controller’s objection is justified, the Parties will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the subprocessor’s compliance with these Data Processing Terms or applicable data protection law, or delivering the Services without the involvement of such subprocessor. To the extent the Parties do not reach a mutually acceptable resolution within a reasonable timeframe, Controller shall have the right to terminate the relevant Services (i) upon 14 days prior notice; (ii) without liability to the Parties and (iii) without relieving the Controller from its payment obligations under the Agreement up to the date of termination.

4.3          Subprocessing agreement. The Processor shall enter into a data processing agreement with each subprocessor which shall be consistent with the data protection level of these Data Processing Terms.

4.4          Subprocessors in Third Countries. If the respective subprocessor wants to provide the agreed service in or from a Third Country, the Processor shall ensure the legitimacy of that Third Country transfer of personal data pursuant to Art. 44 et seq. GDPR. The relevant subprocessor(s) and the respective transfer mechanism shall be included in ANNEX 2.

4.5          Liability for subprocessors. Where a subprocessor fails to fulfil its data protection obligations when processing personal data the Controller is responsible for, the Processor shall remain fully liable to the Controller for the performance of the subprocessor’s obligations.

5.            Communication under these Data Processing Terms

5.1          Form and mutual contacts. Insofar as the provisions of these Data Processing Terms require communication between the Controller and the Processor (e.g. issuing individual instructions; notification of changes to subprocessors; notification of Personal Data Breaches etc.), this must be made in writing or in text form to the postal or email addresses of the Parties contained in the Order Form.

5.2          Change of contact addresses. Permanent changes of a contact address must be communicated to the other Party in advance in writing or in text form.

6.            Appendices

The following attachments are an integral part of these Data Processing Terms:

ANNEX 1:        TOMs

ANNEX 2:        List of approved subprocessors


ANNEX 1

The Processor has implemented the following TOMs:


1. Confidentiality (article 32 paragraph 1 lit. b GDPR)

☐   Physical access control

= No unauthorized access to data processing facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems

Specific measures taken by the Processor:

– physical access control by cloud provider Microsoft Azure

– developer hardware access control by locks

☐   Electronic access control

= No unauthorized use of the Data Processing and data storage systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media

Specific measures taken by the Processor:

– electronic access control by cloud provider Microsoft Azure

– enforce strong password policies

– two factor authentication

– role based access control

– regular access reviews


☐   Internal access control (permissions for user rights of access to and amendment of data)

= No unauthorized reading, copying, changes or deletions of data within the system, e.g. rights authorization concept, need-based rights of access, logging of system access events

Specific measures taken by the Processor:

– data encryption both in transit and at rest to protect sensitive information

– logging and monitoring of access to sensitive data (Grafana)

– limiting admin-level permissions to essential personnel

– regular employee training on data policies


☐   Isolation control

= The isolated Data Processing, which is collected for differing purposes, e.g. multiple client support, sandboxing

Specific measures taken by the Processor:

– logical separation of data through database schemas, virtualization, or encryption

– secure APIs with Auth0 and firewalls to prevent unauthorized data mixing or access.


☐   Pseudonymization (article 32 paragraph 1 lit. a GDPR; article 25 paragraph 1 GDPR)

= The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures

Specific measures taken by the Processor:

– use of unique identifiers or tokenization for sensitive personal data fields

– pseudonymization keys are stored separately from the data

– access restriction to de-anonymization keys to authorized personnel only


2. Integrity (article 32 paragraph 1 lit. b GDPR)

☐   Data transfer control

= No unauthorized reading, copying, changes or deletions of Personal Data with electronic transfer or transport, e.g.: encryption, virtual private networks (VPN), electronic signature

Specific measures taken by the Processor:

– use of end-to-end encryption protocols (e.g., HTTPS, TLS, VPNs)

– secure file transfer protocols like SFTP or FTPS

– limiting access to authorized communication endpoints


☐   Data entry control

= Verification, whether and by whom Personal Data is entered into a data processing system, is changed or deleted, e.g.: logging, document management

Specific measures taken by the Processor:

– audit trails of data modifications, including timestamp and responsible personnel

– input validation to ensure only correct and relevant data is stored

– version control for critical records to track and recover changes.


3. Availability and Resilience (article 32 paragraph 1 lit. b GDPR)

☐   Availability control (article 32 paragraph 1 lit. c GDPR)

= Prevention of accidental or willful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall

Specific measures taken by the Processor:

– redundant storage systems by cloud provider (Microsoft Azure)

– deployment of cloud solutions with high availability SLAs (e.g., 99.9% uptime)

– regular monitoring of system performance and uptime (Grafana)


☐   Rapid recovery (article 32 paragraph 1 lit. c GDPR)

= Ability to quickly recover the data processing system and Personal Data stored on it in the event of an incident (e.g., reporting channels and contingency plans; backup strategy (online/offline; on-site/off-site))

Specific measures taken by the Processor:

– routine data backups

– regular disaster recovery testing and updates to recovery procedures.


4. Procedures for regular testing, assessment and evaluation (article 32 paragraph 1 lit. d GDPR; article 25 paragraph 1 GDPR)

☐   Data protection management

= Implementation and ongoing monitoring of compliance with data protection regulations, in particular data protection principles and accountability under article 5 GDPR (e.g. data protection policy with clear rules/principles for handling Personal Data; documentation and legality and risk assessments of processing activities; implementation of data protection processes with clear assignment of roles and responsibilities (in particular with regard to dealing with Personal Data Breaches); regular data protection training for employees; obligation of employees to maintain data secrecy; if necessary, appointment of a data protection officer)

Specific measures taken by the Processor:

– regular internal and external audits of data processing practices


☐   Data protection by design and default (article 25 paragraph 2 GDPR)

= technical consideration of data protection already in the development phase (e.g. waiving (mandatory) coupling of Data Processing and concatenation of Personal Data for various functions/purposes; processing of Personal Data only to the extent necessary for the respective purpose or functionality; ensuring data transparency and rights of Data Subjects in the product) and through data protection-friendly pre-settings (e.g. pre-setting of the most data-efficient variant)

Specific measures taken by the Processor:

– minimal data collection and shortest retention periods as default

– privacy-enhancing technologies like encryption and anonymization

– regular training for developers on secure coding practices.


☐   Order or contract control

= No third party Data Processing as per article 28 GDPR without corresponding instructions from the Controller, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the service providers, duty of pre-evaluation, supervisory follow-up checks.

Specific measures taken by the Processor:

– regular training for developers on secure coding practices.

– incident reporting and response mechanisms for processors.


ANNEX 2

List of approved subprocessors

Columns: (1) Name and address of the subprocessor; (2) Description of the activity / purpose of the involvement; (3) Transfer of Personal Data to Third Countries and, if applicable, safeguards in place to ensure an adequate level of data protection in the Third Country/-ies (e.g. Adequacy Decision of the EU Commission; EU Standard Contractual Clauses; Binding Corporate Rules; etc.)

Subprocessor      | Activity / purpose of the involvement      | Third Country transfer / safeguards
Microsoft Azure   | Cloud storage / cloud computation provider | N/A
Auth0             | User authentication                        | N/A
WordPress         | User information (website)                 | N/A
WooCommerce       | Webshop                                    | N/A
Stripe            | Payment provider                           | N/A


Active House

Radar Tool

Use of the Radar Tool