This DataProcessing Agreement("Agreement") forms part of the Contract forServices under the MakeMarket.ioby Makeitfuture SRL Terms and Conditions (the"Principal Agreement").This Agreement is an amendment to thePrincipal Agreement and is effective uponits incorporation to the PrincipalAgreement, which incorporation may bespecified in the Principal Agreement oran executed amendment to the PrincipalAgreement. Upon its incorporation intothe Principal Agreement, this Agreementwill form a part of the PrincipalAgreement.


Weperiodically update this Agreement. If you havean active MakeMarket.io byMakeitfuture SRL account, you will be informed of anymodification by email.At the bottom of this page you can find archived versionsof our DPA.


The term ofthis Agreement shall follow the term ofthe Principal Agreement. Terms notdefined herein shall have the meaning as setforth in the Principal Agreement.




(A) Yourcompany act as a Data Controller (the"Controller").


(B) Yourcompany wishes to subcontract certainServices (as defined below), which implythe processing of personal data, to MakeitfutureSRL, acting as a DataProcessor (the "Processor").


(C) TheParties seek to implement a data processingagreement that complies with therequirements of the current legal framework inrelation to data processing andwith the Regulation (EU) 2016/679 of theEuropean Parliament and of the Councilof 27 April 2016 on the protection ofnatural persons with regard to theprocessing of personal data and on the freemovement of such data, andrepealing Directive 95/46/EC (General Data ProtectionRegulation).


(D) TheParties wish to lay down their rights andobligations.




1.Definitionsand Interpretation

1.1Unlessotherwise defined herein, capitalizedterms and expressions used in this DPAshall have the following meaning:

1.1.2"CompanyPersonal Data" means anyPersonal Data Processed by a Contracted Processoron Controller's behalfpursuant to or in connection with the PrincipalAgreement;

1.1.3"ContractedProcessor" means aSubprocessor;

1.1.4"DataProtection Laws" means EU DataProtection Laws and, to the extentapplicable, the data protection or privacylaws of any other country;

1.1.5"EEA"means the European EconomicArea;

1.1.6EUData Protection Laws" means EUDirective 95/46/EC, as transposed intodomestic legislation of each Member Stateand as amended, replaced orsuperseded from time to time, including by the GDPRand laws implementing orsupplementing the GDPR;

1.1.7"GDPR"means EU General DataProtection Regulation 2016/679;

1.1.8"DataTransfer" means: of Company Personal Data fromController to a Contracted Processor; or transfer of Company Personal Datafrom a Contracted Processor to aSubcontracted Processor, or between twoestablishments of a ContractedProcessor,

in eachcase, where such transfer would beprohibited by Data Protection Laws (or bythe terms of data transfer agreementsput in place to address the data transferrestrictions of Data Protection Laws);

1.1.9"Services"means end-to-end encryptedemail services. The Service is described more indetail in Schedule 1.

1.1.10"Subprocessor"means any personappointed by or on behalf of Processor to process PersonalData on behalf ofController in connection with the Agreement.

1.2Theterms, "Commission","Controller", "DataSubject", "Member State","Personal Data","Personal Data Breach","Processing" and "SupervisoryAuthority" shall have the samemeaning as in the GDPR, and their cognateterms shall be construed accordingly.

2.Processingof Company Personal Data


2.1.1complywith all applicable Data Protection Lawsin the Processing of Company PersonalData; and

2.1.2notprocess Company Personal Data other than onController's documentedinstructions.

2.2Controllerinstructs Processor to process CompanyPersonal Data to provide the Servicesand related technical support.


Processorshall take reasonable steps to ensure thereliability of any employee, agent orcontractor of any Contracted Processor whomay have access to Company PersonalData, ensuring in each case that access isstrictly limited to thoseindividuals who need to know / access the relevantCompany Personal Data, asstrictly necessary for the purposes of the PrincipalAgreement, and to complywith Applicable Laws in the context of thatindividual's duties to theContracted Processor, ensuring that all suchindividuals are subject toconfidentiality undertakings or professional orstatutory obligations ofconfidentiality.



4.1Takinginto account the state of the art, thecosts of implementation and the nature,scope, context and purposes ofProcessing as well as the risk of varyinglikelihood and severity for the rightsand freedoms of natural persons,Processor shall in relation to the CompanyPersonal Data implement appropriatetechnical and organizational measures toensure a level of security appropriateto that risk, including, as appropriate,the measures referred to in Article32(1) of the GDPR.

4.2Inassessing the appropriate level of security,Processor shall take account inparticular of the risks that are presented byProcessing, in particular from aPersonal Data Breach.


5.1Processorshall not appoint (or disclose anyCompany Personal Data to) any Subprocessorunless required or authorized byController.

6.DataSubject Rights

6.1Takinginto account the nature of the Processing,Processor shall assist Controller byimplementing appropriate technical andorganisational measures, insofar as thisis possible, for the fulfilment ofController obligations, as reasonablyunderstood by Controller, to respond torequests to exercise Data Subjectrights under the Data Protection Laws.


6.2.1promptlynotify Controller if it receives arequest from a Data Subject under any DataProtection Law in respect of CompanyPersonal Data; and

6.2.2ensurethat it does not respond to that requestexcept on the documented instructionsof Controller or as required by ApplicableLaws to which the Processor issubject, in which case Processor shall to theextent permitted by ApplicableLaws inform Controller of that legal requirementbefore the ContractedProcessor responds to the request.

7.PersonalData Breach

7.1Processorshall notify Controller without unduedelay upon Processor becoming aware of aPersonal Data Breach affecting CompanyPersonal Data, providing Controller withsufficient information to allowController to meet any obligations to report orinform Data Subjects of thePersonal Data Breach under the Data Protection Laws.

7.2Processorshall co-operate with Controller andtake reasonable commercial steps as aredirected by Controller to assist in theinvestigation, mitigation andremediation of each such Personal Data Breach.

8.DataProtection Impact Assessment and PriorConsultation

8.1Processorshall provide reasonable assistance toController with any data protectionimpact assessments, and prior consultationswith Supervising Authorities orother competent data privacy authorities, whichController reasonably considersto be required by article 35 or 36 of the GDPRor equivalent provisions of anyother Data Protection Law, in each case solelyin relation to Processing ofCompany Personal Data by, and taking into accountthe nature of the Processingand information available to, the ContractedProcessors.

9.Deletionor return of Company Personal Data

9.1Subjectto this section 9 Processor shallpromptly and in any event within 10 businessdays of the date of cessation ofany Services involving the Processing ofCompany Personal Data (the"Cessation Date"), delete and procure thedeletion of all copies ofthose Company Personal Data.

9.2Processorshall provide written certification toController that it has fully compliedwith this section 9 within 10 businessdays of the Cessation Date.


10.1Subjectto this section 10, Processor shall makeavailable to Controller on request allinformation necessary to demonstratecompliance with this Agreement, and shallallow for and contribute to audits,including inspections, by Controller or anauditor mandated by Controller inrelation to the Processing of the CompanyPersonal Data by the ContractedProcessors.

10.2Informationand audit rights of Controller onlyarise under section 10.1 to the extent thatthe Agreement does not otherwisegive them information and audit rights meetingthe relevant requirements of DataProtection Law.


11.1TheProcessor may not transfer or authorize thetransfer of Data to countriesoutside the EU and/or the European Economic Area(EEA) and/or Switzerlandwithout the prior written consent of Controller. Ifpersonal data processedunder this Agreement is transferred from a countrywithin the European EconomicArea or Switzerland to a country outside theEuropean Economic Area orSwitzerland, the Parties shall ensure that thepersonal data are adequatelyprotected. To achieve this, the Parties shall,unless agreed otherwise, rely onEU approved standard contractual clauses forthe transfer of personal data.


12.1Confidentiality.Each Party must keep anyinformation it receives about the other Party and itsbusiness in connectionwith this Agreement ("Confidential Information”)confidential and must notuse or disclose that Confidential Information withoutthe prior written consentof the other Party except to the extent that:

(a)disclosureis required by law;

(b)therelevant information is already in the publicdomain.

12.2Notices.All notices and communications givenunder this Agreement must be in writingand will be sent by email. Controllershall be notified by email sent to theaddress related to its use of the Serviceunder the Principal Agreement.Processor shall be notified by email sent to theaddress: gdpr@MakeMarket.io byMakeitfuture SRL.com.

13.GoverningLaw and Jurisdiction

13.1ThisAgreement is governed by German Law.

13.2Anydispute arising in connection with thisAgreement, which the Parties will notbe able to resolve amicably, will besubmitted to the exclusive jurisdiction ofthe courts of Gießen, subject topossible appeal to the Amtsgericht Gießen.


Schedule 1:Service Description and Pricing


The Serviceoffered by Makeitfuture SRL is MakeMarket.ioby Makeitfuture SRL ("MakeMarket.ioby Makeitfuture SRL").


MakeMarket.io byMakeitfuture SRL offers cuttingedge API services with an easy to use API interfacethat by individuals andenterprises around the world. MakeMarket.io by Makeitfuture SRL provides acomplete platform that includes both server-side software andclient-side.


Schedule 2:Data Processing and Security


1.Descriptionof the data processing carried out onbehalf of the Controller

In additionto the information provided elsewhere inthe Agreement, the Parties wish todocument the following information inrelation to the data processingactivities.


The dataprocessing performed by the Data Processoron behalf of the Controller relatesto the service of end-to-end emailcommunication. The data processing detailsand procedure can be found in theCompany's Privacy Policy at https://MakeMarket.io/privacy-policy.


Purposes ofthe order processing

Personaldata of the Client to which MakeitfutureSRL obtains access will be processedWITHIN the company infrastructure on thebasis of this order processingagreement for the following purposes:

a.           Consulting services.

b.            Supportand management of websites,social media and other communication and informationchannels.

c.           Creation and/or processing ofpersonal profiles.

d.           Accounting automation.

e.           Provision of services in the fieldof IT security.

f.            Obtaining as well as processingcontact information, addresses and leads.

g.           Customer management and/or customersupport.

h.           Software-as-a-Service (SaaS)services.

i.            Software creation and / ormaintenance services.

j.Administrative, management and administrationservices.

k.            Web andcloud hosting.

l.            Advertising and marketing(consulting, design, implementation and execution).

Types andcategories of data

The typesand categories of personal data processedon the basis of this order processingagreement include:

a.           Inventory data.

b.            Contactdata.

c.            Contentdata.

d.            Imageand/or video recordings.

e.           Contract data.

f.            Payment data.

g.            Usagedata.

h.            LocationData.

i.             Dataof lottery participants.

j. Logdata.

k.            Metaand connection data.

l.            Employee data.

m.          Salary data.

n.           Employee performance and behaviordata.

o.           Applicant data.

p.           Business information.

q.            Memberdata.

Processingof special categories of data

The specialcatego- ries of personal data processedon the basis of this Order ProcessingAgreement (pursuant to Article 9(1) of theGDPR) include:

a.            Datafrom which racial origin can beinferred.

b.            Datarevealing ethnic origin.

c.            Datafrom which political opinionsare derived.

d.            Datarevealing religious orphilosophical beliefs.

e.            Datarevealing trade unionmembership.

f.            Biometric data uniquely identifyinga natural person.

Categoriesof data subjects

Thecategories of persons affected by the processingof personal data on the basisof this GC Agreement include:

a.            WebsiteVisitors.

b.           Software users.

c.           Recipients of marketing efforts.

d.           Participants.

e.           Subscribers.

f.            Interested parties.

g.           Business customers.

h.            Businesspartners.

i.            Freelancers.


k.           Applicants.

l.            Members.

Sources ofthe data processed

a.           Information provided by user-customers or other data subjects.

b.           Collection by the processor.

c.           Collection in the context of the useof software, applications, websitesand other online services.

d.           Collection in the context of eventsand functions.

e.           Collection in the context ofadvertising and marketing campaigns.

f.            Collection via interfaces toservices of other providers.

g.           External databases and datacollections.

h.            Receiptby way of transmission orother communication by or on behalf of Customer.

Page break

Appendix:Responsible persons and contact persons

The contactpersons named below are authorized toissue or receive instructions from theCustomer. The other contracting partymust be notified of any changes to thecontact persons, their not merely temporaryprevention or their contactinformation.

Responsiblepersons and contact persons at theclient:

- SebastianMertens - Managing Director.


Appendix:Technical and Organizational Measures(TOMs)

A level ofprotection appropriate to the risk to therights and freedoms of the naturalpersons concerned by the processing shall beensured for the specificcommissioned processing and the personal data processedwithin its scope. Tothis end, the protection objectives of confidentiality,integrity andavailability of the systems and services as well as theirresilience withregard to the type, scope, circumstances and purpose of theprocessingoperations shall be taken into account in such a way that the riskispermanently contained by means of appropriate technical andorganizationalremedial measures.


Organizationalmeasures have been taken to ensure anappropriate level of data protection andits maintenance.

a.            TheProcessor has implemented anappropriate data protection management system or adata protection concept andensures its implementation.

b.            Anappropriate organizationalstructure for data security and data protection is inplace and informationsecurity is integrated into company-wide processes andprocedures.

c.           Internal security guidelines aredefined and communicated to employeeswithin the company as binding rules.

d.            Theprocessor conducts a review,assessment and evaluation of the effectiveness ofthe technical andorganizational measures to ensure the security of theprocessing when there iscause to do so, but at least annually.

e.            Systemand security tests, such ascode scan and penetration tests, shall be performedregularly and also withoutcause.

f.             Thetechnical and organizationalmeasures according to are reviewed and adjustedregularly, at least annually,according to the PDCA cycle (Plan-Do-Check-Act). 

g.            Thedevelopment of the state of theart as well as developments, threats andsecurity measures are continuouslymonitored and derived in a suitable mannerfor the company's own securityconcept.

h.            Thereis a concept that guaranteesthe protection of the rights of the data subjectsby the client (in particularwith regard to information, correction, deletion orrestriction of processing,data transfer, revocations and objections). Theconcept includes informingemployees about the information obligations towardsthe client, setting upimplementation procedures and appointing responsiblepersons as well as regularmonitoring and evaluation of the measures taken.

i.             Aconcept is in place to ensure aprompt response to threats and breaches ofpersonal data protection inaccordance with legal requirements. The conceptincludes informing employeesabout the information obligations towards theclient, setting up implementationprocedures and appointing responsible persons,as well as regular monitoringand evaluation of the measures taken.

j. Securityincidents are consistently documented,even if they do not lead to an externalreport (e.g., to the supervisoryauthority, affected persons) (so-called"security reporting").

k.           Sufficient professional qualificationof the data protection officer forsecurity-relevant issues and opportunitiesfor further training in thisspecialist area.

l.            Sufficient professionalqualification of the IT security officer forsecurity-relevant issues andopportunities for further training in thisspecialist area.

m.          Serviceproviders used to performancillary tasks (maintenance, security, transport andcleaning services,freelancers, etc.) are carefully selected and it is ensuredthat they complywith the protection of personal data. If the service providersgain access topersonal data of the client in the course of their activities orif there isotherwise a risk of access to the personal data, they arespecificallyobligated to maintain secrecy and confidentiality.

n.            Theprotection of personal datashall be taken into account, taking into account thestate of the art, theimplementation costs and the nature, scope, circumstancesand purposes of theprocessing, as well as the varying likelihood and severityof the risks to therights and freedoms of natural persons associated with theprocessing, alreadyduring the development or selection of hardware, softwareand procedures, inaccordance with the principle of data protection throughtechnology design andthrough data protection-friendly default settings.

o.           Software and hardware used is alwayskept up to date and software updatesare carried out without delay within areasonable period of time in view of thedegree of risk and any need fortesting. No software and hardware will be usedthat is no longer updated by theproviders with regard to data protection anddata security concerns (e.g.expired operating systems).

p.           Standard software and correspondingupdates are only obtained fromtrustworthy sources.

q.            Adevice management system makes itpossible to determine which employees orauthorized representatives use whichdevices in which areas.

r.             A"paperless office" ismaintained, i.e., documents are generally onlystored digitally and only keptin paper form in exceptional cases.  

s.           Documents are only stored in paperformat if there is no adequate digitalcopy with regard to the orderprocessing, its purpose and the interests of thepersons affected by thecontents of the documents, or if storage has been agreedwith the client or isrequired by law.

t.             Thereis a deletion and disposalconcept that complies with the data protectionrequirements of the orderprocessing and the state of the art. The physicaldestruction of documents anddata carriers is carried out in compliance withdata protection requirementsand in accordance with legal requirements, industrystandards andstate-of-the-art industrial standards (e.g. in accordance with DIN66399).Employees have been informed about legal requirements, deletiondeadlines and,if responsible, about specifications for the destruction of dataor equipmentby service providers.

u.            Theprocessing of the client's datathat has not been deleted in accordance with theagreements of this orderprocessing contract (e.g. as a result of legalarchiving obligations) isrestricted to the necessary extent by blocking noticesand/or segregation.


Use of asuitable information security managementsystem (ISMS)

Use of asuitable information security managementsystem (ISMS).

Use of an informationsecurity management system(ISMS) in accordance with BSI standards.

Dataprotection at employee level

Measureshave been taken to ensure that employeesinvolved in the processing of personaldata have the expertise and reliabilityrequired by data protection law.

a.           Employees are bound toconfidentiality and secrecy (data protectionsecrecy).

b.           Employees are sensitized andinstructed with regard to data protection in accordancewith the requirementsof their function. The training and sensitization will berepeated atappropriate intervals or when circumstances require it.

c.            Relevantguidelines, e.g. one-mail/Internet use, handling malware reports, use ofencryption techniques,are kept up to date and are easy to find (e.g. on theintranet).

d.            Ifemployees work outside thecompany's internal premises (home and mobileoffices), employees are informedabout the special security requirements andprotection obligations in theseconstellations and are required to comply withthem, subject to control andaccess rights.

e.            Ifemployees use private devices forbusiness activities, employees will beinformed about the special securityrequirements and protection obligations inthese constellations and will beobligated to comply with them, subject tocontrol and access rights.

f.             Keys,access cards or codes issuedto employees as well as authorizations granted withregard to the processing ofpersonal data shall be withdrawn or revoked afterthey leave the services ofthe processor or after a change of responsibilities.

g.           Employees shall be obliged to leavetheir working environment tidy and inparticular to prevent access to documentsor data carriers containing personaldata (clean desk policy).



Physicalaccess control measures have been taken toprevent unauthorized persons fromphysically approaching the systems, dataprocessing equipment or procedureswith which personal data are processed.

a.            Accessto data processing equipmentis additionally secured and only authorizedemployees may enter.

b.            Thereis a personal check at thegatekeeper or at the reception desk.

c.            Videosurveillance technology isused to prevent access by unauthorized persons.

d.            Analarm system is used to preventaccess by unauthorized persons.

e.            Accessis secured by a manual lockingsystem with security locks.

f.             Accessis secured by a smart cardor transponder locking system.

g.            Theissuance and return of keysand/or access cards is logged.

h.           Employees will be required to lockequipment or have it specially securedwhen they leave their work environmentor the equipment.

i.            Records (files, documents, etc.)will be stored securely, e.g., in filingcabinets or other appropriatelysecured containers, and appropriately protectedfrom access by unauthorizedpersons.

j. Datamedia are stored securely and appropriatelysecured from access by unauthorizedpersons.



Electronicaccess control measures are in place toensure that access (i.e., the verypossibility of use, use, or observation) byunauthorized persons to systems,data processing equipment, or procedures isprevented.

a.            Apassword policy, specifies thatpasswords must be of a minimum length andcomplexity consistent with the stateof the art and security requirements.

b.            Alldata processing equipment is passwordprotected.

c.           Passwords are generally not storedin clear text and are only transmittedhashed or encrypted.

d.           Password management software isused.

e.            As faras technically supported,two-factor authentication is used to access data ofthe client.

f.             Failedattempts to log in tointernal systems are limited to a reasonable number (e.g.,blocking of logindata).

g.            Accessdata are deleted ordeactivated when their users have left the company ororganization of theprocessor.

h.            Serversystems and services are usedthat have intrusion detection systems.

i.             Anti-virussoftware that is kept upto date is used.

j. Use ofsoftware firewall(s).

k.            Backupsare stored in encryptedform.


Internalaccess control and input control(permissions for user rights to access andmodify data).

Accesscontrol measures have been taken to ensurethat those authorized to use a dataprocessing system can only access the datasubject to their access authorizationand that personal data cannot be read,copied, modified or removed withoutauthorization during processing. Furthermore,input control measures have beentaken to ensure that it is possible to checkand establish retrospectivelywhether and by whom personal data have beenentered into data processingsystems, modified, removed or otherwise processed.

a.            A rightsand roles concept(authorization concept) ensures that personal data can only beaccessed by agroup of persons selected on the basis of necessity and only tothe extentrequired.

b.            Therights and roles concept(authorization concept) is evaluated regularly, withina reasonable timeframe,and when required (e.g., violations of accessrestrictions), and updated asnecessary.

c.            Accessto individual files of theclient is logged.

d.            Theentry, modification and deletionof individual client data is logged.

e.            The logfiles are protected againstmodification, loss and unauthorized access.

f.             Theactivities of theadministrators are appropriately monitored and logged withinthe scope oflegally permissible possibilities and within the scope oftechnicallyjustifiable expenditure.

g.            It isensured that it is possible totrace which employees or authorizedrepresentatives had access to which dataand when (e.g., by logging softwareusage or drawing conclusions from accesstimes and the authorization concept).



Measureshave been taken to control the transfer ofpersonal data to ensure that itcannot be read, copied, modified or removed byunauthorized persons duringelectronic transmission or during transport orstorage on data media, and thatit is possible to check and determine to whichbodies personal data is to betransferred by data transmission equipment.

a.            Whenaccessing internal systems fromoutside (e.g. for remote maintenance), encryptedtransmission technologies areused (e.g. TLS tunnel / VPN).

b.            Mobiledata carriers are encrypted.

c.            E-mailsare encrypted duringtransmission, which means that the e-mails are protected ontheir way from thesender to the recipient from being read by someone who hasaccess to thenetworks through which the e-mail is sent.

d.            Thetransmission and processing ofpersonal data of the Client via online services(websites, apps, etc.), isprotected by means of TLS/SSL or equivalent secureencryption.

e.            Filesare encrypted prior totransfer to cloud storage services.

Ordercontrol, earmarking and segregation control.

Ordercontrol measures have been taken to ensurethat personal data processed onbehalf of the customer are only processed inaccordance with the customer'sinstructions. The measures ensure that personaldata of the customer collectedfor different purposes are processed separatelyand that no mixing, blending orother joint processing of these data thatcontradicts the order takes place.

a.            Theprocessing operations carriedout for the Customer shall be separatelydocumented to an appropriate extent ina register of processing activities.

b.            Carefulselection of sub-processorsand other service providers.

c.            TheProcessor shall not include anyother sub-processors without the consent orinformation of the Customer (whoshall then have the right to object).

d.           Employees and agents shall beinformed in a clear and comprehensiblemanner about the client's instructionsand the permissible processing frameworkand instructed accordingly. Separateinformation and instruction are notrequired if compliance with the permissibleframework can be reliably expected anyway,e.g. due to other agreements orcompany practice.

e.           Compliance with instructions fromthe client and the permissible frameworkfor the processing of personal data byemployees and agents shall be checked atappropriate intervals.

f.             Thedeletion periods applicable tothe processing of the Customer's personal datashall be documented separatelywithin the deletion concept of the Processor, ifnecessary.

g.            Necessaryevaluations and analysesof the processing of the Customer's personal data shallbe processedanonymously (i.e. without any reference to a person) or at leastpseudonymouslyin accordance with Art. 4 No. 5 DSGVO (i.e. in such a way thatthe personaldata of the Customer shall not be identified). in such a way thatthe personaldata can no longer be allocated to a specific data subject withoutthe use ofadditional information, whereby the additional information is storedseparatelyand is subject to technical and organizational measures that ensurethat thepersonal data cannot be allocated to an identified or identifiablenaturalperson).

h.            ThePersonal Data of the Clientshall be processed physically separately from dataof other processingoperations of the Processor.

i.             Thepersonal data of the Customershall be processed logically separately from dataof other processingprocedures of the Processor and shall be protected againstunauthorized accessor connection or intersection with other data (e.g. indifferent databases orby appropriate attributes).


Ensuringthe integrity and availability of data andthe resilience of processing systems

Measuresare in place to ensure that personal datais protected against accidentaldestruction or loss and can be restoredexpeditiously in the event of anemergency.

a.           Fail-safe server systems andservices are used that are duplicated, ormultiple.

b.            Theavailability of the dataprocessing systems is permanently monitored and controlled,in particular foravailability, errors and security incidents.

c.           Personal data is stored withexternal hosting providers. The hostingproviders are carefully selected andmeet the requirements of state-of-the-arttechnology with regard to protectionagainst damage caused by fire, moisture,power failures, disasters, unauthorizedaccess, data backup and patchmanagement, as well as building security.

d.           Personal data is processed on dataprocessing systems that are subject toregular and documented patch management,i.e., in particular, that are regularlyupdated.

e.            Theserver systems used forprocessing have protection against Denial of Service(DoS) attacks.

f.             Theserver systems used forprocessing have an uninterruptible power supply (UPS)that is adequatelyprotected against failures and ensures a controlled shutdownin emergencieswithout loss of data.

g.            Theserver systems used forprocessing have adequate fire protection (fire and smokealarm systems as wellas corresponding fire extinguishing devices or fireextinguishing equipment).

h.            Serversystems are used that haveprotection against moisture damage (e.g. moisturedetectors).

i.             Serversystems and services areused that maintain a backup system at other locationswhere current data iskept, thus providing a running system even in the event ofa disaster.

j. The client'sdata sets are protected fromaccidental modification or deletion by the system(e.g., through accessrestrictions, security queries, and backups).

k.            Serversystems and services are usedthat have an adequate, reliable, and controlledbackup & restorepolicy.  

l.            Restore tests are performedregularly at appropriate intervals to verify thatbackups can actually berestored (data integrity of backups).



TheProcessor shall use the following sub-processorsin the course of processingdata for the Customer:


A.           Company:

- MicrosoftOffice 365

Purpose ofprocessing

Use ofMicrosoft Azure as provider backend side.

Categoriesof personal data

Inventorydata, content data, usage data

Legal basis

Executionof the contract, Art. 6 para. 1 lit. bDSGVO


User datais stored for up to 1 year after removalof the last license.


Microsoft,Redmond WA, USA


Categoriesof personal data

Inventorydata, content data, usage data

Legal basis

Executionof contract, Art. 6 para. 1 lit. b DSGVO


User datais stored for up to 1 year after removalof the last license.


B.           Company:

- StripeInc.

Purpose ofprocessing

Payment andUser Account as well as VAT Verification

Categoriesof personal data

Inventorydata, content data, usage data

Legal basis

Executionof the contract, Art. 6 para. 1 lit. bDSGVO


User datais stored for up to 1 year after removalof the last license.


Stripe INCDublin Irland


Categoriesof personal data

Inventorydata, content data, usage data

Legal basis

Executionof contract, Art. 6 para. 1 lit. b DSGVO


User datais stored for up to 1 year after removalof the last license.

- If theContractor engages third parties (e.g.subcontractors) who participate in theContractor's commissioned processing andwho may gain knowledge of theprofessional secrets, the Contractor shall obligethe third parties inaccordance with its own obligation in this section"Maintainingprofessional secrecy" of this Agreement at least in textform. Furthermore,the Contractor shall inform the third parties of theirobligations and, if theContractor has been instructed in this respect withinthe scope of thissection, also of the criminal liability of the violation ofthe professionalsecrecy. Irrespective of the above obligation, the Customermust have permittedthe use of third parties.The Customer shall instruct theContractor as aprecaution that the involvement of third parties may result in aprisonsentence of up to one year or a fine if a third party breachesconfidentialityand the Contractor at the same time has not ensured that thethird party hasbeen obliged to maintain confidentiality (Sections 203 (1), (4)sentence 2 no.2 of the German Criminal Code). The threat of punishment isincreased to imprisonmentfor up to two years or a fine if the perpetrator actswith the intention ofenrichment, even if it should exist for the benefit of athird party, or hasthe intention of damaging another person through the act.

- Theprocessing may take place in third countries,provided that the specialrequirements of Art. 44 et seq. DSGVO are met, i.e. inparticular the EUCommission has determined an adequate level of dataprotection; b) on the basisof effective standard contractual clauses (SCC); orc) on the basis ofrecognized binding internal data protection regulations.

- Insofaras an action of the Processor leads to adisruption, data protection breach orirregularity in the Processing, theCustomer shall not bear any costs for thesupport actions of the Processornecessarily resulting therefrom.

- Thepersonal data processed within the scope ofthe order shall be transmitted inend-to-end encrypted form, unless otherwiseinstructed by the Customer.