Data Processing Agreement

Agreement on the Processing of Personal Data
on behalf of a Client in accordance with Art. 28 GDPR

between

${client}

- hereinafter referred to as the "Client" -

and
insight.out GmbH, Hertelsbrunnenring 22, 67657 Kaiserslautern, represented by the management

- hereinafter referred to as the "Client" -

Preamble

This agreement specifies the data protection obligations of the contracting parties arising from the use of the Contractor's "test.box" tool, the subscription "main contract" related to it and the general terms and conditions. It applies to all activities related to the main contract, in which employees of the Contractor or third parties commissioned by the Contractor may come into contact with personal data of the client.

1. Subject matter of the contract
   In the context of the performance of the main contract, it is necessary for the Contractor to handle personal data for which the client acts as the controller within the meaning of data protection regulations (hereinafter referred to as "Client Data"). This contract specifies the data protection rights and obligations of the parties in connection with the Contractor's handling of Client Data for the performance of the main contract.
2. Scope of the Contract

   2.1	The Processor shall process the Client's Data on behalf of and as instructed by the Client within the meaning of Art. 28 GDPR (Data Processing Agreement). The Client remains the Data Client within the meaning of data protection regulations.
   2.2	The Processing of Client's Data by the Processor is carried out in the manner, scope and for the purpose specified in Annex 1 to this Agreement; the Processing concerns the types of personal data and categories of data subjects specified therein. The Processing period corresponds to the term of the main agreement.
   2.3	The Processor is entitled to anonymize or aggregate Client's Data so that the identification of individual data subjects is no longer possible, and to use such data for the purpose of customizing, improving and optimizing the Service agreed upon under the main agreement, in accordance with the instructions of the Client. The Parties agree that anonymized or aggregated Client's Data will no longer be considered as Client's Data under this Agreement.
   2.4	The Processor may process and use the Client's Data for its own purposes within the scope of what is legally permitted, on its own responsibility, if there is a legal permission or consent of the data subject. This Agreement does not apply to such data processing.
   2.5	The Processing of the Client's Data by the Processor generally takes place within the European Union or in another Contracting State to the Agreement on the European Economic Area (EEA). Nevertheless, the Processor is permitted to process Client's Data outside the EEA in compliance with the provisions of this Agreement, if it informs the Client in advance about the place of Data Processing and the requirements of Art. 44-48 GDPR are fulfilled or an exemption under Art. 49 GDPR applies.

3. Authority of the Client to Issue Instructions

   3.1	The contractor processes the client's data in accordance with the instructions of the client, provided that the contractor is not legally obliged to process the data in another way. In the latter case, the contractor shall inform the client of these legal requirements before processing, provided that the relevant law does not prohibit such notification due to an important public interest.
   3.2	The client's instructions are generally conclusively established and documented in the provisions of this contract. Individual instructions that deviate from or establish additional requirements to the provisions of this contract require the prior consent of the contractor and are carried out in accordance with the change procedure established in the main contract, in which the instruction is to be documented and the client is to regulate the assumption of any resulting additional costs of the contractor.
   3.3	The contractor guarantees that they process the client's data in accordance with the client's instructions. If the contractor believes that an instruction from the client violates this agreement or applicable data protection laws, they are entitled to suspend the execution of the instruction until the instruction is confirmed by the client after appropriate notification. The parties agree that the sole responsibility for the proper processing of the client's data according to instructions lies with the client.

4. Responsibility of the Client

   4.1	The client is solely responsible for the legality of the processing of client data and for protecting the rights of data subjects in relation to the parties. Should third parties make claims against the contractor due to the processing of client data in accordance with this agreement, the client shall indemnify the contractor against all such claims upon first request.
   4.2	The client is responsible for providing the contractor with client data in a timely manner for the performance of services under the main contract, and is responsible for the quality of the client data. The client shall inform the contractor immediately and completely if it detects errors or irregularities regarding data protection regulations or its instructions in the examination of the contractor's work results.
   4.3	Upon request, the client shall provide the information referred to in Art. 30 (2) GDPR to the contractor, to the extent that it is not already in possession of the contractor.
   4.4	If the contractor is obliged to provide information to a governmental authority or person regarding the processing of client data or to otherwise cooperate with such authorities, the client is obligated to assist the contractor at first request in providing such information or fulfilling other obligations to cooperate.

5. Requirements for Personnel
   The contractor must obligate all individuals who process client data to maintain confidentiality with respect to the processing of client data.
6. Security of Processing

   6.1

   The contractor shall take necessary and appropriate technical and organizational measures in accordance with Art. 32 GDPR, which are necessary to ensure an appropriate level of protection for client data, taking into account the state of the art, the implementation costs, the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the contractor (see Annex 3) have been noted and deemed sufficient by the client.

   6.2

   The contractor is allowed to modify or adapt technical and organizational measures during the term of the contract, as long as they continue to meet legal requirements.

7. Engaging Subprocessors

   7.1

   The Client hereby grants the Processor general permission to engage further subprocessors with respect to the processing of Client Data. The subprocessors engaged at the time of conclusion of this Agreement are listed in Appendix 2. Contracts with service providers that involve the review or maintenance of data processing procedures or systems by other entities or other ancillary services, even if access to Client Data cannot be ruled out, are generally not subject to approval, as long as the Processor implements adequate provisions to protect the confidentiality of Client Data.

   7.2

   The Processor shall inform the Client about intended changes with respect to the engagement or replacement of subprocessors. The Client has the right to object to the engagement of a potential further subprocessor on a case-by-case basis. The Client may only raise an objection for important reasons that must be demonstrated to the Processor. If the Client does not raise an objection within 14 days of receiving the notification, their right to object to the corresponding engagement will expire. If the Client objects, the Processor is entitled to terminate the main contract and this agreement with a notice period of 3 months.

8. Rights of data subjects

   8.1	The processor shall support the client, to the extent reasonable, with technical and organizational measures in fulfilling the client's obligation to respond to requests from data subjects exercising their rights under data protection laws.
   8.2	If a data subject directly contacts the processor with a request to exercise their rights under data protection laws, the processor shall promptly forward the request to the client.
   8.3	The processor shall provide the client with information regarding the client's data that is being processed, recipients of the client's data to whom the processor is disclosing or has disclosed the client's data in accordance with the agreement, and the purpose of the storage, to the extent that such information is not already available to the client or can be obtained by the client without undue burden.
   8.4	The processor shall, to the extent reasonable and necessary and upon reimbursement of the documented costs and expenses incurred by the processor in connection therewith, enable the client to comply with its obligation to rectify, erase, or restrict the processing of client's data, or to carry out such rectification, erasure, or restriction itself at the request of the client, to the extent that the client is unable to do so itself.
   8.5	To the extent that a data subject has a right to data portability with regard to the client's data pursuant to Art. 20 of the GDPR, the processor shall support the client, to the extent reasonable and necessary and upon reimbursement of the documented costs and expenses incurred by the processor in connection therewith, in providing the client's data in a commonly used and machine-readable format if the client is unable to obtain the data itself.

9. Notification and support obligations of the contractor

   9.1

   If the client is obligated by law to report or notify a breach of client data protection (in particular according to Art. 33, 34 GDPR), the contractor shall promptly inform the client about any reportable events within its area of responsibility. The contractor shall assist the client upon request, to the extent reasonable and necessary, in fulfilling reporting and notification obligations, and shall be reimbursed for any documented expenses and costs incurred as a result.

   9.2

   The contractor shall support the client, to the extent reasonable and necessary and against reimbursement of documented expenses and costs incurred as a result, in carrying out data protection impact assessments and any subsequent consultations with supervisory authorities pursuant to Art. 35, 36 GDPR.

10. Data deletion

    10.1	After termination of this agreement, the contractor shall delete the customer data, unless there is a legal obligation for the contractor to further store the customer data. Alternatively, the data may be anonymized.
    10.2	Documentation that serves as evidence of the proper processing of customer data may be retained by the contractor even after termination of the contract.

11. Proof and Verification

    11.1	Upon request by the client, the contractor shall provide all necessary and available information to demonstrate compliance with its obligations under this Agreement.
    11.2	The client is entitled to verify the contractor's compliance with the provisions of this Agreement, including the implementation of technical and organizational measures, including by means of inspections.
    11.3	For the purpose of inspections under section 11.2, the client is entitled, at its own expense and during normal business hours (Monday to Friday, 10 a.m. to 6 p.m.), with prior notice in accordance with section 11.5, to enter the business premises of the contractor where client data is processed, without disturbing the contractor's operations and with strict confidentiality of the contractor's business secrets.
    11.4	The contractor is entitled, at his own discretion and taking into account the legal obligations of the client, not to disclose information that is sensitive with respect to the contractor's business or if disclosure would violate legal or other contractual provisions. The client is not entitled to access data or information about other clients of the contractor, information regarding costs, quality control and contract management reports, as well as all other confidential data of the contractor that are not directly relevant to the agreed review purposes.
    11.5	The client must inform the contractor in a timely manner (usually at least two weeks in advance) of all circumstances related to the execution of the review. The client may carry out one review per calendar year. Additional reviews will be carried out against reimbursement of costs and after consultation with the contractor.
    11.6	If the client commissions a third party to carry out the review, the client must also obligate the third party in writing in the same way that the client is obligated to the contractor under this clause 11 of this agreement. In addition, the client must obligate the third party to confidentiality and secrecy, unless the third party is subject to a professional obligation of confidentiality. Upon request by the contractor, the client must immediately submit to him the obligation agreements with the third party. The client may not commission a competitor of the contractor with the review.
    11.7	At the option of the contractor, proof of compliance with the obligations under this contract may be provided not only by an inspection but also by the submission of a suitable, current certificate or report from an independent body (e.g. auditors, auditors for data protection, IT security department, quality auditors) or a suitable certification by IT security or data protection audit – e.g. according to BSI-Grundschutz – ("audit report"), if the audit report allows the client to verify compliance with the contractual obligations in an appropriate manner.

12. Duration of Contract and Termination

    12.1	The duration and termination of this contract are subject to the provisions on duration and termination of the main contract. Termination of the main contract automatically results in termination of this contract. Isolated termination of this contract is excluded.

13. Liability

    13.1

    The liability exclusions and limitations of the main contract apply to the liability of the contractor under this contract. To the extent that third parties make claims against the contractor that result from a culpable breach by the client of this contract or of one of its obligations as the data protection responsible party, the client shall indemnify the contractor against these claims upon first request.

    13.2

    The client also undertakes to indemnify the contractor upon first request from any fines imposed on the contractor to the extent that the client is responsible for the breach that gave rise to the fine.

14. Final provisions

    14.1	If individual provisions of this Agreement are or become invalid or contain a gap, the remaining provisions shall remain unaffected. The parties shall be obliged to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.
    14.2	In case of inconsistencies between this Agreement and other agreements between the parties, in particular the main agreement, the provisions of this Agreement shall prevail.

Attachment 1: Purpose, nature and scope of data processing, type of data and categories of affected persons

Attachment 2: Other data processors

Appendix 3: Technical and Organizational Measures of the Contractor

1. Confidentiality (Art. 32 (1) (b) GDPR)
   1.1 Physical Access Control

   Technical Measures	Organizational Measures
   Chip cards / transponder systems	Key arrangement / list
   Security locks	Visitor book / record of visitors
   	Visitors accompanied by employees
   	Careful selection of cleaning services

   1.2 System Access Control

   Technical Measures	Organizational Measures
   Login with username + password	Manage user permissions
   Anti-virus software clients	Create user profiles
   Firewall	Central password assignment
   Intrusion detection systems	"Secure password" policy
   Encryption of data carriers	"Clean desk" policy
   Encryption of notebooks / tablets	General data protection and / or security policy

   1.3 Data Access Control

   Technical measures	Organizational measures
   Logging of accesses to applications, specifically during input, modification, and deletion of data	Use of authorization concepts
   	Minimum number of administrators
   	Management of user rights by administrators

   1.4 Separation Control

   Technical measures	Organizational measures
   Separation of production and test environment	Control through authorization concept
   	Determination of database rights

   1.5 Pseudonymization

   Technical measures	Organizational measures
   In case of pseudonymization: separation of assignment data and storage in a separate and secured system (possibly encrypted)	Internal directive to anonymize/pseudonymize personal data in case of disclosure or after the expiration of the legal retention period if possible

2. Integrity (Art. 32 para. 1 lit b. GDPR)
   2.1 Disclosure Protocols

   Technical measures	Organizational measures
   Logging of accesses and retrievals	Documentation of data recipients and the planned duration of transfer and retention periods
   Provision via encrypted connections such as sftp, https	Overview of regular retrieval and transmission processes
   	Disclosure in anonymized or pseudonymized form

   2.2 Incoming Inspection

   Technical Measures	Organizational Measures
   Technical logging of data entry, modification, and deletion	Overview of which programs can be used to enter, modify, or delete data
   Manual or automated control of logs	Traceability of data entry, modification, and deletion through individual user names (not user groups)
   	Assignment of rights to enter, modify, and delete data based on an authorization concept
   	Clear responsibilities for deletions

3. Availability and resilience (Art. 32 para. 1 lit. B GDPR)
   3.1 Availability control

   Technical measures	Organizational measures
   Fire and smoke alarm systems	Backup & recovery concept (formulated)
   RAID system / disk mirroring	Regular tests for data recovery

4. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
   4.1 Data protection measures

   Technical measures	Organizational measures
   Central documentation of all procedures and regulations regarding data protection with access for employees as needed / authorized (e.g. Wiki, Intranet ...)	Employees trained and obliged to confidentiality / data secrecy
   	Regular sensitization of employees at least annually
   	The organization complies with the information obligations under Art. 13 and 14 GDPR
   	Formalized process for handling requests for information by data subjects is in place

   4.2 Incident Response Management

   Technical Measures	Organizational Measures
   Use of firewall and regular updating	Documented process for detecting and reporting security incidents / data breaches (including notification requirements to supervisory authorities)
   Use of spam filter and regular updating	Documented procedure for dealing with security incidents
   Use of virus scanner and regular updating	Documentation of security incidents and data breaches, e.g. via ticket system

   4.3 Data Protection by Design and Default

   Technical Measures	Organizational Measures
   No more personal data is collected than is necessary for the respective purpose

   4.4 Order control (outsourcing to third parties)

   Technical measures	Organizational measures
   	Prior examination of the security measures taken by the contractor and their documentation
   	Selection of the contractor with due care (especially with regard to data protection and data security)
   	Conclusion of the necessary contract for order processing or EU standard contractual clauses
   	Written instructions to the contractor
   	Obligation of the contractor's employees to maintain data secrecy
   	Obligation of the contractor to appoint a data protection officer if required by law
   	Ensuring the destruction of data after completion of the contract
   	In case of longer-term cooperation: ongoing review of the contractor and their level of protection