This Agreement describes the rights and obligations of the parties arising from the provision of our online services and from the provision of our services in the context of processing on behalf of the Controller.


(Version 6.0)


1 Introduction, scope, definitions


  1. This contract regulates the rights and obligations of the Controller and the Processor (hereinafter referred to as the "Parties") in the context of the processing of personal data on behalf of the Controller.
  2. This contract applies to all activities in which employees of the Processor or Sub-processors commissioned by the Processor process personal data of the Controller.
  3. Terms used in this contract are to be understood according to their definition in the EU General Data Protection Regulation (GDPR). Any declarations are to be made in writing. Declarations may be made in another form if they can be verified.

2 Subject matter and duration of the processing

Subject matter


The processing is based on the main contract existing between the Parties, which is substantiated by the service and individual orders placed.

If there is no main contract between the Parties, the processing shall be carried out in accordance with this contract.

Duration


The duration of this contract shall be determined by the duration of the existing main contract.

If there is no main contract between the Parties, this contract is concluded between the Parties for an indefinite period and shall commence with its adoption. The contract may be terminated by either party with four weeks' notice.

3 Nature, purpose and data subjects of the processing


The type, purpose and data subjects of the processing are regulated in Annex 4 under the respective subject matter.

4 Duties of the processor


  1. The Processor shall process personal data exclusively as contractually agreed upon or as instructed by the Controller, unless the Processor is legally obliged to carry out a specific processing. The Processor shall not use the data provided for processing for any other purposes, nor for its own purposes.
  2. The Processor acknowledges all relevant and general data protection regulations. The Processor observes the legal principles of data processing.
  3. Persons who could obtain knowledge of the data processed in connection with this Agreement are obligated in writing to confidentiality.
  4. The Processor warrants that the persons who process the data have been made aware of the relevant provisions of data protection law and of this Agreement prior to the beginning of the processing.
  5. In connection with the processing within this Agreement, the Processor will support the Controller in preparing and updating records of processing activities and in carrying out data protection impact assessments.
  6. If the Controller is subject to inspection by supervisory authorities or other bodies or if data subjects assert their rights against the Controller, the Processor shall support the Controller to the extent necessary insofar as the contractual processing is affected.
  7. The Processor may provide information to third parties or the data subjects only with the prior approval of the Controller. The Processor shall immediately forward requests directly received to the Controller.
  8. The Controller shall appoint a competent and reliable person as Data Protection Officer. The contact details of the Data Protection Officer shall be disclosed in Annex 3.
  9. The data processing is to be conducted generally within the EU or EEA. Any transfer to a third country may be conducted only with the express consent of the Controller and subject to the conditions in Chapter V of the GDPR and in compliance with the provisions of this Agreement.

5 Technical and organizational measures


  1. The data security measures described in Annex 1 are set as mandatory. They define the minimum owed by the Processor.
  2. The data security measures can be adapted to the technical progress and further organizational development if the level does not fall below the level agreed upon. The Controller shall be given immediate notification of any changes.
  3. Insofar as the Controller has specific requirements for security measures, the Controller shall inform the Processor of these. Insofar as the measures taken do not or no longer meet the Controller’s specific requirements, the Processor shall notify the Controller without delay.
  4. The Processor ensures that the processed data in connection with this Agreement will be strictly separated from other data.
  5. Copies or duplicates without the knowledge of the Controller are not allowed. Technically necessary, temporary duplications are exempt, provided that the data protection level agreed upon here is not compromised.
  6. Dedicated data carriers belonging to the Controller or used for the Controller shall be specially marked and shall be subject to ongoing administration.

6 Regulations for the rectification, deletion and blocking of data


  1. The Processor shall rectify, delete or block data processed within the scope of this Agreement only in accordance with the instructions of the Controller.
  2. The Processor shall always follow the corresponding instructions of the Controller, also beyond the termination of this Agreement.

7 Sub-processors


  1. Currently, the Sub-processors specified in Annex 2, including name, address and order content, are engaged in the processing of personal data to the extent stated therein and are approved by the Controller. The other obligations of the Processor towards Sub-processors set out herein shall remain unaffected.
  2. The Controller agrees that the Processor may engage Sub-processors. The Processor shall inform the Controller before engaging or replacing any Sub-processor. The Controller has the right to object to the engagement of a Sub-processor in writing within two weeks, stating the reasons. If the objection is not justifiable, the use of the Sub-processor shall be treated as approved.
  3. Sub-processors shall be subject to data protection obligations at least comparable to those agreed in this Agreement. The Controller shall be given access to the relevant contracts between the Processor and the Sub-processor upon request.
  4. It shall be possible for the Controller to effectively exercise its rights towards the Sub-processor. In particular, the Controller must be entitled to carry out inspections at any time to the extent specified here, also at Sub-processors, or to have them carried out by third parties.
  5. The Processor’s and Sub-processor’s responsibilities shall be clearly distinguished.
  6. The Processor shall carefully select the Sub-processor, particularly considering the suitability of the technical and organizational measures taken by the Sub-processor.
  7. The use of Sub-processors who perform processing operations on behalf of the Controller not exclusively within the territory of the EU or the EEA is only permissible if and insofar as the Sub-processor offers adequate data protection safeguards. The Processor shall notify the Controller of the specific data protection safeguards offered by the Sub-processor and of how to obtain a copy of the respective safeguards.
  8. Sub-processing relationships within the meaning of this contract are only those services which are directly related to the provision of the main service. Ancillary services, such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not included. The Processor’s obligation to ensure compliance with data protection and data security in these cases remains unaffected.

8 Rights and obligations of the Controller


  1. The Controller is solely responsible for assessing the admissibility of the processing and for protecting the rights of data subjects.
  2. The Controller shall place all orders, partial orders or instructions in a documented manner. In urgent cases, instructions may be placed verbally. The Controller shall immediately confirm such instructions in a documented manner.
  3. The Controller shall notify the Processor immediately if errors or irregularities are discovered in the review of the processing results.
  4. The Controller shall be entitled to verify compliance with the regulations on data protection and the contractual agreements by the Processor to a reasonable extent itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site inspections.
  5. Inspections at the Processor’s premises shall be carried out without avoidable disruption to its business operations. Unless otherwise indicated for urgent reasons to be documented by the Controller, inspections shall take place after due notice of at least 72 hours and during the Processor’s business hours, and not more frequently than every 18 months. Insofar as the Processor provides verification of the correct implementation of the agreed data protection obligations, an inspection shall be limited to random checks.

9 Notification duties


  1. The Processor shall notify the Controller immediately of any identified breaches of the protection of personal data. The notification shall contain at least the information pursuant to Art. 33 (3) GDPR. The correct assessment and handling of the incident shall be the sole responsibility of the Controller.
  2. The Processor shall immediately notify the Controller of any significant disruptions in the performance of the Agreement and of any violations by the Processor or the persons employed by the Processor of the provisions of data protection law or the provisions of this Agreement.
  3. The Processor shall notify the Controller without delay of any inspections or measures by supervisory authorities or other third parties, insofar as these are related to the processing.
  4. The Processor shall ensure that it supports the Controller in its obligations according to Art. 33 and Art. 34 GDPR to the extent required.

10 Instructions


  1. The Controller has a comprehensive right to give instructions about processing on behalf of the Controller. Instructions shall be issued clearly and explicitly.
  2. The Processor shall immediately notify the Controller if, in its opinion, an instruction given by the Controller violates legal provisions. The Processor shall refrain from carrying out the relevant instruction until it is confirmed or changed by the Controller’s responsible person as set out in Annex 3.
  3. The Processor shall document the instructions given to it and their implementation.

11 Agreement termination


  1. Upon termination of the contractual relationship or at any time at the request of the Controller, the Processor shall, at the Controller’s choice, either destroy the processed data or hand it over to the Controller and then destroy it. All existing copies of the data shall also be destroyed. Destruction must be carried out in such a way that it is no longer possible to recover even residual information with justifiable effort.
    A transfer of data to the Controller must be instructed in writing by a person authorized to issue instructions and must be completed before termination of the contractual relationship.
  2. The Processor is obliged to ensure the immediate return or deletion also in the case of Sub-processors.
  3. The Processor shall provide verification of proper destruction and submit it to the Controller immediately.
  4. Documentation which serves as verification of proper data processing shall be kept by the Processor at least until the end of the third calendar year after the termination of the Agreement. The Processor may hand this documentation over to the Controller for release from liability.

12 Remuneration


The remuneration of the Processor is conclusively regulated in the main contract. There shall be no separate remuneration or cost reimbursement within the scope of this Agreement.

13 Special termination right


  1. The Controller may terminate the main contract and this Agreement at any time without notice ("extraordinary termination") if the Processor has committed a serious breach of data protection regulations or the provisions of this Agreement, is unable or unwilling to carry out a lawful instruction from the Controller or denies the Controller’s rights of inspection in breach of the Agreement.
  2. A serious breach exists if the Processor fails, or has failed to a considerable extent, to fulfil the obligations determined in this Agreement, including the agreed technical and organizational measures.
  3. In the event of insignificant breaches of the provisions of this Agreement, the Controller shall set the Processor a reasonable period to remedy the situation. If the remedy is not provided in time, the Controller shall be entitled to extraordinary termination.
  4. The Processor shall be entitled to terminate the main contract and this Agreement without notice if the Controller objects to the engagement of a Sub-processor pursuant to section 7 (1) of this Agreement and no agreement can be reached.
  5. The extraordinary termination shall be announced within a preclusive period of two weeks. The period starts with the knowledge of the underlying facts by the party entitled to termination.

14 Liability


  1. The Controller and the Processor shall be jointly and severally liable for the compensation of damages suffered by a person due to inadmissible or incorrect data processing within the scope of the contractual relationship.
  2. Insofar as the damage was caused by the correct implementation of the commissioned service or an instruction issued by the Controller, the Controller shall indemnify the Processor on first demand against all claims of third parties which are raised against the Processor in connection with the processing. Insofar as the damage has been caused by a culpable breach of this Agreement or a legal data protection provision which directly affects the Processor, the Processor shall indemnify the Controller on first demand against all claims of third parties which are raised against the Controller in connection with the processing.
  3. A liability provision agreed upon between the Parties in the main contract for the provision of services shall also apply to the processing, unless expressly agreed upon otherwise.

15 Miscellaneous provisions


  1. Both Parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the respective other party acquired within the scope of the contractual relationship, also beyond the termination of this Agreement. If there are doubts as to whether information is subject to confidentiality, it shall be treated as confidential until it is released in writing by the other party.
  2. Should the Controller's property held by the Processor be endangered by measures taken by third parties (e.g., by seizure or confiscation), by insolvency or settlement proceedings or by other events, the Processor shall notify the Controller immediately.
  3. For additional Agreements, the written form is required.
  4. The defense of the right of retention within the meaning of § 273 BGB (German Civil Code – Bürgerliches Gesetzbuch) is excluded with regard to the processed data and the associated data carriers.
  5. Should individual parts of this Agreement be invalid, this shall not affect the validity of the remaining parts of this Agreement.

Annex 1 – Technical and organizational measures


The following describes which technical and organizational measures are defined to ensure data protection and data security. The aim is to guarantee the confidentiality, integrity and availability of the information processed in the company.

The structure is based on the internationally acknowledged standard DIN ISO/IEC 27002.

The current certificate can be found at https://www.soft-nrg.de/en/company/certification.

Organization of information security


The managers of soft-nrg Development GmbH are responsible in their organizational unit for the complete implementation of the principles of IT security and for the fulfilment of the IT security tasks required of them.

Information security roles and responsibilities are defined in the IT security organization concept. Conflicting roles and responsibilities are separated to reduce the potential for unauthorized or unintended modification or misuse of our organization’s assets.

We have a process in place to determine when and by whom relevant authorities are notified and identified data protection and information security incidents are reported in a timely manner.

We also maintain ongoing contact with special interest groups to keep informed about changes and improvements in data protection and information security.

In our projects, data protection and data security are part of all phases of our project methodology.

We have respective guidelines and processes for teleworking and the use of mobile devices in place that help us ensure data protection and data security in these areas as well.

Personnel security


We have carefully selected our employees and checked their suitability for their role in the company. We have defined their responsibilities in job descriptions and check regularly whether they comply with them. Before starting their employment, all employees sign a Confidentiality and Data Protection Agreement, which is valid beyond the end of the employment relationship. The employees are verifiably trained in data protection and data security.

In a documented process for the time before, during and after termination of the employment relationship, we ensure that personal data is protected and data security is guaranteed. This also includes measures in the event of a data protection breach.

Asset management


All assets (such as equipment, removable media, notebooks) and information related to personal data are inventoried and maintained by us.

To protect these assets, we have defined persons responsible for the life cycle of an asset.

Documented rules have been established for the permissible use of our assets. The return is documented.

Our information and data are classified and labelled based on legal requirements, their value, criticality and sensitivity to unauthorized disclosure or modification.

In accordance with this classification scheme, we have developed and implemented documented procedures for handling our assets, including our removable media. We have a documented and regulated process for transporting data carriers to protect them from unauthorized access, misuse or falsification.

We securely dispose of data media that are no longer needed using a documented procedure and contractually obligated, certified service providers.

Access control


We have regulated and documented measures in place to ensure that authorized persons have access only to the personal data they are authorized to view and process.

Authorizations to access IT systems are assigned via a regulated procedure based on a documented and restrictive authorization concept. We have regulated and implemented the access to networks and network services.

It is ensured that only authorized users have access to systems and services and that unauthorized access is prevented. There is a formal process for registering and deregistering users that enables the assignment of access rights.

We assign our administrative rights in a limited and controlled manner.

We have a documented and regulated process for handling passwords. The current and desired status of user access rights are regularly compared. If necessary, these are withdrawn or adjusted.

We restrict access to our data as needed and control access to our systems and applications through a secure login process. We use a system that enforces strong and secure passwords.

The use of tools that may be capable of bypassing system and application protections is restricted and strictly monitored.

Cryptography


The appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information is ensured. For this purpose, we have implemented a policy on the use of cryptographic measures in the company, which also covers the management of cryptographic keys and is appropriate to the protection requirements.

Physical and environmental security of the premises


We have documented and regulated measures in place to prevent unauthorized persons from gaining access to data processing systems used to process or use personal data. These include, but are not limited to:

  • The premises are in an office building and are used exclusively.
  • The central entrance is monitored.
  • Doors to security areas are always closed. These can only be entered by authorized persons.
  • Visitors and external service providers are given individual access.
  • Fire protection is observed.
  • There are security areas to which only specially authorized persons have access.
  • IT rooms are locked separately and can only be opened by authorized persons.
  • Supply facilities are protected from power outages and malfunctions.
  • The wiring is secure.
  • System maintenance is planned and implemented.
  • The removal and modification of systems and information is regulated.
  • The security of systems outside the business premises is observed.
  • The disposal or reuse of operating equipment is regulated.
  • Policies for Clean Desk and screen locks are implemented.

Operational security


We have regulated and documented measures in place to ensure the proper and secure operation of information and data processing facilities. These include, among other things, control in the event of a change to the information-processing facilities, as well as control and regular measurement of our capacities and resources to ensure the availability of the required system performance. The following assets, among others, are continuously monitored:

  • Hard disk status and available storage space
  • RAID status
  • Service and status of all virtual machines
  • Failed login attempts
  • Memory allocation and main memory
  • Ethernet utilization in kbit/s and Mbit/s
  • Number of RDP sessions of the individual terminal servers
  • Firewall throughput and utilization
  • Accessibility of all servers from outside
  • Accessibility and throughput of the switches

A protected procedure for data backup has been implemented by us and is documented.

Standard maintenance slots are defined. Additionally, required slots are announced in advance.

In our company, it is essential to separate development, testing and operational environments, so we have a special focus on this.

Measures for detection, prevention and recovery to protect against malware have been taken and are regularly updated.

We have centrally monitored and secured event logging and have privacy measures in place if sensitive personal data is stored. All logging facilities and log information, including administrators and operator logs, are protected from manipulation and unauthorized access.

Our clocks are synchronized centrally with a single reference time source.

We have a central procedure for the controlled installation of software on systems in our company.

There is a list of our technical assets and a regulated, documented handling in the event of a technical vulnerability, which includes our patch management with defined responsibilities.

We have centrally implemented regulations for the restrictions of software installations.

In the event of an audit review of our information systems, we have defined measures that minimize disruptions to business processes as far as possible.

Communications security


The security of the personal data and information stored in our networks and network services is indispensable. Therefore, we have documented measures in place to manage, monitor and secure our networks.

Information services, users and information systems are kept separate from each other based on need.

We have policies and procedures in place for the transfer of information and data, as well as the agreements for the transfer of information to external bodies.

Our electronic communication is appropriately protected. Among other things, we have taken measures to protect messages from unauthorized access, modification or denial of service in accordance with the classification scheme adopted by the organization.

To protect our data, we conclude confidentiality or non-disclosure agreements as required, which we review regularly.

Acquisition, development and maintenance of systems


It is ensured that data and information security is an integral part throughout the life cycle of our systems. This also includes the requirements for and securing of information systems that provide services via public networks. Transaction protection for application services is carried out on an as-needed basis. In addition, we have established a system change management process to ensure the integrity of the system, applications and products from the early design stages to any subsequent maintenance. When changes are made to operating platforms, business-critical applications are reviewed and tested to ensure that there is no negative impact on the organizational security of customer applications as well. We have a managed process for analyzing, developing and maintaining secure IT systems.

Acceptance test programs and associated criteria are defined for new information systems, updates and new versions. Our test data is carefully selected, protected and monitored.

Supplier relations


We carefully select our suppliers in advance and check their suitability with regard to maintaining data and information security.

Documented agreements ensure the protection and confidentiality of our assets and data. Suppliers are required to take technical and organizational measures to guarantee this.

Each supplier is granted regulated, individually defined access authorization to the assets and data that are necessary for its services.

Suppliers may only engage additional suppliers with our consent to ensure a secure supply chain.

We regularly conduct a review of our suppliers' data protection and data security measures to maintain the agreed level. The assigned authorizations are also subject to continuous documented control.

After termination of the supplier relationship, suppliers are obliged to destroy the data and assets received from us. In addition, the obligation to maintain secrecy shall apply indefinitely.

Handling of information security and data protection incidents


Our company has a regulated documented process for handling information security and data protection incidents to ensure a consistent and effective approach in this regard. Employees are required to report all data protection and security incidents immediately and receive regular training in this regard. We have installed a reporting system that forwards incidents to an intervention team to ensure a quick response. All incidents are documented, classified and evaluated. The implemented intervention team has precise guidelines on how to react to an incident.

Together with the management, improvement measures resulting from the findings and the collected evidence of an incident are regularly discussed and implemented.

Information security aspects of business continuity management


Within the framework of information security, the intended availability of systems is specifically evaluated and documented. From the requirements, we derive the technical and organizational specifications, such as redundant systems/connections or corresponding planning, and implement these consistently and in a controlled manner. An overarching emergency plan forms the framework regarding the corresponding instructions for action for selected documented emergency scenarios. Continuously updated exercise plans for testing the measures used and the documentation of the implementation of corresponding tests complete the emergency management.

Compliance


We have identified, documented and keep up to date all relevant legal, regulatory, self-imposed or contractual requirements and our company's approach to complying with them.

Adequate procedures have also been implemented to ensure compliance with legal, regulatory and contractual requirements relating to intellectual property rights and the use of proprietary software products.

In accordance with legal, regulatory, contractual and business requirements, we protect records and personal data as required. Annual activity reports by the data protection officer document the measures taken.

For this purpose, we follow our rules on cryptographic measures.

To ensure the protection of our information and data, an independent review of our information security and data protection levels, our security and data protection policies, and compliance with technical requirements is carried out on a regular basis.

Annex 2 – Sub-processors


The listed sub-processors provide the necessary guarantees regarding data protection and information security through contractual, technical and organizational measures.

Maintenance and support of applications and databases


softnrg SRL
Strada Gheorghe Dima nr. 1
300079 Timişoara
ROMANIA

Server-Housing, -Hosting and Cloud Computing


Hetzner Online GmbH
Rechenzentrumspark Nürnberg
Sigmundstr. 135
90431 Nürnberg
GERMANY

InterNetX GmbH
Rechenzentrum München
Elisabeth-Selbert-Straße 7
80939 München
GERMANY

Microsoft Ireland Operations, Ltd.
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521
IRELAND
https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview

Internet security services


Cloudflare, Inc.
101 Townsend Street
San Francisco, CA 94107
USA
https://www.cloudflare.com/gdpr/introduction

E-mail delivery service


Mailjet SAS
13-13 bis, rue de l’Aubrac
75012 Paris
FRANCE
https://www.mailjet.com/resources/learn/gdpr/mailjet-gdpr-compliance

Annex 3 – Contact persons

Contact persons for the handling of this Agreement


Dedes Lionis
T +49 89 452280-456
[email protected]

Markus Zipfer
T +49 89 452280-540
[email protected]

Data Protection Officer


activeMind AG
Potsdamer Str. 3
80802 München
[email protected]

Annex 4 – Subject matter, nature, purpose and data subjects of data processing

Online Tools

Subject matter

Provision, maintenance and support of online services and web applications

SOFT-SOLUTIONS application package:
  • soft-planning+
  • soft-net
  • soft-agent
  • soft-messenger
  • soft-confirm
  • soft-drop
  • soft-analytics
  • soft-clock
Nature and purpose

Collection, storage and processing of data for user and employee administration.

Collection, storage, processing and transmission of customer data for making appointments, order processing and evaluation.

Further details on the purpose of the processing are included in the service description of the main contract.

Nature of the personal data

In particular, the following categories of data are processed:

Customer data

  • Title, name, first name
  • Address
  • Telephone number
  • E-Mail address
  • Birthday
  • Vehicle registration number
  • Vehicle model
  • Vehicle identification number (VIN)
  • Personal content of the correspondence

Employee data

  • Title, name, first name
  • E-mail address

User data

  • Name, first name
  • Address
  • E-mail address
  • Face images (optional)

Categories of data subjects

Customers, interested parties and employees of the Controller

Service and support

Subject matter

Provision of service such as

  • Software maintenance and user support via e-mail, telephone, and remote maintenance
  • Instruction and training of users

for which access to personal data cannot be excluded.

Nature and purpose

Collection, processing, transmission and deletion of customer, employee and user data.

Further relevant purposes of the processing are regulated in the service description of the main contract or the respective individual order.

Nature of the personal data

In particular, the following categories of data are processed:

Customer data

  • Title, name, first name
  • Address
  • Age
  • Telephone number
  • E-mail address
  • Vehicle registration number
  • Vehicle model
  • Vehicle identification number (VIN)

Employee data

  • Title, name, first name
  • Personnel number
  • Start and termination date of the employment relationship

User data

  • Name, first name
  • Address
  • E-mail address

Categories of data subjects

Customers, interested parties and employees of the Controller