1. Subject matter and duration of the Order or Contract
1.1 Subject matter
The duration of this Order or Contract corresponds to the duration of the Service Agreement.
2. Specification of the Order or Contract Details
2.1 Nature and Purpose of the intended Processing of Data
Nature and Purpose of Processing of personal data by the Supplier for the Client result from the Service Agreement.
The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled.
2.2 Type of Data
The Subject Matter of the processing of personal data comprises the following data types/categories:
- Personal Master Data (Key Personal Data)
- Contact Data (e.g. phone numbers, email addresses and other contact information)
- Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest)
- Customer History
- Contract Billing and Payments Data
- Planning and control data (e.g. on-call duties of employees)
- Identification and authentication data (e.g. IP address, user ID, session cookie, login token)
2.3 Categories of Data Subjects
The Categories of Data Subjects comprise customers, suppliers and employees of the Client.
3. Technical and Organisational Measures
Before the commencement of processing, the Supplier shall document the execution of the necessary Technical and Organisational Measures, set out in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.
The Supplier shall establish security in accordance with Article 28 Paragraph 3 Point c and Article 32 GDPR, in particular in conjunction with Article 5 Paragraphs 1 and 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning the confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR, must be taken into account. [Details in Appendix 1]
The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.
4. Rectification, restriction and erasure of data
The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.
Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Client.
Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay.
5. Quality assurance and other duties of the Supplier
In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:
- The Supplier is not obliged to appoint a Data Protection Officer. Mr Birol Yildiz, Managing Director, +49 221 9996 9976, firstname.lastname@example.org, is designated as the Contact Person on behalf of the Supplier.
- Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this contract, unless required to do so by law.
- Implementation of and compliance with all Technical and Organisational Measures necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR [details in Appendix 1].
- The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
- The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements of any Civil or Criminal Law, or Administrative Rule or Regulation, regarding the processing of personal data in connection with the processing of this Order or Contract.
- Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make every effort to support the Client.
- The Supplier shall periodically monitor its internal processes and the Technical and Organizational Measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and protects the rights of the Data Subject.
- Verifiability of the Technical and Organisational Measures conducted by the Client as part of the Client’s supervisory powers referred to in item 7 of this contract.
6. Subcontracting
Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client's data, even in the case of outsourced ancillary services.
The Supplier may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Client.
- The Client agrees to the commissioning of the subcontractors listed at www.ilert.com/subcontractors on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.
- Outsourcing to additional subcontractors or changing an existing subcontractor is permissible when:
  - The Supplier submits such an outsourcing to a subcontractor to the Client in writing or in text form with appropriate advance notice; and
  - The Client has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
  - The subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.
The transfer of personal data from the Client to the subcontractor and the subcontractor's commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.
If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.
7. Audit rights of the Client
The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The Client has the right to satisfy itself of the Supplier's compliance with this agreement in its business operations by means of spot checks, which are ordinarily to be announced in good time.
The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.
Evidence of such measures, which concern not only the specific Order or Contract, may be provided by current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor) or a suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).
The Supplier may claim remuneration for enabling Client inspections.
8. Communication in the case of infringements by the Supplier
The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
- Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
- The obligation to report a personal data breach immediately to the Client.
- The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.
- Supporting the Client with its data protection impact assessment.
- Supporting the Client with regard to prior consultation of the supervisory authority.
The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.
9. Authority of the Client to issue instructions
The Client shall immediately confirm oral instructions (at the minimum in text form).
The Supplier shall inform the Client immediately if it considers that an instruction violates Data Protection Regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.
10. Deletion and return of personal data
Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. The Supplier may hand such documentation over to the Client at the end of the contract duration to relieve itself of this contractual obligation.
Appendix - Technical and Organisational Measures
1. Physical access control
Technical and organizational measures for access control, in particular also for the legitimation of authorized persons:
- AWS uses multi-factor authentication mechanisms and additional security mechanisms for access to data centers, which are designed in such a way that only authorized persons have access to an AWS data center. Authorized persons must use their badge on a card reader and enter their individual PIN to gain access to the facility and the rooms for which they have been authorized.
- Physical access to the data centers is monitored by the AWS electronic access control system. For access to the building and the rooms, the system consists of card readers and PIN pads, for exiting it only consists of card readers. By using card readers when leaving buildings and rooms, double access barriers come into effect, which ensure that authorized persons are not followed by unauthorized persons who gain access without ID.
- In addition to the access control system, all entrances to the AWS data centers, including the main entrance, the loading ramp and all roof hatches and other hatches, are equipped with intrusion detection devices that trigger an alarm as soon as a door is forced or held open. In addition to the electronic mechanisms, the AWS data centers also use trained security guards who are stationed both inside and in the vicinity of the building around the clock. Within the system, access to the data centers is only granted when necessary; all physical access requests are checked and approved by the responsible Area Access Manager (AAM).
- AWS data centers are housed in inconspicuous facilities and are not open to the public. Physical access is strictly controlled both in the area and at the access points to the building.
- AWS only provides access and information to the data center to vendors, contractors, and visitors for a legitimate business need, such as emergency repairs. All visitors to the data centers must have been authorized in advance by the responsible Area Access Manager (AAM) and documented in the AWS ticket management system. Upon arrival at the data center, they must identify themselves and sign in before being issued a visitor badge.
- While in the data center, visitors are constantly accompanied by authorized personnel. AWS's physical security mechanisms are reviewed by independent, external auditors during the SOC, PCI DSS, ISO/IEC 27001 and FedRAMP compliance reviews.
2. Logical access control
Technical (passwords / password protection) and organizational (user master record) measures with regard to user identification and authentication:
- ilert authenticates users using their access data (client ID, user name and password). When storing passwords, ilert uses accepted industry standards by only storing a “cryptographic hash” of a password.
- As a rule, access to IT systems is only possible via password-protected, encrypted and authenticated connections (VPN, IPsec, SSH, SFTP, SSL/TLS). IT systems are divided into separate logical networks using VLANs.
- Every IT system is protected from unauthorized access by firewalls as well as username and password and / or client certificates. Access to the IT systems is logged in the access log and stored as required by the project.
3. Data access control
Demand-oriented design of the authorization concept and the access rights as well as their monitoring and logging:
- ilert uses differentiated authorizations in order to prevent unauthorized activities outside the granted authorizations in the IT system.
- All services (console, databases, application server) are recorded in the form of log files.
- Services, ports and accounts that are not required are deactivated / blocked by default.
4. Transmission and transport control
Measures for transport, transfer and transmission or storage on data carriers (manual or electronic) as well as for subsequent verification:
- Access to ilert via browser takes place exclusively via encrypted channels (through the use of HTTPS). This applies both to the transmission of the password and to all other data sent from the user's browser to the ilert servers.
- For programmatic access via the API, ilert provides encrypted access and, in order to continue to support legacy systems, unencrypted access. The Client is instructed to always use encrypted access. Furthermore, ilert reserves the right to switch off unencrypted access in the future without prior notice.
5. Input control
Measures to subsequently check whether and by whom data has been entered, changed or removed (deleted):
- AWS has identified auditable event categories for all systems and devices within the AWS system. Service teams configure the audit functions so that security-related events are continuously recorded according to requirements.
- The log storage system is designed to provide a highly scalable and highly available service, the capacity of which is automatically expanded as the log storage requirement increases. The audit data contains a set of data elements that support the required analysis requirements. In addition, they are available to the AWS security team or other relevant teams if necessary for review or analysis and for the rectification of security-relevant or business-damaging events.
- Furthermore, ilert uses logging systems that record all accesses to IT systems (such as servers and databases) in order to track changes to resources.
6. Order control
Measures (technical / organizational) to delimit the competencies between client and contractor:
- Personal data processed under the Order may only be processed in accordance with the instructions of the Client; this is regulated in the SaaS contract between the parties.
- Careful selection of the subcontractors according to uniform criteria (especially data protection).
- Prior review of the subcontractor and the technical and organizational measures taken.
- Deployed subcontractors will only receive data that is necessary to fulfill the service in the interests of the client.
7. Availability control
Measures for data backup (physical / logical):
- ilert operates its databases in two data centers and its application servers in three data centers in Frankfurt to ensure high availability. The data from the primary database is automatically and synchronously transferred to the “standby” database. Each database runs on its own physically independent infrastructure and is designed for high reliability. In the event of a failure, ilert automatically fails over to the “standby” database so that operation continues after the failover.
- Furthermore, ilert creates complete backup copies on a daily basis and stores them redundantly. Backup copies are deleted after 30 days.
8. Separation control
Measures for the separate processing (storage, modification, deletion, transmission) of data with different purposes:
- The separate processing of data is guaranteed by the software through a logical separation of clients (tenants).
- Furthermore, productive and test systems are separated from each other.