Annex 1 Data Processing Agreement

Data Processing Agreement between payever GmbH, Rödingsmarkt 20, 20459 (“payever”) and its Business Customer

Preamble

  1. Scope

    When providing the services pursuant to the General Terms and Conditions for Business Customers (the “Main Agreement”), payever processes personal data provided by the Business Customer in order to provide the services, and the Customer functions as the data controller for purposes of data protection law (such data, the “Customer Data”). This Annex specifies the data protection duties and rights of the Parties in connection with the processing of the Customer Data for the purpose of rendering the services under the Main Agreement.

  2. Scope of the contract / authority of the Customer to issue instructions

    1. payever will process the Customer Data exclusively on order and in accordance with the instructions of the Customer unless payever is required by law to do otherwise. In the latter case, payever will inform the Customer about these legal requirements prior to the processing unless the relevant law prohibits such notification on the basis of important public interests.
    2. The processing of Customer Data by payever is carried out exclusively in the manner and scope and for the purpose specified in Appendix 1 to this Annex; the processing involves exclusively the types of personal data and categories of data subjects set forth in Appendix 1.
    3. The term for the processing corresponds to the term of the Main Agreement.
    4. The instructions are conclusively set forth in the content of the Main Agreement and this present Annex unless mandatory provisions in data protection law require additional instructions.
  3. Requirements for personnel

    1. payever must impose obligations to maintain confidentiality about the processing of Customer Data on all persons who process Customer Data.
    2. payever will make sure that natural persons who work for payever and have access to the Customer Data only process the data according to the instructions of the Customer, unless they are required to process the data pursuant to the law of the European Union or the Member States.
  4. Security in the processing

    1. payever will take all appropriate technical and organizational measures required to provide a reasonable level of protection for the Customer Data appropriate for the risk, taking into account the state of the art in technology, the costs and type and scope of implementation, the circumstances and the purpose of the processing of the Customer Data as well as the different probabilities of occurrence and severity of the risk for the rights and freedoms of the data subjects.
    2. payever must take the technical and organizational measures specified in Appendix 2 to this Annex prior to the beginning of the processing of the Customer Data, and payever must maintain these measures during the course of the Main Agreement or replace them by at least equivalent measures as well as make sure that the processing of Customer Data is carried out in accordance with these measures.
  5. Use of additional contract processors

    1. The Customer hereby generally approves the use of additional contract processors by payever. The additional contract processors currently used by payever are designated in Appendix 3.
    2. payever will inform the Customer about any intended change with regard to the involvement or replacement of additional contract processors by sending an email to the email address entered in the payever Account. The Customer is entitled to raise an objection to any intended change within 4 weeks. If the Customer objects, payever is prohibited from making the intended change. In the case of permitted changes, payever will update the list of subcontractors in Appendix 3 accordingly and automatically provide the updated list to the Customer.
    3. payever will impose data protection obligations by contract on each further contract processor which are at least equivalent to the duties for payever established in this present Annex.
  6. Rights of the data subjects

    1. payever will provide all possible support to the Customer, using technical and organizational measures and in exchange for compensation, in complying with its duties to answer requests by data subjects exercising their rights.
    2. payever will especially inform the Customer without undue delay if a data subject directly contacts payever with a request to exercise the data subject’s rights with regard to the Customer Data.
  7. Other duties of payever to provide support

    1. payever will report to the Customer every violation of the protection of Customer Data without undue delay after learning about such a violation, especially events which lead to the destruction, loss, modification or unauthorized disclosure of or access to Customer Data.
    2. In the event that the Customer is required to inform the supervisory authorities and/or data subjects pursuant to Art. 33, 34 GDPR, payever will support the Customer upon request in complying with these duties in exchange for compensation.
    3. payever will provide all possible support to the Customer in exchange for compensation in the case of any data protection assessments to be carried out and any subsequent consultations with the supervisory authorities under Art. 35, 36 GDPR.
  8. Deletion and return of data

    payever will either delete or return to the Customer all Customer Data at the instruction of the Customer when the Main Agreement ends, unless payever is required by law to continue to store the Customer Data.

  9. Proof and inspections

    1. payever declares its consent that the Customer is entitled, upon scheduling a date, to monitor compliance with the provisions on data protection and data security as well as the contractual agreements itself, to a reasonable and necessary extent, or to have such an inspection conducted by third parties retained by the Customer, especially by means of obtaining information and reviewing the stored data and the data processing programs as well as by examinations and on-site inspections, which are conducted during normal business hours at the Customer’s own expense and without disturbing operations.
    2. payever will receive from the Customer compensation for payever’s efforts in connection with this monitoring.

Date [18.05.2018]

Appendix 1 – Information for data processing


Purpose, type and scope of data processing, type of the data and group of data subjects

Purpose of the data processing: Customer management, order processing and administration, order history, analyses of statistics and sales, advertising measures

Type and extent of data processing: Data processing in the extent described for the respective service; the details in the description of the service apply in this regard. There are three fundamentally different forms of the services and data processing:

  • data processing triggering or processing an order or transaction
  • data processing related to downstream measures (e.g. payment processing, order information, customer administration, shipping, analyses, etc.)
  • data processing for marketing measures, i.e. especially data processing for providing support to marketing and sales

Type of data: Contact information, address data, content of messenger communications, basic contract data, payment information and further relevant personal data in connection with the payment process (e.g. credit application), personal circumstances, interests and preferences

Group of data subjects: Customers, potential customers, visitors, suppliers

Appendix 2 – Technical and organizational measures by payever

payever will take appropriate technical and organizational measures to achieve a level of protection reasonable for the risk, taking into account the state of the art in technology, the costs and type of implementation, the scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and severity of the risk for the rights and freedoms of natural persons. These measures include:

Infrastructure and physical security measures

The data of the Customer are stored in external data center parks which are certified in accordance with the internationally recognized standard for information security DIN ISO/IEC 27001. The physical security measures include, but are not limited to:

  • construction measures (fences, monitoring cameras, locked doors, gates and windows, etc.)
  • interruption-free electric power supply
  • modern early fire detection system
  • installation of entry authorization for employees and third parties, including the respective documentation
  • identity cards or code cards
  • designated security areas with their own entry control (“closed shops”)
  • rules and requirements for third parties (visitors, customers, cleaning personnel, contractors, etc.)
  • 24/7 servicing by qualified personnel
  • installation work by qualified technicians

Security measures for internal networks:

payever has a secure internal network for collecting, processing and using the Customer Data, and payever maintains this network. For this purpose, payever protects the data communication between the data centers with VPN and between individual payever service components with SSL. payever uses a secure encryption process (RSA 4096-bit) for the internal processing of confidential and sensitive data.

payever also implements and maintains reasonable firewalls for the protection of the internal networks against unauthorized access to the data, including, but not limited to, defending against dynamic IPs. Improper use of user logins, IPs, changes to data files and HTTP access is monitored by a system and reported to payever (alerting). All firewall settings are examined at least once each quarter and adjusted in accordance with the market standard.

Internal measures at the company:

payever has implemented numerous internal measures at the company. These measures include:

  • entry control for all persons entering the premises, by means of lockable rooms and accompanied visitors
  • security for all end-devices using passwords
  • introduction of access authorization for employees on the basis of an access authorization concept, including the corresponding documentation with differentiated access rules (e.g. partial block, exact user roles or profiles)
  • binding guidelines and procedures for the employees with regard to data security and data processing
  • identification of the end-device and/or user
  • automatic reporting of user IDs which have not been used for a certain period of time
  • use of encryption for data files that are critical with regard to security
  • guidelines for the organization of data files
  • user name and password
  • guidelines for creating a secure password
  • separation of production and test environments for libraries and data files
  • backup routine with regular backups
  • guidelines for the production of backup copies
  • existence of an emergency plan (backup emergency plan)
  • determination of binding or potential storage locations for data
  • electronic reporting of data processing, especially use, modification and deletion of data
  • continuous updating of the software in use (e.g. with updates, patches, fixes, etc.)
  • guidelines for documentation of software and IT processes
  • internal data processing guidelines and procedures, instructions, working instructions, process descriptions and rules for programming, examining and releasing data

payever has also implemented reasonable measures for separation control, so that data collected for different purposes are assured to be processed separately:

  • separation of test data and production data
  • authorization concept (logical separation)
  • separation of the data according to customers


payever reserves the right to update or adjust these technical and organizational measures over the course of time, to the extent such adjustments do not lead to a deterioration of the general security of the services by payever as a contract data processor.

Appendix 3 – Additional contract processors

Name | Address | Country
Amazon, Inc. | 440 Terry Avenue North, Seattle, WA 98109 | USA
Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA 98109 | USA
Atlassian Pty Ltd and the subsidiaries Atlassian, Inc.; Atlassian Network Service, Inc.; Dogwood Labs, Inc.; Trello, Inc. | 1098 Harrison Street, San Francisco, California 94103 | USA
Bugsnag, Inc. | 939 Harrison St, San Francisco, CA 94107 | USA
FullStory, Inc. | 818 Marietta Street NW, Atlanta, GA 30318 | USA
Google LLC | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | USA
Hetzner Online GmbH | Industriestr. 25, 91710 Gunzenhausen | Germany
Microsoft Corporation | One Microsoft Way, Redmond, WA 98052 | USA
Microsoft Ireland Operations Limited | Atrium Building Block A, Carmen Hall Road, Sandyford Industrial Park, Dublin | Ireland
myLoc managed IT AG | Am Gatherhof 44, 40472 Düsseldorf | Germany
Twilio Inc. | 375 Beale Street, Suite 300, San Francisco, CA 94105 | USA
Zendesk, Inc. | 1019 Market Street, San Francisco, CA 94103 | USA