Data Security

Last Update: 22nd of April 2024

  1. Subject matter and term of the DPA

    1.1 Subject matter

    • 1.1.1 The subject of the DPA results from the Terms of Use concluded between the Processor and the Controller on the provision of the Application Beam (hereinafter referred to as "Main Contract").

    1.2 Term

    • 1.2.1 The term of this DPA is determined by the term of the Main Contract. The right to terminate this DPA without notice for good cause shall remain unaffected. Terminations must be made in writing to be effective. Data processing under this DPA may only be carried out outside the European Union and the European Economic Area if the data protection requirements of Article 44 et seq. GDPR are fulfilled.


  2. Specification of the scope of the DPA

    2.1 Nature and purpose of the intended processing of data

    • 2.1.1 The Controller's data shall be processed by the Processor for the purpose of executing the Main Contract.

    2.2 Type of data and categories of data subjects

    • 2.2.1 The subject of the processing of personal data are the types/categories of data specified in Annex 1 and the categories of persons specified therein.

  3. Technical and organizational measures

    3.1 The Processor shall establish security pursuant to Articles 28 (3) (c) and 32 GDPR, in particular in connection with Article 5 (1), (2) GDPR.

    3.2 The Processor has documented the implementation of the required technical and organizational measures before the start of the processing, in particular with regard to the specific execution of the DPA in Annex 2. The Controller agrees with the measures listed in Annex 2 and has accepted them as appropriate. Insofar as the inspection/audit of the Controller reveals a need for adaptation, the necessary adaptations shall be implemented amicably.

    3.3 The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor shall be permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes shall be documented.

    3.4 Processing of data by employees of the Processor outside the Processor's premises (mobile working) is permitted. The Controller acknowledges that in these cases the technical and organizational measures described in Annex 2 do not fully fit. However, the Processor warrants that it shall also take appropriate technical and organizational measures for the data processing under this DPA outside its own business premises. The Processor shall present the company's own guideline on mobile working to the Controller at the latter's request.

  4. Rectification, restriction and erasure of data

    4.1 The Processor may not rectify, erase, or restrict the processing of data processed under this DPA on its own authority, but only in accordance with the instructions of the Controller. In the event that a data subject contacts the Processor directly in order to assert the right of rectification, erasure or restriction, the Processor shall forward the request to the Controller.


  5. Quality assurance and other obligations of the Processor

    5.1 In addition to compliance with the provisions of this DPA, the Processor has statutory obligations pursuant to Articles 28 to 33 of the GDPR; in this respect, the Processor shall in particular ensure compliance with the following requirements:

    • 5.1.1 The Processor is aware that the Processor may process company data requiring special confidentiality and, if applicable, also business secrets of the Controller. When performing the processing, the Processor shall therefore only employ employees who have been obligated to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Processor shall inform its employees of the extraordinarily confidential nature of such data and shall sensitize and train all employees accordingly. The Processor and any person under its control who has access to personal data may process such data exclusively in accordance with the Controller's instructions, including the authorizations granted in this DPA, unless they are required by law to process it. The further-reaching confidentiality obligations pursuant to Section 9 shall remain unaffected.

    • 5.1.2 The Controller and the Processor shall, upon request, cooperate with the supervisory authority in the performance of duties.

    • 5.1.3 The Controller shall be informed without undue delay about control actions and measures of the supervisory authority, insofar as they relate to this DPA. This shall also apply insofar as a competent authority investigates in the context of administrative offense or criminal proceedings with regard to the processing of personal data within the framework of this DPA on the part of the Processor.

    • 5.1.4 To the extent that the Controller is subject to an inspection by the supervisory authority, administrative or criminal proceedings, a liability claim of a data subject or a third party or any other claim in connection with the processing of personal data by the Processor on behalf of the Controller, the Processor shall support the Controller with best efforts.

    • 5.1.5 The Processor shall regularly monitor the internal processes as well as the technical and organizational measures to ensure that the processing in the Processor's area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subjects is ensured.

    5.2 The Processor shall support the Controller in complying with the obligations stipulated in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. This includes, but is not limited to the obligation to:

    • 5.2.1 Ensure an adequate level of data protection by technical and organizational measures that address the circumstances and purposes of the processing, as well as the predicted probability and severity of a potential security breach, and allow an immediate detection of relevant incidents.

    • 5.2.2 Report personal data breaches to the Controller without undue delay

    • 5.2.3 Support the Controller in fulfilling the Controller's obligation to provide information to the data subject, and provide the Controller with all relevant information in this context without undue delay

    • 5.2.4 Support the Controller in data protection impact assessments

    • 5.2.5 Support the Controller in prior consultations with the supervisory authority.

    5.3 For support services that are not agreed in the Main Contract or are due to misconduct by the Processor, the Processor may claim reasonable compensation.


  6. Sub-Processors

    6.1 “Sub-Processors” within the meaning of this provision are service providers rendering services that relate directly to the performance of the main service under this DPA. Not covered by the term Sub-Processor are service providers providing ancillary services to the Processor, e.g. telecommunications services, mail/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor shall be obligated to implement appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Controller's data even in the case of outsourced ancillary services.

    6.2 The Controller agrees to the commissioning of the Sub-Processors listed in Annex 3, provided that a contractual agreement is concluded between Processor and the respective Sub-Processor in accordance with Article 28 (2) to (4) of the GDPR.

    6.3 The outsourcing of data processing to further Sub-Processors or the change of the commissioned Sub-Processors shall be permitted, provided that:

    • 6.3.1 The Processor notifies the Controller of the outsourcing to Sub-Processors in writing or in text form within a reasonable period of time in advance

    • 6.3.2 The Controller does not object in writing and

    • 6.3.3 A contractual agreement in accordance with Article 28 (2) to (4) of the GDPR is used as a contractual basis.

    6.4 The objection according to section 6.3.2 must be made within a period of one month after the information has been provided. In the event of an objection, the Controller shall bear the consequences (e.g. subjective impossibility of performance) and any additional costs resulting from the fact that the Sub-Processor cannot be commissioned. If the Processor cannot provide the service agreed in the Main Contract due to the objection or can only do so at economically unreasonable expense, the Processor shall have an extraordinary right of termination.

    6.5 The transfer of personal data of the Controller to the Sub-Processor and the Sub-Processor's initial engagement shall only be permitted after all requirements for the outsourcing of data processing to Sub-Processors have been met.

    6.6 In the event that the Sub-Processor provides the agreed service outside the EU/EEA, the Processor shall ensure that the service provided by the Sub-Processor is compliant with data protection law by taking appropriate measures. The same shall apply in the event that service providers rendering ancillary services within the meaning of Section 6.1 shall be assigned.

    6.7 Further outsourcing by the Sub-Processor is only permitted within the scope of the statutory provisions.


  7. Control rights of the Controller

    7.1 The Controller shall have the right, in consultation with the Processor, to carry out inspections at the Processor's business premises or to have inspections carried out by inspectors to be named in individual cases. The Controller shall have the right to convince itself of the Processor's compliance with this DPA in the Processor’s business premises during business hours by means of spot checks, which must be notified at least four weeks in advance. Such inspections shall take place no more than once a year.

    7.2 The Processor shall ensure that the Controller can convince itself of the Processor's compliance with its obligations pursuant to Art. 28 of the GDPR. The Processor undertakes to provide the Controller with the necessary information upon request and, in particular, to provide evidence of the implementation of the contractually agreed technical and organizational measures.

    7.3 The proof of those measures, not only relating to the specific data processing under this DPA, can be provided by

    • 7.3.1 Compliance with approved codes of conduct pursuant to Article 40 GDPR

    • 7.3.2 Certification in accordance with an approved certification procedure pursuant to Article 42 GDPR

    • 7.3.3 Current attestations, reports or excerpts of reports from independent organizations (e.g. auditors, data protection officers, IT security departments, data protection auditors, quality auditors)

    • 7.3.4 Suitable certification by IT security or data protection audit (e.g., in accordance with the standards for IT security of the Federal Office for Information Security).

    7.4 The Processor may claim reasonable remuneration for enabling the Controller to carry out inspections.


  8. Authorization of the Controller to issue instructions

    8.1 The Controller shall immediately confirm verbal instructions at least in text form (documented instruction). The Controller may not derive any claim from instructions that have not been confirmed in text form in due time.

    8.2 The Processor shall notify the Controller in the event that the Processor is of the opinion that an instruction violates data protection regulations. The Processor shall be entitled to suspend the execution of the relevant instruction until the instruction has been confirmed or amended by the Controller.

    8.3 The Processor shall be obliged to treat as confidential all knowledge of personal data, business secrets and data security measures of the Controller obtained within the framework of the contractual relationship.

  9. Confidentiality

    9.1 The Processor shall be obliged to obtain knowledge of confidential information only to the extent that this is necessary for the fulfilment of its tasks vis-à-vis the Controller. Insofar as the Processor employs employees or service providers for the performance of the contract, the Processor shall impose the same obligations from this DPA on these persons. Corresponding declarations shall be submitted to the Controller upon Controller’s request. The Processor may also submit sample declarations, provided that the submission of all submitted declarations is disproportionate for legal or factual reasons in the individual case and provided that the Processor assures in writing that all relevant employees / service providers have been obligated in accordance with this sample. Section 6 and in particular Section 6.1 shall remain unaffected in any case.

    9.2 Insofar as a confidentiality obligation has already been agreed between the Controller and the Processor in the Main Contract or elsewhere, the provisions on confidentiality from this Section 9 shall apply in addition to that confidentiality obligation. In the event of a conflict regarding a particular situation, the stricter provision shall apply to the Processor.

    9.3 The obligation to maintain confidentiality set forth in this Section 9 shall continue to apply for an unlimited period of time after the end of the contractual relationship.

  10. Erasure and return of personal data

    10.1 Copies or duplicates of the data shall not be created without the knowledge of the Controller. This shall not apply to backup copies to the extent that they are required to ensure proper data processing as well as data processing that is required to comply with statutory retention obligations.

    10.2 After completion of the contractually agreed services or earlier upon request by the Controller - at the latest upon termination of the Main Contract - the Processor shall be obliged to return to the Controller or, after prior consent, destroy in accordance with data protection law all documents, processing and utilization results created, as well as data files related to the contractual relationship that have come into its possession. The same shall apply to test and reject material. The record of erasure shall be submitted upon request.

    10.3 Documentation which serves as proof of the proper data processing in accordance with this DPA shall be kept by the Processor beyond the term of the DPA in accordance with the respective retention periods. The Processor may hand them over to the Controller at the end of the term of the DPA to relieve the Processor.

  11. Liability

    11.1 In the event that claims for damages within the meaning of Article 82 of the GDPR, fines within the meaning of Article 83 of the GDPR and/or other sanctions within the meaning of Article 84 of the GDPR are threatened or imposed against a Party in connection with the processing activities covered by this DPA, that respective Party shall inform the other Party thereof in text form without undue delay. The Controller and Processor are obliged to support each other in the defense against the aforementioned claims.

    11.2 The Controller and the Processor shall be liable for the data processing in the external relationship in accordance with the relevant laws. The liability in the internal relationship between the Controller and the Processor shall be governed by the provisions of the Main Contract.

  12. Final provisions

    12.1 The provisions of this DPA shall only apply to the processing of personal data pursuant to Article 28 GDPR and take precedence over any conflicting or deviating provisions from the Main Contract to this extent.

    12.2 All amendments to this DPA must be made in writing. This shall also apply to any amendment of this written form clause. The written form may also be complied with by means of an exchange of letters (with the exception of notices of termination) or by means of electronically transmitted signatures (fax, transmission of scanned signatures via email). However, Section 127 (2) and (3) German Civil Code (“BGB”) shall not apply in all other respects.

Annex 1: Categories of data subjects and categories of personal data

a) Categories of data subjects

  • Employees of the Controller

  • Shareholders and Board Members of the Controller

b) Order-related data

All customer-specific data that are necessary for the fulfillment of the main order

Annex 2: Technical and organizational measures


Confidentiality

a) Physical access control

No unauthorized access to data processing systems, ensured by:

  • Magnetic or chip cards

  • Electric door opener

  • Security or gatekeeper

  • Alarm systems

  • Video systems

b) System access control

No unauthorized system use, ensured by:

  • (Secure) passwords

  • Two-factor authentication

c) Data access control

No unauthorized reading, copying, modification or removal within the system, ensured by:

  • Authorization concepts

  • Needs-based access rights

  • Logging of accesses

d) Separation control

Separate processing of data collected for different purposes, ensured by:

  • Multi-client capability

  • Sandboxing

e) Pseudonymization

The processing of personal data in a way that the data can no longer be attributed to a specific data subject without recourse to additional information, provided that such additional information is stored separately and is subject to appropriate technical and organizational measures.

Integrity

a) Transfer control

No unauthorized reading, copying, modification or removal during electronic transmission or transport, ensured by:

  • Encryption

  • Virtual Private Networks (VPN)

  • Electronic signature

b) Input control

Determining whether and by whom personal data have been entered into data processing systems, modified or removed, ensured by:

  • Logging

  • Document Management


Availability and resilience

a) Availability control

Protection against accidental or wilful destruction or loss, ensured by:

  • Backup strategy (online/offline; on-site/off-site)

  • Uninterruptible power supply (UPS)

  • Virus protection

  • Firewall

  • Reporting channels

  • Emergency plans

b) Rapid recoverability

Rapid recoverability, ensured by:

  • Regular backups and appropriate backup strategy (online / offline; on-site/off-site).


Procedures for regular review, assessment and evaluation

a) Data protection management

b) Incident Response Management

c) Privacy-friendly default settings

d) Contract control

No data processing within the meaning of Articles 4 (8) and 28 GDPR without corresponding instructions from the Controller, ensured by:

  • Clear contract design

  • Formalized management

  • Strict selection of the service provider

  • Obligation to verify the service provider in advance

  • Follow-up inspections

Annex 3: Sub-Processors

The Controller agrees to the commissioning of the Sub-Processors listed in this Annex 3, provided that a contractual agreement is concluded between the Processor and the respective Sub-Processor in accordance with Article 28 (2) – (4) of the GDPR.

  • Amazon Web Services - Cloud hosting (Standard)

  • Pinecone - Managed VectorDB (Standard)

  • Google Cloud Platform - Single Sign-On (Standard)

  • Azure OpenAI Service - Private OpenAI Model Deployments (Standard)