Endereco - Master Data Quality Experts

Data processing agreement according to Art. 28 GDPR


Contracting parties

This Agreement is concluded between

Data controller / Client (hereinafter referred to as "Data Controller")

and Endereco UG (haftungsbeschränkt) as data processor with registered office in 97236 Randersacker, Balthasar-Neumann-Str. 4B (hereinafter referred to as "Data Processor").

§ 1 General Terms

(1) The Data Processor processes personal data on behalf of the Data Controller within the meaning of Art. 4 (8) and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.

(2) Wherever the term “data processing” or “processing” (of data) is used in this Agreement, the definition of “processing” within the meaning of Article 4(2) of the GDPR shall apply.

§ 2 Scope, term, and specification of the processing order

(1) The scope of the contract, the nature, and purpose of the processing and the categories of data processed as well as the categories of data subjects are set in the related main contract, concluded with the Data Controller, about the corresponding rights of use of the Endereco Services (hereinafter referred to as the “Service Agreement”) and are specified in Annex 1 to this contract.

If the Data Controller orders further rights of use or other additional services at a later point in time, this agreement shall also apply accordingly to these services.

(2) This data processing agreement according to Art. 28 GDPR becomes effective at the same time as the contract specified under § 2 (1) and expires when that contract itself expires.

(3) The agreement is issued for regular execution.

§ 3 Processing location

(1) The contractual data processing shall generally take place in a member state of the European Union (EU) or in another contracting state of the Agreement on the European Economic Area (EEA). The Data Processor is nevertheless permitted to process personal data outside the EEA in compliance with the terms of this contract if the Data Processor informs the Data Controller in advance about the location of the data processing and the requirements of Art. 44 ff. GDPR are fulfilled.

§ 4 Scope and responsibility

(1) The Data Processor is processing personal data on behalf of the Data Controller. Within the scope of this contract, the Data Controller shall be solely responsible for compliance with the statutory regulations of the data protection laws, in particular for the lawfulness of the data transfer to the Data Processor as well as for the lawfulness of the data processing ("Responsible Party" within the meaning of Art. 4 No. 7 GDPR).

(2) The instructions shall initially be stipulated by the contract and may thereafter be amended, supplemented or replaced (individual instructions) by the Data Controller in writing or in an electronic format (text form) addressed to the department designated by the Data Processor. Instructions not stipulated in the contract shall be treated as a request for a change in performance and shall be documented by the Data Processor. Verbal instructions shall be confirmed by the Data Controller in writing or text form without delay and documented by the Data Processor.

Data Processor’s contact person for the instructions:

Name: Olena Schmitt

Role: GDPR compliance officer

Phone number: +49 931 663 98 39 2

E-mail address: datenschutz@endereco.de

§ 5 Obligations of Contractor as a data processor

(1) The Data Processor may only process data of affected persons within the scope of the order and the instructions of the Data Controller, unless there is an exceptional case within the meaning of Art. 28 (3) lit. a) GDPR. The Data Processor shall inform the Data Controller without delay if it is of the opinion that an instruction violates applicable laws. The Data Processor may suspend the implementation of the instruction until it has been confirmed or amended by the Data Controller.

(2) The Data Processor shall be obliged to structure the internal organization within its area of responsibility in such a way that it meets the special requirements of data protection. It will take technical and organizational measures to adequately protect the Data Controller's data that meet the requirements of the General Data Protection Regulation (Art. 32 GDPR). The Data Processor shall take technical and organizational measures to ensure the continuous confidentiality, integrity, availability and resilience of the systems and services in connection with the Processing. The Data Controller is aware of these technical and organizational measures and is responsible for ensuring that they provide an appropriate level of protection for the risks of the data to be processed. Details of the measures taken by the Data Processor in accordance with Art. 32 GDPR to ensure the security of the processing are listed in Annex 3.

(3) The Data Processor reserves the right to change the security measures taken without separate notice if the contractual level of protection is not thereby undercut and they do not contradict the GDPR. In the standard case, these are improvements in data security through measures in the sense of information security, data protection and quality management.

(4) The Data Processor warrants that the employees involved in processing the Data Controller's data and other persons working for the Data Processor are prohibited from processing the data outside the scope of the instruction. Furthermore, the Data Processor warrants that the persons authorized to process the personal data have committed themselves to confidentiality. The confidentiality obligation shall continue to exist after termination of the order.

(5) The Data Processor shall, to the extent agreed, support the Data Controller within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set out in Articles 33 to 36 of the GDPR.

(6) The Data Processor shall inform the Data Controller without undue delay if it becomes aware of breaches of the protection of the Data Controller's personal data or of circumstances that suggest such a breach. The Data Processor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the persons concerned and shall consult with the Data Controller on this without delay.

(7) The Data Processor warrants to comply with its obligations under Article 32(1)(d) of the GDPR to implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the Processing.

(8) The Data Processor shall correct or delete the contractual data if the Data Controller instructs to do so and this is covered by the scope of instructions. If deletion in conformity with data protection or a corresponding restriction of data processing is not possible, the Data Processor shall undertake the destruction of data carriers and other materials in conformity with data protection on the basis of an individual order by the Data Controller or return these data carriers to him, unless it is already agreed upon in the contract.

(9) Data, data carriers and all other materials shall be either surrendered or deleted by the Data Processor after the end of the contract at the Data Controller's request, analogous to § 5 para. 8. In the case of test and reject materials, an individual instruction for deletion shall not be required. If additional costs are incurred due to the Data Controller's deviating, non-standard market requirements for the release or deletion of the data that in no way follow from applicable data protection law or the contracts, these costs shall be borne by the Data Controller.

(10) In the event of a claim against the Data Controller by an affected person with regard to any claims pursuant to Art. 82 of the GDPR, the Data Processor undertakes to support the Data Controller in defending against the claim within the scope of its possibilities.

§ 6 Obligations of Client as a data controller

(1) The Client as Data Controller shall ensure that the Processing is carried out in accordance with the principles set by Chapter II of the GDPR and that the technical and organizational measures taken by the Contractor as Data Processor (Annex 3) and those measures specified in the Contracts, if any, in addition thereto provide an adequate level of protection, taking into account the nature, scope, circumstances and purposes of the Processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons.

(2) The Data Controller shall inform the Data Processor immediately and in full if it discovers errors or irregularities with regard to data protection regulations.

(3) According to Art. 33 – 34 GDPR, the Data Controller as the responsible party is obliged to report all breaches of the protection of personal data to the supervisory authority and to notify persons affected by them.

(4) In the event of a claim against the Data Processor by an affected person with regard to any claims pursuant to Art. 82 of the GDPR, Section 5 (10) shall apply mutatis mutandis.

(5) The Data Controller appoints the contact person for data protection issues arising within the scope of the contract.

§ 7 Data protection officer

(1) The Data Processor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR. The Data Processor shall ensure that the data protection officer has the required qualifications and expertise. The current contact details are easily accessible on the Data Processor's website.

The Data Processor may provide the Data Controller with the name and contact details of its data protection officer separately in text form upon request.

§ 8 Request from data subjects (individuals)

(1) If a data subject contacts the Data Processor with requests for correction, deletion or information, the Data Processor will refer the data subject to the Data Controller, provided that an association with the Data Controller is possible according to the information provided by the data subject. The Data Processor shall forward the data subject's request to the Data Controller without delay. The Data Processor shall support the Data Controller within the scope of its possibilities upon instruction as far as agreed.

(2) The Data Processor shall not be liable if the Data Controller fails to respond to the data subject's request or fails to respond to it correctly or in a timely manner.

§ 9 Controlling rights of the client

(1) The Data Controller shall have the right to monitor the Data Processor's compliance with the statutory provisions on data protection and/or compliance with the contractual provisions made between the Parties and/or compliance with the instructions of the Data Controller at any time to the extent required.

(2) The Data Processor shall be obligated to provide the Data Controller with information insofar as this is necessary to carry out the control within the meaning of paragraph 1.

(3) The Data Controller may request to inspect the data processed by the Data Processor for the Data Controller as well as the data processing systems and programs used.

(4) The Data Controller may carry out the inspection within the meaning of Paragraph 1 at the Data Processor's premises during normal business hours after prior notification with a reasonable period of notice. In doing so, the Data Controller shall ensure that the inspections are only carried out to the extent necessary in order not to disproportionately disrupt the Data Processor's operating processes as a result of the inspections.

The Data Controller agrees to the appointment of an independent external auditor by the Data Processor, provided that the Data Processor provides a copy of the audit report.

The Data Processor may demand reimbursement for the performance of an inspection if this is agreed in the contract. The expenditure of an inspection is generally limited to one day per calendar year for the Data Processor.

(5) The Data Processor shall be obliged to provide the Data Controller with the necessary information in the event of measures taken by the supervisory authority vis-à-vis the Data Controller within the meaning of Article 58 of the GDPR, in particular with regard to information and control obligations, and to enable the competent supervisory authority to carry out an on-site inspection. The Data Controller shall be informed by the Data Processor about corresponding planned measures.

(6) Subject to deviating regulations, the Data Processor may demand additional reimbursement for additional expenses incurred by it as a result of the Data Controller's control measures. These shall be calculated according to the actual costs incurred and hourly rates.

§ 10 Subcontractors

(1) The Data Controller hereby gives its consent to the processing of data by the subsidiary mobilemojo - Apps & eCommerce UG (haftungsbeschränkt) & Co. KG, as a subcontracted processor, insofar as this is necessary for the provision of services in accordance with the underlying main contract.

(2) All subcontractor relationships of the Data Processor pre-existing at the time of contract closure are attached to this contract in Annex 2. For the subcontractors listed in Annex 2, approval shall be deemed to have been granted upon conclusion of this contract.

The Data Processor has entered into agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures.

Before engaging or replacing the subcontractors, the Data Processor shall inform the Data Controller in text form.

The Data Controller may object to the change for important reasons, within a reasonable period of 14 days, to the office designated by the Data Processor. If no objection is made within this period, the change shall be deemed to have been approved.

Contact person for the Data Controller at the Data Processor is:

Name: Olena Schmitt

Role: Data protection officer

Phone Number: +49 931 663 98 39 2

E-mail address: datenschutz@endereco.de

(3) If the Data Processor places orders with subcontractors, it shall be incumbent on the Data Processor to transfer its data protection obligations under this contract to the subcontractor. The transfer of personal data of the Data Controller to the subcontractor and the subcontractor's first activity shall only be permitted once all requirements for subcontracting have been met. In particular, it shall be incumbent on the Data Processor to transfer its obligations under data protection law from this Agreement to the further Processor in accordance with Article 28 (4) sentence 1 GDPR.

(4) If the subcontractor provides the agreed service outside the EU/EEA, the Data Processor shall take appropriate measures to ensure that it is admissible under data protection law.

§ 11 Information obligations, written form clause, legal choice

(1) Should the Data Controller's data at the Data Processor be endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Data Processor shall inform the Data Controller thereof without delay. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Data Controller as the "responsible party" within the meaning of the General Data Protection Regulation.

(2) Amendments and modifications of this contract and all its components – including any warranties of the Contractor – shall require a written agreement, which may also be made in an electronic format (text form), and the express indication that it is an amendment or modification of these Terms and Conditions. This shall also apply to the waiver of this formal requirement.

(3) In the event of any contradictions, the provisions of this agreement on data protection shall take precedence over the provisions of the main contract. Should individual parts of this contract be invalid, this shall not affect the validity of the rest of the contract.

(4) German laws shall apply.

§ 12 Liability and compensations

The Data Controller and the Contractor shall be liable to data subjects under data protection law in accordance with the provision set out in Art. 82 GDPR. Any liability and compensation provisions that do not comply with data protection law or go beyond this or are individual shall be agreed exclusively in the offers and contracts between the Data Controller and the Contractor.

§ 13 Confidentiality and discretion

(1) Both parties undertake to maintain basic confidentiality and non-disclosure with regard to the contents of this agreement. This does not apply to statutory disclosure obligations vis-à-vis authorities, in court or criminal proceedings as well as contractual obligations vis-à-vis persons and auditors of both the Data Controller and the Contractor who undertake to maintain confidentiality vis-à-vis the Data Controller or the Contractor or who are subject to a confidentiality obligation, and ultimately also to other order processors and affiliated companies for whom the present provisions constitute an integral part within the scope of their performance of activities.


Annex 1 – Scope of the contract

1. Scope of the processing

The Data Controller’s order to the Data Processor includes:

(1) Matching, modification, transmission and storage of customer master data directly at the time of entry (address, e-mail, salutation, telephone, etc.)

(2) Data verification as well as correction and evaluation of existing data

2. Types of processing

Within the scope of the data processing described above, the Contractor shall carry out the following processing for the Data Controller:

(1) Collection and transmission of data entered by customers and employees to Endereco servers.

(2) Matching of data entered by customers and employees with data from address databases (hosted internally at Endereco and/or externally at our subcontractors)

(3) Temporary storage of data entered by customers and employees on Endereco servers

(4) Correction and enrichment of data entered by customers and employees

(5) Return of corrected data to the Data Controller

(6) Deletion of all transmitted personal data immediately after any corrected data has been transmitted back to the Data Controller.

(7) If applicable, storage of data entered by customers and employees for up to 30 days

(8) Storage of meta information for each request (time, referrer)

3. Purpose of the processing

(1) The processing serves the purpose of fraud prevention as well as the maintenance of an accurate data basis for the Data Controller.

(2) The processing from point 2.7 serves the purpose of error analysis as well as quality assurance of the Endereco Services.

(3) The processing from point 2.8 serves the purpose of fraud prevention as well as the usage billing of the Endereco Services.

4. Type(s) of personal data

The following types of data are processed as part of the contractual provision of services:

(1) Personal master data (e.g. postal addresses, salutation).

(2) Communication data (e.g. telephone, e-mail)

(3) Contract master data

(4) Technical Data (referrer to the Data Controller’s system, timestamp of the request)

5. Categories of affected person

(1) Clients of the Data Controller

(2) Employees of the Data Controller


Annex 2 – Subcontractors

For the processing of data on behalf of the Data Controller, the Contractor shall use the services of third parties who process data on its behalf ("Subcontractors"). These are the following companies:

Subcontractor: netcup GmbH
Address/Country: Daimlerstraße 25, 76185 Karlsruhe, Germany
Scope of the contract: Hosting of databases for verification and reporting of customer data

Subcontractor: mobilemojo - Apps & eCommerce UG & Co. KG
Address/Country: Balthasar-Neumann-Str. 4B, 97236 Randersacker, Germany
Scope of the contract: Development and operation of Endereco software

Subcontractor: Cabalon
Address/Country: Eversstraße 13, 19370 Parchim, Germany
Scope of the contract: Redundant hosting of address validation services for the national address database

Subcontractor: sms77 e.K.
Address/Country: Willestr. 4-6, 24103 Kiel, Germany
Scope of the contract: Checking phone numbers for validity and reachability; formatting of phone numbers

Subcontractor: Linkomat GmbH
Address/Country: Goldschlagstraße 110/30, 1150 Wien, Austria
Scope of the contract: Checking of company data and VAT ID

Subcontractor: itrinity, s.r.o.
Address/Country: Obchodná 2, 811 06 Bratislava, Slovakia
Scope of the contract: Validation of e-mail addresses

Subcontractor: Melissa Data GmbH
Address/Country: Cäcilienstr. 42-44, 50667 Köln, Germany
Scope of the contract: Hosting and API for the international address management services

Subcontractor: Cobisi Research™
Address/Country: Via della Costituzione, 31, 35010 Vigonza (PD), Italy
Scope of the contract: Validation of e-mail addresses

Subcontractor: Optimaize GmbH
Address/Country: Im Oberdorf 16, CH-8602 Wangen bei Zürich, Switzerland
Scope of the contract: NameAPI

Subcontractor: Egon srl
Address/Country: Via Monte di Pietà 19, 20121 Milano MI, Italy
Scope of the contract: Hosting and API for the international address management services


Annex 3 – Technical and organizational measures

As an organization that collects, processes or uses personal data itself or on behalf of others, we must take the technical and organizational measures necessary to ensure compliance with the provisions of data protection laws. Measures are only necessary if their cost is in reasonable proportion to the intended protective purpose.

Endereco UG meets this requirement through the following measures:

1. Confidentiality (Art. 32(1)(b) GDPR)

1.1 Access control

The following measures have been taken to prevent unauthorized persons from accessing the data processing equipment with which personal data are processed or used:

Technical measures:

  • Manual lock systems

  • Security locks

Organizational measures:

  • Key arrangement (handing over of keys etc.)

  • Visitors accompanied by employees

  • Careful selection of cleaning personnel

  • Other: The contracts with our subcontractors in the hosting sector regulate access controls to the servers and offices in the enclosed TOMs.

1.2 Admission control

The following measures have been taken to prevent unauthorized third parties from using the data systems:

Technical measures:

  • Login with username + password

  • Automatic desktop locks

  • No transmission of data via unencrypted connections

  • Encryption of data backup systems

  • Use of intrusion detection systems (Cloudflare)

  • Use of anti-virus software

  • Encryption of data carriers in laptops/notebooks

  • Use of a software firewall

Organizational measures:

  • Management of user permissions

  • Central password assignment

  • "Secure password" policy

  • "Delete / destroy" policy

  • "Clean desk" policy

  • "Manual desktop lock" policy

  • Mobile device policy

1.3 Authorization control

The following measures have been taken to ensure that those authorized to use a data processing system can only access the data covered by their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage:

Technical measures:

  • Logging of access to applications, especially when entering, changing and deleting data

  • Use of document shredders (level P5)

  • Secure storage of data media

  • Encryption of data carriers

Organizational measures:

  • Authorization concept

  • Administration of rights by system administrator

  • Regular review and updating of access rights (especially when employees leave the company or similar)

  • "Secure password" policy

1.4 Separation control

The following measures have been taken to ensure that data collected for different purposes can be processed separately:

Technical measures:

  • There is a software separation of the data of the individual customers

  • Development, test and productive data are strictly separated

  • Development, test and production systems are strictly separated

  • Endereco uses different domains and SSL certificates for test and production systems

Organizational measures:

  • Control via authorization concept

  • Determination of database rights

1.5 Pseudonymization (Art. 32(1)(a) GDPR, Art. 25(1) GDPR)

Personal data shall be processed in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures:

Technical measures:

  • Separation/deletion of allocation data and storage in a separate and secured system

  • No access to data by the store operator or licensee

Organizational measures:

  • Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of disclosure or even after expiry of the statutory deletion period.

2. Integrity (Art. 32(1)(b) GDPR)

2.1 Input control

The following measures are used to subsequently check and determine whether and by whom personal data has been entered, changed or removed in data processing systems:

Technical measures:

  • Technical logging of entering, changing and deleting data

  • Manual or automated control of the logs

Organizational measures:

  • Overview of the programs that can be used to enter, change or delete which data

  • Traceability of entering, changing and deleting data through individual user names (not user groups)

  • Assignment of rights to enter, change and delete data based on an authorization concept

  • Clear responsibilities for deletions

2.2 Sharing control

The following measures ensure that personal data cannot be obtained or taken note of by unauthorized persons when it is passed on (physically and/or digitally):

Technical measures:

  • Encryption of communication channels (e.g. encryption of e-mail traffic)

  • Physical disk encryption in transit

  • Safe transport containers

  • Deployment over encrypted connections such as SFTP and HTTPS

Organizational measures:

  • Documentation of the data recipients and the duration of the planned transfer or the deletion periods

  • Careful selection of transport personnel and vehicles

3. Availability and resilience (Art. 32(1)(b) GDPR)

3.1 System availability, recoverability and resilience

The following measures ensure that the data processing systems used function properly at all times and that personal data is protected against accidental destruction or loss:

Technical measures:

  • Testing of data recovery

  • Regular backups of databases

  • The technical measures for the availability, recoverability and resilience of the systems on the hardware side are ensured by the TOMs of our subcontractors in the hosting area:

    Fire and smoke detection systems

    Fire extinguisher in the server room

    Server room monitoring of temperature and humidity

    Air-conditioned server room

    UPS

    RAID system / hard disk mirroring

Organizational measures:

  • Creation of a backup & recovery concept

  • Creation of a contingency plan for internal measures

  • The organizational measures for the availability, recoverability and resilience of the systems on the hardware side are ensured by the TOMs of our subcontractors in the hosting area:

    No sanitary connections in or above the server room

    Backup & recovery concept (formulated)

    Control of the backup process

    Existence of an emergency plan (e.g. BSI IT-Grundschutz 100-4)

4. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

4.1 Data protection management

Technical measures:

  • Central documentation of all procedures and regulations on data protection with access for employees as required / authorized (wiki, intranet ...).

  • A review of the effectiveness of the technical protection measures is carried out at least once a year.

Organizational measures:

  • Internal data protection officer

  • Employees trained and obligated to confidentiality / data secrecy

  • Regular sensitization of employees, at least annually

  • Data protection impact assessment (DPIA) is carried out as required

  • Organization complies with information obligations under Art. 13 and 14 GDPR

  • Formalized process for handling requests for information from data subjects is in place

4.2 Incident response management

Support for security breach response

Technical measures:

  • Use of firewall and regular updating

  • Use of spam filter and regular updating

  • Use of virus scanner and regular updating

  • Intrusion Detection System (IDS)

Organizational measures:

  • Documented process for detecting and reporting security incidents / data breaches (also with regard to the reporting obligation to the supervisory authority)

  • Documented procedure for dealing with security incidents

  • Documentation of security incidents and data breaches, e.g. via ticket system

  • Formal process and responsibilities for the follow-up of security incidents and data breaches

4.3 Privacy-friendly preferences (Art. 25(2) GDPR)

Privacy by design / privacy by default

Technical measures:

  • No more personal data is collected than is necessary for the respective purpose

  • Simple exercise of the right of withdrawal of the data subject by technical measures

Organizational measures:

  • None listed

4.4 Order control (outsourcing to third parties)

Technical measures:

  • None listed

Organizational measures:

  • Prior review of the security measures taken by the contractor and their documentation

  • Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)

  • Conclusion of the necessary data processing agreement or EU standard contractual clauses

  • Written instructions to the contractor

  • Obligation of the contractor's employees to maintain data secrecy

  • Obligation of the contractor to appoint a data protection officer if there is a statutory obligation to appoint one

  • Agreement on effective controlling rights vis-à-vis the contractor

  • Regulation on the use of further subcontractors

  • Ensuring the destruction of data after completion of the order

Status: 14.07.2022



Certificate
Document name: Data processing agreement according to Art. 28 GDPR
Unique Document ID: 39181e7240721e4336132abb52d4f4b7a6a6cb28
Timestamp audit: 14 July 2022, 9:20 CET: "Data processing agreement according to Art. 28 GDPR" uploaded by Lena Schmitt (lena@endereco.de), IP 87.184.63.5