Order processing agreement
1) Scope of application
When providing the services in accordance with the order form and Software-as-a-Service contract concluded between the parties (hereinafter together "main contract"), Hivebuy (hereinafter "Contractor") processes personal data that the customer (hereinafter "Client") has provided for the provision of the services and with regard to which the Client acts as the controller in the sense of data protection law ("Client Data").
This Data Processing Agreement ("DPA") specifies the data protection obligations and rights of the parties in connection with the processing of the Client Data processed by the Contractor for the Client under the main contract.
2) Subject matter and scope of the assignment / Client's authority to issue instructions
2.1) The Contractor shall process the Client Data exclusively on behalf of and in accordance with the instructions of the Client, unless the Contractor is obliged to process them otherwise under the law of the European Union or a member state. In such a case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.
2.2) Unless otherwise agreed in the main contract, the Contractor shall process the Client Data exclusively in the manner, to the extent and for the purpose specified in Annex 1 to this DPA; the processing shall relate exclusively to the types of personal data and categories of data subjects specified therein. If these processing operations change due to a change in the Contractor's contractual performance in accordance with the main contract, the Contractor shall amend Annex 1 accordingly.
2.3) The duration of the agreement corresponds to the term of the main contract.
2.4) The processing of the Client Data shall generally take place in the territory of the European Union or in another state party to the Agreement on the European Economic Area ("EEA"). The Contractor shall also be permitted to process Client Data outside the EEA in compliance with the provisions of this DPA, or to have it processed by other subcontractors in accordance with Section 5 of this DPA, if the requirements of Art. 44 to 48 GDPR are met or an exception pursuant to Art. 49 GDPR applies. The provisions on the use of other subcontractors in Section 5 of this DPA remain unaffected.
2.5) The instructions result from the main contract. In addition, the Client shall only be entitled to issue instructions regarding the type, scope, purposes and means of processing Client Data if these are required by law, court order or official regulations. These instructions must be issued in writing or text form. The Client shall confirm verbal instructions in writing or by e-mail. All instructions must be documented by the parties.
2.6) If the Contractor is of the opinion that an instruction of the Client violates this DPA, the GDPR or other data protection regulations of the European Union or the Member States, it shall inform the Client of this immediately in writing or text form. The Contractor shall be entitled to suspend the execution of such an instruction until the Client confirms it in writing or text form. If the Client insists on the execution of an instruction despite the concerns raised by the Contractor, the Client shall indemnify the Contractor against all damages and costs incurred by the Contractor as a result of the execution of the Client's instruction. The Contractor shall draw the Client's attention to any damages asserted against it and any costs incurred by it, shall not acknowledge any third-party claims without the Client's consent and shall, at the Contractor's discretion, conduct the defense in consultation with the Client or leave it to the Client.
3) Requirements for personnel
3.1) The Contractor shall oblige all persons who process Client Data and are entrusted with the fulfillment of this contract to maintain confidentiality.
3.2) The Contractor shall ensure that persons subordinate to it who have access to Client Data process them only in accordance with the provisions of this DPA and the instructions of the Client, unless they are obliged to do so under European Union or Member State law.
4) Security of processing
4.1) The Contractor shall take all appropriate technical and organizational measures necessary, taking into account the state of the art, the costs of implementation and, as far as the Contractor is aware, the nature, scope, context and purposes of the processing of the Client Data and the risk of varying likelihood and severity for the rights and freedoms of data subjects, to ensure a level of security appropriate to the risk for the Client Data.
4.2) The Contractor shall, in particular, take the technical and organizational measures specified in Annex 2 to this DPA before commencing the processing of the Client Data and maintain them for the duration of the main contract and ensure that the processing of Client Data is carried out in accordance with these measures.
4.3) Since the technical and organizational measures are subject to technical progress, the Contractor is entitled and obliged to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 2. If the Contractor makes significant changes to the measures set out in Annex 2, it shall inform the Client of this in advance.
5) Use of other subcontractors
5.1) The Contractor shall use the other subcontractors listed in Annex 3 when processing the Client Data. These shall be deemed approved upon conclusion of the DPA.
5.2) The Contractor may use additional subcontractors for the processing of Client Data subject to the following conditions: The Contractor shall inform the Client in text or written form at least fifteen (15) working days before using the additional subcontractor. If the Client does not raise an objection within five (5) working days, the utilization shall be deemed approved.
5.3) If the Client objects to the use of an additional subcontractor, the Contractor shall be entitled, at its discretion, to continue to provide the services without the relevant subcontractor or to terminate the main contract and this DPA at the time of the planned use of the subcontractor.
5.4) The Contractor shall obligate each additional subcontractor by way of a written contract in the same way as the Contractor is obligated to the Client under this agreement.
5.5) The Contractor shall be obliged to select and use only such additional subcontractors that offer sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that the processing of the Client Data is carried out in accordance with the requirements of the GDPR and this DPA.
6) Rights of the data subjects
6.1) The Contractor shall take all reasonable technical and organizational measures to assist the Client in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
6.2) In particular, the Contractor shall:
inform the Client without undue delay if a data subject contacts the Contractor directly with a request to exercise their rights in relation to Client Data;
immediately provide the Client with all information available to the Client regarding the processing of Client Data which the Client requires to respond to a data subject's request and which the Client does not have itself;
rectify, erase or restrict the processing of Client Data without undue delay at the instruction of the Client;
ensure that the Client can receive, and does receive, the Client Data processed in the Contractor's area of responsibility in a structured, commonly used and machine-readable format, insofar as the data subject has a right to data portability vis-à-vis the Client with regard to the Client Data.
7) Other support obligations of the Contractor
7.1) The Contractor shall notify the Client immediately after becoming aware of any breach of the protection of Client Data, in particular incidents that lead to the destruction, loss, modification, unauthorized disclosure of or unauthorized access to Client Data.
7.2) In the event of any breach of the protection of Client Data, the Contractor is obliged to immediately take all necessary and reasonable measures to remedy the breach of the protection of the Client Data and, if necessary, to mitigate its possible adverse effects.
7.3) If the Client is obliged vis-à-vis a government agency or a person to provide information about the processing of Client Data or to cooperate with these agencies in any other way, the Contractor shall be obliged to support the Client in providing such information or fulfilling other obligations to cooperate.
7.4) The Contractor shall support the Client in complying with the obligations set out in Art. 32 GDPR, taking into account the information available to it.
7.5) In the event that the Client is obliged to inform the supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, the Contractor shall support the Client in complying with these obligations at the Client's request. In particular, the Contractor shall be obliged to document all potential breaches of the protection of Client Data, including all related facts, in such a way that the Client can prove compliance with any relevant statutory reporting obligations.
7.6) The Contractor shall support the Client to the extent reasonable in any data protection impact assessments to be carried out by it and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 GDPR.
8) Deletion and return of data
8.1) At the Client's instruction, the Contractor shall either delete all Client Data completely or return it to the Client upon termination of the main contract and delete any existing copies, unless the Contractor is obliged to continue storing the Client Data under the law of the European Union or a member state.
8.2) However, the Contractor shall be entitled to retain backup copies of the Client Data for a period of three (3) months, insofar as deletion of the Client Data from these backup copies is technically impossible or not possible in compliance with Art. 32 GDPR. For this period, the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Section 2.3.
8.3) Documentation that serves as proof of the proper processing of the Client Data in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the statutory retention periods.
9) Evidence and checks
9.1) The Contractor must ensure and regularly check that the processing of the Client Data is in accordance with this DPA, including the scope of the processing of the Client Data specified in Annex 1 and the instructions of the Client.
9.2) The Contractor shall document the implementation of the obligations under this DPA in a suitable manner and provide the Client with all necessary evidence of compliance with the Contractor's obligations under the GDPR and this DPA at the Client's request.
9.3) The Client shall be entitled, itself or through a qualified auditor who is bound to confidentiality, to inspect the Contractor before the start of the processing of Client Data and regularly during the term of the main contract with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organizational measures in accordance with Annex 2, or alternatively to obtain information from the Contractor and to have existing expert certificates, certifications or internal audit reports presented. The Contractor shall enable such inspections and shall contribute to them by taking all appropriate and reasonable measures, including by granting the necessary access rights and providing all necessary information.
9.4) The audits and inspections shall, as far as possible, not hinder the Contractor in its normal business operations and shall not place an undue burden on it. In particular, inspections at the Contractor's premises should not take place more than once per calendar year without a specific reason and only during the Contractor's normal business hours. The Client shall notify the Contractor of inspections in good time in advance in writing or text form.
10) Final provisions
10.1) In the event of contradictions between this DPA and the main contract that are relevant under data protection law, the provisions of this DPA shall take precedence. Otherwise, the provisions of the main contract shall apply accordingly.
10.2) This agreement does not establish any obligations of the parties towards third parties (in particular towards the data subjects) that go beyond the GDPR.
Annex 1 - Processing procedures
Purpose of data processing: Provision of the SaaS service in accordance with the provisions of the main contract
Type and scope of data processing: Processing of account and usage data as part of the provision of the SaaS service, including hosting/storage
Group of data subjects:
Customer (if natural person)
Supplier (if natural person)
Representatives and employees of the customer
Representatives and employees of the supplier
Type of data - customer / supplier:
Master data
Account and usage data
Bank details and payment data
Order data and documentation
Budget planning and data
Billing between customers and suppliers
Representatives and employees:
Master data
Account and usage data
Annex 2 - Technical and organizational measures
Organizational control:
Existence of internal data processing guidelines and procedures, instructions, work instructions, process descriptions and regulations (e.g. for programming, checking and approving processes relating to the processing of personal data)
Separation of tasks/functions between the IT department and other departments
Clear demarcation between the areas of responsibility in relation to the processing of data as controller and as processor
Instructions for employees on the processing of personal data
Definition of access authorizations for employees and third parties including the respective documentation
Special security areas with their own access control ("closed shop" areas)
With regard to activities as a processor: Written obligation of employees to maintain data secrecy or legal obligation of employees to maintain secrecy in accordance with Art. 28 para. 3 lit. b GDPR
With regard to activity as a processor: The processing of personal data only takes place on the documented instructions of the controller, including the transfer of personal data to a third country or to an international organization
With regard to activity as a processor: Upon request, the controller can be provided with all information necessary to demonstrate compliance with the DPA, even at short notice (within a maximum of 48 hours)
Access control:
Only technically competent employees have access to the data processing systems
Regulations for third parties (visitors, customers, cleaning staff, tradesmen, etc.)
Ensuring that all entrances to the data processing systems (rooms, premises, computer hardware and associated equipment) are lockable
Physically securing all areas in which data media are located
Key management rules (issuing of keys, etc.)
Access to data and user control:
Processes for checking and releasing programs
Granting access authorizations only to certain persons
User passwords for data and programs
Username and passwords (guidelines including password length and change)
Automatic lockout of the user ID after several incorrect password entries
Protection of internal networks against unauthorized access (e.g. through firewalls)
Automatic logout of user IDs that have not been used for a long period of time
Automatic screen lock after a certain period of time
Username and passwords on all devices
Transfer control:
Use of document shredders or service providers (if possible with a data protection seal of approval)
Restriction of the use of external storage media (in particular USB sticks, external hard disks, SD cards, CD and DVD burners) by technical means (e.g. software to control interfaces or complete deactivation of interfaces)
Electronic signature
Input control:
Electronic recording of data processing, in particular the entry, modification and deletion of data (audit trails)
Assignment of rights to enter, change and delete data on the basis of an authorization concept
Availability control:
Central procurement of hardware and software
Updating the software used (e.g. through updates, corrections, bug fixes, etc.)
Formal approval procedures for hardware, software and IT processes
Server rooms are not located under sanitary facilities
Resilience of the IT system, even with (very) high utilization
Data mirroring
Separability:
Separation of productive and test system
Definition of database rights
Logical client separation (on the software side)
Evaluation:
There is a procedure for regularly reviewing, evaluating and assessing the effectiveness of the above technical and organizational measures to ensure the security of processing. Frequency of the reviews: every six months.
Annex 3 - Other subcontractors
Amazon Web Services EMEA SARL (AWS - Amazon Web Services)
Oskar-von-Miller-Ring 20, 80333 Munich, Germany
Data location: Frankfurt am Main (https://aws.amazon.com/de/about-aws/global-infrastructure/)
Purpose: Data backup and hosting
Twilio SendGrid, 375 Beale Street, 3rd Floor, San Francisco, CA 94105
Type of data: E-mail address of the supplier for the order. The data is hosted here in the USA. However, Twilio is certified in accordance with the EU/US Data Privacy Framework. Data processing in the USA is therefore carried out in accordance with Art. 45 para. 1 GDPR on the basis of the adequacy decision of the European Commission. Hivebuy also offers the option of deactivating the sending of orders to suppliers by e-mail and thus dispensing with the use of Twilio.
Status: 04.03.2024