This agreement applies to the following platforms:
"InPrivy" – inprivy.io
"eniston" – eniston.io
"FeatureShift" – featureshift.com
"Hyperlynk" – hyperlynk.io
"Usertally" – usertally.com
"Deftform" – deftform.com
"Releases" – releasesapp.com
The following General Terms and Conditions for Commissioned Processing pursuant to Art. 28 para. 3 GDPR (DSGVO) (hereinafter "GTC-OPC") specify the data protection obligations arising from a service contract concluded between the responsible party (hereinafter gender-neutral "Principal") and ivy.mayhem GmbH, represented by Managing Director Andreas Mühe, Hohe Bleichen 22, 20354 Hamburg, Germany (hereinafter gender-neutral "Contractor", together with the Principal also "Parties") according to clause 2.1. (hereinafter "Main Contract").
2.1. In the course of rendering services as per the Main Agreement of the General terms and conditions with customer information dated June 19th 2023 available under this link (hereinafter referred to as “Main Agreement”), it is necessary that the Supplier deals with personal data with regard to which the Customer acts as a controller in terms of data protection law (hereinafter referred to as “Customer Data”). This agreement specifies the data protection obligations and rights of the parties in connection with the Supplier’s use of Customer Data to render the services under the Main Agreement.
2.2. The Supplier shall process the Customer Data on behalf and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR (Processing on Behalf). The Customer remains the controller in terms of data protection law.
2.3. The processing of Customer Data by the Supplier occurs in the manner and the scope and for the purpose determined in Annex 1 (“Subject-Matter of the Processing“) to this Agreement; the processing relates exclusively to the types of personal data and categories of data subjects specified therein. The duration of processing corresponds to the term of the Main Agreement.
2.4. The Supplier reserves the right to anonymize or aggregate the Customer Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of needs-based designing, developing and optimizing as well as rendering of the services agreed as per the Main Agreement. The parties agree that anonymized and according to the above requirement aggregated Customer Data are not considered Customer Data for the purposes of this agreement.
2.5. The Supplier may process and use the Customer Data for his own purposes as controller to the extent legally permitted by data protection law, if permitted by a statutory permission or consent by the data subject. This Agreement does not apply to such data processing.
2.6. The processing of Customer Data by the Supplier shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Supplier is nevertheless permitted to process Customer Data in accordance with the provisions of this agreement outside the EEA if he informs the Customer in advance about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.
3.1. The Supplier processes the Customer Data in accordance with the instructions of the Customer, unless the Supplier is legally required to do otherwise. In the latter case, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2. The instructions of the Customer are in principle conclusively stipulated and documented in the provisions of this agreement. Individual instructions which deviate from the stipulations of this agreement or which impose additional requirements shall require the Supplier’s consent and shall be made in accordance with the change request procedure laid down in the Main Agreement, in which the instruction shall be documented and any additional costs incurred by the Supplier as a result thereof shall be borne by the Customer.
3.3. The Supplier shall ensure that the Customer Data is processed in accordance with the instructions given by the Customer. If the Supplier is of the opinion that an instruction given by the Customer infringes this agreement or applicable data protection law, he is entitled, after informing the Customer accordingly, to suspend the execution of the instruction until the Customer confirms the instruction. The parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Customer.
4.1. The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the parties. Should third parties assert claims against the Supplier based on the processing of Customer Data in accordance with this agreement, the Customer shall indemnify the Supplier from all such claims upon first request.
4.2. The Customer is responsible for providing the Supplier with the Customer Data in time for the rendering of services according to the Main Agreement and is responsible for the quality of the Customer Data. The Customer shall inform the Supplier immediately and completely if, during the examination of the Supplier’s results, he finds errors or irregularities with regard to data protection provisions or his instructions.
4.3. On request, the Customer shall provide the Supplier with the information specified in Art. 30 para. 2 GDPR, insofar as it is not available to the Supplier himself.
4.4. If the Supplier is required to provide information to a governmental body or person on the processing of Customer Data or to cooperate with these bodies in any other way, the Customer is obliged at first request to assist the Supplier in providing such information and in fulfilling other cooperation obligations.
The Supplier shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.
6.1. The Supplier shall take the necessary and appropriate technical and organizational measures according to Art. 32 GDPR, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing of the Customer Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Customer Data appropriate to the risk.
6.2. The Supplier shall have the right to modify technical and organizational measures, in particular the measures listed in more detail in Annex 2 ("Technical and Organizational Measures") to this Agreement, during the term of the agreement, as long as they continue to comply with the statutory requirements.
7.1. The Customer grants the Supplier the general authorization to engage further processors with regard to the processing of Customer Data. Further processors engaged at the time of conclusion of the agreement are listed in Annex 3 (“Sub-processors“). In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Customer Data cannot be excluded, as long as the Supplier takes reasonable steps to protect the confidentiality of the Customer Data.
7.2. The Supplier shall notify the Customer of any intended changes in relation to the engagement or replacement of further processors. In individual cases, the Customer has the right to object to the engagement of a potential further processor. An objection may only be raised by the Customer for important reasons which have to be proven to the Supplier. Insofar as the Customer does not object within 14 days after receipt of the notification, his right to object to the corresponding engagement lapses. If the Customer objects, the Supplier is entitled to terminate the Main Agreement and this agreement with a notice period of 3 months.
7.3. The agreement between the Supplier and the further processor must impose the same obligations on the latter as those incumbent upon the Supplier under this agreement. The parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this agreement, respectively if the obligations laid down in Art. 28 para. 3 GDPR are imposed on the further processor.
7.4. Subject to compliance with the requirements of Section 2.6. of this agreement, the provisions of this Section 7. shall also apply if a further processor in a third country is involved. The Customer hereby authorises the Supplier to conclude an agreement with another processor on behalf of the Customer based on the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to the decision of the European Commission of February 5th in 2010. The Customer declares his willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.
8.1. The Supplier shall support the Customer within reason by virtue of technical and organizational measures in fulfilling the latter’s obligation to respond to requests for exercising data subjects’ rights.
8.2. As far as a data subject submits a request for the exercise of his rights directly to the Supplier, the Supplier will forward this request to the Customer in a timely manner.
8.3. The Supplier shall inform the Customer of any information relating to the stored Customer Data, about the recipients of Customer Data to which the Supplier shall disclose it in accordance with the instruction and about the purpose of storage, as far as the Customer does not have this information at his disposal and as far as he is not able to collect it himself.
8.4. The Supplier shall, within the bounds of what is reasonable and necessary and in return for reimbursement of the expenses and costs incurred by the Supplier as a result (which the Supplier must substantiate), enable the Customer to correct, delete or restrict the further processing of Customer Data, or, at the instruction of the Customer, correct, block or restrict further processing himself, if and to the extent that this is impossible for the Customer.
8.5. Insofar as the data subject has a right of data portability vis-à-vis the Customer in respect of the Customer Data pursuant to Art. 20 GDPR, the Supplier shall support the Customer, within the bounds of what is reasonable and necessary and in return for reimbursement of the expenses and costs incurred by the Supplier as a result (which the Supplier must substantiate), in handing over the Customer Data in a structured, commonly used and machine-readable format, if the Customer is unable to obtain the data elsewhere.
9.1. Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security of Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Supplier shall inform the Customer in a timely manner of any reportable events in his area of responsibility. The Supplier shall assist the Customer in fulfilling the notification obligations at the latter’s request, to the extent reasonable and necessary and in return for reimbursement of the expenses and costs incurred by the Supplier as a result (which the Supplier must substantiate).
9.2. The Supplier shall assist the Customer, to the extent reasonable and necessary and in return for reimbursement of the expenses and costs incurred by the Supplier as a result (which the Supplier must substantiate), with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.
10.1. The Supplier shall delete the Customer Data upon termination of this agreement, unless the Supplier is obligated by law to further store the Customer Data.
10.2. The Supplier may retain documentation which serves as evidence of the orderly and accurate processing of Customer Data, also after the termination of the agreement.
11.1. The Supplier shall provide the Customer, at the latter’s request, with all information required and available to the Supplier to prove compliance with his obligations under this agreement.
11.2. The Customer shall be entitled to audit the Supplier with regard to compliance with the provisions of this agreement, in particular the implementation of the technical and organizational measures, including inspections.
11.3. In order to carry out inspections in accordance with Section 11.2., the Customer is entitled to access the business premises of the Supplier in which Customer Data is processed within the usual business hours (Mondays to Fridays from 10 a.m. to 3 p.m. with the exception of public holidays at the Contractor's registered office) after timely advance notification in accordance with Section 11.5. at his own expense, without disruption of the course of business and under strict secrecy of the Supplier’s business and trade secrets.
11.4. The Supplier is entitled, at his own discretion and taking into account the legal obligations of the Customer, not to disclose information which is sensitive with regard to the Supplier’s business or if the Supplier would be in breach of statutory or other contractual provisions as a result of its disclosure. The Customer is not entitled to get access to data or information about the Supplier’s other customers, cost information, quality control and contract management reports, or any other confidential data of the Supplier that is not directly relevant for the agreed audit purposes.
11.5. The Customer shall inform the Supplier in good time (usually at least two weeks in advance) of all circumstances relating to the performance of the audit. The Customer may carry out one audit per calendar year. Further audits are carried out against reimbursement of the costs and after consultation with the Supplier.
11.6. If the Customer commissions a third party to carry out the audit, the Customer shall obligate the third party in writing the same way as the Customer is obliged vis-à-vis the Supplier according to this Section 11. of this agreement. In addition, the Customer shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Supplier, the Customer shall immediately submit to him the commitment agreements with the third party. The Customer may not commission any of the Supplier’s competitors to carry out the audit.
11.7. At the discretion of the Supplier, proof of compliance with the obligations under this agreement may be provided, instead of an inspection, by submitting an appropriate, current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit – e.g. according to BSI-Grundschutz – (“audit report”), if the audit report makes it possible for the Customer in an appropriate manner to convince himself of compliance with the contractual obligations.
The term and termination of this agreement shall be governed by the term and termination provisions of the Main Agreement. A termination of the Main Agreement automatically results in a cancellation of this agreement. An isolated termination of this contract is excluded.
13.1. The Supplier’s liability under this agreement shall be governed by the disclaimers and limitations of liability provided for in the Main Agreement. As far as third parties assert claims against the Supplier which are caused by the Customer’s culpable breach of this agreement or of one of his obligations as the controller in terms of data protection law, the Customer shall upon first request indemnify and hold the Supplier harmless from these claims.
13.2. The Customer undertakes to indemnify the Supplier upon first request against all possible fines imposed on the Supplier corresponding to the Customer’s part of responsibility for the infringement sanctioned by the fine.
14.1. The applicable law is determined by the Main Agreement.
14.2. The place of jurisdiction is determined by the Main Agreement.
14.3. In case of conflicts between this agreement and other arrangements between the parties, in particular the Main Agreement, the provisions of this agreement shall prevail.
14.4. In case individual provisions of this agreement are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Art. 28 GDPR.
14.5. This Order Processing Agreement is a part of the Main Agreement and becomes effective upon its conclusion.
Purposes of Processing
Personal data of the Customer shall be processed on the basis of this Data Processing Agreement for the following purposes:
Software-as-a-Service services (SaaS)
Types and Categories of Data
The types and categories of personal data processed on the basis of this DPA include:
Master / Inventory data
Contact information
Content data
Contract details
Location data (these values are imprecise and cannot be used to identify a specific address or household)
Log data
Meta / communication data
Performance and behavioral data
Business information
Emails
Comments
Ratings
Referrer URL
Categories of data subjects
The categories of data subjects affected by the processing of personal data on the basis of this DPA include:
Website visitors
Software users
An adequate level of protection is ensured for the Processing and the Data processed, which is appropriate to the risks for the interests or fundamental rights and freedoms of data subjects concerned. To this end, especially the protection objectives of confidentiality, integrity and availability of the systems and services and their resilience with respect to the nature, extent, circumstances and purposes of the Processing shall be taken into account in such a way that the risk is mitigated on a lasting basis by appropriate technical and organisational remedial measures.
Except for the workstation computers and mobile devices, no data processing systems are maintained on the company's own business premises.
Physical access control measures have been taken to prevent unauthorised persons from physically approaching the systems, data processing equipment or procedures by which the Data are processed.
24/7 video surveillance technology is used to prevent physical access by unauthorised persons.
The access is secured by a manual locking system.
Electronic access control measures have been put in place to ensure that access (i.e. even the mere possibility of exploitation, use or observation) by unauthorised persons to systems, data processing equipment or procedures is prevented.
A password concept specifies that passwords must have a minimum length and complexity in line with the state of the art and security requirements.
All data processing systems are password protected.
Passwords are generally not stored in plain text and are only transmitted hashed or encrypted.
A password management software is used.
Use of hardware firewall(s) to protect the network.
Internal access control measures have been put in place to ensure that persons authorised to use a data processing system can only access the Data covered by their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during the Processing. Furthermore, input control measures have been taken to ensure that it is possible to subsequently check and establish whether and by whom the Data have been input, modified, removed or otherwise processed in data processing systems.
A rights and roles concept (authorisation concept) ensures that access to personal data is only possible for a group of people selected according to necessity and only to the extent necessary.
The rights and roles concept (authorisation concept) is evaluated regularly, within a reasonable time frequency and when required by an occasion (e.g. violations of access restrictions), and updated as necessary.
Use of document shredders (min. security level 3 and protection class 2)
The entry, modification and deletion of individual Data of the Customer will be recorded.
Creation and use of an authorization concept.
Secure storage of data media.
Measures have been taken to control the transmission of the Data to ensure that the Data cannot be read, copied, modified or deleted by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.
When accessing internal systems from outside (e.g. for remote maintenance), encrypted transmission technologies are used (e.g. VPN).
Encrypted data transfer (e.g. e-mail encryption, encrypted Internet connections using TLS/SSL, use of SFTP as the data transfer tool).
Encrypted data storage (e.g. file encryption according to the AES-256 standard).
Measures have been taken to ensure that Data processed on behalf of the Customer are only processed in accordance with the instructions of the Customer. The measures ensure that the Data collected for different purposes are processed separately and that there is no merging, combining or other combined processing of the Data contrary to the instructions.
The Data are processed physically separated from data of other processing operations of the Processor.
Production and test data are stored strictly separately from each other in different systems. The productive systems are operated separately and independently of the development and test systems.
Measures have been taken to ensure that personal data are protected against accidental destruction or loss and can be quickly restored in an emergency.
Server systems and services are used which have an appropriate, reliable and controlled backup & recovery concept.
Keeping data backup in a secure, off-site location.
The Processor shall use the following sub-processors in the Processing of data on behalf of the Client:
| Company (address) | Purpose |
|---|---|
| netcup, Daimlerstraße 25, 76185 Karlsruhe, Germany | Hosting |
| Hetzner, Industriestr. 25, 91710 Gunzenhausen, Germany | Hosting |
| AWS S3, Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg, Luxembourg | File-Hosting (CDN) |
| Exoscale, Bd de Grancy 19A, 1006 Lausanne, Switzerland | File-Hosting (CDN) |
| Ploi, Melkrijder 4E, 3861SG, Nijkerk, Gelderland, The Netherlands | Server Control Panel |
| RunCloud, D2-04-09 Tamarind Square, Persiaran Multimedia, Cyber 10, 63000 Cyberjaya, Selangor, Malaysia | Server Control Panel |
| Postmark, 2400 Market Street, No. 200, Suite 235B, Philadelphia, PA 19103, USA | Transactional email delivery |
| Cloudflare, 101 Townsend St., San Francisco, CA 94107, USA | Captcha (Turnstile) and File-Hosting (CDN) |
| Bunny.net CDN, BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia | File-Hosting (CDN) |
| BugSnag, 450 Artisan Way, Somerville, MA 02145, USA | Platform Error-Monitoring |
| Sentry, Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | Platform Error-Monitoring |