DATA PROCESSING ADDENDUM
Amendment since last version: Aligning the language to recent changes in the Definitions (Appendix 1) and in the Master Service Agreement and adding Microsoft Azure as an explicitly stated Sub-processor in Section 9.
BRYTER GmbH, Biebergasse 2, Frankfurt am Main, Germany (hereinafter “Processor”) and Customer (hereinafter “Controller”), together also referred to as the “Parties” and each also referred to as a “Party” hereby agree as follows:
1. Definitions
The capitalized terms used in this data processing addendum (“DPA”) shall have the meaning as set forth in the definitions set out in the Definitions (Appendix 1) and in the Master Service Agreement.
2. General provisions
2.1. Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2. Controller is the controller in accordance with Article 4 no. 7 GDPR. Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3. Processor processes Personal Data on behalf of Controller for the delivery of the BRYTER Software and/or Professional Services within the meaning of the Master Service Agreement, the Definitions (Appendix 1) and the applicable Order and/or SOW (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4. The subject-matter of the processing is set out in the MSA.
2.5. The duration of the Processing shall be in accordance with Controller’s instructions and the terms of the MSA including the DPA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1. The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA including the DPA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | – Authorized User – End User, if a login is required | Functionality and security | 90 days as of last login |
First name | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Last name | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Email address | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Password | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | – Authorized User – End User | Functionality and security | 90 days as of last login |
3.2. Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations
5.1. It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2. Controller agrees that the MSA including the DPA, along with Controller’s use of the Software, are Controller’s complete documented instructions to Processor for the processing of Personal Data. Controller may issue additional instructions if required by data protection regulations.
5.3. Any instructions given by Controller shall be in writing or in a documented electronic form. Oral instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4. Processor ensures that Controller, or a qualified third party instructed by Controller which is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid out in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contributing to audits (including onsite inspections).
5.5. Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit or are not independent. Controller acknowledges that most of the processing is done via cloud computing on the premises of Amazon AWS and Microsoft Azure (see Schedule 1). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS, Microsoft Azure or other Sub-processors in accordance with the respective DPAs concluded with those Sub-processors and as required by the applicable data protection laws and regulations.
5.6. Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7. Controller shall pay for any costs reasonably incurred through an onsite inspection by Controller according to section 5.4. or 5.5.
5.8. Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software concerning data protection.
6. Processor’s obligations
6.1. Processor processes Personal Data solely within the scope of this DPA and on documented instructions of Controller, unless otherwise required to do so by law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects in accordance with Art. 12 to 22 GDPR by Controller.
6.3. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4. Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, shall inform them of all relevant data protection obligations according to this DPA and shall take steps to ensure that they process such Personal Data only on Controller’s instructions, except where they are required to process it under the law of the European Union or a member state or the UK.
7. Processor’s notification obligations
7.1. Processor shall immediately inform Controller if, in its opinion, an instruction infringes the GDPR or other European Union, member state or UK data protection regulations. Processor is entitled to suspend the execution of such an instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s instruction. Processor will inform Controller about damages and costs claimed against it and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
7.2. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations in accordance with Art. 33 and 34 GDPR.
7.3. Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2. as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1. This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2. Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3. Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA including the DPA.
8.4. Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5. Processor may disclose Professional Secrets to subcontractors to the extent necessary for the performance of the obligations set out in the MSA including the DPA, provided that (i) each Sub-processor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) each Sub-processor is obliged to bind its own Sub-processors accordingly.
8.6. Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets, have undertaken in writing (digitally sufficient) not to disclose any Professional Secrets of which they have become aware in the course of or on the occasion of their work to unauthorized third parties.
9. Sub-processors.
9.1. By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.
9.2. Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller thereof by written notice at any time during the term of the MSA, provided that Controller signs up to a mailing list via: subprocessors@bryter.io through which such notices will be delivered by e-mail.
9.3. Controller shall be entitled to object to any change notified by Processor within 15 business days, solely for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for Controller’s objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4. Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5. Processor shall remain liable to Controller for its Sub-processors’ obligations.
9.6. Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) and Microsoft Azure as Sub-processors. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. In the relationship between Processor and Microsoft Azure the Microsoft Products and Services Data Protection Addendum applies. Both the AWS GDPR Data Processing Addendum and the Microsoft Products and Services Data Protection Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7. Controller acknowledges that the use of AWS (or a substitute Sub-processor) and Microsoft Azure (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) and/or Microsoft Azure (or a substitute Sub-processor) as Sub-processors, the Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries.
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9. of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures in accordance with Art. 32 GDPR.
11.1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2. Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures in accordance with Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3. Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
11.4. Controller is responsible for verifying the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to the circumstances of Processing.
12. Obligations of Processor after termination of the MSA.
12.1. After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2. However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5., the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability.
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions.
14.1. Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is Controller’s sole property and within Controller’s area of responsibility, that such data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2. Section 16 (General Provisions) of the MSA shall apply accordingly to this DPA.
14.3. If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Schedule 1
List of Sub-processors
Sub-processor | Service Provided | Corporate Location | Server Location | Type of data processed |
Amazon Web Services (AWS) EMEA SARL | Cloud Server | 8 Avenue John F. Kennedy, L-1855 Luxembourg | Frankfurt am Main (Germany) | See above 3.1 |
Microsoft Azure | Cloud Server | Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Co Dublin (Ireland) | Central-Gavle (Sweden), Schiphol (Netherlands) | See above 3.1 |
DataDog Inc. | Monitoring Tool | 620 8th Avenue, 45th Floor, New York, NY 10019-1741, USA | Frankfurt am Main (Germany) | IP address |
Intercom R&D Unlimited Company | Customer Support | 3rd Floor, Stephens Court, 18-21 Saint Stephen’s Green, Dublin 2 | Dublin (Ireland) | Name and IP address |
Schedule 2
Technical and organizational measures
Usage of AWS and Microsoft Azure
For data security measures concerning the servers where the BRYTER Software is located please refer to the technical and organizational measures of AWS and / or Microsoft Azure.
Amazon Web Services EMEA Sarl, 8 Avenue John F. Kennedy, L-1855 Luxembourg
Microsoft Azure, Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Ireland
All personal data is stored and processed in European data centers of our sub-processor Amazon Web Services (AWS) and / or Microsoft Azure.
BRYTER has executed a Data Processing Addendum with AWS, namely “AWS GDPR DATA PROCESSING ADDENDUM”. BRYTER has executed a Data Processing Addendum with Microsoft Azure, namely “Microsoft Products and Services Data Protection Addendum”. Both agreements are integral parts of these technical and organizational measures. AWS is ISO 27001, 27017 and 27018 certified. Microsoft Azure is ISO 27001, ISO 27002, and ISO 27018 certified.
ISO 27018 is a code of conduct for the protection of personal data in the cloud. It is based on the ISO 27002 information security standard (the “Standard”) and serves as a guideline for the implementation of ISO 27002 controls that apply to personal data that uniquely identifies a person in the public cloud. The Standard provides additional controls and guidelines for the protection requirements of personal data that are not taken into account by the current controls of ISO 27002. By complying with this Standard, both AWS and Microsoft Azure have a system of control mechanisms that are specifically concerned with the protection of private data. By complying with this internationally recognized guide and having it independently reviewed, both AWS and Microsoft Azure demonstrate their commitment to customer content privacy. Further information on our sub-processors and their certifications can be found here: https://aws.amazon.com/compliance/gdpr-center/ and https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
1. Physical access control
Processor is not using on-premises servers but cloud computing, currently AWS and Microsoft Azure, to provide and execute the Software and to process data entered into the Software. To this end, the following measures ensure physical access control:
- For data security measures concerning the physical location of the servers where the BRYTER Software is located please refer to the AWS and/or Microsoft Azure technical and organizational measures as stated above.
- Electronic storage media are securely erased after use.
- Public entry to the office building is prevented by doors that open only with a key or an equivalent device; such areas are kept closed whenever access to the filed documents is not required.
2. User access control to data processing systems
To prevent unauthorized parties from using data processing systems.
Workstation computers are secured as follows:
- User login only through centrally controlled identity management system.
- Workstation computers are automatically locked after a certain idle time.
- Personal access code required to unlock computers.
Password policy:
- For administrative access (minimum requirements for password length and complexity, two-factor authentication).
- For employee access (minimum requirements for password length and complexity, two-factor authentication).
- For customer access (minimum requirements for password length and complexity).
3. Access control to personal data in data processing systems
To ensure that those authorized to use a data processing system can only access the data for which they are authorized and that data, especially personal data, is not subject to unauthorized viewing, copying, modification, or deletion when it is processed or used or after it is stored.
- Central rights management, separated for system access and application access.
- Controls to prevent users from changing their own rights.
- Controls to prevent users from requesting a change without the approval of the person in charge in accordance with the established approval process.
- External access restricted to VPN- or SSH-secured connections.
- Data encrypted for storage.
4. Separation control
To ensure that data collected for different purposes can be processed separately.
Separation of:
- Employee data.
- Customer contact data.
- Customer test data (project work, customer developments).
- Customer data in the BRYTER data center.
System level:
Customer data in the data center is administered in strict separation and in separate systems (databases, etc.) from BRYTER data (including the CRM system).
Different applications:
Customer data and employee data is processed using separate applications.
5. Measures for pseudonymization and encryption
To ensure that traceability of data to individuals is at least restricted.
- Privacy-by-design and privacy-by-default measures, including the appropriate training for product teams and based on the principles of avoiding and limiting data.
- All download/upload internet connections secured through SSL/TLS or SSH.
Input control
To ensure that it is possible to subsequently check and determine whether and by whom data, especially personal data, was entered into data processing systems, modified, or deleted.
- Comprehensive logging by all systems that process personal data, making it possible to subsequently determine whether and by whom personal data was entered, modified, or removed.
- Personalized user accounts extending to the specialized applications.
- Separate system logs and application logs, ruling out manipulation of the application logs at the system level.
6. Order control
To ensure that personal data from orders can only be processed according to the client’s instructions.
- Regulation of instructions in the principal service agreement and the data processing agreement.
- Administration of users and rights by client at application level.
- Transfer/entry of data by client, who decides which data is transferred and when.
- Access to this data limited to roles with corresponding access rights.
- Automated processing of data by certified software ensuring that data is processed in accordance with contracted procedure.
- Use of standardized contracts as stipulated by law for relations with customers and service providers.
- Inclusion of sub-processors under corresponding confidentiality, data processing and system access agreements.
7. Transmission control
To ensure that data, especially personal data, cannot be viewed, copied, modified, or deleted without authorization while it is transmitted electronically, transported, or saved to storage media and that it is possible to check and determine the intended destinations of data, especially personal data, transferred using data transmission equipment.
- All download/upload internet connections secured through SSL/TLS or SSH.
- No local storage of personal data; all data stored centrally in the systems of BRYTER.
- External connections possible only through approved applications.
- External connections possible only through approved services.
- All remote data transfer connections logged wherever technically possible.
- Regulations for the disposal of waste with confidential content.
8. Availability
To ensure that data, especially personal data, is protected against random destruction or loss.
- Data encrypted for storage.
- All access authorizations and access rights of a person leaving the company are promptly blocked and if necessary deleted.
- All company-owned items relating to personal data are reclaimed from an individual leaving the company.
- Written data carriers are stored before and after dispatch in such a way that access is only possible for authorized persons.
- Regular testing of data security / backup systems, etc.
9. Resilience
To ensure that data processing systems are sufficiently resilient and robust.
- Inventory of processing activities with integrated assessment of consequences for data protection and assessment of the appropriateness of technical and organizational measures.
- Integration of privacy by design in product management: advanced controls can be triggered by the procedural manager together with the data protection officer for assessment of consequences for data protection (administration of processes including checks, coordination, analysis, and evaluation).
- Use of next-generation firewall.
- Monitoring to ensure early detection and at least limit or even prevent damage due to malware.
- For server related resilience measures please refer to the Amazon Web Services (AWS) technical and organizational measures.
- Incident Response Management.
10. Security Management
To ensure security during processing.
- Internal and external ISO 27001 audits.
- Regular checks of technical and organizational measures with responsible roles, including whether they reflect the state of the art.
- Management evaluations as a regular routine.
11. Measures to prevent concatenation
To ensure that data is used only for the purpose for which it was collected (purpose limitation principle).
- Use of role concept to limit processing, use, and transmission rights.
- Programmed omission or closure of interfaces in procedures and procedure components.
- Rules prohibiting backdoors, quality assurance audits to check compliance in software development.
- Functional separations based on role concept.
- Separations through role concepts with phased access rights based on identity management and a secure authentication process.
- Regular awareness training.
12. Personal Data Protection Management
To ensure that obligations to provide information are met.
- Data Protection Management System in place with reporting lines to senior management.
- Records of processing activities pursuant to Art. 30 GDPR (both as controller and as processor).
- Data privacy statement on BRYTER website.
- Detailed information outlined in data privacy portal of BRYTER.
- Documentation of contracts with internal employees, contracts with external service providers and third parties from whom data is collected or to whom data is transmitted.
Amendment since last version: Renaming BRYTER Policy AI to BRYTER AI Agents due to rebranding of the product.
BRYTER GmbH, Biebergasse 2, Frankfurt am Main, Germany (hereinafter “Processor”) and Customer (hereinafter “Controller”), together also referred to as the “Parties” and each also referred to as a “Party” hereby agree as follows:
1. Definitions
The capitalized terms used in this data processing addendum (“DPA”) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.
2. General provisions
2.1. Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2. Controller is the controller in accordance with Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3. Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4. The subject-matter of the processing is set out in the MSA.
2.5. The beginning and the duration of the processing depends on the duration of the MSA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1. The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | – Authorized User – End User, if a login is required | Functionality and security | 90 days as of last login |
First name | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Last name | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Email address | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Password | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | – Authorized User – End User | Functionality and security | 90 days as of last login |
3.2. Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations; Instructions
5.1. It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2. Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
5.3. Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4. Processor ensures that Controller, or a qualified third party instructed by Controller which is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid out in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
5.5. Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit or are not independent. Controller acknowledges that most of the Processing is done via cloud computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
5.6. Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7. Controller shall pay for any costs reasonably incurred by an onsite inspection conducted by Controller according to section 5.4. or 5.5.
5.8. Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
6. Processor’s obligations
6.1. Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects in accordance with Art. 12 to 22 GDPR by Controller.
6.3. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4. Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process such Personal Data only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
7. Processor’s notification obligations
7.1. Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against it, will not acknowledge claims of third parties without the consent of Controller, and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
7.2. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations in accordance with Art. 33 and 34 GDPR.
7.3. Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2. as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1. This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2. Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3. Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.
8.4. Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5. Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
8.6. Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose to unauthorized third parties any Professional Secrets of which they have become aware in the course of or on the occasion of their work.
9. Sub-processors
9.1. By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.
9.2. Controller hereby generally authorizes Processor’s use of Sub-processors. Prior to the use of additional Sub-processors or the replacement of Sub-processors, Processor shall inform Controller thereof by written notice at any time during the term of the MSA (‘Sub-processor Notice’), provided that Controller signs up to the mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
9.3. Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4. Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5. Processor shall remain liable to Controller for its Sub-processors’ obligations.
9.6. Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7. Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, Processor shall be entitled to terminate the MSA, this DPA and any other agreement between the Parties extraordinarily with immediate effect. In case of such termination, Processor is entitled to demand the full fees payable by Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9. of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures in accordance with Art. 32 GDPR
11.1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2. Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures in accordance with Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3. Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
11.4. Controller is responsible to verify the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to circumstances of Processing.
12. Obligations of Processor after termination of the MSA
12.1. After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2. However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5., the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions
14.1. Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties to such action that any data affected thereby is Controller’s sole property and within Controller’s area of responsibility, that such data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2. Section 12 (General Provisions) of the MSA shall apply accordingly to this DPA.
14.3. If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Schedule 1
List of Sub-processors for the BRYTER Automation Platform
Sub-processor | Service Provided | Corporate Location | Server Location | Type of data processed |
Amazon Web Services (AWS) EMEA SARL | Cloud Server | 8 Avenue John F. Kennedy, L-1855 Luxembourg | Frankfurt am Main (Germany) | See above 3.1 |
DataDog Inc. | Monitoring Tool | 620 8th Avenue, 45th Floor, New York, NY 10019-1741, USA | Frankfurt am Main (Germany) | IP address |
List of Sub-processors for the BRYTER AI Agents
Sub-processor | Service Provided | Corporate Location | Server Location | Type of data processed |
Amazon Web Services (AWS) EMEA SARL | Cloud Server | 8 Avenue John F. Kennedy, L-1855 Luxembourg | Frankfurt am Main (Germany) | See above 3.1 |
Microsoft Azure | Cloud Server | Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Co | Dublin (Ireland) | See above 3.1 |
DataDog Inc. | Monitoring Tool | 620 8th Avenue, 45th Floor, New York, NY 10019-1741, USA | Frankfurt am Main (Germany) | IP address |
Intercom R&D Unlimited Company | Customer Support | 3rd Floor, Stephens Court, 18-21 Saint Stephen’s Green, Dublin 2 | Dublin (Ireland) | Name and IP address |
Schedule 2
Technical and organizational measures
Usage of AWS
For data security measures concerning the servers where the BRYTER Software is located please refer to the Amazon Web Services (AWS) technical and organizational measures.
Amazon Web Services EMEA Sarl, 8 Avenue John F. Kennedy, L-1855 Luxembourg
All personal data is stored and processed in European data centers of our sub-processor Amazon Web Services (AWS). BRYTER has executed a Data Processing Addendum with AWS, namely the “AWS GDPR DATA PROCESSING ADDENDUM”. The agreement with AWS is an integral part of these technical and organizational measures. AWS is ISO 27001, 27017 and 27018 certified. ISO 27018 is a code of conduct for the protection of personal data in the cloud. It is based on the ISO 27002 information security standard (the “Standard”) and serves as a guideline for the implementation of ISO 27002 controls that apply to personal data that uniquely identifies a person in the public cloud. The Standard provides additional controls and guidelines for the protection requirements of personal data that are not covered by the current controls of ISO 27002. By complying with this Standard, AWS has a system of control mechanisms that are specifically concerned with the protection of personal data. By complying with this internationally recognized guide and having it independently reviewed, AWS demonstrates its commitment to customer content privacy. Further information on our sub-processors and their certifications can be found here: https://aws.amazon.com/compliance/gdpr-center/.
1. Physical access control
Processor does not use on-premises servers but cloud computing, currently AWS, to provide and execute the Software and to process data entered into the Software. In addition, the following applies to ensure physical access control:
- For data security measures concerning the physical location of the servers where the BRYTER Software is located please refer to the Amazon Web Services (AWS) Technical and organizational measures as stated above.
- Electronic storage media are securely erased after use.
- Public entry to the office building is prevented by doors that open only with a key or an equivalent device; such areas are kept closed when access to the documents stored there is not required.
2. User access control to data processing systems
To prevent unauthorized parties from using data processing systems.
Workstation computers are secured as follows:
- User login only through centrally controlled identity management system.
- Workstation computers are automatically locked after a certain idle time.
- Personal access code required to unlock computers.
Password policy:
- For administrative access (minimum requirements for password length and complexity, two-factor authentication).
- For employee access (minimum requirements for password length and complexity, two-factor authentication).
- For customer access (minimum requirements for password length and complexity).
3. Access control to personal data in data processing systems
To ensure that those authorized to use a data processing system can only access the data for which they are authorized and that data, especially personal data, is not subject to unauthorized viewing, copying, modification, or deletion when it is processed or used or after it is stored.
- Central rights management, separated for system access and application access.
- Controls to prevent users from changing their own rights.
- Controls to prevent users from requesting a change without the approval of the person in charge in accordance with the established approval process.
- External access restricted to VPN- or SSH-secured connections.
- Data encrypted for storage.
4. Separation control
To ensure that data collected for different purposes can be processed separately.
Separation of:
- Employee data.
- Customer contact data.
- Customer test data (project work, customer developments).
- Customer data in the BRYTER data center.
System level:
Customer data in data center is administered in strict separation and in separate systems (databases, etc.) from BRYTER data (including the CRM system).
Different applications:
Customer data and employee data is processed using separate applications.
5. Measures for pseudonymization and encryption
To ensure that traceability of data to individuals is at least restricted.
- Privacy-by-design and privacy-by-default measures, including the appropriate training for product teams and based on the principles of avoiding and limiting data.
- All download/upload internet connections are secured through SSL/TLS or SSH.
Input control
To ensure that it is possible to subsequently check and determine whether and by whom data, especially personal data, was entered into data processing systems, modified, or deleted.
- Comprehensive logging by all systems that process personal data, making it possible to subsequently determine whether and by whom personal data was entered, modified, or removed.
- Personalized user accounts extending to the specialized applications.
- Separate system logs and application logs, ruling out manipulation of the application logs at the system level.
6. Order control
To ensure that personal data from orders can only be processed according to the client’s instructions.
- Regulation of instructions in principal service and data processing agreement.
- Administration of users and rights by client at application level.
- Transfer/entry of data by client, who decides which data is transferred and when.
- Access to this data limited to roles with corresponding access rights.
- Automated processing of data by certified software ensuring that data is processed in accordance with contracted procedure.
- Use of standardized contracts as stipulated by law for relations with customers and service providers.
- Inclusion of sub-processors under corresponding confidentiality, data processing and system access agreements.
7. Transmission control
To ensure that data, especially personal data, cannot be viewed, copied, modified, or deleted without authorization while it is transmitted electronically, transported, or saved to storage media and that it is possible to check and determine the intended destinations of data, especially personal data, transferred using data transmission equipment.
- All download/upload internet connections are secured through SSL/TLS or SSH.
- No local storage of personal data; all data stored centrally in the systems of BRYTER.
- External connections possible only through approved applications.
- External connections possible only through approved services.
- All remote data transfer connections logged wherever technically possible.
- Regulations for the disposal of waste with confidential content.
8. Availability
To ensure that data, especially personal data, is protected against random destruction or loss.
- Data encrypted for storage.
- All access authorizations and access rights of a person leaving the company are promptly blocked and if necessary deleted.
- All company-owned items relating to personal data are reclaimed from an individual leaving the company.
- Written data carriers are stored before and after dispatch in such a way that access is only possible for authorized persons.
- Regular testing of data security / backup systems, etc.
9. Resilience
To ensure that data processing systems are sufficiently resilient and robust.
- Inventory of processing activities with integrated assessment of consequences for data protection and assessment of the appropriateness of technical and organizational measures.
- Integration of privacy by design in product management: advanced controls can be triggered by the procedural manager together with the data protection officer for an assessment of consequences for data protection (administration of processes including checks, coordination, analysis and evaluation).
- Use of next-generation firewall.
- Monitoring to ensure early detection and at least limit or even prevent damage due to malware.
- For server-related resilience measures please refer to the Amazon Web Services (AWS) Technical and organizational measures.
- Incident Response Management.
10. Security Management
To ensure security during processing.
- Internal and external ISO 27001 audits.
- Regular checks of technical and organizational measures with responsible roles, including whether they reflect the state of the art.
- Management evaluations as a regular routine.
11. Measures to prevent concatenation
To ensure that data is used only for the purpose for which it was collected (purpose limitation principle).
- Use of role concept to limit processing, use, and transmission rights.
- Programmed omission or closure of interfaces in procedures and procedure components.
- Rules prohibiting backdoors, quality assurance audits to check compliance in software development.
- Functional separations based on role concept.
- Separations through role concepts with phased access rights based on identity management and a secure authentication process.
- Regular awareness training.
12. Personal Data Protection Management
To ensure that obligations to provide information are met.
- Data Protection Management System in place with reporting lines to senior management.
- Records of processing activities pursuant to Art. 30 GDPR (both as controller and as processor).
- Data privacy statement on BRYTER website.
- Detailed information outlined in data privacy portal of BRYTER.
- Documentation of contracts with internal employees, contracts with external service providers and third parties from whom data is collected or to whom data is transmitted.
Version: 6.0 (July 2024)
No amendments since last version.
BRYTER GmbH, Biebergasse 2, Frankfurt am Main, Germany (hereinafter “Processor“) and Customer (hereinafter “Controller“), together also referred to as the “Parties” and each also referred to as a “Party” hereby agree as follows:
1. Definitions
The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.
2. General provisions
2.1. Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2. Controller is the controller in accordance with Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3. Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA“) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4. The subject-matter of the processing is set out in the MSA.
2.5. The beginning and the duration of the processing depends on the duration of the MSA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1. The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | Authorized User; End User, if a login is required | Functionality and security | 90 days as of last login |
First name | Authorized User; End User, if a login is required | Functionality and security | Until termination of MSA |
Last name | Authorized User; End User, if a login is required | Functionality and security | Until termination of MSA |
Email address | Authorized User; End User, if a login is required | Functionality and security | Until termination of MSA |
Password | Authorized User; End User, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | Authorized User; End User | Functionality and security | 90 days as of last login |
3.2. Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations; Instructions
5.1. It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2. Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
5.3. Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4. Processor ensures that Controller, or a qualified third party instructed by Controller which is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid out in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
5.5. Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit or are not independent. Controller acknowledges that most of the Processing is done via cloud computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
5.6. Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7. Controller shall pay for any costs reasonably incurred by an onsite inspection conducted by Controller according to section 5.4. or 5.5.
5.8. Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
6. Processor’s obligations
6.1. Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects in accordance with Art. 12 to 22 GDPR by Controller.
6.3. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4. Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
7. Processor’s notification obligations
7.1. Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against it, will not acknowledge claims of third parties without the consent of Controller, and will either conduct the defense at its own discretion in due collaboration with Controller or leave it to Controller.
7.2. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations in accordance with Art. 33 and 34 GDPR.
7.3. Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2. as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1. This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2. Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3. Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.
8.4. Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5. Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
8.6. Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose to unauthorized third parties any Professional Secrets of which they have become aware in the course of or on the occasion of their work.
9. Sub-processors.
9.1. By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.
9.2. Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof at any time during the term of the MSA (‘Sub-processor Notice’), provided that Controller signs up to a mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
9.3. Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4. Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5. Processor shall remain liable to Controller for its Sub-processors’ obligations.
9.6. Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7. Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries.
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9. of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures in accordance with Art. 32 GDPR.
11.1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2. Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures in accordance with Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3. Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
11.4. Controller is responsible for verifying the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to the circumstances of the Processing.
12. Obligations of Processor after termination of the MSA.
12.1. After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2. However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5., the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability.
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions.
14.1. Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is in Controller’s sole property and area of responsibility, that such data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2. Section 12 (General Provisions) of the MSA shall apply accordingly to this DPA.
14.3. If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Schedule 1
List of Sub-processors for the BRYTER Automation Platform
Sub-processor | Service Provided | Corporate Location | Server Location | Type of data processed |
Amazon Web Services (AWS) EMEA SARL | Cloud Server | 8 Avenue John F. Kennedy, L-1855 Luxembourg | Frankfurt am Main (Germany) | See above 3.1 |
DataDog Inc. | Monitoring Tool | 620 8th Avenue, 45th Floor, New York, NY 10019-1741, USA | Frankfurt am Main (Germany) | IP address |
List of Sub-processors for the BRYTER Policy AI
Sub-processor | Service Provided | Corporate Location | Server Location | Type of data processed |
Amazon Web Services (AWS) EMEA SARL | Cloud Server | 8 Avenue John F. Kennedy, L-1855 Luxembourg | Frankfurt am Main (Germany) | See above 3.1 |
Microsoft Azure | Cloud Server | Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Co | Dublin (Ireland) | See above 3.1 |
DataDog Inc. | Monitoring Tool | 620 8th Avenue, 45th Floor, New York, NY 10019-1741, USA | Frankfurt am Main (Germany) | IP address |
Intercom R&D Unlimited Company | Customer Support | 3rd Floor, Stephens Court, 18-21 Saint Stephen’s Green, Dublin 2 | Dublin (Ireland) | Name and IP address |
Schedule 2
Technical and organizational measures
Usage of AWS
For data security measures concerning the servers where the BRYTER Software is located please refer to the Amazon Web Services (AWS) technical and organizational measures.
Amazon Web Services EMEA Sarl, 8 Avenue John F. Kennedy, L-1855 Luxembourg
All personal data is stored and processed in European data centers of our sub-processor Amazon Web Services (AWS). BRYTER has executed a Data Processing Addendum with AWS, namely “AWS GDPR DATA PROCESSING ADDENDUM”. The agreement with AWS is an integral part of these technical and organizational measures. AWS is ISO 27001, 27017 and 27018 certified. ISO 27018 is a code of conduct for the protection of personal data in the cloud. It is based on the ISO 27002 information security standard (the “Standard”) and serves as a guideline for the implementation of ISO 27002-controls that apply to personal data that uniquely identifies a person in the public cloud. The Standard provides additional controls and guidelines for the protection requirements of personal data that is not taken into account by the current controls of ISO 27002. By complying with this Standard, AWS has a system of control mechanisms that are specifically concerned with the protection of private data. By complying with this internationally recognized guide and independently reviewing it, AWS demonstrates its commitment to customer content privacy. Further information on our sub-processors and their certifications can be found here: https://aws.amazon.com/compliance/gdpr-center/.
1. Physical access control
Processor is not using on-premises servers but cloud computing, currently AWS, to provide and execute the Software and to process data entered into the Software. Thereto the following is stated to ensure physical access control:
- For data security measures concerning the physical location of the servers where the BRYTER Software is located please refer to the Amazon Web Services (AWS) Technical and organizational measures as stated above.
- Electronic data storages are safely deleted after their usage.
- Entry to the office building by the public is prevented by doors that can only be opened with a key or an equivalent device; such areas are kept closed whenever access to the documents held there is not required.
2. User access control to data processing systems
To prevent unauthorized parties from using data processing systems.
Workstation computers are secured as follows:
- User login only through centrally controlled identity management system.
- Workstation computers are automatically locked after a certain idle time.
- Personal access code required to unlock computers.
Password policy:
- For administrative access (minimum requirements for password length and complexity, two-factor authentication).
- For employee access (minimum requirements for password length and complexity, two-factor authentication).
- For customer access (minimum requirements for password length and complexity).
3. Access control to personal data in data processing systems
To ensure that those authorized to use a data processing system can only access the data for which they are authorized and that data, especially personal data, is not subject to unauthorized viewing, copying, modification, or deletion when it is processed or used or after it is stored.
- Central rights management, separated for system access and application access.
- Controls to prevent users from changing their own rights.
- Controls to prevent users from requesting a change without the approval of the person in charge in accordance with the established approval process.
- External access restricted to VPN- or SSH-secured connections.
- Data encrypted for storage.
4. Separation control
To ensure that data collected for different purposes can be processed separately.
Separation of:
- Employee data.
- Customer contact data.
- Customer test data (project work, customer developments).
- Customer data in the BRYTER data center.
System level:
Customer data in the data center is administered in strict separation and in separate systems (databases, etc.) from BRYTER data (including the CRM system).
Different applications:
Customer data and employee data are processed using separate applications.
5. Measures for pseudonymization and encryption
To ensure that traceability of data to individuals is at least restricted.
- Privacy-by-design and privacy-by-default measures, including the appropriate training for product teams and based on the principles of avoiding and limiting data.
- All download/upload internet connections secured through either SSL/TLS or SSH.
Input control
To ensure that it is possible to subsequently check and determine whether and by whom data, especially personal data, was entered into data processing systems, modified, or deleted.
- Comprehensive logging by all systems that process personal data, making it possible to subsequently determine whether and by whom personal data was entered, modified, or removed.
- Personalized user accounts extending to the specialized applications.
- Separate system logs and application logs, ruling out manipulation of the application logs at the system level.
6. Order control
To ensure that personal data from orders can only be processed according to the client’s instructions.
- Regulation of instructions in principal service and data processing agreement.
- Administration of users and rights by client at application level.
- Transfer/entry of data by client, who decides which data is transferred and when.
- Access to this data limited to roles with corresponding access rights.
- Automated processing of data by certified software ensuring that data is processed in accordance with contracted procedure.
- Use of standardized contracts as stipulated by law for relations with customers and service providers.
- Inclusion of sub-processor with corresponding confidentiality, data processing, system access agreements.
7. Transmission control
To ensure that data, especially personal data, cannot be viewed, copied, modified, or deleted without authorization while it is transmitted electronically, transported, or saved to storage media and that it is possible to check and determine the intended destinations of data, especially personal data, transferred using data transmission equipment.
- All download/upload internet connections secured through either SSL/TLS or SSH.
- No local storage of personal data; all data stored centrally in the systems of BRYTER.
- External connections possible only through approved applications.
- External connections possible only through approved services.
- All remote data transfer connections logged wherever technically possible.
- Regulations for the disposal of waste with confidential content.
8. Availability
To ensure that data, especially personal data, is protected against random destruction or loss.
- Data encrypted for storage.
- All access authorizations and access rights of a person leaving the company are promptly blocked and if necessary deleted.
- All company-owned items relating to personal data are reclaimed from an individual leaving the company.
- Written data carriers are stored before and after dispatch in such a way that access is only possible for authorized persons.
- Regular testing of data security / backup systems, etc.
9. Resilience
To ensure that data processing systems are sufficiently resilient and robust.
- Inventory of processing activities with integrated assessment of consequences for data protection and assessment of the appropriateness of technical and organizational measures.
- Integration of privacy by design in product management:
Advanced controls can be triggered by the procedural manager together with the data protection officer for assessment of consequences for data protection (administration of processes including checks, coordination, analysis, and evaluation).
- Use of next-generation firewall.
- Monitoring to ensure early detection and at least limit or even prevent damage due to malware.
- For server-related resilience measures please refer to the Amazon Web Services (AWS) Technical and organizational measures.
- Incident Response Management.
10. Security Management
To ensure security during processing.
- Internal and external ISO 27001 audits.
- Regular checks of technical and organizational measures with responsible roles, including whether they reflect the state of the art.
- Management evaluations as a regular routine.
11. Measures to prevent concatenation
To ensure that data is used only for the purpose for which it was collected (purpose limitation principle).
- Use of role concept to limit processing, use, and transmission rights.
- Programmed omission or closure of interfaces in procedures and procedure components.
- Rules prohibiting backdoors, quality assurance audits to check compliance in software development.
- Functional separations based on role concept.
- Separations through role concepts with phased access rights based on identity management and a secure authentication process.
- Regular awareness training.
12. Personal Data Protection Management
To ensure that obligations to provide information are met.
- Data Protection Management System in place with reporting lines to senior management.
- Records of processing activities pursuant to Art. 30 GDPR (both as controller and as processor).
- Data privacy statement on BRYTER website.
- Detailed information outlined in data privacy portal of BRYTER.
- Documentation of contracts with internal employees, contracts with external service providers and third parties from whom data is collected or to whom data is transmitted.
Version: 5.0 (May 2024)
Amendments since last version: (1) Addition of a list of sub-processors for the BRYTER Automation Platform and the BRYTER AI Agents as Schedule 1; (2) addition of a list of technical and organizational data security measures with respect to BRYTER’s use of Amazon Web Services as Schedule 2.
BRYTER GmbH, Biebergasse 2, Frankfurt am Main, Germany (hereinafter “Processor“) and Customer (hereinafter “Controller“), together also referred to as the “Parties” and each also referred to as a “Party” hereby agree as follows:
1. Definitions
The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.
2. General provisions
2.1. Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2. Controller is the controller in accordance with Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3. Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA“) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4. The subject-matter of the processing is set out in the MSA.
2.5. The beginning and the duration of the processing depends on the duration of the MSA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1. The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | – Authorized User – End User, if a login is required | Functionality and security | 90 days as of last login |
First name | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Last name | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Email address | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Password | – Authorized User – End User, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | – Authorized User – End User | Functionality and security | 90 days as of last login |
3.2. Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations; Instructions
5.1. It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2. Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
5.3. Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4. Processor ensures that Controller, or a qualified third party instructed by Controller which is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid out in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
5.5. Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit or are not independent. Controller acknowledges that most of the Processing is done via cloud computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
5.6. Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7. Controller shall pay for any costs reasonably incurred through an onsite inspection by Controller according to section 5.4. or 5.5.
5.8. Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
6. Processor’s obligations
6.1. Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects in accordance with Art. 12 to 22 GDPR by Controller.
6.3. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4. Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
7. Processor’s notification obligations
7.1. Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against it, will not acknowledge claims of third parties without the consent of Controller, and will either conduct the defense at its own discretion in due collaboration with Controller or leave it to Controller.
7.2. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations in accordance with Art. 33 and 34 GDPR.
7.3. Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2. as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1. This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2. Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3. Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.
8.4. Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5. Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
8.6. Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose to unauthorized third parties any Professional Secrets of which they have become aware in the course of or on the occasion of their work.
9. Sub-processors.
9.1. By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.
9.2. Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof at any time during the term of the MSA (‘Sub-processor Notice’), provided that Controller signs up to a mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
9.3. Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4. Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5. Processor shall remain liable to Controller for its Sub-processors’ obligations.
9.6. Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7. Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries.
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9. of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures in accordance with Art. 32 GDPR.
11.1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2. Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures in accordance with Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3. Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
11.4. Controller is responsible to verify the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to circumstances of Processing.
12. Obligations of Processor after termination of the MSA.
12.1. After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2. However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5., the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability.
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions.
14.1. Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is in Controller’s sole property and area of responsibility, that the data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2. Section 12 (General Provisions) of the MSA shall apply accordingly to this DPA.
14.3. If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Schedule 1
List of Sub-processors for the BRYTER Automation Platform
Sub-processor | Service Provided | Corporate Location | Server Location | Type of data processed |
Amazon Web Services (AWS) EMEA SARL | Cloud Server | 8 Avenue John F. Kennedy, L-1855 Luxembourg | Frankfurt am Main (Germany) | See above 3.1 |
DataDog Inc. | Monitoring Tool | 620 8th Avenue, 45th Floor, New York, NY 10019-1741, USA | Frankfurt am Main (Germany) | IP address |
List of Sub-processors for the BRYTER Policy AI
Sub-processor | Service Provided | Corporate Location | Server Location | Type of data processed |
Amazon Web Services (AWS) EMEA SARL | Cloud Server | 8 Avenue John F. Kennedy, L-1855 Luxembourg | Frankfurt am Main (Germany) | See above 3.1 |
Microsoft Azure | Cloud Server | Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Co | Dublin (Ireland) | See above 3.1 |
DataDog Inc. | Monitoring Tool | 620 8th Avenue, 45th Floor, New York, NY 10019-1741, USA | Frankfurt am Main (Germany) | IP address |
Intercom R&D Unlimited Company | Customer Support | 3rd Floor, Stephens Court, 18-21 Saint Stephen’s Green, Dublin 2 | Dublin (Ireland) | Name and IP address |
Schedule 2
Technical and organizational measures
Usage of AWS
For data security measures concerning the servers where the BRYTER Software is located please refer to the Amazon Web Services (AWS) technical and organizational measures.
Amazon Web Services EMEA Sarl, 8 Avenue John F. Kennedy, L-1855 Luxembourg
All personal data is stored and processed in European data centers of our sub-processor Amazon Web Services (AWS). BRYTER has executed a Data Processing Addendum with AWS, namely the “AWS GDPR DATA PROCESSING ADDENDUM”. The agreement with AWS is an integral part of these technical and organizational measures. AWS is ISO 27001, 27017 and 27018 certified. ISO 27018 is a code of practice for the protection of personal data in the public cloud. It is based on the ISO 27002 information security standard and serves as a guideline for implementing the ISO 27002 controls that apply to personally identifiable information processed in the public cloud; it also adds controls and guidance for protection requirements of personal data that the ISO 27002 controls alone do not address. By complying with this internationally recognized standard, and by having that compliance independently reviewed, AWS maintains a system of controls specifically concerned with the protection of personal data and demonstrates its commitment to customer content privacy. Further information on our sub-processors and their certifications can be found here: https://aws.amazon.com/compliance/gdpr-center/.
1. Physical access control
Processor does not use on-premises servers but cloud computing, currently AWS, to provide and execute the Software and to process data entered into the Software. The following measures ensure physical access control:
- For data security measures concerning the physical location of the servers where the BRYTER Software is located, please refer to the Amazon Web Services (AWS) technical and organizational measures as stated above.
- Electronic storage media are securely erased after use.
- Public access to the office building is prevented by doors that open only with a key or an equivalent device; such areas are kept locked whenever access to the documents filed there is not required.
2. User access control to data processing systems
To prevent unauthorized parties from using data processing systems.
Workstation computers are secured as follows:
- User login only through centrally controlled identity management system.
- Workstation computers are automatically locked after a certain idle time.
- Personal access code required to unlock computers.
Password policy:
- For administrative access (minimum requirements for password length and complexity, two-factor authentication).
- For employee access (minimum requirements for password length and complexity, two-factor authentication).
- For customer access (minimum requirements for password length and complexity).
3. Access control to personal data in data processing systems
To ensure that those authorized to use a data processing system can only access the data for which they are authorized and that data, especially personal data, is not subject to unauthorized viewing, copying, modification, or deletion when it is processed or used or after it is stored.
- Central rights management, separated for system access and application access.
- Controls to prevent users from changing their own rights.
- Controls to prevent users from requesting a change without the approval of the person in charge in accordance with the established approval process.
- External access restricted to VPN- or SSH-secured connections.
- Data encrypted for storage.
4. Separation control
To ensure that data collected for different purposes can be processed separately.
Separation of:
- Employee data.
- Customer contact data.
- Customer test data (project work, customer developments).
- Customer data in the BRYTER data center.
System level:
Customer data in the data center is administered in strict separation, in separate systems (databases, etc.), from BRYTER data (including the CRM system).
Different applications:
Customer data and employee data is processed using separate applications.
5. Measures for pseudonymization and encryption
To ensure that traceability of data to individuals is at least restricted.
- Privacy-by-design and privacy-by-default measures, including the appropriate training for product teams and based on the principles of avoiding and limiting data.
- All download/upload internet connections secured through either SSL/TLS or SSH.
Input control
To ensure that it is possible to subsequently check and determine whether and by whom data, especially personal data, was entered into data processing systems, modified, or deleted.
- Comprehensive logging by all systems that process personal data, making it possible to subsequently determine whether and by whom personal data was entered, modified, or removed.
- Personalized user accounts extending to the specialized applications.
- Separate system logs and application logs, ruling out manipulation of the application logs at the system level.
6. Order control
To ensure that personal data from orders can only be processed according to the client’s instructions.
- Regulation of instructions in principal service and data processing agreement.
- Administration of users and rights by client at application level.
- Transfer/entry of data by client, who decides which data is transferred and when.
- Access to this data limited to roles with corresponding access rights.
- Automated processing of data by certified software ensuring that data is processed in accordance with contracted procedure.
- Use of standardized contracts as stipulated by law for relations with customers and service providers.
- Inclusion of sub-processor with corresponding confidentiality, data processing, system access agreements.
7. Transmission control
To ensure that data, especially personal data, cannot be viewed, copied, modified, or deleted without authorization while it is transmitted electronically, transported, or saved to storage media and that it is possible to check and determine the intended destinations of data, especially personal data, transferred using data transmission equipment.
- All download/upload internet connections secured through either SSL/TLS or SSH.
- No local storage of personal data; all data stored centrally in the systems of BRYTER.
- External connections possible only through approved applications.
- External connections possible only through approved services.
- All remote data transfer connections logged wherever technically possible.
- Regulations for the disposal of waste with confidential content.
8. Availability
To ensure that data, especially personal data, is protected against random destruction or loss.
- Data encrypted for storage.
- All access authorizations and access rights of a person leaving the company are promptly blocked and if necessary deleted.
- All company-owned items relating to personal data are reclaimed from an individual leaving the company.
- Data carriers are stored before and after dispatch in such a way that access is only possible for authorized persons.
- Regular testing of data security / backup systems, etc.
9. Resilience
To ensure that data processing systems are sufficiently resilient and robust.
- Inventory of processing activities with integrated assessment of consequences for data protection and assessment of the appropriateness of technical and organizational measures.
- Integration of privacy by design in product management: advanced controls can be triggered by the procedural manager together with the data protection officer for an assessment of consequences for data protection (administration of processes including checks, coordination, analysis, and evaluation).
- Use of next-generation firewall.
- Monitoring to ensure early detection and at least limit or even prevent damage due to malware.
- For server-related resilience measures please refer to the Amazon Web Services (AWS) technical and organizational measures.
- Incident Response Management.
10. Security Management
To ensure security during processing.
- Internal and external ISO 27001 audits.
- Regular checks of technical and organizational measures with responsible roles, including whether they reflect the state of the art.
- Management evaluations as a regular routine.
11. Measures to prevent linkage of data (unlinkability)
To ensure that data is used only for the purpose for which it was collected (purpose limitation principle).
- Use of role concept to limit processing, use, and transmission rights.
- Programmed omission or closure of interfaces in procedures and procedure components.
- Rules prohibiting backdoors, quality assurance audits to check compliance in software development.
- Functional separations based on role concept.
- Separations through role concepts with phased access rights based on identity management and a secure authentication process.
- Regular awareness training.
12. Personal Data Protection Management
To ensure that obligations to provide information are met.
- Data Protection Management System in place with reporting lines to senior management.
- Records of processing activities pursuant to Art. 30 GDPR (both as controller and as processor).
- Data privacy statement on BRYTER website.
- Detailed information outlined in data privacy portal of BRYTER.
- Documentation of contracts with internal employees, contracts with external service providers and third parties from whom data is collected or to whom data is transmitted.
Version: 4.2 (March 2024)
between
Customer as defined in the MSA (hereinafter “Controller“)
and
BRYTER GmbH, Biebergasse 2, 60313 Frankfurt am Main, Germany (hereinafter “Processor“)
(together also referred to as the “Parties” and each also referred to as a “Party“)
1. Definitions
The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.
2. General provisions
2.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3 Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4 The subject-matter of the processing is set out in the MSA.
2.5 The beginning and the duration of the processing depends on the duration of the MSA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | Authorized Users; End User, if a login is required | Functionality and security | 90 days as of last login |
First name | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Last name | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Email address | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Password | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | Authorized Users; End User | Functionality and security | 90 days as of last login |
3.2 Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations; Instructions
5.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2 Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
5.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
5.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
5.6 Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7 Controller shall pay for any costs reasonably incurred by Processor through an onsite inspection by Controller according to section 5.4 or 5.5.
5.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
6. Processor’s obligations
6.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects according to Art. 12 to 22 GDPR by Controller
6.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
7. Processor’s notification obligations
7.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
7.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
7.3 Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2 as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2 Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.
8.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
8.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose to unauthorized third parties any Professional Secrets of which they have become aware in the course of or on the occasion of their work.
9. Sub-processors
9.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.
9.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall inform Controller by written notice (‘Sub-processor Notice’) prior to the use of additional Sub-processors or the replacement of Sub-processors at any time during the term of the MSA, provided that Controller has signed up to the mailing list via subprocessors@bryter.io through which such notices are delivered by e-mail.
9.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5 Processor shall remain liable to Controller for its Sub-processors’ obligations.
9.6 Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, the Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures according to Art. 32 GDPR
11.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
11.4 Controller is responsible to verify the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to circumstances of Processing.
12. Obligations of Processor after termination of the MSA.
12.1 After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions
14.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is in Controller’s sole property and area of responsibility, that such data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.
14.3 If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Version: 4.1 (February 2024)
Amendments since last version: (1) Clarification that the type of Personal Data that will be processed with Processor’s Software in addition to the data set out in section 3.1 is the sole responsibility of the Controller; (2) clarification that Processor might use different sub-processors.
between
Customer as defined in the MSA (hereinafter “Controller”)
and
BRYTER GmbH, Biebergasse 2, 60313 Frankfurt am Main, Germany (hereinafter “Processor”)
(together also referred to as the “Parties” and each also referred to as a “Party”)
1. Definitions
The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.
2. General provisions
2.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3 Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4 The subject-matter of the processing is set out in the MSA.
2.5 The beginning and the duration of the processing depends on the duration of the MSA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | Authorized Users; End Users, if a login is required | Functionality and security | 90 days as of last login |
First name | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Last name | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Email address | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Password | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | Authorized Users; End Users | Functionality and security | 90 days as of last login |
3.2 Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations; Instructions
5.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA, this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2 Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
5.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
5.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
5.6 Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7 Controller shall pay any costs reasonably incurred by Processor as a result of an onsite inspection by Controller according to section 5.4 or 5.5.
5.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
6. Processor’s obligations
6.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Controller’s obligations to respond to requests for exercising the data subjects’ rights according to Art. 12 to 22 GDPR.
6.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
7. Processor’s notification obligations
7.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
7.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
7.3 Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2, as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2 Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.
8.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
8.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose any Professional Secrets of which they have become aware in the course of or on the occasion of their work to unauthorized third parties.
9. Sub-processors
9.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.
9.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof at any time during the term of the MSA (‘Sub-processor Notice’), provided that Controller signs up to a mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
9.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5 Processor shall remain liable to Controller for its Sub-processors’ obligations.
9.6 By executing this DPA, Controller agrees to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, the Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures according to Art. 32 GDPR
11.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
11.4 Controller is responsible for verifying the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to the circumstances of the Processing.
12. Obligations of Processor after termination of the MSA
12.1 After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions
14.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is in Controller’s sole property and area of responsibility, that such data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.
14.3 If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Version: 4.0 (January 2024)
Amendment since last version: Replacement of the term “BRYTER Automation Platform” with “BRYTER Software”.
between
Customer as defined in the MSA (hereinafter “Controller”)
and
BRYTER GmbH, Biebergasse 2, 60313 Frankfurt am Main, Germany (hereinafter “Processor”)
(together also referred to as the “Parties” and each also referred to as a “Party”)
1. Definitions
The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.
2. General provisions
2.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3 Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4 The subject-matter of the processing is set out in the MSA.
2.5 The beginning and the duration of the processing depends on the duration of the MSA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | Authorized Users; End Users, if a login is required | Functionality and security | 90 days as of last login |
First name | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Last name | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Email address | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Password | Authorized Users; End Users, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | Authorized Users; End Users | Functionality and security | 90 days as of last login |
Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations; Instructions
5.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA, this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2 Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
5.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
5.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
5.6 Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7 Controller shall pay any costs reasonably incurred by Processor as a result of an onsite inspection by Controller according to section 5.4 or 5.5.
5.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
6. Processor’s obligations
6.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Controller’s obligations to respond to requests for exercising the data subjects’ rights according to Art. 12 to 22 GDPR.
6.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process such data only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
7. Processor’s notification obligations
7.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
7.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
7.3 Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2, as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2 Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.
8.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
8.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose any Professional Secrets of which they have become aware in the course of or on the occasion of their work to unauthorized third parties.
9. Sub-processors
9.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1.
9.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof at any time during the term of the MSA (‘Sub-processor Notice’), provided that Controller signs up to a mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
9.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5 Processor shall remain liable to Controller for its Sub-processors’ obligations.
9.6 By executing this DPA, Controller agrees to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, the Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures according to Art. 32 GDPR
11.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, he will inform Controller of such changes in advance.
11.4 Controller is responsible to verify the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to circumstances of Processing.
12. Obligations of Processor after termination of the MSA.
12.1 After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions
14.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Controller’s sole property and area of responsibility, that data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.
If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Version: 3.1 (October 2023)
Amendments since last version: (1) Change of BRYTER GmbH’s business address to Biebergasse 2, 60313 Frankfurt am Main, Germany; (2) integration of the terms “End User” and “Authorized User”; (3) deletion of the authorization to conclude EU standard contractual clauses and UK international data transfer agreements for international data transfers in favor of a general reference to the GDPR.
between
Customer as defined in the MSA (hereinafter “Controller”)
and
BRYTER GmbH, Biebergasse 2, 60313 Frankfurt am Main, Germany (hereinafter “Processor”)
(together also referred to as the “Parties” and each also referred to as a “Party”)
1. Definitions
The capitalized terms used in this data processing addendum (“DPA”) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.
2. General provisions
2.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
2.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.
2.3 Processor processes personal data on behalf of Controller for the delivery of the BRYTER Automation Platform within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.
2.4 The subject-matter of the processing is set out in the MSA.
2.5 The beginning and the duration of the processing depends on the duration of the MSA.
3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
3.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | Authorized Users; End User, if a login is required | Functionality and security | 90 days as of last login |
First name | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Last name | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Email address | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Password | Authorized Users; End User, if a login is required | Functionality and security | Until termination of MSA |
Encrypted IP address | Authorized Users; End User | Functionality and security | 90 days as of last login |
Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed.
4. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
5. Controller’s rights and obligations; Instructions
5.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects´ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
5.2 Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
5.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
5.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
5.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see Schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
5.6 Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.7 Controller shall pay for any costs reasonably incurred by an onsite inspection by Controller according to section 5.4 or 5.5.
5.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
6. Processor’s obligations
6.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects according to Art. 12 to 22 GDPR by Controller.
6.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
6.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
7. Processor’s notification obligations
7.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
7.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
7.3 Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2 as far as the obligation does not arise due to a violation of data protection law by Processor.
8. Processor’s obligation to maintain professional secrecy
8.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.
8.2 Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
8.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.
8.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
8.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
8.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose any Professional Secrets of which they have become aware in the course of or on the occasion of their work to unauthorized third parties.
9. Sub-processors
9.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1.
9.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof any time during the term of the MSA (‘Sub-processor Notice’), provided that Controller signs up to a mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
9.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such contradiction exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.
9.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
9.5 Processor shall remain liable to Controller for its Sub-processors´ obligations.
9.6 Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
9.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, the Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.
10. Transfer of Personal Data to third countries
Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.
11. Technical and organizational measures according to Art. 32 GDPR
11.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
11.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.
11.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, he will inform Controller of such changes in advance.
11.4 Controller is responsible to verify the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to circumstances of Processing.
12. Obligations of Processor after termination of the MSA.
12.1 After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
12.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
13. Liability
Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
14. Final provisions
14.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Controller’s sole property and area of responsibility, that data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
14.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.
If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Version: 3.0 (June 2023)
between
Customer as defined in the MSA (hereinafter “Controller”)
and
BRYTER GmbH, Linienstr. 71, 10119 Berlin, Germany (hereinafter “Processor”)
(together also referred to as the “Parties” and each also referred to as a “Party”)
1. General provisions
1.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
1.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor according to Article 4 no. 8 of the GDPR.
1.3 Processor processes personal data on behalf of Controller for the delivery of the automation platform BRYTER within the meaning of the Master Subscription Agreement and agreements incorporating it (jointly referred to as “Main Agreement”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this Data Processing Agreement (“DPA”).
1.4 The subject-matter of the processing is set out in the Main Agreement.
1.5 The beginning and the duration of the processing depends on the duration of the Main Agreement.
2. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
2.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the Main Agreement. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | Authorized Users; End User, if a login is required | Functionality and security | 90 days as of last login |
First name | Authorized Users; End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Last name | Authorized Users; End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Email address | Authorized Users; End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Password | Authorized Users; End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Encrypted IP address | Authorized Users; End User | Functionality and security | 90 days as of last login |
2.2 Additionally, Controller may use Processor’s Software to build custom Applications. Such Applications may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the User. Processor has no influence on the scope of such additional Personal Data being processed as it solely depends on the Applications built by Controller.
3. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the Main Agreement. Within the scope of the Main Agreement, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
4. Controller’s rights and obligations; Instructions
4.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the Main Agreement this includes the handling of data subjects´ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.
4.2 Controller’s Instructions are set out in the Main Agreement. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
4.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
4.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).
4.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see Schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
4.6 Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
4.7 Controller shall pay for any costs reasonably incurred by an onsite inspection by Controller according to section 4.4 or 4.5.
4.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
5. Processor’s obligations
5.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects according to Art. 12 to 22 GDPR by Controller.
5.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
5.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
6. Processor’s notification obligations
6.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
6.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
6.3 Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 6.2 as far as the obligation does not arise due to a violation of data protection law by Processor.
7. Processor’s obligation to maintain professional secrecy
7.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.
7.2 Under the Main Agreement and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
7.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the Main Agreement.
7.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
7.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
7.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose any Professional Secrets of which they have become aware in the course of or on the occasion of their work to unauthorized third parties.
8. Sub-processors
8.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1.
8.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof any time during the term of the Main Agreement (‘Sub-processor Notice’), provided that Controller signs up to a mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
8.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such contradiction exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the Main Agreement without the use of the respective Sub-processor or to terminate the Main Agreement at the time of the planned use of the respective Sub-processor.
8.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
8.5 Processor shall remain liable to Controller for its Sub-processors´ obligations.
8.6 Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
8.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, Processor shall be entitled to terminate the Main Agreement and this DPA, as well as any other potential agreement between the Parties, extraordinarily and with immediate effect. In case of such termination, Processor is entitled to demand the full fees payable by Controller under the Main Agreement or any other agreement that is terminated for the full term agreed upon between the Parties.
9. Transfer of Personal Data to third countries
Personal Data shall generally be processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or in the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and the UK or to have it processed by Sub-processors in accordance with Section 8 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists. If the conclusion of EU standard contractual clauses (“SCC”) and/or a UK international data transfer agreement (“IDTA”) or international data transfer addendum to the SCC between Sub-processors and Controller is required for this purpose, Controller hereby authorizes Processor to conclude these on Controller’s behalf with the respective Sub-processors. If this is not practically possible, Processor shall conclude them with the respective Sub-processors directly and shall, without undue delay, enforce against the Sub-processor all Instructions and rights to which the data exporter is entitled under them and assign such rights to Controller upon request.
10. Technical and organizational measures according to Art. 32 GDPR
10.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
10.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the Main Agreement.
10.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
10.4 Controller is responsible for verifying the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to the circumstances of the Processing.
11. Obligations of Processor after termination of the Main Agreement
11.1 After termination of the Main Agreement, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing that are in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
11.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 1.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
12. Liability
Any provisions on the Parties’ liability set out in the Main Agreement shall also apply to the Processing under this DPA, unless expressly agreed upon otherwise.
13. Final provisions
13.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is Controller’s sole property and area of responsibility, that the data is at Controller’s sole disposition, and that Controller is the responsible body within the meaning of the GDPR.
13.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.
13.3 If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Definitions
“Personal Data” has the meaning according to Article 4 no. 1 of the General Data Protection Regulation (GDPR).
“Processing” has the meaning according to Article 4 no. 2 of the General Data Protection Regulation (GDPR).
“Professional Secrets” means data that is subject to professional secrecy obligations (“Berufsgeheimnis”) under Section 203 of the German Criminal Code.
“Instruction” means an instruction issued by Controller to Processor, directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Application” has the meaning given in the Main Agreement.
“Software” is the software provided by the Processor as set out in the Main Agreement.
“Sub-processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Main Agreement.
“Authorized User” means a person at Controller to whom Controller grants access authorization to use, change and publish the Processor Software to build applications as agreed on in the Main Agreement.
“End User” means each person using applications built by an Authorized User through a frontend interface.
“User” means both Authorized User and End User.
Version: 2.3 (March 2023)
between
Customer as defined in the MSA (hereinafter “Controller“)
and
BRYTER GmbH, Linienstr. 71, 10119 Berlin, Germany (hereinafter “Processor”)
(together also referred to as the “Parties” and each also referred to as a “Party“)
1. General provisions
1.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
1.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor according to Article 4 no. 8 of the GDPR.
1.3 Processor processes personal data on behalf of Controller for the delivery of the automation platform BRYTER within the meaning of the Master Subscription Agreement and agreements incorporating it (jointly referred to as “Main Agreement”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this Data Processing Agreement (“DPA”).
1.4 The subject-matter of the processing is set out in the Main Agreement.
1.5 The beginning and the duration of the processing depend on the duration of the Main Agreement.
2. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
2.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the Main Agreement. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | · Authorized Users · End User, if a login is required | Functionality and security | 90 days as of last login |
First name | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Last name | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Email address | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Password | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Encrypted IP address | · Authorized Users · End User | Functionality and security | 90 days as of last login |
2.2 Additionally, Controller may use Processor’s Software to build custom Applications. Such Applications may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the User. Processor has no influence on the scope of such additional Personal Data being processed as it solely depends on the Applications built by Controller.
3. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the Main Agreement. Within the scope of the Main Agreement, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
4. Controller’s rights and obligations; Instructions
4.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. Unless set out differently in the Main Agreement, this includes the handling of data subjects’ rights requests. Processor shall immediately forward to Controller any such request discernibly addressed to Controller.
4.2 Controller’s Instructions are set out in the Main Agreement. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
4.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
4.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing, by making available all necessary information and contributing to audits (including onsite inspections).
4.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall, absent a valid reason, not take place more than once per calendar year and only during Processor’s normal business hours. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see Schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
4.6 Controller shall immediately inform Processor if errors or irregularities are detected during the examination.
4.7 Controller shall pay for any costs reasonably incurred through an onsite inspection by Controller according to Section 4.4 or 4.5.
4.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
5. Processor’s obligations
5.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment by Controller of the rights of data subjects according to Art. 12 to 22 GDPR.
5.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
5.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound by adequate contractual or statutory confidentiality obligations, shall inform them of all relevant data protection obligations according to this DPA and shall take steps to ensure that they process such data only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
6. Processor’s notification obligations
6.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against it, will not acknowledge claims of third parties without the consent of Controller, and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.
6.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
6.3 Controller shall pay for any costs that are not insignificant and that are incurred through Controller’s use of Processor’s support obligation according to Section 6.2, insofar as the obligation does not arise from a violation of data protection law by Processor.
7. Processor’s obligation to maintain professional secrecy
7.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.
7.2 Under the Main Agreement and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.
7.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the Main Agreement.
7.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
7.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
7.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose to unauthorized third parties any Professional Secrets of which they have become aware in the course of or on the occasion of their work.
8. Sub-processors
8.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1.
8.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or the replacement of Sub-processors, inform Controller thereof by written notice at any time during the term of the Main Agreement (‘Sub-processor Notice’), provided that Controller signs up to a mailing list via subprocessors@bryter.io, through which such notices will be delivered by e-mail.
8.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled, at its choice, to provide the services under the Main Agreement without the use of the respective Sub-processor or to terminate the Main Agreement at the time of the planned use of the respective Sub-processor.
8.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
8.5 Processor shall remain liable to Controller for its Sub-processors’ obligations.
8.6 Controller agrees, upon execution of this DPA, to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS, the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
8.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, Processor shall be entitled to terminate the Main Agreement and this DPA, as well as any other potential agreement between the Parties, extraordinarily and with immediate effect. In case of such termination, Processor is entitled to demand the full fees payable by Controller under the Main Agreement or any other agreement that is terminated for the full term agreed upon between the Parties.
9. Transfer of Personal Data to third countries
Personal Data shall generally be processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or in the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and the UK or to have it processed by Sub-processors in accordance with Section 8 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists. If the conclusion of EU standard contractual clauses (“SCC”) and/or a UK international data transfer agreement (“IDTA”) or international data transfer addendum to the SCC between Sub-processors and Controller is required for this purpose, Controller hereby authorizes Processor to conclude these on Controller’s behalf with the respective Sub-processors. If this is not practically possible, Processor shall conclude them with the respective Sub-processors directly and shall, without undue delay, enforce against the Sub-processor all Instructions and rights to which the data exporter is entitled under them and assign such rights to Controller upon request.
10. Technical and organizational measures according to Art. 32 GDPR
10.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
10.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the Main Agreement.
10.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
10.4 Controller is responsible for verifying the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to the circumstances of the Processing.
11. Obligations of Processor after termination of the Main Agreement
11.1 After termination of the Main Agreement, Processor shall, at Controller’s choice, delete in accordance with data protection regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing that are in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
11.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 1.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
12. Liability
Any provisions on the Parties’ liability set out in the Main Agreement shall also apply to the Processing under this DPA, unless expressly agreed upon otherwise.
13. Final provisions
13.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is Controller’s sole property and area of responsibility, that the data is at Controller’s sole disposition, and that Controller is the responsible body within the meaning of the GDPR.
13.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.
13.3 If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Definitions
“Personal Data” has the meaning according to Article 4 no. 1 of the General Data Protection Regulation (GDPR).
“Processing” has the meaning according to Article 4 no. 2 of the General Data Protection Regulation (GDPR).
“Professional Secrets” means data that is subject to professional secrecy obligations (“Berufsgeheimnis”) under Section 203 of the German Criminal Code.
“Instruction” means an instruction issued by Controller to Processor, directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Application” has the meaning given in the Main Agreement.
“Software” is the software provided by the Processor as set out in the Main Agreement.
“Sub-processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Main Agreement.
“Authorized User” means a person at Controller to whom Controller grants access authorization to use, change and publish the Processor Software to build applications as agreed on in the Main Agreement.
“End User” means each person using applications built by an Authorized User through a frontend interface.
“User” means both Authorized User and End User.
Version: 2.2 (February 2023)
between
Customer as defined in the MSA (hereinafter “Controller“)
and
BRYTER GmbH, Linienstr. 71, 10119 Berlin, Germany (hereinafter “Processor”)
(together also referred to as the “Parties” and each also referred to as a “Party“)
1. General provisions
1.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.
1.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor according to Article 4 no. 8 of the GDPR.
1.3 Processor processes personal data on behalf of Controller for the delivery of the automation platform BRYTER within the meaning of the Master Subscription Agreement and agreements incorporating it (jointly referred to as “Main Agreement”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this Data Processing Agreement (“DPA”).
1.4 The subject-matter of the processing is set out in the Main Agreement.
1.5 The beginning and the duration of the processing depend on the duration of the Main Agreement.
2. Nature and purpose of the Processing, type of Personal Data and categories of data subjects
2.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the Main Agreement. Specifically, Processing shall include the following Personal Data:
Type of Personal Data | Categories of subjects affected | Purpose of Processing | Duration of Processing |
IP address | · Authorized Users · End User, if a login is required | Functionality and security | 90 days as of last login |
First name | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Last name | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Email address | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Password | · Authorized Users · End User, if a login is required | Functionality and security | Until termination of Main Agreement |
Encrypted IP address | · Authorized Users · End User | Functionality and security | 90 days as of last login |
2.2 Additionally, Controller may use Processor’s Software to build custom Applications. Such Applications may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the User. Processor has no influence on the scope of such additional Personal Data being processed as it solely depends on the Applications built by Controller.
3. Scope and Responsibility
Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the Main Agreement. Within the scope of the Main Agreement, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).
4. Controller’s rights and obligations; Instructions
4.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. Unless set out differently in the Main Agreement, this includes the handling of data subjects’ rights requests. Processor shall immediately forward to Controller any such request discernibly addressed to Controller.
4.2 Controller’s Instructions are set out in the Main Agreement. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.
4.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
4.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing, by making available all necessary information and contributing to audits (including onsite inspections).
4.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall, absent a valid reason, not take place more than once per calendar year and only during Processor’s normal business hours. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see Schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.
4.6 Controller shall immediately inform Processor if errors or irregularities are detected during the examination.
4.7 Controller shall pay for any costs reasonably incurred through an onsite inspection by Controller according to Section 4.4 or 4.5.
4.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.
5. Processor’s obligations
5.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment by Controller of the rights of data subjects according to Art. 12 to 22 GDPR.
5.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.
5.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound by adequate contractual or statutory confidentiality obligations, shall inform such persons of all relevant data protection obligations under this DPA and shall take steps to ensure that they process the Personal Data only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.
6. Processor’s notification obligations
6.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller of any damages and costs claimed against it, will not acknowledge claims of third parties without the consent of Controller, and will either conduct the defense at its own discretion in due collaboration with Controller or leave the defense to Controller.
6.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
6.3 Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 6.2 as far as the obligation does not arise due to a violation of data protection law by Processor.
7. Processor’s obligation to maintain professional secrecy
7.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.
7.2 Under the Main Agreement and this DPA, Processor may process Professional Secrets. Controller shall be responsible for assessing whether any data provided to Processor is deemed a Professional Secret and for notifying Processor accordingly.
7.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the Main Agreement.
7.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.
7.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.
7.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets have undertaken in writing (digitally sufficient) not to disclose to unauthorized third parties, without authorization, any Professional Secrets of which they have become aware in the course of or on the occasion of their work.
8. Sub-processors
8.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1.
8.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Prior to the use of additional Sub-processors or the replacement of Sub-processors, Processor shall give Controller written notice thereof (‘Sub-processor Notice’) at any time during the term of the Main Agreement, provided that Controller has signed up to the mailing list via subprocessors@bryter.io through which such notices are delivered by e-mail.
8.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such objection exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled, at its choice, to provide the services under the Main Agreement without the use of the respective Sub-processor or to terminate the Main Agreement at the time of the planned use of the respective Sub-processor.
8.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.
8.5 Processor shall remain liable to Controller for its Sub-processors’ obligations.
8.6 Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.
8.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the services carried out by Processor. If Controller withdraws its agreement to the use of AWS (or a substitute Sub-processor) as a Sub-processor, Processor shall be entitled to terminate the Main Agreement and this DPA, as well as any other agreement between the Parties, for cause with immediate effect. In case of such termination, Processor is entitled to demand the full fees payable by Controller under the Main Agreement or any other agreement so terminated for the full term agreed upon between the Parties.
9. Transfer of Personal Data to third countries
Personal Data shall generally be processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or in the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and the UK, or to have it processed there by Sub-processors in accordance with Section 8 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR applies. If the conclusion of EU standard contractual clauses (“SCC”) and/or a UK international data transfer agreement (“IDTA”) or international data transfer addendum to the SCC between Sub-processors and Controller is required for this purpose, Controller hereby authorizes Processor to conclude these on Controller’s behalf with the respective Sub-processors. If this is not practically possible, Processor shall conclude them with the respective Sub-processors directly and shall, without undue delay, enforce against the Sub-processor all Instructions and rights to which the data exporter is entitled under them and assign such rights to Controller upon request.
10. Technical and organizational measures according to Art. 32 GDPR
10.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.
10.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the Main Agreement.
10.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, it will inform Controller of such changes in advance.
10.4 Controller is responsible for verifying the technical and organizational measures taken by Processor, in particular whether they are sufficient with regard to the circumstances of the Processing.
11. Obligations of Processor after termination of the Main Agreement
11.1 After termination of the Main Agreement, Processor shall, at Controller’s choice, either delete in accordance with data protection regulations, or return and then delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing that are in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.
11.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 1.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.
12. Liability
Any provisions on the Parties’ liability set out in the Main Agreement shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.
13. Final provisions
13.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Controller’s sole property and area of responsibility, that data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
13.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.
13.3 If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
Definitions
“Personal Data” has the meaning according to Article 4 no. 1 of the General Data Protection Regulation (GDPR).
“Processing” has the meaning according to Article 4 no. 2 of the General Data Protection Regulation (GDPR).
“Professional Secrets” means data that is subject to professional secrecy obligations (“Berufsgeheimnis”) under Section 203 of the German Criminal Code.
“Instruction” means an instruction issued by Controller to Processor, directing Processor to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deleting or making available).
“Application” has the meaning given in the Main Agreement.
“Software” is the software provided by the Processor as set out in the Main Agreement.
“Sub-processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Main Agreement.
“Authorized User” means a person at Controller to whom Controller grants access authorization to use, change and publish the Processor Software to build applications as agreed on in the Main Agreement.
“End User” means each person using applications built by Authorized User through a frontend interface.
“User” means both Authorized User and End User.
Version: 2.1 (November 2022)