ORDER PROCESSING AGREEMENT (AVV)
DATE: SEPTEMBER 2023
This Order Processing Agreement governs the data protection obligations for the contractual relationships between the PassSecurium provider ALPEIN Software SWISS AG, Obergass 23, CH-8260 Stein am Rhein (hereinafter referred to as the "Provider") and product users or customers (hereinafter referred to as the "Client"), each individually a "Party" and together the "Parties".
In the event of discrepancies between the German and English versions of this document, the German version shall always prevail. The contractual language is English.
1. SUBJECT MATTER
1.1. A legal relationship exists between the Parties regarding the transfer of personal data from the Client to the Provider ("Main Contract"). The legal relationship between the Parties shall be governed by the Provider's General Terms and Conditions ("GTC"). This order processing agreement is concluded between the Parties to ensure adequate protection of the personal data transferred under the Main Contract.
1.2. Unless otherwise defined in this Agreement, all terms shall have the same meaning as in the Swiss Federal Act on Data Protection ("FADP"). In addition, this Agreement supports the Parties in complying with the EU General Data Protection Regulation ("GDPR") insofar as personal data of EU customers is concerned.
2. DESCRIPTION OF THE DATA PROCESSING
2.1. The Provider processes personal data on behalf of the Client. The content and duration of the contractual relationship as well as the type and purpose of the processing are set out in the General Terms and Conditions ("GTC") and in Annex A of this Agreement. The data processing procedures are further described in the privacy policy applicable on the Provider's product website.
2.2. By completing the order form and creating a user account in the PassSecurium customer portal, the Client authorises the Provider to process the data in question. The Client may add, change or withdraw orders via the PassSecurium customer portal or by notifying the Provider. Client requests or instructions that are not covered by the GTC are deemed to be service change requests. Verbal orders or instructions must be confirmed by the Client immediately in writing or by a corresponding entry in the customer portal.
3. OBLIGATIONS OF THE PROVIDER
3.1. The Provider shall set up the internal organisation in its area of responsibility in such a way that it meets the requirements of data protection. In view of the nature of the processing, the Provider shall take appropriate technical and organisational measures ("TOM") described in Annex C to support the Client in its obligation to respond to requests from data subjects in accordance with the FADP and GDPR.
3.2. Taking into account the nature of the processing and the information available to it, the Provider shall support the Client, as controller, in complying with its obligations under the FADP and the GDPR. This applies in particular to the security of the processing, the notification of personal data breaches to the supervisory authority, the communication of breaches to the data subjects, data protection impact assessments and prior consultation of the competent supervisory authority.
3.3. The Provider shall only use persons to carry out the necessary work who are bound to confidentiality and who have been familiarised with the data protection regulations relevant to them prior to their deployment and who have undertaken in writing to comply with them.
3.4. In accordance with this Agreement, the Provider shall support the Client, to the extent reasonably possible, in fulfilling data protection requests and claims of data subjects and in complying with its data protection obligations.
3.5. If the Provider becomes aware of a personal data breach, it shall take reasonable measures to secure the data and to minimise possible adverse consequences for the data subjects. In addition, the Provider shall fully comply with the applicable statutory provisions on the reporting of data breaches.
3.6. If a data subject or a data protection supervisory authority contacts the Provider directly in connection with the personal data processed under this Agreement, the Provider shall inform the Client of this immediately and coordinate further steps with the Client.
3.7. Furthermore, with regard to the processing of the Client's personal data, the Provider warrants that
the personal data is processed in accordance with this Agreement and exclusively for the purposes pursued by the Client,
the purposes pursued by the Client result from Annex A (point 1.2), from express instructions of the Client or from other agreements with the Client,
the principles of "privacy by design" and "privacy by default" are observed with regard to the Provider's work equipment, products, IT infrastructure and services,
the Client is informed if the Provider is, or foresees that it will be, no longer able to comply with the agreements made,
the Provider will, where necessary, cooperate with the competent supervisory authorities within the legally permissible framework, in consultation with and in accordance with the instructions of the Client.
4. OBLIGATIONS OF THE CLIENT
4.1. Within the framework of the contractual relationship, the Client shall be responsible for compliance with the provisions of data protection law, in particular regarding the lawfulness of data transmission to the Provider and the lawfulness of its processing.
4.2. The Client has satisfied itself that the TOM used by the Provider and described in Annex C are sufficient to ensure adequate protection of the personal data transmitted.
4.3. The Client is obliged to notify the Provider immediately and comprehensively, in writing or via the PassSecurium website or customer portal, if it detects errors or irregularities in the processed data within the scope of this Agreement.
4.4. The Client shall inform the Provider of its contact person for data protection issues arising within the scope of the contractual relationship if this person differs from the contact person already named.
4.5. The Client declares that it bears sole responsibility for informing the persons affected by the data processing about the possible storage, use, processing and forwarding of data by the Provider in accordance with the provisions of the GTC, the privacy policy and this Agreement. If individual data subjects, e.g. third parties or customers of the Client, do not agree with the intended data processing, the Client is responsible for deleting the respective data of those data subjects in the corresponding PassSecurium customer account.
4.6. By accepting the General Terms and Conditions and this Agreement, the Client consents to the transfer of its data to the Provider and to the third parties or subcontractors to whom the Provider entrusts the execution of orders. The Client shall indemnify the Provider against all claims in this respect. It is the responsibility of the Client to obtain the consent of the data subjects.
5. SUBCONTRACTORS (OTHER ORDER PROCESSORS)
5.1. The Provider may engage subcontractors or third parties, and use their services, to provide the services agreed with the Client in accordance with the contract.
5.2. The Provider must ensure by contract that the principles agreed in this Agreement also apply to its subcontractors. The contract between the Provider and a subcontractor must be concluded in writing or electronically.
5.3. Subcontractors in third countries shall only be commissioned if the special requirements of the FADP and the GDPR are met.
5.4. Where necessary, the Provider shall conclude contracts with subcontractors or third parties involved in the fulfilment of the order in order to ensure full compliance with data protection and information security measures. If a subcontractor fails to fulfil its data protection obligations, the Provider shall be responsible and, if necessary, liable to the Client for the subcontractor's compliance with its obligations.
5.5. The Client agrees to the involvement of the subcontractors listed in Annex B. If a new subcontractor is added, the Provider is obliged to inform the Client of this immediately. The Client may object to changes in the list of subcontractors for good cause within 14 days of becoming aware of them. If no objection is made within this period, consent to the change shall be deemed to have been granted. If there are important data protection reasons for the objection and no amicable solution can be found between the Parties, the Client has an extraordinary right of termination.
5.6. Subcontractors or third parties that have no access to personal data and do not process personal data are not subject to the above provisions.
6. CONFIDENTIALITY
6.1. The Provider confirms that it is familiar with the provisions of the FADP and the GDPR relevant to order processing. The Provider shall maintain confidentiality when handling the Client's personal data. This obligation shall continue to apply after termination of the contractual relationship.
6.2. The Provider shall ensure that the employees involved in the execution of the work are familiar with the data protection regulations applicable to them. It shall bind these employees to secrecy and confidentiality in accordance with its security regulations. This shall be done by written agreement for the duration of the employment contract and after its termination, unless the employees are subject to a statutory duty of confidentiality. The Provider shall monitor compliance with data protection regulations within its organisation.
6.3. The Provider may only pass on information to third parties or interested parties with the prior consent of the Client.
7. TECHNICAL AND ORGANISATIONAL MEASURES
7.1. The Provider shall implement the relevant TOM in such a way that the processing is carried out in accordance with the requirements of the FADP and the GDPR and the rights of the data subjects are protected. It shall design its internal organisation so that it meets the specific data protection requirements and achieves an appropriate level of protection. In particular, the Provider shall ensure a level of security appropriate to the processing, covering the confidentiality (including pseudonymisation and encryption), integrity and availability of the data and the resilience of the processing systems and services against attacks and failures, taking into account the state of the art.
7.2. The TOM may be adapted to technical developments during the contractual relationship. The adapted measures must at least correspond to the security level of the measures agreed in Annex C.
8. INFORMATION OBLIGATIONS OF THE PROVIDER AND VIOLATION OF THE PROTECTION OF PERSONAL DATA
8.1. The Provider shall inform the Client immediately of any breach or suspected breach of this Agreement or the principles for the protection of personal data.
8.2. The Provider shall support the Client in investigating, mitigating and remedying the breaches.
8.3. Should personal data processed under this Agreement be jeopardised at the Provider by seizure or confiscation, by bankruptcy or composition proceedings, or by other events or measures of third parties, the Provider is obliged to notify the Client immediately. The Provider shall immediately inform all parties involved in the matter that control over the data lies with the Client.
8.4. In the event of an audit by a data protection supervisory authority, the Provider undertakes to disclose to the Client the audit findings relating to the processing of personal data under this Agreement. The Provider shall immediately rectify any deficiencies identified in the audit report and notify the Client accordingly.
9. MEANS OF PROOF
9.1. The Provider shall provide the Client with evidence of compliance with the obligations set out in this Agreement by suitable means, namely self-audits, internal audits and/or ISO certification.
9.2. If, in individual cases, an audit by the Client or by an auditor commissioned by the Client is required (e.g. in connection with the FADP or the GDPR), this audit shall normally be carried out during business hours, after prior notification and without disrupting business operations. The Provider may make the audit conditional on advance notice being given within a reasonable period and on an agreement being reached on the confidentiality of other customers' data and of the technical and organisational measures. If the auditor commissioned by the Client is a competitor of the Provider, the Provider may reject the auditor and propose a neutral auditor. The Provider may charge the Client for the costs associated with the audit if no violations are found.
9.3. In the event of an inspection by a data protection authority or another governmental supervisory authority of the Client, this section shall apply accordingly. A non-disclosure agreement is not required if the supervisory authority is bound by a professional or statutory duty of confidentiality whose violation is punishable under the German Criminal Code.
10. DURATION AND TERMINATION
10.1. The Provider shall process and store personal data for the duration of the Main Contract between the Provider and the Client. The Provider shall correct or delete contractual data if instructed to do so by the Client and if this is within the scope of the permissible instructions. This does not apply to data that is required for further processing by law or for internal purposes. The Provider may suspend the execution of instructions it considers abusive until their lawfulness has been established. The General Terms and Conditions apply to the provision of data and the associated remuneration.
11. LIABILITY
11.1. The Provider shall be liable, to the extent permitted by law, for damages arising from culpable breaches of data protection regulations or of this Agreement. It is also responsible for the culpable conduct of its subcontractors and contractors.
11.2. Liability shall be governed by the corresponding provisions in the GTC.
12. MISCELLANEOUS
12.1. In all other respects, the provisions of PassSecurium's General Terms and Conditions and Privacy Policy apply. In the event of a conflict between this Agreement and the General Terms and Conditions, the provisions of the General Terms and Conditions shall take precedence. Should individual parts of this Agreement be invalid, this shall not affect the validity of the General Terms and Conditions and of the remaining provisions of this Agreement.
12.2. Annexes A, B and C are integral parts of this Agreement:
1. Annex A: Subject matter, nature and purpose
2. Annex B: Subcontractors
3. Annex C: Technical and organisational measures (TOM)
1. ANNEX A – SUBJECT MATTER, NATURE AND PURPOSE
1.1. Object of the contract:
Processing of the Client's personal data in the context of its use of the Provider's Software-as-a-Service offering.
1.2. Scope and purpose of the data processing:
Personal data processed by the Client is transmitted to the Provider as part of the Software-as-a-Service offering. The Provider processes this data exclusively in accordance with the General Terms and Conditions and the respective service descriptions on the Provider's website.
1.3. Type of personal data:
| Data category | List of specifically processed data |
| --- | --- |
| Professional contact and (work) organisation data (business customers) | Surname, first name, gender, address, e-mail address, telephone number or mobile phone number |
| Private contact and identification data (private customers) | Surname, first name, gender, address, e-mail address, telephone number or mobile phone number |
| Contract data | Purchased product package, date of purchase, purchase price, contract term |
| Creditworthiness and bank data | Payment method, bank details |
1.4. Groups of data subjects:
| Group of data subjects | Description | Examples |
| --- | --- | --- |
| Employees of the Client | The Client's own employees | Owners, managing directors, other operationally active persons, employees, trainees, applicants, former employees |
| Employees of other companies | Employees of a partner company whose personal data is processed for the Client | Owners, managing directors, other operationally active persons, employees, trainees, applicants, former employees of the partner company (e.g. IT service providers) |
2. ANNEX B - SUBCONTRACTORS
2.1. List of subcontractors:
| Company | Description of the activity | Data category |
| --- | --- | --- |
| ALPEIN Software GmbH & Co. KG | Support in the maintenance of customer systems and product development; support with accounting | Contact details |
3. ANNEX C - TECHNICAL AND ORGANISATIONAL MEASURES (TOM)
3.1. Physical access control
Unauthorised persons are denied physical access to the data processing systems with which personal data is processed or used, by means of:
Access control system
Door security (security locks, doors with a fixed exterior knob that cannot be opened from outside without a key)
Controlled, documented key allocation, non-duplicable keys
Grilles in front of the windows
Visitor log
Careful selection of cleaning services
Customer data is stored exclusively on servers in highly secure data centres
Separate access controls with increased security standards exist for the data centres (e.g. iris scanners, mantraps, video surveillance)
3.2. System and data access control
Prevention of unauthorised reading, copying, modification or removal of data within the data processing systems, through:
Personalised accounts (unique user ID/user assignment), no use of one account by several people
Individual set-up of access rights (access rights for employees are limited to the programmes they need to use to perform their assigned tasks)
Number of system administrators limited to the minimum required
Login with user ID, password and MFA
Password guidelines (strict password security requirements, regular change of passwords)
Use of a centralised password manager based on the principle of least privilege (minimum roles and rights)
Exactly one user master record per user; no shared master records
Automatic locking (e.g. password or timeout/screen lock)
Encryption of data carriers
Network separation and personalised network access
Training of employees, awareness training
Needs-based design of the authorisation concept and access rights, together with their monitoring and logging (e.g. differentiated authorisations by profile, role, transaction and object; evaluations; logging of access, modification and deletion)
Measures for transport, transmission and transfer or storage on data carriers (manual or electronic) as well as for subsequent verification (e.g. encryption / tunnel connection (VPN = Virtual Private Network), electronic signature, logging, transport security)
3.3. Input control
Measures that ensure subsequent verification of whether and by whom data has been entered, changed or removed (deleted):
Login and logout logging
Documentation of maintenance, remote maintenance or repair work carried out on IT systems
Ensuring the integrity of new programs and updates (use of mobile device management (MDM); programs are installed and updated either via central device management or individually and exclusively by an administrator)
Malware check for data carriers received and to be delivered
Complete backup of the affected systems prior to major maintenance/remote maintenance or repair work
3.4. Order control
Measures ensuring that data processed on behalf of a client, or by third parties, is processed only in accordance with instructions:
Criteria for the careful selection of subcontractors
Clear contract design, written definition of instructions
Measures ensuring that personal data is processed on behalf of the Client only in accordance with the Client's instructions, e.g. written instructions, documentation of instructions, offer and order confirmation, confidentiality obligations of the Provider's employees under data protection law, contractually defined responsibilities (persons authorised to issue and receive instructions), regular internal checks
Order processing contracts
Written order placement
Checking the provider's TOM
Checks on subcontractors (especially technical and organisational measures)
Ensuring the destruction of data after completion of the order
In the case of cooperation lasting more than one year, the subcontractors and their level of protection are reviewed annually
3.5. Separation control
Data collected for different purposes must also be processed separately:
Separation of data relating to different customers/clients
Separation of data that is processed for different purposes
Use of separate, customer-specific or multi-tenant systems
Separation of functions (development/test/production)
Physical or logical separation
Compliance with the deletion periods in accordance with the Swiss FADP
3.6. Transfer control
No unauthorised reading, copying, modification or removal during electronic transmission or transport:
Encryption
Tunnel connection (VPN = Virtual Private Network)
Logging
Provision of data only via the Provider's own encrypted cloud system
3.7. Availability and resilience
Protection against accidental or wilful destruction or loss, e.g. data backup measures (physical / logical). Ensuring that all system functions are available and that any malfunctions are reported:
Own server infrastructure in certified data centres (resilience of IT systems)
Emergency plan for an IT emergency (disaster recovery plan) and for data protection breaches
Backup procedures (online, offline), backup plan
Redundant systems
Mirroring of hard disks (RAID procedure)
Uninterruptible power supply (UPS)
Physical separation of data storage
Virus protection / firewall
3.8. Organisational control
The smooth organisation of data protection and data security is ensured by the following measures:
Written commitment of all employees to confidentiality under data protection law
Guidelines on the use of company Internet access and the company e-mail account
Regular sensitisation/training of employees, guidelines/manuals for employees
Organisation of data protection implementation (external data protection officer, supported by internal employees)
Auditing of internal processes
Preparation of a data protection concept
Existence of an IT security concept
Guidelines/working instructions for handling personal data in the home office/mobile office
Guidelines on the use of private devices for business activities (bring-your-own-device)
3.9. Privacy-friendly default settings (Privacy by Default / Privacy by Design)
No more personal data is collected than is necessary for the respective purpose
When developing the software, care is taken to ensure that the software requests/requires as little data as possible for processing
Simple exercise of the data subject's right to erasure through technical measures
Zero-knowledge principle: the Provider has no access to customer data
3.10. Effectiveness control
The effectiveness of the technical and organisational measures is verified by the following measures:
Regular checks on the effectiveness of the technical and organisational measures implemented
Regularly check the functionality of the anti-virus software and the firewall
Regular monitoring and documentation of authorization management
IT security certification in accordance with ISO/IEC 27001
Audits by an external auditor
Penetration tests