DPA & SCC

Our Data Processing Agreement and Standard Contractual Clauses (SCC), which apply when using
1saas.co


DPA & TOM

This Data Processing Agreement ("Agreement") forms part of the Contract for Services under the 1SaaS.co by Wemakefuture AG Terms and Conditions (the "Principal Agreement"). This Agreement is an amendment to the Principal Agreement and is effective upon its incorporation into the Principal Agreement, which incorporation may be specified in the Principal Agreement or in an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this Agreement will form a part of the Principal Agreement.

We periodically update this Agreement. If you have an active 1SaaS.co by Wemakefuture AG account, you will be informed of any modification by email. At the bottom of this page you can find archived versions of our DPA.

The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning set forth in the Principal Agreement.

 

WHEREAS

 

(A) Your company acts as a Data Controller (the "Controller").

(B) Your company wishes to subcontract certain Services (as defined below), which imply the processing of personal data, to Wemakefuture AG, acting as a Data Processor (the "Processor").

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

 

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.2 "Company Personal Data" means any Personal Data Processed by a Contracted Processor on Controller's behalf pursuant to or in connection with the Principal Agreement;

1.1.3 "Contracted Processor" means a Subprocessor;

1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 "EEA" means the European Economic Area;

1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;

1.1.8 "Data Transfer" means:

1.1.8.1 a transfer of Company Personal Data from Controller to a Contracted Processor; or

1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.9 "Services" means end-to-end encrypted email services. The Service is described in more detail in Schedule 1.

1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of Controller in connection with the Agreement.

1.2 The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 not process Company Personal Data other than on Controller's documented instructions.

2.2 Controller instructs Processor to process Company Personal Data to provide the Services and related technical support.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by Controller.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligations, as reasonably understood by Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Processor shall:

6.2.1 promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Processor shall co-operate with Controller and take reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1 Processor shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Company Personal Data

9.1 Subject to this section 9, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date") delete and procure the deletion of all copies of those Company Personal Data.

9.2 Processor shall provide written certification to Controller that it has fully complied with this section 9 within 10 business days of the Cessation Date.

10. Audit rights

10.1 Subject to this section 10, Processor shall make available to Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller in relation to the Processing of the Company Personal Data by the Contracted Processors.

10.2 Information and audit rights of Controller only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. Data Transfer

11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) and/or Switzerland without the prior written consent of Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area or Switzerland to a country outside the European Economic Area or Switzerland, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.

12. General Terms

12.1 Confidentiality. Each Party must keep any information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law;

(b) the relevant information is already in the public domain.

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be sent by email. Controller shall be notified by email sent to the address related to its use of the Service under the Principal Agreement. Processor shall be notified by email sent to the address: gdpr@1SaaS.co byWemakefuture AG.com.

13. Governing Law and Jurisdiction

13.1 This Agreement is governed by German law.

13.2 Any dispute arising in connection with this Agreement which the Parties are not able to resolve amicably will be submitted to the exclusive jurisdiction of the courts of Gießen, subject to possible appeal to the Amtsgericht Gießen.

 

Schedule 1: Service Description and Pricing

The Service offered by Wemakefuture GmbH is 1SaaS.co by Wemakefuture AG ("1SaaS.co by Wemakefuture AG").

1SaaS.co by Wemakefuture AG offers cutting-edge API services with an easy-to-use API interface that is used by individuals and enterprises around the world. 1SaaS.co by Wemakefuture AG provides a complete platform that includes both server-side and client-side software.

 

Schedule 2: Data Processing and Security

1. Description of the data processing carried out on behalf of the Controller

In addition to the information provided elsewhere in the Agreement, the Parties wish to document the following information in relation to the data processing activities.

The data processing performed by the Data Processor on behalf of the Controller relates to the service of end-to-end email communication. The data processing details and procedure can be found in the Company's Privacy Policy at https://1SaaS.co/privacy-policy.

Purposes of the order processing

Personal data of the Client to which Wemakefuture AG obtains access will be processed WITHIN the company infrastructure on the basis of this order processing agreement for the following purposes:

a. Consulting services.

b. Support and management of websites, social media and other communication and information channels.

c. Creation and/or processing of personal profiles.

d. Accounting automation.

e. Provision of services in the field of IT security.

f. Obtaining as well as processing contact information, addresses and leads.

g. Customer management and/or customer support.

h. Software-as-a-Service (SaaS) services.

i. Software creation and/or maintenance services.

j. Administrative, management and administration services.

k. Web and cloud hosting.

l. Advertising and marketing (consulting, design, implementation and execution).

Types and categories of data

The types and categories of personal data processed on the basis of this order processing agreement include:

a. Inventory data.

b. Contact data.

c. Content data.

d. Image and/or video recordings.

e. Contract data.

f. Payment data.

g. Usage data.

h. Location data.

i. Data of lottery participants.

j. Log data.

k. Meta and connection data.

l. Employee data.

m. Salary data.

n. Employee performance and behavior data.

o. Applicant data.

p. Business information.

q. Member data.

Processing of special categories of data

The special categories of personal data processed on the basis of this Order Processing Agreement (pursuant to Article 9(1) of the GDPR) include:

a. Data from which racial origin can be inferred.

b. Data revealing ethnic origin.

c. Data from which political opinions are derived.

d. Data revealing religious or philosophical beliefs.

e. Data revealing trade union membership.

f. Biometric data uniquely identifying a natural person.

Categories of data subjects

The categories of persons affected by the processing of personal data on the basis of this Order Processing Agreement include:

a. Website visitors.

b. Software users.

c. Recipients of marketing efforts.

d. Participants.

e. Subscribers.

f. Interested parties.

g. Business customers.

h. Business partners.

i. Freelancers.

j. Employees/workers.

k. Applicants.

l. Members.

Sources of the data processed

a. Information provided by users, customers or other data subjects.

b. Collection by the Processor.

c. Collection in the context of the use of software, applications, websites and other online services.

d. Collection in the context of events and functions.

e. Collection in the context of advertising and marketing campaigns.

f. Collection via interfaces to services of other providers.

g. External databases and data collections.

h. Receipt by way of transmission or other communication by or on behalf of the Customer.


Appendix: Responsible persons and contact persons

The contact persons named below are authorized to issue or receive instructions on behalf of the Customer. The other contracting party must be notified of any change to the contact persons, of any non-temporary unavailability on their part, or of any change to their contact information.

Responsible persons and contact persons at the client:

- Sebastian Mertens - Managing Director.

 

Appendix: Technical and Organizational Measures (TOMs)

A level of protection appropriate to the risk to the rights and freedoms of the natural persons concerned by the processing shall be ensured for the specific commissioned processing and the personal data processed within its scope. To this end, the protection objectives of confidentiality, integrity and availability of the systems and services, as well as their resilience with regard to the type, scope, circumstances and purpose of the processing operations, shall be taken into account in such a way that the risk is permanently contained by means of appropriate technical and organizational remedial measures.

Organizational measures

Organizational measures have been taken to ensure an appropriate level of data protection and its maintenance.

a. The Processor has implemented an appropriate data protection management system or data protection concept and ensures its implementation.

b. An appropriate organizational structure for data security and data protection is in place, and information security is integrated into company-wide processes and procedures.

c. Internal security guidelines are defined and communicated to employees within the company as binding rules.

d. The Processor conducts a review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing when there is cause to do so, but at least annually.

e. System and security tests, such as code scans and penetration tests, are performed regularly and also without specific cause.

f. The technical and organizational measures are reviewed and adjusted regularly, at least annually, according to the PDCA cycle (Plan-Do-Check-Act).

g. The development of the state of the art, as well as new threats and security measures, is continuously monitored and incorporated in a suitable manner into the company's own security concept.

h. There is a concept that guarantees the protection of the rights of the data subjects by the client (in particular with regard to information, correction, deletion or restriction of processing, data transfer, revocations and objections). The concept includes informing employees about the information obligations towards the client, setting up implementation procedures and appointing responsible persons, as well as regular monitoring and evaluation of the measures taken.

i. A concept is in place to ensure a prompt response to threats to and breaches of personal data protection in accordance with legal requirements. The concept includes informing employees about the information obligations towards the client, setting up implementation procedures and appointing responsible persons, as well as regular monitoring and evaluation of the measures taken.

j. Security incidents are consistently documented, even if they do not lead to an external report (e.g., to the supervisory authority or affected persons) (so-called "security reporting").

k. Sufficient professional qualification of the data protection officer for security-relevant issues and opportunities for further training in this specialist area.

l. Sufficient professional qualification of the IT security officer for security-relevant issues and opportunities for further training in this specialist area.

m. Service providers used to perform ancillary tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected, and it is ensured that they comply with the protection of personal data. If the service providers gain access to personal data of the client in the course of their activities, or if there is otherwise a risk of access to the personal data, they are specifically obligated to maintain secrecy and confidentiality.

n. The protection of personal data shall be taken into account already during the development or selection of hardware, software and procedures, in accordance with the principles of data protection by design and by default, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons associated with the processing.

o. Software and hardware in use is always kept up to date, and software updates are carried out without delay, within a period that is reasonable in view of the degree of risk and any need for testing. No software or hardware will be used that is no longer updated by its provider with regard to data protection and data security concerns (e.g. end-of-life operating systems).

p. Standard software and corresponding updates are only obtained from trustworthy sources.

q. A device management system makes it possible to determine which employees or authorized representatives use which devices in which areas.

r. A "paperless office" is maintained, i.e., documents are generally only stored digitally and are kept in paper form only in exceptional cases.

s. Documents are only stored in paper form if there is no adequate digital copy with regard to the order processing, its purpose and the interests of the persons affected by the contents of the documents, or if paper storage has been agreed with the client or is required by law.

t. There is a deletion and disposal concept that complies with the data protection requirements of the order processing and the state of the art. The physical destruction of documents and data carriers is carried out in compliance with data protection requirements and in accordance with legal requirements, industry standards and state-of-the-art industrial standards (e.g. in accordance with DIN 66399). Employees have been informed about legal requirements, deletion deadlines and, where responsible, about specifications for the destruction of data or equipment by service providers.

u. The processing of the client's data that has not been deleted in accordance with the agreements of this order processing contract (e.g. as a result of legal archiving obligations) is restricted to the necessary extent by blocking notices and/or segregation.

 

Use of a suitable information security management system (ISMS)

An information security management system (ISMS) in accordance with BSI standards is used.

Data protection at employee level

Measures have been taken to ensure that employees involved in the processing of personal data have the expertise and reliability required by data protection law.

a. Employees are bound to confidentiality and secrecy (data protection secrecy).

b. Employees are sensitized and instructed with regard to data protection in accordance with the requirements of their function. The training and sensitization is repeated at appropriate intervals or when circumstances require it.

c. Relevant guidelines, e.g. on e-mail/Internet use, handling malware reports, and use of encryption techniques, are kept up to date and are easy to find (e.g. on the intranet).

d. If employees work outside the company's internal premises (home and mobile offices), employees are informed about the special security requirements and protection obligations in these situations and are required to comply with them, subject to control and access rights.

e. If employees use private devices for business activities, employees are informed about the special security requirements and protection obligations in these situations and are obligated to comply with them, subject to control and access rights.

f. Keys, access cards or codes issued to employees, as well as authorizations granted with regard to the processing of personal data, are withdrawn or revoked after they leave the service of the Processor or after a change of responsibilities.

g. Employees are obliged to leave their working environment tidy and in particular to prevent access to documents or data carriers containing personal data (clean desk policy).

 

Physical access control

Physical access control measures have been taken to prevent unauthorized persons from physically approaching the systems, data processing equipment or procedures with which personal data are processed.

a. Access to data processing equipment is additionally secured and only authorized employees may enter.

b. There is a personal check at the gatekeeper or at the reception desk.

c. Video surveillance technology is used to prevent access by unauthorized persons.

d. An alarm system is used to prevent access by unauthorized persons.

e. Access is secured by a manual locking system with security locks.

f. Access is secured by a smart card or transponder locking system.

g. The issuance and return of keys and/or access cards is logged.

h. Employees are required to lock equipment or have it specially secured when they leave their work environment or the equipment.

i. Records (files, documents, etc.) are stored securely, e.g., in filing cabinets or other appropriately secured containers, and appropriately protected from access by unauthorized persons.

j. Data media are stored securely and appropriately secured from access by unauthorized persons.

 

Electronic access control

Electronic access control measures are in place to ensure that access (i.e., the very possibility of use, actual use, or observation) by unauthorized persons to systems, data processing equipment or procedures is prevented.

a. A password policy specifies that passwords must be of a minimum length and complexity consistent with the state of the art and security requirements.

b. All data processing equipment is password protected.

c. Passwords are generally not stored in clear text and are only transmitted hashed or encrypted.

d. Password management software is used.

e. As far as technically supported, two-factor authentication is used to access data of the client.

f. Failed attempts to log in to internal systems are limited to a reasonable number (e.g., by blocking the login credentials).

g. Access credentials are deleted or deactivated when their users have left the company or organization of the Processor.

h. Server systems and services are used that have intrusion detection systems.

i. Anti-virus software that is kept up to date is used.

j. Software firewall(s) are used.

k. Backups are stored in encrypted form.

 

Internal access control and input control (permissions for user rights to access and modify data)

Access control measures have been taken to ensure that those authorized to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing. Furthermore, input control measures have been taken to ensure that it is possible to check and establish retrospectively whether and by whom personal data have been entered into data processing systems, modified, removed or otherwise processed.

a. A rights and roles concept (authorization concept) ensures that personal data can only be accessed by a group of persons selected on the basis of necessity and only to the extent required.

b. The rights and roles concept (authorization concept) is evaluated regularly, within a reasonable timeframe, and when required (e.g., after violations of access restrictions), and updated as necessary.

c. Access to individual files of the client is logged.

d. The entry, modification and deletion of individual client data is logged.

e. The log files are protected against modification, loss and unauthorized access.

f. The activities of administrators are appropriately monitored and logged within the scope of what is legally permissible and technically justifiable.

g. It is ensured that it is possible to trace which employees or authorized representatives had access to which data and when (e.g., by logging software usage or by drawing conclusions from access times and the authorization concept).

 

Transfer control

Measures have been taken to control the transfer of personal data to ensure that it cannot be read, copied, modified or removed by unauthorized persons during electronic transmission or during transport or storage on data media, and that it is possible to check and determine to which bodies personal data is to be transferred by data transmission equipment.

a. When accessing internal systems from outside (e.g. for remote maintenance), encrypted transmission technologies are used (e.g. TLS tunnel / VPN).

b. Mobile data carriers are encrypted.

c. E-mails are encrypted during transmission, which means that the e-mails are protected on their way from the sender to the recipient from being read by someone who has access to the networks through which the e-mail is sent.

d. The transmission and processing of personal data of the Client via online services (websites, apps, etc.) is protected by means of TLS/SSL or equivalent secure encryption.

e. Files are encrypted prior to transfer to cloud storage services.

Order control, purpose limitation and segregation control

Order control measures have been taken to ensure that personal data processed on behalf of the Customer are only processed in accordance with the Customer's instructions. The measures ensure that personal data of the Customer collected for different purposes are processed separately and that no mixing, blending or other joint processing of these data that contradicts the order takes place.

a. The processing operations carried out for the Customer are separately documented to an appropriate extent in a register of processing activities.

b. Sub-processors and other service providers are carefully selected.

c. The Processor shall not engage any other sub-processors without the consent of, or prior information to, the Customer (who shall then have the right to object).

d. Employees and agents are informed in a clear and comprehensible manner about the client's instructions and the permissible processing framework and instructed accordingly. Separate information and instruction are not required if compliance with the permissible framework can be reliably expected anyway, e.g. due to other agreements or company practice.

e. Compliance with instructions from the client and the permissible framework for the processing of personal data by employees and agents is checked at appropriate intervals.

f. The deletion periods applicable to the processing of the Customer's personal data are documented separately within the deletion concept of the Processor, if necessary.

g. Necessary evaluations and analyses of the processing of the Customer's personal data are carried out anonymously (i.e. without any reference to a person) or at least pseudonymously in accordance with Art. 4 No. 5 GDPR (i.e. in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, whereby the additional information is stored separately and is subject to technical and organizational measures that ensure that the personal data cannot be attributed to an identified or identifiable natural person).

h. The personal data of the Client are processed physically separately from data of other processing operations of the Processor.

i. The personal data of the Customer are processed logically separately from data of other processing procedures of the Processor and are protected against unauthorized access or linkage or intersection with other data (e.g. in different databases or by appropriate attributes).

 

Ensuring the integrity and availability of data and the resilience of processing systems

Measures are in place to ensure that personal data is protected against accidental destruction or loss and can be restored expeditiously in the event of an emergency.

a. Fail-safe server systems and services are used that are redundant (duplicated or multiple instances).

b. The availability of the data processing systems is permanently monitored and controlled, in particular for availability, errors and security incidents.

c. Personal data is stored with external hosting providers. The hosting providers are carefully selected and meet state-of-the-art requirements with regard to protection against damage caused by fire, moisture, power failures, disasters and unauthorized access, as well as data backup, patch management and building security.

d. Personal data is processed on data processing systems that are subject to regular and documented patch management, i.e., in particular, that are regularly updated.

e. The server systems used for processing have protection against Denial of Service (DoS) attacks.

f. The server systems used for processing have an uninterruptible power supply (UPS) that is adequately protected against failures and ensures a controlled shutdown in emergencies without loss of data.

g. The server systems used for processing have adequate fire protection (fire and smoke alarm systems as well as corresponding fire extinguishing devices or equipment).

h. Server systems are used that have protection against moisture damage (e.g. moisture detectors).

i. Server systems and services are used that maintain a backup system at other locations where current data is kept, thus providing a running system even in the event of a disaster.

j. The client's data sets are protected from accidental modification or deletion by the system (e.g., through access restrictions, security prompts, and backups).

k. Server systems and services are used that have an adequate, reliable, and controlled backup & restore policy.

l. Restore tests are performed regularly at appropriate intervals to verify that backups can actually be restored (data integrity of backups).

Appendix: Sub-processors

The Processor shall use the following sub-processors in the course of processing data for the Customer:


A.           Company:

- Microsoft Office 365

Purpose of processing

Use of Microsoft Azure as provider on the backend side.

Categories of personal data

Inventory data, content data, usage data

Legal basis

Execution of the contract, Art. 6 para. 1 lit. b DSGVO

Storage period

User data is stored for up to 1 year after removal of the last license.

Involved subcontractors

Microsoft, Redmond WA, USA


B.            Company:

- Stripe Inc.

Purpose of processing

Payment and User Account as well as VAT Verification

Categories of personal data

Inventory data, content data, usage data

Legal basis

Execution of the contract, Art. 6 para. 1 lit. b DSGVO

Storage period

User data is stored for up to 1 year after removal of the last license.

Involved subcontractors

Stripe Inc., Dublin, Ireland


- If the Contractor engages third parties (e.g. subcontractors) who participate in the Contractor's commissioned processing and who may gain knowledge of the professional secrets, the Contractor shall oblige the third parties in accordance with its own obligation in this section "Maintaining professional secrecy" of this Agreement at least in text form. Furthermore, the Contractor shall inform the third parties of their obligations and, if the Contractor has been instructed in this respect within the scope of this section, also of the criminal liability of the violation of the professional secrecy. Irrespective of the above obligation, the Customer must have permitted the use of third parties. The Customer shall instruct the Contractor as a precaution that the involvement of third parties may result in a prison sentence of up to one year or a fine if a third party breaches confidentiality and the Contractor at the same time has not ensured that the third party has been obliged to maintain confidentiality (Sections 203 (1), (4) sentence 2 no. 2 of the German Criminal Code). The threat of punishment is increased to imprisonment for up to two years or a fine if the perpetrator acts with the intention of enrichment, even if it should exist for the benefit of a third party, or has the intention of damaging another person through the act.

- The processing may take place in third countries, provided that the special requirements of Art. 44 et seq. DSGVO are met, i.e. in particular a) the EU Commission has determined an adequate level of data protection; b) on the basis of effective standard contractual clauses (SCC); or c) on the basis of recognized binding internal data protection regulations.

- Insofar as an action of the Processor leads to a disruption, data protection breach or irregularity in the Processing, the Customer shall not bear any costs for the support actions of the Processor necessarily resulting therefrom.

- The personal data processed within the scope of the order shall be transmitted in end-to-end encrypted form, unless otherwise instructed by the Customer.