Preamble
This Data Processing Agreement (“DPA”) specifies the obligations of the contracting parties regarding the processing of personal data described in detail in the principal agreement concluded between Controller and Processor on [Date] (the “Agreement”). It shall apply to all processing activities in connection with the Agreement through which employees or persons commissioned by the Processor may come into contact with personal data (“data”) of the Controller.
1. Subject matter, duration and specification of the data processing
- The term of this DPA is based on the term of the Agreement. The data will be deleted after termination of the Agreement, provided that they are not subject to any retention obligations.
- The nature and subject matter of the processing are described in the Agreement and include in particular the provision of an investment platform.
- The purpose of the processing is described in the Agreement and includes, in particular, the creation and management of user rights and the processing of data entered by users when using the software.
- The following types of personal data may be processed:
  - master data of clients and customers of the Controller, insofar as they are actively entered
  - contact data of contact persons
  - usage data
  - data that the Controller actively enters, e.g. in free text fields
  - data that is actively entered by third parties when an input link is shared by the Controller with these third parties
- The following categories of data subjects may be affected by the processing:
  - Controller, contact persons at the Controller
  - clients of the Controller
  - employees / users
2. Scope and responsibility
- The Processor processes data on behalf of the Controller. This includes activities that are specified in the Agreement. Regarding the processing of the data, the Controller shall be responsible for compliance with the statutory provisions on data protection, in particular for the lawfulness of the data processing.
- The instructions shall initially be stipulated by this DPA and may thereafter be amended, supplemented or replaced by the Controller in writing or in text form by means of individual instructions addressed to the office designated by the Processor (individual instructions). Instructions that go beyond the contractually agreed performance shall be treated as a request for a change in performance.
3. Duties of the Processor
- The Processor may only process data of data subjects within the scope of the Agreement and the documented instructions of the Controller. If the Processor is obligated by national or European law to process data in a manner that deviates from this, the Processor shall - insofar as this is legally permissible - inform the Controller of this circumstance prior to the start of the processing.
- The Processor shall implement appropriate technical and organizational measures to adequately protect the Controller’s data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. The measures shall ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing on a permanent basis. The Controller is aware of these technical and organizational measures. It bears the responsibility for ensuring that they provide an adequate level of protection for the risks presented by the data being processed.
- The Processor reserves the right to change the technical and organizational measures taken, but it must be ensured that the changes do not degrade the contractually agreed level of protection.
- The Processor shall support the Controller within the scope of its possibilities and the contractually owed performance in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR as well as in complying with the obligations set forth in Articles 33 to 36 of the GDPR.
- The Processor warrants that the employees involved in the processing of the Controller's data and other individuals working for the Processor are prohibited from processing the data beyond the scope of the Controller's instructions. Furthermore, the Processor warrants that the individuals authorized to process data shall be obliged to maintain confidentiality or shall be subject to an appropriate legal duty of confidentiality. The confidentiality and the obligation to maintain secrecy shall continue to apply even after termination of this DPA.
- The Processor shall inform the Controller without undue delay if it becomes aware of any violations of this DPA. The Processor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects, and shall consult with the Controller on this without undue delay.
- The Processor shall name a contact person for the Controller for data protection issues arising within the scope of the DPA.
- The Processor warrants to comply with its obligations under Art. 32 (1) lit. d GDPR and to implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the processing.
- The Processor shall correct or delete the data if the Controller instructs it to do so and this is covered by the scope of the instructions. If a deletion in compliance with data protection or a corresponding restriction of data processing is not possible, the Processor shall undertake the destruction of data carriers and other materials in compliance with data protection on the basis of an individual assignment by the Controller, unless already agreed in the contract.
- Data, data carriers as well as all other materials shall be either surrendered or deleted upon the Controller's request after the termination of the Agreement.
- The Processor shall process the Controller's data exclusively within the EU and the EEA. Any processing outside the EU and the EEA - also by sub-processors - requires the express consent of the Controller in text form. The requirements of Chapter V of the GDPR must be met.
4. Obligations of the Controller
- The Controller shall inform the Processor immediately and in full if it identifies errors or irregularities in the work results regarding data protection regulations.
- In the event of a claim by a data subject under Art. 82 GDPR, the Controller and the Processor undertake to support each other in the defense of the claim, including with regard to the verification of the capacity to sue.
- The Controller shall name to the Processor a contact person for data protection issues arising within the scope of this DPA.
5. Requests from data subjects
If a data subject approaches the Processor with requests for correction, deletion or information, the Processor will refer the data subject to the Controller, provided that an assignment to the Controller is possible according to the data subject's information.
6. Verification options
- 6.1 The Processor shall prove to the Controller compliance with the obligations set forth in Art. 28 GDPR and this DPA by appropriate means. To prove compliance with the agreed obligations, the Processor may provide the Controller with certificates and test results of third parties (e.g. according to Art. 42 GDPR or ISO 27001) or test reports of the company data protection officer.
- 6.2 If, in individual cases, inspections by the Controller or an inspector commissioned by the Controller are necessary, these shall be carried out during normal business hours, without disrupting operations, after notification and taking into account a reasonable lead time. The Processor may make such inspections conditional upon the signing of an appropriate confidentiality agreement. Should the auditor commissioned by the Controller be in a competitive relationship with the Processor, the Processor shall have a right of objection against the auditor.
- 6.3 Should a data protection supervisory authority or other public supervisory authority of the Controller carry out an inspection, 6.2 shall apply accordingly as a matter of principle. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality, where a violation is punishable under the Criminal Code.
- 6.4 The Processor may demand reasonable remuneration for assistance in conducting an inspection pursuant to 6.2 or 6.3, unless the inspection is prompted by the urgent suspicion of a data protection incident in the Processor's area of responsibility or of another violation of this DPA by the Processor. In this case, the suspicious facts are to be presented by the Controller together with the announcement of the inspection.
7. Sub-processors
- The Controller agrees that the Processor may engage sub-processors. Prior to the involvement or replacement of sub-processors, the Processor shall inform the Controller in text form with a reasonable notice period. The Controller may object to the change only for good cause. The objection must be made within two weeks of being informed and all material reasons must be expressly stated. If no objection is made within this period, the change shall be deemed to have been approved. No separate information shall be provided regarding the sub-processors and partial services already existing at the time of conclusion of this DPA. At the time of conclusion of this DPA, the Controller expressly agrees to the following sub-processors:
  - Google Cloud, hosting provider
  - Amazon Web Services (“AWS”), hosting provider
  - Atlassian, project management tool
  - Mapbox International, LLC, USA
  - Mapbox GmbH, Germany
  - GitLab Cloud, code development, testing, and ticketing system
- If the Processor concludes agreements with sub-processors, the Processor shall be obliged to pass on its data protection obligations under this DPA to the sub-processors.
- Upon written request of the Controller, the Processor shall at any time provide information about the data protection-related obligations of its sub-processors.
8. Information obligations, written form clause, choice of law
- If the Controller's data at the Processor are endangered by seizure or attachment, by insolvency or composition proceedings, or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay. The Processor shall immediately inform all persons responsible in this context that the sovereignty over and ownership of the data rest exclusively with the Controller as the "controller" within the meaning of the General Data Protection Regulation.
- Amendments and supplements to this DPA and all of its components - including any warranties of the Processor - shall require a written agreement, which may also be in electronic form, and the express indication that it is an amendment or supplement to this DPA. This also applies to the waiver of this formal requirement.
- In the event of any contradictions, the provisions of this DPA shall take precedence over the provisions of the Agreement. Should individual parts of this DPA be invalid, this shall not affect the validity of the remainder of the DPA.
- To the extent that the parties have in the past, for the purposes described in the Agreement, already concluded a data processing agreement, this DPA shall replace the previous data processing agreement(s).
- German law shall apply.