Processing Agreement

Preamble

This Agreement sets forth the rights and obligations of the Parties with regard to the processing of Personal Data by Humanitec on behalf of the Customer in the context of Humanitec providing to Customer its Internal Developer Platform (“Platform”).

§ 1 Object, Nature, Scope and Purpose of the Commission

1.1. The object, nature, scope and purpose of the data processing is for Humanitec to provide to Customer the Platform which Customer uses to control workflows and processes in the course of its business.

1.2. Any transfer of personal data in the course of the Processing Agreement to a third country is subject to compliance with the specific requirements of Articles 44 to 49 GDPR. In any case in which the Parties use the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (Official Journal L 39 dated 12.22.2010, p. 5 et seqq.) or another version substituting this decision (hereinafter: Standard Contractual Clauses), the regulations of the Standard Contractual Clauses shall prevail over those in this Agreement in case of any discrepancies.

§ 2 Term of the Commission

2.1 The commission’s term is undefined. The Agreement can be terminated by either Party by giving three months’ notice.

2.2 The Customer may terminate this Agreement at any time without notice, if there is an important reason for the termination of this Agreement, in particular but not limited thereto if Humanitec violates material obligations under this Agreement or if Humanitec has committed a serious breach of the applicable data protection regulations.

§ 3 Nature of the Data to be processed

The data made available or accessible to Humanitec include personal data within the meaning of the GDPR. Specifically, the following categories of data shall be processed:

  • Core data (e.g. name, address)
  • Contact details (e.g. phone number, e-mail address)
  • Other: Any data the Customer might enter into the Platform.

§ 4 Data Subjects

The group of data subjects affected by processing through Humanitec within the context of this commission includes the following categories of persons:

  • Employees
  • Other: Any data subject whose data the Customer enters into the Platform.

§ 5 Obligations of Humanitec

5.1. Humanitec undertakes vis-à-vis the Customer to adhere to the applicable data protection provisions, and the provisions of this Agreement with the utmost diligence.

5.2. Humanitec shall provide for appropriate technical and organisational measures pursuant to Article 24 GDPR in order to adhere to the data protection provisions, in particular to ensure data security pursuant to Article 32 GDPR.

5.3. Humanitec shall monitor and document the fulfilment of its obligations under the contractual provisions and under data protection law and shall provide the Customer upon request with the required information and suitable evidence. This also includes monitoring the execution of the data processing within the context of the commission and the technical and organisational measures taken.

5.4. Humanitec shall ensure that data confidentiality is observed. For this purpose, Humanitec shall familiarise all its employees who have access to personal data of the Customer within the context of the commission with the data protection provisions and shall obligate them in writing not to process any such personal data without authorisation. Upon the Customer’s request, Humanitec shall submit these declarations to the Customer at any time.

5.5. Humanitec shall use the data it has been provided with exclusively based on the Processing Agreement and pursuant to this Agreement. Any further processing/use of the data for any other purpose than the purpose of the Processing Agreement (e.g. for Humanitec’s own purposes or for the purposes of a third party) or the transmission to third parties is, unless agreed upon otherwise in writing, expressly excluded except where the data was anonymized prior to such processing.

5.6. Moreover, Humanitec shall not copy the data it has been provided with onto data storage media or make any other copies and shall not make them accessible to third parties, unless the Customer has given its explicit written consent to do so.

5.7. Should supervising authorities request information from or take measures at the Customer, Humanitec shall, upon the Customer’s request, offer its support to the extent that is required to settle the matter.

5.8. Furthermore, Humanitec shall support the Customer in a reasonable manner with regard to the adherence to the obligations stated in Articles 32 to 36 GDPR, if data processing within the context of the commission pursuant to this Processing Agreement is concerned, and shall, in particular, provide any required information which is available to it.

§ 6 Data Security

6.1 Humanitec shall protect the data it has been provided with against unauthorised disclosure and manipulation by taking appropriate technical and organisational measures pursuant to Article 32 GDPR. Data and systems have to be protected from, including but not limited to, unauthorised or accidental destruction, accidental loss, technical defects, falsification, theft, illegal use, unauthorised access as well as from unauthorised modifications, copying, deletion, forwarding, access and any other unauthorised processing. Moreover, Humanitec must ensure that appropriate measures are taken to quickly restore the availability of personal data and access thereto in cases of technical incidents and must allow for an examination of the effectiveness of the technical and organisational measures taken.

6.2 Humanitec shall ensure that the data made available to it for processing is strictly separated from any other data sets. Data storage media which are provided by the Customer to Humanitec are to be labelled accordingly. The receipt and return of such data storage media is to be documented.

6.3 Humanitec shall work out a security concept with the measures that have been taken and shall hand it over to the Customer before data processing starts. A documentation of the measures is to be attached to the Agreement as Attachment 1.

6.4 The technical and organisational measures to be taken by Humanitec shall be subject to continuous updating and adjustment reflecting the technical and organisational progress. The Customer is to be informed of any significant changes regarding the technical and organisational measures.

§ 7 Requests from Data Subjects

7.1 Humanitec may correct, delete, block or transfer data which are processed within the context of the commission exclusively upon instruction of the Customer.

7.2 If a data subject contacts Humanitec directly to assert his or her rights, in particular those stated in Articles 12 to 23 of the GDPR, with regard to the data processed within the context of the commission, Humanitec shall forward such requests to the Customer without delay. Humanitec may only disclose information to third parties or to the data subject after having obtained the Customer’s prior written consent, unless it is legally obliged to do so.

7.3 If a data subject contacts the Customer, Humanitec shall reasonably support the Customer in order to respond to the data subject’s request. For this purpose, appropriate technical and organisational measures shall be provided for by Humanitec.

§ 8 Subcontracting

8.1 Humanitec is entitled to commission third parties with the processing of the personal data. The subcontractors assigned at the time of the conclusion of this Agreement are listed on the website.

8.2 Humanitec shall notify the Customer of any change in relation to the incorporation of new or the replacement of existing subcontractors. The Customer has the right to object to such changes. An objection may only be raised by the Customer for important reasons to be proven to Humanitec. If the Customer objects, Humanitec is entitled to terminate the Processing Agreement and this Agreement with one month's notice from receipt of the objection.

8.3 The contract between Humanitec and the subcontractor must impose essentially the same obligations on the subcontractor as are the responsibility of Humanitec under this Agreement. The Parties agree that this requirement is met if the contract has a level of protection corresponding to this Agreement or if the subcontractor is subject to the obligations set out in Art. 28 (3) GDPR.

8.4 Services that Humanitec uses from third parties as an ancillary service to support the performance of the processing are not subcontractor relationships within the meaning of the above provisions. These include, e.g., telecommunications services, cleaning services, testing services or, under certain circumstances, maintenance services. However, in order to ensure the protection and security of the Customer's data as well as to ensure confidentiality, Humanitec is obligated to make lawful and appropriate contractual agreements with externally assigned ancillary service providers and to take control measures.

§ 9 Customer’s Review Rights

9.1 The Customer is entitled to review, to the extent necessary, that the contractual provisions as well as the statutory regulations on data protection are complied with, and, in particular, the technical and organisational measures taken by Humanitec pursuant to this Agreement. In the event that the information provided by Humanitec during such a review gives rise to the Customer's concern that Humanitec may be in non-compliance with substantial contractual or data protection law obligations, these rights also include the entitlement to assure itself, by inspecting the premises at any time, that the data is properly processed under data protection law and the contractual provisions and that the technical and organisational measures are implemented and complied with. The Customer is entitled to perform such controls itself in consultation with Humanitec, or, in an individual case, to have them performed by third-party reviewers bound by confidentiality.

9.2 Humanitec shall appropriately support the Customer with regard to the execution of such reviews, including but not limited to granting access to the premises, systems and documents connected with the processing of the data within the context of the commission, upon prior written request with at least two weeks’ notice.

§ 10 Notifications by Humanitec

10.1 Humanitec shall inform the Customer without delay of any requests by supervising authorities, in particular of any announced data protection inspections, if data processing under this Agreement is concerned.

10.2 Humanitec shall inform the Customer without delay if any severe disruptions of processing operations have occurred, if data protection violations are suspected, if the provisions of this Agreement have been violated, or if any other irregularities with regard to the processing of the Personal Data have occurred. This particularly concerns the loss of the personal data processed by Humanitec, unauthorised or unintended access to the personal data by third parties and/or their unauthorised disclosure. The duty to inform already applies if there is concern that potential disruptions, breaches or irregularities may have taken place with some degree of probability.

10.3 In consultation with the Customer, Humanitec shall immediately take appropriate measures in order to secure the data and to reduce any potential negative consequences for the data subjects. If the Customer is subject to obligations pursuant to Articles 33 and/or Article 34 GDPR, Humanitec has to support it in this regard.

§ 11 Authority to Issue Instructions

11.1 The processing of personal data by Humanitec and the persons subordinated to it who have access to the data shall exclusively take place within the framework of the Processing Agreement and based on the Customer’s documented instructions (cf. Article 29 GDPR). The Customer has a comprehensive right of direction with regard to the nature, scope and method of the data processing, which may be specified in individual instructions. If Humanitec is subject to a legal obligation which allows for a different processing, Humanitec shall inform the Customer of the respective legal requirements, unless such notification is legally prohibited.

11.2 Humanitec shall document any instructions given by the Customer in an appropriate manner. Instructions given orally are to be confirmed by the Customer in written form without delay.

11.3 Humanitec shall inform the Customer without delay if it is of the opinion that an instruction violates contractual provisions or statutory regulations under data protection legislation. If the Customer confirms the instruction and indemnifies and holds harmless Humanitec, Humanitec shall comply with the instruction.

§ 12 Erasure or Return of Data

12.1 Upon termination of the Term or earlier when requested by the Customer – and no later than at the moment when the commission has been completed – Humanitec must, at the Customer’s discretion, either return all personal data in its possession and connected to the commission, whether included in documents, in generated processing or utilisation results or in data sets, in a generally readable form or, with prior consent, destroy or delete them in accordance with data protection law regulations, unless there is a legal obligation to store the personal data. The destruction or erasure is to be confirmed to Humanitec in written form. In the case of electronic data, the processing and utilisation results or data sets shall be handed over in a format to be agreed upon by the Parties, or, if no agreement has been made, on standard data storage media in a format that is customary in the market and permits a structured readout.

12.2 There is no right to retain any personal data which have been made available or have been collected or processed by Humanitec within the framework of this contractual relationship, nor any of the respective data storage media.

§ 13 Miscellaneous

13.1 Documentation that evidences data processing in accordance with the commission and the rules is to be stored by Humanitec for the respective retention period even after the termination of the Processing Agreement.

13.2 If the Customer’s data are endangered due to measures of third parties taken at Humanitec, e.g. in the form of seizure or distraint, through insolvency or settlement proceedings or any other event, Humanitec must inform the Customer without delay.

13.3 Amendments to this Agreement and its Attachment have to be made in writing. This also applies to an amendment of this written form requirement.

13.5 In case of doubt the German wording of this Agreement shall prevail.

13.6 This Agreement is subject to German law. The place of jurisdiction is Berlin.

Attachment 1

Data Security Requirements

I. Object and scope of Attachment 1

The GDPR and BDSG contain requirements for data security, which must be implemented by suitable technical and organizational measures. The following documents the technical and organizational measures implemented by Humanitec.

Humanitec maintains a system to regularly examine, assess and evaluate the effectiveness of the data security measures described in this Attachment 1.

II. Physical Access Control (Zugangskontrolle)

Unauthorized access (in the physical sense) to systems and facilities shall be prevented.

Humanitec has technical and organizational measures to control access to premises and facilities, particularly to check authorization. These are:

  • Locking system with code lock
  • Manual locking system
  • Chip/transponder based lock system
  • Safety locks
  • Key management (key issuance)
  • Careful selection of security staff
  • Identity check at entry (gatekeeper)
  • Visitors are accompanied by authorized employees, everywhere on the premises
  • Careful selection of cleaning personnel


III. Data Medium Control (Datenträgerkontrolle)

Unauthorized reading, copying, changing or deleting of data media shall be prevented.

  • Authentication with username / password
  • Use of antivirus software
  • Use of firewalls with VPN technology
  • Use of centralized smartphone administration software (e.g. for remote deletion of data)
  • Use of intrusion detection systems
  • Locking of computer cases
  • Prohibition of external interfaces such as USB ports
  • Encryption of data media in laptops / notebooks
  • Definition of user profiles
  • Assignment of user profiles to IT systems
  • Allocation of user rights
  • Immediate blocking of authorization when employees leave the company
  • Periodic monitoring of the validity of authorizations (once per year)
  • Locking of workstation screens during absence while the system is running


IV. Storage Control (Speicherkontrolle)

Unauthorized entering of personal data as well as unauthorized access, changes or deletion of saved personal data shall be prevented.

  • Authentication with username / password
  • Use of antivirus software
  • Use of firewalls with VPN technology
  • Use of centralized smartphone administration software (e.g. for remote deletion of data)
  • Use of intrusion detection systems
  • Locking of computer cases
  • Prohibition of external interfaces such as USB ports
  • Encryption of data media in laptops / notebooks
  • Definition of user profiles
  • Assignment of user profiles to IT systems
  • Allocation of user rights
  • Immediate blocking of authorization when employees leave the company
  • Periodic monitoring of the validity of authorizations (once per year)
  • Locking of workstation screens during absence while the system is running


Humanitec uses a requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of accesses. These are:

  • Use of document shredders or appropriate service providers
  • Logging of access to applications, especially where data is entered, changed or deleted
  • Number of users with admin rights reduced to the minimum
  • Development of an authorization concept (differentiated authorizations to read, edit or delete data)
  • Secure storage of data media
  • Password procedures (incl. special characters, minimum length, change of password)
  • Assignment of rights by the system administrator


V. User Control (Benutzerkontrolle)

Unauthorized use of automated processing systems shall be prevented.

Humanitec has technical (ID/password security) and organizational (user master data) measures for user identification and authentication. These are:

  • Authentication with username / password
  • Use of antivirus software
  • Use of firewalls with VPN technology
  • Use of centralized smartphone administration software (e.g. for remote deletion of data)
  • Use of intrusion detection systems
  • Locking of computer cases
  • Prohibition of external interfaces such as USB ports
  • Encryption of data media in laptops / notebooks
  • Definition of user profiles
  • Assignment of user profiles to IT systems
  • Allocation of user rights
  • Immediate blocking of authorization when employees leave the company
  • Periodic monitoring of the validity of authorizations (once per year)
  • Locking of workstation screens during absence while the system is running


VI. Access Control (Zugriffskontrolle)

Unauthorized access to IT systems must be prevented, i.e. it must be ensured that only persons with the respective authorization may access personal data, and only to the extent of that authorization.

Humanitec has technical (ID/password security) and organizational (user master data) measures for user identification and authentication. These are:

  • Authentication with username / password
  • Use of antivirus software
  • Use of firewalls with VPN technology
  • Use of centralized smartphone administration software (e.g. for remote deletion of data)
  • Use of intrusion detection systems
  • Locking of computer cases
  • Prohibition of external interfaces such as USB ports
  • Encryption of data media in laptops / notebooks
  • Definition of user profiles
  • Assignment of user profiles to IT systems
  • Allocation of user rights
  • Immediate blocking of authorization when employees leave the company
  • Periodic monitoring of the validity of authorizations (once per year)
  • Locking of workstation screens during absence while the system is running


VII. Transfer Control (Übertragungskontrolle)

It must be possible to check and record how and where personal data are transferred or otherwise accessed by data and IT systems.

Humanitec has measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking. These are:

  • Encryption/tunneling (VPN = Virtual Private Network)
  • Disclosure of anonymised or pseudonymised data records
  • Documentation of data recipients and of the transfer periods or agreed deletion deadlines
  • Use of group policies


VIII. Data Entry Control (Eingabekontrolle)

Full documentation of data management and maintenance must be maintained.

Humanitec has measures for subsequent checking whether data have been entered, changed or removed (deleted), and by whom. These are:

  • No local admin privileges (except development staff)
  • Traceability of data input, modification and deletion through individual user names (not user groups)
  • Access policies and authorization mechanisms for data input, modification and deletion within an authorisation concept
  • Monitoring of applications and data processing
  • Storage of completed forms from which data has been transferred to automated processes


IX. Transport Control (Transportkontrolle)

Aspects of the transport of data media and disclosure of personal data must be controlled: electronic transfer, data transport, transmission control, etc.

Humanitec has measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking. These are:

  • Encryption/tunneling (VPN = Virtual Private Network)
  • Disclosure of anonymised or pseudonymised data records
  • Documentation of data recipients and of the transfer periods or agreed deletion deadlines
  • Use of group policies


X. Data Restoring Control (Wiederherstellbarkeit)

Ensure that the systems in use can be restored in the event of a disruption.

  • Remote data backup in secure outsourced locations
  • Logging
  • Cluster / replica

XI. Reliability Control (Zuverlässigkeit)

Ensuring that all functions of the IT system are available and that any malfunctions or errors are reported.

  • Logging
  • Mirroring of hard disks, e.g. RAID technology
  • Cluster
  • Replica

XII. Data Integrity (Datenintegrität)

Ensuring that saved personal data may not be damaged by malfunction(s) of the system.

  • Uninterruptible power supply (UPS)
  • Mirroring of hard disks, e.g. RAID technology
  • Remote data backup in secure outsourced locations
  • Development of an emergency plan
  • Development of a disaster recovery plan
  • Tests of data recovery (ability to restore the availability and access to personal data)
  • Testing, assessing and evaluating the effectiveness of technical and organisational measures

XIII. Job control (Auftragskontrolle)

Commissioned data processing shall be carried out according to instructions.

Humanitec has measures (technical/organizational) to segregate the responsibilities between the principal (the controller) and the processor. These are:

  • Criteria for selecting the contractor (particularly with regard to data security)
  • Prior verification of the documentation of the processor’s security measures
  • Obligation of the processor's employees to maintain data secrecy
  • Processor has appointed a data protection officer
  • Contracts between processor and principal complying with the provisions of the GDPR and BDSG

XIV. Availability Control (Verfügbarkeitskontrolle)

The data must be protected against accidental destruction or loss.

Humanitec has measures to assure data security (physical/logical). These are:

  • Fire extinguishers in server rooms
  • Installation of fire and smoke detection systems
  • Uninterruptible power supply (UPS)
  • Mirroring of hard disks, e.g. RAID technology
  • Air conditioning in server rooms
  • Monitoring of temperature and humidity in server rooms
  • Power outlet strip with surge protection in server rooms
  • Alarm during unauthorized entry into server room
  • Remote data backup in secure outsourced locations
  • Development of an emergency plan
  • Development of a disaster recovery plan
  • Tests of data recovery (ability to restore the availability and access to personal data)
  • Testing, assessing and evaluating the effectiveness of technical and organisational measures
  • Server room not located beneath sanitary facilities

XV. Isolation Control (Trennbarkeit)

Personal data which were collected for different purposes shall be processed separately.

Humanitec has measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data for different purposes. These are:

  • Segregation of functions (production/testing)
  • Separate tables within the database
  • Physically separated storage on systems and data media
  • Encryption of data used for the same purpose
  • Development of an authorization concept
  • Regulation of database access rights
  • Logical client separation
  • Data sets are tagged with attributes / data fields