Order Processing Contract in accordance with Art. 28 GDPR

InLoox GmbH

Order Processing Contract in accordance with Art. 28 GDPR

Version: 24 April 2018

Agreement

between the

customer of InLoox GmbH
- Party responsible - hereinafter referred to as the Client -

and

InLoox GmbH, Walter-Gropius-Strasse 17, D-80807 München
- Order processor - hereinafter referred to as the Contractor -

1. Subject matter and duration of the order

(1) The subject matter of the order depends on the respective order of the customer and the general terms and conditions referenced therein, which are collectively referred to here as the “Service Agreement”.

(2) The duration of this order (term) is the same as the term of the Service Agreement.

2. Specification of the order content

(1) The type and purpose of the processing of personal data by the Contractor for the Client are described specifically in the Service Agreement. The Contractor will provide the following services in particular for the Client within the framework of the Service Agreement:

The provision of the contractually agreed data processing will be carried out by the Contractor itself exclusively in a member state of the European Union or in another contracting country of the Agreement on the European Economic Area. Where expressly indicated in Appendix 1 - Technical and Organisational Measures - individual processing operations take place outside a Member State of the European Union or another Contracting State to the Agreement on the European Economic Area; in these cases, however, the appropriate level of protection is always guaranteed in the third country (see Appendix 2) and ensured by the measures specified in Appendix 1. Any other transfer to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled. Such consent may be granted for individual processing operations referred to in this Contract for one specific third country at a time, including in respect of subcontracting relationships.

(2) The subject matter of the processing of personal data is the following data types/categories (list/description of the data categories):

(3) The categories of the persons concerned by the processing include:

3. Technical and organisational measures

(1) Before beginning the processing, the Contractor must document the implementation of the necessary technical and organisational measures specified before the placing of the order, in particular with regards to the specific order performance, and hand the documentation over to the Client for verification. Upon acceptance by the Client, the documented measures will form the basis of the order. If the verification/an audit by the Client results in a need for adjustment, this must be carried out mutually.

(2) The Contractor must establish security in accordance with Art. 28(3)(c) and Art. 32 GDPR, in particular in connection with Art. 5(1) and (2) GDPR. Altogether, the measures to be executed are measures for data protection and to guarantee a protection level appropriate to the risk in terms of the confidentiality, integrity, availability and capacity of the systems. The technical sophistication, the implementation costs, the type, extent and purpose of the processing, and the differing likelihood of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR must thereby be considered. The particular technical and organisational measures taken are listed in Appendix 1.

(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The security level of the agreed measures may thereby not fall below the minimum requirement. Significant changes must be documented.

4. Amendment, restriction and deletion of data

(1) The Contractor may not amend or delete data that is processed in the order, or restrict its processing, on its own authority, but may only do so after receiving documented instructions from the Client, unless statutory requirements oblige the Contractor to take action independently. Should a person concerned contact the Contractor directly in this respect, the Contractor will forward this request immediately to the Client.

(2) If included in the scope of the service, the deletion plan, right to be forgotten, correction, data portability and information must be ensured directly by the Contractor after receiving documented instruction from the Client.

5. Quality assurance and other duties of the Contractor

In addition to compliance with the regulations of this order, the Contractor also has statutory duties in accordance with Art. 28 to Art. 33 GDPR; in this respect, it guarantees adherence to the following standards in particular:

a) Written appointment of a data protection officer who carries out their activities in accordance with Art. 38 and Art. 39 GDPR. The contact details of the data protection officer must be shared with the Client upon contract conclusion. Changes of the data protection officer must be reported to the Client immediately.

b) The safeguarding of confidentiality in accordance with Art. 28(3)(2)(b), Art. 29 and Art. 32(4) GDPR. When carrying out its work, the Contractor will only use employees who are bound to confidentiality and have been familiarised beforehand with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the authorisations granted in this Contract, unless they are legally obliged to process the data.

c) The implementation of and compliance with all technical and organisational measures necessary for this order in accordance with Art. 28(3)(2)(c) and Art. 32 GDPR. The details are listed in Appendix 1.

d) The Client and the Contractor will work together with the supervisory authority, upon request, in the performance of their tasks.

e) The immediate informing of the Client about control actions and measures by the supervisory authorities, if they relate to specific and fundamental assignments and if such information is not prohibited by law. This also applies if a competent authority is carrying out an investigation of the order processing by the Contractor in relation to the processing of personal data, within the framework of administrative offence or criminal proceedings.

f) If the Client is subject in turn to an examination by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party, or another claim in connection with the order processing by the Contractor, the Contractor must support it to the best of its abilities, to the extent legally permitted.

g) The Contractor will regularly control the internal processes, as well as the technical and organisational measures, in order to guarantee that the processing within its area of responsibility takes place in accordance with the requirements of the applicable data protection law, and that the protection of the rights of the person concerned is guaranteed.

h) Verifiability of the technical and organisational measures for the Client within the framework of its control authorisation in accordance with Section 7 of this Contract.

6. Subcontracting relationships

(1) Subcontracting relationships within the meaning of this rule are such services that relate directly to the provision of the main service. These do not include secondary services that the Contractor uses, e.g. in the form of telecommunications services, post/transport services, maintenance and user services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and capacity of hardware and software of data processing systems. However, the Contractor is obliged to also use appropriate and lawful contractual agreements and control measures to guarantee the data protection and data privacy of the Client’s data in the case of outsourced secondary services.

(2) The Contractor may only assign subcontractors (other order processors) after receiving prior explicit written permission or documented permission from the Client.

a) The Client agrees to the tasking of the subcontractors named in Appendix 2 under the condition of a contractual arrangement in accordance with Art. 28(2-4) GDPR.

b) Changes of the existing subcontractor are permitted provided that:

(3) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor will ensure legitimacy under data protection law by corresponding measures. The same applies if service providers within the meaning of paragraph (1), sentence 2, are used.

(4) Any further outsourcing by the subcontractor requires the explicit permission of the main client (text form at least). All contractual regulations in the contract chain must also be imposed on the other subcontractor. The technical and organisational measures of subcontractors must comply with the technical and organisational measures defined herein and may only fall below the level agreed herein in justified circumstances.

7. Control rights of the Client

(1) The Client has the right, in consultation with the Contractor, to carry out reviews or have reviews carried out by examiners named on a case-by-case basis. It has the right to satisfy itself of the Contractor’s adherence to this Agreement in its business operations by means of random sample controls, which must generally be announced in good time and at least 14 days beforehand.

(2) The Contractor will ensure that the Client can satisfy itself of the Contractor’s adherence to its obligations in accordance with Art. 28 GDPR. The Contractor is obliged to share the required information with the Client upon request and, in particular, to demonstrate the implementation of the technical and organisational measures.

(3) The demonstration of such measures that do not just concern the specific order can take place by:

8. Reporting of violations by the Contractor

(1) The Contractor will support the Client in the compliance with the duties for the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations, named in Articles 32 to 36 GDPR. This includes, inter alia:

a) Ensuring a suitable protection level by means of technical and organisational measures that consider the circumstances and purpose of the processing and the forecasted probability and severity of a possible rights violation by security flaws, and enable immediate detection of relevant incidents of violation;

b) the obligation to immediately report breaches of personal data to the Client;

c) the obligation to support the Client within the framework of its obligation to provide information to the party concerned, and to provide it with all relevant information in this regard immediately;

d) immediately forwarding requests from persons concerned, e.g. requests for information, to the Client;

e) supporting the Client in its data protection impact assessment;

f) supporting the Client within the framework of prior consultation with the supervisory authority.

(2) For support services that are not included in the service description or cannot be traced back to misconduct of the Contractor, the Contractor may claim compensation. The basis for the calculation of the remuneration is the Service Agreement or the general remuneration rates of the Contractor for comparable activities.

9. Authority of the Client to issue instructions

(1) The Client will confirm verbal instructions immediately (text form at least).

(2) The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor is entitled to discontinue the implementation of the corresponding instruction until it is confirmed or changed by the Client.

10. Deletion and return of personal data

(1) Copies or duplicates of data will not be produced without the knowledge of the Client. Exceptions are backup copies, if they are necessary to guarantee proper data processing, and data that is necessary in terms of adherence to statutory retention obligations.

(2) After the completion of the contractually agreed work or earlier upon request by the Client – upon the termination of the Service Agreement at the latest – the Contractor must hand over all documents, processing and use results produced, and databases, that it obtains possession of in connection with the contractual relationship, to the Client or destroy them in accordance with data protection law after obtaining prior permission. The same applies for test and scrap material.

(3) Documentation that proves proper data processing suitable for the order must be stored by the Contractor in accordance with the respective retention periods beyond the end of the Contract. The Contractor may hand this documentation over to the Client at the end of the Contract in order to discharge itself of this obligation.

11. Other

The point of contact on the part of the Client, including for data protection matters, is generally the person named as the billing contact; this can be changed or added to at any time by the Client. The point of contact on the part of the Contractor is its respective data protection officer, who can be reached at dataprotection@inloox.com.

Appendix 1 – Technical and Organisational Measures

A. Contractor:

1. Confidentiality (Art. 32(1)(b) GDPR)

2. Integrity (Art. 32(1)(b) GDPR)

3. Availability and capacity (Art. 32(1)(b) GDPR)

4. Procedure for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

B. Subcontractors:

See also the references to the current state of the measures for each respective subcontractor in Appendix 2.

1. Microsoft Corporation, as of April 2018

General practice. Microsoft has taken the following security measures for the online services, and will maintain and follow them. In connection with the security obligations in the OST, these security measures represent the individual responsibility of Microsoft in relation to the security of customer data:

Information security guideline for online services
For Microsoft Azure core services and Microsoft Cloud App Security, a written data security guideline (“Information Security Guideline”) applies, containing the control standards and framework conditions of ISO 27007, inter alia. You will find information about further certification at https://www.microsoft.com/de-de/TrustCenter/Compliance/ISO-IEC-27001.

Checking of online services by Microsoft
For every online service, Microsoft carries out the following checks regarding computer security, data processing environments and physical data centres that it uses to process customer data (including personal data):

For each test, a test report will be created (“Microsoft test report”), which will count as confidential information of Microsoft. The Microsoft test report will clearly disclose the significant findings of the examiner. Microsoft will immediately rectify all problems detected in a Microsoft test report, to the satisfaction of the examiner.

Upon request by the customer, Microsoft will provide the customer with the individual Microsoft test reports, so that the customer can convince itself of Microsoft’s compliance with the security obligations under the terms of the DPT. The Microsoft test report is subject to the confidentiality and distribution restrictions of Microsoft and the examiner.

2. SendGrid Inc., as of April 2018

1. Network-Level Controls

a) SendGrid will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data. The firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for strong encryption and hashing, ICMP- and SNMP-based monitoring and anti-spoofing.

b) SendGrid will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.

c) SendGrid will assess network-level vulnerabilities and address critical vulnerabilities within 30 days.

d) SendGrid will employ change management standards for network/infrastructure components handling Personal Data.

2. Hosting Level Controls

a) SendGrid will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, SendGrid will implement access control processes and restrict access to operating system configurations based on the least privilege principle.

b) SendGrid will perform patch management on systems that host or handle Personal Data. SendGrid will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.

c) SendGrid will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.

d) SendGrid will, at a minimum, assess system-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will employ a comprehensive antivirus or endpoint security solution for endpoints which handle Personal Data.

f) Physical servers will be protected with appropriate physical security mechanisms, including but not limited to badged access, locked cages, secure perimeter, cameras, alarms, and enforced user provisioning controls.

3. Application-Level Controls

a) SendGrid will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.

b) SendGrid will employ secure programming guidelines and protocols in the development of applications processing or handling Personal Data.

c) SendGrid will regularly perform patch management on applications that host or handle Personal Data. SendGrid will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.

d) SendGrid will, at a minimum, assess application-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will perform code review and maintain documentation of code reviews performed for applications that host or handle Personal Data.

f) SendGrid will employ change management standards for applications hosting or handling Personal Data.

4. Data-Level Controls

SendGrid will use strong encryption (TLS) for transmission of Personal Data that is considered Confidential Information. Data backups of Personal Data will be encrypted at rest and while in transit; however due to the dynamic nature of data in SendGrid’s production environment, Personal Data in SendGrid’s production databases will not be encrypted at rest.

5. End User Computing Level Controls

a) SendGrid will employ an endpoint security or antivirus solution for end user computing devices that handle Personal Data.

b) SendGrid will ensure that end user computing devices that handle Personal Data are encrypted.

6. Compliance Controls

a) SendGrid will make a good faith effort to operate within the parameters of SendGrid’s then-current Information Security Policy. This Policy will be provided to Customer in soft copy format upon request.

b) Notwithstanding any of the foregoing, SendGrid will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.

Appendix 2 – Approved subcontracting contracts

The order processors below are considered approved upon signing the Agreement:

Name of the order processor:

Microsoft Corporation

Subject of performance:

Microsoft Azure data centres that InLoox hires for internal use, e.g. for administration, development, support and marketing

Company head office and country:

One Microsoft Way, Redmond, Washington 98052, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Standard data protection clauses (Art. 46 (2)(c) and (d) GDPR):

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

Microsoft Ireland Operations Limited

Subject of performance:

Microsoft Cloud Germany data centres that InLoox hires within the framework of InLoox now!

Company head office and country:

One Microsoft Place, South County Business Park, Leopardstown, Dublin, D18 P521, Ireland

Data processing location:

EU only

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

SendGrid Inc.

Subject of performance:

E-mail notifications from InLoox now! to users stored in the project platform about actions of other users, as well as e-mail notifications from InLoox support and other administrative systems, such as the InLoox Online Store.

Company head office and country:

1801 California St., Suite 500, Denver, Colorado 80202, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Adequacy decision of the Commission (Art. 45(3) GDPR) via the EU-U.S. Privacy Shield

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “2. SendGrid Inc.”

Date: 2018-04-24