Data Processing Agreement (DPA)

Last updated: December 9, 2024

between

the Customer, defined in the specific order confirmation

- hereinafter referred to as "Controller" -

and

All Quiet GmbH, Blumenstr. 45, 10243 Berlin, Germany

- hereinafter referred to as the "Processor" -

- hereinafter referred to individually and collectively as "Party" and/or "Parties" -

§ 1 Definition of Terms

(1) For the purposes of this Data Processing Agreement, the following definitions apply:

(a) The "Processor": the contractual Party referred to above as the "Processor".

(b) “Main Agreement” refers to the Service Level or Cooperation Agreement designated in detail in § 2.

(c) The “Controller”: the contractual Party referred to above as the “Controller” that bears the sole responsibility for making decisions regarding the purposes and means for Processing Personal Data under this Agreement.

(d) "Additional Processor" or "Sub-Processor": the contractual partner of the Processor, engaged to carry out specific processing activities on behalf of the Controller.

(2) In any other case, the definitions pursuant to Art. 4 GDPR shall apply.

§ 2 Subject matter of the Agreement; legal basis

This Agreement governs the collection and processing of personal data (hereinafter referred to as "Data") by the Processor for and on behalf of the Controller, according to the Controller's instructions, in connection with the terms of service of the "All Quiet Platform" and serves to supplement the agreement concluded by the parties (hereinafter referred to as "Main Agreement").

§ 3 Rights and obligations of the Controller

(1) The following shall arise from the main contract: the subject and duration of the assignment, the nature and purpose of the processing, the type of personal data and the categories of data subjects in connection with Annex 1.

(2) In relation to the Processor, the Controller is solely responsible for assessing whether Data can be processed lawfully and for safeguarding the rights of the data subjects.

(3) The Controller has the right to issue instructions on the type, scope, and methods of data processing. All instructions shall be issued in writing or by e-mail. If, in exceptional cases, instructions are given by telephone, they must then be confirmed by e-mail.

(4) The Controller may check the Processor's compliance with the Legal Provisions and this Agreement at any time and without undue delay, even at the Processor's premises, in particular by obtaining information and viewing the stored Data and the data processing programs on the Processor's premises. The Controller may perform the checks himself at his own expense or have them performed by a contracted independent, qualified third party who is obligated to maintain secrecy. The Controller shall announce checks to be carried out at the Processor within a reasonable period of time, perform the checks during normal business hours only, and take due care during their performance not to disturb the Processor's business operations and operational workflows. However, this does not apply in the case of a specific suspicion of abuse.

§ 4 Rights and obligations of the Processor

(1) The Processor processes the data in accordance with the law, the provisions of this contract and the instructions of the Controller. If the Processor is prevented by law from processing the data in accordance with this contract and the instructions of the Controller, it shall inform the Controller prior to processing, unless law prohibits such information. The Processor may not use the data for any other purpose and is in particular not entitled to pass on the data provided to him to third parties.

The data Processor will inform the data Controller immediately if instructions given by the data Controller, in the opinion of the data Processor, infringe the GDPR or the applicable Union or Member State data protection provisions.

(2) Any transfer of data to a third country or an international organisation by the data Processor shall be undertaken only on the basis of documented instructions from the data Controller. With regard to the engagement of subcontractors, the provisions in § 7 apply.

(3) The Processor shall support the Controller if necessary; in particular, in data protection audits by the supervisory authorities, insofar as these audits concern data processing in accordance with this Agreement.

(4) The Processor is obliged to assist the Controller in accordance with its instructions when the Controller fulfills his obligations towards data subjects exercising their rights under the law (e.g. right of access, rectification).

If a data subject addresses the Processor directly, the Processor shall not disclose any information, but rather refer the data subject to the Controller. The Processor shall inform the Controller accordingly.

(5) The Processor shall support the Controller in the performance of its other legal duties in accordance with Art. 32-36 GDPR where these are associated with the data processing under this contract. In particular, these include:

(a) reporting and/or documentation duties in accordance with the Legal Provisions;

(b) provision of information on the processing of data to government authorities and individuals;

(c) Information on data protection violations. The Processor is aware that the Controller is obliged to inform the supervisory authorities immediately of any data protection violations.

(6) The Processor will immediately notify the Controller of all communications from the supervisory authorities (e.g., inquiries, notification of measures or requirements) to the Processor in connection with the processing of Data under this Agreement. Subject to mandatory statutory requirements, the Processor shall only provide information to third parties, including supervisory authorities, with the prior consent of and in consultation with the Controller (in writing or by e-mail).

(7) The data Processor shall make available to the data Controller all information necessary to demonstrate compliance with the obligations set out in these Clauses and that are stemming directly from the GDPR.

(8) After completion of the commissioned work and after notification within a reasonable period of time the Processor shall delete the personal data or destroy data carriers with personal data in such a way that it is not possible to restore the data or only at unreasonable expense, and shall confirm this to the Controller. The Processor will delete all existing copies.

Deviations from the above obligations to delete or return data will only be considered if legal regulations require the storage of personal data.

(9) Unless explicitly agreed otherwise, support services provided by the Processor under this Agreement shall be remunerated at the agreed hourly rate or, failing such agreement, at the Processor's regular hourly rate.

§ 5 Appropriate technical and organisational measures

(1) The Processor shall ensure that the Controller's Data is processed exclusively in compliance with the technical and organizational measures required in accordance with the Legal Provisions and this Agreement. The measures currently required are described in Annex 2.

(2) The Processor will inform the Controller on any substantial security-related decisions on the organization of data processing and the applied procedures.

§ 6 Confidentiality

The Processor guarantees that only persons who have first been bound by confidentiality or are subject to an appropriate legal obligation to secrecy are authorized to process the personal data. The Processor shall ensure that persons entrusted with the data processing are familiar with the specifications and instructions in this Agreement in advance.

§ 7 Sub-Processors

(1) The Processor may engage other Processors ("Sub-Processors"). The Processor shall inform the Controller in writing or by e-mail in advance of any intended engagement of a Sub-Processor or change of Sub-Processor. It may proceed as proposed if the Controller raises no objection within one week from receipt of the information.

(2) The Processor ensures that the Sub-Processor is obligated toward the Processor in the same manner that the Processor is obligated toward the Controller under this Agreement.

(3) The Processor shall review the Sub-Processor's compliance with the Sub-Processor's obligations, in particular compliance with the agreed technical and organizational measures, before the start of data processing and regularly thereafter. Replacement of these reviews based on approved rules of conduct or an approved certification procedure with regard to the subcontracted Processor is permitted.

(4) The companies listed in Annex 3 are deemed to be approved by the Controller. The Parties shall keep Annex 3 up to date.

(5) The use of sub-sub-contractors is permissible provided that the above requirements are met.

§ 8 Term and Termination of the Agreement

This Agreement shall be valid for the duration of the actual provision of services by the Processor. This shall apply regardless of the terms of any other agreements (in particular, the Main Agreement) that the Parties have concluded regarding the provision of the agreed services.

§ 9 Liability

(1) Any limitations of liability under the main contract shall apply. The Controller shall indemnify the Processor against all claims brought by third parties against the Processor for infringement of their rights on the basis of the processing of personal data under this contract, unless the claim of the third party is based on unlawful processing of the personal data by the Processor.

(2) The Processor is liable for any fault on the part of its Sub-Processor and Sub-Sub-Processors as if the Processor itself were at fault.

§ 10 Miscellaneous

(1) The invalidity of a provision of this Agreement shall not affect the validity of the remaining provisions. If a provision proves to be invalid, the Parties shall replace it with a new provision that approximates the intentions of the Parties as closely as possible.

(2) Any changes to this Agreement and any side agreements shall be made in writing (including by e-mail). This shall also apply to the waiver of this written form clause itself.

(3) The General Terms and Conditions of the Controller shall not apply to this Agreement.

(4) The sole place of jurisdiction for this contract is that of the main contract. This shall apply notwithstanding any exclusive statutory jurisdiction.

(5) In the event of any contradictions between the provisions of this Agreement and provisions of any other agreements, and in particular of the Main Agreement, the provisions of this Data Processing Agreement shall take precedence. In all other respects, the provisions of the Main Agreement shall remain unaffected and shall apply accordingly to this Agreement.

Annexes

The following Annexes are integral parts of this Agreement:

Annex 1: Details about data processing

Annex 2: Technical and organizational measures

Annex 3: List of the assigned Sub-Processors

Annex 1

Details about data processing

1. Data-to-be-processed/Data-affected; Type of access; services

a. Categories of data subjects

  • Employees
  • Customers

b. Possibly affected personal data (if sent in a payload):

  • Surname/First name
  • Address
  • Contact details (e.g. telephone, e-mail)
  • Inventory data (e.g. billing address, contract number)
  • Traffic data (e.g. connection identification, location data, beginning/end of a telephone connection)
  • Contract master data
  • Personnel master data
  • Customer history
  • Profession

2. Services, purpose of the Processing:

The object of the data processing as well as the type and purpose is described in the main contract.

3. Processing location

The processing of the data by the Provider takes place at the following locations: Germany

Annex 2

Technical and organizational security measures pursuant to Article 32 GDPR

Preamble

The present annex specifies in detail the technical and organisational measures described in the contract data processing agreement. In this connection, the present state of the art, the cost of implementation and the type, scope, circumstances and purposes of data processing will be taken into account in particular. In addition, the different likelihoods of occurrence and the severity of the risk for the rights and freedoms of natural persons will be considered so as to achieve a level of protection for natural persons commensurate with the risk.

1 Permanent confidentiality

The Processor shall implement technical and organisational measures to ensure appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include, but are not limited to, the conclusion of confidentiality agreements with internal and external employees and service providers, the use of a comprehensive data protection concept, compliance with security guidelines to identify vulnerabilities in the protection of personal data and to manage the security infrastructure, and protection against external influences (espionage, hacking, access to business premises). In particular, the data protection concept classifies the processed personal data and takes into account the principles of privacy by design and privacy by default.

2 Permanent integrity

To ensure the integrity of the data processing systems, the Processor shall take measures to prevent unauthorised or unlawful processing, destruction or unintentional damage. Such measures include, in particular, procedures to ensure that data is kept up to date, documentation of the hardware and software, the definition of the required performance of processes, and the regular performance of tests to determine and document the functionality, risks, security vulnerabilities and side effects of processes. In addition, a crypto concept is used that is based on a risk-based classification of data records and that uses checksums, electronic seals and signatures in data processing procedures.

3 Pseudonymisation

The Processor shall pseudonymise the personal data based on the specific need for protection. In order to do this, it uses software that allows for the secure management of pseudonymised data. The cryptographic keys or lookup lists used for pseudonymisation are stored securely to ensure that the personal data can no longer be attributed to a specific data subject without the use of additional information.

4 Encryption

The Processor encrypts personal data to ensure that it is protected from external influences such as hacking attacks and espionage. This is done based on the protection categories of the data protection concept and is regularly updated to reflect the state of the art. After encryption, the unencrypted original file is deleted. If the Processor engages its own employees, they shall be trained in the safe handling of encrypted personal data on a regular basis.

5 Permanent availability

The Processor shall implement measures to ensure that Personal Data is protected against accidental destruction or loss. This is accomplished, for example, by using standard software from reliable sources and by regular data backups. Hardware is only decommissioned after the data carriers contained therein have been checked and, if necessary, after backups of the relevant data records have been made. Other measures consist of comprehensive virus protection and firewalls, emergency plans for security and data protection breaches with concrete instructions for action, and regular tests of data recovery in accordance with the data protection concept.

Additionally, procedures are implemented to ensure that the systems of the Processor can be restored in the event of failure. For this purpose, data files are regularly archived and stored separately, and an emergency plan for data breakdowns is developed. The Processor also provides back-up computers and software for emergency situations.

6 Ensuring permanent resilience of the systems

The Processor shall ensure in advance that its data processing systems are resilient also in the long term by carrying out regular stress tests and by setting the load limits for the respective data processing system higher than the necessary minimum in advance.

7 Examination and assessment of data security

The Processor shall regularly review and assess all technical and organisational measures in order to keep them up to date. This includes, in particular, the regular review of data processing systems and processing activities to identify security gaps that may arise due to new technical developments or changes in processing practices, and the regular revision of standard software in accordance with the data protection concept.

8 Access control

The Processor shall ensure that unauthorised persons cannot access personal data. Therefore, the Processor shall take measures to ensure that personal data cannot be read, copied, modified or removed by unauthorised persons during processing, use and after storage. This is done in particular by using user-related and individualised login information and secure passwords (including the use of special characters, minimum length, regular change of password). Data and data carriers are encrypted depending on their need for protection and destroyed in accordance with data protection regulations. In addition, screens will be locked after a certain period of inactivity. Private data carriers shall not be used.

9 Admission control

Admission control is accomplished by ensuring that unauthorised persons do not obtain access to rooms in which personal data of the Controller are processed.

10 Transfer control

The Processor shall ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or during transport or storage on data carriers. In particular, this is accomplished by encryption of data and data carriers depending on their need for protection as well as by encryption of data in transit, especially during transmission via public networks (e.g. SSL, TLS).

11 Input control

This means measures to ensure that it can be examined and determined subsequently whether and by whom personal data in data processing systems or applications were entered, changed or deleted.

12 Assignment control (when sub-contractors are used)

When using sub-processors, the Processor shall ensure that personal data of the Controller can only be processed in accordance with the Controller's instructions and data processing requirements. This includes specific criteria for the choice of contractors (references, certifications, seals of approval), detailed written rules (contract/agreement) for the contractual relationships and formalisation of the entire process, ensuring that the execution of the contract is controlled and documented. Subcontractors and their own and external employees shall be bound by the contractual agreement to confidentiality.

13 Separation rule

The Processor shall ensure that data collected for different purposes are processed separately. This is achieved in particular through the logical or technical separation of data and storage in specific storage areas.

Annex 3

List of the assigned Sub-Processors

The following sub-processors may be used under the agreements:

Each entry lists the Sub-Processor, its address, the service it provides, the location of data processing and the transfer mechanism.

MessageBird B.V.
  Address: MessageBird B.V., Keizersgracht 268, Amsterdam, 1016 EV Noord Holland, The Netherlands
  Service description: Telecommunication
  Location of data processing: The Netherlands, Ireland, Belgium, Germany
  Transfer mechanism: Standard Contractual Clauses

Amazon Web Services, Inc.
  Address: 410 Terry Avenue North, Seattle, WA 98109, United States
  Service description: Cloud Computing Services Provider / Email Notification Provider
  Location of data processing: Default: United States; EU locations on Customer request
  Transfer mechanism: Standard Contractual Clauses, EU-US Data Privacy Framework

Stripe Payments Europe, Limited
  Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
  Service description: Billing and Payment Service Provider
  Location of data processing: Ireland
  Transfer mechanism: Standard Contractual Clauses, Data Privacy Framework

Functional Software, Inc. dba Sentry
  Address: 132 Hawthorne St, San Francisco, CA 94107
  Service description: Exception Tracking
  Location of data processing: United States
  Transfer mechanism: Standard Contractual Clauses, EU-US Data Privacy Framework

Slack Technologies Limited
  Address: Salesforce Tower, 60 R801, North Dock, Dublin, Ireland
  Service description: Customer Service (on request by the customer)
  Location of data processing: United States
  Transfer mechanism: Standard Contractual Clauses, EU-US Data Privacy Framework

Google LLC
  Address: 1600 Amphitheatre Pkwy, Mountain View, CA, USA
  Service description: Google Workspace (Emails, Docs, Sheets); Ads, Analytics, Tag, Push Notification Service (Firebase Cloud Messaging)
  Location of data processing: Workspace: EU; Rest: globally, based on the user's location
  Transfer mechanism: Standard Contractual Clauses, EU-US Data Privacy Framework

Capterra Inc.
  Address: 1201 Wilson Blvd, Arlington, VA 22209, USA
  Service description: Conversion Tracking for PPC Campaigns via Capterra Platform
  Location of data processing: United States
  Transfer mechanism: EU-US Data Privacy Framework

Contact Us

If you have any questions about this Data Processing Agreement, you can contact us:

  • By email: support@allquiet.app

© 2024 All Quiet GmbH. All rights reserved.