Data Processing Agreement
Welcome to our website and thank you for your interest. Below you will find the latest version of our data processing agreement.
Last edited: January 2024
This agreement is concluded in compliance with the German Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR) as well as all other relevant data protection regulations. This agreement is governed by the current version of the applicable legal provisions.

This agreement concerns the collection, processing and use of personal data within the meaning of the BDSG and GDPR by the contractor on behalf of the client ("order processing"). Personal data is individual information about personal or factual circumstances of an identified or identifiable natural person ("data subject"). The Agreement relates to the commissioned processing of personal data ("commissioned data").

Against this background, the parties agree the following:
1. Object and duration of the order
- Subject matter
The main object of the data handling contract is the performance of the following tasks by the contractor:
Data generation and transmission for customer target market analysis and for the subsequent acquisition of new customers.
The duration of this order (term) corresponds to the term of the service agreement.
2. Specification of the order content
1. Nature and purpose of the intended processing of data
In order to fulfill the Contractor's obligations under the main contract, the preparation of aggregated overviews and evaluations of the use of the Contractor's services and, if necessary, the migration of existing data, personal data from the Client's sphere of control shall be processed in full by the Contractor within the meaning of Art. 4 No. 2 GDPR, in particular, to the extent necessary, collected, stored, modified, read out, queried, used, disclosed, compared, linked and deleted.
In particular, personal data is used for
- The application/registration for our service
- Invitations to a workspace
- The link to a workspace incl. billing via Stripe
- Import from the CRM to create tasks for the owner of an account
Other client-specific data that is used for service creation:
- Accounts from the CRM to implement the linking of tasks in the CRM
- URLs on which the extension is used
2. Place of the data processing
The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.
3. Type of data
The subject of the processing of personal data is the following data types/categories:
- Personal master data
- Address data
- Communication data
- Connection data
- Usage data
4. The following categories of persons are affected by these regulations: Interested parties, customers, cooperation partners, suppliers, applicants, employees and other third parties.
3. Technical and organizational measures
- The contractor must establish security in accordance with Art. 28 para. 3 lit. c) and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account [details in Annexes 1 and 2].
- The technical and organizational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes must be documented.
4. Correction, restriction and deletion of data
- The Contractor may not rectify, erase or restrict the processing of data processed on behalf of the Client without authorization, but only in accordance with documented instructions from the Client. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay.
- If included in the scope of services, the deletion concept, right to be forgotten, rectification, data portability and information are to be ensured directly by the contractor in accordance with documented instructions from the client.
- If agreed, the Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects in accordance with Chapter III of the GDPR, as well as in complying with the obligations set out in Art. 32 to 36 GDPR.
- The client is solely responsible for assessing the permissibility of the processing in accordance with Art. 6 para. 1 GDPR and for safeguarding the rights of the data subjects in accordance with Art. 12 to 22 GDPR. If a data subject asserts rights, such as the right to information, correction or deletion of their data, directly against the contractor, the contractor will forward this request to the client and await the client's instructions. The contractor will not contact the data subject without corresponding individual instructions.
5. Quality assurance and other obligations of the contractor
In addition to complying with the provisions of this contract, the Contractor has legal obligations pursuant to Art. 28 to 33 GDPR; in this respect, the Contractor guarantees compliance with the following requirements in particular:
a. Written appointment of a data protection officer who performs his or her duties in accordance with Art. 38 and 39 GDPR. You can contact our data protection officer at the following e-mail address email@example.com. The client must be informed immediately of any change of data protection officer.
b. Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b), 29, 32 para. 4 GDPR. When carrying out the work, the Contractor shall only use employees who have been obliged to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the powers granted in this contract, unless they are legally obliged to process it.
c. The implementation of and compliance with all technical and organizational measures required for this order in accordance with Art. 28 para. 3 sentence 2 lit. c), 32 GDPR [details in Annex 1].
d. The Client and the Contractor shall cooperate with the supervisory authority in the performance of their tasks upon request.
e. Immediate information of the client about control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the processing of personal data in the context of administrative offense or criminal proceedings relating to the processing of personal data by the contractor.
f. If the Client is subject to an inspection by the supervisory authority, administrative offense or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability.
g. The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
h. Verifiability of the technical and organizational measures taken vis-à-vis the client within the scope of its control powers pursuant to Section 7 of this contract.
i. The Contractor shall take appropriate measures in accordance with the Client's instructions to prevent further unlawful access by third parties and/or to prevent further damage to the data subjects. Pending any instructions from the Client, the Contractor shall take all measures necessary to secure data and minimize damage.
j. The Contractor shall support the Client in complying with its legal obligations, in particular obligations regarding the security of personal data, reporting obligations in the event of data breaches, information obligations towards data subjects and supervisory authorities, data protection impact assessments and prior consultations. The same shall also apply if the Client is subject to an inspection by the supervisory authority, misdemeanor or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing. Upon request, the Contractor shall provide the Client with a copy of the list of all processing activities to be drawn up by the Contractor in accordance with the relevant statutory provisions.
k. The Contractor shall inform the Client immediately if it becomes aware of any breaches of the protection of the Client's personal data. The Contractor shall take the necessary measures to secure the data and to mitigate possible adverse consequences for the persons concerned and shall consult with the Client without delay.
6. Subcontracting relationships
1. Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service. This does not include ancillary services which the Contractor uses, e.g. telecommunications services, postal/transport services, maintenance and user services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure the data protection and data security of the Client's data, even in the case of outsourced ancillary services.
2. The Contractor may only commission subcontractors (other processors) with the prior express written or documented consent of the Client.
☐ Subcontracting is not permitted.
☒ The client agrees to the commissioning of the following subcontractors, subject to the condition of a contractual agreement in accordance with Art. 28 para. 2-4 GDPR:
Subcontractor, Address/Country, Type of service:
- Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin D02 H210, Ireland: Subscription management, billing & payment services
- Auth0 (by Okta), 100 1st Street, Suite 600, San Francisco, California 94105, United States: Authentication & login services
- Powerplay GmbH (Cello.so), Philipp-Loewenfeld-Str. 19, 80339 Munich, Postbox 786799 11516 Berlin: Referral & bonus program
- Heroku (a Salesforce Company), SALESFORCE, 415 Mission Street, Suite 300, San Francisco, CA 94105: Server & data hosting (Location: Frankfurt a.M.)
- AWS (through Heroku), Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States: Server & data hosting (Server location: Frankfurt a.M./Europe West)
Outsourcing to subcontractors or the replacement of an existing subcontractor is permitted, provided that
- the Contractor notifies the Client of such outsourcing to subcontractors at least 2 weeks in advance in writing or in text form and
- the client does not object to the planned outsourcing in writing or in text form to the contractor by the time the data is handed over and
- a contractual agreement in accordance with Art. 28 para. 2-4 GDPR is used as a basis.
3. The transfer of the client's personal data to the subcontractor and the subcontractor's initial activities are only permitted once all requirements for subcontracting have been met.
4. If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure the admissibility under data protection law by taking appropriate measures. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.
5. Further outsourcing by the subcontractor
☐ is not permitted;
☒ requires the express consent of the main client (at least in text form);
☐ requires the express consent of the main contractor (at least in text form); all contractual provisions in the contractual chain must also be imposed on the additional subcontractor.
7. Control rights of the client
- The Client shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be named in individual cases. It shall have the right to satisfy itself of the Contractor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.
- The Contractor shall ensure that the Client can satisfy itself of the Contractor's compliance with its obligations under Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
- Proof of such measures, which do not only concern the specific order, can be provided by, for example:
- compliance with approved codes of conduct in accordance with Art. 40 GDPR
- certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR
- current attestations, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors)
- suitable certification through an IT security or data protection audit (e.g. in accordance with BSI basic protection).
8. Notification of violations by the contractor
1. The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes, among other things:
a. ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach through security vulnerabilities and enable the immediate detection of relevant breach events;
b. the obligation to report personal data breaches to the client without delay;
c. the obligation to support the client within the scope of its duty to inform the data subject and to provide it with all relevant information in this context without delay;
d. the support of the client for its data protection impact assessment;
e. supporting the client in the context of prior consultations with the supervisory authority.
2. In the event of breaches of protection, the responsible party can be notified via the usual (electronic, telephone) communication channels, and the fastest possible exchange of information is ensured in view of the reporting obligations.
9. Liability
- The Contractor shall be liable to the Client for ensuring that the subcontractor complies with the data protection obligations contractually imposed on it by the Contractor in accordance with this section of the contract. The provisions of Art. 82 GDPR apply to liability.
- The Contractor, its legal representatives or vicarious agents shall not be liable for slight negligence. However, this exclusion of liability for slight negligence shall not apply in the event of a breach of a material contractual obligation (cardinal obligation). Cardinal obligations or essential contractual obligations are those obligations of the contractor whose fulfillment is essential for the proper execution of this specific contract and on whose compliance the customer may regularly rely; i.e. obligations whose breach would jeopardize the achievement of the purpose of the contract.
- The parties shall indemnify each other against liability if a party proves that it is not responsible in any respect for the circumstance that caused the damage to a party concerned. This shall apply accordingly in the event of a fine imposed on a party, whereby the indemnification shall be made to the extent that the other party bears a share of the responsibility for the infringement sanctioned by the fine.
10. Authority of the client to issue instructions
The client alone has the authority to make decisions and issue instructions for order processing. The contractor shall act solely on behalf of and in the interests of the client. The responsibility for compliance with data protection law and the lawfulness of the commissioned processing as well as for safeguarding the rights of the data subjects lies with the client.
The Contractor shall carry out the commissioned processing exclusively within the framework of the agreement and in accordance with the written instructions of the Client, which shall take precedence, unless there is a legal obligation to process. The Client shall confirm verbal instructions in writing without delay. The Contractor shall not be entitled to make statements to the data subjects without the prior written consent of the Client. In the event of a legal obligation, the Contractor shall inform the Client of this obligation prior to processing.
The Contractor may not correct, delete or restrict the processing of the order data on its own authority, but only following written instructions from the Client. The Contractor shall immediately inform the Client in writing of all requests and complaints from the data subjects and support the Client in safeguarding the rights of the data subjects, e.g. by notifying them, providing information or correcting, blocking and deleting order data.
The parties shall comply with the relevant data protection regulations within the scope of order processing. If the Contractor is of the opinion that an agreement or instruction violates data protection regulations, it shall inform the Client of this immediately in writing. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.
1. The client shall confirm verbal instructions without delay (at least in text form).
2. The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.
11. Deletion and return of personal data
- Upon completion of the provision of the processing services, the processor must either delete or return all personal data at the controller's discretion and delete the existing copies, unless there is an obligation to store the personal data under Union law or the law of the Member States.
- Copies or duplicates of the data are not created without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data required to comply with statutory retention obligations.
- Documentation that serves as proof of proper data processing in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand them over to the Client at the end of the contract in order to discharge the Client.
- The Client and the Contractor agree to exclude the civil-law right of retention pursuant to Section 273 of the German Civil Code (BGB) with respect to processed personal data and data carriers in the event of contractual or service disruptions.
12. Confidentiality
The Contractor shall keep the information and documents received as part of the order processing, in particular the order data, strictly confidential ("business and trade secrets"). The confidentiality obligations shall continue to apply indefinitely even after termination of this agreement.
The Client shall be obliged to treat as confidential all knowledge of business secrets and data security measures of the Contractor acquired in the course of the contractual relationship. This obligation shall remain in force even after termination of this contract.
The confidentiality obligation shall not apply or shall cease to apply if the information and documents were already known to the public or to the Contractor upon conclusion of this agreement or become known to the public after conclusion of this agreement, without the Contractor being at fault, or become known to the Contractor through a third party, provided that the third party does not violate its own confidentiality obligation when handing over the information. The burden of proof for these facts lies with the Contractor.
13. Duty to inform, written form clause, choice of law
- Should the Client's data be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures by third parties, the Contractor shall inform the Client of this immediately. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the controller within the meaning of the General Data Protection Regulation.
- Amendments and supplements to this Annex and all its components - including any assurances made by the Contractor - require a written agreement, which may also be made in an electronic format (text form), and an express reference to the fact that it is an amendment or supplement to these Terms and Conditions. This also applies to the waiver of this formal requirement.
- In the event of any contradictions, the provisions of this annex on data protection shall take precedence over the provisions of the contract. Should individual parts of this Annex be invalid, this shall not affect the validity of the rest of the Annex.
- German law applies.
14. Miscellaneous / General provisions
Amendments and supplements to this Annex and all its components, including any assurances given by the Contractor, shall require a written agreement and an express reference to the fact that this is an amendment or supplement to these Terms and Conditions. This also applies to the waiver of this formal requirement.
The place of jurisdiction is Münster.
Appendix 1 - Technical and organizational measures
1. Measures to ensure confidentiality
1. Physical access control (physical access protection)
- Existence of an access authorization concept.
- There is a key regulation / key concept.
- Accompaniment of visitor access by own employees.
- Separately secured access to server environments or the data center.
2. System access control (unauthorized access to and use of IT systems by unauthorized persons must be prevented).
- Use of suitable network encryption.
- Password protection of computer workstations.
- Use of individual passwords or prevention of group passwords.
- Automatic password-protected locking of the screen after inactivity (screen saver).
- Automatic blocking of user accounts after multiple incorrect password entries.
- Use of a password policy that requires secure password complexity.
- Process for assigning rights when new employees join the company.
- Process for revoking rights when employees change departments.
- Process for revoking rights when employees leave the company.
- Use of suitable encryption of the networks.
3. Data access control (unauthorized activities in IT systems outside of granted authorizations must be prevented).
- Definition of access authorization / use of an authorization concept.
- Definition of authorization for data entry, modification and deletion.
- Regular review of authorizations.
- Logging of file accesses.
- Logging of file deletions.
- Logging of file changes.
- Use of a firewall including spam protection.
- Option to encrypt order-related / individual files.
4. Order control (it must be ensured that service providers who process data on behalf of the client only process data in accordance with the client's instructions).
- Contract design of order processing in accordance with legal requirements (Art. 28 GDPR).
- Relevant processing only takes place after the data processing agreement has been concluded.
- Central recording of existing service providers and processors.
- Checks of technical and organizational measures are carried out before processing begins.
5. Separation control (it must be ensured that data collected for different purposes, persons and companies can be processed separately).
- Separation of customers (multi-client capability of the systems used).
- Logical data separation (e.g. based on customer or client numbers) in databases.
- Authorization concept that takes into account the separate processing of customer data and data from other customers.
- Separation of development, test and production systems.
2. Measures to ensure integrity
1. Transfer control (aspects of the transfer (transmission) of personal data must be regulated: electronic transmission, data transport and its control).
- There is a secure method of sending data between the client, contractor and third parties.
- Data is exchanged via SSL (https) encryption.
- Use of document shredders (shredder according to DIN 66399).
- Documentation of the locations to which data is to be transmitted and the transmission channels.
2. Input control (traceability and documentation of data management and maintenance must be ensured).
- Labeling of recorded data.
- Logging of entries/deletions.
3. Measures to ensure availability
1. Availability control (the data must be protected against accidental destruction or loss).
- Data backup and recovery concepts are in place.
- Regular implementation of the data backup and recovery concepts.
- Access to server rooms restricted to necessary personnel.
- Fire alarm systems in server rooms or in the data center.
- Smoke detectors in server rooms or in the data center.
- Waterless fire suppression systems in server rooms or in the data center.
- Air-conditioned server rooms.
- Lightning/overvoltage protection.
- Server rooms in separate fire compartment.
- Accommodation of backup systems in separate rooms and fire compartment.
- Disaster or emergency plan (e.g. water, fire, explosion, threat of attack, crash, earthquake).
- UPS system (uninterruptible power supply).
- Use of a power generator in the event of power failures.
4. Measures to ensure resilience
1. Resilience and reliability check
- Backup data centers / servers are available.
- Redundant data connection.
- Data storage on RAID systems (RAID 1 and higher).
- Communication channel with manufacturers to find out about new updates and patches that have been released for the devices in use.
- Definition of periods in which the updates are to be implemented (e.g. periods of lower operations, maintenance periods, etc.).
- Defining a test period to check the correct implementation of the update and ensure that operations continue to run smoothly with the new updates.
- Limiting authorizations to only those required.
5. Measures for regular review, assessment and evaluation
1. Control procedure
- Notification of new/changed data processing procedures to the data protection officer.
- Processes for reporting new/changed procedures are documented.
- Security measures taken are subject to regular internal monitoring.
- A process is in place to prepare for security breaches (attacks) and system malfunctions and to identify, contain, eliminate and recover from them (incident response process).
- A data protection management system is used.
These technical and organizational measures are audited by Keyed GmbH on an ongoing basis at regular intervals.