Data Processing Agreement

Contract for commissioned processing of personal data in accordance with the EU General Data Protection Regulation (DPA)

This Data Processing Agreement (“DPA”) governs your („Customer“) relationship with www.moderan.net website (the “Service”) operated by Moderan Solutions OÜ (“Contractor”).

Please read the DPA carefully before using the Service.

Your access to and use of the Service is conditioned on your acceptance of and compliance with the DPA. The DPA apply to all visitors, users and others who access or use the Service.

By accessing or using the Service you agree to be bound by the DPA. If you disagree with any part of the terms then you may not access the Service.

1 Scope and Responsibility

(1) This contract applies to all activities related to the fulfilment of the General Terms and Conditions and the Special Conditions for the use of Moderan and in which the Contractor or persons commissioned by the Contractor may process the personal data of the data subjects of the Customer. The Contractor collects and processes personal data on behalf of and according to the instructions of the Customer. As the responsible party within the meaning of Art. 4 (7) GDPR (General Data Protection Regulation 2016/679), the Customer is solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor and for the lawfulness of the data processing.

(2) The Parties conclude this Agreement to specify the mutual rights and obligations regarding data protection. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Service Agreement to the extent that they refer to data protection.

2 Subject and Duration of Processing

(1) At the time of concluding this Contract, certain amount of data is processed by the Contractor. The type and scope of the data processing shall also be determined by the type and scope of the use of the Moderan software by the Customer. The Customer is responsible for providing the Contractor the personal data of the data subjects in good time for the provision of services in accordance with the agreements concluded, and is responsible for the quality of this personal data.

(2) The processing is based on Moderan’s General Terms and Conditions, the validity of which the Customer acknowledges by using the service, as well as on the Special Conditions for the use of Moderan agreed between the Parties.

(3) The processing shall commence on with the start of using Moderan and shall continue for an indefinite period until termination of this Contract or termination of the User Relationship by either Party

3 Customer’s right to issue instructions

(1) The Contractor may collect and process data within the limits of this Contract and in accordance with the Customer’s instructions.

(2) Additional instructions may initially be defined in the Special Terms and Conditions for the Use of Moderan. Thereafter, these may be amended, supplemented or replaced by the Customer only in writing. Instructions that go beyond the contractually agreed service shall be treated as a request for a change in service. Verbal instructions shall be confirmed immediately in written form. The Customer shall be entitled to issue corresponding instructions at any time.

(3) The Contractor may anonymise data on the use of the online software for the purpose of statistical evaluation and product improvement and use it in anonymised form for its own purposes.

(4) All issued instructions shall be documented by the Customer.

(5) If the Contractor thinks that an individual instruction violates applicable data protection law, it shall notify the Customer thereof without undue delay. The Contractor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Customer.

4 Control Rights of the Customer

(1) The Customer may audit the Contractor’s compliance to the obligations pursuant to Article 28 of the GDPR prior to the commencement of data processing and thereafter on a regular basis. The Customer may obtain information from the Contractor or, in principle, after making and coordinating an appointment in good time, personally inspect or have inspected by a competent third party the Contractor’s compliance during normal business hours without disrupting operations, provided that the third party is not in a competitive relationship with the Contractor. This right is limited to a reasonable and necessary extent.

(2) The Contractor agrees to provide the Customer, upon written request and within a reasonable period of time, information and evidence reasonably required to carry out an inspection.

(3) The Contractor is authorised, at its own discretion and taking into account the statutory provisions, not to disclose sensitive information regarding Contractor’s business or any information where the Contractor would violate statutory or other contractual regulations by disclosing it. The Customer is not entitled to have access to the data or information of other customers of the Contractor, to information regarding the costs – unless these form the basis of the expenditure directly reimbursable by the Customer – of quality audit and contract management reports as well as to all other confidential information of the Contractor which are not directly relevant to the agreed inspection purposes.

(4) The Customer shall inform the Contractor in good time (as a rule at least four weeks in advance) of all circumstances connected with the performance of the inspection.

(5) The Contractor may demand compensation from the Customer for enabling the inspection, according to the time and effort involved. The amount shall be determined in accordance with the hourly rates for consultancy services customary for the Contractor at the time of the inspection.

(6) If the Customer appoints a third party to carry out the inspection, the Contractor shall extend to the respective third party the obligations of the Customer pursuant to this Contract. In addition, the Customer shall oblige the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. At the request of the Contractor, the Customer shall submit to the Contractor the agreements proving the third party’s obligations. The Customer may not appoint a competitor of the Contractor to carry out the inspection.

5 Rights and Obligations of the Contractor

(1) The Contractor shall process personal data only as contractually agreed or as instructed by the Customer, unless the Contractor is legally obliged to carry out a specific processing operation. If such obligations exist for the Contractor, the Contractor shall notify the Customer thereof prior to the processing, unless the Contractor is prohibited by law from such notification.

(2) The Contractor confirms that it is aware of the relevant general data protection regulations. The Contractor shall observe the principles of proper data processing.

(3) The Contractor is obliged to strictly maintain confidentiality during processing of personal data. The confidentiality/non-disclosure obligation shall continue to exist after termination of the order.

(4) Persons who may obtain knowledge of the data processed on behalf of the Customer are required to commit themselves in written form to confidentiality, insofar as they are not already subject to a relevant confidentiality obligation by law. The duty of confidentiality shall continue to apply for a reasonable period after termination of the employment relationship with the relevant persons.

(5) The Contractor warrants that the persons employed by the Contractor for processing have been made familiar with the relevant provisions of data protection and this contract before the start of the processing. The Contractor ensures that persons deployed for commissioned processing are adequately instructed and monitored with regard to compliance with the data protection requirements on an ongoing basis.

(6) In connection with the commissioned processing, the Contractor shall support the Customer to the necessary extent in fulfilling its obligations under data protection law, specifically as stated in the GDPR Art. 28 (3).

(7) If the Customer is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against the Customer, the Contractor is obliged to support the Customer to the necessary extent, insofar as the processing under this Contract is affected.

(8) The Contractor may only provide information to third parties or those affected with the prior consent of the Customer. Inquiries addressed directly to him will be forwarded to the Customer without delay.

(9) The Contractor undertakes to appoint a data protection officer to the extent required by law.

(10) Order processing takes place exclusively within the European Union (EU) or the European Economic Area (EEA).

6 Obligations and Liability of the Customer

(1) The Customer is responsible for ensuring that there is a legal basis for processing data that is made available to the Contractor and for ensuring that the instructions given to the Contractor are in compliance with the GDPR and other applicable laws.

(2) The Customer shall inform the Contractor immediately if it discovers any inconsistencies with the GDPR.

7 Reporting Requirements

(1) The Contractor shall notify the Customer without delay of any violations of the protection of personal data processed on behalf of the Customer. Justified suspicions of such breaches shall also be notified. The notification shall be made as soon as possible, and if possible within 24 hours of the Contractor becoming aware of the relevant event to an address specified by the Customer. It must contain at least the information stated in the GDPR Art. 33 (3).

(2) The Contractor supports the Customer in his obligations according to Art. 33 and 34 GDPR to the required extent.

8 Technical and organisational measures

(1) The Contractor shall ensure an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a possible breach of rights due to security breaches and allow for immediate detection of relevant breach events. All the technical and organisational measures applicable by the Contractor are listed in the Annex A, which define the adequate level of protection. The Customer hereby confirms the adequacy of technical and organisational measures listed in the Annex A.

9 Use of sub-processors

(1) The Contractor may engage sub-processors for the personal data processing. The Customer provides its consent for the Contractor for engage sub-processors. The Contractor shall assume full liability for the sub-processors to process personal data in accordance with the applicable law and this Contract. The Contractor provides the list of engaged sub-processors as soon as possible when requested by the Customer.

(2) The Contractor must conclude contracts with each sub-processor. All the contracts with the sub-processors must be in written form, which may also be in electronic format (Art. 28(4) and (9) GDPR).

10 Duration and termination, deletion and return of personal data

(1) The duration and termination of this Contract are governed by the provisions of the duration and termination of the Special Terms and Conditions for the Use of Moderan and the General Terms and Conditions. Termination of the aforementioned agreements automatically results in the termination of this Contract. An isolated termination of this Contract is excluded.

(2) The Customer is obliged to treat all knowledge of the Contractor’s business secrets and data security measures obtained within the framework of the contractual relationship as confidential. This obligation shall remain in force even after termination of this contract.

(3) Upon termination of the service agreements, if applicable, after the completion of the contractually agreed processing or upon request by the Customer, the Contractor shall hand over to the Customer all documents in its possession, created during the processing and/or resulting from the processing as well as data files that are related to the contractual relationship. The Customer shall in principle be responsible for deleting all personal data from the Moderan programme. Alternatively, the data may be destroyed in accordance with data protection regulations at the Customer’s instruction. The deletion or destruction shall be confirmed to the Customer upon request in written form or in a documented electronic format, stating the date of the deletion or destruction.

11 General terms, governing law and jurisdiction

(1) In the event of any contradictions, the provisions of this contract on data protection shall take precedence over the provisions of the Special Terms and Conditions for the Use of Moderan. Should individual parts of this contract be invalid, this shall not affect the validity of the rest of the contract.

(2) This Agreement shall be governed exclusively by Estonian law. The place of jurisdiction is Tallinn, Estonia.

Annex A – Technical and organisational measures

1. Confidentiality (Art. 32 para. 1 lit. b GDPR)

• Access control: No unauthorised access to data processing facilities

• Measures:

• Access to the Contractor’s offices is secured by security doors of at least level WK3.

• Employees of the Contractor are granted access through a centrally controlled key management system.

• Documents going beyond the Customer Contracts are not kept in analogue form.

• Access control: No unauthorised use of the system

• Measures:

• No shared logons or accounts.

• Passwords must be at least 8 characters long and contain at least the following characters: at least one uppercase letter, at least one lowercase letter, at least one digit.

• All logins and logoffs are protocolled IP-specifically. No other personal data is collected in the process. The IP logs are intended exclusively for internal auditing protocols.

• Access control: No unauthorised reading, copying, modifying or deleting within the system

•  Measures:

• Only employees working in customer service are authorised to access and manage the database and to change and delete data. The login and all database access of all employees working in the operational area is logged.

• In particular, the account manager assigned to the Customer shall have access to the Customer Data and shall be able to view and process it, although this shall only be done via tools provided by the Contractor.

• Separation control: Separate processing of data collected for different purposes

• Measures:

• Customer data in our data centres is logically separated and stored using a unique customer identifier.

• Under no circumstances customer data from other customers can be accessed.

• Leading employees in the area of platform operations have unrestricted access to customer data.

• Pseudonymisation (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR): The processing of personal data in a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures.

• Measures:

• Users sign up for use under their own chosen real names. The user’s content is listed under this user account.

2. Integrity (Art. 32 para. 1 lit. b GDPR)

• Transfer control: No unauthorised reading, copying, modifying or deleting during electronic transmission or transport.

• Measures:

• The data in the Contractor’s databases are protected by HTTPS and SSH protocols during the transmission between the Customer and the Contractor.

• Data entry control: Determining whether and by whom personal data have been entered into, modified or deleted from data processing systems.

• Measures:

• The administrative activities that take place on servers are logged.

• All data manipulation, including addition, deletion or modification of content, shall be logged via the Contractor’s system.

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

• Availability control: Protection against accidental or deliberate destruction or loss.

• Measures:

• Moderan servers are located with highly reputable and certified service providers in the jurisdiction of the highest security legislation of the European Union (both the live server and the backup servers are located in Germany). In addition to state-of-the-art climate control and other standard hosting requirements, our service provider meets the following conditions:

• Certified according to DIN ISO/IEC 27001 for the entire data park and its infrastructure.

• Continuous assessment and constant sustainable improvement of the applied safety standards.

• DDoS protection system with automated security solutions, the latest Arbor and Juniper hardware applications and advanced perimeter security technologies.

• Video surveillance and high-security fencing around the entire data centre as well as modern surveillance cameras for 24/7 monitoring of all access roads, entrances, high-security doors secured by locking systems and server rooms.

• Modern fire alarm systems with direct connection to the nearest fire station and special door locking system.

• The uninterruptible power supply (UPS) is guaranteed by a 15-minute battery capacity and emergency diesel generators. All UPS systems are designed with redundancy.

• Rapid restorability (Art. 32 para. 1 lit. c GDPR)

• Measures:

• Overnight backups are performed for all databases and user documents, a monitoring system is applied to check the correct operation of the backup system.

• The backups are located on a separate server, both locally and legally separated from the Moderan application and database, at another service provider’s premises.

4. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

• Data protection management

• Measures:

• The Contractor shall maintain a data protection management system in which mechanisms and procedures are defined. This includes in particular:

• the appointment of a data protection officer,

• the provision of staff training,

• Deletion concepts.

• The data protection processes are reviewed regularly.

• The data protection management system is checked for its proper implementation and effectiveness at regular intervals and adjusted if necessary.

• Incident Response Management

• Measures:

• Automated DDoS protection system for all Moderan servers.

• Minimum password requirements for all users of the platform.

• The Contractor shall maintain an Incident Management Plan to document responsibilities and procedures in the event of an incident.

• The Incident Management Plan is reviewed at regular intervals for its implementation and effectiveness and adjusted if necessary.

• Data protection-friendly default settings (Art. 25 (2) GDPR)

• Measures:

• The platform only requires data necessary for the work (name, e-mail address if applicable). Further data is only collected if it is required for the Customer’s processes.

• User accounts are visible to other users of the Customer with administrator rights, but not their login status.

• Order control: No data processing in the sense of Art. 28 GDPR without corresponding instructions from the Customer

• Measures:

• There is training for newly recruited staff. As long as the training measures have not been completed and the management has not agreed to the access, newly hired employees do not have access rights.

• The management holds weekly team meetings with all staff.

• Any violation of the Company’s protocols and procedures, if serious, will result in immediate termination and revocation of all access rights.

• Data Protection Officer

• Measures:

• Appointment of an internal data protection officer: Martin Schröder, martin@moderan.net

Do you have questions about data processing in Moderan?