Commissioned Data Processing Agreement in accordance with Art. 28 of the General Data Protection Regulation (DPA) (11.07.2023)
1. Subject of the DPA
1.1. Between the provider Flip GmbH (hereinafter also: "Processor") and the customer (hereinafter also: "Controller") there is a contract (see section 1.2 GTC, the contract without this Data Protection Agreement on Commissioned Processing hereinafter: "Main Contract") on the use of a communication software for employees in the company.
1.2. The performance of the Main Agreement may require the Processor to handle personal data for which the Customer is the controller within the meaning of Article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter: "GDPR") (the Customer hereinafter also: "Data Controller").
1.3. In addition to the Main Agreement, this DPA specifies the mutual rights and obligations under data protection law between the Controller and the Processor in connection with the Processor's handling of the Controller's data for the purpose of implementing the Main Agreement. The DPA is an integral part of the contract and cannot be terminated in isolation. The annexes to the DPA are an integral part of the DPA. In the event of any contradictions between provisions in this DPA and the other provisions of the Main Contract, the provisions of this DPA shall prevail.
1.4. If the Customer sub-licenses the Software Service to Affiliates in accordance with the Main Agreement, this DPA shall apply mutatis mutandis with the proviso that the respective Affiliate acts as the relevant controller pursuant to Art. 4 No. 7 of the GDPR and No. 1.2, the Customer acts as its processor to that extent and the Provider acts as its sub-processor to that extent. The Customer shall ensure that the necessary agreements under data protection law are in place with the respective affiliated company before any processing of personal data by the Provider takes place.
2. Scope of the commission, instruction-based processing
2.1. The subject matter and duration of the order, the type and purpose of the processing, the type of personal data and the categories of data subjects are specified in Annex 1.
2.2. Unless the description of the Processing in this DPA expressly provides otherwise, the Processing by the Processor shall in principle take place within the European Union or in another contracting state to the Agreement on the European Economic Area (EEA). The Processor is only permitted to process the Data outside the EEA in compliance with the provisions of this Agreement if the requirements of Art. 44 - 48 GDPR are met or an exception pursuant to Art. 49 GDPR applies. In any case of processing in the third country, the Processor shall ensure compliance with the requirements of Art. 44 - 49 GDPR. For the use of sub-processors, the requirements and information obligations under Section 4 must also be observed.
2.3. The Processor shall only process the Personal Data on the documented instructions of the Controller (commissioned processing), unless it is obliged to do so by Union or German law; in such a case, the Processor shall notify the Controller of these legal requirements prior to the processing, unless the relevant law prohibits such notification due to an important public interest. The instructions of the Controller are in principle exhaustively set out and documented in the provisions of this Agreement together with the Main Contract. Individual instructions by which the scope of services agreed in the Main Contract is to be changed or extended shall require the prior consent of the Processor.
2.4. The Processor shall inform the Controller without undue delay if it is of the opinion that an instruction of the Controller violates the GDPR or another provision on data protection. In this case, the Processor shall be entitled to suspend the execution of the instruction until confirmation of the instruction by the Controller to the extent required by data protection law. The Controller's assessment of the permissibility of the data processing shall be binding on the Processor.
2.5. The Controller shall inform the Processor without undue delay if it discovers errors or irregularities relevant to the commissioned processing with regard to data protection provisions or its instructions.
2.6. To the extent that the Parties are required by law to provide information or otherwise cooperate with governmental bodies such as a supervisory authority with respect to the commissioned processing, the Parties shall, to the extent legally permissible, (i) assist each other and (ii) inform each other without undue delay of supervisory authority control actions or other governmental measures to the extent that they relate to the commissioned processing.
3. Responsibility of the Controller, Confidentiality, Security of Processing
3.1. The Processor shall only employ persons for the performance of the Contract (i) whom it has committed to confidentiality or who are subject to an appropriate legal duty of confidentiality and (ii) who have previously been familiarised with the data protection provisions relevant to them.
3.2. The Processor shall ensure the implementation of and compliance with all necessary technical and organisational measures pursuant to Article 32 GDPR. A list of the current technical and organisational measures of the Processor can be found in Annex 2. The Processor is permitted to change or adapt technical and organisational measures during the term of the contract, provided they continue to meet the legal requirements and this does not lead to a reduction in the initially agreed level of protection.
4. Use of the services of other processors
4.1. If the Processor uses the services of another processor ("Sub-processor") to carry out certain processing activities on behalf of the Controller, the same data protection obligations as set out in this Data Protection Agreement shall be imposed on that Sub-processor by way of a contract to be drawn up in writing, which may also be in an electronic format, in particular providing sufficient guarantees that the appropriate technical and organisational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of the GDPR.
4.2. The Controller hereby grants the Processor its general authorisation to use sub-processors. The sub-processors used at the time of the conclusion of the contract are listed in Annex 3.
4.3. The Processor shall always inform the Controller of any intended change in the use or replacement of a Sub-processor, which shall give the Controller the opportunity to object to such changes. The Parties agree that any concerns raised by the Controller shall be appropriately discussed and, where possible, resolved by the Parties in a spirit of cooperation based on trust. An objection may only be raised by the Controller for good reason to be proven to the Processor. A good reason exists in particular if the intended change would lead to a violation of data protection requirements. If the Controller does not raise an objection within 14 days after receipt of the notification, its right to object to the change so notified shall expire. If the Controller raises an objection in due time, the intended change shall not be made and the Processor shall be entitled to terminate the contract with three months' notice.
5. Data subject rights, duties of cooperation and support of the Processor
5.1. In view of the nature of the Processing, the Processor shall, where possible, support the Controller with appropriate technical and organisational measures in complying with its obligation to respond to requests to exercise the rights of the Data Subject referred to in Chapter III of the GDPR. To the extent that a data subject contacts the Processor directly for the purpose of responding to requests for the exercise of the data subject's rights referred to in Chapter III of the GDPR, the Processor shall pass on such request to the Controller without undue delay.
5.2. The Processor shall assist the Controller in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Controller. If the Processor becomes aware of a Personal Data Breach, the Processor shall notify the Controller without undue delay.
6. Deletion and return of personal data
Unless prevented from doing so by legal storage obligations, the Processor shall, at the end of the provision of the Processing Services, return to the Controller or erase all Personal Data concerned, at the Controller's option. Where the Processor returns the Data, it shall delete any existing copies after the Controller has confirmed that the Data have been properly received. The Processor shall provide evidence of the deletion to the Controller upon request. Documentation which serves to prove that the data of the Data Controller have been processed in accordance with the contract and in the proper manner may be retained by the Processor even after the end of the contract.
7. Proof of obligations and support during audits
7.1. The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR. The Processor shall facilitate and contribute to audits, including inspections, carried out by the Controller or any other auditor appointed by the Controller.
7.2. In order to carry out inspections, the Controller shall be entitled to enter the business premises of the Processor in which the Controller's data are processed during normal business hours (Mondays to Fridays from 10:00 a.m. to 6:00 p.m.) after timely advance notice in accordance with sentence 2, without disrupting business operations and while maintaining strict confidentiality of the Processor's business and trade secrets. The Controller shall inform the Processor in good time (as a rule, at least two weeks in advance) of all circumstances related to the performance of the inspection and, to the extent possible, coordinate with the Processor.
7.3. The Processor shall not be obliged to unlawfully disclose information or disclose business secrets, without prejudice to the rights of the Controller under Clause 7.1. The Controller shall not be entitled to have access to data or information relating to other clients of the Processor, information relating to costs, quality review and contract management reports and any other confidential data of the Processor which is not directly relevant for the purposes of the review.
7.4. If the Controller engages a third party to carry out the review, the Controller shall impose the same obligation in writing on the third party as the Controller has on the Processor under this Clause 7. In addition, the Controller shall oblige the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. At the request of the Processor, the Controller shall immediately submit to the Processor the commitment agreements with the third party. The Controller may not commission a competitor of the Processor to carry out the inspection.
8. Data protection officer
The data protection officer of the Processor can be reached using the following contact details:
Data Protection Officer of Flip GmbH
70178 Stuttgart, Germany
Annexes to the DPA:
Annex 1: Subject matter and duration of processing, type and purpose of processing, type of personal data, categories of data subjects
Annex 2: Technical and organisational measures in accordance with Art. 32 GDPR
Annex 3: Sub-processors
Annex 1: Subject matter and duration of processing, type and purpose of processing, type of personal data, categories of data subjects
1. Subject matter of the order
The subject matter of the order is determined by the Main Agreement. For the provision of the Flip software as Software-as-a-Service, the Processor is granted access to the personal data of the Controller to a limited extent, namely:
· Receipt of an encrypted data set with the following components:
Title, first name, last name, business email address
· Creation of a user list for user creation
· Set-up of individual users for first login
· Creation of information sheets with user access for first login
· Deletion of individual or multiple users from the system on request in text form
· Hosting of the system with a hosting provider
2. Duration of the order
The duration of the order is determined by the Main Agreement.
3. Purpose of data processing
On behalf of the Controller, the Processor shall process personal data of employees of the Controller for the purpose of providing the Flip software as Software-as-a-Service in accordance with the Main Agreement.
4. Type of personal data (types of data)
The following types of data are the subject of this order:
· Contact details (e.g. email address or telephone number)
Service and IT (usage) data
· Device identifiers
· Access details
· Identification data/IDs
· Telecommunications data/message content
· Usage and connection data/metadata
· Image/video data (if set up by users)
· Audio/voice data (if set up by users)
· Form data (if form feature is used)
5. Categories of data subjects
The following categories of data subjects are the subject of the order:
Employees of the Controller
Annex 2: Technical and organisational measures to be taken in accordance with Art. 32 GDPR which are relevant to the fulfilment of the order by the Processor
1. Measures to ensure confidentiality
a. Employee training
All employees receive regular training (at least once per year) on awareness, general information security topics and the proper handling of customer personal data.
b. Measures by which unauthorized persons are denied access:
- Access control system with badge scanner
- Key management/documentation of key allocation
- Video surveillance of entrances
- Visitor regulation
- Collection at the entrance
- Documentation of visiting hours
- Escort after the visit to the exit
- Central authorization process for access cards
- Immediate blocking of access cards if they are lost
c. Measures to prevent unauthorised persons from being able to use the processing systems:
- Personal and individual user log-in when logging into the system
- State-of-the-art authentication methods (multifactor authentication)
- Authorization process for access permissions
- Limitation of authorized users (need-to-know principle)
- Password specifications (enforcing password parameters in terms of complexity and length)
- Electronic documentation of passwords and protection of this documentation against unauthorized access (password manager)
- Separate administrative account for privileged activities (with hardware authentication)
- Regular account reviews
- Automatic locking of devices after a certain period of time without user activity (also password-protected screen saver or automatic pause)
- Anti-virus software
- Corporate policy for mobile working
- Encryption of mobile devices
d. Measures to ensure that only authorised persons can access the processing systems and cannot read, copy, modify or remove personal data without authorisation:
- Management and documentation of differentiated authorizations (role-based access)
- Segregation of duties (four-eyes principle)
- Destruction of files and data media in accordance with DIN 66399
- Non-reversible deletion of data media
- Logging of accesses to applications, specifically at the time of entry, modification and deletion of data
e. Measures to ensure that data collected for different purposes can be processed separately:
- Separation of customer data at the tenant (Controller) level
- Access authorizations based on functional responsibility
- Separate data processing through differentiating access rules
- Use of test data
- Separation of development and production environment
- Pseudonymization of customer data on systems where possible
- In case of pseudonymization: separation of allocation data and storage in separate and secured system
- Deletion and/or anonymization of customer data at sub-processors in the event of a deletion request/erasure or customer churn
2. Measures to ensure integrity
- Access rights
- Encrypted transport of data
- System-side logging of accesses and retrievals
- Document management system (DMS) with change history
- Functional responsibilities, organizationally defined responsibilities
- Logging of data transfer or data transport
3. Measures to ensure and restore availability
- Security concept for software and IT applications
- Back-up procedure
- Retention process for back-ups
- Virus protection
- Disaster recovery plan
- Regular data recovery testing and logging of results
4. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organisational measures
- Concept for regular review, assessment and evaluation of TOMs (external and internal audits)
- Regular reporting to management
- Emergency tests
- Annual penetration tests
- Documented incident response process
5. Instruction control/order control
- Commissioned data processing agreements pursuant to Art. 28 (3) GDPR with regulations on the rights and obligations of the processor and controller
- Process for issuing and/or following instructions
- Designation of contact persons and/or responsible employees
- Obligation of employees to maintain confidentiality
- Designation of a data protection officer pursuant to Art. 37 et seq. GDPR
- Appointment of an information security officer
- Data protection manager/coordinator
- Maintaining a register of processing activities pursuant to Art. 30 (2) GDPR
- Documentation and escalation process for personal data breaches
- Guidelines/provisions to ensure technical/organizational measures for security of processing
- Process for forwarding requests from data subjects
- Agreement on effective control rights vis-à-vis the contractor
- Regular review of critical contractors
Annex 3: Sub-processors
Microsoft Ireland Operations Limited, One Microsoft Court, South County Business Park, Leopardstown, Dublin 18, D18 DH6k
Server hosting in data centres in Germany
WEBO GROUP ltd, Flandrova 17, 1000 Ljubljana, Slovenia
Nextcloud hosting in data centres within the EU
Zendesk, Inc., 989 Market Street, San Francisco, CA 94103, USA
Customer support request management platform, hosted within the EU. Data transfers take place on the basis of the EU Commission's standard contractual clauses
Mailjet GmbH, Alt-Moabit 2, 10557 Berlin, Germany
Provision of an email API for sending reset password links (not applicable when using SSO)
hibase UG, Wildenbruchstr. 88, 12045 Berlin, Germany
Connection of data sources for the provision of system statistics
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Google Cloud Platform for analysis and provision of system statistics
DeepL GmbH, Maarweg 165, 50825 Cologne, Germany
Provision of on-demand machine translations, hosted within the EU (translation feature)
Helsinki Systems GmbH, Industriestr. 24, 70565 Stuttgart, Germany
Provision of the “Jitsi” video conferencing service, hosted within Germany. (video conferencing feature)
Entrecode GmbH, Dornhaldenstr. 6, 70199 Stuttgart, Germany
Interface Development (API), Development of integrations
Friendventure GmbH, Oskar-Jäger-Str. 173 / K6, 50825 Köln
Provision of forms and static pages (Form and page builder)
Kombo Technologies GmbH, Lohmühlenstraße 65, 12435 Berlin, Germany
Interface Provider for defined Integrations