91㽶Ƶ


Data Processing

Privacy Policy for third-party integrations

This Privacy Policy describes how 91㽶Ƶ handles private data with regard to third-party add-on integrations.

Google Calendar

When you configure your 91㽶Ƶ workspace to use the 91㽶Ƶ Google Calendar™ integration, 91㽶Ƶ will be able to access data in your calendar.

91㽶Ƶ reads all calendar events that contain 91㽶Ƶ meeting links. For those events, 91㽶Ƶ extracts the name, eventId, start time and end time to display the Meeting inside the 91㽶Ƶ application, which requires 91㽶Ƶ to save the name, eventId, start time and end time in the 91㽶Ƶ database. The event name will be visible to all 91㽶Ƶ users. The Meeting itself is locked and only the creator is able to invite other 91㽶Ƶ users.

User-generated event data is needed to read the eventId properly.
For creating events from the 91㽶Ƶ side (when your workspace has the feature enabled to sync new temporary Channels as Meetings into calendars), 91㽶Ƶ needs the ability to write events into every user's calendar, in particular for inviting guests to future events.

External requests from our Google Calendar™ integration need to be sent to our server for:

Script App triggers are used to sync events to 91㽶Ƶ, especially in cases of:

91㽶Ƶ won't save meeting data forever. When a meeting is over, it will be deleted from the 91㽶Ƶ database within the following 24 hours, since it's not needed anymore.

Last Updated: 16.08.2022

Data Processing Agreement - 91㽶Ƶ

1) Subject of the Agreement
In the course of the fulfillment of the contract between 91㽶Ƶ, Am Talenberg 14, 44227 Dortmund (the "Processor") and the customer (the "Customer", together with the Processor the "Parties") regarding the provision of the Processor's software to the Customer (the "Contract"), it is possible that the Processor deals with personal data pursuant to Art. 4 no. 1 General Data Protection Regulation ("GDPR"), i.e. any information relating to an identified or identifiable natural person (e.g. names, addresses or phone numbers of persons who are the Customer's customers), with regard to which the Customer acts as a controller pursuant to data protection law (the "Customer Data"). This agreement (the "Agreement") specifies the data protection obligations and rights of the Parties in connection with the Processor's use of Customer Data to render the services under the Contract.

2) Scope of the Processing

a) The Processor shall process the Customer Data on behalf and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR. The Customer remains the controller pursuant to Art. 28 GDPR.

b) The processing of Customer Data by the Processor occurs in the manner and the scope and for the purpose determined in Annex 2.2 to this Agreement; the processing relates to the types of personal data and categories of data subjects specified therein. The duration of processing corresponds to the term of the Contract.

c) The Processor reserves the right to anonymize or aggregate the Customer Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of needs-based designing, machine-learning, developing and optimizing as well as rendering of the services agreed as per the Contract. The Parties agree that anonymized and according to the above requirement aggregated Customer Data are not considered Customer Data for the purposes of this Agreement.

d) The Processor may process and use the Customer Data for the Processor's own purposes as controller to the extent legally permitted by data protection law. This Agreement does not apply to such data processing.

e) The processing of Customer Data by the Processor shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Processor is nevertheless permitted to process Customer Data in accordance with the provisions of this Agreement outside the EEA if the Processor informs the Customer in advance (e.g. in the privacy policy) about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.

3) Right of the Customer to Issue Instructions

a) The Processor processes the Customer Data in accordance with the instructions of the Customer, unless the Processor is legally required to do otherwise. In the latter case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

b) The instructions of the Customer are in principle conclusively stipulated and documented in the provisions of this Agreement. Individual instructions which deviate from the stipulations of this Agreement or which impose additional requirements shall require the Processor's consent.

c) The Processor shall ensure that the Customer Data is processed in accordance with the instructions given by the Customer. If the Processor is of the opinion that an instruction given by the Customer infringes this Agreement or applicable data protection law, the Processor is, after correspondingly informing the Customer, entitled to suspend the execution of the instruction until the Customer confirms the instruction. The Parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Customer.

4) Legal Responsibility of the Customer

a) The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Customer Data in accordance with this Agreement, the Customer shall indemnify the Processor from all such claims upon first request.

b) The Customer is responsible for providing the Processor with the Customer Data in time for the rendering of services according to the Contract, and the Customer is responsible for the quality of the Customer Data. The Customer shall inform the Processor immediately and completely if, during the examination of the Processor's results, the Customer finds errors or irregularities with regard to data protection provisions or instructions of the Customer.

c) Upon request, the Customer shall provide the Processor with the information specified in Art. 30 para. 2 GDPR, insofar as it is not already available to the Processor.

d) If the Processor is required to provide information to a governmental body or person on the processing of Customer Data or to cooperate with these bodies in any other way, the Customer is obliged to assist the Processor at first request in providing such information and in fulfilling other appropriate cooperation obligations.

5) Requirements for Personnel and Systems
The Processor shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.

6) Security of Processing

a) The Processor takes the necessary appropriate technical and organizational measures according to Art. 32 GDPR, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the Customer Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Customer Data appropriate to the risk. The implemented technical and organizational measures include the measures as listed in Annex 6.1.

b) The Processor shall have the right to modify technical and organizational measures during the term of this Agreement, as long as they continue to comply with the statutory requirements.

7) Engagement of Further Processors

a) The Customer grants the Processor the general authorization to engage further processors with regard to the processing of Customer Data. Further processors engaged at the time of conclusion of this Agreement are listed in Annex 7.2. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Customer Data cannot be excluded, as long as the Processor takes reasonable steps to protect the confidentiality of the Customer Data. In order to receive notifications with respect to adding or replacing existing subprocessors, the Customer may subscribe to a mailing list using the following link: . Subprocessor notifications will occur no later than 14 days prior to any changes, in order to allow the Customer to object. An objection may only be raised by the Customer for important reasons which have to be substantiated vis-à-vis the Processor. Insofar as the Customer does not object within 14 days after receipt of the notification, the Customer's right to object to the corresponding engagement lapses. If the Customer objects, the Processor is entitled to terminate the Contract and this Agreement with a notice period of three months until the end of a month.

b) The agreement between the Processor and the further processor must impose the same obligations on the further processor as those incumbent upon the Processor under this Agreement. The Parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this Agreement.

c) Subject to compliance with the requirements of Sec. 2.5 of this Agreement, the provisions of this Sec. 7 shall also apply if a further processor in a third country is involved. The Customer hereby authorizes the Processor to conclude an agreement with another processor on behalf of the Customer based on the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to the decision of the European Commission of 5 February 2010. The Customer declares its willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.

8) Data Subjects' Rights

a) The Processor shall support the Customer within reason by virtue of technical and organizational measures in fulfilling the Customer's obligation to respond to requests for exercising data subjects' rights.

b) As far as a data subject submits a request for the exercise of its rights directly to the Processor, the Processor will forward this request to the Customer in a timely manner.

c) The Processor shall inform the Customer of any information relating to the stored Customer Data, about the recipients of Customer Data to which the Processor may disclose it in accordance with the instructions and about the purpose of storage, as far as the Customer does not have this information at its disposal and as far as the Customer is not able to collect it itself.

d) The Processor shall, within the bounds of what is reasonable and necessary, enable the Customer to correct, delete or restrict the further processing of Customer Data, or at the instruction of the Customer correct, block or restrict further processing itself, if and to the extent that this is impossible for the Customer. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

e) Insofar as the data subject has a right of data portability vis-à-vis the Customer in respect of the Customer Data pursuant to Art. 20 GDPR, the Processor shall support the Customer within the bounds of what is reasonable and necessary in handing over the Customer Data in a structured, commonly used and machine-readable format, if the Customer is unable to obtain the data elsewhere. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

9) Notification and Support Obligations of the Processor

a) Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security regarding the Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Customer in a timely manner of any reportable events in the Processor's area of responsibility. The Processor shall assist the Customer in fulfilling the notification obligations at the Customer's request to the extent reasonable and necessary. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

b) The Processor shall assist the Customer to the extent reasonable and necessary with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

10) Deletion and Return of Customer Data

a) Upon termination of this Agreement, the Processor shall, at the discretion of the Customer,
i. either delete or return the Customer Data; and
ii. delete existing copies thereof unless the Processor is obligated by law to further store the Customer Data.

iii. The Processor may keep documentation which serves as evidence of the orderly and accurate processing of Customer Data, also after the termination of this Agreement.

11) Evidence and Audits

a) The Processor shall provide the Customer, at the Customer's request, with all information required and available to the Processor to prove compliance with its obligations under this Agreement.

b) The Customer shall be entitled to audit (including inspections) the Processor with regard to compliance with the provisions of this Agreement, in particular the implementation of the technical and organisational measures.

c) In order to carry out inspections in accordance with Sec. 11.2, the Customer is entitled to access the business premises of the Processor in which Customer Data is processed within the usual business hours (Mondays to Fridays from 10 am to 6 pm, German time zone CET+1) after timely advance notification in accordance with Sec. 11.5, at its own expense, without disruption of the course of business and under strict secrecy of the Processor's business and trade secrets.

d) The Processor is entitled, at its own discretion and taking into account the Customer's legal obligations, not to disclose information which is sensitive with regard to the Processor's business or if the Processor would be in breach of statutory or other contractual provisions as a result of its disclosure. The Customer is not entitled to get access to data or information about the Processor's other customers, cost information, quality control and contract management reports, or any other confidential data of the Processor that is not directly relevant for the agreed audit purposes.

e) The Customer shall inform the Processor in good time (usually at least two weeks in advance) of all circumstances in relation to the performance of the audit. The Customer may carry out not more than one audit per calendar year.

f) If the Customer commissions a third party to carry out the audit, the Customer shall obligate the third party in writing in the same way as the Customer is obliged vis-à-vis the Processor according to this Sec. 11. In addition, the Customer shall by way of written agreement obligate the third party to maintain secrecy and confidentiality unless the third party is subject to a professional obligation of secrecy. At the request of the Processor, the Customer shall immediately submit to the Processor the commitment and confidentiality agreements with the third party. The Customer may not commission any of the Processor's competitors to carry out the audit.

g) At the discretion of the Processor, proof of compliance with the obligations under this Agreement may be provided, instead of an inspection, by submitting an appropriate current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit (the "Audit Report"), if the Audit Report makes it possible for the Customer in an appropriate manner to convince itself of the Processor's compliance with the contractual obligations contained in this Agreement.

12) Contract Term and Termination
The term and termination of this Agreement shall be governed by the term and termination provisions of the Contract. A termination of the Contract automatically results in a cancellation of this Agreement. An isolated termination of this Agreement is excluded.

13) Liability

a) The Processor's liability under this Agreement shall be governed by the disclaimers and limitations of liability provided for in the Contract. As far as third parties assert claims against the Processor which are caused by the Customer's culpable breach of this Agreement or one of the Customer's obligations as the controller in terms of data protection law, the Customer shall upon first request indemnify and hold the Processor harmless from these claims.

b) The Customer undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Customer's part of responsibility for the infringement sanctioned by the fine.

14) Final Provisions

a) In case individual provisions of this Agreement are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and which thereby satisfies the requirements of Art. 28 GDPR.

b) In case of conflicts between this Agreement and other arrangements of the Parties, in particular the Contract, the provisions of this Agreement shall prevail.

Annex 2.2

Further Information on the Processing of Customer Data

1. Purpose and extent of Data Processing
Provision of the 91㽶Ƶ software as a web application, desktop application, or mobile application, which functions as a platform for communication; the collection, storage, analysis and reporting to the Customer of data and metrics of user engagement; fulfillment of the Processor's obligations under the Contract.

2. Types of personal data
Contact data; usage data; any data filled in by the Customer in the Software; employee data; customer data; supplier data; user-generated data; user data; profile data; usernames; passwords; email addresses; log files; data relating to user interaction.

3. Categories of data subjects
Users of the 91㽶Ƶ software; possibly other data subjects mentioned or included in data filled in by the Customer in the Software.

Annex 6.1

Technical and Organizational Measures according to Art. 32 GDPR

Controllers and processors of personal data must take technical and organizational measures (TOM) to ensure that the security and protection requirements of data protection law are met. Technical measures are to be understood as all protective measures that are physically implementable in the broadest sense, such as securing doors and windows, or measures implemented in software and hardware, such as setting up user accounts with a password requirement. Organizational measures are to be understood as protective measures that are implemented through instructions, rules and procedures.

The original table has the columns No., Category of Measures, Description of Category, Technical Measures and Organizational Measures; each entry below gives the category, its description and the measures listed for it.

1. Encryption (Art. 32 (1) a) GDPR)
Description: Cryptographic measures to ensure that information is encrypted when transferred internally or externally and can only be made readable again by using the correct key.
Measures:
- Encryption of the company website ("data in motion")
- Encryption of data carriers on laptops/notebooks and mobile data carriers ("data at rest")

2. Confidentiality – physical access control (Art. 32 (1) b) GDPR)
Description: Measures to prevent unauthorized persons from gaining access to data processing systems with which personal data is processed or used.
Measures:
- Security of the buildings, windows and doors with an alarm system
- Digital key management system
- Automated access control system and manual locking system with safety locks
- Light barriers/motion detectors
- Video surveillance of entrances

3. Confidentiality – data access control (Art. 32 (1) b) GDPR)
Description: Measures to prevent data processing systems from being used without authorisation.
Measures:
- Authentication with username/password and/or biometric methods
- Allocation of user rights, definition of user profiles, assignment of passwords, and assignment of user profiles to IT systems
- Use of intrusion detection systems
- Immediate blocking of authorizations when employees leave the company
- Locked housings / security locks
- Password-protected screensavers and automated screen locking in case of inactivity, and two-factor user authentication
- Implementation of virtual networks for the separation of data streams

4. Confidentiality – data usage control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, altered or removed without authorisation in the course of processing or use and after storage.
Measures:
- Use of document shredders or appropriate service providers and physical deletion of data media before reuse
- Development of an authorization concept (differentiated authorisations for reading, editing or deleting data) and password procedures (incl. special characters, minimum length, change of password)
- Assignment of rights by the system administrator

5. Confidentiality – transmission control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that personal data cannot be read, copied, altered or removed during electronic transmission or transport or storage onto data carriers, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.
Measures:
- Documentation of all interfaces
- Documentation of recipients of data and the time periods of planned handover or agreed erasure time limits

6. Confidentiality – separation control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that data collected for different purposes can be processed separately.
Measures:
- Segregation of functions (production/testing)
- Development of an authorization concept
- Separated databases and separate tables within a database
- Logical client separation

7. Integrity – input control (Art. 32 (1) b) GDPR)
Description: Full documentation of data management and maintenance must be maintained to ensure the ongoing integrity of data. Measures for subsequently checking whether data has been entered, changed or removed (deleted), and by whom.
Measures:
- No local admin privileges
- Assignment of authorisations for input
- Alteration and erasure of data on the basis of an authorisation concept

8. Availability – availability control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that personal data is protected from accidental destruction or loss.
Measures:
- Air conditioning in server rooms
- Alarm on unauthorized entry into the server room
- Fire extinguishers in server rooms, installation of fire and smoke detection systems, uninterruptible power supply (UPS)
- Remote data backup in secure outsourced locations
- Monitoring of temperature and humidity, and power outlet strips with surge protection in server rooms
- Development of an emergency plan and a disaster recovery plan; in flood areas, server rooms above the waterline
- Server room not located under sanitary facilities

9. Availability – job control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that, in the case of commissioned processing of personal data, the data is processed only in accordance with the instructions of the Controller.
Measures:
- Selection of the Processor giving consideration to diligence aspects (in particular with respect to data security)
- Contractual penalties for breaches
- Written instructions to the Processor (e.g. Data Processing Agreement) as defined in Art. 28 (2) GDPR
- Processor has appointed a Data Protection Officer
- Effective rights of control agreed with the Processor
- Putting the Processor's employees under an obligation of data confidentiality (Art. 28 (3) b) GDPR)
- Assurance of deletion of the data at the end of the provision of services; continuous control of the Processor and its activities
- Use of subcontractors requires the Controller's consent and prior verification and documentation of the security measures taken by the Processor

10. Resilience (Art. 32 (1) b) GDPR)
Description: Measures to ensure the resilience of the systems and services, guaranteeing that the systems and services are designed in such a way that even high peak loads and high continuous processing loads can be handled.
Measures:
- Testing of storage, access and line capacities

11. Restoration of availability (Art. 32 (1) c) GDPR)
Description: Measures to ensure that availability of and access to the data can be restored in a timely manner in the event of a physical or technical incident.
Measures:
- Redundant design of the infrastructure (of hard disks, e.g. RAID)
- Backup concept
- Cloud service
- Testing of data restoration

12. Data protection management (Art. 32 (1) d) GDPR)
Description: Measures to ensure a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
Measures:
- Reviews by the Data Protection Officer (DSB) and the IT audit function

Annex 7.1

Further Processors

The original table has the columns No., Name of the further processor, Processing site and Description of processing via this further processor; each entry below gives these in that order.

1. Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA
Processing site: Germany, EU
Processing: Secure cloud service platform for database storage

3. Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany
Processing site: Germany, EU
Processing: Email service platform

4. Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA, USA
Processing site: Ireland, EU
Processing: Web analytics service

5. Intercom, Inc., a Delaware corporation with offices at 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA
Processing site: Ireland, EU
Processing: Ticket & chat system for websites

Last Updated: 16.08.2022

Data Processing Agreement - 91㽶Ƶ

1)Subject of the Agreement
In the course of the fulfillment of the contract between 91㽶Ƶ, Am Talenberg 14, 44227 Dortmund (the "Processor") and the customer (the "Customer", together with the Processor the "Parties") regarding the provision of the Processor's software to the Customer (the "Contract"), it is possible that the Processor deals with personal data pursuant to Art. 4 no. 1 General Data Protection Regulation ("GDPR"), i.e. any information relating to an identified or identifiable natural person (e.g. names, addresses or phone numbers of persons who are the Customer's customers), with regard to which the Customer acts as a controller pursuant to data protection law (the "CustomerData‟). This agreement (the "Agreement") specifies the data protection obligations and rights of the Parties in connection with the Processor's use of Customer Data to render the services under the Contract.

2) Scope of the Processing

a)  The Processor shall process the Customer Data on behalf and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR. The Customer remains the controller pursuant to Art. 28 GDPR.

b)The processing of CustomerData by the Processor occurs in the manner and the scope and for the purposedetermined in Annex 2.2 to this Agreement; the processing relates tothe types of personal data and categories of data subjects specified therein.The duration of processing corresponds to the term of the Contract.

c) The Processor reserves the right to anonymize or aggregate the Customer Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of needs-based designing, machine-learning, developing and optimizing as well as rendering of the services agreed as per the Contract. The Parties agree that anonymized and according to the above requirement aggregated Customer Data are not considered Customer Data for the purposes of this Agreement.

d) The Processor may process and use the Customer Data for the Processor´s own purposes as controller to the extent legally permitted by data protection law. This Agreement does not apply to such data processing.

e) The processing of Customer Data by the Processor shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Processor is nevertheless permitted to process Customer Data in accordance with the provisions of this Agreement outside the EEA if the Processor informs the Customer in advance (e.g. in the privacy policy) about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.

3) Right of the Customer to Issue Instructions

a) The Processor processes the Customer Data in accordance with the instructions of the Customer, unless the Processor is legally required to do otherwise. In the latter case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

b) The instructions of the Customer are in principle conclusively stipulated and documented in the provisions of this Agreement. Individual instructions which deviate from the stipulations of this Agreement or which impose additional requirements shall require the Processor's consent.

c) The Processor shall ensure that the Customer Data is processed in accordance with the instructions given by the Customer. If the Processor is of the opinion that an instruction givenby the Customer infringes this Agreement or applicable data protection law, the Processor is after correspondingly informing the Customer entitled to suspend the execution of the instruction until the Customer confirms the instruction. The Parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Customer.

4)Legal Responsibility of theCustomer

a) The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Customer Data in accordance with this Agreement, the Customer shall indemnify the Processor from all such claims upon first request.

b) The Customer is responsibleto provide the Processor with the Customer Data in time for the rendering of services according to the Contract and the Customer is responsible for the quality of the Customer Data. The Customer shall inform the Processor immediately and completely if during the examination of the Processor's results the Customer finds errors or irregularities with regard to data protection provisions or instructions of the Customer.

c) Upon request, the Customer shall provide the Processor with the information specified in Art. 30 para. 2GDPR, insofar as it is not already available to the Processor.

d) If the Processor is required to provide information to a governmental body or person on the processing of Customer Data or to cooperate with these bodies in any other way, the Customer is obliged to assist the Processor at first request in providing such information and in fulfilling other appropriate cooperation obligations.

5)Requirements for Personneland Systems
The Processor shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.

6) Security of Processing

a) The Processor takes the necessary and appropriate technical and organizational measures according to Art. 32 GDPR, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing of Customer Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Customer Data appropriate to the risk. The implemented technical and organizational measures include the measures listed in Annex 6.1.

b) The Processor shall have the right to modify technical and organizational measures during the term of this Agreement, as long as they continue to comply with the statutory requirements.

7) Engagement of Further Processors

a) The Customer grants the Processor general authorization to engage further processors with regard to the processing of Customer Data. The further processors engaged at the time of conclusion of this Agreement are listed in Annex 7.1. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties, or that involve other ancillary services, even if access to Customer Data cannot be excluded, as long as the Processor takes reasonable steps to protect the confidentiality of the Customer Data. In order to receive notifications of the addition or replacement of subprocessors, the Customer may subscribe to a mailing list using the following link: . Subprocessor notifications will be sent no later than 14 days prior to any change, in order to allow the Customer to object. An objection may only be raised by the Customer for important reasons, which must be substantiated vis-à-vis the Processor. If the Customer does not object within 14 days of receipt of the notification, the Customer's right to object to the corresponding engagement lapses. If the Customer objects, the Processor is entitled to terminate the Contract and this Agreement with a notice period of three months to the end of a month.

b) The agreement between the Processor and the further processor must impose the same obligations on the further processor as those incumbent upon the Processor under this Agreement. The Parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this Agreement.

c) Subject to compliance with the requirements of Sec. 2 e) of this Agreement, the provisions of this Sec. 7 shall also apply if a further processor in a third country is involved. The Customer hereby authorizes the Processor to conclude, on behalf of the Customer, an agreement with the further processor based on the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to the decision of the European Commission of 5 February 2010. The Customer declares its willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.

8) Data Subjects' Rights

a) The Processor shall support the Customer, within reason and by means of technical and organizational measures, in fulfilling the Customer's obligation to respond to requests for the exercise of data subjects' rights.

b) As far as a data subject submits a request for the exercise of its rights directly to the Processor, the Processor will forward this request to the Customer in a timely manner.

c) The Processor shall provide the Customer with any information relating to the stored Customer Data, about the recipients of Customer Data to which the Processor may disclose it in accordance with the instructions, and about the purpose of storage, insofar as the Customer does not have this information at its disposal and is not able to collect it itself.

d) The Processor shall, within the bounds of what is reasonable and necessary, enable the Customer to correct, delete or restrict the further processing of Customer Data, or at the instruction of the Customer correct, block or restrict further processing itself, if and to the extent that this is impossible for the Customer. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

e) Insofar as the data subject has a right of data portability vis-à-vis the Customer in respect of the Customer Data pursuant to Art. 20 GDPR, the Processor shall support the Customer, within the bounds of what is reasonable and necessary, in handing over the Customer Data in a structured, commonly used and machine-readable format, if the Customer is unable to obtain the data elsewhere. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

9) Notification and Support Obligations of the Processor

a) Insofar as the Customer is subject to a statutory notification obligation due to a breach of security regarding the Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Customer in a timely manner of any reportable events in the Processor's area of responsibility. The Processor shall assist the Customer in fulfilling the notification obligations at the Customer's request to the extent reasonable and necessary. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

b) The Processor shall assist the Customer to the extent reasonable and necessary with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

10) Deletion and Return of Customer Data

a) Upon termination of this Agreement, the Processor shall, at the discretion of the Customer,
i. either delete or return the Customer Data; and
ii. delete existing copies thereof, unless the Processor is obligated by law to store the Customer Data further.

b) The Processor may retain documentation which serves as evidence of the orderly and accurate processing of Customer Data, also after the termination of this Agreement.

11) Evidence and Audits

a) The Processor shall provide the Customer, at the Customer's request, with all information required and available to the Processor to prove compliance with its obligations under this Agreement.

b) The Customer shall be entitled to audit (including inspections) the Processor with regard to compliance with the provisions of this Agreement, in particular the implementation of the technical and organisational measures.

c) In order to carry out inspections in accordance with Sec. 11 b), the Customer is entitled to access the business premises of the Processor in which Customer Data is processed during usual business hours (Mondays to Fridays from 10 am to 6 pm, Central European Time), after timely advance notification in accordance with Sec. 11 e), at its own expense, without disruption of the course of business and under strict secrecy of the Processor's business and trade secrets.

d) The Processor is entitled, at its own discretion and taking into account the Customer's legal obligations, not to disclose information which is sensitive with regard to the Processor's business, or whose disclosure would put the Processor in breach of statutory or other contractual provisions. The Customer is not entitled to access data or information about the Processor's other customers, cost information, quality control and contract management reports, or any other confidential data of the Processor that is not directly relevant to the agreed audit purposes.

e) The Customer shall inform the Processor in good time (usually at least two weeks in advance) of all circumstances relating to the performance of the audit. The Customer may carry out no more than one audit per calendar year.

f) If the Customer commissions a third party to carry out the audit, the Customer shall obligate the third party in writing in the same way as the Customer is obliged vis-à-vis the Processor according to this Sec. 11. In addition, the Customer shall by way of written agreement obligate the third party to maintain secrecy and confidentiality unless the third party is subject to a professional obligation of secrecy. At the request of the Processor, the Customer shall immediately submit to the Processor the commitment and confidentiality agreements with the third party. The Customer may not commission any of the Processor's competitors to carry out the audit.

g) At the discretion of the Processor, proof of compliance with the obligations under this Agreement may be provided, instead of an inspection, by submitting an appropriate current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit (the "Audit Report"), if the Audit Report makes it possible for the Customer in an appropriate manner to convince itself of the Processor's compliance with the contractual obligations contained in this Agreement.

12) Contract Term and Termination
The term and termination of this Agreement shall be governed by the term and termination provisions of the Contract. A termination of the Contract automatically results in the termination of this Agreement. An isolated termination of this Agreement is excluded.

13)Liability

a) The Processor's liability under this Agreement shall be governed by the disclaimers and limitations of liability provided for in the Contract. As far as third parties assert claims against the Processor which are caused by the Customer's culpable breach of this Agreement or one of the Customer´s obligations as the controller in terms of data protection law, the Customer shall upon first request indemnify and hold the Processor harmless from these claims.

b) The Customer undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Customer's part of responsibility for the infringement sanctioned by the fine.

14) Final Provisions

a) Should individual provisions of this Agreement be or become ineffective, or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision with a legally permissible provision that comes closest to the purpose of the ineffective provision and thereby satisfies the requirements of Art. 28 GDPR.

b) In case of conflicts between this Agreement and other arrangements of the Parties, in particular the Contract, the provisions of this Agreement shall prevail.

Annex 2.2

Further Information on the Processing of Customer Data

1. Purpose and extent of data processing

Provision of the 91㽶Ƶ software as a web application, desktop application or mobile application, which functions as a platform for communication; the collection, storage, analysis and reporting to the Customer of data and metrics on user engagement; fulfillment of the Processor's obligations under the Contract.

2. Types of personal data

Contact data; usage data; any data entered by the Customer in the Software; employee data; customer data; supplier data; user-generated data; user data; profile data; usernames; passwords; e-mail addresses; log files; data relating to user interaction.

3. Categories of data subjects

Users of the 91㽶Ƶ software; possibly other data subjects mentioned or included in data entered by the Customer in the Software.

Annex 6.1

Technical and Organizational Measures according to Art. 32 GDPR

Under Art. 32 GDPR, controllers and processors of personal data must implement technical and organizational measures (TOM) to ensure that the security and protection requirements of data protection law are met. Technical measures are all protective measures that are physically implementable in the broadest sense, such as securing doors and windows, or that are implemented in hardware and software, such as requiring a user account and password. Organizational measures are protective measures implemented through instructions, procedures and processes.

The measures are listed by category (numbered 1 to 12), each with the GDPR provision it serves, a description of the category, and the technical and organizational measures implemented.

1. Encryption (Art. 32 (1) a) GDPR)
Description: Cryptographic measures to ensure that information is encrypted when transferred internally or externally and can only be made readable again by using the correct key.
Measures:
- Encryption of the company website ("data in motion")
- Encryption of data carriers on laptops/notebooks and of mobile data carriers ("data at rest")

2. Confidentiality – physical access control (Art. 32 (1) b) GDPR)
Description: Measures to prevent unauthorized persons from gaining physical access to data processing systems with which personal data is processed or used.
Measures:
- Security of the buildings, windows and doors with an alarm system
- Digital key management system
- Automated access control system and manual locking system with security locks
- Light barriers/motion detectors
- Video surveillance of entrances

3. Confidentiality – data access control (Art. 32 (1) b) GDPR)
Description: Measures to prevent data processing systems from being used without authorization.
Measures:
- Authentication with username/password and/or biometric methods
- Allocation of user rights, definition of user profiles, assignment of passwords, and assignment of user profiles to IT systems
- Use of intrusion detection systems
- Immediate revocation of authorizations when employees leave the company
- Locked housings / security locks
- Password-protected screensavers and automatic screen locking after inactivity, and two-factor user authentication
- Implementation of virtual networks for the separation of data streams

4. Confidentiality – data usage control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, altered or removed without authorization in the course of processing or use and after storage.
Measures:
- Use of document shredders or appropriate service providers, and physical erasure of data media before reuse
- Development of an authorization concept (differentiated permissions to read, edit or delete data) and password rules (including special characters, minimum length, password change)
- Assignment of rights by the system administrator

5. Confidentiality – transmission control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission, transport or storage on data carriers, and that it is possible to check and establish to which bodies personal data is to be transferred by means of data transmission facilities.
Measures:
- Documentation of all interfaces
- Documentation of data recipients and of the periods of planned transfer or agreed erasure deadlines

6. Confidentiality – separation control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that data collected for different purposes can be processed separately.
Measures:
- Segregation of environments (production/testing)
- Development of an authorization concept
- Separate databases and separate tables within a database
- Logical client (tenant) separation

7. Integrity – input control (Art. 32 (1) b) GDPR)
Description: Full documentation of data management and maintenance must be kept to ensure the ongoing integrity of data; measures for subsequently verifying whether data has been entered, changed or removed (deleted), and by whom.
Measures:
- No local admin privileges
- Assignment of authorizations for data input
- Alteration and erasure of data on the basis of an authorization concept

8. Availability – availability control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that personal data is protected against accidental destruction or loss.
Measures:
- Air conditioning in server rooms
- Alarm on unauthorized entry into server rooms
- Fire extinguishers in server rooms, installation of fire and smoke detection systems, uninterruptible power supply (UPS)
- Remote data backup in secure off-site locations
- Monitoring of temperature and humidity, and surge-protected power strips in server rooms
- Development of an emergency plan and a disaster recovery plan; in flood areas, server rooms above the waterline
- Server rooms not located under sanitary facilities

9. Availability – job control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that, in the case of commissioned processing of personal data, the data is processed only in accordance with the instructions of the controller.
Measures:
- Selection of the processor with due diligence (in particular with respect to data security)
- Contractual penalties for breaches
- Written instructions to the processor (e.g. data processing agreement) as defined in Art. 28 (2) GDPR
- The processor has appointed a data protection officer
- Effective rights of control agreed with the processor
- Placing the processor's employees under an obligation of data confidentiality (Art. 28 (3) (b) GDPR)
- Assurance of deletion of the data at the end of the provision of services; continuous control of the processor and its activities
- Use of subcontractors requires the controller's consent and prior verification and documentation of the security measures taken by the processor

10. Resilience (Art. 32 (1) b) GDPR)
Description: Measures to ensure the resilience of the systems and services, i.e. that the systems and services are designed in such a way that even high peak loads and high continuous processing loads can be handled.
Measures:
- Testing of storage, access and line capacities

11. Restoration of availability (Art. 32 (1) c) GDPR)
Description: Measures to ensure that the availability of and access to the data can be restored in a timely manner in the event of a physical or technical incident.
Measures:
- Redundant design of the infrastructure (e.g. RAID for hard disks)
- Backup concept
- Use of a cloud service
- Testing of data restoration

12. Data protection management (Art. 32 (1) d) GDPR)
Description: Measures to ensure a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
Measures:
- Review by the data protection officer (DSB) and IT audit

Annex 7.1

Further Processors

Each entry gives the number, name and address of the further processor, its processing site, and a description of the processing carried out via this further processor.

1. Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA
Processing site: Germany, EU
Processing: Secure cloud service platform for database storage

3. Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany
Processing site: Germany, EU
Processing: E-mail service platform

4. Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA, USA
Processing site: Ireland, EU
Processing: Web analytics service

5. Intercom, Inc., a Delaware corporation with offices at 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA
Processing site: Ireland, EU
Processing: Ticket and chat system for websites

Last Updated: 16.08.2022

Data Processing Agreement - 91㽶Ƶ

1)Subject of the Agreement
In the course of the fulfillment of the contract between 91㽶Ƶ, Am Talenberg 14, 44227 Dortmund (the "Processor") and the customer (the "Customer", together with the Processor the "Parties") regarding the provision of the Processor's software to the Customer (the "Contract"), it is possible that the Processor deals with personal data pursuant to Art. 4 no. 1 General Data Protection Regulation ("GDPR"), i.e. any information relating to an identified or identifiable natural person (e.g. names, addresses or phone numbers of persons who are the Customer's customers), with regard to which the Customer acts as a controller pursuant to data protection law (the "CustomerData‟). This agreement (the "Agreement") specifies the data protection obligations and rights of the Parties in connection with the Processor's use of Customer Data to render the services under the Contract.

2) Scope of the Processing

a)  The Processor shall process the Customer Data on behalf and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR. The Customer remains the controller pursuant to Art. 28 GDPR.

b)The processing of CustomerData by the Processor occurs in the manner and the scope and for the purposedetermined in Annex 2.2 to this Agreement; the processing relates tothe types of personal data and categories of data subjects specified therein.The duration of processing corresponds to the term of the Contract.

c) The Processor reserves the right to anonymize or aggregate the Customer Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of needs-based designing, machine-learning, developing and optimizing as well as rendering of the services agreed as per the Contract. The Parties agree that anonymized and according to the above requirement aggregated Customer Data are not considered Customer Data for the purposes of this Agreement.

d) The Processor may process and use the Customer Data for the Processor´s own purposes as controller to the extent legally permitted by data protection law. This Agreement does not apply to such data processing.

e) The processing of Customer Data by the Processor shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Processor is nevertheless permitted to process Customer Data in accordance with the provisions of this Agreement outside the EEA if the Processor informs the Customer in advance (e.g. in the privacy policy) about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.

3) Right of the Customer to Issue Instructions

a) The Processor processes the Customer Data in accordance with the instructions of the Customer, unless the Processor is legally required to do otherwise. In the latter case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

b) The instructions of the Customer are in principle conclusively stipulated and documented in the provisions of this Agreement. Individual instructions which deviate from the stipulations of this Agreement or which impose additional requirements shall require the Processor's consent.

c) The Processor shall ensure that the Customer Data is processed in accordance with the instructions given by the Customer. If the Processor is of the opinion that an instruction givenby the Customer infringes this Agreement or applicable data protection law, the Processor is after correspondingly informing the Customer entitled to suspend the execution of the instruction until the Customer confirms the instruction. The Parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Customer.

4)Legal Responsibility of theCustomer

a) The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Customer Data in accordance with this Agreement, the Customer shall indemnify the Processor from all such claims upon first request.

b) The Customer is responsibleto provide the Processor with the Customer Data in time for the rendering of services according to the Contract and the Customer is responsible for the quality of the Customer Data. The Customer shall inform the Processor immediately and completely if during the examination of the Processor's results the Customer finds errors or irregularities with regard to data protection provisions or instructions of the Customer.

c) Upon request, the Customer shall provide the Processor with the information specified in Art. 30 para. 2GDPR, insofar as it is not already available to the Processor.

d) If the Processor is required to provide information to a governmental body or person on the processing of Customer Data or to cooperate with these bodies in any other way, the Customer is obliged to assist the Processor at first request in providing such information and in fulfilling other appropriate cooperation obligations.

5)Requirements for Personneland Systems
The Processor shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.

6) Security of Processing

a) The Processor takesnecessary appropriate technical and organizational measures according to Art.32 GDPR, taking into account the state of the art, the implementation costs andthe nature, scope, circumstances and purposes of the Customer Data, as well asdifferent likelihood and severity of the risk to the rights and freedoms ofthe data subjects, in order to ensure a level of protection of Customer Dataappropriate to the risk. The implemented technical and organizational measuresinclude the measures as listed in Annex 6.1.

b) The Processor shall have the right to modify technical and organizational measures during the term ofthis Agreement, as long as they continue to comply with the statutory requirements.

7) Engagement of Further Processors

a)The Customer grants the Processor the general authorization to engage further processors with regard to the processing of Customer Data. Further processors engaged at the time of conclusion of this Agreement are listed in Annex 7.2. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Customer Data cannot be excluded, aslong as the Processor takes reasonable steps to protect the confidentiality of the Customer Data. In order receive notifications with respect to adding or replacing existing subprocessors Customer may subscribe to a mailing list using to following link: . Subprocessor notifications will occur no later than 14 days prior to any changes, in order to allow for Customer to object. An objection may only be raised by the Customer for important reasons which have to be substantiated vis-à-vis the Processor. Insofar as the Customer does not object within 14 days after receipt of the notification, the Customer´s right to object to the corresponding engagement lapses. If the Customer objects, the Processor is entitled to terminate the Contract and this Agreement with a notice period of three months until the end of a month.

b) The agreement between the Processor and the further processor must impose the same obligations on the further processor as those incumbent upon the Processor under this Agreement. The Parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this Agreement.

c)Subject to compliance with the requirements of Sec. 2.5 of this Agreement, the provisions of this Sec. 7 shall also apply if a further processor in a third country is involved. The Customer hereby authorizes the Processor to conclude an agreement with another processor on behalf of the Customer based on the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to the decision of the European Commission of February 5th in 2010. The Customer declares its willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.

8) Data Subjects' Rights

a)The Processor shall support the Customer within reason by virtue of technical and organizational measures in fulfilling the Customer's obligation to respond to requests for exercising data subjects' rights.

b) As far as a data subject submits a request for the exercise of its rights directly to the Processor, the Processor will forward this request to the Customer in a timely manner.

c)The Processor shall inform the Customer of any information relating to the stored Customer Data, about the recipients of Customer Data to which the Processor may disclose it in accordance with the instructions and about the purpose of storage, as far asthe Customer does not have this information at its disposal and as far as the Customer is not able to collect it itself.

d) The Processor shall, within the bounds of what is reasonable and necessary, enable the Customer to correct, delete or restrict the further processing of Customer Data, or at the instruction of the Customer correct, block or restrict further processing itself, if and to the extent that this is impossible for the Customer. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

e)Insofar as the data subject has a right of data portability vis-à-vis the Customer in respect of the Customer Data pursuant to Art. 20 GDPR, the Processor shall support the Customer within the bounds of what is reasonable and necessary in handing over the Customer Data in a structured, commonly used and machine-readable format, if the Customer is unable to obtain the data elsewhere. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

9) Notification and Support Obligations of the Processor

a)Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security regarding the Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Customer in a timely manner of any reportable events in the Processor´s area of responsibility. The Processor shall assist the Customer in fulfilling the notification obligations at the Processor's request to the extent reasonable and necessary. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

b) The Processor shall assist the Customer to the extent reasonable and necessary with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.

10)Deletion and Return of Customer Data

a)Upon termination of this Agreement, the Processor shall, in the discretion of the Customer,
i. either delete or return the Customer Data; and
ii. delete existing copies thereof unless the Processor is obligated by law to further store the Customer Data.

iii. The Processor may keepdocumentations which serve as evidence of the orderly and accurate processingof Customer Data, also after the termination of this Agreement.

11)  Evidence and audits

a)The Processor shall provide the Customer, at the Customer's request, with all information required and available to the Processor to prove compliance with its obligations under this Agreement.

b) The Customer shall be entitled to audit (including inspections) the Processor with regard to compliance with the provisions of this Agreement, in particular the implementation of the technical and organisational measures.

c)In order to carry out inspections in accordance with Sec. 11.2., the Customer is entitled to access the business premises of the Processor in which Customer Data is processed within the usual business hours (Mondays to Fridays from 10 am to 6 pm, German time zone CET+1) after timely advance notification in accordance with Sec. 11.5 at its own expense, without disruption of the course of business and under strict secrecy of the Processor's business and trade secrets.

d) The Processor is entitled, at its own discretion and taking into account the Customer's legal obligations, not to disclose information which is sensitive with regard to the Processor's business or whose disclosure would put the Processor in breach of statutory or other contractual provisions. The Customer is not entitled to access data or information about the Processor's other customers, cost information, quality control and contract management reports, or any other confidential data of the Processor that is not directly relevant to the agreed audit purposes.

e) The Customer shall inform the Processor in good time (usually at least two weeks in advance) of all circumstances in relation to the performance of the audit. The Customer may carry out not more than one audit per calendar year.

f) If the Customer commissions a third party to carry out the audit, the Customer shall obligate the third party in writing in the same way as the Customer is obliged vis-à-vis the Processor according to this Sec. 11. In addition, the Customer shall by way of written agreement obligate the third party to maintain secrecy and confidentiality unless the third party is subject to a professional obligation of secrecy. At the request of the Processor, the Customer shall immediately submit to the Processor the commitment and confidentiality agreements with the third party. The Customer may not commission any of the Processor's competitors to carry out the audit.

g) At the discretion of the Processor, proof of compliance with the obligations under this Agreement may be provided, instead of an inspection, by submitting an appropriate current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit (the "Audit Report"), if the Audit Report makes it possible for the Customer in an appropriate manner to convince itself of the Processor's compliance with the contractual obligations contained in this Agreement.

12) Contract term and termination
The term and termination of this Agreement shall be governed by the term and termination provisions of the Contract. A termination of the Contract automatically results in a cancellation of this Agreement. An isolated termination of this Agreement is excluded.

13) Liability

a) The Processor's liability under this Agreement shall be governed by the disclaimers and limitations of liability provided for in the Contract. To the extent third parties assert claims against the Processor which are caused by the Customer's culpable breach of this Agreement or of one of the Customer's obligations as the controller under data protection law, the Customer shall upon first request indemnify and hold the Processor harmless from these claims.

b) The Customer undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Customer's part of responsibility for the infringement sanctioned by the fine.

14) Final provisions

a) In case individual provisions of this Agreement are or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and thereby satisfies the requirements of Art. 28 GDPR.

b) In case of conflicts between this Agreement and other arrangements of the Parties, in particular the Contract, the provisions of this Agreement shall prevail.

Annex 2.2

Further Information on the Processing of Customer Data

1) Purpose and extent of Data Processing

Provision of the 91㽶Ƶ software as a web application, desktop application, or mobile application, which functions as a platform for communication; the collection, storage, analysis and reporting to the Customer of data and metrics of user engagement; fulfillment of the Processor's obligations under the Contract.

2) Types of personal data

Contact data; usage data; any data entered by the Customer in the Software; employee data; customer data; supplier data; user-generated data; user data; profile data; usernames; passwords; email addresses; log files; data relating to user interaction.

3) Categories of data subjects

Users of the 91㽶Ƶ software; possibly other data subjects mentioned or included in data entered by the Customer in the Software.

Annex 6.1

Technical and Organizational Measures according to Art. 32 GDPR

According to Art. 32 GDPR, controllers and processors of personal data must take technical and organizational measures (TOM) to ensure that the security and protection requirements of data protection are met. Technical measures are to be understood as all protective measures that are physically implementable in the broadest sense, such as securing doors and windows, or measures implemented in software and hardware, such as setting up user accounts with a password requirement. Organizational measures are to be understood as protective measures that are implemented through instructions, procedures and processes.

Columns of the original table: No. | Category of Measures | Description of Category | Technical Measures | Organizational Measures

1. Encryption (Art. 32 (1) a) GDPR)
Description: Cryptographic measures to ensure that information is encrypted when transferred internally or externally and can only be made readable again with the correct decryption key.
Technical and organizational measures:
- Encryption of the company website ("data in motion")
- Encryption of data carriers on laptops/notebooks and mobile data carriers ("data at rest")

2. Confidentiality – physical access control (Art. 32 (1) b) GDPR)
Description: Measures to prevent unauthorized persons from gaining physical access to data processing systems with which personal data is processed or used.
Technical and organizational measures:
- Security of the buildings, windows and doors with an alarm system
- Digital key management system
- Automated access control system and manual locking system with safety locks
- Light barriers/motion detectors
- Video surveillance of entrances

3. Confidentiality – data access control (Art. 32 (1) b) GDPR)
Description: Measures to prevent data processing systems from being used without authorisation.
Technical and organizational measures:
- Authentication with username/password and/or biometric methods
- Allocation of user rights, definition of user profiles, assignment of passwords, and assignment of user profiles to IT systems
- Use of intrusion detection systems
- Immediate revocation of authorizations when employees leave the company
- Locked housings / security locks
- Password-protected screensavers and automated screen locking in case of inactivity, and two-factor user authentication
- Implementation of virtual networks for the separation of data streams

4. Confidentiality – data usage control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, altered or removed without authorisation in the course of processing or use and after storage.
Technical and organizational measures:
- Use of document shredders or appropriate service providers, and physical deletion of data media before reuse
- Development of an authorization concept (differentiated authorisations to read, edit or delete data) and password procedures (incl. special characters, minimum length, change of password)
- Assignment of rights by the system administrator

5. Confidentiality – transmission control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that personal data cannot be read, copied, altered or removed during electronic transmission, transport or storage onto data carriers, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.
Technical and organizational measures:
- Documentation of all interfaces
- Documentation of recipients of data and of the time periods of planned transfer or agreed erasure time limits

6. Confidentiality – separation control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that data collected for different purposes can be processed separately.
Technical and organizational measures:
- Segregation of environments (production/testing)
- Development of an authorization concept
- Separate databases and separate tables within a database
- Logical client (tenant) separation

7. Integrity – input control (Art. 32 (1) b) GDPR)
Description: Full documentation of data management and maintenance must be kept to ensure the ongoing integrity of data. Measures for subsequently checking whether data has been entered, changed or removed (deleted), and by whom.
Technical and organizational measures:
- No local admin privileges
- Assignment of authorisations for input
- Alteration and erasure of data on the basis of an authorisation concept

8. Availability – availability control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that personal data is protected from accidental destruction or loss.
Technical and organizational measures:
- Air conditioning in server rooms
- Alarm on unauthorized entry into the server room
- Fire extinguishers in server rooms, installation of fire and smoke detection systems, uninterruptible power supply (UPS)
- Remote data backup in secure outsourced locations
- Monitoring of temperature and humidity, and power outlet strips with surge protection in server rooms
- Development of an emergency plan and a disaster recovery plan; in flood-prone areas, server rooms above the waterline
- Server room not located under sanitary facilities

9. Availability – job control (Art. 32 (1) b) GDPR)
Description: Measures to ensure that, in the case of commissioned processing of personal data, the data is processed only in accordance with the instructions of the Controller.
Technical measures: none listed
Organizational measures:
- Selection of the Processor giving consideration to due diligence aspects (in particular with respect to data security)
- Contractual penalties for breaches
- Written instructions to the Processor (e.g. Data Processing Agreement) as defined in Art. 28 (2) GDPR
- Processor has appointed a Data Protection Officer
- Effective rights of control agreed with the Processor
- Putting the Processor's employees under an obligation of data confidentiality (Art. 28 (3) (b) GDPR)
- Assurance of deletion of the data at the end of the provision of services; continuous control of the Processor and its activities
- Use of subcontractors requires the Controller's consent and prior verification and documentation of the security measures taken by the Processor

10. Resilience (Art. 32 (1) b) GDPR)
Description: Measures to ensure the resilience of the systems and services, i.e. that they are designed in such a way that even high peak loads and sustained high processing loads can be handled.
Technical measures: none listed
Organizational measures:
- Testing of storage, access and line capacities

11. Restoration of availability (Art. 32 (1) c) GDPR)
Description: Measures to ensure that availability of and access to the data can be restored in a timely manner in the event of a physical or technical incident.
Technical and organizational measures:
- Redundant design of the infrastructure (e.g. RAID for hard disks)
- Backup concept
- Cloud service
- Testing of data restoration

12. Data protection management (Art. 32 (1) d) GDPR)
Description: Measures to ensure a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
Technical measures: none listed
Organizational measures:
- Review by the Data Protection Officer (DSB) and internal IT audit

Annex 7.1

Further Processors

Columns of the original table: No. | Name of the further processor | Processing site | Description of processing via this further processor

No. 1
Name of the further processor: Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA
Processing site: Germany, EU
Description of processing: Secure cloud service platform for database storage

No. 3
Name of the further processor: Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany
Processing site: Germany, EU
Description of processing: Email service platform

No. 4
Name of the further processor: Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA, USA
Processing site: Ireland, EU
Description of processing: Web analytics service

No. 5
Name of the further processor: Intercom, Inc., a Delaware corporation with offices at 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA
Processing site: Ireland, EU
Description of processing: Ticket and chat system for websites