Annex 1 Data Processing Agreement
Data Processing Agreement between payever GmbH, Rödingsmarkt 20, 20459 (“payever”) and its Business Customer
When providing the services under the General Terms and Conditions for Business Customers (the “Main Agreement”), payever processes personal data provided by the Business Customer (the “Customer Data”) in order to render those services; the Customer acts as the data controller for purposes of data protection law. This Annex specifies the data protection duties and rights of the Parties in connection with the processing of the Customer Data for the purpose of rendering the services under the Main Agreement.
Scope of the contract / authority of the Customer to issue instructions
- payever will process the Customer Data exclusively on behalf of and in accordance with the instructions of the Customer unless payever is required by law to do otherwise. In the latter case, payever will inform the Customer about these legal requirements prior to the processing unless the relevant law prohibits such notification on important grounds of public interest.
- The processing of Customer Data by payever is carried out exclusively in the manner and scope and for the purpose specified in Appendix 1 to this Annex; the processing involves exclusively the types of personal data and categories of data subjects set forth in Appendix 1.
- The term for the processing corresponds to the term of the Main Agreement.
- The instructions are conclusively set forth in the content of the Main Agreement and this present Annex unless mandatory provisions in data protection law require additional instructions.
Requirements for personnel
- payever must impose obligations to maintain confidentiality about the processing of Customer Data on all persons who process Customer Data.
- payever will make sure that natural persons who work for payever and have access to the Customer Data only process the data according to the instructions of the Customer, unless they are required to process the data pursuant to the law of the European Union or the Member States.
Security in the processing
- payever will take all appropriate technical and organizational measures required to ensure a level of protection for the Customer Data appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing of the Customer Data as well as the varying likelihood and severity of the risk for the rights and freedoms of the data subjects.
- payever must take the technical and organizational measures specified in Appendix 2 to this Annex prior to the beginning of the processing of the Customer Data, and payever must maintain these measures during the course of the Main Agreement or replace them by at least equivalent measures as well as make sure that the processing of Customer Data is carried out in accordance with these measures.
Use of additional contract processors
- The Customer hereby generally approves the use of additional contract processors by payever. The present, additional contract processors used by payever are designated in Appendix 3.
- payever will inform the Customer about any intended change with regard to the involvement or replacement of additional contract processors by sending an email to the email address entered in the payever Account. The Customer is entitled to object to any intended change within 4 weeks. If the Customer objects, payever is prohibited from making the intended change. In the case of permitted changes, payever will update the list of subcontractors in Appendix 3 accordingly and automatically provide the updated list to the Customer.
- payever will impose data protection obligations by contract on each further contract processor which are at least equivalent to the duties for payever established in this present Annex.
Rights of the data subjects
- payever will, in exchange for compensation, provide all possible support to the Customer, using appropriate technical and organizational measures, in complying with its duties to answer requests by data subjects exercising their rights.
- payever will especially inform the Customer without undue delay if a data subject directly contacts payever with a request to exercise the data subject’s rights with regard to the Customer Data.
Other duties of payever to provide support
- payever will report to the Customer every personal data breach affecting Customer Data without undue delay after becoming aware of it, in particular events which lead to the destruction, loss, alteration or unauthorized disclosure of or access to Customer Data.
- In the event that the Customer is required to inform the supervisory authorities and/or data subjects pursuant to Art. 33, 34 GDPR, payever will support the Customer upon request in complying with these duties in exchange for compensation.
- payever will provide all possible support to the Customer in exchange for compensation in the case of any data protection assessments to be carried out and any subsequent consultations with the supervisory authorities under Art. 35, 36 GDPR.
Deletion and return of data
payever will either delete or return to the Customer all Customer Data at the instruction of the Customer when the Main Agreement ends, unless payever is required by law to continue to store the Customer Data.
Proof and inspections
- payever consents that the Customer is entitled, after scheduling a date in advance, to monitor compliance with the provisions on data protection and data security as well as with the contractual agreements to a reasonable and necessary extent, either itself or through third parties retained by the Customer, in particular by obtaining information and reviewing the stored data and the data processing programs as well as by examinations and on-site inspections, which are conducted during normal business hours, at the Customer’s own expense and without disturbing operations.
- payever will receive from the Customer compensation for payever’s efforts in connection with this monitoring.
Appendix 1 – Information for data processing
Purpose, type and scope of data processing, type of the data and group of data subjects
| Item | Description |
|---|---|
| Purpose of the data processing | Customer management, order processing and administration, order history, analyses of statistics and sales, advertising measures |
| Type and extent of data processing | Data processing to the extent described for the respective service; the details in the description of the service apply in this regard. There are three fundamental, different forms of the services and data processing: |
| Type of data | Contact information, address data, content of messenger communications, basic contract data, payment information and further relevant personal data in connection with the payment process (e.g. credit application), personal circumstances, interests and preferences |
| Group of data subjects | Customers, potential customers, visitors, suppliers |
Appendix 2 – Technical and organizational measures by payever
payever will take appropriate technical and organizational measures to achieve a level of protection reasonable for the risk, taking into account the state of the art in technology, the costs and type of implementation, the scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and severity of the risk for the rights and freedoms of natural persons. These measures include:
Infrastructure and physical security measures
The Customer Data are stored in external data centers which are certified in accordance with the internationally recognized information security standard DIN ISO/IEC 27001. The physical security measures include, but are not limited to:
- construction measures (fences, monitoring cameras, locked doors, gates and windows, etc.)
- interruption-free electric power supply
- modern fire early-detection system
- installation of entry authorization for employees and third parties, including the respective documentation
- identity cards or code cards
- dedicated security areas with their own entry control (“closed shops”)
- rules and requirements for third parties (visitors, customers, cleaning personnel, contractors, etc.)
- 24/7 staffing by qualified personnel
- installation work by qualified technicians
Security measures for internal networks:
payever operates and maintains a secure internal network for collecting, processing and using the Customer Data. For this purpose, payever protects data communication between the data centers with VPN and between individual payever service components with SSL/TLS. payever uses RSA with 4096-bit keys for the internal processing of confidential and sensitive data.
payever also implements and maintains appropriate firewalls to protect the internal networks against unauthorized access to the data, including, but not limited to, defending against dynamic IPs. Improper use of user logins, IP addresses, changes to data files and HTTP access is monitored automatically and reported to payever (alerting). All firewall settings are reviewed at least once per quarter and adjusted in line with the market standard.
Internal measures at the company:
payever has implemented numerous internal measures at the company. These measures include:
- entry control for all persons entering the premises by means of lockable rooms and escorted visitors
- password protection for all end devices
- access authorization for employees on the basis of an access authorization concept, including the corresponding documentation with differentiated access rules (e.g. partial blocking, precise user roles or profiles)
- binding guidelines and procedures for the employees with regard to data security and data processing
- identification of the end-device and/or user
- automatic reporting of user IDs which have not been used for a certain period of time
- use of encryption for data files that are critical with regard to security
- guidelines for the organization of data files
- user name and password
- guidelines for creating a secure password
- separation of production and test environments for libraries and data files
- backup routine with regular backups
- guidelines for the production of backup copies
- existence of an emergency plan (backup emergency plan)
- determination of binding or potential storage locations for data
- electronic logging of data processing operations, especially use, modification and deletion of data
- continuous updating of the software in use (e.g. with updates, patches, fixes, etc.)
- guidelines for the documentation of software and IT processes
- internal data processing guidelines and procedures, instructions, working instructions, process descriptions and rules for programming, testing and releasing data
payever has also implemented appropriate measures for separation control, ensuring that data collected for different purposes can be processed separately:
- separation of test data and production data
- authorization concept (logical separation)
- separation of the data according to customers
payever reserves the right to update or adjust these technical and organizational measures over the course of time, to the extent such adjustments do not lead to a deterioration of the general security of the services by payever as a contract data processor.
Appendix 3 – Additional contract processors

| Contract processor | Address | Country |
|---|---|---|
| Amazon, Inc. | 440 Terry Avenue North, Seattle, WA 98109 | USA |
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA 98109 | USA |
| Atlassian Pty Ltd and the subsidiaries Atlassian, Inc.; Atlassian Network Service, Inc.; Dogwood Labs, Inc.; Trello, Inc. | 1098 Harrison Street, San Francisco, California 94103 | USA |
| Bugsnag, Inc. | 939 Harrison St, San Francisco, CA 94107 | USA |
| FullStory, Inc. | 818 Marietta Street NW, Atlanta, GA 30318 | USA |
| Google LLC | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | USA |
| Hetzner Online GmbH | Industriestr. 25 | |
| Microsoft Corporation | One Microsoft Way, Redmond, WA 98052 | USA |
| Microsoft Ireland Operations Limited | Atrium Building Block A, Carmen Hall Road, Sandyford Industrial Park | |
| myLoc managed IT AG | Am Gatherhof 44 | |
| Twilio Inc. | 375 Beale Street, San Francisco, CA 94105 | USA |
| Zendesk, Inc. | 1019 Market Street, San Francisco, CA 94103 | USA |