Data processing agreement
As of: 14/05/2024
between
Customer (who created a customer account with Flea Software UG)
- Client -
and
Flea Software UG (limited liability)
Winterfeldtstraße 21, 10781 Berlin
- Contractor -
1. General
(1) The contractor processes personal data on behalf of the client in the sense of Art. 4 No. 8 and Art. 28 of the General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.
(2) If the term "data processing" or "processing" (of data) is used in this contract, the definition of "processing" in the sense of Art. 4 No. 2 GDPR is used as a basis.
2. Subject Matter of the Contract
The subject matter of the processing, nature and purpose of the processing, the type of personal data and the categories of data subjects are defined in Appendix 1 to this contract.
3. Rights and Obligations of the Client
(1) The client is the data controller in the sense of Art. 4 No. 7 GDPR for the data processing carried out by the contractor on its behalf. Pursuant to Section 4 (3), the contractor has the right to inform the client if, in its opinion, a processing of data that it deems legally impermissible is the subject of the contract and/or of an instruction.
(2) The client is responsible as the data controller for the protection of the rights of the data subjects. The contractor will inform the client immediately if data subjects assert their rights against the contractor.
(3) The client has the right to issue additional instructions on the nature, scope and procedure of the data processing to the contractor at any time. Instructions must be given in writing (e.g. by e-mail).
(4) Provisions on any remuneration for additional expenses arising from additional instructions from the client to the contractor remain unaffected.
(5) The client may designate persons authorized to issue instructions. If persons authorized to issue instructions are to be designated, these shall be named in Appendix 1. In the event that the persons authorized to issue instructions change at the client, the client shall notify the contractor of this in writing.
(6) The client shall inform the contractor immediately if it detects errors or irregularities in connection with the processing of personal data by the contractor.
(7) In the event that there is an obligation to inform third parties in accordance with Art. 33, 34 GDPR or any other legal obligation applicable to the client, the client is responsible for compliance with them.
4. General Obligations of the Contractor
(1) The contractor processes personal data exclusively within the framework of the agreements made and/or in compliance with any additional instructions issued by the client. This shall not apply to legal regulations that may require the contractor to process data in a different manner. In such a case, the contractor shall inform the client of these legal requirements prior to processing, provided that the relevant law does not prohibit such notification on the grounds of important public interest. The purpose, nature and scope of the data processing shall otherwise be based exclusively on this contract and/or the client's instructions. The contractor is prohibited from processing data in a manner that deviates from this, unless the client has expressly consented to this in writing.
(2) As a general rule, the contractor will process data on behalf of the client in Member States of the European Union (EU) or the European Economic Area (EEA). The contractor may also process data outside the EU or EEA if subcontractors in a third country are used in compliance with the conditions of Section 9 and the requirements of Articles 44-48 GDPR are met, or if an exception in the sense of Article 49 GDPR applies.
(3) The contractor shall inform the client immediately if a directive issued by the client, in its opinion, violates legal regulations. The contractor is entitled to suspend the implementation of the directive in question until it is confirmed or amended by the client. If the contractor can demonstrate that processing in accordance with the client's directive may lead to liability on the part of the contractor in accordance with Article 82 GDPR, the contractor is free to suspend further processing in this respect until liability between the parties is clarified.
(4) The contractor may designate the person(s) authorized to receive the client's instructions. If persons authorized to receive instructions are to be designated, these shall be named in Appendix 1. If persons authorized to receive instructions change at the contractor, the contractor shall notify the client of this in writing.
5. Data Protection Officer of the Contractor
(1) The contractor confirms that it has appointed a data protection officer in accordance with Article 37 GDPR. The contractor will ensure that the data protection officer has the necessary qualifications and expertise. The contractor will separately notify the client of the name and contact details of its data protection officer in writing.
(2) At the discretion of the client, the obligation to appoint a data protection officer pursuant to paragraph 1 may be dispensed with if the contractor can prove that it is not required by law to appoint a data protection officer and can demonstrate that operational arrangements are in place which ensure that personal data is processed in compliance with legal regulations, the provisions of this contract and any further instructions from the client.
6. Reporting Obligations of the Contractor
(1) The contractor is obliged to immediately notify the client of any breaches of data protection regulations or of the contractual agreements and/or instructions issued by the client, which have occurred in the course of the processing of data by the contractor or by other persons involved in the processing. The same applies to any violation of the protection of personal data processed by the contractor on behalf of the client.
(2) Furthermore, the contractor will immediately inform the client if a supervisory authority takes action against the contractor in accordance with Article 58 GDPR, and this may also concern a review of the processing performed by the contractor on behalf of the client.
(3) The contractor is aware that the client may be obliged to notify the supervisory authority in accordance with Articles 33 and 34 GDPR, which require such notification within 72 hours of becoming aware of the breach. The contractor will support the client in fulfilling these reporting obligations. In particular, the contractor will notify the client of any unauthorized access to personal data processed by the contractor on behalf of the client as soon as the access becomes known. The notification from the contractor to the client must in particular include the following information:
a description of the nature of the breach of the protection of personal data, if possible with details of the categories and approximate number of data subjects affected, the affected categories and the approximate number of personal data records affected;
a description of the measures taken or proposed by the contractor to remedy the breach of the protection of personal data and, if applicable, measures to mitigate their potential adverse effects.
7. Cooperation Obligations of the Contractor
(1) The contractor supports the client in its obligation to respond to requests to exercise data subject rights in accordance with Articles 12-23 GDPR. The provisions of Section 12 of this contract shall apply.
(2) The contractor participates in the creation of records of processing activities by the client. The contractor shall provide the client with the information required in each case in an appropriate manner.
(3) Taking into account the nature of the processing and the information available to it, the contractor supports the client in complying with the obligations mentioned in Articles 32-36 GDPR.
8. Regulation on Mobile Workplaces
(1) The contractor may allow its employees, who are entrusted with the processing of personal data for the client, to process personal data at mobile workplaces outside the business premises of the contractor.
(2) The contractor must ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed when the employees of the contractor use mobile workplaces. Deviations from individual contractually agreed technical and organizational measures must be coordinated in advance with the client and approved by the client in writing.
(3) In particular, the contractor ensures that when processing personal data at mobile workplaces, the storage locations are configured in such a way that local storage of data on IT systems is precluded. If this is not possible, the contractor shall ensure that local storage takes place exclusively in encrypted form, and that other persons at the location of the respective mobile workplace do not have access to this data.
(4) The contractor is obliged to ensure that effective control of the processing of personal data on behalf of the client at mobile workplaces is possible. The personal rights of the employees are to be appropriately taken into account in this context.
9. Supervisory Powers
(1) The client has the right to inspect the compliance with data protection regulations and/or compliance with the contractual agreements made between the parties and/or the compliance with the instructions of the client by the contractor to the necessary extent.
(2) The contractor is obligated to provide the client with information as far as this is necessary for the performance of the inspection pursuant to paragraph 1.
(3) After giving reasonable notice, the client may carry out on-site inspections at the contractor's place of business during usual business hours, to the extent required. The client shall ensure that the inspections are carried out only to the extent necessary, so as not to disproportionately disrupt the contractor's business operations. The parties assume that an inspection is required at most once a year. Further inspections must be justified by the client, indicating the reason. In the case of on-site inspections, the client will reimburse the contractor to an appropriate extent for the expenses incurred, including the personnel costs for supporting and accompanying the inspection personnel on site. The basis for the cost calculation will be communicated to the client by the contractor before the inspection is carried out.
(4) At the option of the contractor, proof of compliance with the technical and organizational measures can also be provided, instead of an on-site inspection, by presenting a suitable, current audit report, reports or report excerpts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or appropriate certification, provided that the audit document enables the client to satisfy itself in an appropriate manner that the technical and organizational measures in accordance with Appendix 3 to this contract are complied with. If the client has justified doubts about the suitability of the audit document within the meaning of sentence 1, an on-site inspection by the client can be carried out. The client is aware that an on-site inspection in data centers is not possible or is only possible in exceptional cases.
(5) In the event of measures by the supervisory authority against the client pursuant to Article 58 GDPR, particularly with regard to disclosure and control obligations, the contractor is obliged to provide the necessary information to the client and to enable the supervisory authority concerned to carry out an on-site inspection. The client is to be informed by the contractor of any planned measures.
(6) The parties agree that, in order to protect the personal rights of other persons at mobile workplaces, control measures for the processing of personal data at mobile workplaces shall primarily take the form of checking the implementation of the measures to be taken by the contractor in accordance with Section 8 (2) and (3). On specific occasions, the contractor shall enable the client to inspect the mobile workplaces of its employees.
10. Subcontracting Arrangements
(1) The contractor is entitled to use the subcontractors specified in Appendix 2 to this contract for the processing of data on behalf of the client. Changing subcontractors or engaging additional subcontractors is permissible under the conditions set out in paragraph 2.
(2) The contractor must carefully select and review the subcontractor before engaging them to ensure they can comply with the agreements made between the client and the contractor. The contractor must particularly ensure, before and regularly during the contract term, that the subcontractor has implemented the technical and organizational measures required under Art. 32 GDPR to protect personal data. The contractor must inform the client in text form in the event of a planned change of subcontractor or engagement of a new subcontractor at least 4 weeks before the change or new engagement (“Notification”). The client has the right to object to the change or new engagement of the subcontractor in text form within four weeks of receiving the “Notification,” providing a reason. The client may withdraw the objection in text form at any time. If an objection is raised, the contractor may terminate the contract with the client with a notice period of at least 14 days at the end of a calendar month, considering the client’s interests. If no objection is raised by the client within three weeks of receiving the “Notification,” this will be deemed as the client’s consent to the change or new engagement of the relevant subcontractor.
(3) The contractor must confirm that the subcontractor has appointed a Data Protection Officer in accordance with Art. 37 GDPR if the subcontractor is legally required to do so.
(4) The contractor must ensure that the provisions agreed in this contract and any supplementary instructions from the client also apply to the subcontractor.
(5) The contractor must enter into a data processing agreement with the subcontractor that meets the requirements of Art. 28 GDPR. Additionally, the contractor must impose the same obligations on the subcontractor regarding the protection of personal data as those agreed between the client and the contractor. The contractor must provide the client with a copy of the data processing agreement upon request.
(6) The contractor must ensure, through contractual agreements, that the client’s and supervisory authorities’ control rights (Section 9 of this contract) also apply to the subcontractor and that appropriate control rights are agreed. It must also be contractually agreed that the subcontractor must tolerate these control measures and any on-site inspections.
(7) Services that the contractor obtains from third parties as pure ancillary services to perform its business activities, such as cleaning services, telecommunications services without a specific relation to services provided to the client, postal and courier services, and transportation services, are not considered subcontracting relationships as per paragraphs 1 to 6. However, the contractor is obliged to ensure that appropriate precautions and technical and organizational measures have been taken to protect personal data even for ancillary services provided by third parties. Maintenance and servicing of IT systems or applications constitute a subcontracting relationship requiring consent and data processing as per Art. 28 GDPR if they involve accessing personal data processed on behalf of the client.
11. Confidentiality Obligation
(1) The contractor is obliged to maintain confidentiality regarding any data they receive or become aware of in connection with the contract when processing data for the client.
(2) The contractor must familiarize their employees with the relevant data protection regulations and commit them to confidentiality.
(3) The contractor must provide proof of their employees’ confidentiality obligation to the client upon request.
12. Safeguarding Data Subject Rights
(1) The client is solely responsible for safeguarding data subject rights. The contractor is obliged to assist the client in processing requests from data subjects under Art. 12-23 GDPR. The contractor must promptly provide the necessary information to the client to enable them to fulfill their obligations under Art. 12(3) GDPR.
(2) If the contractor’s involvement is necessary to safeguard data subject rights, particularly regarding access, rectification, restriction, or deletion, the contractor will take the required measures as instructed by the client. The contractor will support the client with suitable technical and organizational measures in responding to data subject rights requests.
(3) Regulations regarding possible remuneration for additional work resulting from assisting the client in safeguarding data subject rights remain unaffected.
13. Confidentiality Obligations
(1) Both parties agree to treat all information received in connection with this contract as confidential and only use it for contract execution. Neither party is entitled to use this information for any other purposes or disclose it to third parties.
(2) This obligation does not apply to information that either party has received from third parties without a confidentiality obligation or that is publicly known.
14. Remuneration
Any regulations regarding remuneration for services must be agreed upon separately between the parties.
15. Technical and Organizational Data Security Measures
(1) The contractor commits to complying with the technical and organizational measures necessary to adhere to applicable data protection regulations, including the requirements of Art. 32 GDPR.
(2) The technical and organizational measures in place at the time of contract signing are attached as Appendix 3 to this contract. The parties agree that changes to these measures may be necessary to adapt to technical and legal developments. Significant changes that may impact the integrity, confidentiality, or availability of personal data must be coordinated with the client in advance. Minor technical or organizational changes that do not negatively affect the integrity, confidentiality, and availability of personal data can be implemented by the contractor without prior coordination with the client. The client may request an updated version of the technical and organizational measures once a year or on justified occasions.
(3) The contractor will regularly and on an ad-hoc basis review the effectiveness of the technical and organizational measures they have implemented.
16. Duration of the Contract
(1) The contract is an appendix to the main contract and begins upon its signing. It continues for the duration of the main contract between the parties regarding the use of the contractor’s services by the client.
(2) The client may terminate the contract without notice if the contractor commits a serious breach of applicable data protection regulations or the obligations under this contract, if the contractor is unable or unwilling to follow the client’s instructions, or if the contractor unlawfully refuses access to the client or the competent supervisory authority.
17. Termination
(1) Upon termination of the contract, the contractor must return or delete all documents, data, and created processing or usage results that have come into their possession in connection with the contractual relationship, as chosen by the client. The deletion must be appropriately documented.
(2) The contractor may retain personal data processed in connection with the contract beyond the contract term if they are legally required to do so. In such cases, the data may only be processed for the purposes of fulfilling the legal retention obligations. The data must be deleted immediately after the retention period ends.
18. Right of Retention
The parties agree that the contractor cannot assert the right of retention under § 273 BGB concerning the processed data and associated data carriers.
19. Final Provisions
(1) If the client’s property at the contractor is endangered by third-party measures (e.g., seizure or confiscation), insolvency proceedings, or other events, the contractor must inform the client immediately. The contractor must inform creditors promptly that the data is processed on behalf of the client.
(2) Any side agreements require the written form.
(3) Should any parts of this contract be invalid, this does not affect the validity of the remaining provisions of the contract.
Appendix 1 - Subject of the contract
1. Object and Purpose of Processing
The client's order to the contractor includes the following work and/or services:
The services result from the main contract and include the provision of a cloud service for the qualitative and quantitative collection and processing of data in the fields of
the support and management of employees, as well as
the Developer Experience of employees,
including the associated maintenance, care, and support services.
The order includes the collection and evaluation of the data necessary to measure the Developer Experience and is aimed at developing a comprehensive understanding of the factors that influence the productivity and well-being of developers, as well as supporting the implementation of derived measures for improvement. These are specifically:
Data from employee surveys
Data from employee conversations (e.g. 1:1)
Data from other source systems: If agreed, this also includes the integration of data from other source systems used in the customer's development process into the cloud services provided by the contractor.
2. Type(s) of Personal Data
The following types of data are regularly the subject of processing:
Identification data: This includes first and last name, email address, and possibly position title within the organization.
Demographic data: This can include age, gender, and length of employment.
Feedback and opinions: Information and assessments of work processes, team dynamics, technical infrastructure, and personal commitment.
Work-related data: Information on team affiliation, role distribution within the team, and specific work tasks.
Work-related data from other source systems (as agreed and configured in the contractor's software), such as ticket, source code, or other development systems, e.g. deployment or systems for automated software testing.
3. Categories of Data Subjects
Circle of persons affected by the data processing:
Client
Client's employees
External employees of the client
Appendix 2 - Subcontractors
To process data on behalf of the client, the contractor uses the services of third parties that process data on its behalf ("subcontractors").
These are the following company(ies):
Amazon Web Services, Inc., P.O. Box 81226 Seattle, WA 98108-1226 USA
Scope of the contract: The contractor uses EC2 instances, as well as AWS S3 file storage, exclusively in the EU region. This means that all data uploaded to Flea is stored in the EU.
A data processing agreement including EU Standard Contractual Clauses was concluded with the subcontractor. Amazon offers extensive data encryption options as an additional safeguard.
Appendix 3 - Technical and organizational measures of the contractor
The contractor takes the following technical and organizational measures for data security within the meaning of Art. 32 GDPR.
Hosting
Amazon AWS is used for hosting the processing systems. Access to the services of the hosting provider Amazon is secured in line with common, high requirements, such as encrypted data transmission via SSL/TLS, strong passwords and two-factor authentication. Further information on Amazon's security measures can be found at the following link: https://aws.amazon.com/security/
Access control
Flea currently does not have its own offices and uses the infrastructure of co-working providers. The access controls and restrictions of the respective provider in use apply and are made available on request.
Access control / Access rights
Password procedure
Authentication with username + password
Requirement of character mix (uppercase, lowercase letters, numbers, special characters)
Minimum length of 8 characters
Creation and management of user permissions
Logging of access (log in / log out)
Authorization concept and access rights
Authorization concept available
Role definition
Differentiated permissions (data, applications)
Management of user rights by system administrators
Limitation of the number of administrators to the "necessary minimum"
Assignment of responsibilities for the protection of information
The contractor's software is developed with Ruby on Rails, a web application framework known for its high security standards. The security recommendations at http://guides.rubyonrails.org/security.html are implemented:
Once a user has successfully authenticated, the login is stored encrypted in a session cookie
Cross-Site Request Forgery (CSRF) is prevented, among other things, by a Rails-internal security token for POST requests
XSS is prevented by sanitizing user inputs
Separation of controls
Definition of database rights
Logical multitenancy (on the software side)
Separation of customer data (access rights)
Is pseudonymization of the data possible?
Pseudonymization of the data is possible where necessary.
Integrity
The integrity of personal data is ensured when it is correct, unchanged, and complete.
Transfer control
Data transmission via https (online services)
SSL encryption for web access
Encryption of notebooks
Input control
Assignment of rights based on authorization concept
Logging of data input, modification, and deletion
Logging of log in and log out
Traceability of input, modification, and deletion by individual user names
Availability
The availability of personal data is ensured when it can always be used as intended by the users.
Backup and recovery procedures
Backups for servers including regulation and implementation
Backups for information in the network/services
Ability to rapidly restore the availability of data and access
Procedures for regular review, assessment, and evaluation
Order control
Careful selection of the contractor (especially with regard to data security)
Examination of data security measures (technical and organizational measures, certificates/seals of approval, data security concept)
Agreement of effective control rights vis-à-vis contractor
Instructions for handling personal data are documented in writing
If necessary, data processing agreements or suitable guarantees for the transmission of data to third countries are concluded
Data protection management
Data protection officer is not required
Written commitment of employees to confidentiality
Regular training of employees in data protection and information security
Keeping a directory of processing activities
Processes for the exercise of data subject rights are established
Data minimization and purpose limitation
Incident Response Management
Training and instruction of employees on data security and behavior in security incidents and data breaches