Order processing agreement
1) Scope of application
When providing the services in accordance with the order form and Software-as-a-Service agreement concluded between the parties (hereinafter collectively referred to as the “Main Agreement”), Hivebuy (hereinafter referred to as the “Contractor”) processes personal data that the customer (hereinafter referred to as the “Client”) has provided for the provision of the services and for which the Client acts as the controller within the meaning of data protection law (“Client Data”).
This Data Processing Agreement (“DPA”) specifies the data protection obligations and rights of the parties in connection with the processing of the Client Data processed by the Contractor for the Client under the Main Agreement.
2) Subject matter and scope of the assignment / Client's authority to issue instructions
2.1) The contractor shall process the client's data exclusively on behalf of and in accordance with the client's instructions, unless the contractor is legally obliged to do so under European Union or member state law. In such a case, the contractor shall notify the client of these legal requirements prior to processing, unless the law in question prohibits such notification on grounds of an important public interest. These instructions must be in writing or text form. The client shall confirm verbal instructions in writing or by email. All instructions shall be documented by the parties.
2.2) Unless otherwise agreed in the main contract, the processing of client data by the contractor shall be carried out exclusively in the manner, scope, and for the purpose specified in Appendix 1 to these GTC; the processing shall relate exclusively to the types of personal data and categories of data subjects specified therein. If these processing procedures change due to a change in the Contractor's contractual performance, the Contractor shall inform the Client of this in advance.
2.3) This contract for order processing shall come into force at the start of the main contract. The term and notice periods shall correspond to those of the main contract. In case of doubt, termination of the main contract shall also be deemed termination of this contract.
2.4) The contractually agreed data processing shall be carried out exclusively in a member state of the European Union. Any transfer to a third country requires the prior consent of the customer and may only take place if the specific requirements of Articles 44 et seq. GDPR are met.
The provisions on the use of additional processors in Section 5 of this DPA remain unaffected.
2.5) If the contractor believes that an instruction from the client violates legal regulations, it shall inform the client of this immediately in writing or text form. The contractor is entitled to suspend the execution of such an instruction until the client confirms it in writing or text form.
3) Requirements for personnel
3.1) The contractor shall require all persons who process client data to maintain confidentiality, unless they are subject to appropriate legal confidentiality requirements.
4) Security of processing
4.1) The contractor shall take all appropriate technical and organizational measures that are necessary, taking into account the state of the art, the costs of implementation, and, as far as the contractor is aware, the nature, scope, circumstances, and purposes of the processing of the Client's data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection for the Client's data that is appropriate to the risk.
4.2) Before commencing processing of the Client's data, the Contractor shall, in particular, take the technical and organizational measures specified in Appendix 2 to these GTC and maintain them for the duration of the main contract, as well as ensure that the processing of the Client's data is carried out in accordance with these measures.
4.3) As the technical and organizational measures are subject to technical progress, the contractor is entitled and obliged to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Appendix 2. If the contractor makes significant changes to the measures specified in Appendix 2, it shall inform the client of this in advance.
5) Use of other subcontractors
5.1) The contractor shall use the additional processors listed in Appendix 3 to process the client's data. These shall be deemed approved upon conclusion of the DPA.
5.2) The contractor may use additional processors to process client data under the following conditions: The contractor shall inform the client in writing or in text form at least fifteen (15) working days before using the additional processor. If the client does not object within five (5) working days, the use shall be deemed approved.
5.3) If the client objects to the use of an additional processor, the contractor shall be entitled, at its discretion, to continue to provide the services without the relevant processor or to terminate the main contract and this DPA at the time of the planned use of the processor.
5.4) The contractor shall impose on any additional processor the same obligations to which the contractor itself is subject towards the client under this agreement.
5.5) The contractor is obliged to select and use only those additional processors who offer sufficient guarantees that the appropriate technical and organizational measures will be implemented in such a way that the processing of the client's data is carried out in accordance with the requirements of the GDPR and this DPA.
6) Rights of the data subjects
6.1) The contractor shall take all reasonable technical and organizational measures to support the client in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
6.2) In particular, the contractor shall:
inform the client immediately if a data subject contacts the contractor directly with a request to exercise their rights in relation to client data;
immediately provide the client with all information it has about the processing of client data that the client needs to respond to a data subject's request and that the client does not have itself;
immediately correct, delete, or restrict the processing of client data on the instructions of the client;
ensure that the client can and does receive the client data processed within the contractor's area of responsibility in a structured, commonly used, and machine-readable format, insofar as the data subject has a right to data portability with regard to the client data vis-à-vis the client.
7) Other support obligations of the Contractor
7.1) The contractor shall notify the client immediately after becoming aware of any breach of the protection of client data, in particular incidents leading to the destruction, loss, alteration, or unauthorized disclosure of or unauthorized access to client data.
7.2) In the event of any breach of the protection of the Client's data, the Contractor shall be obliged to take all necessary and reasonable measures without delay to remedy the breach of the protection of the Client's data and, where appropriate, to mitigate its possible adverse effects.
7.3) If the client is obliged to provide information about the processing of client data to a government agency or a person, or to cooperate with these agencies in any other way, the contractor is obliged to support the client in providing such information or fulfilling other obligations to cooperate.
7.4) The contractor shall support the client in complying with the obligations set out in Art. 32 GDPR, taking into account the information available to it.
7.5) In the event that the Client is obliged to inform the supervisory authorities and/or data subjects in accordance with Articles 33 and 34 of the GDPR, the Contractor shall assist the Client at its request in complying with these obligations. In particular, the contractor is obliged to document all potential breaches of the protection of client data, including all related facts, in a manner that enables the client to prove compliance with any relevant legal reporting obligations.
7.6) The contractor shall support the client within reasonable limits in any data protection impact assessments to be carried out by it and, where applicable, in any subsequent consultations with the supervisory authorities in accordance with Articles 35 and 36 of the GDPR.
8) Deletion and return of data
8.1) Upon termination of the main contract, the contractor shall, at the client's request, either delete all client data completely or return it to the client and delete any existing copies, unless the contractor is obliged to continue storing the client data under European Union or member state law.
8.2) However, the contractor shall be entitled to retain backup copies of the client's data for a period of three (3) months if it is technically impossible or impossible under Article 32 GDPR to delete the client's data from these backup copies. The rights and obligations of the parties under this GTC in relation to the backup copies shall continue to apply for this period.
8.3) Documentation serving as evidence of the proper and orderly processing of the client's data shall be retained by the contractor beyond the end of the contract in accordance with the statutory retention periods.
9) Evidence and checks
9.1) The contractor must ensure and regularly check that the processing of the client's data complies with these GTC, including the scope of processing of the client's data specified in Appendix 1 and the client's instructions.
9.2) The Client is entitled to check the Contractor's compliance with the provisions of this GTC, in particular the implementation of the technical and organizational measures specified in Appendix 2, either itself or through a qualified auditor bound to secrecy, before the start of the processing of Client data and regularly during the term of the main contract; this includes inspections. The contractor shall facilitate such checks and contribute to them by taking all appropriate and reasonable measures, including granting the necessary access rights and providing all necessary information.
9.3) The checks and inspections shall, as far as possible, not hinder the Contractor in its normal business operations and shall not place an undue burden on it. In particular, inspections at the Contractor's premises shall not take place more than once per calendar year without specific cause and shall only take place during the Contractor's normal business hours. The Client shall notify the Contractor of inspections in writing or text form in good time in advance.
10) Final provisions
10.1) In the event of any conflicts between this GTC and the main contract that are relevant to data protection law, the provisions of this GTC shall take precedence. In all other respects, the provisions of the main contract shall apply accordingly.
10.2) This agreement does not establish any obligations of the parties towards third parties (in particular towards the data subjects) that go beyond the GDPR.
Appendix 1 - Processing procedures
Purpose of data processing: Provision of SaaS services in accordance with the provisions of the main contract
Type and scope of data processing: Processing of account and usage data in connection with the provision of SaaS services, hosting/storage, processing in connection with the provision of SaaS services
Group of data subjects:
Customer (if a natural person)
Supplier (if a natural person)
Representatives and employees of the customer
Representatives and employees of the supplier
Type of data - customer/supplier:
Master data
Account and usage data
Bank details and payment data
Order data and documentation
Budget planning and data
Settlements between customers and suppliers
Representatives and employees:
Master data
Account and usage data
Appendix 2 - Technical and organizational measures
Organizational control:
Internal data processing guidelines and procedures, instructions, work instructions, process descriptions, and regulations (e.g., for programming, testing, and approving processes related to the processing of personal data)
Separation of tasks/functions between the IT department and other departments
Clear distinction between areas of responsibility with regard to data processing as a controller and as a processor
Instructions for employees on the processing of personal data
Definition of access rights for employees and third parties, including the relevant documentation
Special security areas with their own access control (“closed shops”)
With regard to activities as a processor: Written obligation of employees to maintain data secrecy or legal obligation of employees to maintain confidentiality in accordance with Art. 28 (3) (b) GDPR
With regard to activities as a processor: Personal data shall only be processed on documented instructions from the controller, including the transfer of personal data to a third country or to an international organization
With regard to activities as a processor: Upon request, the controller may be provided with all information necessary to demonstrate compliance with this DPA, even at short notice (within a maximum of 48 hours)
Access control:
Only technically competent employees have access to the data processing systems
Regulations for third parties (visitors, customers, cleaning staff, tradespeople, etc.)
Ensuring that all entrances to data processing facilities (rooms, apartments, computer hardware, and associated equipment) are lockable.
Physical security of all areas where data carriers are located.
Key policy (key issuance, etc.).
Access to data and user control
Processes for reviewing and approving programs.
Granting access authorizations only to specific persons
User passwords for data and programs
User names and passwords (guidelines including password length and changes)
Automatic lockout of the user ID after several incorrect password entries
Protection of internal networks against unauthorized access (e.g., through firewalls)
Automatic logout of user IDs that have not been used for a long period of time
Automatic screen lock after a certain period of time
User names and passwords on all devices
Transfer control:
Use of document shredders or service providers (with data protection certification where possible)
Restriction of the use of external storage media (in particular USB sticks, external hard drives, SD cards, CD and DVD burners) by technical means (e.g., software for controlling interfaces or complete deactivation of interfaces)
Electronic signature
Input control:
Electronic recording of data processing, in particular the input, modification, and deletion of data (audit logs)
Assignment of rights to input, modify, and delete data based on an authorization concept
Availability control:
Central procurement of hardware and software
Updating of the software used (e.g., through updates, corrections, bug fixes, etc.)
Formal approval procedures for hardware, software, and IT procedures
Server rooms are not located under sanitary facilities
Resilience of the IT system, even under (very) high load
Data mirroring
Separability:
Separation of production and test systems
Definition of database rights
Logical client separation (on the software side)
Evaluation:
There is a procedure in place for regularly reviewing, evaluating, and assessing the effectiveness of the above-mentioned technical and organizational measures to ensure the security of processing. Frequency of the reviews: every six months.
Appendix 3 - Other subcontractors
| Subcontractor | Purpose of processing | Data categories | Location of processing |
|---|---|---|---|
| FusionAuth | Authentication and user management | Login data, email addresses, role information | EU |
| HubSpot | Customer communication & support (CRM) | Name, email address, communication content | EU |
| Sentry | Error analysis & performance monitoring | Metadata on user interactions (e.g., browser, page visits), anonymized IDs | EU (EU cluster) |
| Workato | Automation of workflows (e.g., ERP integration) | Transactional data, possibly personal metadata | EU/USA (depends on target system) |
| AWS (Amazon Web Services) | Provision of cloud services and hosting of systems | All personal data stored or processed | EU |
| Twilio SendGrid | Provider of marketing and mailing services | Email address, email content (e.g., order confirmations) | EU |
As of: 08.08.2025