Data Processing Agreement

Annex 1

Data Processing Agreement

Data Processing Agreement between payever GmbH, Rödingsmarkt 20, 20459 (“payever”) and its Business Customer

Preamble

1

Scope

When providing the services pursuant to the General Terms and Conditions for Business Customers (the “Main Agreement”), payever processes, on behalf of the Business Customer (the “Customer”), personal data for which the Customer is the data controller under data protection law (the “Customer Data”). This Annex specifies the data protection duties and rights of the Parties in connection with the processing of the Customer Data for the purpose of rendering the services under the Main Agreement.

2

Scope of the contract / authority of the Customer to issue instructions

2.1

payever will process the Customer Data exclusively on the order of, and in accordance with the instructions of, the Customer, unless payever is required by law to do otherwise. In the latter case, payever will inform the Customer about these legal requirements prior to the processing, unless the relevant law prohibits such notification on the basis of important public interests.

2.2

The processing of Customer Data by payever is carried out exclusively in the manner and scope and for the purpose specified in Appendix 1 to this Annex; the processing involves exclusively the types of personal data and categories of data subjects set forth in Appendix 1.

2.3

The term for the processing corresponds to the term of the Main Agreement.

2.4

The instructions are conclusively set forth in the content of the Main Agreement and this present Annex unless mandatory provisions in data protection law require additional instructions.

3

Requirements for personnel

3.1

payever must impose obligations to maintain confidentiality about the processing of Customer Data on all persons who process Customer Data.

3.2

payever will make sure that natural persons who work for payever and have access to the Customer Data only process the data according to the instructions of the Customer, unless they are required to process the data pursuant to the law of the European Union or the Member States.

4

Security in the processing

4.1

payever will take all appropriate technical and organizational measures required to provide a level of protection for the Customer Data appropriate to the risk, taking into account the state of the art in technology, the costs of implementation, the type, scope, circumstances and purpose of the processing of the Customer Data, and the varying likelihood and severity of the risk for the rights and freedoms of the data subjects.

4.2

payever must take the technical and organizational measures specified in Appendix 2 to this Annex prior to the beginning of the processing of the Customer Data, and payever must maintain these measures during the course of the Main Agreement or replace them by at least equivalent measures, as well as make sure that the processing of Customer Data is carried out in accordance with these measures.

5

Use of additional contract processors

5.1

The Customer hereby generally approves the use of additional contract processors (sub-processors) by payever. The additional contract processors currently used by payever are listed in Appendix 3.

5.2

payever will inform the Customer about any intended change with regard to the involvement or replacement of additional contract processors by sending an email to the email address entered in the payever Account. The Customer is entitled to raise an objection to any intended change within 4 weeks. If the Customer objects, payever is prohibited from making the intended change. In the case of permitted changes, payever will update the list of subcontractors in Appendix 3 accordingly and automatically provide the updated list to the Customer.

5.3

payever will impose data protection obligations by contract on each further contract processor which are at least equivalent to the duties for payever established in this present Annex.

6

Rights of the data subjects

6.1

payever will, using appropriate technical and organizational measures and in exchange for compensation, provide all possible support to the Customer in complying with its duty to respond to requests by data subjects exercising their rights.

6.2

payever will in particular inform the Customer without undue delay if a data subject directly contacts payever with a request to exercise the data subject’s rights with regard to the Customer Data.

7

Other duties of payever to provide support

7.1

payever will report to the Customer every breach of the protection of Customer Data without undue delay after learning about such a breach, in particular events which lead to the destruction, loss, alteration or unauthorized disclosure of, or access to, Customer Data.

7.2

In the event that the Customer is required to inform the supervisory authorities and/or data subjects pursuant to Art. 33, 34 GDPR, payever will support the Customer upon request in complying with these duties in exchange for compensation.

7.3

payever will provide all possible support to the Customer in exchange for compensation in the case of any data protection assessments to be carried out and any subsequent consultations with the supervisory authorities under Art. 35, 36 GDPR.

8

Deletion and return of data

8.1

payever will either delete or return to the Customer all Customer Data at the instruction of the Customer when the Main Agreement ends, unless payever is required by law to continue to store the Customer Data.

9

Proof and inspections

9.1

payever declares its consent that the Customer is entitled, upon scheduling a date, to monitor itself, to a reasonable and necessary extent, compliance with the provisions on data protection and data security as well as with the contractual agreements, or to have such an inspection conducted by third parties retained by the Customer. Such monitoring may in particular take the form of obtaining information and reviewing the stored data and the data processing programs, as well as examinations and on-site inspections, which are conducted during normal business hours, at the Customer’s own expense and without disturbing operations.

9.2

payever will receive from the Customer compensation for payever’s efforts in connection with this monitoring.

Date [18.05.2018]

Appendix 1 – Information for data processing

Purpose, type and scope of data processing, type of the data and group of data subjects

Appendix 2 – Technical and organizational measures by payever

payever will take appropriate technical and organizational measures to achieve a level of protection reasonable for the risk, taking into account the state of the art in technology, the costs and type of implementation, the scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and severity of the risk for the rights and freedoms of natural persons. These measures include:

Infrastructure and physical security measures

The data of the Customer are stored in external data centers which are certified in accordance with the internationally recognized information security standard DIN ISO/IEC 27001. The physical security measures include, but are not limited to:

construction measures (fences, monitoring cameras, locked doors, gates and windows, etc.)

uninterruptible power supply

modern early fire detection system

entry authorization procedures for employees and third parties, including the respective documentation

identity cards or code cards

designated security areas with their own entry control (“closed shops”)

rules and requirements for third parties (visitors, customers, cleaning personnel, contractors, etc.)

24/7 staffing by qualified personnel

installation work by qualified technicians

Security measures for internal networks:

payever operates and maintains a secure internal network for collecting, processing and using the Customer Data. For this purpose, payever protects the data communication between the data centers with VPN, and the communication between individual payever service components with SSL/TLS. payever uses RSA with 4096-bit keys as the encryption process for the internal processing of confidential and sensitive data.

payever also implements and maintains reasonable firewalls for the protection of the internal networks against unauthorized access to the data, including, but not limited to, defending against attacks from dynamic IP addresses. A monitoring system tracks user logins, source IP addresses, changes to data files and HTTP access, and alerts payever to any misuse (alerting). All firewall settings are reviewed at least once each quarter and adjusted in accordance with the market standard.

Internal measures at the company:

payever has implemented numerous internal measures at the company. These measures include:

entry control for all persons entering the premises, by means of lockable rooms and the escorting of visitors

password protection for all end devices

access authorization for employees on the basis of an access authorization concept, including the corresponding documentation with differentiated access rules (e.g. partial blocking, precisely defined user roles or profiles)

binding guidelines and procedures for employees with regard to data security and data processing

identification of the end device and/or user

automatic reporting of user IDs which have not been used for a certain period of time

rules and requirements for third parties (visitors, customers, cleaning personnel, contractors, etc.)

use of encryption for security-critical data files

guidelines for the organization of data files

user name and password

guidelines for creating a secure password

separation of production and test environments for libraries and data files

backup routine with regular backups

guidelines for the production of backup copies

existence of an emergency plan (backup emergency plan)

determination of binding or permissible storage locations for data

electronic logging of data processing, in particular the use, modification and deletion of data

continuous updating of the software in use (e.g. with updates, patches, fixes, etc.)

guidelines for the documentation of software and IT processes

payever has also implemented reasonable measures for separation control, so that there is assurance that data collected for different purposes can be processed separately:

separation of test data and production data

authorization concept (logical separation)

separation of the data according to customers

payever reserves the right to update or adjust these technical and organizational measures over the course of time, to the extent such adjustments do not lead to a deterioration of the general security of the services by payever as a contract data processor.

Appendix 3 – List of subcontractors

© payever. All rights reserved.