DPA (data processing agreement)
Contract for processing personal data on behalf of
Between the
GAL Digital GmbH, Unter den Linden 26, 35410 Hungen-Obbornhofen, Germany
- hereinafter referred to as “Contract processor” -
and
Customers and users of the software "nele.ai”
- hereinafter referred to as “Client” -
- Contract processors and clients are hereinafter referred to as “Contracting parties” referred to -
All terms are gender-neutral.
The following order processing contract is concluded:
Preamble and scope
The processor processes personal data on behalf of the client. The order processing contract specifies the order processing with regard to its subject matter and the claims and obligations between the contracting parties arising from the order processing relationship.
The order processing contract does not apply if the GDPR does not apply to the processing of personal data by the client (for example in the case of exclusively personal or family activities in accordance with Art. 2 para. 2 lit. c. GDPR) and the processor therefore does not act as a contract processor within the meaning of Article 4 No. 8 GDPR.
1. Terms and definitions
a. “Order processing” - In accordance with 4 No. 8 GDPR, “order processing” means the processing of personal data on behalf of the person responsible, regardless of the number of order processors intervening, by the processor in accordance with the subject matter of this order processing contract in accordance with Article 4 No. 2 GDPR.
b. “Main contract” - The term main contract includes all types of ongoing business relationships between the client and the processor, within the framework of which the processor processes personal data on behalf of and on the instructions of the client in accordance with the information on the subject matter of the order processing in this order processing contract. If the validity of this order processing contract has been limited elsewhere (i.e. within this agreement or outside, in other contracts or regulations) to specific types, types or specific business relationships, contracts, etc., these are to be understood as a main contract. The term main contract also includes ongoing individual orders from the client to the processor, which are placed by the client as part of the main contract (e.g. in the case of framework agreements).
c. “Responsible person” - “Responsible person” is anyone who alone or together with others decides on the purposes and means of processing (Art. 4 No. 7 GDPR).
d. “Personal data” - “Personal data” (hereinafter also referred to as “data” for short) is all information relating to an identified or identifiable natural person (data subject); a natural person who can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or to one or more special features is considered identifiable, the expression of are the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
e. “Data subjects” - In accordance with Art. 4 No. 1 GDPR, data subjects (“data subjects” for short) are persons who are at least identifiable by means of personal data. The persons affected by this order processing result from the subject matter of the order processing.
f. “Third parties” - “third parties” are, in accordance with Article 4 No. 10 GDPR, natural or legal person, authority, agency or other body, apart from the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process personal data.
g. “Sub-order processing” - When a processor has not been engaged directly by the controller but by a processor of the controller, there is “sub-processing” and the processors following the first processor are referred to as “sub-processors”.
h. “Electronic format” - Statements are considered to have been submitted in “electronic format” in accordance with Article 28 (9) GDPR if the declarant is identifiable and the electronic declaration format is suitable to prove the declaration. In particular, “electronic format” means text form, an agreement stored on durable data carriers (e.g. e-mail), digital signing processes or the use of dedicated online functions (e.g. in user accounts).
2. Subject matter of order processing
a. Order processing takes place within the framework of the following legal relationship (main contract):
Contract for the use of the software "nele.ai" based on the terms of use of nele.ai:
https://nele.ai/nutzungsbedingungen.
b. Detailed information on the subject matter of the processing carried out on behalf of the order, the personal data processed, persons affected by the processing and the type, scope and purpose of the processing are based on the requirements of the “Object of Order Processing” appendix.
3. Type of order processing
Insofar as the client acts as the person responsible for order processing, he is responsible under this order processing contract for compliance with the provisions of data protection laws, in particular for the lawfulness of data processing and for the lawfulness of the assignment of the order processor. Insofar as the client himself acts as a processor, he commissions the processor as a sub-processor. On the basis of this order processing contract, the person responsible for processing may directly rely on the rights to which the client is entitled vis-à-vis the sub-processor.
4. Power to issue instructions
a. The processor may only process personal data within the framework of the main contract and the client's instructions and only insofar as processing is necessary within the framework of the main contract.
b. The instructions are initially defined by the main contract or this order processing contract and can then be amended, supplemented or replaced by the client with instructions in written form or in an electronic format (text form, e.g. e-mail) to the processor or the body designated by the processor.
c. Oral instructions can be given if they are necessary due to circumstances (e.g. urgency) and must be confirmed immediately in writing or in electronic form.
d. If, based on objective circumstances, the processor is of the opinion that an instruction from the client violates applicable data protection law, the processor will immediately inform the client of this and give factual reasons for the opinion. In this case, the processor is entitled to suspend execution of the instruction until the instruction is expressly confirmed by the client and to reject obviously illegal instructions.
e. The processor may be required to carry out processing or provide information by Union or Member State law and administrative and judicial measures to which the processor is subject. In such a case, the processor shall inform the client of the legal requirements of the mandatory legal obligation before processing, unless the relevant law or order prohibits such notification due to an important public interest; in the event of a prohibition of notification, the processor shall take the possible and reasonable measures to prevent or restrict legally mandatory processing.
f. The processor must document instructions given to him and their implementation.
g. The processor names the contact persons authorized to receive instructions and is obliged to immediately report changes to the contact persons or their contact information as well as representatives in the event of a non-temporary absence or impediment.
5. Maintaining professional secrecy Professional secrecy (Azure OpenAI - Microsoft)
a. The following obligations under the “Professional Secrecy” section of this order processing agreement apply if the data processed on behalf includes professional secrecy within the meaning of Section 203 StGB and oblige the processor. They also apply to the AI model provider used if, as part of the use of nele.ai, the AI model from the provider Microsoft is selected by the user, e.g. (“Azure OpenAI”). In this case, the “Professional Secrecy Additional Agreement” comes from Microsoft (https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Pcj0) for use. Microsoft also provides further information on professional confidentiality obligations in an article at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4NKw7 ready.
b. Regardless of the time limits of this order processing contract, the obligations apply for an unlimited period of time, even after the end of the contract.
c. The processor may only become aware of professional secrecy insofar as this is necessary for the execution of the main contract and this order processing contract and fulfilment of the contractual obligations.
d. The client informs the processor that the breach of confidentiality obligations in accordance with the Act and this order processing contract through breach of confidentiality or the use of third-party secrets in accordance with Sections 203 (1), (4) StGB, Section 204 StGB to punish the order processor, which also includes persons acting on behalf of the client, with a term of imprisonment of up to one year, in the case of § 204 StGB with imprisonment of up to two years, or can be punished with a fine. The penalty is increased to imprisonment of up to two years or a fine if the perpetrator acts with intent to enrich, even if it should exist in favor of third parties, or intends to harm another person as a result of the act.
e. If the processor engages third parties (e.g. subcontractors) who can participate in the processor's order processing and become aware of professional secrecy, he shall accordingly oblige the third parties to maintain secrecy, at least in text form. In addition, the processor shall inform third parties of their obligations. Irrespective of the above obligation, the client must have allowed the use of third parties. As a precautionary measure, the client informs the processor that the involvement of third parties may result in imprisonment of up to one year or a fine if a third party breaks confidentiality and at the same time that the processor has failed to ensure that the third party has been bound to secrecy (Section 203 (1), paragraph 4, p. 2, StGB). The threat of punishment is increased to imprisonment of up to two years or a fine, provided that the perpetrator acts with intent to enrich, even if it should exist in favor of third parties, or intends to harm another person as a result of the act.
6. Technical and organizational measures (safety and protection concept)
a. The processor will design the internal organization within its area of responsibility in accordance with legal requirements and will in particular take technical and organizational measures (hereinafter referred to as “TOMs”) to adequately secure, in particular the confidentiality, integrity and availability of the client's data, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probability of occurrence and Determine the severity of the risk to the rights and freedoms of those affected and ensure that they are maintained, in particular through regular evaluation, at least once a year. With regard to the protection of personal data, TOMs include in particular access control, access control, access control, transfer control, input control, order control, integrity and availability control, separation control and securing the rights of data subjects.
b. The TOMs notified by the processor when the contract is concluded define the minimum level of security owed by the processor. The TOMs may be further developed in line with technical and legal progress and replaced by adequate protective measures, provided that they do not fall below the security level of the defined measures and significant changes are notified to the client. The description of the measures must be so detailed that an expert third party can see beyond doubt at any time on the basis of the description alone that the required legal data protection level and the defined minimum level of security are not falling below.
c. The processor guarantees that employees, agents and other persons working for the processor involved in processing the data are prohibited from processing personal data outside the instructions. The processor also ensures that the persons authorized to process the client's data have been briefed on the legal and data protection regulations arising from this order processing contract and have been bound to confidentiality and secrecy or are subject to a corresponding and appropriate legal confidentiality obligation. The processor shall ensure that persons employed for order processing are adequately instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.
d. The processor shall ensure that the persons employed by it for processing take part in recurring training and awareness-raising measures at an appropriate frequency with regard to the protection of personal data and compliance with legal data protection regulations.
e. The processing of personal data outside the processor's premises (e.g. in the home or mobile office or with remote access) is permitted provided that the necessary technical and organizational measures are taken and documented which adequately take into account the particularities of these processing situations and, in particular, also enable adequate control of data processing (e.g. conclusion of an agreement on data protection in the home and mobile office with employees). The processor shall provide the client with documentation of the implemented technical and organizational measures for such home, mobile or other remote processing operations upon request.
f. The processing of personal data on private devices of the contract processor and agent's employees is only permitted with the consent of the client.
g. If required by legal requirements, the processor will appoint a data protection officer in accordance with legal requirements. The processor will provide the client with the contact information of the data protection officer and any subsequent changes.
h. The processing processes carried out on behalf of the order are separately documented by the processor to an appropriate extent, in a register of processing activities and made available to the client upon request.
i. The data and data carriers and all copies made of them provided under the order processing contract remain the property or ownership of the client, are subject to the control of the client, must be carefully stored by the processor, protected against access by unauthorised third parties and may only be destroyed with the consent of the client. Destruction must be carried out in accordance with data protection regulations and in such a way that recovery of even residual information is no longer possible and is not expected with reasonable effort. Copies of data may only be made if they are necessary to fulfill the main and secondary obligations of the processor towards the client (e.g. backups) and if the contractual and legal level of data protection is guaranteed.
j. The processor is obliged to immediately return or delete the data and data carriers under this order processing contract, even with sub-processors.
k. The processor must provide proof that data and files have been duly destroyed or deleted under this order processing contract and make them available to the client upon request.
l. The objection of a right of retention is excluded with regard to the data processed in the order and the associated data carriers.
m. The processor shall provide regular evidence of the fulfilment of its obligations, in particular the full implementation of the agreed technical and organizational measures and their effectiveness (e.g. through regular checks, audits, etc.). The proof must be provided to the client upon request. Evidence can be provided through approved codes of conduct or an approved certification process.
n. If the security measures taken do not or no longer meet the requirements of the order processor or the legal requirements, the processor will immediately notify the client.
O. The technical and organizational measures already in place at the conclusion of this order processing contract are carried out by the processor in Annex “Technical and Organizational Measures” listed and accepted by the client.
7. Information obligations and cooperation obligations of the order processor
a. The processor may only provide information to third parties or the person concerned with the prior consent of the client or in the case of mandatory legal obligations, judicial or legal information. If a data subject contacts the processor and asserts their data subject rights (in particular rights to information or correction, or deletion of personal data), the processor will refer the data subject to the client, provided that an assignment to the client is possible according to the data subject. The processor immediately forwards the data subject's request to the client and supports the client as far as is reasonable and possible. The processor is not liable if the data subject's request is not answered by the client, is not answered correctly or in due time, unless the processor is responsible for this.
b. The processor must immediately and completely inform the client if the processor finds errors or irregularities with regard to the processing of personal data in compliance with the provisions of this order processing agreement and/or relevant data protection regulations. The processor shall take the necessary measures to secure personal data and to reduce possible adverse consequences for data subjects and shall immediately discuss this with the client.
c. The processor will immediately inform the client if a supervisory authority acts vis-à-vis the processor and whose activity may concern the data processed for the client. The processor supports the client in carrying out its duties (in particular to provide information and tolerate checks) vis-à-vis supervisory authorities.
d. Should the security of the client's personal data be jeopardized by measures taken by third parties (e.g. creditors, authorities, courts, etc.) (seizure, seizure, insolvency proceedings, etc.), the processor will immediately inform the third parties that the authority and ownership of the data lies exclusively with the client and, after consultation with the client, take appropriate protective measures (e.g. make objections, requests, etc.).
e. The processor provides the client with information regarding the processing of data under this order processing contract, which is necessary for the fulfilment of legal obligations of the client (which may include, in particular, inquiries from data subjects or authorities and compliance with its accountability obligations of a data protection impact assessment) and supports the client in complying with the obligations set out in Articles 32-36 GDPR.
f. The processor's information obligations initially extend to information available to the processor, its employees and agents. The information does not have to be obtained from third sources if the procurement could be carried out by the client within reasonable limits and no other agreement has been made.
g. The processor must be able to prove compliance with its contractual and legal obligations arising from order processing at any time by suitable means.
8. Measures in the event of a risk or violation of data protection
a. In the event that the processor finds facts which justify the assumption that the protection of personal data processed for the client within the meaning of Article 4 No. 12 GDPR could be violated, the processor must immediately and completely inform the client, immediately take necessary protective measures and assist in fulfilling the obligations incumbent on the client, in particular in connection with reporting to competent authorities or data subjects.
b. Information about a (possible) breach of personal data protection must be provided immediately, in principle within 24 hours of becoming aware of it.
c. In accordance with Article 33 (3) GDPR, the processor's report must contain at least the following information:
c. a. description of the nature of the personal data breach, including, as far as possible, the categories of data concerned and the approximate number of data subjects and the approximate number of personal data sets concerned;
c.b. the name and contact details of the data protection officer or other contact or contact point for further information;
c.c. a description of the likely consequences of the personal data breach (e.g. including further details: identity theft, financial disadvantages, etc.);
c.d. a description of the measures taken or proposed by the processor to remedy the personal data breach and, where appropriate, measures to mitigate its potential adverse effects
d. Significant disruptions in order processing and breaches by the order processor or persons employed by him or his agents against data protection regulations or the stipulations made in this order processing contract must also be reported immediately.
9. Checks and inspections
a. The client has the right to check compliance with the legal requirements and the regulations of this order processing agreement, in particular the TOMs of the processor, at any time, by himself or through third parties, and to carry out the necessary checks, including inspections.
b. The processor must support the client with checks and inspections to the extent necessary (e.g. by providing personnel and granting access and access rights).
c. On-site checks are carried out within normal business hours and must be notified by the client within a reasonable period of time (at least 14 days). In emergencies, i.e. if waiting would jeopardize the rights of the person concerned and/or the client for them to an unreasonable extent, a reasonably shorter period may be chosen. Conversely, a longer period of time may be required (e.g. when extensive preparations must be made or during vacation time). Any deviations from the deadline must be justified in each case by the contracting party making use of them.
d. The controls are limited to the necessary limits and must take account of the processor's business and business secrets as well as the protection of personal data of third parties (e.g. other customers or employees of the order processor). Avoidable operational disruptions must be avoided. As far as the reason and purpose of the test is sufficient, an inspection should be limited to random samples.
e. Only qualified persons who can legitimize themselves and are bound to confidentiality and secrecy with regard to the contractor's business and trade secrets as well as internal processes and personal data are allowed to carry out the check. The processor may request proof of a corresponding obligation. If the inspector commissioned by the client is in a competitive relationship with the processor or if there is any other justified reason to reject it, the processor has a right of appeal against the processor.
f. Instead of inspections and on-site checks, the processor may refer the client to equivalent control by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Art. 40 GDPR) or appropriate data protection or IT security certifications in accordance with Art. 42 GDPR. This only applies if the reference is reasonable on the part of the client and the nature and scope of the review and references correspond to the nature and scope of the client's legitimate control project. The processor undertakes to immediately inform the client of the exclusion of approved rules of conduct in accordance with Article 41 (4) GDPR, the revocation of a certification in accordance with Article 42 (7) and any other form of cancellation or significant change of the aforementioned evidence.
g. In principle, the client does not exercise his right of control more than every 12 months, unless a specific reason (in particular a breach of data protection, a security incident or the result of an audit) requires checks before the end of this period.
11. Spatial area of order processing
a. Personal data is processed as part of order processing in a member state of the European Union (EU) or in another state party to the Agreement on the European Economic Area (EEA) or Switzerland.
b. Processing may take place in third countries, provided that the special requirements of Art. 44 ff. GDPR are met, i.e. in particular the EU Commission has established an appropriate level of data protection; b) on the basis of effective standard protection clauses (so-called standard contractual clauses, SCC); or c) on the basis of recognized binding internal data protection regulations.
c. The approval of subcontracting relationships by the client within the framework of this order processing agreement also extends to the geographical area of order processing.
d. Order processing in countries other than those mentioned above, including by sub-processors, requires the prior approval of the client.
12. Obligations of the client
a. The client must immediately and completely inform the processor if he finds errors or irregularities with regard to data protection regulations in the order results, instructions or processing processes.
b. The client appoints the contact persons authorized to receive instructions and is obliged to immediately report changes to the contact persons or their contact information as well as representatives in the event of a non-temporary absence or impediment.
c. In the event of a claim against the order processor by data subjects, third companies, bodies or authorities with regard to any claims arising from the processing of personal data under this order processing contract, the client undertakes to assist the processor in defending the claim within the scope of its capabilities and taking into account the degree of fault of the contracting parties.
13. liability
The statutory liability regulations apply, in particular Article 82 GDPR and, in the case of the use of a sub-processor, Article 28 (4) (2) GDPR.
14. Duration, Continuation after End of Contract and Data Deletion
a. This order processing contract becomes effective when it is signed or concluded in an electronic format.
b. The term and end of this order processing contract depend on the term and end of the main contract.
c. The contracting parties reserve the right to extraordinary termination, in particular in the event of a serious breach of the obligations and requirements of this order processing agreement and applicable data protection law. A serious infringement exists in particular if the processor does not or has not performed the obligations specified in the order processing contract and the agreed technical and organizational measures to a significant extent.
d. In the event of minor breaches of duty, the extraordinary termination must be preceded by a warning of the breaches with a reasonable period of time to remedy them, although the warning is not required unless it is expected that the breaches complained of will be remedied or will weigh them so seriously that it is not reasonable to expect the terminating contracting party to stick to the order processing contract.
e. The termination of this order processing contract, as well as the abolition of this formal clause, must be carried out at least in electronic format.
f. After completion of the provision of processing services under this order processing agreement, the processor will either destroy or return all personal data and their copies (as well as all documents in connection with the contractual relationship, processing and use results created and data sets), at the client's option, unless there is a legal obligation to store the personal data; in this case, the processor will inform the client Client about the obligation and its scope, unless knowledge of the obligation on the part of the client can be expected. The destruction or deletion must be carried out in accordance with data protection regulations and in such a way that recovery of even residual information is no longer possible and is not expected with reasonable effort. The objection of a right of retention is excluded with regard to the processed data and the associated data carriers. With regard to cancellation or return, the client's rights of information, proof and control apply in accordance with this order processing contract.
g. The obligations arising from the order processing contract to protect confidential information continue to apply even after the end of the order processing contract, provided that the processor continues to process the personal data covered by the order processing contract and compliance with the obligations is reasonable for the processor even after the end of the contract.
h. Documentation that serves to prove proper data processing and ensuring the TOMs must be kept by the processor in accordance with the client's respective storage and deletion periods known to him (or those that should be known to him), at least three years after the end of the contract. The processor may hand over the documentation to the client at the end of the contract to relieve him.
15. Final provisions
a. The applicable law is determined by the main contract.
b. The place of jurisdiction is determined in accordance with the main contract.
c. This order processing contract represents the complete agreement reached between the contracting parties. There are no ancillary agreements.
d. When this order processing contract is concluded, all previous contracts concluded between the parties to this contract and which regulate the processing of personal data on behalf of the contract will be terminated if and insofar as these relate to the same subject matter of order processing and if and to the extent that nothing else has been expressly agreed in writing between the contracting parties.
e. Amendments and additions to this order processing contract, as well as the abolition of this formal clause, must be made at least in electronic format.
f. In the event of any objections, the provisions of this order processing agreement on data protection take precedence over the provisions of the main contract.
g. Should one or more provisions of this order processing contract be invalid or unenforceable, this shall not affect the validity of the remaining provisions. Instead, the ineffective provisions will be replaced by means of supplementary interpretation by such a provision which comes as close as possible to the economic purpose of the contracting parties with the ineffective provision (s). If the above additional interpretation is not possible due to mandatory legal requirements, the contracting parties will agree on a provision corresponding to them.
This order processing contract is part of the main contract and becomes effective upon its conclusion.
Appendix: Subject matter of order processing
The following information on the type and purpose of processing, the type of personal data and the categories of data subjects determine the subject matter of the processing regulated by the order processing contract. Changes to the subject matter of processing and further procedural changes must be agreed and documented jointly between the contracting parties.
Purposes of order processing
The client's personal data is processed on the basis of this order processing contract for the following purposes:
Provision of the "nele.ai" software and associated applications, websites and functions within the contractually agreed framework.
Types and categories of data
The types and categories of personal data processed on the basis of this order processing contract include:
a. Users' inventory data (personal, company, address details).
b. Users' contact details (e.g. email addresses)
c. User input in connection with the use of the software or application (e.g. prompts).
d. Log data (e.g. log files relating to logins, retrieval of data or access times).
e. Meta and connection data (IP addresses, system and device-related information).
f. telemetry data (data that allows monitoring and maintaining the functionality and security of the functionality of the software or application with regard to the contractually agreed use).
g. Audio data (in the event that user voice inputs are processed).
h. Image data (in the event that user image inputs are processed).
Categories of affected persons
The groups of people affected by the processing of personal data on the basis of this order processing agreement include:
a. Customers and users of the respective software or application.
b. Persons whose personal data is processed as part of the content entered by customers and users.
Sources of processed data
The data processed on the basis of this order processing contract is collected or otherwise received from the following sources or within the framework of the procedures mentioned below:
a. Survey of affected persons.
b. Submissions or information provided by the client.
c. Entries or details provided by the order processor.
d. Collection as part of the use of software, applications, websites and other online services.
e. Receipt by means of transmission or other notification by or on behalf of the client.
Appendix: Technical and Organizational Measures (TOMs)
A level of protection appropriate to the risk to the rights and freedoms of natural persons affected by the processing is guaranteed for the specific order processing and the personal data processed within its framework. In particular, the protection objectives of confidentiality, integrity and availability of systems and services as well as their resilience with regard to the type, scope, circumstances and purpose of the processing operations are taken into account in such a way that the risk is contained in the long term through appropriate technical and organizational remedies.
Organizational measures
Organizational measures have been taken to ensure an appropriate level of data protection and its maintenance.
a. The processor has implemented an appropriate data protection management system or data protection concept and ensures its implementation.
b. There is a suitable organizational structure for data security and data protection, and information security is integrated into company-wide processes and procedures.
c. Internal security guidelines and guidelines are defined, which are communicated to employees within the company as binding rules.
d. System and security tests, such as code scanning and penetration tests, are carried out regularly and without cause.
e. The development of the state of the art as well as developments, threats and security measures are continuously monitored and derived from the company's own security concept in an appropriate manner.
f. There is a concept that ensures that the client respects the rights of data subjects (in particular with regard to information, correction, deletion or restriction of processing, data transfer, revocations & objections). The concept includes informing employees of the information requirements vis-à-vis the client, setting up implementation procedures and the appointment of responsible persons, as well as regular monitoring and evaluation of the measures taken.
g. There is a concept that ensures an immediate response to risks and breaches of personal data protection in accordance with legal requirements. The concept includes informing employees of the information requirements vis-à-vis the client, setting up implementation procedures and the appointment of responsible persons, as well as regular monitoring and evaluation of the measures taken.
h. Security incidents are consistently documented, even if they do not result in an external report (e.g. to the supervisory authority, data subjects) (so-called “security reporting”).
i. Service providers who are used to perform ancillary tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected and it is ensured that they comply with the protection of personal data. If service providers obtain access to the client's personal data as part of their work or there is otherwise a risk of access to the personal data, they are specifically committed to secrecy and confidentiality.
j. Taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risks associated with processing to the rights and freedoms of natural persons, the protection of personal data is already taken into account when developing or selecting hardware, software and processes, in accordance with the principle of data protection through technology design and through privacy-friendly default settings.
k. The software and hardware used are always kept up to date and software updates are carried out without delay within a reasonable period of time in view of the level of risk and any need for testing. No software and hardware is used that is no longer updated by providers with regard to data protection and data security concerns (e.g. expired operating systems).
l. Standard software and corresponding updates are only obtained from trustworthy sources.
m. There is a deletion and disposal concept that meets the data protection requirements of order processing and the state of the art. The physical destruction of documents and data carriers is carried out in accordance with data protection regulations and in accordance with legal requirements, industry standards and state of the art industry standards (e.g. DIN 66399). Employees were informed of legal requirements, deletion periods and, where responsible, requirements for data destruction or device destruction by service providers.
n. The processing of the client's data that has not been deleted in accordance with the provisions of this order processing agreement (e.g. as a result of legal archiving obligations) is restricted to the extent necessary by blocking notices and/or segregation.
Employee level data protection
Measures have been taken to ensure that employees working with the processing of personal data have the necessary expertise and reliability under data protection law.
a. Employees are required to maintain confidentiality and secrecy (data protection secrecy).
b. Employees are sensitized and informed about data protection in accordance with the requirements of their function. Training and awareness-raising will be repeated at appropriate intervals or when circumstances require.
c. The keys, access cards or codes issued to employees, as well as authorizations granted with regard to the processing of personal data, are withdrawn or withdrawn after they leave the services of the order processor or change of responsibilities.
d. Employees are required to leave their work environment tidy and in particular to prevent access to documents or data carriers containing personal data (Clean Desk Policy).
access control
Physical access control measures have been taken to prevent unauthorised persons from physically approaching the systems, data processing equipment or methods used to process personal data.
a. There is a personal check at the doorman or at the reception.
b. The issuance and return of keys and/or access cards is logged.
c. Employees are required to lock devices or particularly secure them when they leave their work environment or devices.
d. Documents (files, documents, etc.) are stored securely, e.g. in filing cabinets or other suitably secured containers, and adequately secured against access by unauthorized persons.
e. Data carriers are stored securely and adequately protected against access by unauthorised persons.
access control
Electronic access control measures have been taken to ensure that access (i.e. even the possibility of use, use or observation) by unauthorised persons to systems, data processing systems or processes is prevented.
a. A password concept states that passwords must have a minimum length and complexity that meets the state of the art and security requirements.
b. All data processing systems are password protected.
c. Passwords are generally not stored in plain text and are only transmitted in hashed or encrypted form.
d. Login data is deleted or deactivated when their users have left the company or organization of the order processor.
e. Server systems and services are used that have attack detection systems (“intrusion detection systems”).
f. Server systems and services are used that have attack prevention and defense systems (“intrusion protection systems”).
g. Up-to-date anti-virus software is used.
h. Use of hardware firewall (s).
i. Use of software firewall (s).
Internal access control and input control (permissions for user rights to access and change data)
Access control measures have been taken to ensure that persons authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, changed or removed without authorization during processing. In addition, input control measures have been taken to ensure that it can be checked and determined retrospectively whether and by whom personal data has been entered, changed, removed or otherwise processed in data processing systems.
a. A rights and role concept (authorization concept) ensures that access to personal data is only possible for a group of people selected according to requirements and only to the extent necessary.
b. The rights and role concept (authorization concept) is evaluated regularly, within an appropriate frequency of time and when an occasion requires it (e.g. violations of access restrictions), and updated as necessary.
c. Registrations in data processing systems or processing systems are logged.
d. The activities of administrators are adequately monitored and logged within the scope of legally permissible options and within the scope of technically justifiable effort.
e. It is ensured that it is comprehensible which employees or agents had access to which data and when (e.g. by logging software usage or inferring access times and the authorization concept).
Transfer control
Data transfer control measures have been taken to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to check and determine to which points a transfer of personal data by data transmission facilities is intended.
a. When accessing internal systems from outside (e.g. for remote maintenance), encrypted transmission technologies are used (e.g. VPN).
b. E-mails are encrypted during transmission, which means that the emails are protected from being read by someone who has access to the networks through which the email is sent.
c. The transmission and processing of the client's personal data via online offers (websites, apps, etc.) is protected by TLS or equivalent secure encryption.
Order control, earmarking and separation control
Order control measures have been taken to ensure that personal data processed on behalf of the client is only processed in accordance with the client's instructions. The measures ensure that personal data collected by the client for different purposes is processed separately and that there is no mixing, blending or other joint processing of this data contrary to the order.
a. The processing processes carried out for the client are separately documented to an appropriate extent in a register of processing activities.
b. Careful selection of sub-processors and other service providers.
c. Employees and agents are comprehensibly and clearly informed about the client's instructions and the permitted processing framework and instructed accordingly. Separate information and instructions are not required if compliance with the admissible framework can be reliably expected anyway, e.g. as a result of other agreements or operational practice.
d. Compliance with instructions from the client and the permitted framework for processing personal data by employees and agents is checked at appropriate intervals.
e. The deletion periods applicable to the processing of the client's personal data are documented separately, if necessary, within the order processor's deletion plan.
f. Required evaluations and analyses of the processing of the client's personal data are, as far as possible and reasonable, processed anonymously (i.e. without any personal reference) or at least processed pseudonymously in accordance with Article 4 No. 5 GDPR (i.e. in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, this additional information being stored separately and taking technical and organizational measures who ensure that the personal data is not assigned to an identified or identifiable natural person).
g. The client's personal data is processed logically separately from data from other processing methods used by the processor and protected against unauthorized access or connection or interconnection with other data (e.g. in different databases or by appropriate attributes).
h. Production and test data are stored strictly separately in different systems. The production systems are operated separately and independently of the development and test systems.
Ensuring the integrity and availability of data and the resilience of processing systems
Measures have been taken to ensure that personal data is protected against accidental destruction or loss and can be quickly restored in emergencies.
a. Fail-safe server systems and services are used that are designed twice or multiple times.
b. The availability of data processing systems is constantly monitored and controlled, in particular for availability, errors and security incidents.
c. The personal data is stored by external hosting providers. The hosting providers are carefully selected and meet the state of the art requirements with regard to protection against damage caused by fire, moisture, power outages, disasters, unauthorized access, data backup and patch management, as well as building security.
d. Personal data is processed on data processing systems that are subject to regular and documented patch management, i.e. in particular regularly updated.
e. The server systems and services used for processing are subjected to resilience tests and hardware tests at appropriate intervals.
f. The server systems used for processing have protection against denial of service (DoS) attacks.
g. The server systems used for processing have an uninterruptible power supply (UPS), which is adequately protected against failures and ensures a regular shutdown in emergencies without loss of data.
h. Video surveillance at the server location.
i. Intrusion and contact detectors at the server location.
j. The server systems used for processing have appropriate fire protection (fire and smoke alarm systems and corresponding fire extinguishing devices or fire extinguishing devices).
k. Server systems are used that have protection against moisture damage (e.g. moisture detectors).
l. Server systems and services are used which provide a backup system at other locations, where the current data is stored and thus provides an operable system even in the event of a disaster.
m. The client's data records are protected by the system against accidental change or deletion (e.g. through access restrictions, security queries and backups).
n. Server systems and services are used that have an appropriate, reliable and controlled backup & recovery concept.
O. Recovery tests are carried out regularly at a reasonable time interval to verify that the data backups can actually be restored (data integrity of the backups).
Appendix: Subprocessor
The processor uses the following sub-processors as part of the processing of data for the client:
Azure OpenAI - Microsoft: interface access (so-called “API”) to AI-based services, which are designed to understand and generate natural language and associated inputs and data, to analyze information and make predictions (“AI”, i.e. “artificial intelligence”, is to be understood in the relevant legal sense of the term); Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Site: https://azure.microsoft.com/ , https://www.microsoft.com/; Privacy statement: https://azure.microsoft.com/de-de/support/legal/ / https://privacy.microsoft.com/de-de/privacystatement; Order processing contract: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Basis for transfer to third countries: EU-US Data Privacy Framework); List of sub-processors used by Microsoft: https://aka.ms/Online_Serv_Subcontractor_List.
OpenAI: interface access (so-called “API”) to AI-based services, which are designed to understand and generate natural language and associated inputs and data, to analyze information and make predictions (“AI”, i.e. “artificial intelligence”, is to be understood in the relevant legal sense of the term); Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; Site: https://openai.com/product; Privacy statement: https://openai.com/de/policies/eu-privacy-policy; Order processing contract: https://openai.com/policies/data-processing-addendum; Standard contractual clauses (ensuring data protection level when processing in third countries): https://openai.com/policies/data-processing-addendum; Objection option (opt-out): https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform; List of sub-processors used by OpenAI: https://platform.openai.com/subprocessors.
Claude 3: interface access (so-called “API”) to AI-based services, which are designed to understand and generate natural language and associated inputs and data, to analyze information and make predictions (“AI”, i.e. “artificial intelligence”, is to be understood in the relevant legal sense of the term); Service provider: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, United States; Site: https://www.anthropic.com/; Privacy statement: https://www.anthropic.com/legal/privacy; Order processing contract: https://www.anthropic.com/legal/commercial-terms; Basis for transfers to third countries: EU/EEA - standard contractual clauses https://www.anthropic.com/legal/commercial-terms.
Hetzner: services in the area of providing information technology infrastructure and related services (e.g. storage and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Site: https://www.hetzner.com; Privacy statement: https://www.hetzner.com/de/rechtliches/datenschutz; Order processing contract: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
Brevo: email delivery and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Site: https://www.brevo.com/; Privacy statement: https://www.brevo.com/legal/privacypolicy/; Order processing contract: Provided by service provider.
To operate the marketing website www.nele.ai:
Webflow: creating, managing and hosting websites, online forms and other web elements; Service provider: Webflow, Inc. 208 Utah, Suite 210, San Francisco, CA94103, United States; web page: https://www.webflow.com; Privacy statement: https://webflow.com/legal/euprivacy-policy; Order processing contract & standard contractual clauses: https://webflow.com/legal/signdpa.
