Data Processing Agreement

03. 01. 2023

This Data Processing Agreement is concluded as an annex to the main contract between the customer (client) and the sole proprietorship Hans Goedecke (processor), as identified in the offer email. This agreement governs the processing of personal data that the client uploads or otherwise provides to the processor in connection with the services, as well as the processing of personal data that the processor uploads or otherwise provides to the client in connection with the services.

§ 1

Scope of the contract and its duration

  1. The scope of this annex to the contract is the data processing which the processor of the order carries out for the client within the framework of the main contract. This includes any processing of personal data within the scope of the main contract according to Art. 28 GDPR.
  2. The purpose of the processing is the fulfillment of the main contract by the processor and the fulfillment of the obligations of both parties under the GDPR.
  3. The term of this contract is determined by its purpose. It shall run for the duration of the main contract including the fulfillment of warranty obligations or other post-contractual obligations by the processor. If the main contract is terminated, this contract shall remain in force for the duration of the remaining post-contractual obligations and shall not end until the main contract has been fully terminated and the data has been deleted or returned in accordance with this annex.

§ 2

Type of data, data subjects, and processing, place of contract

  1. This annex to the contract shall apply to all types of processing operations referred to in Art. 4 No. 2 GDPR.
  2. The type of data processed shall include all data processed by the processor on behalf of the client under the main contract. The data is specified in Annex 1 to this agreement.
  3. The categories of the persons affected by this agreement result from the client's use of data; they are listed in more detail in Annex 1 to this agreement.
  4. Processing outside the European Union is only possible in the cases permitted by law.

§ 3

Responsibility and instructions

  1. This annex to the contract does not change the fact that the client remains solely responsible for compliance with data protection laws and the lawful transfer of data to the processor pursuant to Art. 4 No. 7 GDPR. This shall also apply to all processing operations which are subject to this annex.
  2. Instructions within the scope of data processing shall be specified by the client initially in the main order. Further instructions may then be given orally or in text form. The processor has the right to demand that verbal instructions are confirmed immediately in text form (e.g. via email or other electronic means). The processor may, except in the case of imminent danger, make the execution of the instruction dependent on a prior instruction in text form.
  3. Instructions that go beyond the content of the main contract shall only be binding for the processor if they are required in accordance with the meaning of the main contract and the provisions of the GDPR (e.g. necessary safeguards in an attack situation). In addition, they shall be remunerated as an additional service within the framework of the main contract and in accordance with the provisions there, alternatively on the basis of the customary local and appropriate remuneration.
  4. If the processor is not obliged to carry out the instructions, he may refuse to carry them out until the client has confirmed the additional service and commissioned it for a fee. The execution of the instruction is not a waiver of a claim to additional remuneration.
  5. If the processor cannot reasonably be expected to carry out an instruction, for example, because it is technically impossible to comply with it, the processor may terminate the main contract if no other solution can be found between the parties. An example would be the provision of services by the processor on a technical platform with other clients of order processing, where the instruction cannot be followed without consequences for other contractual partners of the processor (e.g. data cannot be separated).
  6. If the client issues an unlawful instruction, they shall bear the resulting costs, including the legal advice or representation costs of the processor.

§ 4

Obligations of the processor

  1. The processor is obliged to process the data only within the scope of the order and the instructions of the client. This shall not apply insofar as the processor of the order is obliged to carry out other processing on the basis of a law applicable to him in the European Union. The processor may reject an instruction that violates applicable law binding on him, and is not obliged to execute it. In such a case, the processor shall request the client to issue a lawful instruction.
  2. The processor shall support, within the scope of his capacities, the client in fulfilling the legal claims under Articles 12 to 23 GDPR by parties concerned. He shall name a contact person for the client within the framework of data protection.
  3. The processor shall comply with the obligations under Articles 32 to 36 GDPR in his area on behalf of the client, taking into account the type of processing and the information available to him and shall review them at appropriate intervals.
  4. The processor shall organize his operations in such a way that they meet the special requirements of data protection. In accordance with Art. 32 GDPR, he shall take, within his reasonable possibilities and facilities, technical and organizational measures which ensure the confidentiality, integrity, availability, and resilience of the systems and services in connection with the processing in the long term. The current technical and organizational measures are set out in Annex 2 to this agreement.
  5. The processor guarantees that employees and other third parties involved in the processing of the client's data have been instructed about the requirements of data protection and that they are being managed, trained and supervised accordingly. The processor further guarantees that these employees and third parties are obliged not to process the data beyond the client's instructions and to treat the data confidentially and that this obligation of secrecy shall continue to apply even after termination of the main contract.
  6. The processor may only correct, block or delete data which is subject to this data processing contract in accordance with this contract or upon the client's instruction. Such instructions by the client are also binding after the term of the contract.
  7. The processor shall inform the client if he becomes aware that data of the client has been or will be infringed. He shall independently take the necessary measures for data backup to avert danger and, as far as possible, mitigate the consequences for those affected. He shall consult with the client as soon as possible.
  8. After completion of the processing activity, the processor shall either delete all personal data or return it to the client at the client's option. This shall not apply if the data must continue to be stored in accordance with the applicable law or if the contract stipulates otherwise. If the client does not give any instructions, the deletion is deemed to have been agreed.

§ 5

Remuneration

  1. For all services under this agreement, the processor shall be entitled to additional remuneration in accordance with the main contract, or, alternatively, the customary local and reasonable remuneration. This shall not apply to the extent that the main contract expressly stipulates otherwise or such claims are excluded due to warranty or fault of the processor of the order.
  2. The obligation to pay remuneration shall apply until the scope of agreement has been fully completed and does not end with the main contract.

§ 6

Obligations of the client

  1. The client may not issue any instructions that violate applicable law. The client is also responsible for the data; it is therefore their responsibility to obtain information and advice on the applicable laws and to give the processor only such instructions as are lawful.
  2. The client shall be obliged to inquire about and check the technical and organizational measures taken by the processor. They shall be responsible for ensuring that the measures taken by the processor represent an adequate level of protection against the risks of the data to be processed.
  3. The client shall inform the processor immediately and completely if facts become apparent to them indicating that errors or irregularities occur in the data processing.
  4. At the request of the processor, the client shall designate a contact person for all data protection issues in their company.
  5. The client is obliged to process claims of affected parties for correction, deletion, blocking or information. The processor shall refer the person concerned to the client where the information provided by the person concerned makes this possible. The processor shall not be liable if the client does not reply to the data subject's request, or does so incorrectly or not within the time limit laid down.

§ 7

Records

  1. The processor shall inform the client of all measures taken to comply with the requirements of Art. 28 GDPR and shall allow for inspections within reasonable limits. Sec. 5 shall apply mutatis mutandis.
  2. The processor is entitled to demand a declaration of confidentiality from the client and/or their auditor. The client may appoint an independent external auditor provided that a copy of the audit report is made available to the processor. The processor may refuse to accept competitors of the processor or entities who would otherwise be reasonably unacceptable to the processor.
  3. These rules, including Sec. 5, shall apply mutatis mutandis to inspections by a public authority.

§ 8

Other contract processors / Place of processing

  1. The processing of data on behalf of the client shall only be carried out within the member states of the European Union (EU) or the European Economic Area (EEA). Processing personal data in a third country is only an option if it is guaranteed that the legal duties under Articles 44 to 49 GDPR will be respected in order to provide an appropriate level of protection for the personal data.
  2. The processor shall be entitled to assign further processors in accordance with Art. 28 GDPR in order to fulfill the contract.
  3. The other processors currently in use are listed in Annex 3 to this agreement. The client consents to their use.
  4. The processor shall inform the client if he wishes to use other subcontractors. The client may refuse to accept these if there is an important reason for doing so. If, due to the rejection of a new subcontractor, the processor can no longer reasonably be expected to perform the contract, he may terminate the main contract within a reasonable period.
  5. The processor shall be obliged to transfer the obligations arising under this contract to his subcontractors.
  6. For the purposes of this regulation, subcontractors are only those undertakings which obtain services directly related to the principal performance of the contract. In particular, this excludes ancillary services such as telecommunications, printing and transport services as well as pure maintenance obligations, the disposal of data carriers and measures to ensure the confidentiality, availability, integrity, and resilience of personal data, networks, services, data processing systems, and other IT systems. This shall be without prejudice to the obligation of the processor to ensure data protection and data security with regard to the data of the client.

§ 9

Liability and damages

  1. If a party concerned asserts claims for damages against a contracting party, the parties shall support each other and jointly contribute to clarifying the facts of the case.
  2. The processor's and the client's liability for damages sustained by concerned persons due to illegal or incorrect data processing is governed by Art. 82 GDPR.

§ 10

Final provisions

  1. The main contract shall apply to the settlement of disputes, choice of law and place of jurisdiction.
  2. This contract is concluded in text form, and any amendment to it requires text form.

Annex 1

Groups of data and persons concerned

  • User account data

    Information related to user accounts, such as usernames, email addresses, encrypted passwords, and account settings.

  • User payment data

    Information necessary for paying usage fees, such as credit card details. As these data are highly sensitive, they are not stored directly by the processor but solely by the company Stripe Inc., which has implemented special measures in accordance with legal regulations to protect this data.

  • Uploaded files

    Files uploaded by users and stored on AWS S3 servers, such as documents, music, images, etc.

Annex 2

Technical and organizational measures

Access control

The following measures ensure that unauthorized third parties do not have access to the data:

  • Management of differentiated permissions (profiles, roles)
  • Conclusion of data processing agreements for the external maintenance, upkeep, and repair of data processing systems, provided that data processing is part of the contractor's service during remote maintenance.
  • Authorization process for permissions

Control of disclosure

It is ensured that data, during transmission or storage on storage media, cannot be read, copied, altered, removed, or otherwise processed without authorization. To ensure this, the following measures are implemented:

  • Secured file transfer or other data transport
  • Qualified electronic signature

Data protection management

The following measures are intended to ensure the presence of an organization that meets the fundamental data protection requirements:

  • Data Processing Agreement with provisions regarding the rights and obligations of the parties.
  • Determination of contact persons and/or responsible employees
  • Obligation of employees to maintain confidentiality

Annex 3

Subcontractors

The client hereby authorizes the processor to engage additional data processors for the processing of personal data in accordance with this agreement:

  • Amazon Web Services, Inc.
  • Salesforce, Inc.
  • Stripe, Inc.
  • Better Stack, Inc.
  • Netlify, Inc.