Data Processing Agreement

In accordance with Art. 28 GDPR

between

Smart Enterprise Solutions GmbH 
Stuttgarter Str. 13a
75179 Pforzheim
(hereinafter: Data processor or processor)

and the customer or users of our products smenso Cloud and Smart Project Manager
specified in the main contract, the order confirmation or in an offer.
(hereinafter: Data controller or controller)

Preamble

This agreement specifies the obligations of the contracting parties with regard to data protection in connection with the processor’s handling of personal data of the controller or of its contact persons (customers, suppliers, etc.). It shall apply to all activities in which employees or agents of the processor may come into contact with the controller’s personal data through the processor. In addition, confidential information from the controller’s company is made available to the processor within the framework of the main contract or other business relations between the parties, and it cannot be excluded that the processor comes into contact with such information at the controller’s premises.

Subject of the agreement

  1. The nature, scope and purpose of the collection, processing or use of data shall be specified in Appendix 1. The processor may only process the categories of data referred to in Appendix 1, of the data subjects mentioned therein for the purposes specified therein or in any main contract. The existence of a possible main contract is noted in Appendix 1.
  2. The processor may not collect or use data in any way that deviates from or goes beyond this; in particular, it may not use the data for its own purposes.
  3. This agreement shall remain in force for the duration of the existing contractual relationship, in particular an existing maintenance contract or any main contract.

Rights and obligations of the controller

  1. The controller is responsible for compliance with the statutory data protection regulations in respect of the instructions given as well as for the protection of the rights and freedoms of the data subjects and third parties. The responsibilities of the processor in accordance with Articles 28 (10), 82, 83 and 84 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) remain unaffected. As between the parties, the controller is the owner of the data and the holder of all rights to the data.
  2. The controller shall place all orders or partial orders in writing. Changes to the subject-matter of the processing and procedural changes (initially defined by Appendix 1) shall be agreed jointly and specified in writing. Oral instructions may be given in urgent cases, but must be confirmed in writing immediately afterwards. Persons of the parties authorized to initiate or confirm changes/additions are listed in Appendix 3.
  3. The controller shall inform the processor immediately if he finds errors or irregularities in the processing results, in particular if he has reason to believe that the manner in which the data is processed by the processor violates data protection requirements.
  4. The controller is obliged to treat confidentially all knowledge of trade secrets and data security measures acquired within the framework of the contractual relationship. This obligation shall remain in place after the termination of this agreement.
  5. The controller is entitled to satisfy himself, before the start of the data processing and regularly thereafter, of compliance with the technical and organizational measures taken by the processor. The controller documents the result of these checks. For this purpose, the controller may, for example, obtain information from the processor or - in principle, by appointment - check on site at the processor’s premises during normal business hours, or have such checks carried out by a third party.
  6. The processor grants the controller, or a third party commissioned by him, the rights of entry, information and access necessary for carrying out the checks and shall participate in the checks to an appropriate extent; the controller will take into account the operational interests of the processor when exercising the right of inspection.

Rights and obligations of the processor

  1. The processor processes personal data exclusively within the framework of the agreements made and in accordance with the instructions of the controller and only in the territory of the European Union and the European Economic Area. The processor shall not use the data provided for data processing for any purpose other than the fulfilment of the main contract, in particular not for its own purposes.
  2. The processor may not hand over data to third parties or other recipients without the prior written consent of the controller. Excluded from this are data transfers to subcontractors in accordance with section 4 (Subcontractors).
  3. The processor declares that it is not obliged under the law of the European Union or of a Member State of the European Union to process data without instructions from the controller. The processor shall inform the controller immediately if it nevertheless receives a corresponding request for data processing. This does not apply if the processor is obliged to maintain secrecy due to legal regulations.
  4. If the processor considers that an instruction given by the controller violates data protection requirements, it shall immediately draw the controller’s attention to this. The processor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the controller.
  5. The processor shall ensure, and regularly verify, that the data processing in its area of responsibility, which includes any subcontractors, is carried out in accordance with the provisions of this agreement, the special legal requirements of the Data Protection Act and the instructions of the controller, and that the technical and organisational measures are complied with for the duration of this contract. The current state of the art must be taken into account, having regard to the risk. These measures are set out in Appendix 4. The processor may change the measures taken, provided that it is ensured that the agreed level of protection is not fallen below. In the event of significant changes, the controller shall be informed of the processor’s intended changes in text form in good time before their implementation. Upon request, the processor shall demonstrate compliance with these measures to the controller by presenting documentation.
  6. The processor assures that he is aware of all relevant data protection regulations of the GDPR and guarantees their implementation. Unless already done, the processor shall oblige all persons employed with the processing of the data to maintain confidentiality in accordance with the GDPR in writing, insofar as these persons are not already subject to a comparable obligation of confidentiality, including legal ones. The processor must instruct these persons in the essential legal provisions on data protection and oblige them to comply with these provisions. At the request of the controller, the processor shall prove this by submitting the declarations of undertaking.
  7. The processor shall immediately correct, delete or block the data if the controller instructs him to do so. The processor undertakes the data-protection-compliant deletion of data or destruction of data carriers on the basis of an individual order by the controller, unless this has already been agreed upon in a possible main contract. In the case of test and scrap materials, an individual instruction for deletion is not required. Legal retention obligations remain unaffected.
  8. Upon termination of the contractual relationship, the processor shall, at the discretion of the controller, hand over or delete all personal data that has been transferred to it and to subcontractors, unless the processor is obliged to store it on the basis of other regulations. The processor has no right of retention of the data, unless its counterclaim is legally established or undisputed.
  9. The processor warrants to appoint a Data Protection Officer and to employ him at least for the duration of this Agreement. The name of the data protection officer as well as the contact details can be found in the data protection declaration on the homepage of the processor (www.smenso.de/en/privacy). A change of data protection officer shall be communicated to the controller without delay.
  10. The processor assists the controller in complying with the controller’s obligations under Art. 32 GDPR (TOM), Articles 33 and 34 GDPR (reporting obligations in the event of data breaches) and, if applicable, Article 35 GDPR (data protection impact assessment) and Article 36 GDPR (consultation of the supervisory authority).

Subcontractors

  1. Subcontractors are contractors of the processor, who in turn process personal data of the controller, as well as their contractors.
  2. The processor may entrust suitable subcontractors in the territory of the European Union or the European Economic Area with the processing of data on behalf of and in accordance with instructions, if the controller has agreed to this in writing (e.g. by e-mail) in individual cases before the subcontractor is commissioned. The processor shall inform the controller of any proposed change with regard to the use or replacement of subcontractors. The controller may object to the use or exchange of subcontractors after being informed by the processor. An objection may only be raised for good reason.
  3. Subcontractors in third countries may only be engaged if the special conditions set out in Article 44 et seq. GDPR (e.g. Commission adequacy decision, standard data protection clauses, approved codes of conduct) are met.
  4. The processor shall contractually ensure that the subcontractor is subject to the same data protection obligations under this agreement. In particular, it is necessary to ensure that the appropriate technical and organisational measures are carried out by the subcontractor in such a way that the processing is carried out in accordance with the requirements of data protection law. The controller must be entitled to carry out on-site checks at the subcontractor or to have it carried out by third parties.
  5. The subcontractors referred to in Appendix 2 with name, address and content of the contract are being employed by the processor at the time of the conclusion of this agreement. The subcontractors differ substantially depending on the product or services used, which is why Appendix 2 includes two separate lists of subcontractors. The controller agrees to their assignment.

Special obligations of the processor in the event of disruptions to the processing or breach of the protection of personal data

  1. The processor shall immediately notify the controller of any disruption, and of any breach of data protection provisions or of this agreement by the processor or by persons employed by it, if there are indications that personal data has been unlawfully processed. The processor shall also take the necessary measures to secure the data and to reduce possible adverse consequences for the data subjects.
  2. Should the data of the controller be endangered by attachment or seizure, insolvency proceedings or other events or measures of third parties, the processor must inform the controller immediately. The processor will immediately inform all persons responsible in this regard that the sovereignty and ownership of the data lie exclusively with the controller.

Requests from affected persons

  1. In the event that a data subject asserts legitimate data protection claims against the controller, the processor, taking into account the nature of the processing, will, if possible, assist the controller with appropriate technical and organisational measures to comply with these claims.
  2. Should data subjects or other third parties directly address data protection requests to the processor or assert data protection rights against the processor, the processor will forward these requests to the controller without delay.

Liability

  1. The controller and the processor shall be liable to third parties within the scope of their responsibilities in accordance with the statutory provisions of Art. 82 GDPR for damages caused by data processing that does not comply with the GDPR.

Final provisions

  1. Amendments or additions to this agreement or its appendices must be made in writing.
  2. If and to the extent that the main contract contains provisions that conflict with those of this agreement, the provisions of this agreement shall prevail unless otherwise provided for in this agreement.
  3. German law applies.
  4. Should any of these provisions be ineffective, this shall not affect the validity of the remaining provisions.

Overview of appendices

Appendix 1: The subject matter, nature, scope and purpose of the data processing / circle of data subjects
Appendix 2: Subcontractors
Appendix 3: Persons responsible
Appendix 4: Technical and organisational measures

Appendices

Appendix 1:
The subject matter, nature, scope and purpose of the data processing / circle of data subjects

Subject of data collection, processing or use

  • Main contract between client and contractor
  • Alternatively offer (with services description) or order confirmation

The nature, scope and purpose of data collection, processing or use

  • Creation and management of user profiles
  • Communicating with users about our services, updates or offers
  • Access to data as part of support/remote access
  • Processing of support requests in the processor’s help center
  • Processing of support requests by e-mail to the processor
  • Order and subscription management

Types of data

  • Personal master data
    • First and last names
    • Positions / Organizational Units
    • Customer numbers
  • Contact data
    • Phone number(s)
    • E-mail address(es)
    • Postal addresses
  • Account data
    • Username
    • Permissions
    • Plan / tariff information
  • Usage data
    • Device identifiers
    • System states
    • IP addresses
    • Browser (manufacturer, version)
    • Browser history, page view statistics
    • Information about signup, last login, login duration
    • Access information
    • Log files
    • Cookies
  • Planning and controlling data in the project management context (e.g. data from projects/tasks, customer/supplier names)
  • Communication data
    • E-mail content
  • Transaction data
    • Billing information
    • Company/departmental affiliations
    • Credit card
    • Transaction and invoice data
    • Account number(s)/IBAN

Data subjects

  • Employees of the controller
  • Contact persons of the controller (customers/suppliers/partners/potential customers)
  • Users and customers of customers of the processor

Appendix 2: Subcontractors

Subcontractors valid for the web application “smenso Cloud”

Subcontractor | Content
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA
Parts of the software are hosted in Microsoft's data centers in the European Union territory. As part of this, various services and data are processed. Data storage is also carried out in Microsoft's data centers in the territory of the European Union.

https://azure.microsoft.com/de-de/

https://privacy.microsoft.com/de-de/privacystatement

https://www.microsoft.com/de-de/trust-center/privacy/gdpr-overview
Auth0, Inc.
10800 NE 8th Street
Suite 700
Bellevue, WA 98004
USA
Auth0 is a provider of identity management services. We use Auth0 to authenticate and log on users and maintain user profiles.

The data is hosted in the territory of the European Union.

https://auth0.com/privacy/
MongoDB, Inc.
3rd Floor
3 Shelbourne Building
Crampton Avenue Ballsbridge
Dublin
Ireland
We use hosting services from MongoDB for databases. Physically, however, the databases are hosted in Microsoft Azure data centers in the European Union territory.

https://www.mongodb.com/legal/privacy-policy
Zendesk International Ltd
55 Charlemont Place
Saint Kevin’s
Dublin D02 F985, Ireland
We use Zendesk's services to run our help center and to process support requests from our users.

https://www.zendesk.de/company/customers-partners/privacy-policy/

Contract basis: Data Processing Agreement as of 11.03.2020
Atlassian Corporation Plc
C/O Herbert Smith Freehills LLP, Exchange House, Primrose Street, London, EC2A 2EG
United Kingdom
We use the ticket management system Jira Software in regard to the processing of feature requests of our users.

https://de.atlassian.com/legal/privacy-policy
The Rocket Science Group, LLC
675 Ponce de Leon Ave NE
Suite 5000
Atlanta, GA 30308
USA
MailChimp is a mailing service provided by The Rocket Science Group.

We use MailChimp for marketing campaigns, advertising and information about updates and use the service for web analytics and in our marketing campaigns.

https://mailchimp.com/legal/privacy/

https://mailchimp.com/legal/data-processing-addendum/

Subcontractors valid for the on-premises application “Smart Project Manager”

Subcontractor | Content
Atlassian Corporation Plc
C/O Herbert Smith Freehills LLP, Exchange House, Primrose Street, London, EC2A 2EG
United Kingdom
We use the ticket management system Jira Software in combination with Jira Service Desk to process support requests from our users.

https://de.atlassian.com/legal/privacy-policy
The Rocket Science Group, LLC
675 Ponce de Leon Ave NE
Suite 5000
Atlanta, GA 30308
USA
MailChimp is a mailing service provided by The Rocket Science Group.

We use MailChimp for marketing campaigns, advertising and information about updates and use the service for web analytics and in our marketing campaigns.

https://mailchimp.com/legal/privacy/

https://mailchimp.com/legal/data-processing-addendum/
itelligence AG
Königsbreede 1,
33605 Bielefeld
Germany
We are contracting itelligence AG for SAP consulting and development services.

https://itelligencegroup.com/de/privacy/
itmX GmbH
Stuttgarter Str. 8
75179 Pforzheim
Germany
We are contracting itmX GmbH for SAP consulting and development services.

https://itmx.de/datenschutzerklaerung/
enosiX, Inc.
250 E Fifth Street
Suite 1500
Cincinnati, OH 45202
USA
enosiX is the manufacturer of the enosiX framework, which integrates data from SAP ERP / S4 into front-end systems. We use the enosiX framework to integrate SAP into our software.

https://enosix.com/company/

Appendix 3: Persons responsible for data protection issues

Persons responsible at the contractor / data processor

Surname, first name | Function | Contact
De Tullio, Marco | Managing Director
Smart Enterprise Solutions GmbH
Stuttgarter Str. 13a
75179 Pforzheim
Germany
+49 7231 77857 53
marco.detullio@smenso.de
Riermeier, Philipp | Managing Director
Smart Enterprise Solutions GmbH
Stuttgarter Str. 13a
75179 Pforzheim
Germany
+49 7231 77857 51
philipp.riermeier@smenso.de
Ernst, Volker | Data Protection Officer
Just-IT GmbH
Schwebelstraße 10
75172 Pforzheim
Germany
+49 7231 133 6008
datenschutzbeauftragter@justitgmbh.de

Appendix 4: Technical and organisational measures

Physical access control

Measures to prevent unauthorized persons from gaining physical access to facilities or rooms in which personal data is processed or in which other personal documents, such as files or data carriers, are kept.

  • Entry is controlled via key management (key issuance, etc.)
  • Use of security locks
  • Careful selection of cleaning staff
  • Internal servers are additionally secured: only designated employees may enter the area
  • Storage of sensitive data carriers and paper files in lockable cabinets

System access control

Measures suitable to prevent data processing systems from being used by unauthorized persons.

  • Authentication with personalized username/password and dedicated user rights
  • Password assignment with technically enforced password policy
  • Limit on logon attempts at the domain level
  • Use of VPN technology including two-factor authentication
  • Use of an intrusion detection system
  • Use of anti-virus software
  • Use of a software firewall
  • Use of a hardware firewall
  • Ensuring security patches are applied
  • Assignment of user profiles to IT systems
  • Immediate deactivation of unused user accounts
  • Use of central smartphone administration software (e.g. for remote wiping of data)

Data access control

Measures to ensure that those entitled to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing and use and after storage.

  • Use of a permission concept (Microsoft Active Directory incl. group assignments)
  • Number of administrators reduced to the minimum necessary
  • Use of VPN technology
  • Physical erasure of data carriers before reuse
  • Rights are managed via requests to internal IT support
  • Secure storage of data carriers
  • Use of shredders or service providers (if possible with data protection seal of approval)

Transfer control

Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data is intended to be transmitted by data transmission facilities.

  • Use of VPN tunnels incl. two-factor authentication
  • Physical transport: selection of secure transport containers/packaging
  • Physical transport: selection of reliable transport personnel and secure transport vehicles (e.g. courier services)
  • Encryption of data carriers used for transport
  • Monitoring and logging of traffic using software and hardware firewalls
  • Use of anti-virus software

Input control

Measures to ensure that it is possible to verify retrospectively whether and by whom personal data have been entered, modified or removed in data processing systems.

  • Logging the input, modification and deletion of data
  • Traceability of input, modification and deletion of data by individual user names (not user groups)
  • Logging VPN Connections (Firewall)

Order control

Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the instructions of the client.

  • Selection of subcontractors with particular regard to Article 28 GDPR and thus to the suitability of the technical and organisational measures taken by them
  • The collection, processing, rectification and deletion of the data is strictly bound by the order and the individual instructions of the client in accordance with the contractual agreements made herein
  • Written obligation of employees and subcontractors to data secrecy or confidentiality where access to personal data cannot be excluded
  • Written instructions to the contractor
  • Effective rights of control over the subcontractor are agreed
  • Ensuring the destruction of data after the end of the contract
  • Conclusion of contracts with subcontractors in third countries only using the EU standard contractual clauses

Availability control

Measures to ensure that personal data is protected against accidental destruction or loss.

  • Uninterruptible Power Supply (UPS)
  • Devices for monitoring temperature and humidity in server rooms
  • Use of virtualization solutions for servers as well as backup & recovery measures
  • Fire and smoke alarm systems
  • Regular monitoring of essential systems
  • Use of intrusion detection systems and a central firewall
  • Retention of data backup in a secure, outsourced location
  • Air conditioning in server rooms
  • Fire extinguishers in server rooms
  • Server rooms not under sanitary facilities

Separation requirement

Measures to ensure that data collected for different purposes can be processed separately.

  • Logical separation of clients (software-side); client data can be deleted separately
  • Separation of productive and test systems
  • Providing the records with purpose attributes/data fields

CONTACT

smenso | Smart Enterprise Solutions GmbH

Stuttgarter Straße 13a
75179 Pforzheim | Germany

Phone: +49 7231 778575-0
Fax: +49 7231 77857-99

Mail: info@smenso.de