Contract for processing data on behalf of Q.wiki Now! (V1.26 - valid from January 1, 2026)

* This English version of the Data Processing Agreement is an automatically generated translation of the original German document. It is provided solely for convenience. In the event of any discrepancies or inconsistencies, the German version shall prevail and is legally binding.

Preamble

The client (“responsible person”) would like to commission the contractor (“processor”) with the services specified in § 3. The processing of personal data is part of the execution of the contract. In particular, Article 28 GDPR imposes certain requirements on such order processing. In order to meet these requirements, the parties conclude the following agreement.

§ 1 Definitions

For terms used in this agreement, for which Article 4 GDPR provides a definition, this legal definition in the version valid at the time the contract is concluded also applies to this contract.

§ 2 Subject matter of the contract

2.1 The contractor provides the client with software-as-a-service services on the basis of the main contract. In doing so, the contractor and his employees or agents commissioned by the contractor have access to personal data and process them exclusively on behalf of and in accordance with the instructions of the client. The scope and purpose of data processing by the contractor result from the main contract (and, if available, from the associated service description) and from Appendix 1 to this contract. The client is responsible for assessing the admissibility of data processing.

2.2 In order to specify the mutual data protection rights and obligations, the parties conclude this agreement. In case of doubt, the provisions of the present contract take precedence over the provisions of the main contract.

2.3 The term of this contract depends on the duration of the main contract, unless the following provisions result in obligations beyond the term of the main contract. Cancellation rights arising from this contract remain unaffected by the above provision.

2.4 The present agreement remains valid beyond the end of the main contract as long as the contractor has personal data that was provided to him by the client or that he has collected for him.

2.5 The contractually agreed data processing generally takes place in a member state of the European Union or another state party to the Agreement on the European Economic Area. Any transfer to a third country only takes place if the special requirements of Art. 44 ff. GDPR are met.

§ 3 Right to issue instructions

3.1 The contractor may only process data within the framework of the main contract and in accordance with the client's instructions. If the contractor is required to carry out further processing under the law of the European Union or the Member States to which he is subject, he shall inform the client of these legal requirements before processing, provided that he is legally permitted to do so.

3.2 The client's instructions are initially defined by this contract and can then be amended, supplemented or replaced by individual instructions by the client in writing, in text form or via the software provided (individual instruction). The client is entitled to issue appropriate instructions at any time. This includes instructions regarding the correction and deletion of data and the restriction of processing.

3.3 All instructions issued by both the client and the contractor must be documented. Instructions that go beyond the service agreed in the main contract will be treated as a request for a change in performance. Rules on any remuneration for additional expenses arising from supplementary instructions from the client to the contractor remain unaffected.

3.4 If the contractor is of the opinion that an instruction from the client violates data protection regulations, he must immediately inform the client of this. The contractor is entitled to suspend execution of the relevant instruction until it is confirmed or amended by the client. The contractor may refuse to carry out an obviously illegal instruction.

§ 4 Type of data processed, group of data subjects

As part of the execution of the main contract, the contractor receives access to the personal data specified in Appendix 1, relating to the data subjects also specified in more detail in Appendix 1. This data may include the special categories of personal data listed in Appendix 1 and identified as such, if provided by the client.

§ 5 Technical and organizational measures taken by the contractor

5.1 The contractor is obliged to comply with the legal provisions on data protection and not to pass on the information obtained from the client's area to third parties without appropriate instructions or to suspend their access. Paper documents and data must be protected against access by unauthorised persons, taking into account the state of the art.

5.2 Within his area of responsibility, the contractor will design the internal organization in such a way that it meets the specific requirements of data protection. The contractor guarantees that it has taken all necessary technical and organizational measures to adequately protect the client's data in accordance with Article 32 GDPR, in particular at least the measures listed in Appendix 2. At the client's request, the contractor shall disclose the detailed circumstances of determining which measures are being taken and the implementation of the measures.

The contractor reserves the right to improve the security measures taken, ensuring that the level of protection does not fall below the contractually agreed level and that the client is immediately informed of significant changes.

5.3 The contact person for data protection at the contractor is:

Modell Aachen GmbH
Interactive management systems
Am Kraftversorgungsturm 5
52070 Aachen, Germany
For your attention: data protection officer
datenschutz@modell-aachen.de

The client must be notified immediately of any change in the person of the data protection officer/contact person for data protection.

5.4 Persons employed during data processing by the contractor are prohibited from processing personal data without authorization. The contractor will oblige all persons who are entrusted by him with the processing and performance of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 para. 3 subpara. 1 sentence 2 lit. b GDPR), of the special data protection obligations arising from this contract as well as the existing instruction or purpose obligation and ensure compliance with the above obligation with due care. These obligations must be formulated in such a way that they remain in place even after the termination of this contract or the employment relationship between the employee and the contractor. Upon request, the client must prove the obligations of the employees in an appropriate manner.

§ 6 Contractor's duties to provide information

6.1 In the event of disruptions in processing activities, suspicion of data breaches or breaches of contractual obligations on the part of the contractor, or suspicion of other security-relevant incidents at the contractor, persons employed by him as part of the order or by third parties, the contractor will inform the client in text form immediately, but at the latest within 48 hours of becoming aware of this. The initial notification may be preliminary; missing or new information will be submitted without undue delay. The same applies to inspections of the contractor by the data protection supervisory authority concerning processing or facts relevant to the client. The report of a personal data breach includes, as far as possible, the following information:

a) a description of the nature of the personal data breach, including, as far as possible, the categories and number of data subjects, the categories concerned and the number of personal data sets affected
b) a description of the likely consequences of the breach
c) a description of the measures taken or proposed by the contractor to remedy the breach and, where appropriate, measures to mitigate its potential adverse effects

6.2 The contractor shall immediately take the necessary measures to secure the affected data and to reduce possible adverse consequences for the person(s) concerned, shall inform the client of this, ask him for further instructions and provide the client with further information at any time, insofar as his data is affected by a breach in accordance with paragraph 1.

6.3 Should the client's data be endangered by the contractor as a result of seizure or seizure, insolvency or settlement proceedings or other events or measures taken by third parties, the contractor must immediately inform the client of this, unless he is prohibited from doing so by a court or official order. In this context, the contractor will immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the client.

6.4 The contractor must immediately inform the client of significant changes to the security measures in accordance with Section 5 (2).

6.5 The contractor shall participate to an appropriate extent in drawing up the list of procedures by the client and in preparing a data protection impact assessment in accordance with Article 35 GDPR and, where applicable, in prior consultation with data protection supervisory authorities in accordance with Article 36 GDPR. He must provide the client with the required information in an appropriate manner.

§ 7 Client's control rights

7.1 Before starting data processing and then regularly, the client satisfies himself of the contractor's technical and organizational measures. For this purpose, he can, for example, obtain information from the contractor, have existing certificates presented by experts, certifications or internal audits, or, if possible, personally check the contractor's technical and organizational measures after timely coordination during normal business hours or have them checked by an expert third party, provided that the latter is not in a competitive relationship with the contractor. The client will only carry out checks to the extent necessary and will not disproportionately disrupt the contractor's operations. On-site checks are secondary, i.e. only if the previously provided information, certificates, certifications or questionnaires are not sufficient for an appropriate assessment.

7.2 At the client's oral or written request, the contractor undertakes to provide the client with all information and evidence required to carry out an inspection of the contractor's technical and organizational measures in accordance with Appendix 2.

Support services that go beyond this must be reimbursed by the client. This does not apply to support services required as a result of a government order, a security incident with the contractor, or a material breach by the contractor of this agreement.

On-site inspections shall take place no more than once within twelve months, after appropriate lead time, and shall be limited to one audit day. Travel and accommodation costs as well as a reasonable daily rate charged by the contractor are borne by the client.

7.3 The client documents the results of the checks carried out by him and communicates them to the contractor. In the event of errors or irregularities, which the client discovers, in particular when examining order results, he must immediately inform the contractor. If, during the inspection, facts are identified whose future prevention requires changes to the ordered procedural flow, the client shall immediately inform the contractor of the necessary procedural changes.

7.4 The contractor shall prove to the client the obligation of employees in accordance with Section 5 (4) upon request.

§ 8 Use of subcontractors

8.1 The client gives the contractor general permission to use further subcontractors within the meaning of Article 28 GDPR to perform its contractually agreed services. The contractor will specify all subcontracting relationships that already existed at the time of conclusion of the contract in Appendix 3 to this contract. The client must be informed in advance of any intended addition or replacement of subcontractors.

8.2 The client may object in writing or in text form to the establishment of further or replacement of subcontracting relationships within a period of 2 (two) weeks after receipt of information about the change. In the event of an objection, the contractor may, at its own discretion, provide the service without the intended change or — if the provision of the service is not possible without the contractor's intended change — terminate the services affected by the change vis-à-vis the client for good cause.

8.3 The contractor is obliged to carefully select subcontractors based on their suitability and reliability. When engaging subcontractors, the contractor must oblige them in accordance with the provisions of this agreement and ensure that the client can also exercise its rights under this agreement (in particular its testing and control rights) directly vis-à-vis the subcontractors. If subcontractors are to be involved in a third country, the contractor must ensure that the respective subcontractor guarantees an appropriate level of data protection (e.g. by concluding an agreement based on EU standard data protection clauses). On request, the contractor will prove to the client that the above agreements have been concluded with its subcontractors.

8.4 A subcontractor relationship within the meaning of these provisions does not exist if the contractor engages third parties with services that are to be regarded as purely ancillary services. This includes, for example, postal, transport and shipping services, cleaning services, telecommunications services without specific reference to services provided by the contractor for the client, and security services. Maintenance and testing services represent subcontractor relationships within the meaning of paragraph 1, insofar as these are provided for IT systems that are also used in connection with the provision of services to the client.

§ 9 Requests and rights of data subjects

9.1 The contractor supports the client with appropriate technical and organizational measures in fulfilling the client's obligations under Articles 12 — 22 and 32 and 36 GDPR.

9.2 If a data subject asserts rights, for example to provide information, correct or delete their data, directly against the contractor, the contractor does not react independently, but immediately refers the data subject to the client and awaits his instructions.

§ 10 Liability

10.1 The client and the contractor are liable to affected persons in accordance with the provision made in Article 82 of the GDPR. The contractor agrees with the client on any fulfilment of liability claims.

10.2 The contractor releases the client from all claims that data subjects assert against the client due to the breach of an obligation imposed on the contractor by the GDPR or due to failure to comply with or breach of an obligation set out in this agreement or an instruction issued separately by the client.

10.3 The parties release themselves from liability if/insofar as a party proves that it is in no way responsible for the fact that the damage occurred to an affected person. In addition, Article 82 (5) GDPR applies.

10.4 Unless otherwise stated above, liability under this contract is equal to that of the main contract.

§ 11 Extraordinary right of termination

The client may terminate the main contract in whole or in part without notice if the contractor fails to fulfill its obligations under this contract, violates the provisions of the GDPR intentionally or grossly negligently, or cannot or does not want to carry out an instruction from the client. In the case of simple — i.e. neither intentional nor grossly negligent — violations, the client shall set the contractor a reasonable period within which the contractor can remedy the infringement.

§ 12 Termination of the main contract

12.1 After termination of the main contract or at any time at the client's request, the contractor will return all documents provided to him in paper form, data and data carriers or — at the client's request, unless there is an obligation to store personal data under Union law or the law of the Federal Republic of Germany. The obligation to surrender or destroy also applies to any data backups made by the contractor. The contractor must provide documented proof of proper deletion.

12.2 The client has the right to check the complete and contractual return or deletion of the data by the contractor in an appropriate manner or to have it checked by an expert third party, provided that the latter is not in a competitive relationship with the contractor. Any costs arising from the assignment and verification by a third party shall be borne by the client.

12.3 The contractor is obliged to keep confidential the information that has become known to him in connection with the main contract even after the end of the main contract.

§ 13 Final Provisions

13.1 The parties agree that the contractor has no right of retention with regard to the data to be processed and the associated data carriers.

13.2 Amendments and additions to this contract, the declaration of termination and the amendment of this clause must be made in writing to be effective.

13.3 Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions.

13.4 This Agreement is subject to German law. The exclusive place of jurisdiction is Aachen.


The following attachments form part of this order processing agreement:

Appendix 1 — Description of affected persons/groups of data subjects and the data/data categories in particular need of protection

Appendix 2 — Technical and organizational measures taken by the contractor

Appendix 3 — Approved subcontractors


Appendix 1 — Description of data subjects/groups of data subjects and data categories in particular need of protection

Type(s) of personal data:

All data that the client processes voluntarily as part of the interactive management system software Q.wiki is considered as the type of personal data processed on behalf of the client. These are usually, in particular,

• Customer master data (e.g. name, address, contact details)
• Communication data
• Usage and content data
• Company-related data (role, location, department)

As part of the operation of Q.wiki, Modell Aachen generally does not collect or process any special categories of personal data within the meaning of Article 9 (1) GDPR. Such data will only be processed if the client independently and voluntarily enters such information into the system. In these cases, processing is carried out exclusively in accordance with the client's instructions and on the basis of this order processing agreement.

Categories of affected persons:

The number of persons affected by data processing depends on the group of people to whom the client provides access to the interactive management system software Q.wiki. In particular, this may include

• employees and customers of the client and
• act with other third parties (e.g. technical service providers/interested parties or professional secrecy providers such as tax advisors or lawyers).


Appendix 2 - Technical and organizational measures taken by the contractor

The contractor shall take the following technical and organizational measures for data security within the meaning of Art. 32 GDPR.

Data location: Processing exclusively in the EU/EEA area, including data backups.

Certification: Modell Aachen operates an information security management system (ISMS) and is certified in accordance with ISO/IEC 27001. A current certificate can be provided upon request.

Provider standards: Physical security and data center operation are carried out in accordance with recognized standards of the cloud/data center provider (e.g. ISO/IEC 27001).

Confidentiality
Access control (physical access)
• Access via a chip card/transponder system operated by the landlord,
• Key/transponder management by the landlord
• Visitor management with registration and support,
• Use of external cleaning and security services only after careful selection and confidentiality obligations.

Access control (logical system access)
• Strong authentication: use of separate administrative accounts.
• Password policy: minimum length 12 characters, secure storage using state of the art.
• Single sign-on support
• Administrative accesses: IP restrictions for administrative access are used as far as technically possible and agreed upon.

Access control (permissions and data access)
• Role and authorization concept based on the least privilege principle, rights management by authorized employees (operations/administration).
• Separation of work and administrative accounts, reduction of the number of privileged accounts to the necessary minimum
• Joiner/Mover/Leaver: Quick setup/change/withdrawal of authorizations in case of personnel changes.
• Data carriers/media: Logical deletion before reuse, physical destruction of internal data carriers in accordance with DIN 66399, if applicable. Cloud storage is subject to the provider's certified procedures.

Pseudonymization and encryption
• Data transfer: All connections to Q.wiki are encrypted
• Data storage (at rest): Encryption of dormant data using current encryption methods recognized as secure by the BSI.
• Pseudonymization not required due to the system

Separation control (separation requirement)
• Client separation: Technical separation of customer data through client logic, access checks at client level.
• Environments: Strict separation of development, test and production systems


Integrity
Input control
• Processing of personal data exclusively under individual user accounts; group accounts are avoided.
• Procedures and responsibilities for changes subject to approval are defined

Transfer/transfer control
• Personal data is transmitted between system components, locations and to authorized third parties exclusively via encrypted connections.
• International transfers: No transfers to third countries outside the EU/EEA area; should such become necessary in individual cases, they will only be made on a valid legal basis (e.g. SCC) and after prior information.

Availability and resilience
• Operates on high-availability cloud infrastructure
• Reducing failure risks through redundant components and operation in professional data center environments from the cloud provider
• Capacity management and regulated operating processes to maintain service quality
• Periodic review, assessment and evaluation procedures

Data protection and information security management
• Company-wide guidelines on data protection and information security, confidentiality obligations of all employees and regular training
• Operation of a certified ISMS in accordance with ISO/IEC 27001, continuous improvement of security measures
• Data protection through technology design and privacy-friendly default settings in accordance with Art. 25 GDPR (e.g. role-based rights with minimal standard authorizations)

Dealing with security incidents
• Procedures for identifying, containing, resolving and following up on security incidents
• Assisting the client in fulfilling its obligations under Art. 33/34 GDPR (notification/communication), including provision of available information about the incident

Deletion and return of data
• After the end of the contract, processing is carried out only for the purpose of orderly termination

Endpoint security (employees)
• Corporate devices with disk encryption, latest security updates, and personalized user accounts
• Secure remote work (e.g. VPN) and baseline hardening of end devices, guidelines for handling removable drives

Order control and sub-processors
• Processing exclusively on documented instructions from the client, internal guidelines prevent unauthorised processing
• Confidentiality obligation of all persons with access to personal data


Appendix 3 — Approved subcontractors

To process data on behalf of the client, the contractor uses services from third parties who process data on its behalf (“subcontractors”). These are the following companies:


Company:
Freshworks Inc.
2950 S. Delaware Street
San Mateo, CA 94403, United States
Services:
Customer Support Ticketing and Knowledge Base


Company:
Google EMEA Limited
70 Sir John Rogerson's Quay
Dublin 2, Ireland
Services:
Infrastructure as a Service (IaaS)
Regions used:
• Germany: FRANKFURT europe-west3
• Belgium: BELGIUM europe-west1


Company:
Mixpanel
Pier 1, Bay 2,
The Embarcadero
San Francisco, CA 94111 United States
Services:
Analyzing usage data to improve Q.wiki


Company:
Mailgun Technologies Inc.
112 E. Pecan Street
San Antonio, TX 78205, United States
Services:
Q.wiki mailing (e.g. tasks, password reset)


Company:
Relaix Networks GmbH
Kackertstrasse 10
52072 Aachen
Services:
Colocation & Operational Space/Data Center

Company:
Userlane GmbH
Rosenheimer Strasse 143c
81671 Munich
Services:
Digital assistant for software-supported implementation of user training


Company:
Productboard Inc.
333 Bush Street
San Francisco, CA 94104 United States
Services:
Managing and editing customer feedback


Company:
360 Learning SA
37 rue des Mathurins
Paris, France
Services:
Administration and implementation of user training

Company:
Cloudflare Inc.
101 Townsend St.
San Francisco, CA 94107, United States
Services:
Protection against web application attacks (WAF), defense against DDoS attacks, and limiting requests to ensure resource conservation and availability (rate limiting)


Company:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052, United States
Services:
1. Using Microsoft Azure services to support our services — in particular to use LLMs to answer prompts, build a vector database for searches, and to automatically translate Q.wiki content.
2. Use of cloud and AI services for temporary data processing — for example for language processing, automatic translation, semantic search, and the creation and optimization of processes.


Company:
Hubspot
2 Canal Park
Cambridge, MA 02141
United States
Services:
Customer communication and contract management
