Contract for order processing in accordance with Art. 28 GDPR
**Instructions for filling out:** Print out the contract or save the document as a PDF file.
Please have this signed by the relevant person and send it as a PDF with the subject “AVV” to support@onevcard.de
Status: August 2024
Standard contract clauses
SECTION I
Clause 1
Purpose and scope of application
a) These Standard Contractual Clauses (hereinafter “Clauses”) are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
b) The controllers and processors listed in Annex I have agreed to these clauses to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
c) These Clauses apply to the processing of personal data as set out in Annex II.
d) Annexes I to IV form an integral part of the Clauses.
e) These Clauses are without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
f) These clauses do not in themselves ensure that the obligations relating to international data transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725 are fulfilled.
Clause 2
Inalterability of the clauses
a) The parties undertake not to amend the Clauses except to supplement or update the information provided in the Appendices.
b) This does not prevent the parties from incorporating the standard contractual clauses set out in these clauses into a more comprehensive contract and from adding further clauses or additional guarantees, provided that these do not directly or indirectly contradict the clauses or restrict the fundamental rights or freedoms of the persons concerned.
Clause 3
Interpretation
(a) Where terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 are used in these clauses, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be interpreted in the light of the provisions of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 respectively.
(c) These clauses shall not be interpreted in a manner contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 or in a manner that restricts the fundamental rights or freedoms of data subjects.
Clause 4
Priority
In the event of any conflict between these clauses and the provisions of any related agreements existing or subsequently entered into or entered into between the parties, these clauses shall prevail.
SECTION II
OBLIGATIONS OF THE PARTIES
Clause 5
Description of the processing
The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.
Clause 6
Obligations of the parties
6.1 Instructions
a) The processor shall process personal data only on documented instructions from the controller, unless the processor is required to do so by Union law or by the law of a Member State to which the processor is subject. In such a case, the processor shall inform the controller of these legal requirements prior to processing, unless the law in question prohibits this due to an important public interest. The controller may issue further instructions for the entire duration of the processing of personal data. These instructions must always be documented.
b) The processor shall inform the controller without undue delay if it considers that instructions issued by the controller are in breach of Regulation (EU) 2016/679, Regulation (EU) 2018/1725 or applicable Union or Member State data protection provisions.
6.2 Purpose limitation
The Processor shall process the Personal Data only for the specific purpose(s) set out in Annex II, unless the Processor receives further instructions from the Controller.
6.3 Duration of the processing of personal data
The data shall be processed by the Processor only for the duration specified in Annex II. The duration of this contract (term) corresponds to the term of the service agreement.
6.4 Security of the processing
a) The Processor shall take at least the technical and organizational measures listed in Annex III to ensure the security of the Personal Data. This includes protecting the data against a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, the data, whether accidental or unlawful (hereinafter “personal data breach”). In assessing the appropriate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risks for the data subjects.
b) The Processor shall only grant its personnel access to the personal data subject to processing to the extent strictly necessary for the performance, management and monitoring of the Contract. The Processor shall ensure that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
6.5 Sensitive data
If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning an individual’s health, sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter “sensitive data”), the Processor shall apply specific restrictions and/or additional safeguards.
6.6 Documentation and compliance with the Clauses
a) The Parties must be able to demonstrate compliance with these Clauses.
b) The Processor shall deal promptly and appropriately with requests from the Controller regarding the processing of data under these Clauses.
c) The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in these Clauses and arising directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the request of the Controller, the Processor shall also allow and contribute to an audit of the processing activities covered by these Clauses at appropriate intervals or where there are indications of non-compliance. In deciding whether to review or audit, the controller may take into account relevant certifications held by the processor.
d) The controller may carry out the audit itself or commission an independent auditor. Audits may include inspections of the Processor’s premises or physical facilities and shall be conducted with reasonable advance notice where appropriate.
e) The parties shall make the information referred to in this clause, including the results of audits, available to the competent supervisory authority(ies) upon request.
6.7 Use of sub-processors
a) The Processor shall not subcontract any of its processing operations that it carries out on behalf of the Controller pursuant to these Clauses to a subprocessor without the prior separate written consent of the Controller. The Processor shall submit the request for the separate authorization at least one month before engaging the relevant subprocessor, together with the information necessary for the Controller to decide on the authorization. The list of sub-processors approved by the Controller can be found in Annex IV. The Parties shall keep Annex IV up to date.
b) Where the Processor engages a Sub-Processor to carry out certain Processing Activities (on behalf of the Controller), such engagement shall be by way of a contract which imposes on the Sub-Processor substantially the same data protection obligations as those applicable to the Processor under these Clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject under these Clauses and under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
c) The Processor shall provide the Controller with a copy of such subcontracting agreement and any subsequent amendments upon the Controller’s request. To the extent necessary to protect business secrets or other confidential information, including personal data, the Processor may redact the text of the agreement before providing a copy.
d) The Processor shall be fully liable to the Controller for ensuring that the Sub-Processor fulfills its obligations under the Agreement concluded with the Processor. The Processor shall notify the Controller if the Sub-Processor fails to fulfill its contractual obligations.
e) The Processor shall agree a third-party beneficiary clause with the Sub-Processor, whereby the Controller - in the event that the Processor factually or legally ceases to exist or becomes insolvent - has the right to terminate the subcontracting agreement and instruct the Sub-Processor to delete or return the personal data.
6.8 International data transfers
a) Any transfer of data by the Processor to a third country or international organization shall be made solely on the basis of documented instructions from the Controller or to comply with a specific provision under Union law or the law of a Member State to which the Processor is subject and shall comply with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
b) The Controller agrees that in cases where the Processor uses a sub-processor pursuant to Clause 6.7 for the performance of certain processing activities (on behalf of the Controller) and where such processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the Processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission pursuant to Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of such standard contractual clauses are met.
Clause 7
Assistance to the controller
a) The processor shall inform the controller without undue delay of any request received from the data subject. It shall not respond to the request itself unless it has been authorized to do so by the controller.
b) Taking into account the nature of the processing, the processor shall assist the controller in fulfilling the controller’s obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations under points (a) and (b), the processor shall follow the instructions of the controller.
c) In addition to the Processor’s obligation to assist the Controller pursuant to Clause 7(b), the Processor shall also assist the Controller in complying with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
- Obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter “data protection impact assessment”) if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- Obligation to consult the competent supervisory authority(ies) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk, unless the controller takes measures to mitigate the risk;
- Obligation to ensure that the personal data is accurate and kept up to date, by the processor informing the controller without undue delay if it becomes aware that the personal data it is processing is inaccurate or out of date;
- Obligations under Article 32 of Regulation (EU) 2016/679.
d) The Parties shall set out in Annex III the appropriate technical and organizational measures to assist the Controller by the Processor in the application of this Clause and the scope and extent of the assistance required.
Clause 8
Notification of personal data breaches
In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or, where applicable, Articles 34 and 35 of Regulation (EU) 2018/1725, taking into account the nature of the processing and the information available to the Processor.
8.1 Breach of the protection of data processed by the controller
In the event of a personal data breach in connection with the data processed by the controller, the processor shall assist the controller as follows:
(a) in notifying the personal data breach to the competent supervisory authority(ies) without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the personal rights and freedoms of natural persons);
b) in obtaining the following information, which shall be included in the controller’s notification pursuant to Article 33(3) of Regulation (EU) 2016/679 and which shall comprise at least:
- the nature of the personal data breach, where possible specifying the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification shall contain the information available at that time and further information shall be provided as soon as it becomes available without undue delay thereafter;
c) in complying with the obligation under Article 34 of Regulation (EU) 2016/679 to notify the personal data breach to the data subject without undue delay where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
8.2 Breach of the protection of data processed by the processor
In the event of a personal data breach in connection with the data processed by the processor, the processor shall notify the controller without undue delay after becoming aware of the breach. This notification must contain at least the following information:
(a) a description of the nature of the breach (where possible, specifying the categories and approximate number of data subjects concerned and the approximate number of data records concerned);
b) contact details of a contact point where further information about the personal data breach can be obtained;
(c) the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.
If and to the extent that all such information cannot be provided at the same time, the initial notification shall contain the information available at that time and further information shall be provided subsequently, as soon as it becomes available, without undue delay.
The Parties shall specify in Annex III any other information that the Processor shall provide to assist the Controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III
FINAL PROVISIONS
Clause 9
Breach of the Clauses and termination of the contract
a) If the Processor fails to comply with its obligations under these Clauses, the Controller may, without prejudice to the provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, instruct the Processor to suspend the processing of personal data until it complies with these Clauses or the contract is terminated. The Processor shall inform the Controller without undue delay if, for whatever reason, it is unable to comply with these Clauses.
b) The Controller shall be entitled to terminate the contract insofar as it concerns the processing of personal data pursuant to these Clauses if
- the Controller has suspended the Processor’s processing of personal data pursuant to point (a) and compliance with these Clauses has not been restored within a reasonable period of time and in any event within one month of the suspension;
- the Processor substantially or persistently breaches these Clauses or fails to fulfil its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
- the Processor fails to comply with a binding decision of a competent court or of the competent supervisory authority(ies) concerning its obligations under these Clauses, Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
c) The Processor shall be entitled to terminate the Agreement insofar as it concerns the processing of personal data pursuant to these Clauses if the Controller insists on the execution of its instructions after being informed by the Processor that its instructions violate applicable legal requirements pursuant to Clause 6.1(b).
d) After completion of the provision of the processing services, the Processor shall erase all personal data of the Controller, unless Union or Member State law requires the personal data to be stored.
The contractor shall, without being asked to do so, provide the client with written proof, stating the date, that he has destroyed or deleted all data and other documents in accordance with data protection regulations and has therefore not retained any of the client’s data. Documentation that serves as proof of the order and proper data processing must be retained by the contractor beyond the end of the contract. He can hand it over to the client at the end of the contract to relieve himself of liability.
Clause 10
Client’s inspection rights
The client is entitled to check the technical and organizational measures and compliance with this agreement and data protection requirements before the start of the processing services and regularly during the processing. To do this, the client or an appointed auditor can inspect the contractor’s data processing systems and data processing programs. The contractor is obliged to grant the client access to the premises in which the client’s data is processed physically or electronically during normal business hours. The client will coordinate the implementation of the inspections with the contractor in such a way that the contractor’s operational processes are not affected. The contractor provides the client with all the information required to prove the technical and organizational measures and compliance with this agreement and data protection requirements. This information includes in particular current certificates, reports or extracts from reports from independent bodies (e.g. auditors, external experts, IT security or data protection auditors) and suitable certification (e.g. according to BSI basic protection). The contractor will immediately provide the client with specific information in individual cases. The client’s works council is also entitled to these control rights and may also exercise them.
APPENDIX I
List of parties
Controller(s):
Company / organization including legal form: ______________________________________
Address: ____________________________________
First name of contact person: _____________________________________
Last name of contact person: _______________________________________
Email address of contact person: ______________________________________
Contact person’s telephone number: ________________________________________
Contact person’s function: __________________________________________
Processor:
oneVcard GmbH
Address: Babenhäuser Str. 37, 63762 Großostheim
Name, function and contact details of the contact person: Fabian Ripp
Managing director, email: fr@onevcard.de
APPENDIX II
Description of the processing
Categories of data subjects whose personal data is processed:
Employees
Categories of personal data that is processed:
· First and last name
· Address (business)
· Telephone number (business)
· Mobile phone number (business)
· Email address (business)
· Function
· Photo(s)
· User names of personal social media channels
· Other personal data that is stored in the profile by the controller or its employees.
Sensitive data processed (if applicable) and limitations or safeguards applied that fully take into account the nature of the data and the risks involved, e.g. strict purpose limitation, access restrictions (including access only for employees who have completed special training), records of access to the data, restrictions on further transmissions or additional security measures:
n/a
Type of processing
· Use of the personal data to create a digital web-based business card, storage of the personal data in a data center, transmission of the data contained in the business card to desired recipients via an individual internet link, in the email signature, via vCard or via QR code in the oneVcard app
Purpose(s) for which the personal data is processed on behalf of the controller
· Provision of a digital, web-based business card (website)
Duration of processing
Duration of the contract
ANNEX III
Technical and organizational measures, including to ensure the security of the data
Description of the technical and organizational security measures taken by the controller(s) (including all relevant certifications) to ensure an appropriate level of protection, taking into account the nature, scope, circumstances and purpose of the processing as well as the risks to the rights and freedoms of natural persons:
· Measures to ensure non-public database access
· Measures to ensure database access only for authorized employees and only by means of 2-factor authentication
· Measures to ensure the security of processing
· Measures to protect data during storage
· Measures for encrypted transmission of personal data
· Measures to protect data during transmission
· Pseudonymization measures when collecting and processing information to improve the application
· Measures for random generation of user IDs
· Measures for random generation of product IDs
· Measures for encrypted storage of user passwords
· Measures to contain brute force attacks on user accounts
· Measures to identify and authorize users
· Measures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services related to processing
· Measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, except in the case of deletion by the controller
· Procedures for regularly reviewing, assessing and evaluating the effectiveness of technical and organizational measures
· Measures to ensure the physical security of locations where personal data is processed
· Measures to ensure the logging of events
· Measures to ensure system configuration, including the default configuration
· Measures for internal governance and management of IT and IT security
· Measures to ensure data minimization
· Measures to ensure data quality
· Measures to ensure limited data retention
· Measures to ensure accountability
· Measures to enable data portability and ensure deletion
When data is transferred to (sub)processors, the specific technical and organizational measures that the (sub)processor must take to support the controller must also be described.
Description of the specific technical and organizational measures that the processor must take to assist the controller:
· Measures to ensure the security of processing
· Measures to protect data during storage
· Measures to identify and authorize users
· Measures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services related to processing
· Measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, except in the case of deletion by the controller
· Procedures for regularly reviewing, assessing and evaluating the effectiveness of the technical and organizational measures
· Measures to ensure the physical security of locations where personal data are processed
· Measures to ensure the logging of events
· Measures to enable data portability and to ensure deletion
· Measures to ensure data quality
· Measures to ensure accountability
Appendix V: Technical and organizational measures (checklist)
A. Measures to ensure confidentiality and integrity
1. Access control measures to server rooms
1.0 Are the client’s personal data stored on servers operated by you or any service providers?
☒ yes ☐ no
If no: In this case, the further questions on A1 do not need to be answered, but rather the questions from A2 onwards. The questions on B1 and B2 are also omitted.
1.1 Location of the server room / data center (DC):
Frankfurt and Nuremberg
1.2 Are the personal data distributed across more than one server location / data center (e.g. backup server / use of cloud services)?
☐ yes ☒ no
1.3 If yes: Please provide the relevant location information for other servers.
Other server locations:
1.4 Does the following information on access control measures apply to all server / data center locations in use?
☒ yes ☐ no
1.5 Is the server room protected by an intrusion alarm system (BAM)?
☒ yes ☐ no
1.6 If yes: Who is informed when the BAM is triggered? Multiple answers possible!
☒ commissioned security service ☐ Administrator ☐ Head of IT ☐ Other:
1.7 Is the server room under video surveillance?
☒ yes, without image recording ☐ yes, with image recording ☐ no
1.8 Is the server room equipped with an electronic locking system?
☒ yes ☐ no, with a mechanical lock
1.9 If yes: Which access technology is used? Multiple answers possible!
☒ RFID ☐ PIN ☒ Biometrics ☐ Other:
1.10 If yes: Are access rights assigned in a personalized manner?
☒ yes ☐ no
1.11 If yes: Are accesses to the room logged in the access system?
☒ yes, both successful and unsuccessful access attempts
☐ yes, but only successful access attempts
☐ yes, but only unsuccessful access attempts
☐ no, the lock is only released or not
1.12 Is the server room used for other purposes in addition to its actual function?
☐ yes ☒ no
1.13 If yes: What else is stored in the server room?
☐ Telephone system ☐ Storage of office supplies ☐ Storage of files ☐ Archive
☐ Storage of IT equipment ☐ Other:
2. Access control measures to office rooms
2.1 Location of client workstations from which personal data is accessed:
Access exclusively via VPN
2.2 Is there a concierge service / constantly manned reception area for the building or your offices?
☒ yes ☐ no
2.3 Is a visitor’s book kept?
☐ yes ☒ no
2.4 Is the building or the offices protected by an alarm system (BAM)?
☐ yes ☒ no
2.5 If yes: Who is informed when the BAM is triggered?
☐ appointed security service ☐ administrator ☐ IT manager ☐ other:
2.6 Are the office building and its entrances under video surveillance?
☐ yes, without image recording ☐ yes, with image recording ☒ no
2.7 If “yes, with image recording”, how long are the image data stored?
3. Access and access control measures
3.1 Is there a process for assigning user IDs and access authorizations when new employees are hired or leave the company or when organizational changes occur?
☒ defined approval process
☐ no defined approval process, on demand
☐ Other method of assignment:
3.2 Are the assignment of or changes to access authorizations logged?
☒ yes ☐ no
3.3 Do employees authenticate themselves to the central directory service using an individual ID?
☒ yes ☐ no
3.4 Are there binding password parameters in the company?
☒ yes ☐ no
3.5 Password character length: 50
Must the password contain special characters?
☒ yes ☐ no
Minimum validity period in days: 90
3.6 Does the IT system force the user to comply with the above-mentioned password requirements?
☒ yes ☐ no
3.7 Is the screen locked if the user is inactive? If yes, after how many minutes?
10 minutes
3.8 What measures do you take if a password is lost, forgotten or spied on?
☒ Admin assigns a new initial password
☐ none
3.9 Is there a limit to the number of unsuccessful login attempts?
☒ yes, 3 attempts ☐ no
3.10 If yes, how long do accesses remain blocked if the maximum number of unsuccessful login attempts has been reached?
☒ Accesses remain blocked until the block is manually lifted
☐ Accesses remain blocked for [please enter value in minutes] minutes.
3.11 How is authentication carried out for remote access?
Authentication with ☐ token ☒ VPN certificate ☐ password
3.12 Is there a limit on the number of unsuccessful login attempts for remote access?
☒ yes, 3 attempts ☐ no
3.13 If yes, how long do accesses remain blocked if the maximum number of unsuccessful login attempts has been reached?
☒ Access remains blocked until the block is manually lifted
☐ Access remains blocked for [please enter value in minutes] minutes.
3.14 Is remote access automatically disconnected after a certain period of inactivity?
☒ yes, after 30 minutes ☐ no
3.15 Are the systems on which personal data is processed secured by a firewall?
☒ yes ☐ no
3.16 If yes: Is the firewall regularly updated?
☒ yes ☐ no
3.17 If yes: Who administers your firewall?
☒ own IT ☐ external service provider
4. Measures to secure paper documents, mobile data storage devices and mobile devices
4.1 How are paper documents containing personal data (e.g. printouts / files / correspondence) that are no longer required disposed of?
☐ Waste paper / residual waste
☒ Shredders are available for this purpose and their use is instructed.
☐ Locked data bins are set up that are picked up by a disposal service provider for destruction in accordance with data protection regulations.
☐ Other:
4.2 How are data storage devices (USB sticks, hard drives) on which personal data is stored that are no longer required disposed of?
☐ Physical destruction by own IT.
☒ Physical destruction by external service providers.
☐ Delete the data
☐ Delete the data by overwriting (please specify the number)
☐ Other:
4.3 Are mobile data storage devices allowed to be used in the company (e.g. USB sticks)?
☒ yes
☐ no
4.4 Are employees allowed to use private data storage devices (e.g. USB sticks)?
☐ generally yes
☐ yes, but only after the storage medium has been approved and checked by IT.
☒ no, all required storage media are provided by the company.
4.5 Is personal data encrypted on mobile devices?
☒ Encryption of the hard drive
☐ Encryption of individual directories
☐ no measures
4.6 Do employees also process personal data on their own private devices (bring your own device)?
☐ yes ☒ no
5. Measures for secure data transfer
5.1 Is the transfer of personal data encrypted throughout?
☐ not at all
☐ no, data transfer takes place via MPLS
☐ only occasionally
☐ via encrypted file as email attachment
☐ via PGP / S/MIME
☐ via encrypted data carrier
☐ via VPN
☒ via https/TLS
☐ via SFTP
☐ Other:
5.2 Who manages the keys or certificates?
☐ Users themselves ☐ own IT ☒ External service provider
5.3 Are the transfer processes logged?
☐ yes ☒ no
5.4 If 5.3 yes: How long are these log data stored?
[please enter value in days] days
5.5 If 5.3 yes: Are the logs evaluated regularly?
☐ yes ☐ no, but an evaluation would be possible if necessary
B. Measures to ensure availability
1. Server room
1.1 Does the server room have a fireproof or fire-retardant access door?
☒ yes ☐ no
1.2 Is the server room equipped with smoke detectors?
☒ yes ☐ no
1.3 Is the server room connected to a fire alarm control panel?
☒ yes ☐ no
1.4 Is the server room air-conditioned?
☒ yes ☐ no
1.5 Does the server room have an uninterruptible power supply (UPS)?
☒ yes ☐ no
2
Backup and emergency concept, virus protection
2.1
Does a backup concept exist?
☒ yes ☐ no
2.2
Is the functionality of backup recovery tested regularly?
☒ yes ☒ no
2.3
How often are backups made of the systems on which personal data is stored?
☒ Real-time mirroring ☐ daily ☐ one to three times a week
☐ Other:
2.4
On what type of backup media are the backups stored?
☒ Second redundant server ☐ Backup tapes ☐ Hard drives
☐ Other:
2.5
Where are the backups stored?
☒ Second redundant server is located at a different location ☐ Safe (fireproof, rated for data media and documents)
☐ Simple safe ☐ Bank safe deposit box ☐ Locked filing cabinet / desk
☐ In the server room ☐ Private household ☐ Other:
2.6
Regarding 2.5: If the backups are transported: How is this done?
☐ Taken by an IT employee / management / secretary
☐ Picked up by a third party (e.g. bank employee / security company)
☒ Other: There is no physical transport
2.7
Are the backups encrypted?
☒ yes ☐ no
2.8
Are the backups stored in a separate fire compartment or part of the building from the primary server?
☒ yes ☐ no
2.9
Is there a documented process for software or patch management?
☒ yes ☐ no ☐ Process exists, but is not documented
2.10
If 2.9 yes, who is responsible for software or patch management?
☐ Users themselves ☐ Own IT ☒ External service provider
2.11
Is there an emergency plan (e.g. emergency measures in the event of hardware defects / fire / total loss etc.)?
☒ yes ☐ no
2.12
Are the IT systems technically protected against data loss / unauthorized data access?
Yes, using constantly updated ☒ virus protection ☒ anti-spyware ☐ spam filter
2.13
If 2.12 yes, who is responsible for the current virus protection, anti-spyware and spam filter?
☐ Users themselves ☐ Own IT ☒ External service provider
3
Network connection
3.1
Does the company have a redundant Internet connection?
☒ yes ☐ no
3.2
Are the company’s individual locations redundantly connected to one another?
☒ yes ☐ no
3.3
Who is responsible for the company’s network connection?
☐ Own IT ☒ External service provider
C. Pseudonymization/encryption, Art. 32 para. 1 lit. a GDPR
1.
Use of pseudonymization
1.1
Are processed personal data pseudonymized?
☐ yes ☒ no
If 1.1 is no: the remaining questions in C1 do not need to be answered; continue with the questions from C2 onwards.
1.2
Are algorithms used for pseudonymization?
☐ yes ☐ no
1.3
If 1.1 yes: Which algorithm is used for pseudonymization?
1.4
Is the assignment data separated and stored in separate systems?
☐ yes ☐ no
1.5
How can pseudonymization be reversed if necessary? Multiple answers possible!
☐ according to a defined procedure
☐ using the multiple-eyes principle
☐ Direct access to non-pseudonymized raw data
☐ On the instructions of the supervisor
☐ Other:
2.
Use of encryption
2.1
Are processed personal data encrypted beyond the measures already described?
☒ yes Passwords ☐ no
If 2.1 is no: the remaining questions in C2 do not need to be answered; continue with the questions from D1 onwards.
2.2
What types of encryption are used? Multiple answers possible! In the case of multiple answers, please describe in the “Other” field which type of encryption is used for which data.
☒ End-to-end encryption ☐ Transport encryption ☐ Data-at-rest encryption
☐ Other: please enter.
2.3
Which cryptographic algorithms are used for encryption or for encryption-like measures (e.g. hashing passwords)?
☐ AES ☒ SHA-256 ☐ RSA-2048 or higher ☐ Other:
2.4
Who has access to the encrypted data?
Employees from the departments: please enter. A total of 0 employees have access to the encrypted data.
D. Other measures according to Art. 32 Para. 1 lit. b, c, d GDPR
1.
Resilience
Measures exist that ensure the long-term resilience of the systems and services used for processing.
☐ no
☒ yes Monitoring, regular load tests, IP blocking
2
Recoverability
Are there emergency or recovery concepts and measures beyond B.2.11 that guarantee the ability to quickly restore the availability of the personal data and access to it in the event of a physical or technical incident?
☐ no
☒ yes, daily backups
3
Procedures for checking, assessing and evaluating the measures taken
3.1
Is there a procedure for regularly checking, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security of processing?
☐ no
☒ yes
3.2
If 3.1 yes: At what intervals do the checks take place?
When there are changes to the infrastructure, otherwise every 6 months
3.3
If 3.1 yes: Are the results of the checks documented?
☒ yes ☐ no
3.4
Are there certifications related to the technical and organizational measures and if so, which ones?
☐ yes
☒ no
ANNEX VI
List of sub-processors
The controller has approved the use of the following sub-processors:
Name: Hetzner
Address: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Name and contact details of the contact person: Margit Müller, email: data-protection@hetzner.com
Description of the processing: Hosting, Computing, Storage, DBaaS, Kubernetes
Name: A1
Address: A1 Digital Deutschland GmbH, St.-Martin-Straße 59, 81669 Munich, Germany
Name and contact details of the contact person: Elisabetta Castiglioni, email: info@a1.digital
Description of the processing: Hosting, Computing, Storage, DBaaS, Kubernetes
Name: Mailjet
Address: Mailjet SAS, 13-13 bis rue de l’Aubrac, 75012 Paris, France
Name and contact details of the contact person:
Darine Fayed, Data Protection Officer, email: dfayed@mailjet.com
Description of processing: Mailing
Name: Axonaut
Address: DIGITICA SAS, 12 rue Louis Renault, 31130 Balma, France
Name and contact details of the contact person:
Nicolas Ricard, Data Protection Officer, Email: nicolas.richard@axonaut.com
Description of processing: CRM, Mailing, Ticket System
Name: Celonis
Address: Celonis SE, Theresienstr. 6, 80333 Munich, Germany
Name and contact details of the contact person: Martin Klenk, email: info@celonis.com
Description of the processing: Process Automation, DBaaS, Storage
Name: LifeOn Digital
Address: LifeOn Digital GmbH, Saaläckerstraße 2A, 63801 Kleinostheim, Germany
Name and contact details of the contact person: Jannis Bussalb, email: Datenschutz@Lifeon.digital
Description of the processing: CRM, AI Services, Process Automation, Office Software
ANNEX VII
List of sub-processors in case of special (non-standard) configurations
The following sub-processors are not active in the standard configuration. They only form part of your AVV if your company or organization has explicitly commissioned or activated an integration, API or other such service with us.
In the case of using “Zapier”:
Name: Zapier Inc.
Address: Zapier, Inc. Attn: Legal Department/Privacy, 548 Market St. #62411, San Francisco, CA 94104-5401
Name and contact details of the contact person:
Darine Fayed, Data Protection Officer, Email: privacy@zapier.com
In the case of using “Google Ads” or “Google Analytics”:
Name: Google Ireland Limited
Address: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Name and contact details of the contact person:
Nicholas Leeder, Managing Director, Email: support-deutschland@google.com
In the case of using “Personio”:
Name: Personio GmbH & Co. KG
Address: Personio GmbH & Co. KG, Rundfunkplatz 4, 80335 Munich, Germany
Name and contact details of the contact person:
Hanno Renner, Managing Director, Email: support@personio.com